[OpenAFS] Re: OpenAFS 1.7.26 windows and not changed AFS service principal - OK?

Andrew Deason adeason@sinenomine.net
Fri, 26 Jul 2013 15:30:06 -0500


On Fri, 26 Jul 2013 14:07:46 +0200
Lars Schimmer <l.schimmer@cgv.tugraz.at> wrote:

> Ok, now with access to such a machine:
> krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS
> mode with 96-bit SHA-1 HMAC
> afs/cgv.tugraz.at/CGV.TUGRAZ.AT
> Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with
> 96-bit SHA-1 HMAC

By any chance, do you happen to have the registry entry

HKLM\SYSTEM\CurrentControlSet\services\kdc\KdcUseRequestedEtypesForTickets

set to 1? That seems like it may cause that behavior, from a quick test I
just did.

I'm having trouble seeing what on earth that option is for. From what I
can find on various sites, that makes the KDC use the client-specified
enctype list for the service ticket enctype, ignoring the principal
enctype settings (but still honoring the principal enctypes for the
session key?). I'm having trouble seeing any scenario where that is not
completely inappropriate (and a security issue!), let alone for AFS
usage.

I've seen this mentioned in a few AFS/Active Directory howtos, and I
have no idea why. If anyone has some info to share...

-- 
Andrew Deason
adeason@sinenomine.net
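The check Andrew asks about, as an added example (not part of the original thread and not OpenAFS or Microsoft code): a PowerShell audit run on the domain controller that reports whether KdcUseRequestedEtypesForTickets is set under the registry path quoted in the reply, and then decodes msDS-SupportedEncryptionTypes on the account that holds the afs/<cell> SPN so the two can be compared with what klist shows. It assumes the RSAT ActiveDirectory module is available and rights to read HKLM and the account; the account name 'afs-cgv' is a hypothetical parameter, and the bit values are the documented msDS-SupportedEncryptionTypes flags.

```powershell
# Added example, not from the original mail thread or from OpenAFS.
# Audit a Windows KDC for KdcUseRequestedEtypesForTickets and show the
# enctypes enabled on the AFS service account.
# Assumptions: run on a DC (or a host with the RSAT ActiveDirectory module);
# the sAMAccountName below is hypothetical.

param(
    # Hypothetical sAMAccountName of the account carrying the afs/<cell> SPN.
    [string]$ServiceAccount = 'afs-cgv'
)

$KdcKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$ValName = 'KdcUseRequestedEtypesForTickets'

# 1. Registry check. An absent value means the default behaviour, where the
#    service ticket enctype is chosen from the principal's enctype settings.
$val = (Get-ItemProperty -Path $KdcKey -Name $ValName -ErrorAction SilentlyContinue).$ValName
if ($null -eq $val) {
    Write-Output "$ValName is not set (default: ticket enctype follows the principal's settings)"
} elseif ($val -eq 1) {
    Write-Warning "$ValName = 1: ticket enctype follows the client's requested list, not the principal's"
    # To revert to the default, delete the value (left commented; run deliberately):
    # Remove-ItemProperty -Path $KdcKey -Name $ValName
} else {
    Write-Output "$ValName = $val"
}

# 2. Decode msDS-SupportedEncryptionTypes on the service account.
#    Bit values are the documented flags for this attribute.
$EtypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
}

Import-Module ActiveDirectory
$acct = Get-ADObject -LDAPFilter "(sAMAccountName=$ServiceAccount)" `
        -Properties 'msDS-SupportedEncryptionTypes','servicePrincipalName'
if ($null -eq $acct) {
    Write-Warning "account $ServiceAccount not found"
    return
}

Write-Output "SPNs on $($acct.Name): $($acct.servicePrincipalName -join ', ')"
$mask = $acct.'msDS-SupportedEncryptionTypes'
if ($null -eq $mask) {
    Write-Output "msDS-SupportedEncryptionTypes is not set on $ServiceAccount (KDC default applies)"
} else {
    $enabled = foreach ($e in $EtypeBits.GetEnumerator()) {
        if ($mask -band $e.Key) { $e.Value }
    }
    Write-Output ("msDS-SupportedEncryptionTypes = 0x{0:X} : {1}" -f $mask, ($enabled -join ', '))
    if ($mask -band 0x03) {
        Write-Warning "DES enctypes are enabled on $ServiceAccount"
    }
}
```

Run it as an administrator on the DC that issued the ticket. If the registry value is 1 and the account's attribute already lists only AES, that matches the symptom in the quoted klist output (DES service ticket with an AES session key); if the value is absent, the DES ticket has to come from the account's own enctype settings instead.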