[OpenAFS] Win 2008R2 DES eanble?

Lars Schimmer l.schimmer@cgv.tugraz.at
Mon, 08 Mar 2010 13:49:20 +0100 

Hi!

Right now I got time and tried:

On 05.03.2010 01:44, Stephen Joyce wrote:
> Lars:
>=20
> I did get past the issuing of DES tickets. I have other problems (see m=
y
> recent message to the list), but I did enable DES tickets on 2008R2. I
> did the following (not all may be required).
>=20
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"

Done that.

> - In AD in the Default Domain Controllers Policy, Computer Configuratio=
n
> \ Policies \ Administrative Templates \ Ssytem/Net Logon \ "Allow
> cryptography algorithms compatible with Windows NT 4.0" (Enable). [I'd
> bet this step isn't necessary; I was grasping when I tried it and
> haven't backed out to check yet.]

I did not found the "administrative templates" in my policies section.

> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, th=
e
> DC won't talk DES to clients, even if you do extract a DES-only keytab
> (you'll see "KDC has no support for encryption type" messages).

done that.

> - Reboot the DC (at least restart the KDC process is required)

done that.

But as it is a 2nd AD server for the domain, I have not done anything to
the afs user account (it is already set with enable DES, no timeout and
accout is sensitive, do not delegate).
On 2 test accounts I enabled the "use krb DES enc types for this account".

But still on a Win7 client added to our domain and the Win 2008R2 server
as only krb5-server I got a error of "KDC has no support for encryption
type".

Any ideas, please?
Maybe the "do not delegate the afs account" is bad?

MfG,
Lars Schimmer
--=20
-------------------------------------------------------------
TU Graz, Institut f=FCr ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723