[OpenAFS] Samba4 KDC afs service principal?

Gémes Géza geza@kzsdabas.hu
Sat, 15 Oct 2011 00:29:42 +0200


In testing for our organization's migration from an
OpenLDAP/Heimdal/Samba3 based authentication infrastructure to a Samba4
one, I've set up a domain. Created a user principal called afs (with
enctypes: des-cbc-crc and des-cbc-md5) and set up an SPN for it:
afs/cell@REALM (initially was trying with afs@REALM, but from the KDC
logs saw that client requested afs/cell@REALM so changed it). Exported
it to a keytab which was successfully built with asetkey into a KeyFile.
But when I try to do an aklog with a keytab as Administrator@REALM, it
aklog: Couldn't get "cell" AFS tickets:
aklog: unknown RPC error (-1765328324) while getting AFS tickets
In theory Samba4 (the KDC part being Heimdal) should obey the setting
allow_weak_crypto=true from the [kdc] section of krb5.conf. (That
assumption I'm going to check with the samba-technical mailing list).

Thanks for any idea!