[OpenAFS] Kerberos5 and afs
Christopher D. Clausen
cclausen@acm.org
Thu, 15 Nov 2007 17:32:04 -0600
Steve Devine <sdevine@msu.edu> wrote:
> Does the order of the enctypes listed in the kdc affect this?
> This is my current kdc.conf entry:
> supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
> des-cbc-crc:v4 des-cbc-crc:afs3
> I'm not sure how to manipulate the kvno on the AD
I currently have the following on a KDC with an AD domain trust:
supported_enctypes = aes256-cts:normal aes128-cts:normal rc4-hmac:normal
des3-hmac-sha1:normal des-cbc-crc:normal
I suspect that you may want at least the rc4-hmac:normal in that list,
as that is one of the enc_types that AD supports.
I remember that I had no luck getting the trust to work when using
specific enc_types in the -e option to ktadd. Completely omitting the
"-e" seemed to work though. This could be something odd in my
environment though.
For instance, my cross-realm TGT has AES enc_types that are not actually
supported by Windows:
kadmin.local: getprinc krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Principal: krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
You can turn on RC4 for the realm trust using ktpass.exe.
If you join #kerberos on Freenode IRC there are smart people in the
channel who can help you with this.
<<CDC
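
An added example, not part of the original message: it parses the two `supported_enctypes` values and the `getprinc` output quoted above and lists which enctypes each side shares with the AD peer. The function names are hypothetical, and the peer set holding only `rc4-hmac` is an assumption taken from the one enctype the message names as AD-supported.

```python
# Added example; function names are hypothetical, inputs are copied from the message.
DESCRIPTIONS = {  # getprinc key description -> kdc.conf enctype name
    "Triple DES cbc mode with HMAC/sha1": "des3-hmac-sha1",
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": "aes256-cts",
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": "aes128-cts",
    "ArcFour with HMAC/md5": "rc4-hmac",
}
# Assumption: only the enctype the message names as AD-supported is listed here.
PEER_ENCTYPES = {"rc4-hmac"}

STEVE_CONF = "des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3"
CDC_CONF = ("aes256-cts:normal aes128-cts:normal rc4-hmac:normal "
            "des3-hmac-sha1:normal des-cbc-crc:normal")
GETPRINC = """\
Principal: krbtgt/ILLIGAL.UIUC.EDU@AD.UIUC.EDU
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
"""

def conf_enctypes(value):
    """Enctype names from a supported_enctypes value: salts dropped, order kept."""
    names = []
    for item in value.split():
        name = item.partition(":")[0]
        if name not in names:
            names.append(name)
    return names

def getprinc_keys(output):
    """(kvno, enctype) for every 'Key:' line of kadmin getprinc output."""
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Key: vno "):
            kvno, desc = line[len("Key: vno "):].split(", ")[:2]
            keys.append((int(kvno), DESCRIPTIONS.get(desc, "unknown")))
    return keys

def shared(local, peer=PEER_ENCTYPES):
    """Enctypes from `local` that the peer also accepts, in local order."""
    return [name for name in local if name in peer]

if __name__ == "__main__":
    print("first kdc.conf :", shared(conf_enctypes(STEVE_CONF)))
    print("second kdc.conf:", shared(conf_enctypes(CDC_CONF)))
    print("trust principal:", shared([e for _, e in getprinc_keys(GETPRINC)]))
```
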