[OpenAFS] Krb auth working but unable to acquire token on any clients

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 23 Jan 2012 04:41:56 -0500


On 1/23/2012 12:57 AM, Thomas Smith wrote:
> Hi,
>
> I am getting the following errors when attempting to get a token from our AFS server:
>
>     aklog: Couldn't get domain.tld AFS tickets:
>     aklog: unknown RPC error (-1765328370) while getting AFS tickets

Kerberos v5 error -1765328370 = KDC has no support for encryption type

You need to turn on support for DES-CBC-CRC or DES-CBC-MD5.

> I get this exact error on all *NIX-based systems (Linux and Mac). My Windows clients get a different error but with the same result--they are unable to acquire a token.
>
> aklog: Couldn't get domain.tld AFS tickets: KDC has no support for encryption type

Same error.

> Kerberos authentication is working fine on all clients--Windows, Linux and Mac.
>
> Everything that I've found so far regarding these errors points to a problem with DES support on the KDC (Server 2008 R2), but I've confirmed with our admins that this is enabled. In fact, the server has been working for nearly a year without any problems, authenticating against the same Win2k8 servers.
>
> The one thing that did change in the last day or two was that our admins updated Windows on our GCs. Otherwise, I'm told that no configuration changes were made--just Windows Updates (which includes SP1).

They obviously updated the policy to disable support for DES.
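
Added example, not part of the original message: a small decoder showing how the number aklog printed as an "unknown RPC error" maps to the Kerberos error named above. It assumes the standard com_err packing (table name in the upper 24 bits, offset in the low 8 bits); the function names are hypothetical and the name table is only a subset of the RFC 4120 error numbers.

```python
import re

# Character set com_err uses to pack an error-table name, 6 bits per character.
_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Subset of RFC 4120 protocol error numbers (offsets inside the "krb5" table).
KRB5_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
}


def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table_name, offset)."""
    u = code & 0xFFFFFFFF          # reinterpret the signed value as unsigned
    offset = u & 0xFF              # low 8 bits: index within the error table
    packed = u >> 8                # upper 24 bits: up to four packed characters
    name = ""
    for shift in (18, 12, 6, 0):
        idx = (packed >> shift) & 0x3F
        if idx:                    # 0 means "no character in this slot"
            name += _CHARSET[idx - 1]
    return name, offset


def explain(line):
    """Return a symbolic name for the numeric code in an aklog-style line."""
    m = re.search(r"\((-?\d+)\)", line)
    if not m:
        return None
    table, offset = decode_com_err(int(m.group(1)))
    if table != "krb5":
        return f"{table}+{offset}"  # some other error table; report it raw
    return KRB5_ERRORS.get(offset, f"krb5 error {offset}")


if __name__ == "__main__":
    # Error line as quoted in the message above.
    sample = "aklog: unknown RPC error (-1765328370) while getting AFS tickets"
    print(decode_com_err(-1765328370), explain(sample))
```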


