[OpenAFS] Krb auth working but unable to acquire token on any clients
   
    Thomas Smith
     
    theitsmith@ThomasSmith.info
       
    Mon, 23 Jan 2012 10:23:09 -0700
    
    
  
On Jan 23, 2012, at 2:41 AM, Jeffrey Altman wrote:
> On 1/23/2012 12:57 AM, Thomas Smith wrote:
>> Hi,
>>
>> I am getting the following errors when attempting to get a token from our AFS server:
>>
>>    aklog: Couldn't get domain.tld AFS tickets:
>>    aklog: unknown RPC error (-1765328370) while getting AFS tickets
>
> Kerberos v5 error -1765328370 = KDC has no support for encryption type
>
> You need to turn on support for DES-CBC-CRC or DES-CBC-MD5.
>
>> I get this exact error on all *NIX-based systems (Linux and Mac). My Windows clients get a different error but with the same result--they are unable to acquire a token.
>>
>> aklog: Couldn't get domain.tld AFS tickets: KDC has no support for encryption type
>
> Same error.
>
>> Kerberos authentication is working fine on all clients--Windows, Linux and Mac.
>>
>> Everything that I've found so far regarding these errors points to a problem with DES support on the KDC (Server 2008 R2), but I've confirmed with our admins that this is enabled. In fact, the server has been working for nearly a year without any problems, authenticating against the same Win2k8 servers.
>>
>> The one thing that did change in the last day or two was that our admins updated Windows on our GCs. Otherwise, I'm told that no configuration changes were made--just Windows Updates (which includes SP1).
>
> They obviously updated the policy to disable support for DES.

Something happened, but they're telling me that they haven't disabled DES-CBC-MD5--they checked the policies (and sent me a screenshot) showing that it is in fact enabled.

Is there anything I can do on the AFS server or Windows client to provide them additional details as evidence? They are currently looking for problems with my AFS setup, not with their GCs.
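
Added example, not part of the original message or of OpenAFS: how the number in aklog's "unknown RPC error (-1765328370)" decodes to the Kerberos error named in the quoted reply. It assumes the com_err encoding (a table name packed as 6-bit characters above an 8-bit offset); the names `decode_com_err`, `explain` and the partial `KRB5_ERRORS` table are illustrative.

```python
"""Decode a com_err error code such as the one aklog printed."""

# Alphabet com_err uses to pack a table name into 6-bit characters (1-based).
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")

# Partial, hand-built list of krb5 table offsets; in this table they equal
# the RFC 4120 protocol error numbers. Only a few entries are included.
KRB5_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: client not found in Kerberos database",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN: server not found in Kerberos database",
    14: "KDC_ERR_ETYPE_NOSUPP: KDC has no support for encryption type",
    24: "KDC_ERR_PREAUTH_FAILED: preauthentication failed",
}


def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table name, offset)."""
    raw = code & 0xFFFFFFFF          # view the signed value as unsigned 32-bit
    offset = raw & 0xFF              # low 8 bits: index within the table
    packed = (raw >> 8) & 0xFFFFFF   # next 24 bits: up to four 6-bit chars
    name = ""
    for shift in (18, 12, 6, 0):
        ch = (packed >> shift) & 0x3F
        if ch:                       # 0 means "no character" (short names)
            name += CHARSET[ch - 1]
    return name, offset


def explain(code):
    """Return a readable description for a com_err code."""
    table, offset = decode_com_err(code)
    if table == "krb5":
        text = KRB5_ERRORS.get(offset, "not in this partial table")
    else:
        text = "table not covered by this example"
    return f"{table}+{offset}: {text}"


if __name__ == "__main__":
    # Value quoted in the message above.
    print(explain(-1765328370))
```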