[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jason Edgecombe jason@rampaginggeek.com
Tue, 10 Jan 2012 18:25:41 -0500


Would you dump that into the bug tracker or the wiki for future 
reference? Updating the docs would be ideal ;)

Thanks,
Jason

On 01/10/2012 11:39 AM, Jeff White wrote:
> I decided to scrap my Windows box and start over again.  I was able to 
> get it work this time but I don't know what was different that made it 
> work.  I am able to get a ticket as the AFS principal and things seem 
> to be working, at least until I run into the next problem.  For those 
> who care these are my notes from the one that worked:
>
>  10. On the Windows Active Directory server, enable DES encryption
>      types for Kerberos
>         1. Create a GPO called 'Allow_DES'
>         2. Configure the following entry to allow all encryption types
>            listed
>               1. Computer Configuration -> Policies -> Windows Settings
>                  -> Local Policies -> Security Options -> Networking
>                  security: Configure encryption types allowed for
>                  Kerberos
>         3. Link the 'Allow_DES' GPO to the 'Domain Controllers' OU.
>         4. Reboot.
>  11. Create a user in AD called 'afs-pitt-edu-cell'.
>  12. In the settings for the AFS user check 'Use Kerberos DES
>      encryption types for this account' then change the password.
>  13. Export the keytab for it.  Note the KVNO.
>         1. ktpass -princ afs/pitt.edu@PITT.EDU -mapuser
>            afs-pitt-edu-cell -pass * -crypto DES-CBC-CRC +rndpass
>            /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out
>            afs-pitt-edu-cell.keytab
>  14. Copy the keytab to afs-dev-03.cssd as
>      /etc/afs-pitt-edu-cell.keytab and make it root readable
>         1. chmod 600 /etc/afs.keytab
>  15. Using the KVNO from earlier add the keytab to AFS
>         1. asetkey add 4 /etc/afs.keytab afs/pitt.edu@PITT.EDU
>
> Thanks to everyone for their help.
>
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
>
> On 01/10/2012 10:02 AM, Andrew Deason wrote:
>> On Mon, 09 Jan 2012 17:13:57 -0500
>> Jeff White <jaw171@pitt.edu> wrote:
>>
>>> Other possibly useful pieces of information:
>>>
>>> sAMAccountName: afs
>>> userPrincipalName: afs/pitt.edu@PITT.EDU
>> Just one more possible guess: are you sure you're talking to the
>> right kdc? I would expect the windows event log will log something when
>> a failure occurs when you do things like:
>>
>>>> [root@afs-dev-03 ~]# kinit afs/pitt.edu@PITT.EDU
>>>> kinit: Client not found in Kerberos database while getting initial
>>>> credentials
>> And maybe the log event would give more useful information. I don't
>> really expect it to, but you never know. A more accurate test may be to
>> try 'kinit -k -t afs.keytab afs/pitt.edu@PITT.EDU' or
>> 'kvno afs/pitt.edu@PITT.EDU' (after you've "kinit"d with a normal
>> princ), but of course the error you've already given is an issue.
>>
>
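An added example, not code from this thread or from OpenAFS/MIT krb5: a small Python reader for the MIT keytab format (the 0x0502 layout that ktpass and MIT tools write) that reports each entry's principal, KVNO and enctype and flags single-DES and RC4 keys. It lets you read the KVNO for `asetkey add` straight out of the exported file instead of noting it by hand, and a DES-only keytab like the one described above shows up as a finding when you inventory keytabs later. The sample keytab, the host principal and all key bytes are constructed inside the block; the enctype numbers are the registered Kerberos values.

```python
import struct

# Kerberos enctype numbers (RFC 3961 registry); names follow MIT krb5.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    2: "des-cbc-md4",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
# Single-DES variants and RC4: what MIT krb5 gates behind allow_weak_crypto.
WEAK_ENCTYPES = {1, 2, 3, 23}


def _counted(data, off):
    """Read a 16-bit big-endian length-prefixed octet string at off."""
    (n,) = struct.unpack_from(">H", data, off)
    off += 2
    return data[off:off + n], off + n


def build_keytab(entries):
    """Build an MIT keytab (format 0x0502) from (principal, realm, kvno, enctype, key).
    Only used here to construct sample input for parse_keytab/audit_keytab."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1326216000)   # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype)
        body += struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse an MIT keytab into dicts with principal, kvno, enctype and weak flag."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format %r" % data[:2])
    off = 2
    entries = []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                # negative size marks a deleted slot; skip it
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:           # a non-zero 32-bit vno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append({
            "principal": "/".join(comps) + "@" + realm.decode(),
            "kvno": kvno,
            "enctype": enctype,
            "enctype_name": ENCTYPE_NAMES.get(enctype, "enctype-%d" % enctype),
            "weak": enctype in WEAK_ENCTYPES,
            "key_len": len(key),
        })
    return entries


def audit_keytab(data, expected_principal):
    """Return (kvno, findings): the KVNO to hand to asetkey, plus warnings."""
    entries = [e for e in parse_keytab(data) if e["principal"] == expected_principal]
    findings = []
    if not entries:
        findings.append("no entry for %s" % expected_principal)
        return None, findings
    kvnos = {e["kvno"] for e in entries}
    if len(kvnos) > 1:
        findings.append("multiple kvnos present: %s" % sorted(kvnos))
    for e in entries:
        if e["weak"]:
            findings.append("%s kvno %d uses weak enctype %s"
                            % (e["principal"], e["kvno"], e["enctype_name"]))
    return max(kvnos), findings


# Constructed sample: a DES-only AFS key at kvno 4 (as in the notes above) plus an
# unrelated AES host key. Key bytes and the host principal are made up.
SAMPLE_KEYTAB = build_keytab([
    ("afs/pitt.edu", "PITT.EDU", 4, 1, bytes.fromhex("0123456789abcdef")),
    ("host/afs-dev-03.cssd", "PITT.EDU", 2, 18, bytes(32)),
])

if __name__ == "__main__":
    kvno, findings = audit_keytab(SAMPLE_KEYTAB, "afs/pitt.edu@PITT.EDU")
    print("asetkey add %d <keytab> afs/pitt.edu@PITT.EDU" % kvno)
    for f in findings:
        print("WARNING:", f)
```

Pointing `audit_keytab` at the bytes of a real keytab file (read in binary mode) gives the KVNO for the `asetkey add` step and one warning per weak-enctype entry; the AES host entry in the sample produces no finding.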