[OpenAFS] OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about
Thu, 05 Jan 2012 10:07:09 -0500
As part of an AFS/Kerberos upgrade project I am building a test cell to
mimic what we may eventually have in production by using Microsoft
Active Directory as my KDC. This test cell has one Windows Server 2008
R2 box running Active Directory and one RHEL 6.1 box with the OpenAFS
software running on it.
I'm following the guide and the 'Verifying the AFS Initialization
Script' section where aklog is run for the first time is where I am
stuck. I can kinit and get a ticket from AD but when I aklog I get an
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw171@PITT.EDU
Valid starting Expires Service principal
01/05/12 09:35:12 01/05/12 19:35:14 krbtgt/PITT.EDU@PITT.EDU
renew until 01/12/12 09:35:12
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
It seems that error means the KDC does not support DES-CBC-CRC. I added
'allow_weak_crypto = true' to /etc/krb5.conf, same error. I created a
GPO in AD which allows DES-CBC-CRC and applied this GPO to the 'Domain
Controllers' container. Same error with aklog. What else do I have to
do to make DES-CBC-CRC work in Active Directory 2008?
I noticed there is a box which says 'Use Kerberos DES encryption types
for this account' in the settings of each account. Do I need to set
that? Just on the afs principal/user or on every user of AFS in the
realm? I exported the key for the afs principal from AD using 'ktpass
-princ afs/pitt.edu@PITT.EDU -mapuser afs -pass * -crypto DES-CBC-MD5
-out afs.keytab'. Do I need to do the export and asetkey again after
the changes I made?
Also, is there a way to have all our users in AD without enabling DES?
I recall hearing that it was possible by having an MIT Kerberos box to
hold the AFS principal alone with DES enabled but have all the user
principals in AD without DES.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
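A small checker for what ktpass actually wrote into afs.keytab, added here as an example and not part of the original post: it parses the MIT keytab format (version 0x0502) and flags single-DES entries, so the enctype and kvno can be confirmed before running asetkey. The sample keytab bytes and key material are constructed, not taken from any real cell.

```python
import struct
# Kerberos enctype numbers (RFC 3961, RFC 3962, RFC 4757) mapped to their names.
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK_ENCTYPES = {1, 2, 3}  # single DES: MIT krb5 refuses these unless allow_weak_crypto = true

def parse_keytab(data):
    """Parse an MIT-format keytab (version 0x0502) into a list of entry dicts, keys omitted."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size = struct.unpack(">i", data[pos:pos + 4])[0]
        pos += 4
        if size < 0:                      # a negative size marks a deleted slot of that length
            pos -= size
            continue
        end = pos + size
        ncomp = struct.unpack(">H", data[pos:pos + 2])[0]
        pos += 2
        strings = []                      # realm comes first, then the name components
        for _ in range(ncomp + 1):
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strings.append(data[pos + 2:pos + 2 + n].decode("utf-8"))
            pos += 2 + n
        name_type, timestamp, vno8, enctype, klen = struct.unpack(">IIBHH", data[pos:pos + 13])
        pos += 13 + klen                  # skip the key material itself
        kvno = vno8
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one when non-zero
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or vno8
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": kvno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, "unknown-%d" % enctype)})
    return entries

def weak_entries(entries):
    # Entries that a KDC with DES disabled will not be able to serve tickets for.
    return [e for e in entries if e["enctype"] in WEAK_ENCTYPES]

def make_entry(realm, comps, enctype, key, kvno):
    # Serialize one keytab entry; used here only to build the constructed sample below.
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode("utf-8")
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample (dummy key bytes): afs/pitt.edu with one DES-CBC-MD5 key and one AES-256 key.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + make_entry("PITT.EDU", ["afs", "pitt.edu"], 3, b"\x11" * 8, 2)
                 + make_entry("PITT.EDU", ["afs", "pitt.edu"], 18, b"\x22" * 32, 2))
```

Run `parse_keytab(open("afs.keytab", "rb").read())` against a real export to see the same fields that `klist -k -e -t` reports.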