Hi all,

After some time, I'm finally getting around to putting my personal cell back up (this time on Debian with openafs-1.6.4 from wheezy-backports and Heimdal).

My afs/cell principal is set up thusly:

kadmin> get afs/coyhile.com
            Principal: afs/coyhile....@coyhile.com
    Principal expires: never
     Password expires: never
 Last password change: 2013-07-19 10:00:32 UTC
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 3
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2013-07-19 10:00:32 UTC
             Modifier: kadmin/ad...@coyhile.com
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[3], des3-cbc-sha1(pw-salt)[3], arcfour-hmac-md5(pw-salt)[3], des-cbc-md5(pw-salt())[3]
          PK-INIT ACL:
              Aliases:

kadmin> ext -k AFSKEYFILE:/etc/openafs/server/KeyFile afs/coyhile.com
kadmin>

And in krb5.conf, I do have allow_weak_crypto = true in libdefaults.

All in all, Heimdal is working fine, but aklog is failing to get me tokens:

chaos:/var/log # kinit admin
ad...@coyhile.com's Password:
chaos:/var/log # klist
Credentials cache: FILE:/tmp/krb5cc_1141449863_q94vTe
        Principal: ad...@coyhile.com

  Issued                Expires               Principal
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  krbtgt/coyhile....@coyhile.com
Jul 19 10:07:40 2013  Jul 20 10:07:36 2013  afs/coyhile....@coyhile.com
chaos:/var/log # aklog -d
Authenticating to cell coyhile.com (server chaos.coyhile.com).
Trying to authenticate to user's realm COYHILE.COM.
Getting tickets: afs/coyhile....@coyhile.com
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get coyhile.com AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
chaos:/var/log #

And in the KDC logs, I see this:

2013-07-19T10:07:40 ENC-TS Pre-authentication succeeded -- ad...@coyhile.com using aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 ENC-TS pre-authentication succeeded -- ad...@coyhile.com
2013-07-19T10:07:40 AS-REQ authtime: 2013-07-19T10:07:40 starttime: unset endtime: 2013-07-20T10:07:36 renew till: 2013-07-26T10:07:36
2013-07-19T10:07:40 Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, des3-cbc-md5, arcfour-hmac-md5, des-cbc-md5, des-cbc-md4, des-cbc-crc, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
2013-07-19T10:07:40 Requested flags: renewable, forwardable
2013-07-19T10:07:40 sending 738 bytes to IPv4:37.153.98.57
2013-07-19T10:07:40 TGS-REQ ad...@coyhile.com from IPv4:37.153.98.57 for afs/coyhile....@coyhile.com [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/coyhile....@coyhile.com) has no support for etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client

Does *everything* need a DES key, or just the afs/cell principal?

-c

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
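
Added example, not part of the original post and not OpenAFS or Heimdal code: aklog prints -1765328370 as an "unknown RPC error", so this sketch converts a krb5 com_err code back to its RFC 4120 protocol error and pairs each error the KDC sent with the TGS-REQ logged before it. The names decode and triage are hypothetical, and the regular expressions assume the KDC log layout shown in the post.

```python
import re

# Base of the krb5 com_err table: a protocol error N (RFC 4120, section 7.5.9)
# is reported by the libraries as KRB5_ERR_BASE + N, for N in 0..127.
KRB5_ERR_BASE = -1765328384
RFC4120_ERRORS = {  # subset; extend from the RFC as needed
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

# KDC log lines copied from the post above (principals elided as posted).
SAMPLE_LOG = """\
2013-07-19T10:07:40 TGS-REQ ad...@coyhile.com from IPv4:37.153.98.57 for afs/coyhile....@coyhile.com [canonicalize, renewable, forwardable]
2013-07-19T10:07:40 Server (afs/coyhile....@coyhile.com) has no support for etypes
2013-07-19T10:07:40 Failed building TGS-REP to IPv4:37.153.98.57
2013-07-19T10:07:40 tgs-req: sending error: -1765328370 to client
"""

TGS_REQ = re.compile(r"TGS-REQ (\S+) from (\S+) for (\S+)")
SEND_ERR = re.compile(r"sending error: (-?\d+) to client")


def decode(code):
    """Return (protocol_number, name) for a krb5 com_err code, else None."""
    n = code - KRB5_ERR_BASE
    if not 0 <= n < 128:
        return None  # outside the protocol-error range of the table
    return n, RFC4120_ERRORS.get(n, "UNLISTED")


def triage(log_text):
    """Pair each error the KDC sent with the TGS-REQ that preceded it."""
    findings, last_req = [], None
    for line in log_text.splitlines():
        m = TGS_REQ.search(line)
        if m:
            last_req = m.groups()
            continue
        m = SEND_ERR.search(line)
        if m and last_req:
            decoded = decode(int(m.group(1)))
            findings.append({"client": last_req[0], "from": last_req[1],
                             "server": last_req[2],
                             "error": decoded[1] if decoded else "NOT_KRB5"})
            last_req = None
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```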