[OpenAFS] Win 2008R2 DES enable?
Thu, 4 Mar 2010 19:44:09 -0500 (EST)
I did get past the issuing of DES tickets. I have other problems (see my
recent message to the list), but I did enable DES tickets on 2008R2. I did
the following (not all may be required).
- In the DC's Local Security Policy, I enabled all ciphers by checking all
6 boxes at Security Settings \ Local Policies \ Security Options \ "Network
security: Configure encryption types allowed for Kerberos"
- In AD in the Default Domain Controllers Policy, Computer Configuration \
Policies \ Administrative Templates \ System/Net Logon \ "Allow
cryptography algorithms compatible with Windows NT 4.0" (Enable). [I'd bet
this step isn't necessary; I was grasping when I tried it and haven't
backed out to check yet.]
- Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with value
1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the DC won't
talk DES to clients, even if you do extract a DES-only keytab (you'll see
"KDC has no support for encryption type" messages).
- Reboot the DC (at least a restart of the KDC process is required)
- Create your afscell account in AD.
- Checked "Use Kerberos DES encryption types for this account" on the
Account tab of the afscell user account in AD. I'd also recommend password
- Extract the keytab similarly to this. Adjust to taste:
ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt -kvno 3
Note that in my experience, your specified kvno must equal or exceed the
number of times the user's keytab has been extracted. If you specify a kvno
of 3, then go back and ask for a kvno of 1 for the same user account, you
won't get it (but you will get a keytab with the next higher kvno). It's
recommended to verify the kvno and the etype of the keytab using your
favorite method prior to importing into your afs keyfile.
Also, I had to delete and re-create my afscell user's account in AD after
making the changes to the DC detailed above to enable DES. Extracting a
keytab for an account made before the changes didn't work for me. Your
mileage may vary.
PANIC - Physics and Astronomy Network Infrastructure and Computing
University of North Carolina at Chapel Hill
A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders,
give orders, cooperate, act alone, solve equations, analyze a new
problem, pitch manure, program a computer, cook a tasty meal, fight
efficiently, die gallantly. Specialization is for insects.
-Robert A. Heinlein
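As an added example (not from this post or from OpenAFS), a small Python reader for the MIT-format keytab that ktpass writes, so the principal, kvno and etype can be checked before the key goes into the AFS KeyFile. The sample keytab is constructed inline from the ktpass arguments above (afs/cellname, realm ADDOMAINNAME, DES-CBC-CRC, kvno 3) rather than extracted from a real DC, and single-DES entries are flagged as weak.

```python
import struct
# Kerberos encryption type numbers (RFC 3961/3962/4757); 1 and 3 are single DES.
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
               18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
WEAK_ETYPES = {1, 3}

def build_keytab(entries):
    # Serialise (principal, realm, kvno, etype, key) tuples as a v0x0502 keytab;
    # only used here to construct sample input, ktpass writes this same format.
    out = b"\x05\x02"
    for princ, realm, kvno, etype, key in entries:
        comps = princ.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)    # name type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key  # keyblock
        body += struct.pack(">I", kvno)                    # optional 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # Return one dict per entry: principal, kvno, etype, etype_name, weak.
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        pos += 8                     # skip name type and timestamp
        vno8 = data[pos]; pos += 1
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # Newer writers append a 32-bit kvno after the key; prefer it when nonzero.
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
                        "etype": etype, "etype_name": ETYPE_NAMES.get(etype, str(etype)),
                        "weak": etype in WEAK_ETYPES})
    return entries

# Constructed sample: the DES-only afs/cellname key at kvno 3 the ktpass line would emit.
SAMPLE_KEYTAB = build_keytab([("afs/cellname", "ADDOMAINNAME", 3, 1, bytes(8))])
```

Running parse_keytab on a real afs-keytab file's bytes lists each key's kvno and etype, which is the check recommended above before importing into the KeyFile.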
On Thu, 4 Mar 2010, Lars Schimmer wrote:
> Sorry for a bit OT question:
> I want to extend our AD with a Windows 2008R2 server with KDC enabled.
> Now I know I need to enable DES enctype again to be able to use OpenAFS
> with such a KDC, but I am a bit lost where to enable this.
> Found a few points on Google so far:
> - administrative tools for server
> - for each client separate of the AD
> But what is the real solution?
> Lars Schimmer
> --
> -------------------------------------------------------------
> TU Graz, Institut für ComputerGraphik & WissensVisualisierung
> Tel: +43 316 873-5405 E-Mail: email@example.com
> Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723