[OpenAFS] Unable to get tokens after replacing Win2k3 DC with a Win2k8 DC

Thomas Smith theitsmith@gmail.com
Mon, 18 Apr 2011 12:06:16 -0700


On Sun, Apr 17, 2011 at 6:53 PM, Jeffrey Altman
<jaltman@secure-endpoints.com> wrote:
> On 4/17/2011 9:35 PM, Thomas Smith wrote:
>> Hi,
>>
>> Our AD admins replaced our local DC. We were working great when the DC
>> was Win2k3--since they replaced it with a Win2k8 DC,
>
> Win2K8 disables the DES enctype by default. It must be enabled for AFS
> tokens.

Thanks Jeffrey.

Our AD admins have made this change--they enabled DES-CBC-MD5 (they
left DES-CBC-CRC disabled). We found another issue, though...

It seems that this RODC is creating issues for us. What appears to be
happening is the RODC issues the server a TGT. When the server
attempts to acquire a TGS, the RODC forwards the request to an RWDC
but that server doesn't honor the TGT issued by the RODC. We were able
to work around this issue by forcing Kerberos to connect to an RWDC. We
verified functionality by successfully enumerating AD user accounts.

With Kerberos working now, and with DES-CBC-MD5 enabled, we are still
getting the same RPC error. It's my understanding that AFS uses the
local krb5 install for authentication--is this the case?
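The state the thread is debugging (DES-CBC-MD5 enabled, DES-CBC-CRC left off) lives in the msDS-SupportedEncryptionTypes attribute of the account that holds the afs/<cell> service principal; the KDC will only issue that service a DES-keyed ticket, which is what an OpenAFS token is built from, if one of the two DES bits is set there. The script below is an added example, not code from this thread or from OpenAFS: it decodes the attribute's bit values (0x1 DES-CBC-CRC, 0x2 DES-CBC-MD5, 0x4 RC4-HMAC, 0x8 AES128, 0x10 AES256) and audits ldapsearch-style output for accounts that cannot get a DES ticket. The sample entries and account names (afs, jsmith, svc-legacy) are constructed for the example; an absent attribute is reported as 0, which on a Win2k8 DC means the default (no DES), matching Jeffrey's point above.

```python
"""Audit msDS-SupportedEncryptionTypes for accounts that must be able to
receive DES-keyed Kerberos service tickets (e.g. the afs/<cell> principal).

Added example; not part of the original mailing-list post or of OpenAFS.
"""

# Bit values of msDS-SupportedEncryptionTypes as Active Directory defines them.
ENCTYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
DES_MASK = 0x01 | 0x02  # either DES enctype is enough for an AFS token


def decode_enctypes(value):
    """Return the enctype names enabled in a bitmask value, lowest bit first."""
    return [name for bit, name in sorted(ENCTYPE_BITS.items()) if value & bit]


def des_available(value):
    """True if the KDC may issue this account a DES-keyed ticket."""
    return bool(value & DES_MASK)


def enable_des_cbc_md5(value):
    """Value to write back so DES-CBC-MD5 is enabled and nothing else changes
    (DES-CBC-CRC stays as it was, as the admins in the thread did)."""
    return value | 0x02


def parse_ldif_entries(text):
    """Split ldapsearch/LDIF-style output into one dict per entry.
    Entries are separated by blank lines; comment lines are ignored."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            if current:
                entries.append(current)
                current = {}
            continue
        key, _, val = line.partition(":")
        current[key.strip()] = val.strip()
    if current:
        entries.append(current)
    return entries


def audit(text):
    """Map sAMAccountName -> {value, enctypes, des_ok} for every entry.
    A missing attribute is treated as 0: on a Win2k8 DC that means the
    default set, which does not include DES."""
    report = {}
    for entry in parse_ldif_entries(text):
        name = entry.get("sAMAccountName")
        if not name:
            continue
        raw = entry.get("msDS-SupportedEncryptionTypes")
        value = int(raw) if raw is not None else 0
        report[name] = {
            "value": value,
            "enctypes": decode_enctypes(value),
            "des_ok": des_available(value),
        }
    return report


# Constructed sample output (hypothetical accounts; not real directory data).
SAMPLE_LDIF = """\
dn: CN=afs,OU=Service Accounts,DC=example,DC=com
sAMAccountName: afs
servicePrincipalName: afs/example.com
msDS-SupportedEncryptionTypes: 2

dn: CN=John Smith,OU=Users,DC=example,DC=com
sAMAccountName: jsmith
msDS-SupportedEncryptionTypes: 28

dn: CN=svc-legacy,OU=Service Accounts,DC=example,DC=com
sAMAccountName: svc-legacy
"""


if __name__ == "__main__":
    for name, info in audit(SAMPLE_LDIF).items():
        status = "OK" if info["des_ok"] else "NO DES TICKET POSSIBLE"
        print(f"{name:12} 0x{info['value']:02x} {info['enctypes']} -> {status}")
```

To change the attribute on the AD side, the raw integer from `enable_des_cbc_md5` can be written with `Set-ADUser <account> -Replace @{'msDS-SupportedEncryptionTypes'=<value>}`; note that the client side has its own switch too, since MIT krb5 1.7 and later refuse DES unless `allow_weak_crypto = true` is set in the `[libdefaults]` section of krb5.conf, so a DC that now offers DES is only half of the fix.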