[OpenAFS] Migrating away from single DES

r. l. rainer.laatsch@t-online.de
Tue, 15 Sep 2020 18:32:08 +0200


The simplest solution: use gssklog of D.E.Engert. The token then comes
from an AFS vlserver's KeyFile and not from an entry afs/**@*** in some
krb5kdc. Just run some gssklogd and switch from aklog to gssklog in your
profiles. Some time ago, even CERN.ch used it.

The original tarfile can still be found at

   http://www.hep.man.ac.uk/u/masj/gssklog/

or try my updated version at

   http://95.217.219.185/ContribAFS/Gssklog-0.11.tar

The binaries were done on ScientificLinux-6.10 with a newer KRB5 in
/opt/krb5/ and a static compilation of openafs (had to fix hcrypto and
roken libs there).


Best regards

R. Laatsch








=================================================================

On 2020-09-14 10:32, ProbaNet SRLS wrote:
> Hello!
>
>      Recent releases of krb5 (> 1.18) no longer support single DES
> encryption (the "allow_weak_crypto = yes" option in krb5.conf client
> side no longer has any effect), so now we get this error with "aklog -d":
>
> ---
>
> Kerberos error code returned by get_cred : -1765328370
> aklog: Couldn't get XXXXX AFS tickets:
> aklog: KDC has no support for encryption type while getting AFS tickets
>
> ---
>
> How should we proceed?
>
>
> Stefano
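
Added example, not part of the original thread: a small audit of the [libdefaults] section of a krb5.conf for settings that still depend on single DES, plus a decode of the error code quoted above (krb5 error-table base + 14, which is KDC_ERR_ETYPE_NOSUPP in RFC 4120). The function names and the sample configuration are constructed for illustration.

```python
import re

# Single-DES enctype names and the "des" family alias from older MIT krb5.
SINGLE_DES = {"des", "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
              "des-cbc-raw", "des-hmac-sha1"}
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
KRB5_ERROR_BASE = -1765328384  # com_err base of the krb5 error table

def kdc_error_number(code):
    """Map a krb5 library error code to its RFC 4120 protocol error number."""
    return code - KRB5_ERROR_BASE

def audit_krb5_conf(text):
    """Return (line, key, reason) for [libdefaults] settings relying on single DES."""
    findings, section = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section != "libdefaults" or "=" not in line:
            continue
        key, value = (p.strip() for p in line.split("=", 1))
        if key == "allow_weak_crypto" and value.lower() in ("yes", "true", "on", "1"):
            findings.append((lineno, key, "no effect once the library drops single DES"))
        elif key in ENCTYPE_KEYS:
            names = [n.lower() for n in re.split(r"[\s,]+", value) if n]
            weak = [n for n in names if n in SINGLE_DES]
            if weak and len(weak) == len(names):
                findings.append((lineno, key, "only single-DES enctypes: " + " ".join(weak)))
            elif weak:
                findings.append((lineno, key, "lists single-DES enctypes: " + " ".join(weak)))
    return findings

# Constructed sample configuration (not taken from any real site).
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = yes
    default_tgs_enctypes = des-cbc-crc
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
[realms]
    EXAMPLE.ORG = { kdc = kdc.example.org }
"""

if __name__ == "__main__":
    print("error", kdc_error_number(-1765328370))
    for finding in audit_krb5_conf(SAMPLE):
        print(finding)
```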