[OpenAFS] OpenAFS 1.6.0 and Windows 2008R2 Active Directory enctype problem

Gémes Géza geza@kzsdabas.hu
Sun, 02 Oct 2011 10:19:20 +0200


Hi,

Our school currently uses a Samba3+OpenLDAP+Heimdal combo to hold the
authentication+account databases.
OpenAFS works problem-free with this setup (once I allowed weak crypto
in Heimdal).
Sooner or later we will need to upgrade to Samba4 (which uses an Active
Directory-like database (and Heimdal internally)).
To test the effect of the upgrade on OpenAFS I've configured a Windows
2008R2 based Active Directory and a Debian (Squeeze) box (going to act
as the pt-, vl- and dafs-server for the test cell). I've followed
http://workshop.openafs.org/afsbpw06/talks/shadow-AD.pdf in creating the
KeyFile. Everything went fine until I tried to obtain AFS tokens (I
have successfully got krb5 tickets for krbtgt but not for afs) with both
aklog and afslog (from Heimdal); they give:

aklog: Couldn't get kzs.ad AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

and

afslog: krb5_afslog(<default cell>): KDC has no support for encryption type

I've tried to make the Windows2008R2 KDC accept the requested enctype
with KdcUseRequestedEtypesForTickets as described in:
http://support.microsoft.com/default.aspx?scid=kb;en-us;833708 but the
enctype problem remains. :-(

Thank you!

Geza
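The two errors quoted above are the same failure seen through two clients: the number in aklog's "unknown RPC error" line is a com_err code from the krb5 error table, and afslog simply prints its text. The following triage helper is an added example, not code from the original post or from OpenAFS: it decodes that code, interprets the service account's msDS-SupportedEncryptionTypes bitmask from AD, and checks whether any enctype the KDC will use for the afs/cell key overlaps with what the fileserver's KeyFile can decrypt. The sample aklog line and the account values are constructed; the treatment of an unset attribute as RC4-only and the set of KeyFile enctypes passed in are assumptions of the example.

```python
"""Triage helper for an 'unknown RPC error (-176532xxxx)' from aklog or
'KDC has no support for encryption type' from afslog.

Constructed example; not part of the original mailing-list post or OpenAFS.
"""
import re

# com_err error-table base for the krb5 library (ERROR_TABLE_BASE_krb5).
KRB5_ERROR_BASE = -1765328384

# Subset of krb5 KDC error codes relevant to service-ticket requests
# (RFC 4120 section 7.5.9 numbering).
KRB5_KDC_ERRORS = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # afs/cell principal not found
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",         # no usable enctype for the key
    31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
}

# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac-md5",
}

# msDS-SupportedEncryptionTypes bit flags -> enctype number (MS-KILE 2.2.7).
MSDS_ENCTYPE_FLAGS = {
    0x01: 1,    # DES_CBC_CRC
    0x02: 3,    # DES_CBC_MD5
    0x04: 23,   # RC4_HMAC_MD5
    0x08: 17,   # AES128_CTS_HMAC_SHA1_96
    0x10: 18,   # AES256_CTS_HMAC_SHA1_96
}

AKLOG_ERR_RE = re.compile(r"unknown RPC error \((-?\d+)\)")


def parse_aklog_code(line):
    """Extract the numeric com_err code from an aklog error line, or None."""
    m = AKLOG_ERR_RE.search(line)
    return int(m.group(1)) if m else None


def decode_com_err(code):
    """Map a com_err code to its krb5 error name (None if not a krb5 code)."""
    offset = code - KRB5_ERROR_BASE
    if 0 <= offset < 256:
        return KRB5_KDC_ERRORS.get(offset, "krb5 error %d" % offset)
    return None


def ad_account_enctypes(msds_value):
    """Enctypes the AD KDC will use for a service account's keys.

    Assumption for this example: an unset/zero attribute means RC4 only,
    which is the common default for an account created on a 2008R2 DC.
    """
    if not msds_value:
        return {23}
    return {etype for flag, etype in MSDS_ENCTYPE_FLAGS.items()
            if msds_value & flag}


def diagnose(aklog_line, msds_value, keyfile_enctypes):
    """Explain why the afs service ticket cannot be issued or decrypted.

    keyfile_enctypes: enctypes the fileserver can decrypt with its KeyFile
    (for a DES-only KeyFile that is {1, 3}; passed in as an assumption).
    """
    code = parse_aklog_code(aklog_line)
    error_name = decode_com_err(code) if code is not None else None
    kdc = ad_account_enctypes(msds_value)
    common = kdc & set(keyfile_enctypes)
    return {
        "error": error_name,
        "kdc_enctypes": sorted(ENCTYPE_NAMES[e] for e in kdc),
        "usable_enctypes": sorted(ENCTYPE_NAMES[e] for e in common),
        "verdict": "ok" if common else
                   "no enctype shared by the afs/cell AD key and the KeyFile",
    }


if __name__ == "__main__":
    # Constructed aklog line modelled on the one in the post.
    sample = "aklog: unknown RPC error (-1765328370) while getting AFS tickets"
    # Constructed account value: RC4 only, i.e. DES not enabled on the account.
    print(diagnose(sample, 0x04, {1, 3}))
```

Reading the output: if `verdict` reports no shared enctype while `error` is `KRB5KDC_ERR_ETYPE_NOSUPP`, the KDC-side registry switch alone cannot help, because the afs service account has no key of a type the KeyFile can use; the fix is on the account's enctype set or on the fileserver's key material, not on the client.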