[OpenAFS] Re: Multiple Kerberos realm support
Douglas E. Engert
deengert@anl.gov
Fri, 11 May 2012 11:13:32 -0500
On 5/10/2012 5:24 PM, Andrew Deason wrote:
> On Thu, 10 May 2012 17:17:09 -0500
> Andrew Deason<adeason@sinenomine.net> wrote:
>
>>> This might be a problem:
>>> [root@afs-dev-03 ~]# kinit -kt /var/tmp/afskerbuser.keytab
>>> afs/pitt.edu@UNIV.PITT.EDU
>>> kinit: KDC has no support for encryption type while getting initial
>>> credentials
>>
>> That's a little confusing, since the KDC granted you a service ticket
>> with a DES enctype earlier:
>
> Er, no, this is RHEL6, with MIT krb5 1.9 iirc, which disables DES by
> default. If the cause of that is what I think it is, that's a really
> confusing error message, since it's not the KDC that's refusing the
> request. Add the following:
>
> allow_weak_crypto = true
>
> to the [libdefaults] section of /etc/krb5.conf, and try that again.
It could also be that 2008 has DES turned off, and may not give you a TGT with DES.
A Wireshark trace of the KRB5 packets would reveal what is actually happening.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
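
An added example, not part of the original thread: a small check that reads the `[libdefaults]` section of a krb5.conf and reports whether the client library itself would reject a DES-only keytab before the KDC's answer matters, which is the distinction the two replies above are trying to draw. The sample configuration, the realm name, the enctype list (as you would copy it from `klist -ke`) and the helper names are constructed for illustration; the default of `false` for `allow_weak_crypto` is assumed, matching the "disables DES by default" behaviour described in the thread.

```python
import re

# Single-DES enctype names that MIT krb5 classes as weak.
WEAK_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1"}
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

def parse_libdefaults(conf_text):
    """Return the key/value pairs found in the [libdefaults] section."""
    settings, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # krb5.conf comments are whole lines
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def weak_crypto_allowed(conf_text):
    """True only when allow_weak_crypto is explicitly enabled (assumed default: false)."""
    value = parse_libdefaults(conf_text).get("allow_weak_crypto", "false")
    return value.lower() in TRUE_WORDS

def likely_refuser(conf_text, keytab_enctypes):
    """Heuristic: 'client' if the local library would reject every key in the keytab,
    otherwise 'check-kdc' (look at the KDC side, e.g. with a packet trace)."""
    only_des = all(e.lower() in WEAK_DES for e in keytab_enctypes)
    if keytab_enctypes and only_des and not weak_crypto_allowed(conf_text):
        return "client"
    return "check-kdc"

# Constructed sample configurations (not taken from the thread).
DEFAULT_CONF = """[libdefaults]
 default_realm = EXAMPLE.ORG
 # allow_weak_crypto = true

[realms]
 EXAMPLE.ORG = {
  kdc = kdc.example.org
 }
"""
FIXED_CONF = DEFAULT_CONF.replace("# allow_weak_crypto", "allow_weak_crypto")

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("fixed", FIXED_CONF)):
        print(name, likely_refuser(conf, ["des-cbc-crc"]))
```
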