[OpenAFS] Krb auth working but unable to acquire token on any clients
Mon, 23 Jan 2012 10:26:12 -0700
On Jan 23, 2012, at 2:41 AM, Jeffrey Altman wrote:
> On 1/23/2012 12:57 AM, Thomas Smith wrote:
>> I am getting the following errors when attempting to get a token from our AFS server:
>> aklog: Couldn't get domain.tld AFS tickets:
>> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> Kerberos v5 error -1765328370 = KDC has no support for encryption
> You need to turn on support for DES-CBC-CRC or DES-CBC-MD5.
>> I get this exact error on all *NIX-based systems (Linux and Mac). My Windows clients get a different error but with the same result--they are unable to acquire a token.
>> aklog: Couldn't get domain.tld AFS tickets: KDC has no support for
> Same error.
>> Kerberos authentication is working fine on all clients--Windows, Linux and Mac.
>> Everything that I've found so far regarding these errors points to a problem with DES support on the KDC (Server 2008 R2), but I've confirmed with our admins that this is enabled. In fact, the server has been working for nearly a year without any problems, authenticating against the same Win2k8 servers.
>> The one thing that did change in the last day or two was that our admins updated Windows on our GCs. Otherwise, I'm told that no configuration changes were made--just Windows Updates (which includes
> They obviously updated the policy to disable support for DES.
Yeah, something happened but they're telling me that they haven't disabled DES-CBC-MD5 (what I asked them to enable when we migrated to Win2k8)--they checked the policies (and sent me a screenshot) showing that it is in fact enabled.
Is there anything else I can do on the AFS server or Windows client to provide them additional details as evidence? They are currently looking for problems with my AFS setup, not with their GCs.
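
Added example, not part of the original thread: the number aklog printed as "unknown RPC error (-1765328370)" is a com_err code, whose upper 24 bits pack the error-table name and whose low 8 bits are the offset within that table. The Python below decodes it to table "krb5", offset 14, which is the RFC 4120 protocol error KDC_ERR_ETYPE_NOSUPP returned by the KDC. The function names are illustrative and the RFC 4120 dictionary is a small subset chosen for this example.

```python
# Added example: decode a com_err error code such as the one aklog printed.
# 6-bit alphabet used by com_err to pack a table name (index 1 = 'A').
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Subset of RFC 4120 section 7.5.9 error codes (assumption: not the full list).
RFC4120_ERRORS = {
    6: ("KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14: ("KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    24: ("KDC_ERR_PREAUTH_FAILED", "Pre-authentication information was invalid"),
    37: ("KRB_AP_ERR_SKEW", "Clock skew too great"),
}


def table_name(code):
    """Recover the com_err table name packed into bits 8..31 of the code."""
    packed = ((code & 0xFFFFFFFF) >> 8) & 0xFFFFFF
    name = ""
    for shift in (18, 12, 6, 0):          # four 6-bit characters, high to low
        idx = (packed >> shift) & 0x3F
        if idx:                           # 0 means "no character"
            name += CHARSET[idx - 1]
    return name


def decode(code):
    """Split a signed 32-bit com_err code into table, offset and meaning."""
    table = table_name(code)
    offset = code & 0xFF
    result = {"table": table, "offset": offset, "symbol": None,
              "text": None, "kdc_protocol_error": False}
    # In the krb5 table, offsets below 128 mirror the protocol error codes
    # carried in a KRB-ERROR message; higher offsets are library-local errors.
    if table == "krb5" and offset < 128:
        result["kdc_protocol_error"] = True
        if offset in RFC4120_ERRORS:
            result["symbol"], result["text"] = RFC4120_ERRORS[offset]
    return result


if __name__ == "__main__":
    for value in (-1765328370,):          # the code quoted in the thread
        print(value, decode(value))
```

A protocol-level code in this range is carried in the KDC's KRB-ERROR reply, so a packet capture of the failing TGS exchange taken on the client will show the same error code 14 alongside the encryption types the client requested.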