[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principal - OK?
Andrew Deason
adeason@sinenomine.net
Fri, 26 Jul 2013 15:30:06 -0500
On Fri, 26 Jul 2013 14:07:46 +0200
Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:
> Ok, now with access to such a machine:
> krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
> afs/cgv.tugraz.at/CGV.TUGRAZ.AT
> Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC
By any chance, do you happen to have the registry entry
HKLM\SYSTEM\CurrentControlSet\services\kdc\KdcUseRequestedEtypesForTickets
set to 1? That seems like it may cause that behavior, from a quick test I
just did.
I'm having trouble seeing what on earth that option is for. From what I
can find on various sites, that makes the KDC use the client-specified
enctype list for the service ticket enctype, ignoring the principal
enctype settings (but still honoring the principal enctypes for the
session key?). I'm having trouble seeing any scenario where that is not
completely inappropriate (and a security issue!), let alone for AFS
usage.
I've seen this mentioned in a few AFS/Active Directory howtos, and I
have no idea why. If anyone has some info to share...
--
Andrew Deason
adeason@sinenomine.net
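A small check for the symptom shown in the quoted klist output, added here as an example and not code from the thread or from OpenAFS: it parses `klist -e` style "Etype (skey, tkt)" lines and flags tickets whose session-key or ticket enctype falls below an AES-128 floor, which is the kind of drift a client-requested-etype KDC setting would produce. The sample input is constructed from the quoted lines and the strength ranking is an assumption.

```python
"""Flag Kerberos tickets whose enctypes fall below a configured floor.

Input is the long-name format that MIT/KfW `klist -e` prints
("Etype (skey, tkt): <session key enctype>, <ticket enctype>").
"""
import re

# Constructed sample modelled on the klist output quoted in the thread
# (principal lines taken from the message; surrounding layout is assumed).
SAMPLE_KLIST = """\
krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
afs/cgv.tugraz.at@CGV.TUGRAZ.AT
        Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

# Assumed coarse strength ranking by enctype family, keyed on klist's long names.
_FAMILIES = [("AES-256", 3), ("AES-128", 2), ("Triple DES", 1), ("ArcFour", 1), ("DES cbc", 0)]

_ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$")


def etype_strength(name):
    """Return a coarse rank for a klist enctype name, or None if unrecognised."""
    for needle, rank in _FAMILIES:
        if needle.lower() in name.lower():
            return rank
    return None


def parse_klist(text):
    """Pair each principal (last '@'-bearing token on a line) with the Etype line after it."""
    entries, principal = [], None
    for line in text.splitlines():
        m = _ETYPE_RE.search(line)
        if m and principal:
            entries.append({"principal": principal, "skey": m.group(1).strip(), "tkt": m.group(2).strip()})
            principal = None
        else:
            tokens = [t for t in line.split() if "@" in t]
            if tokens:
                principal = tokens[-1]
    return entries


def find_weak_tickets(text, min_strength=2):
    """Report tickets whose session key or ticket enctype ranks below min_strength (default AES-128)."""
    findings = []
    for e in parse_klist(text):
        reasons = []
        for label, key in (("session key", "skey"), ("ticket", "tkt")):
            rank = etype_strength(e[key])
            if rank is None or rank < min_strength:
                reasons.append(f"{label} enctype '{e[key]}' below policy")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_weak_tickets(SAMPLE_KLIST):
        print(f["principal"], "->", "; ".join(f["reasons"]))
```

On the sample it reports only the afs service ticket, because its session key is single DES while its ticket enctype is AES-256; pipe real `klist -e` output in place of the sample to check a workstation.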