[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Andrew Deason adeason@sinenomine.net
Thu, 25 Jul 2013 10:55:02 -0500


On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
Benjamin Kaduk <kaduk@MIT.EDU> wrote:

> The short version is: a misconfigured KDC can cause problems for new
> clients against old servers.

If that's true, we need to say specifically what that misconfiguration
is, so people can check for it and avoid it. I'm not aware of any way
to create such a configuration (that behavior sounds instead like a KDC
bug to me, without knowing any further details).

In particular with AD, the AFS service account must already have the
USE_DES_KEY_ONLY userAccountControl bit set in order for us to work at
all with plain rxkad. Lars, do you know if the "Use Kerberos DES
encryption types for this account" account option is checked for the AFS
service account? Do you see any errors in wherever the Windows client
normally logs errors? Can you access that path if you destroy your
tokens?

-- 
Andrew Deason
adeason@sinenomine.net
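
The userAccountControl check asked about in the message above can be made from an LDIF export of the service account. This is an added example, not code from the thread or from OpenAFS; the account names, DNs and values in the sample are constructed, and it assumes the attributes were exported as LDIF text.

```python
import re

# Documented userAccountControl bits (subset); USE_DES_KEY_ONLY is the bit the
# message refers to, shown in the GUI as "Use Kerberos DES encryption types
# for this account".
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",
}
USE_DES_KEY_ONLY = 0x200000

# Constructed sample export: hypothetical accounts in a hypothetical domain.
SAMPLE_LDIF = """\
dn: CN=afs,CN=Users,DC=example,DC=org
sAMAccountName: afs
userAccountControl: 2163200

dn: CN=afs-nodes,CN=Users,DC=example,DC=org
sAMAccountName: afs-nodes
userAccountControl: 66048
"""

def parse_ldif(text):
    """Return one dict per LDIF entry, with lower-cased attribute names."""
    text = re.sub(r"\n ", "", text)          # unfold LDIF continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                      # skip comments and junk lines
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if entry:
            entries.append(entry)
    return entries

def des_only_report(ldif_text):
    """Map account name -> decoded flags and whether USE_DES_KEY_ONLY is set."""
    report = {}
    for e in parse_ldif(ldif_text):
        if "useraccountcontrol" not in e:
            continue
        uac = int(e["useraccountcontrol"])
        flags = [name for bit, name in sorted(UAC_FLAGS.items()) if uac & bit]
        report[e.get("samaccountname", e.get("dn"))] = {
            "flags": flags, "des_only": bool(uac & USE_DES_KEY_ONLY)}
    return report
```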