[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Ted Creedon tcreedon@easystreet.net
Mon, 9 Jan 2012 08:11:26 -0800



I think the encryption is incorrect. Should be: DES-CBC-CRC


tedc

On Mon, Jan 9, 2012 at 8:05 AM, Jeff White <jaw171@pitt.edu> wrote:

> Thanks for the reply.  I'm not sure what about short names would cause
> problems but I recall hearing about that with AD before so I'll assume it's
> just a weird thing/bug with Windows.  I originally created a logon name of
> 'afs' not 'afs/pitt.edu' so ktpass or something changed it.  I started
> over with an account named afs-pitt-edu-cell, exported the key, imported
> the key, and of course it still has the DES error as expected.  Do you
> think the KdcUseRequestedEtypesForTickets registry change which I can't
> implement without breaking everything as I mentioned before is why DES is
> failing?  I can see in gpresult that DES should be allowed and the DES box
> is checked on the account so other than that or the attributes Douglas
> Engert mentioned I don't know what could be wrong and I'll have to admit
> defeat and give up.
>
> C:\Users\jaw171.AFSDC-DEV>ktpass -princ afs/pitt.edu@PITT.EDU -mapuser afs-pitt-edu-cell -pass * -crypto DES-CBC-MD5 +rndpass /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out afs-pitt-edu-cell.keytab
> Targeting domain controller: AFSDC-DEV.pitt.edu
> Using legacy password setting method
> Successfully mapped afs/pitt.edu to afs-pitt-edu-cell.
> Building salt with principalname afs/pitt.edu and domain PITT.EDU (encryption type 3)...
> Hashing password with salt "PITT.EDUafspitt.edu".
> Key created.
> Output keytab to afs-pitt-edu-cell.keytab:
> Keytab version: 0x502
> keysize 48 afs/pitt.edu@PITT.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x57100bd91a01155d)
> Account afs-pitt-edu-cell has been set for DES-only encryption.
>
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
>
> On 01/08/2012 11:50 AM, Jeffrey Altman wrote:
>
>> Separate from your DES issues, there are two serious problems here.
>>
>> 1. You are creating an account with a logon name of "afs/pitt.edu"
>> instead of something like "afs-pitt-edu-cell" and then setting a Service
>> Principal Name of "afs/pitt.edu@PITT.EDU" on that account.
>>
>> The slash in Kerberos is a name component separator.  When aklog
>> requests a ticket for "afs/pitt.edu@PITT.EDU" it is asking the PITT.EDU
>> KDC for the principal
>>
>>   "afs" "pitt.edu"
>>
>> Not the principal
>>
>>   "afs/pitt.edu"
>>
>> 2. You cannot give the account the name "AFS" or have a short name of
>> "AFS".  Doing so will cause name resolution of "afs@PITT.EDU" to succeed
>> which will in turn break all of your deployed Windows AFS clients.
>>
>>
>>
>>
>> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>

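The ktpass output quoted above (keytab version 0x502, a 48-byte entry, etype 0x3, an 8-byte key) and Jeffrey Altman's point that "afs/pitt.edu@PITT.EDU" is the two-component principal "afs" "pitt.edu" in realm PITT.EDU can both be checked mechanically. The following is an added example, not code from the thread or from OpenAFS: it builds and parses entries in the MIT keytab v2 layout (big-endian; component count, counted realm and component strings, name type, timestamp, 8-bit kvno, enctype, counted key, optional trailing 32-bit kvno) and audits the result for DES enctypes and for a bare single-component "afs" name. The key bytes and the second AES entry are constructed sample values; the 48-byte size ktpass reports for afs/pitt.edu@PITT.EDU with an 8-byte DES key is exactly what this layout produces without the trailing kvno, which is why the example reproduces it.

```python
import struct

# Kerberos enctype numbers from the RFC 3961 registry. The three DES types
# (what ktpass emits for -crypto DES-CBC-MD5 / DES-CBC-CRC) are deprecated.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
DES_ETYPES = {1, 2, 3}


def parse_principal(name):
    """Split 'afs/pitt.edu@PITT.EDU' into (['afs', 'pitt.edu'], 'PITT.EDU').
    '/' separates name components, '@' separates the realm."""
    local, sep, realm = name.rpartition("@")
    if not sep:                      # no '@': the whole string is the local part
        local, realm = name, ""
    return local.split("/"), realm


def build_entry(principal, etype, kvno, key, name_type=1, timestamp=0):
    """Serialize one MIT keytab v2 entry without the optional trailing 32-bit kvno."""
    comps, realm = parse_principal(principal)
    body = struct.pack(">H", len(comps))
    for s in [realm, *comps]:        # realm first, then each component, as counted strings
        raw = s.encode()
        body += struct.pack(">H", len(raw)) + raw
    body += struct.pack(">IIBH", name_type, timestamp, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body   # signed 32-bit entry size prefix


def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)       # 0x0502 magic = keytab version 2


def _counted(data, off):
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n].decode(), off + n


def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # a negative size marks a deleted slot: skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        name_type, _ts, vno8, etype = struct.unpack_from(">IIBH", data, off)
        off += 11
        (klen,) = struct.unpack_from(">H", data, off)
        off += 2
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # newer writers append a full 32-bit kvno
            (kvno,) = struct.unpack_from(">I", data, off)
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm, "components": comps,
            "realm": realm, "name_type": name_type, "kvno": kvno, "etype": etype,
            "etype_name": ETYPE_NAMES.get(etype, f"etype {etype}"),
            "key_len": len(key), "entry_size": size,
        })
    return entries


def audit(entries):
    """Findings a defender wants from a service keytab: DES keys and bare 'afs' names."""
    findings = []
    for e in entries:
        if e["etype"] in DES_ETYPES:
            findings.append(f'{e["principal"]}: DES key ({e["etype_name"]}, kvno {e["kvno"]})')
        if e["components"] == ["afs"]:
            findings.append(f'{e["principal"]}: single-component "afs" name (short-name collision)')
    return findings


def demo():
    """Constructed sample keytab: one DES entry shaped like the quoted ktpass output, one AES entry."""
    des_key = bytes.fromhex("0123456789abcdef")            # constructed, not the thread's key
    keytab = build_keytab([
        build_entry("afs/pitt.edu@PITT.EDU", 3, 5, des_key),
        build_entry("afs/pitt.edu@PITT.EDU", 18, 6, bytes(32)),
    ])
    return parse_keytab(keytab), audit(parse_keytab(keytab))


if __name__ == "__main__":
    parsed, findings = demo()
    for e in parsed:
        print(e["entry_size"], e["principal"], e["components"], e["etype_name"], e["kvno"])
    print(findings)
```

Running the block prints the two entries and one finding for the DES key; pointing `parse_keytab` at the bytes of a real keytab file gives the same report for a deployed cell.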