Hi all,

After some time, I'm finally getting around to putting my personal cell back up 
(this time on Debian with openafs-1.6.4 from wheezy-backports and Heimdal).

My afs/cell principal is set up thusly:

kadmin> get afs/coyhile.com
            Principal: afs/coyhile....@coyhile.com
    Principal expires: never
     Password expires: never
 Last password change: 2013-07-19 10:00:32 UTC
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 3
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2013-07-19 10:00:32 UTC
             Modifier: kadmin/ad...@coyhile.com
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], des-cbc-md5(pw-salt())[3]
          PK-INIT ACL:
              Aliases:

kadmin> ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
kadmin>

and in krb5.conf, I do have allow_weak_crypto = true in libdefaults.

All in all, Heimdal is working fine, but aklog is failing to get me tokens:

chaos:/var/log # kinit admin
ad...@coyhile.com's Password:
chaos:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
        Principal: ad...@coyhile.com

  Issued                Expires               Principal
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  krbtgt/coyhile....@coyhile.com
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  afs/coyhile....@coyhile.com
chaos:/var/log # aklog -d
Authenticating to cell coyhile.com (server chaos.coyhile.com).
Trying to authenticate to user's realm COYHILE.COM.
Getting tickets: afs/coyhile....@coyhile.com
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get coyhile.com AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
chaos:/var/log #

and in the KDC logs, I see this:

2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- ad...@coyhile.com using aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- ad...@coyhile.com
2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 Requested flags: renewable, forwardable
2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
2013-07-19T10:07:40 TGS-REQ ad...@coyhile.com from IPv4:37.153.98.57 for afs/coyhile....@coyhile.com [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/coyhile....@coyhile.com) has no support for etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client

Does *everything* need a DES key, or just the afs/cell principal?

-c
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
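
Added example (not part of the original post, and not OpenAFS or Heimdal code): a Python script that decodes the numeric code aklog printed above and pairs each TGS-REQ in a Heimdal KDC log with the failure that followed it. The sample log lines and the example.org principals are constructed; it assumes one log entry per line and no interleaved requests.

```python
import re

# Base of the krb5 com_err table: protocol error N is reported as BASE + N.
KRB5_ERR_BASE = -1765328384
# Subset of the RFC 4120 section 7.5.9 error codes.
RFC4120_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
}

TGS_REQ = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+)")
NO_ETYPE = re.compile(r"Server \((\S+)\) has no support for etypes")
SENT_ERR = re.compile(r"tgs-req: sending error: (-?\d+) to client")

# Constructed sample in the shape of the KDC log quoted in the post.
SAMPLE_LOG = """\
2013-07-19T10:07:40 TGS-REQ user@EXAMPLE.ORG from IPv4:192.0.2.10 for afs/example.org@EXAMPLE.ORG [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/example.org@EXAMPLE.ORG) has no support for etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:192.0.2.10
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
"""

def decode_krb5_error(code):
    """Map a com_err-style krb5 code to its RFC 4120 name, if known."""
    n = code - KRB5_ERR_BASE
    if not 0 <= n < 128:
        return "not a krb5 protocol error (%d)" % code
    return RFC4120_ERRORS.get(n, "krb5 protocol error %d" % n)

def find_tgs_failures(lines):
    """Return one record per TGS-REQ that ended in an error reply."""
    failures, current = [], None
    for line in lines:
        if m := TGS_REQ.search(line):
            current = {"client": m.group(1), "from": m.group(2),
                       "server": m.group(3), "etype_mismatch": False}
        elif current and (m := NO_ETYPE.search(line)):
            # The KDC found no usable enctype on this service principal.
            current["etype_mismatch"] = m.group(1) == current["server"]
        elif current and (m := SENT_ERR.search(line)):
            current["error"] = decode_krb5_error(int(m.group(1)))
            failures.append(current)
            current = None
    return failures

if __name__ == "__main__":
    for failure in find_tgs_failures(SAMPLE_LOG.splitlines()):
        print(failure)
```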
