[OpenAFS] Help with Windows, OpenAFS 1.7 and Heimdal

Billy Beaudoin wrbeaudo@ncsu.edu
Thu, 15 Dec 2011 13:38:42 -0500


Under [libdefaults] add "allow_weak_crypto = true".  It appears
Heimdal considers that weak crypto but KfW doesn't.

Billy Beaudoin
ITECS Systems
NC State University



On Thu, Dec 15, 2011 at 12:52 PM, Eric Sturdivant <sturdiva@umd.edu> wrote:
> On Thu, 15 Dec 2011, Jeffrey Altman wrote:
>
>> 32-bit NIM requires the krbv4w32.dll and krb524.dll from MIT KFW.
>> A future Heimdal distribution will bundle them as an optional install
>> item and a future NIM distribution will stop supporting Kerberos v4
>> entirely.
>>
>> For now you can copy the DLLs from the MIT distribution and place them
>> in your PATH.
>>
>
> This gets us a bit further, but now NIM fails getting AFS tokens. The error
> message is "Credentials could not be obtained for cell glue.umd.edu".
>
> aklog -d shows:
>
> C:\Users\Administrator>aklog -d
> Authenticating to cell glue.umd.edu.
> Getting v5 tickets: afs/glue.umd.edu@UMD.EDU
> Kerberos error code returned by get_cred: -1765328234
> aklog: Couldn't get glue.umd.edu AFS tickets: encryption type des-cbc-crc is disabled
>
>
> klist shows:
>
> Credentials cache: API:tender@UMD.EDU
>         Principal: tender@UMD.EDU
>     Cache version: 0
>
> Server: krbtgt/UMD.EDU@UMD.EDU
> Client: tender@UMD.EDU
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Ticket length: 307
> Auth time:  Dec 15 12:50:42 2011
> End time:   Dec 15 22:50:45 2011
> Ticket flags: pre-authent, initial, forwardable
> Addresses: addressless
>
>
>
> but the des-cbc-crc type is allowed in the KDC, klist output from a unix
> machine:
>
> Server: afs/glue.umd.edu@UMD.EDU
> Client: sturdiva@UMD.EDU
> Ticket etype: des-cbc-crc, kvno 1
> Ticket length: 310
> Auth time:  Dec 15 12:29:24 2011
> Start time: Dec 15 12:29:39 2011
> End time:   Dec 16 12:29:25 2011
> Ticket flags: forwarded, pre-authenticated, transited-policy-checked
> Addresses: IPv4:128.8.236.234
>
>
>
> Is this a local setting (on the windows machine) preventing the afs ticket
> from being acquired? (tcpdump doesn't show any communication to the kdc's
> when the aklog command is run).
>
>
> --
> Eric Sturdivant
> University of Maryland
> Office of Information Technology
> Enterprise Unix Services
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
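
Added example, not part of the original thread or of the OpenAFS or Heimdal code: a small Python check that reads klist output in the form quoted above and lists the tickets whose "Ticket etype" is single DES, which shows which service principals still depend on allow_weak_crypto. The sample text is constructed from the two klist excerpts in the thread, and the function names are hypothetical.

```python
import re

# Single-DES enctype names; the failure in the thread involves des-cbc-crc.
WEAK_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

# Constructed sample: the two klist excerpts quoted in the thread, trimmed and joined.
SAMPLE = """\
Server: krbtgt/UMD.EDU@UMD.EDU
Client: tender@UMD.EDU
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 307

Server: afs/glue.umd.edu@UMD.EDU
Client: sturdiva@UMD.EDU
Ticket etype: des-cbc-crc, kvno 1
Ticket length: 310
"""

ETYPE_RE = re.compile(r"^Ticket etype:\s*([^,\s]+)(?:,\s*kvno\s+(\d+))?")


def parse_tickets(text):
    """Return one dict per 'Server:' stanza in klist output of the quoted form."""
    tickets, current = [], None
    for raw in text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate text pasted from a quoted mail
        if line.startswith("Server:"):
            current = {"server": line.split(":", 1)[1].strip(),
                       "etype": None, "kvno": None}
            tickets.append(current)
        elif current is not None:
            m = ETYPE_RE.match(line)
            if m:
                current["etype"] = m.group(1).lower()
                current["kvno"] = int(m.group(2)) if m.group(2) else None
    return tickets


def weak_tickets(text):
    """Tickets whose 'Ticket etype' is one of the single-DES enctypes."""
    return [t for t in parse_tickets(text) if t["etype"] in WEAK_ETYPES]


if __name__ == "__main__":
    for t in weak_tickets(SAMPLE):
        print(f"{t['server']}: {t['etype']} (kvno {t['kvno']})")
```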