Still not good (Was Solved: [OpenAFS] OpenAFS 1.6.0 and Windows 2008R2 Active Directory enctype problem)

Gémes Géza geza@kzsdabas.hu
Sun, 02 Oct 2011 15:49:55 +0200


On 2011-10-02 12:44, Gémes Géza wrote:
>> Hi,
>>
>> Our school currently uses a Samba3+OpenLDAP+Heimdal combo to hold the
>> authentication+account databases.
>> OpenAFS works problem-less with this setup (once I allowed weak crypto
>> in Heimdal).
>> Sooner or later we will need to upgrade to Samba4 (which uses an Active
>> Directory like database (and Heimdal internally)).
>> To test the effect of the upgrade on OpenAFS I've configured a Windows
>> 2008R2 based Active Directory and a Debian (Squeeze) box (going to act
>> as the OpenAFS pt-, vl- and dafs-server for the test cell). I've followed
>> http://workshop.openafs.org/afsbpw06/talks/shadow-AD.pdf in creating the
>> KeyFile. Everything went fine until I tried to obtain AFS tokens (I
>> have successfully got krb5 tickets for krbtgt but not for afs) with both
>> aklog and afslog (from Heimdal); they give:
>>
>> aklog: Couldn't get kzs.ad AFS tickets:
>> aklog: unknown RPC error (-1765328370) while getting AFS tickets
>>
>> and
>>
>> afslog: krb5_afslog(<default cell>): KDC has no support for encryption type
>>
>> I've tried to make the Windows2008R2 KDC accept the requested enctype
>> with KdcUseRequestedEtypesForTickets as described in:
>> http://support.microsoft.com/default.aspx?scid=kb;en-us;833708 but the
>> enctype problem remains. :-(
>>
>> Thank you!
>>
>> Geza
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
> Hi,
>
> I've successfully solved the problem by applying the hotfix:
> http://support.microsoft.com/kb/978055
> And following:
> http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/18419b87-8ed1-4139-80b8-0c8e09456a31/
>
> Cheers
>
> Geza
Hi,

My previous optimism was a little bit premature, now I can successfully
acquire tokens, but authenticating to openafs (1.6.0) still fails. E.g.:

# vos listvldb -server localhost
VLDB entries for server localhost
Could not access the VLDB for attributes
rxk: security object was passed a bad ticket

After:
# kdestroy
# vos listvldb -server localhost
vsu_ClientInit: Could not get afs tokens, running unauthenticated.
VLDB entries for server localhost

root.afs
    RWrite: 536870912
    number of sites -> 1
       server winbind.kzs.ad partition /vicepa RW Site

Total entries: 1

Thanks for any idea!

Geza
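As an added check that is not part of the original thread: a POSIX sh snippet that parses MIT-format `klist -e` output (the sample below is constructed, not the author's real ticket cache) and reports whether the afs/ service ticket's session-key and ticket enctypes are single DES, which is the only enctype family the rxkad in OpenAFS 1.6.0 can decrypt. A non-DES ticket enctype issued by the AD KDC is one plausible cause of `rxk: security object was passed a bad ticket`; that it applies to this thread's setup is an assumption, not something the page confirms, and Heimdal's `klist` prints a different layout that this parser does not handle.

```shell
#!/bin/sh
# Constructed sample of MIT `klist -e` output (not real data): the afs ticket
# has a DES session key but an AES-encrypted ticket, which a DES-only KeyFile
# cannot decrypt.
SAMPLE_KLIST_BAD='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geza@KZS.AD

Valid starting       Expires              Service principal
10/02/2011 15:30:00  10/03/2011 01:30:00  krbtgt/KZS.AD@KZS.AD
	Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
10/02/2011 15:31:00  10/03/2011 01:30:00  afs/kzs.ad@KZS.AD
	Etype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96'

# Constructed sample where both enctypes are single DES (what rxkad needs).
SAMPLE_KLIST_OK='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: geza@KZS.AD

Valid starting       Expires              Service principal
10/02/2011 15:31:00  10/03/2011 01:30:00  afs/kzs.ad@KZS.AD
	Etype (skey, tkt): des-cbc-crc, des-cbc-crc'

# Read klist -e output on stdin; print "<skey etype> <tkt etype>" for the
# first afs or afs/<cell> service ticket found.
afs_ticket_etypes() {
  awk '
    /[[:space:]]afs(\/[^@[:space:]]*)?@/ { want = 1; next }
    want && /Etype \(skey, tkt\):/ {
      sub(/.*Etype \(skey, tkt\):[[:space:]]*/, "")
      gsub(/,/, "")
      print $1, $2
      exit
    }
    { want = 0 }
  '
}

# Return 0 when both enctypes of the afs ticket are single DES (assumed here
# to be the only family OpenAFS 1.6.0 rxkad accepts), 1 when a non-DES
# enctype is present, 2 when no afs ticket was found in the output.
rxkad_compatible() {
  set -- $(printf '%s\n' "$1" | afs_ticket_etypes)
  [ "$#" -eq 2 ] || return 2
  for et in "$1" "$2"; do
    case "$et" in
      des-cbc-crc|des-cbc-md5|des-cbc-md4) ;;
      *) echo "non-DES enctype in afs ticket: $et" >&2; return 1 ;;
    esac
  done
  return 0
}
```

On a live system, run `klist -e | afs_ticket_etypes` after `kinit` and `aklog` to see the enctypes the KDC actually issued for the afs principal.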