[OpenAFS] Kerberos 1.10.1 and OpenAFS

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 04 Apr 2012 10:23:03 -0400


The 1.10 Kerberos distribution does not support weak encryption types
such as DES out of the box.  If you do not explicitly enable support for
weak encryption types it won't matter what keys you have on service
principals or what other configuration is specified, weak encryption
keys simply will not be used.   This is an incremental step towards the
removal of weak encryption types such as DES from the Kerberos ecosystem.


The AFS service principal must have a working DES key.  If it doesn't,
you cannot obtain service tickets for AFS that are usable.



On 4/4/2012 10:04 AM, Steve Devine wrote:
> MSU is preparing to upgrade from MIT Kerberos 1.6x to 1.10.1. While
> doing some testing of client access I discovered that I was not able to
> get a token (aklog) after kinit-ing to the test server.
> In order to make this work we needed to put the following line in the
> /etc/krb5.conf on the Kerberos KDC.
> allow_weak_crypto = true
>
> This seems odd to me. I expected to need to do this on the client side,
> not the server. This is related to the afs principal in the KDC no
> doubt, but I'm not sure why.  Any thoughts?
>
> If this question belongs on the Kerberos list let me know.
>
> Thanks
>
> Steve Devine
> Content and Collaboration
> Information Technology Services
> Michigan State University


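
An added example, not part of the original thread: a small Python check for the setting discussed above. It reads krb5.conf text and reports whether `allow_weak_crypto` is turned on in `[libdefaults]` and whether a DES enctype is named in the enctype lists there. The sample file, realm and host names are constructed, and the accepted boolean spellings are an assumption.

```python
import re

# Assumption: spellings treated as "true" for a krb5.conf boolean.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
# [libdefaults] options that list encryption types.
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
# Single-DES enctype names, plus the "des" family shorthand.
DES_NAMES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def libdefaults(text):
    """Yield (key, value) pairs found in the [libdefaults] section."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def audit(text):
    """Report weak-crypto findings; any occurrence that enables it is flagged."""
    weak_enabled, des_listed = False, []
    for key, value in libdefaults(text):
        if key == "allow_weak_crypto" and value.lower() in TRUE_WORDS:
            weak_enabled = True
        elif key in ENCTYPE_KEYS:
            names = re.split(r"[,\s]+", value.lower())
            des_listed += [(key, n) for n in names if n in DES_NAMES]
    return {"allow_weak_crypto": weak_enabled, "des_enctypes": des_listed}

# Constructed sample input, not a configuration from the thread.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc

[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Run against each host's krb5.conf, this gives an inventory of where DES is still enabled, which is the list to work down once the AFS service principal no longer depends on a DES key.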