Solved: [OpenAFS] OpenAFS 1.6.0 and Windows 2008R2 Active Directory enctype problem

Gémes Géza geza@kzsdabas.hu
Sun, 02 Oct 2011 12:44:24 +0200


> Hi,
>
> Our school currently uses a Samba3+OpenLDAP+Heimdal combo to hold the
> authentication+account databases.
> OpenAFS works problem-less with this setup (once I allowed weak crypto
> in Heimdal).
> Sooner or later we will need to upgrade to Samba4 (which uses an Active
> Directory like database (and Heimdal internally)).
> To test the effect of the upgrade on OpenAFS I've configured a Windows
> 2008R2 based Active Directory and a Debian (Squeeze) box (going to act
> as the OpenAFS pt- vl- and dafs- server for the testcell). I've followed
> http://workshop.openafs.org/afsbpw06/talks/shadow-AD.pdf in creating the
> KeyFile. Everything went fine until I tried to obtain afs tokens (I
> have successfully got krb5 tickets for krbtgt but not for afs) with both
> aklog and afslog (from Heimdal), they give:
>
> aklog: Couldn't get kzs.ad AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
>
> and
>
> afslog: krb5_afslog(<default cell>): KDC has no support for encryption type
>
> I've tried to make the Windows 2008R2 KDC accept the requested enctype
> with KdcUseRequestedEtypesForTickets as described in:
> http://support.microsoft.com/default.aspx?scid=kb;en-us;833708 but the
> enctype problem remains. :-(
>
> Thank you!
>
> Geza
Hi,

I've successfully solved the problem by applying the hotfix:
http://support.microsoft.com/kb/978055
And following:
http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/18419b87-8ed1-4139-80b8-0c8e09456a31/

Cheers

Geza