[OpenAFS] enctype issues with Heimdal and debian for afs/cell

Coy Hile Coy.Hile@COYHILE.COM
Fri, 19 Jul 2013 10:11:37 +0000


Hi all,

After some time, I'm finally getting around to putting my personal cell back up (this time on debian with openafs-1.6.4 from wheezy-backports and Heimdal).

My afs/cell principal is setup thusly:

kadmin> get afs/coyhile.com
            Principal: afs/coyhile.com@COYHILE.COM
    Principal expires: never
     Password expires: never
 Last password change: 2013-07-19 10:00:32 UTC
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 3
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2013-07-19 10:00:32 UTC
             Modifier: kadmin/admin@COYHILE.COM
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], des-cbc-md5(pw-salt())[3]
          PK-INIT ACL:
              Aliases:

kadmin> ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
kadmin>

and in krb5.conf, I do have allow_weak_crypto = true in libdefaults.

All in all, Heimdal is working fine, but aklog is failing to get me tokens:

chaos:/var/log # kinit admin
admin@COYHILE.COM's Password:
chaos:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
        Principal: admin@COYHILE.COM

  Issued                Expires               Principal
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  krbtgt/COYHILE.COM@COYHILE.COM
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  afs/coyhile.com@COYHILE.COM
chaos:/var/log # aklog -d
Authenticating to cell coyhile.com (server chaos.coyhile.com).
Trying to authenticate to user's realm COYHILE.COM.
Getting tickets: afs/coyhile.com@COYHILE.COM
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get coyhile.com AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
chaos:/var/log #

and in the KDC logs, I see this:

2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- admin@COYHILE.COM using aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- admin@COYHILE.COM
2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 Requested flags: renewable, forwardable
2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
2013-07-19T10:07:40 TGS-REQ admin@COYHILE.COM from IPv4:37.153.98.57 for afs/coyhile.com@COYHILE.COM [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/coyhile.com@COYHILE.COM) has no support for etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client

Does *everything* need a DES key, or just the afs/cell principal?

-c
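An added example, not from the post or from OpenAFS/Heimdal: a small Python parser for Heimdal KDC log lines of the shape quoted above. It decodes the raw com_err number (-1765328370 is 14 past the krb5 error-table base, i.e. KRB5KDC_ERR_ETYPE_NOSUPP) and pairs each "has no support for etypes" line with the server principal and the enctypes the client offered, which is the first thing to check when aklog fails this way. The sample log is constructed from the post.

```python
import re

# Raw Kerberos error numbers are KRB5_ERROR_BASE + the KRB5KDC_ERR_* code
# (com_err "krb5" table): -1765328370 is base + 14, KRB5KDC_ERR_ETYPE_NOSUPP.
KRB5_ERROR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",  # KDC has no support for encryption type
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
}
ENCTYPES_RE = re.compile(r"Client supported enctypes: (.+?), using (\S+)")
NOSUPP_RE = re.compile(r"Server \((\S+)\) has no support for etypes")
ERROR_RE = re.compile(r"tgs-req: sending error: (-?\d+) to client")


def decode_krb5_error(code):
    """Map a raw com_err number (as printed by aklog and the KDC) to its name."""
    offset = code - KRB5_ERROR_BASE
    return KRB5_ERROR_NAMES.get(offset, "UNKNOWN_KRB5_ERROR(%d)" % offset)


def diagnose_kdc_log(lines):
    """Pair every 'has no support for etypes' line with the error the KDC then
    sent, and record the enctypes the client offered in its AS-REQ."""
    report = {"client_enctypes": [], "failures": []}
    pending = None  # server principal of an etype failure awaiting its error code
    for line in lines:
        m = ENCTYPES_RE.search(line)
        if m:
            report["client_enctypes"] = [e.strip() for e in m.group(1).split(",")]
            continue
        m = NOSUPP_RE.search(line)
        if m:
            pending = m.group(1)
            continue
        m = ERROR_RE.search(line)
        if m and pending:
            report["failures"].append((pending, decode_krb5_error(int(m.group(1)))))
            pending = None
    return report


# Constructed sample modelled on the KDC log quoted in the post.
SAMPLE_LOG = """\
2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 Server (afs/coyhile.com@COYHILE.COM) has no support for etypes
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
""".splitlines()

if __name__ == "__main__":
    for server, err in diagnose_kdc_log(SAMPLE_LOG)["failures"]:
        print("%s -> %s" % (server, err))
```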