Hi! Right now I got time and tried:
On 05.03.2010 01:44, Stephen Joyce wrote: > Lars: > > I did get past the issuing of DES tickets. I have other problems (see my > recent message to the list), but I did enable DES tickets on 2008R2. I > did the following (not all may be required). > > - In the DC's Local Security Policy, I enabled all ciphers by checking > all 6 boxes at Security Settings \ Local Policies \ Security Options \ > "Network security: Configure encryption types allowed for Kerberos" Done that. > - In AD in the Default Domain Controllers Policy, Computer Configuration > \ Policies \ Administrative Templates \ Ssytem/Net Logon \ "Allow > cryptography algorithms compatible with Windows NT 4.0" (Enable). [I'd > bet this step isn't necessary; I was grasping when I tried it and > haven't backed out to check yet.] I did not found the "administrative templates" in my policies section. > - Add a REG_DWORD (32 bit) named KdcUseRequestedEtypesForTickets with > value 1 at HKLM\SYSTEM\CurrentControlSet\services\kdc. Without this, the > DC won't talk DES to clients, even if you do extract a DES-only keytab > (you'll see "KDC has no support for encryption type" messages). done that. > - Reboot the DC (at least restart the KDC process is required) done that. But as it is a 2nd AD server for the domain, I have not done anything to the afs user account (it is already set with enable DES, no timeout and accout is sensitive, do not delegate). On 2 test accounts I enabled the "use krb DES enc types for this account". But still on a Win7 client added to our domain and the Win 2008R2 server as only krb5-server I got a error of "KDC has no support for encryption type". Any ideas, please? Maybe the "do not delegate the afs account" is bad? MfG, Lars Schimmer -- ------------------------------------------------------------- TU Graz, Institut für ComputerGraphik & WissensVisualisierung Tel: +43 316 873-5405 E-Mail: l.schim...@cgv.tugraz.at Fax: +43 316 873-5402 PGP-Key-ID: 0x4A9B1723 _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
