On 7/26/2013 2:56 AM, Lars Schimmer wrote:
> On 2013-07-25 17:55, Andrew Deason wrote:
>> On Thu, 25 Jul 2013 11:36:52 -0400 (EDT)
>> Benjamin Kaduk <ka...@mit.edu> wrote:
>>
>>> The short version is: a misconfigured KDC can cause problems for new
>>> clients against old servers.
>>
>> If that's true, we need to say specifically what that misconfiguration
>> is, so people can check for them and avoid it. I'm not aware of any way
>> to create such a configuration (that behavior sounds instead like a KDC
>> bug to me, without knowing any further details).
>>
>> In particular with AD, the AFS service account must already have the
>> USE_DES_KEY_ONLY userAccountControl bit set in order for us to work at
>> all with plain rxkad. Lars, do you know if the "Use Kerberos DES
>> encryption types for this account" account option is checked for the AFS
>> service account? Do you see any errors in wherever the Windows client
>> normally logs errors? Can you access that path if you destroy your
>> tokens?
>
> It is a bit more subtle.
> Yes, the AFS service account has DES only activated. klist -e on Linux
> shows me:
> 2013-07-26 08:50:42 2013-07-27 08:51:58 afs/cgv.tugraz...@cgv.tugraz.at
> Etype (skey, tkt): des-cbc-crc, des-cbc-crc
>
> (on a still old client).
>
> I updated 3 clients for a test on Windows 7 to 1.7.26. One works fine,
> two show me a valid token on login, but the AFS path is not reachable at
> all ( \\AFS\.cgv.tugraz.at not reachable).

What are the enctypes of the service tickets obtained on the Windows systems that do not work? The enctypes from a service ticket on Linux using the old client using the old algorithm are not comparable.