[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeff White jaw171@pitt.edu
Mon, 09 Jan 2012 11:05:45 -0500

Thanks for the reply.  I'm not sure what about short names would cause 
problems but I recall hearing about that with AD before so I'll assume 
it's just a weird thing/bug with Windows.  I originally created a logon 
name of 'afs' not 'afs/pitt.edu' so ktpass or something changed it.  I 
started over with an account named afs-pitt-edu-cell, exported the key, 
imported the key, and of course it still has the DES error as expected.  
Do you think the KdcUseRequestedEtypesForTickets registry change which I 
can't implement without breaking everything as I mentioned before is why 
DES is failing?  I can see in gpresult that DES should be allowed  and 
the DES box is checked on the account so other than that or the 
attributes Douglas Engert mentioned I don't know what could be wrong and 
I'll have to admit defeat and give up.

C:\Users\jaw171.AFSDC-DEV>ktpass -princ afs/pitt.edu@PITT.EDU -mapuser 
edu-cell -pass * -crypto DES-CBC-MD5 +rndpass /mapop add +desonly /ptype 
_PRINCIPAL +dumpsalt -out afs-pitt-edu-cell.keytab
Targeting domain controller: AFSDC-DEV.pitt.edu
Using legacy password setting method
Successfully mapped afs/pitt.edu to afs-pitt-edu-cell.
Building salt with principalname afs/pitt.edu and domain PITT.EDU (encryption type 3)...
Hashing password with salt "PITT.EDUafspitt.edu".
Key created.
Output keytab to afs-pitt-edu-cell.keytab:
Keytab version: 0x502
keysize 48 afs/pitt.edu@PITT.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x57100bd91a01155d)
Account afs-pitt-edu-cell has been set for DES-only encryption.

On 01/08/2012 11:50 AM, Jeffrey Altman wrote:
> Separate from your DES issues, there are two serious problems here.
> 1. You are creating an account with a logon name of "afs/pitt.edu"
> instead of something like "afs-pitt-edu-cell" and then setting a Service
> Principal Name of "afs/pitt.edu@PITT.EDU" on that account.
> The slash in Kerberos is a name component separator.  When aklog
> requests a ticket for "afs/pitt.edu@PITT.EDU" it is asking the PITT.EDU
> KDC for the principal
>    "afs" "pitt.edu"
> Not the principal
>    "afs/pitt.edu"
> 2. You cannot give the account the name "AFS" or have a short name of
> "AFS".  Doing so will cause name resolution of "afs@PITT.EDU" to succeed
> which will in turn break all of your deployed Windows AFS clients.
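The following Python is an added illustration of the two technical points in this exchange; it is not code from either poster, from OpenAFS, MIT Kerberos or ktpass. It parses principal strings the way Jeffrey Altman describes (the slash is a component separator, so afs/pitt.edu@PITT.EDU is the two-component name "afs" "pitt.edu"), and it reads a keytab in the 0x502 file format that ktpass wrote above, reporting which principals carry only single-DES keys (etype 3 is DES-CBC-MD5, as in the output). The keytab bytes, the key value, the timestamp and the second principal are constructed for the example; only the principal afs/pitt.edu@PITT.EDU, vno 5 and etype 3 come from the message. The entry layout follows the MIT keytab file format.

```python
"""Inspect a krb5 keytab (file format 0x502) and flag DES-only service keys.
Added example (not OpenAFS, MIT Kerberos or ktpass code); standard library only.
Entry layout follows the MIT keytab file format; all sample bytes are constructed."""
import struct
from collections import namedtuple

SINGLE_DES = {1, 2, 3}  # des-cbc-crc, des-cbc-md4, des-cbc-md5 (RFC 3961 numbers)
KRB5_NT_PRINCIPAL = 1   # the "ptype 1" shown in the ktpass output

KeytabEntry = namedtuple("KeytabEntry", "components realm name_type timestamp vno enctype key")

def principal_name(e):
    return "/".join(e.components) + "@" + e.realm

def parse_principal(text):
    """Split 'afs/pitt.edu@PITT.EDU' into (['afs', 'pitt.edu'], 'PITT.EDU'): '/' separates
    components, the first unescaped '@' starts the realm, a backslash escapes the next char."""
    comps, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            cur.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch in "/@":
            comps.append("".join(cur))
            cur, in_realm = [], ch == "@"
        else:
            cur.append(ch)
        i += 1
    return (comps, "".join(cur)) if in_realm else (comps + ["".join(cur)], None)

def _take(fmt, data, pos):
    """Unpack big-endian fields at pos and return (values, new_pos)."""
    return struct.unpack_from(fmt, data, pos), pos + struct.calcsize(fmt)

def _read_octets(data, pos):
    (n,), pos = _take(">H", data, pos)               # 16-bit length, then the bytes
    return data[pos:pos + n].decode(), pos + n

def _octets(b):
    return struct.pack(">H", len(b)) + b

def encode_entry(e):
    body = struct.pack(">H", len(e.components)) + _octets(e.realm.encode())
    for c in e.components:
        body += _octets(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.vno & 0xFF)
    body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
    body += struct.pack(">I", e.vno)                  # optional 32-bit vno trailer
    return struct.pack(">i", len(body)) + body        # positive size = live entry

def encode_keytab(entries):
    return b"\x05\x02" + b"".join(encode_entry(e) for e in entries)

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % (data[:2],))
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,), pos = _take(">i", data, pos)
        if size < 0:                                  # negative size = deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,), pos = _take(">H", data, pos)
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c)
        (name_type, ts, vno), pos = _take(">IIB", data, pos)
        (enctype, klen), pos = _take(">HH", data, pos)
        key, pos = data[pos:pos + klen], pos + klen
        if end - pos >= 4:                            # 32-bit vno overrides the 8-bit field
            (vno,), _ = _take(">I", data, pos)
        entries.append(KeytabEntry(comps, realm, name_type, ts, vno, enctype, key))
        pos = end
    return entries

def des_only_principals(entries):
    """Principals whose every key in the keytab is a single-DES enctype."""
    seen = {}
    for e in entries:
        seen.setdefault(principal_name(e), set()).add(e.enctype)
    return sorted(p for p, ets in seen.items() if ets <= SINGLE_DES)

# Constructed sample: the first entry mirrors the ktpass output above (vno 5, etype 3
# DES-CBC-MD5, 8-byte key) with a made-up key; the second principal, its AES-256 key
# and both timestamps are invented for contrast.
SAMPLE_ENTRIES = [
    KeytabEntry(["afs", "pitt.edu"], "PITT.EDU", KRB5_NT_PRINCIPAL, 1326124800, 5, 3, bytes(range(8))),
    KeytabEntry(["host", "fs1.example.test"], "PITT.EDU", KRB5_NT_PRINCIPAL, 1326124800, 2, 18, bytes(32)),
]
SAMPLE_KEYTAB = encode_keytab(SAMPLE_ENTRIES)
# The same keytab with a 3-byte deleted slot ahead of the first entry.
SAMPLE_KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -3) + b"\0\0\0" + SAMPLE_KEYTAB[2:]
```

Running parse_keytab over a real file (open(path, "rb").read()) and then des_only_principals on the result tells you, before touching any KDC setting, whether the keytab ktpass produced holds only an 8-byte DES key for the cell principal or whether stronger enctypes are present as well.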