Re: Win 2008R2 kdc and linux client: no support for encryption type

daemon@ATHENA.MIT.EDU (Lars Schimmer)
Tue Mar 16 10:20:24 2010

Date: Tue, 16 Mar 2010 15:20:11 +0100
From: Lars Schimmer <l.schimmer@cgv.tugraz.at>
CC: kerberos@mit.edu

Douglas E. Engert wrote:
> Your problem is more of an OpenAFS problem in how it has to use
> DES. You should be ask on the OpenAFS list, as there
> have been similar issues before on setting up the afs/cell
> principal.

Maybe, maybe not. As it works with 2003, it is somehow a problem of 2008R2
sending out the correct DES enctypes.

>>>>> What user are you using with the kinit?
> I did used the users with "use DES enctypes" enabled.
>> Only the AD account for the afs and afs/cell principals
>> need to have DES. All others can use the defaults.

Ok, good to know.

> Now I tried with the users without this function enabled and I get
> tickets. But no tokens :-(
> Error:
> adiotest:~# kinit schimmer
> Password for schimmer@CGV.TUGRAZ.AT:
> adiotest:~# aklog
> aklog: Couldn't get cgv.tugraz.at AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> adiotest:~# tokens
>> aklog -d   will show some debug output.
>> What versions of OpenAFS and Kerberos are running on the client?

OpenAFS 1.4.11 from lenny-backports and krb5-user:
  Installed: 1.8+dfsg~alpha1-7
On Win7 netID manager

> Tokens held by the Cache Manager:
>    --End of list--
> adiotest:~#
> klist -e
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: schimmer@CGV.TUGRAZ.AT
> Valid starting     Expires            Service principal
> 03/10/10 10:18:24  03/11/10 10:18:24  krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
>         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> So looks like no DES enctype for OpenAFS.
>> You also said in a previous note:
> I set on the Win 2008R2:
> - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with
> value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc.
> - In the DC's Local Security Policy, I enabled all ciphers by checking
> all 6 boxes at Security Settings \ Local Policies \ Security Options \
> "Network security: Configure encryption types allowed for Kerberos"
> - I set "use DES enctypes" for some test users (it was enabled for the
> afs service principal)
>> I don't recall asking our AD admin to make these registry changes in 2008
>> to get AFS to work. This may be your problem. It may override
>> the ADS_UF_USE_DES_KEY_ONLY in the UserAccountControl attribute in the
>> account.

Hm. Other guys told me I have to re-enable the DES enctypes to use the server
with OpenAFS again. But if the settings in the AD say "enable DES", it
should be the same as "use DES enctypes" in the account, isn't it?

>> On the afs service account what are the values of the
>> msDS-SupportedEncryptionTypes, UserAccountControl and msDS-KeyVersionNumber
>> attributes?
>> http://msdn.microsoft.com/en-us/library/cc223853(PROT.13).aspx
>> http://msdn.microsoft.com/en-us/library/ms680832(VS.85).aspx

Got me - where do I change those parts? In the account details of the
domain I do not see those.

Thank you so far.

Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405       E-Mail: l.schimmer@cgv.tugraz.at
Fax: +43 316 873-5402       PGP-Key-ID: 0x4A9B1723
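A small diagnostic script, added here as an example and not part of the thread or of OpenAFS/MIT krb5: it decodes the two AD attributes Douglas asks about (msDS-SupportedEncryptionTypes and the USE_DES_KEY_ONLY bit of UserAccountControl), parses `klist -e` output of the kind Lars posted to see which tickets actually carry a single-DES enctype, and translates the numeric error aklog printed into its MIT krb5 name. The attribute values in the sample are constructed; the bit values are the documented ones for those attributes, and the error base is the one MIT krb5 uses for its error table.

```python
from __future__ import annotations

# Bit values of the msDS-SupportedEncryptionTypes attribute (documented by Microsoft).
MSDS_ENCTYPE_BITS = {
    0x01: "des-cbc-crc",
    0x02: "des-cbc-md5",
    0x04: "rc4-hmac",
    0x08: "aes128-cts-hmac-sha1-96",
    0x10: "aes256-cts-hmac-sha1-96",
}
DES_BITS = 0x01 | 0x02

# UserAccountControl flag ADS_UF_USE_DES_KEY_ONLY, i.e. the
# "Use DES encryption types for this account" checkbox in AD Users and Computers.
ADS_UF_USE_DES_KEY_ONLY = 0x200000

# MIT krb5 error codes are KRB5_ERROR_BASE + the protocol error number.
KRB5_ERROR_BASE = -1765328384
KDC_ERROR_NAMES = {14: "KRB5KDC_ERR_ETYPE_NOSUPP"}  # only the code relevant here


def decode_supported_enctypes(value: int) -> list[str]:
    """Names of the enctypes enabled in an msDS-SupportedEncryptionTypes value."""
    return [name for bit, name in MSDS_ENCTYPE_BITS.items() if value & bit]


def account_allows_des(msds_value: int, uac: int) -> bool:
    """True if the account offers single DES either via the bitmask or via USE_DES_KEY_ONLY."""
    return bool(msds_value & DES_BITS) or bool(uac & ADS_UF_USE_DES_KEY_ONLY)


def krb5_error_name(code: int) -> str:
    """Translate a numeric krb5 error (as aklog prints it) into its symbolic name."""
    return KDC_ERROR_NAMES.get(code - KRB5_ERROR_BASE, "unknown krb5 error %d" % code)


def is_single_des(etype_name: str) -> bool:
    """klist prints e.g. 'DES cbc mode with CRC-32'; 'Triple DES ...' is not single DES."""
    lower = etype_name.lower()
    return "des" in lower and "triple" not in lower and "3des" not in lower


def parse_klist_etypes(output: str) -> dict[str, tuple[str, str]]:
    """Map service principal -> (session key etype, ticket etype) from `klist -e` output."""
    result: dict[str, tuple[str, str]] = {}
    current = None
    for line in output.splitlines():
        parts = line.split()
        # A ticket line is: start date, start time, expiry date, expiry time, principal.
        if len(parts) == 5 and "@" in parts[4]:
            current = parts[4]
            continue
        marker = "Etype (skey, tkt):"
        if current and marker in line:
            skey, tkt = (s.strip() for s in line.split(marker, 1)[1].split(",", 1))
            result[current] = (skey, tkt)
            current = None
    return result


def tickets_with_des(output: str) -> dict[str, bool]:
    """For each ticket in the cache, whether the ticket itself is encrypted with single DES."""
    return {p: is_single_des(tkt) for p, (_, tkt) in parse_klist_etypes(output).items()}


# Constructed copy of the klist -e output from the thread (quote markers removed).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_0
Default principal: schimmer@CGV.TUGRAZ.AT
Valid starting     Expires            Service principal
03/10/10 10:18:24  03/11/10 10:18:24  krbtgt/CGV.TUGRAZ.AT@CGV.TUGRAZ.AT
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
"""

if __name__ == "__main__":
    # Constructed attribute values for an afs service account: RC4+AES only, no DES flag.
    print(decode_supported_enctypes(0x1C))
    print("account allows DES:", account_allows_des(0x1C, 0x10200))
    print(krb5_error_name(-1765328370))  # the number aklog printed in the thread
    print(tickets_with_des(SAMPLE_KLIST))
```

Run it on the client after `klist -e` to see whether the afs/cell ticket (once aklog has obtained one) is actually DES; the attribute values would come from the account object on the DC, which is where an AD admin would read them rather than from the Linux client.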