[OpenAFS] Trouble with weak encryption types in Heimdal/AuriStor configuration

John C Perkins john@cs.wisc.edu
Mon, 4 Dec 2017 21:43:43 +0000


We're looking at moving to the AuriStor AFS client for our Windows 10 computers soon. I've run across an issue that works with our old MIT KfW/OpenAFS 1.3.31 configuration.

When logging in as the domain administrator, I see domain administrator Kerberos tickets displayed in NIM (v. 2.5.0.106). However, when I try to fetch a ticket for myself, user@KERB_REALM (which uses an old KDC that still relies on weak encryption types), I get an error that I cannot obtain a ticket and that maybe I should turn on the "allow weak encryption types" option, which is already enabled in NIM and specified in \ProgramData\Kerberos\krb5.conf.

Normal users in our Windows domain are authenticated against the same KDC used for obtaining OpenAFS credentials, using altIdentity definitions in Active Directory. Group policy enables various weak encryption types until we can upgrade that KDC. At login, the client computer is able to authenticate against the KDC and obtain a ticket/token for the user.

Any suggestions for allowing the domain administrator user, who is authenticated directly against our Active Directory domain controllers, to be able to obtain a user Kerberos ticket/AFS token? This wasn't a problem using MIT KfW 3.2.2.

John Perkins
UW-Madison Computer Sciences
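As an added example (not the poster's actual file and not AuriStor or OpenAFS documentation), this is the shape of a krb5.conf that opts into weak enctypes for a legacy KDC while still preferring AES wherever a KDC offers it. The realm name KERB_REALM is the one used in the message; the KDC host name and DNS domain are placeholders. The path \ProgramData\Kerberos\krb5.conf is the one the message names. The enctype-list keys are MIT krb5's; Heimdal, which AuriStor's NIM is built on, reads the same `allow_weak_crypto` switch in `[libdefaults]` but names its enctype list `default_etypes`.

```ini
; Added example - placeholders, not the original poster's configuration.
; Lives at \ProgramData\Kerberos\krb5.conf per the message above.
[libdefaults]
    default_realm = KERB_REALM

    ; Global switch. Neither MIT krb5 nor Heimdal has a per-realm form, so
    ; this enables des-cbc-crc / des-cbc-md5 (MIT: also des-cbc-md4 and
    ; arcfour-hmac-exp) for every realm this client talks to, not just the
    ; legacy one. Remove it once the old KDC is upgraded.
    allow_weak_crypto = true

    ; Strong types first: a KDC that supports AES is still used with AES and
    ; the DES types are only reached as a fallback for the legacy KDC.
    ; (MIT key names; Heimdal equivalent is default_etypes.)
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac des-cbc-md5 des-cbc-crc
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac des-cbc-md5 des-cbc-crc
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac des-cbc-md5 des-cbc-crc

[realms]
    KERB_REALM = {
        kdc = kdc.example.com          ; placeholder host
        admin_server = kdc.example.com ; placeholder host
    }

[domain_realm]
    .example.com = KERB_REALM          ; placeholder domain
```

To check that the file is actually being honored, obtain a ticket for the legacy principal from a command prompt and inspect the enctypes: `klist -e` with MIT tools, or `klist -v` with Heimdal tools, prints the ticket and session-key enctype, and a DES type there confirms the weak path is active for that realm. Note that this file only governs the MIT/Heimdal library that NIM uses; the ticket Windows itself acquires at logon is governed by the group policy setting "Network security: Configure encryption types allowed for Kerberos", which the message says already permits the weak types.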

