[OpenAFS] ADS and MIT Kerberos transition auth continued

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 16 Jul 2009 15:12:32 -0400


Eric Chris Garrison wrote:
> Okay, we continue to fight this.  We found that despite having an
> alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
> being treated as unauthorized, anonymous users, rather than being mapped
> as they should be.
> 
> We looked into enctypes as a possible culprit.  We were using des-cbc-crc,
> but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
> not restrict it to just one type, but can restrict it to just DES types.
> (The ADS admin said they set the "Use Kerberos DES encryption types" flag).

des-cbc-md5 is fine.  After you set the DES-only bit you need to
assign a new password for the account and re-export the keytab
with a new kvno, which then needs to be imported into the AFS KeyFile.

Jeffrey Altman
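The server-side half of the procedure described above (new password on the
AD account so the KDC issues a new kvno, DES-only keytab exported, key
imported into the AFS KeyFile) as a script that refuses to import a keytab
whose kvno is not newer than what the KeyFile already holds, which is the
symptom of a keytab that was re-exported without the password reset. This is
an added example, not code from the thread or from OpenAFS. It assumes the
MIT krb5 "klist -k -e" listing format (kvno, principal, enctype in
parentheses), the OpenAFS "asetkey" and "bos listkeys" commands, and
hypothetical principal, keytab path and server names; the ktpass line in the
comment is the assumed AD-side export command.

```sh
#!/bin/sh
# Added example: check and import an AD-exported DES keytab into the AFS KeyFile.
# Assumed names; override from the environment.
KEYTAB="${KEYTAB:-/tmp/afs.keytab}"
PRINC="${PRINC:-afs/cell.example.edu@ADS.EXAMPLE.EDU}"
SERVER="${SERVER:-localhost}"

# AD side (run on a domain controller, after the "Use Kerberos DES encryption
# types" flag is set on the account).  /pass * sets a NEW password, which is
# what bumps the kvno:
#   ktpass /princ afs/cell.example.edu@ADS.EXAMPLE.EDU /mapuser afs-cell \
#          /pass * /crypto DES-CBC-MD5 /ptype KRB5_NT_PRINCIPAL /out afs.keytab

# keytab_kvno PRINCIPAL: reads "klist -k -e" output on stdin, prints the highest
# kvno for PRINCIPAL.  Exit 1 if the principal has no key, exit 2 if any of its
# keys is not a DES enctype (the AFS KeyFile can only hold DES keys).
keytab_kvno() {
    awk -v p="$1" '
        BEGIN { max = -1 }
        $2 == p {
            et = $0
            sub(/^[^(]*\(/, "", et)   # keep the text after the first "("
            sub(/\).*$/, "", et)      # ... up to the closing ")"
            # short names (des-cbc-md5) or the long MIT form (DES cbc mode with RSA-MD5)
            if (et !~ /^(des-cbc-|DES cbc mode)/) bad = et
            if ($1 + 0 > max) max = $1 + 0
        }
        END {
            if (bad != "") { print "non-DES key (" bad ") for " p > "/dev/stderr"; exit 2 }
            if (max < 0) exit 1
            print max
        }'
}

# keyfile_max_kvno: reads "bos listkeys" output on stdin ("key N has cksum ...")
# and prints the highest kvno present, or -1 if the KeyFile has no keys.
keyfile_max_kvno() {
    awk 'BEGIN { max = -1 }
         $1 == "key" && $3 == "has" { if ($2 + 0 > max) max = $2 + 0 }
         END { print max }'
}

# import_afs_key: verify the keytab, compare kvnos, then add the key.
import_afs_key() {
    new=$(klist -k -e "$KEYTAB" | keytab_kvno "$PRINC") || {
        echo "no usable DES key for $PRINC in $KEYTAB" >&2; return 1; }
    cur=$(bos listkeys "$SERVER" -localauth 2>/dev/null | keyfile_max_kvno)
    if [ "$new" -le "$cur" ]; then
        echo "keytab kvno $new is not newer than KeyFile kvno $cur:" \
             "the AD password was not reset; assign a new one and re-export" >&2
        return 1
    fi
    asetkey add "$new" "$KEYTAB" "$PRINC" || return 1
    bos listkeys "$SERVER" -localauth
}

# Only perform the import when explicitly asked, so the file can also be sourced.
if [ "${1-}" = "--import" ]; then
    import_afs_key
fi
```

Run it as "sh import-afs-key.sh --import" on the file server, then verify from
a client with kinit as a user in the AD realm followed by "aklog -d" and
"tokens": a token that still comes back anonymous after the KeyFile kvno matches
the keytab points back at the krb.conf realm mapping rather than the key.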