[OpenAFS] aklog error: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

Greg Wilson Greg.Wilson@asu.edu
Thu, 7 Nov 2013 22:16:43 +0000


We recently upgraded to OpenAFS 1.6.5 on our authen and file servers and also did a re-key for Kerberos V5.

The aklog command run on RHEL6 has the following error:

Kerberos error code returned by get_cred : -1765328184
aklog: Couldn't get asu.edu AFS tickets:
aklog: unknown RPC error (-1765328184) while getting AFS tickets allow_weak_enctypes may be required in the Kerberos configuration

As the error suggests, adding "allow_weak_crypto = true" to krb5.conf makes the errors go away.

Can someone tell me what the security ramifications of this are?

The Client AFS version is OpenAFS 1.6.1.

Thanks,

Greg Wilson
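
Added example, not part of the original message and not OpenAFS code: a check that reports whether a client krb5.conf carries the allow_weak_crypto workaround described above and which enctype lists name single-DES. It assumes the MIT krb5 configuration format, where weak enctypes are filtered out of these lists unless the flag is true; the function name audit_krb5_conf and the EXAMPLE.EDU sample are constructed for illustration.

```python
import re

# Spellings MIT krb5's profile library reads as boolean true.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}
# [libdefaults] relations whose weak entries allow_weak_crypto controls.
ENCTYPE_LISTS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

# Constructed sample: a client krb5.conf carrying the workaround from the message.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.EDU
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des3-cbc-sha1 des-cbc-crc
[realms]
    EXAMPLE.EDU = {
        kdc = kdc.example.edu
    }
"""

def audit_krb5_conf(text):
    """Report whether weak crypto is enabled and which lists name single-DES."""
    section, weak, des_lists = None, False, {}   # absent relation means false
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "allow_weak_crypto":
            # Flag if any occurrence enables it: conservative for an audit.
            weak = weak or value.strip('"').lower() in TRUE_WORDS
        elif key in ENCTYPE_LISTS:
            names = [n.lower().lstrip("+") for n in re.split(r"[\s,]+", value) if n]
            # "des" and "des-*" are single-DES; "des3*" is triple-DES; "-x" removes x.
            des = [n for n in names if n == "des" or n.startswith("des-")]
            if des:
                des_lists[key] = des
    return {"allow_weak_crypto": weak, "single_des": des_lists}

if __name__ == "__main__":
    print(audit_krb5_conf(SAMPLE))
```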

