[OpenAFS] Win 2008R2 DES eanble?

Stephen Joyce stephen@physics.unc.edu
Thu, 4 Mar 2010 19:44:09 -0500 (EST) 

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--43577093-917354464-1267749329=:1795
Content-Type: TEXT/PLAIN; CHARSET=X-UNKNOWN; FORMAT=flowed
Content-Transfer-Encoding: QUOTED-PRINTABLE
Content-ID: <Pine.LNX.4.64.1003041935551.1795@hellbender.physics.unc.edu>

Lars:

I did get past the issuing of DES tickets. I have other problems (see my=20
recent message to the list), but I did enable DES tickets on 2008R2. I did=
=20
the following (not all may be required).

- In the DC's Local Security Policy, I enabled all ciphers by checking all=
=20
6 boxes at Security Settings \ Local Policies \ Security Options \ "Network=
=20
security: Configure encryption types allowed for Kerberos"

- In AD in the Default Domain Controllers Policy, Computer Configuration \=
=20
Policies \ Administrative Templates \ Ssytem/Net Logon \ "Allow=20
cryptography algorithms compatible with Windows NT 4.0" (Enable). [I'd bet=
=20
this step isn't necessary; I was grasping when I tried it and haven't=20
backed out to check yet.]

- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value=
=20
1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the DC won't=
=20
talk DES to clients, even if you do extract a DES-only keytab (you'll see=
=20
"KDC has no support for encryption type" messages).

- Reboot the DC (at least restart the KDC process is required)

- Create your afscell account in AD.

- Checked "Use Kerberos DES encryption types for this account" on the=20
Account tab of the afscell user account in AD. I'd also recommend password=
=20
never expires.

- Extract the keytab similarly to this. Adjust to taste:
ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME=20
-mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype=20
KRB5_NT_PRINCIPAL +DumpSalt -kvno 3

Note that in my experience, your specified kvno must equal or exceed the=20
number of times the user's keytab has been extracted. If you specify a kvno=
=20
of 3, then go back and ask for a kvno of 1 for the same user account, you=
=20
won't get it (but you will get a keytab with the next higher kvno). It's=20
recommended to verify the kvno and the etype of the keytab using your=20
favorite method prior to importing into your afs keyfile.

Also, I had to delete and re-create my afscell user's account in AD after=
=20
making the changes to the DC detailed above to enable DES. Extracting a=20
keytab for an account made before the changes didn't work for me. Your=20
mileage may vary.

Cheers, Stephen
--
Stephen Joyce
Systems Administrator
PANIC - Physics and Astronomy Network Infrastructure and Computing
University of North Carolina at Chapel Hill=20
voice: 919.962.7214
fax: 919.962.0480

A human being should be able to change a diaper, plan an invasion,=20
butcher a hog, conn a ship, design a building, write a sonnet, balance=20
accounts, build a wall, set a bone, comfort the dying, take orders,=20
give orders, cooperate, act alone, solve equations, analyze a new=20
problem, pitch manure, program a computer, cook a tasty meal, fight=20
efficiently, die gallantly. Specialization is for insects.
                                       -Robert A. Heinlein

On Thu, 4 Mar 2010, Lars Schimmer wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi!
>
> Sorry for a bit OT question:
> I want to extend our AD with a Windows 2008R2 server with KDC enabled.
> Now I know I need to enable DES enctype again to be able to use OpenAFS
> with such a KDC, but I am a bit lost where to enable this.
> Found a few point on google so far:
> - -administrative tools for server
> - -for each client seperate of the AD
>
> But what is the real solution?
>
> MfG,
> Lars Schimmer
> - --
> - -------------------------------------------------------------
> TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
> Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iEYEARECAAYFAkuP1A0ACgkQmWhuE0qbFyNjAQCgi473Qem43r/cOepipBI0MNvR
> DDEAn0Y8YmWl0UnGMQfFrwxoQTPNmY+W
> =3Dj10e
> -----END PGP SIGNATURE-----
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
--43577093-917354464-1267749329=:1795--