[OpenAFS] How to replace pam_krb5 on RHEL 8 systems

Ken Hornstein kenh@cmf.nrl.navy.mil
Fri, 08 Jul 2022 09:53:26 -0400


>   The problem is that we (well, at least me!) have no idea which enctype
>is expected, and which enctypes are actually tried. Debug output is not
>too helpful here. Any ideas on how to get useful information?

You said you rekeyed your AFS environment with an AES256 key, but
the error message says:

"error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE'
(enctype=1) on behalf of ....: No credentials found with supported
encryption types"

Enctype 1 is ... single-DES (specifically, des-cbc-crc).  So you're asking
for a single-DES key but the server only supports AES256, so it isn't
surprising that you get that error.  Is the client code limiting the enctype
to single-DES?  If so, that's your problem.

--Ken
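
The diagnosis in the reply above, as an added example that is not part of the original message: a small parser that pulls the requested enctype out of an error of this shape and compares it with the enctypes the service principal has keys for. The `diagnose` helper, the `key_enctypes` argument and the second sample line are assumptions made for illustration.

```python
import re

# Kerberos enctype numbers (subset of the IANA registry).
ENCTYPES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac",
}
SINGLE_DES = {1, 2, 3}

# Shape of the error quoted in the message above.
ERR = re.compile(r"error obtaining credentials for '(?P<princ>[^']+)' "
                 r"\(enctype=(?P<etype>\d+)\)")

def diagnose(line, key_enctypes):
    """Return a dict describing the enctype mismatch, or None if no match.

    key_enctypes: enctype numbers the service principal has keys for
    (supplied by the caller, e.g. {18} after an AES256-only rekey).
    """
    m = ERR.search(line)
    if m is None:
        return None
    etype = int(m.group("etype"))
    return {
        "principal": m.group("princ"),
        "requested": ENCTYPES.get(etype, f"unknown({etype})"),
        "single_des": etype in SINGLE_DES,
        "key_available": etype in key_enctypes,
        "available": sorted(ENCTYPES.get(e, f"unknown({e})") for e in key_enctypes),
    }

# Constructed input: the first line is the error from the message; the
# second is an invented AES256 request for contrast.
SAMPLE = [
    "error obtaining credentials for 'afs/rrz.uni-koeln.de@RRZ.UNI-KOELN.DE' "
    "(enctype=1) on behalf of ....: No credentials found with supported "
    "encryption types",
    "error obtaining credentials for 'afs/example.org@EXAMPLE.ORG' "
    "(enctype=18) on behalf of ....: constructed line",
]

if __name__ == "__main__":
    for line in SAMPLE:
        d = diagnose(line, key_enctypes={18})
        verdict = "key exists" if d["key_available"] else "no matching key"
        print(f"{d['principal']}: asked for {d['requested']}, {verdict}")
```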