[OpenAFS] Unable to get tokens after replacing Win2k3 DC with a
Tue, 19 Apr 2011 21:49:35 -0600
On Mon, Apr 18, 2011 at 1:06 PM, Thomas Smith <email@example.com> wrote:
> It seems that this RODC is creating issues for us. What appears to be
> happening is the RODC issues the server a TGT. When the server
> attempts to acquire a TGS, the RODC forwards the request to an RWDC
> but that server doesn't honor the TGT issued by the RODC. We were able
> to work around this issue by forcing Kerberos to connect to an RWDC. We
> verified functionality by successfully enumerating AD user accounts.
> With Kerberos working now, and with DES-CBC-MD5 enabled, we are still
> getting the same RPC error. It's my understanding that AFS uses the
> local krb5 install for authentication--is this the case?
Just a guess, from a Kerberos newbie: fire up wireshark and see what
type your client is asking for in the AS-REQ and/or TGS-REQ. I believe
Microsoft's RODCs insist on NT_SRV_INST, and AFS's aklog may be
failing because the principal type is NT_UNKNOWN. It would match your
"Decrypt integrity check failed" error.
See the discussions at
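The reply above suggests checking the principal name-type your client puts in the AS-REQ. The following is an added example, not code from the thread or from OpenAFS: it constructs a minimal RFC 4120 AS-REQ in DER (the sample principal, realm and etype list are made up for illustration) and decodes the cname/sname name-type and the requested encryption types, which is the same information the Kerberos dissector in Wireshark shows. A decoder like this can be run over the raw bytes of a captured AS-REQ to confirm whether a client is sending NT-UNKNOWN and whether des-cbc-md5 (etype 3) is in its offer.

```python
"""Decode principal name-types and etypes from a Kerberos AS-REQ (RFC 4120).

Added example; the AS-REQ bytes are constructed here, not captured traffic.
"""

# RFC 4120 section 6.2 principal name-type values
NAME_TYPES = {0: "NT-UNKNOWN", 1: "NT-PRINCIPAL", 2: "NT-SRV-INST",
              3: "NT-SRV-HST", 4: "NT-SRV-XHST", 5: "NT-UID",
              6: "NT-X500-PRINCIPAL", 7: "NT-SMTP-NAME", 10: "NT-ENTERPRISE"}
# RFC 3961/3962/4757 encryption type numbers
ETYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}

# ---- minimal DER encoder, used only to build the constructed sample ----
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body): return bytes([tag]) + _len(len(body)) + body
def ctx(n, body): return tlv(0xA0 | n, body)                 # [n] EXPLICIT, constructed
def integer(v): return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))
def gstring(s): return tlv(0x1B, s.encode("ascii"))          # GeneralString
def seq(*items): return tlv(0x30, b"".join(items))
def principal(name_type, parts):                             # PrincipalName
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*(gstring(p) for p in parts))))

def build_as_req(cname_type, cname, sname_type, sname, realm, etypes):
    body = seq(                                              # KDC-REQ-BODY
        ctx(0, tlv(0x03, b"\x00\x40\x80\x00\x10")),          # kdc-options (BIT STRING)
        ctx(1, principal(cname_type, cname)),                # cname
        ctx(2, gstring(realm)),                              # realm
        ctx(3, principal(sname_type, sname)),                # sname
        ctx(5, tlv(0x18, b"20110420000000Z")),               # till (GeneralizedTime)
        ctx(7, integer(0x1234)),                             # nonce
        ctx(8, seq(*(integer(e) for e in etypes))),          # etype preference list
    )
    kdc_req = seq(ctx(1, integer(5)), ctx(2, integer(10)), ctx(4, body))  # pvno, msg-type
    return tlv(0x6A, kdc_req)                                # [APPLICATION 10] AS-REQ

# ---- DER walker for the decode side ----
def _read(buf, pos=0):
    """Parse one TLV at pos; return (tag, value, next_pos). Kerberos never
    needs high-tag-number form, so a one-byte tag is assumed."""
    tag, pos = buf[pos], pos + 1
    length, pos = buf[pos], pos + 1
    if length & 0x80:                                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(buf):
    pos = 0
    while pos < len(buf):
        tag, val, pos = _read(buf, pos)
        yield tag, val

def _ctx_fields(seq_body):
    """Map context tag number [n] -> the inner TLV it wraps."""
    return {t & 0x1F: v for t, v in _children(seq_body) if t & 0xC0 == 0x80}

def _int(tlv_bytes): return int.from_bytes(_read(tlv_bytes)[1], "big")

def _principal(tlv_bytes):
    f = _ctx_fields(_read(tlv_bytes)[1])
    parts = [v.decode("ascii") for _, v in _children(_read(f[1])[1])]
    return _int(f[0]), parts

def decode_as_req(msg):
    tag, kdc_req, _ = _read(msg)
    if tag != 0x6A:
        raise ValueError("not an AS-REQ: expected [APPLICATION 10]")
    top = _ctx_fields(_read(kdc_req)[1])
    body = _ctx_fields(_read(top[4])[1])
    out = {"msg_type": _int(top[2]), "realm": _read(body[2])[1].decode("ascii")}
    for key, idx in (("cname", 1), ("sname", 3)):
        if idx in body:
            ntype, parts = _principal(body[idx])
            out[key] = ("/".join(parts), ntype, NAME_TYPES.get(ntype, "?"))
    out["etypes"] = [int.from_bytes(v, "big") for _, v in _children(_read(body[8])[1])]
    return out

def check_name_types(decoded):
    """Flag principals sent as NT-UNKNOWN, the case the reply above suspects."""
    return [f"{k} '{decoded[k][0]}' uses NT-UNKNOWN"
            for k in ("cname", "sname") if k in decoded and decoded[k][1] == 0]

# Constructed sample: a client principal asking its realm's krbtgt, offering
# AES, RC4 and des-cbc-md5 (the etype the thread mentions enabling).
SAMPLE_AS_REQ = build_as_req(1, ["afsserver"], 2, ["krbtgt", "EXAMPLE.COM"],
                             "EXAMPLE.COM", [18, 17, 23, 3])

if __name__ == "__main__":
    d = decode_as_req(SAMPLE_AS_REQ)
    print(d, check_name_types(d))
```

On a real capture, `kerberos.name_type` and `kerberos.etype` are the Wireshark display-filter fields that carry the same values this decoder extracts; name-type 0 on the cname or sname is the symptom the reply describes.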