[OpenAFS] Krb auth working but unable to acquire token on any clients

Thomas Smith theitsmith@gmail.com
Sun, 22 Jan 2012 22:57:16 -0700


I am getting the following errors when attempting to get a token from =
our AFS server:

    aklog: Couldn't get domain.tld AFS tickets:
    aklog: unknown RPC error (-1765328370) while getting AFS tickets

I get this exact error on all *NIX-based systems (Linux and Mac). My =
Windows clients get a different error but with the same result--they are =
unable to acquire a token.

aklog: Couldn't get domain.tld AFS tickets: KDC has no support for =
encryption type

Kerberos authentication is working fine on all clients--Windows, Linux =
and Mac.

Everything that I've found so far regarding these errors points to a =
problem with DES support on the KDC (Server 2008 R2), but I've confirmed =
with our admins that this is enabled. In fact, the server has been =
working for nearly a year without any problems, authenticating against =
the same Win2k8 servers.

The one thing that did change in the last day or two was that our admins =
updated Windows on our GCs. Otherwise, I'm told that no configuration =
changes were made--just Windows Updates (which includes SP1).

Can anyone offer any insight into this problem? I'm not really sure =
where to go from here.

Note that we are on OpenAFS 1.4.12 on the Linux boxes (server and =
clients), 1.5.9904 on our Windows clients (with some older versions of =
the 1.5.x series out there too), and 1.6.1 on our Mac clients.

~ Tom

PS: Our admins just sent me an error they discovered in the event logs =
that may be relevant:

"While processing a TGS request for the target server afs/domain.tld, =
the account user@domain.tld did not have a suitable key for generating a =
Kerberos ticket (the missing key has an ID of 8). The requested etypes =
were 1. The accounts available etypes were 23  -133  -128  18  17  3  =