[OpenAFS] Krb auth working but unable to acquire token on any clients

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 23 Jan 2012 04:41:56 -0500


On 1/23/2012 12:57 AM, Thomas Smith wrote:
> Hi,
> I am getting the following errors when attempting to get a token from our AFS server:
>     aklog: Couldn't get domain.tld AFS tickets:
>     aklog: unknown RPC error (-1765328370) while getting AFS tickets

Kerberos v5 error -1765328370 = KDC has no support for encryption type

You need to turn on support for DES-CBC-CRC or DES-CBC-MD5.

> I get this exact error on all *NIX-based systems (Linux and Mac). My Windows clients get a different error but with the same result--they are unable to acquire a token.
> aklog: Couldn't get domain.tld AFS tickets: KDC has no support for encryption type

Same error.

> Kerberos authentication is working fine on all clients--Windows, Linux and Mac.
> Everything that I've found so far regarding these errors points to a problem with DES support on the KDC (Server 2008 R2), but I've confirmed with our admins that this is enabled. In fact, the server has been working for nearly a year without any problems, authenticating against the same Win2k8 servers.
> The one thing that did change in the last day or two was that our admins updated Windows on our GCs. Otherwise, I'm told that no configuration changes were made--just Windows Updates (which includes SP1).

They obviously updated the policy to disable support for DES.

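Added example, not part of the original message and not OpenAFS code: a small triage helper showing why the numeric *NIX error and the textual Windows error in this thread are the same failure. It assumes the standard krb5 com_err table base (-1765328384), which places RFC 4120 protocol error N at base + N; the function names and the short error table are illustrative.

```python
import re

# Base of the "krb5" com_err table. A KDC protocol error N (RFC 4120)
# surfaces in client tools as KRB5_TABLE_BASE + N.
KRB5_TABLE_BASE = -1765328384

# Small subset of RFC 4120 error codes with their usual message text.
KDC_ERRORS = {
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14: ("KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    37: ("KRB_AP_ERR_SKEW", "Clock skew too great"),
}

NUMERIC = re.compile(r"\((-?\d+)\)")

def classify(line):
    """Return (protocol_code, name) for an aklog error line, or None."""
    m = NUMERIC.search(line)
    if m:
        offset = int(m.group(1)) - KRB5_TABLE_BASE
        # Offsets 0..127 are protocol errors; higher offsets are library errors.
        if 0 <= offset < 128:
            return offset, KDC_ERRORS.get(offset, ("unlisted",))[0]
    # No usable number: fall back to matching the message text.
    lowered = line.lower()
    for code, (name, text) in KDC_ERRORS.items():
        if text.lower() in lowered:
            return code, name
    return None

def same_failure(lines):
    """True when every line classifies to one and the same protocol error."""
    results = {classify(line) for line in lines}
    return len(results) == 1 and None not in results

# The two client errors quoted in this thread.
THREAD_LINES = [
    "aklog: unknown RPC error (-1765328370) while getting AFS tickets",
    "aklog: Couldn't get domain.tld AFS tickets: KDC has no support for encryption type",
]

if __name__ == "__main__":
    for line in THREAD_LINES:
        print(classify(line), "<-", line)
    print("same failure on all clients:", same_failure(THREAD_LINES))
```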