[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Lars Schimmer l.schimmer@cgv.tugraz.at
Fri, 26 Jul 2013 08:56:44 +0200


On 2013-07-25 17:55, Andrew Deason wrote:
> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
> Benjamin Kaduk <kaduk@MIT.EDU> wrote:
>
>> The short version is: a misconfigured KDC can cause problems for new
>> clients against old servers.
>
> If that's true, we need to say specifically what that misconfiguration
> is, so people can check for them and avoid it. I'm not aware of any way
> to create such a configuration (that behavior sounds instead like a KDC
> bug to me, without knowing any further details).
>
> In particular with AD, the AFS service account must already have the
> USE_DES_KEY_ONLY userAccountControl bit set in order for us to work at
> all with plain rxkad. Lars, do you know if the "Use Kerberos DES
> encryption types for this account" account option is checked for the AFS
> service account? Do you see any errors in wherever the Windows client
> normally logs errors? Can you access that path if you destroy your
> tokens?

It is a bit more subtle.
Yes, the AFS service account has DES only activated. klist -e on Linux
shows me:
2013-07-26 08:50:42  2013-07-27 08:51:58  afs/cgv.tugraz.at@CGV.TUGRAZ.AT
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc

(on a still old client).

I updated 3 clients for a test on Windows 7 to 1.7.26. One works fine,
two show me a valid token on login, but the AFS path is not reachable at
all ( \\AFS\.cgv.tugraz.at not reachable).


MfG,
Lars Schimmer
-- 
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
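
An added example, not part of the original message or of OpenAFS: a Python check that reads `klist -e` output in the layout quoted above and reports whether the afs service ticket uses only single-DES enctypes, plus a test of the USE_DES_KEY_ONLY bit in a userAccountControl value. The function names are hypothetical, the sample text (including the krbtgt entry) and the UAC values in the comments are constructed, and 0x200000 is the flag value from Microsoft's userAccountControl documentation.

```python
import re

# Single-DES enctype names as printed by MIT klist -e.
SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}
UF_USE_DES_KEY_ONLY = 0x200000  # AD userAccountControl flag
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(\S+),\s*(\S+)\s*$")

# Constructed sample in the layout shown in the message (krbtgt entry invented).
SAMPLE = """\
Valid starting       Expires              Service principal
2013-07-26 08:50:40  2013-07-27 08:51:58  krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
2013-07-26 08:50:42  2013-07-27 08:51:58  afs/cgv.tugraz.at@CGV.TUGRAZ.AT
        Etype (skey, tkt): des-cbc-crc, des-cbc-crc
"""

def parse_klist(text):
    """Return [(principal, skey_etype, tkt_etype)] from `klist -e` output."""
    tickets, principal = [], None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and principal:
            # Tolerate a "DEPRECATED:" prefix on the enctype name if present.
            tickets.append((principal, *(e.split(":")[-1] for e in m.groups())))
            principal = None
        elif line[:1].isdigit():
            # Ticket line: start, expiry, principal (the last field).
            principal = line.split()[-1]
    return tickets

def afs_des_report(text, cell):
    """Enctypes of the afs ticket for `cell`; des_only is True if both are single DES."""
    for principal, skey, tkt in parse_klist(text):
        if principal.split("@")[0] in ("afs", "afs/" + cell):
            return {"principal": principal, "skey": skey, "tkt": tkt,
                    "des_only": {skey, tkt} <= SINGLE_DES}
    return None  # no afs service ticket in the cache

def uac_has_des_only(uac):
    """True if the USE_DES_KEY_ONLY bit is set, e.g. 0x200200 but not 0x200."""
    return bool(uac & UF_USE_DES_KEY_ONLY)

if __name__ == "__main__":
    print(afs_des_report(SAMPLE, "cgv.tugraz.at"))
```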