[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES
Jeff White
jaw171@pitt.edu
Mon, 09 Jan 2012 11:19:56 -0500
Same error (-1765328370) even with DES-CBC-CRC.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
On 01/09/2012 11:11 AM, Ted Creedon wrote:
> I think the encryption is incorrect. Should be: DES-CBC-CRC
>
>
> tedc
>
> On Mon, Jan 9, 2012 at 8:05 AM, Jeff White <jaw171@pitt.edu> wrote:
>
> Thanks for the reply. I'm not sure what about short names would
> cause problems but I recall hearing about that with AD before so
> I'll assume it's just a weird thing/bug with Windows. I
> originally created a logon name of 'afs' not 'afs/pitt.edu' so
> ktpass or something changed it. I started
> over with an account named afs-pitt-edu-cell, exported the key,
> imported the key, and of course it still has the DES error as
> expected. Do you think the KdcUseRequestedEtypesForTickets
> registry change which I can't implement without breaking
> everything as I mentioned before is why DES is failing? I can see
> in gpresult that DES should be allowed and the DES box is checked
> on the account so other than that or the attributes Douglas Engert
> mentioned I don't know what could be wrong and I'll have to admit
> defeat and give up.
>
> C:\Users\jaw171.AFSDC-DEV>ktpass -princ afs/pitt.edu@PITT.EDU -mapuser afs-pitt-edu-cell -pass * -crypto DES-CBC-MD5 +rndpass /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out afs-pitt-edu-cell.keytab
> Targeting domain controller: AFSDC-DEV.pitt.edu
> Using legacy password setting method
> Successfully mapped afs/pitt.edu to afs-pitt-edu-cell.
> Building salt with principalname afs/pitt.edu and domain PITT.EDU (encryption type 3)...
> Hashing password with salt "PITT.EDUafspitt.edu".
> Key created.
> Output keytab to afs-pitt-edu-cell.keytab:
> Keytab version: 0x502
> keysize 48 afs/pitt.edu@PITT.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 5 etype 0x3 (DES-CBC-MD5) keylength 8 (0x57100bd91a01155d)
> Account afs-pitt-edu-cell has been set for DES-only encryption.
>
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
>
> On 01/08/2012 11:50 AM, Jeffrey Altman wrote:
>
> Separate from your DES issues, there are two serious problems
> here.
>
> 1. You are creating an account with a logon name of "afs/pitt.edu"
> instead of something like "afs-pitt-edu-cell" and then setting a Service
> Principal Name of "afs/pitt.edu@PITT.EDU" on that account.
>
> The slash in Kerberos is a name component separator. When aklog
> requests a ticket for "afs/pitt.edu@PITT.EDU" it is asking the PITT.EDU
> KDC for the principal
>
> "afs" "pitt.edu"
>
> Not the principal
>
> "afs/pitt.edu"
>
> 2. You cannot give the account the name "AFS" or have a short name of
> "AFS". Doing so will cause name resolution of "afs@PITT.EDU" to succeed
> which will in turn break all of your deployed Windows AFS clients.
>
>
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
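Added example, not from anyone in this thread: a small Python script that decodes the error number Jeff reports (-1765328370 is the MIT krb5 com_err value for KRB5KDC_ERR_ETYPE_NOSUPP, the KDC refusing the requested encryption type), splits the service principal into components the way a KDC does (Jeffrey Altman's point about the slash), rebuilds the salt string ktpass printed, and serialises the entry ktpass described into the MIT keytab 0x502 layout and parses it back, confirming the "keysize 48" and checking the DES key for odd parity and weak-key values. The entry timestamp is not shown by ktpass, so 0 is an assumed placeholder.

```python
import struct

# com_err base of the krb5 error table (KRB5KDC_ERR_NONE); the RFC 4120
# protocol error codes are added to it to give the negative numbers that
# aklog/kinit print.
KRB5KDC_ERR_BASE = -1765328384
KDC_ERR_NAMES = {
    0: "KRB5KDC_ERR_NONE",
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
}

def krb5_error_name(code):
    """Map a numeric krb5 error as printed by aklog/kinit to its symbol."""
    return KDC_ERR_NAMES.get(code - KRB5KDC_ERR_BASE, "unknown (%d)" % code)

def parse_principal(text):
    """'afs/pitt.edu@PITT.EDU' -> (['afs', 'pitt.edu'], 'PITT.EDU').
    The slash separates components; the KDC looks up two components, not
    one name that happens to contain a slash."""
    name, realm = text.rsplit("@", 1)
    return name.split("/"), realm

def default_salt(components, realm):
    """Default Kerberos salt: realm, then the components with no separators.
    Reproduces the 'PITT.EDUafspitt.edu' that ktpass printed."""
    return realm + "".join(components)

def _cos(b):
    """counted_octet_string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b

def build_keytab_entry(components, realm, name_type, timestamp, vno, etype, key):
    """One MIT keytab 0x502 entry: int32 size, then the big-endian body."""
    body = struct.pack(">H", len(components)) + _cos(realm.encode())
    for c in components:
        body += _cos(c.encode())
    body += struct.pack(">IIB", name_type, timestamp, vno & 0xFF)
    body += struct.pack(">H", etype) + _cos(key)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries):
    return b"\x05\x02" + b"".join(entries)

def parse_keytab(data):
    """Parse a 0x502 keytab into dicts; a negative size marks a deleted slot."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []

    def cos(p):
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        end = pos + abs(size)
        if size < 0:
            pos = end
            continue
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = cos(pos)
        comps = []
        for _ in range(ncomp):
            c, pos = cos(pos)
            comps.append(c.decode())
        name_type, timestamp, vno = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (etype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = cos(pos)
        if end - pos >= 4:  # optional 32-bit kvno extension
            (vno,) = struct.unpack_from(">I", data, pos)
        entries.append({"size": size, "components": comps, "realm": realm.decode(),
                        "name_type": name_type, "timestamp": timestamp,
                        "vno": vno, "etype": etype, "key": key})
        pos = end
    return entries

# The four DES weak keys; MIT krb5 also rejects the twelve semi-weak ones.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe",
    "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")}

def des_key_ok(key):
    """DES key sanity: 8 bytes, odd parity in every byte, not a weak key."""
    return (len(key) == 8
            and all(bin(b).count("1") % 2 == 1 for b in key)
            and key not in DES_WEAK_KEYS)

# Fields copied from the ktpass output in the thread; ktpass does not print
# the entry timestamp, so 0 here is an assumed placeholder.
SAMPLE_ENTRY = build_keytab_entry(
    ["afs", "pitt.edu"], "PITT.EDU", name_type=1, timestamp=0, vno=5,
    etype=3, key=bytes.fromhex("57100bd91a01155d"))
SAMPLE_KEYTAB = build_keytab([SAMPLE_ENTRY])

if __name__ == "__main__":
    print(krb5_error_name(-1765328370))
    for e in parse_keytab(SAMPLE_KEYTAB):
        comps, realm = e["components"], e["realm"]
        print("size %d  %s@%s  etype %d  vno %d  des_ok=%s  salt=%s" % (
            e["size"], "/".join(comps), realm, e["etype"], e["vno"],
            des_key_ok(e["key"]), default_salt(comps, realm)))
```

The computed entry size of 48 matches the "keysize 48" ktpass printed, which shows that the keytab Jeff produced carries exactly the fields ktpass listed and nothing more; with the file itself in hand, `parse_keytab(open(path, "rb").read())` gives the same check on a real keytab.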