[OpenAFS] OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeff White jaw171@pitt.edu
Thu, 05 Jan 2012 10:07:09 -0500


As part of an AFS/Kerberos upgrade project I am building a test cell to 
mimic what we may eventually have in production by using Microsoft 
Active Directory as my KDC.  This test cell has one Windows Server 2008 
R2 box running Active Directory and one RHEL 6.1 box with the OpenAFS 
software running on it.

I'm following the guide, and the 'Verifying the AFS Initialization 
Script' section, where aklog is run for the first time, is where I am 
stuck.  I can kinit and get a ticket from AD, but when I aklog I get an 
error:

$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw171@PITT.EDU

Valid starting     Expires            Service principal
01/05/12 09:35:12  01/05/12 19:35:14  krbtgt/PITT.EDU@PITT.EDU
         renew until 01/12/12 09:35:12

$ aklog
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

It seems that error means the KDC does not support DES-CBC-CRC.  I added 
'allow_weak_crypto = true' to /etc/krb5.conf, same error.  I created a 
GPO in AD which allows DES-CBC-CRC and applied this GPO to the 'Domain 
Controllers' container.  Same error with aklog.  What else do I have to 
do to make DES-CBC-CRC work in Active Directory 2008?

I noticed there is a box which says 'Use Kerberos DES encryption types 
for this account' in the settings of each account, do I need to set 
that?  Just on the afs principal/user or on every user of AFS in the 
realm?  I exported the key for the afs principal from AD using 'ktpass 
-princ afs/pitt.edu@PITT.EDU -mapuser afs -pass * -crypto DES-CBC-MD5 
-out afs.keytab'.  Do I need to do the export and asetkey again after 
the changes I made?

Also, is there a way to have all our users in AD without enabling DES?  
I recall hearing that it was possible by having an MIT Kerberos box to 
hold the AFS principal alone with DES enabled but have all the user 
principals in AD without DES.

-- 
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
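[Editor's added example; this is not part of Jeff's message and not OpenAFS or MIT Kerberos code.]  The quickest way to tell whether AD is actually able to issue a DES ticket for the afs principal, independent of aklog, is to ask for the service ticket directly ('kvno afs/pitt.edu@PITT.EDU') and then look at the enctypes with 'klist -e': if the afs/pitt.edu ticket comes back with a non-DES enctype, the afs account in AD has no DES key that the KDC is willing to use, and aklog's explicit request for DES gets the error above.  The script below decodes the numeric krb5 error from the post (-1765328370 is 14 past the com_err base of the MIT krb5 error table, i.e. KRB5KDC_ERR_ETYPE_NOSUPP) and classifies the afs ticket from 'klist -e' output.  The cell and realm names are the ones from the post; the two klist listings are constructed samples, not captures from Jeff's cell, in the short enctype-name format recent MIT klist prints.

```python
"""Decode aklog's krb5 error code and check what enctype the KDC issued
for the afs/<cell> service ticket, from `klist -e` output.

Added editor example, not code from the original post.  The sample
listings are constructed for illustration.
"""
import re

# com_err base of the MIT krb5 error table; RFC 4120 section 7.5.9 KDC
# error codes are offsets from it:  -1765328384 + 14 = -1765328370.
KRB5_ERROR_TABLE_BASE = -1765328384

# Subset of the KDC error codes an AD/DES integration commonly hits.
KDC_ERRORS = {
    0: "KRB5KDC_ERR_NONE",
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",  # "KDC has no support for encryption type"
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

# The only enctypes rxkad (the classic AFS token format) can use.
DES_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

# "MM/DD/YY HH:MM:SS  MM/DD/YY HH:MM:SS  service@REALM"
_TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$"
)
# Continuation line that `klist -e` appends to each ticket.
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")


def decode_krb5_error(code):
    """Map a com_err code such as -1765328370 to its KRB5KDC_ERR_* name, or None."""
    return KDC_ERRORS.get(code - KRB5_ERROR_TABLE_BASE)


def parse_klist(text):
    """Return {service principal: (session-key enctype, ticket enctype)}."""
    tickets = {}
    current = None
    for line in text.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            current = m.group(1)
            tickets[current] = (None, None)
            continue
        m = _ETYPE_RE.search(line)
        if m and current:
            tickets[current] = (m.group(1), m.group(2))
    return tickets


def check_afs_ticket(text, cell, realm):
    """Classify the afs/<cell>@<REALM> ticket as 'missing', 'des' or 'non-des'.

    rxkad needs a DES session key, and the ticket enctype shows which of
    the afs account's long-term keys the KDC chose; a non-DES value means
    the KDC has no usable DES key for that account.
    """
    entry = parse_klist(text).get(f"afs/{cell}@{realm}")
    if entry is None:
        return ("missing", None, None)
    skey, tkt = entry
    status = "des" if skey in DES_ENCTYPES and tkt in DES_ENCTYPES else "non-des"
    return (status, skey, tkt)


# Constructed sample: AD issued the afs ticket with RC4 (no DES key usable).
SAMPLE_NO_DES = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw171@PITT.EDU

Valid starting     Expires            Service principal
01/05/12 09:35:12  01/05/12 19:35:14  krbtgt/PITT.EDU@PITT.EDU
    renew until 01/12/12 09:35:12, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/05/12 09:36:40  01/05/12 19:35:14  afs/pitt.edu@PITT.EDU
    renew until 01/12/12 09:35:12, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Constructed sample: the afs ticket came back as DES, which aklog can use.
SAMPLE_DES = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw171@PITT.EDU

Valid starting     Expires            Service principal
01/05/12 09:35:12  01/05/12 19:35:14  krbtgt/PITT.EDU@PITT.EDU
    renew until 01/12/12 09:35:12, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
01/05/12 09:36:40  01/05/12 19:35:14  afs/pitt.edu@PITT.EDU
    renew until 01/12/12 09:35:12, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

if __name__ == "__main__":
    print("aklog error -1765328370 =", decode_krb5_error(-1765328370))
    for label, sample in (("no-DES cell", SAMPLE_NO_DES), ("DES cell", SAMPLE_DES)):
        print(label, "->", check_afs_ticket(sample, "pitt.edu", "PITT.EDU"))
```

To use it against a real cache, run 'kinit', then 'kvno afs/pitt.edu@PITT.EDU', then pipe 'klist -e' into check_afs_ticket; a 'non-des' result means the fix lies on the KDC side (the afs account's keys and allowed enctypes), not in the client's krb5.conf.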