[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principle - OK?

Andrew Deason adeason@sinenomine.net
Fri, 26 Jul 2013 09:51:11 -0500


On Fri, 26 Jul 2013 14:07:46 +0200
Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:

> Ok, now with access to such a machine:
> krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS
> mode with 96-bit SHA-1 HMAC
> afs/cgv.tugraz.at/CGV.TUGRAZ.AT
> Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with
> 96-bit SHA-1 HMAC
> 
> On the working machine the AES-256 CTS is also some kind of DES.
> Interesting why one of three gets 2 DES and no AES....

Are you sure you have the "DES-only" account option set? Can you show
what the userAccountControl and msDS-SupportedEncryptionTypes fields are
for that account in LDAP? (You can see this using ldapsearch from
a Unix machine if you don't know how in Windows.) Do you know what
version of Windows Server this is?

If the "des-only" attribute is set for the account, it looks like it's
not being honored.

-- 
Andrew Deason
adeason@sinenomine.net
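
Added example, not part of the original message: a small decoder for the two LDAP attributes requested above, reporting whether the "DES-only" bit (USE_DES_KEY_ONLY) is set and which encryption types the account advertises. The bit values follow Microsoft's documentation for userAccountControl and msDS-SupportedEncryptionTypes; the function names and the LDIF sample (DN and values) are constructed for illustration.

```python
# Added example: decode the two AD attributes requested in the message above.
# SAMPLE_LDIF is constructed data, not output from the poster's domain.
UAC_FLAGS = {
    0x000002: "ACCOUNTDISABLE",
    0x000200: "NORMAL_ACCOUNT",
    0x010000: "DONT_EXPIRE_PASSWORD",
    0x200000: "USE_DES_KEY_ONLY",      # the "DES-only" account option
    0x400000: "DONT_REQ_PREAUTH",
}
ETYPE_BITS = {
    0x01: "DES-CBC-CRC",
    0x02: "DES-CBC-MD5",
    0x04: "RC4-HMAC",
    0x08: "AES128-CTS-HMAC-SHA1-96",
    0x10: "AES256-CTS-HMAC-SHA1-96",
}
USE_DES_KEY_ONLY = 0x200000

def parse_ldif(text):
    """Return {attribute_lowercase: value} for simple 'name: value' LDIF lines."""
    attrs = {}
    for line in text.splitlines():
        if line.startswith("#") or ": " not in line:
            continue
        name, value = line.split(": ", 1)
        attrs[name.strip().lower()] = value.strip()
    return attrs

def decode(mask, table):
    """List the names of all known bits set in mask, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if mask & bit]

def assess(ldif):
    attrs = parse_ldif(ldif)
    uac = int(attrs.get("useraccountcontrol", "0"))
    # msDS-SupportedEncryptionTypes is absent when it was never set.
    raw = attrs.get("msds-supportedencryptiontypes")
    etypes = decode(int(raw), ETYPE_BITS) if raw is not None else None
    return {
        "uac_flags": decode(uac, UAC_FLAGS),
        "des_only": bool(uac & USE_DES_KEY_ONLY),
        "supported_etypes": etypes,
        "non_des_advertised": bool(etypes) and any(not e.startswith("DES") for e in etypes),
    }

SAMPLE_LDIF = """\
dn: CN=afs-example,CN=Users,DC=example,DC=test
userAccountControl: 2163200
msDS-SupportedEncryptionTypes: 3
"""

if __name__ == "__main__":
    print(assess(SAMPLE_LDIF))
```

An account where `des_only` is false, or where `non_des_advertised` is true, can be issued a service ticket with a non-DES key, which is the kind of mismatch the klist output in the quoted text shows.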