On 22 Nov 2011, at 20:28, Jeff Blaine wrote:

> I'm a little confused.  I just had to turn on
> allow_weak_crypto in a RHEL6 kerberos client's
> /etc/krb5.conf to be able to aklog.
> 
> My understanding was that this setting was only
> needed on the KDCs, which until now, has been
> working fine since we upgraded our KDCs to 1.9.

You need the setting on the KDCs, because otherwise they won't issue any single 
DES tickets, regardless of the encryption types set for the afs/<cell> 
principal. But ...

> Is that just because our other clients are (they
> are) running sub-1.9 MIT Kerberos so we didn't hit
> this?

You also need this setting on all of your clients, because otherwise you won't 
be able to get any single DES tickets. This has been the case since MIT 
Kerberos 1.8.

In later versions of OpenAFS we work round this by having aklog use a krb5 
function to enable weak crypto for that specific context, but I guess you 
aren't using that version of OpenAFS yet.

S.


_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
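
An added example, not part of the original message or of OpenAFS: a small Python check that reports whether a krb5.conf turns on allow_weak_crypto in [libdefaults] or lists single-DES enctypes, for finding clients that still carry the setting discussed above. The sample configuration and realm name are constructed, and the parser assumes flat "key = value" relations in [libdefaults].

```python
import re

# Strings the MIT krb5 profile library reads as boolean true.
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}
# Single-DES enctype names, plus the "des" family alias, as written in krb5.conf.
DES_ENCTYPES = {"des", "des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}
ENCTYPE_KEYS = ("permitted_enctypes", "default_tkt_enctypes", "default_tgs_enctypes")

# Constructed sample input, not taken from any real host.
SAMPLE = """\
[libdefaults]
    default_realm = EXAMPLE.ORG
    allow_weak_crypto = true
    permitted_enctypes = aes256-cts-hmac-sha1-96 des-cbc-crc
"""

def parse_libdefaults(text):
    """Return the [libdefaults] relations as a dict, keeping the first value of a repeated key."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            values.setdefault(key, value)
    return values

def audit(text):
    """Return a list of weak-crypto findings for one krb5.conf."""
    lib = parse_libdefaults(text)
    findings = []
    if lib.get("allow_weak_crypto", "false").lower() in TRUE_VALUES:
        findings.append("allow_weak_crypto is enabled in [libdefaults]")
    for key in ENCTYPE_KEYS:
        tokens = re.split(r"[\s,]+", lib.get(key, "").lower())
        # "-name" removes an enctype from the list, "+name" adds one.
        weak = sorted({t.lstrip("+") for t in tokens if not t.startswith("-")} & DES_ENCTYPES)
        if weak:
            findings.append(f"{key} lists single-DES enctypes: {', '.join(weak)}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```
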
