[OpenAFS] ad+openafs

Benjamin Kaduk kaduk@MIT.EDU
Wed, 4 May 2016 01:44:00 -0400 (EDT)


1.6.14 doesn't need to have single-DES enabled; we shouldn't be
recommending it.  The rxkad.keytab method should work fine with AES keys.

-Ben

On Tue, 3 May 2016, Brandon Allbery wrote:

> -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that DES is disabled somewhere. Note that the client library *also* needs DES enabled; you might need to add to the [libdefaults] section of /etc/krb5.conf on the RH system,
>
>     allow_weak_crypto = true
>
> From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org] On Behalf Of zhaoxy299@ustc.edu.cn
> Sent: Tuesday, May 3, 2016 4:39 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] ad+openafs
>
>
> Hi,
>
> I installed openafs1.6.14 on redhat 6.7 and I want to use the AD as krb5 auth.
>
> Here are my steps:
>
> 1  install openafs1.6.14 on redhat6.7
>
> 2  install ad on windows 2008 r2
>
> 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
>      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
>      -ptype KRB5_NT_PRINCIPAL +DumpSalt
>
> 4 use kinit wang
>
>    aklog
>
> [root@test-afs002 ]# klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: wang@PC.COM
>
> Valid starting     Expires            Service principal
> 05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/PC.COM@PC.COM
>         renew until 05/10/16 16:26:46, Flags: FRIA
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 05/03/16 16:27:04  05/04/16 02:26:33  afs/pc.com@PC.COM
>         renew until 05/10/16 16:26:46, Flags: FRA
>         Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> [root@test-afs002 ]# ls /afs/pc.com/
> ls: cannot open directory /afs/pc.com/: Permission denied
> [root@test-afs002 ]#
>
> If I create an afs user in the AD as a normal user with the login afs, set "user cannot change password" and "password never expires", and try to set "Use Kerberos DES encryption types for this account" on the Account tab, then when I use the command
>
> [root@test-afs002 ]# kinit wang
> Password for wang@PC.COM:
> [root@test-afs002 ]# aklog
> aklog: Couldn't get pc.com AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> [root@test-afs002 ]#
>
> I configured the AD following the web page https://wiki.openafs.org/win2008r2adaskdc/, but I can't find what is wrong. Can you tell me?
>
> Thanks
>
>
>
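
A small check for the two symptoms in this thread, as an added example that is not part of the original messages: it reads `klist -e` output and lists afs service tickets issued with single-DES or RC4 enctypes, and converts the number aklog printed into the Kerberos protocol error code. The sample input is constructed from the output quoted above; the function names and the set of enctypes flagged are assumptions of this example.

```python
import re

# Constructed sample: the klist -e -f lines quoted in the thread, mailto residue removed.
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/PC.COM@PC.COM
        renew until 05/10/16 16:26:46, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/03/16 16:27:04  05/04/16 02:26:33  afs/pc.com@PC.COM
        renew until 05/10/16 16:26:46, Flags: FRA
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Assumption of this example: flag single-DES and RC4 names (des3-* does not match "des-").
WEAK_PREFIXES = ("des-", "arcfour-")
KRB5_ERROR_TABLE_BASE = -1765328384  # com_err base of the MIT krb5 error table

TICKET = re.compile(r"^\d\S+ \S+\s+\S+ \S+\s+(\S+)\s*$")
ETYPE = re.compile(r"^\s+Etype \(skey, tkt\): (\S+), (\S+)")

def ticket_etypes(klist_text):
    """Return [(service_principal, session_key_etype, ticket_etype), ...]."""
    out, current = [], None
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE.match(line)
        if m and current:
            # Newer MIT klist prefixes weak names with "DEPRECATED:"; drop that label.
            out.append((current, *[e.split(":")[-1] for e in m.groups()]))
            current = None
    return out

def weak_afs_tickets(klist_text):
    """Tickets for afs or afs/<cell> whose session key or ticket uses a flagged enctype."""
    return [t for t in ticket_etypes(klist_text)
            if t[0].split("@")[0].split("/")[0] == "afs"
            and any(e.startswith(WEAK_PREFIXES) for e in t[1:])]

def krb5_protocol_error(com_err_code):
    """Offset of a krb5 com_err code in its table; low values are RFC 4120 error numbers."""
    return com_err_code - KRB5_ERROR_TABLE_BASE

if __name__ == "__main__":
    print(weak_afs_tickets(SAMPLE_KLIST))
    print(krb5_protocol_error(-1765328370))  # 14 is KDC_ERR_ETYPE_NOSUPP
```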