[OpenAFS] Re: Multiple Kerberos realm support
Douglas E. Engert
Fri, 11 May 2012 11:13:32 -0500
On 5/10/2012 5:24 PM, Andrew Deason wrote:
> On Thu, 10 May 2012 17:17:09 -0500
> Andrew Deason<email@example.com> wrote:
>>> This might be a problem:
>>> [root@afs-dev-03 ~]# kinit -kt /var/tmp/afskerbuser.keytab
>>> kinit: KDC has no support for encryption type while getting initial
>> That's a little confusing, since the KDC granted you a service ticket
>> with a DES enctype earlier:
> Er, no, this is RHEL6, with MIT krb5 1.9 iirc, which disables DES by
> default. If the cause of that is what I think it is, that's a really
> confusing error message, since it's not the KDC that's refusing the
> request. Add the following:
> allow_weak_crypto = true
> to the [libdefaults] section of /etc/krb5.conf, and try that again.
It could also be 2008 has DES turned off, and may not give you a TGT with DES.
A wireshark trace of the KRB5 packets would reveal what is actually happening.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
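
Added example, not part of the original messages: a client-side check for the case Andrew describes, where the local MIT krb5 library, not the KDC, refuses DES because `allow_weak_crypto` is not set in `[libdefaults]`. It compares the krb5.conf text with `klist -kte` style output; the sample config, principal names and keytab listing are constructed, and the list of weak enctype names is an assumption limited to single DES.

```python
import re

# Single-DES enctype names, refused by the client unless allow_weak_crypto is set
# (assumed subset of the weak list).
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample inputs (not taken from the thread).
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM
# allow_weak_crypto = true
[realms]
    EXAMPLE.COM = { kdc = kdc.example.com }
"""
SAMPLE_KLIST = """Keytab name: FILE:/var/tmp/afskerbuser.keytab
KVNO Timestamp         Principal
---- ----------------- ------------------------------------
   3 05/10/12 17:00:00 afskerbuser@EXAMPLE.COM (des-cbc-crc)
   2 05/10/12 17:00:00 host/afs-dev-03@EXAMPLE.COM (des-cbc-crc)
   2 05/10/12 17:00:00 host/afs-dev-03@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

def weak_crypto_allowed(krb5_conf_text):
    """Return True if [libdefaults] sets allow_weak_crypto to a true value."""
    section, allowed = None, False
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "allow_weak_crypto":
                allowed = value.lower() in TRUE_VALUES
    return allowed

def keytab_enctypes(klist_output):
    """Map principal -> set of enctype names from `klist -kte` style output."""
    result = {}
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+.*?(\S+@\S+)\s+\(([^)]+)\)\s*$", line)
        if m:
            result.setdefault(m.group(1), set()).add(m.group(2).lower())
    return result

def diagnose(krb5_conf_text, klist_output):
    """Principals whose only keys are weak while the client refuses weak crypto."""
    if weak_crypto_allowed(krb5_conf_text):
        return []
    return sorted(p for p, e in keytab_enctypes(klist_output).items() if e <= WEAK_ENCTYPES)
```

Principals returned by `diagnose` are the ones that fail locally without `allow_weak_crypto` and are candidates for re-keying with a stronger enctype.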