On Fri, 26 Jul 2013 14:07:46 +0200 Lars Schimmer <[email protected]> wrote:
> Ok, now with access to such a machine: > krbtgt/[email protected] > Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS > mode with 96-bit SHA-1 HMAC > afs/cgv.tugraz.at/CGV.TUGRAZ.AT > Etype /skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with > 96-bit SHA-1 HMAC > > On the working machine the AES-256 CTS is also some kind of DES. > Interesting why one of three get 2 DES and non AES.... Are you sure you have the "DES-only" account option set? Can you show what the userAccountControl and msDS-SupportedEncryptionTypes fields are for that account in LDAP? (You can see this either using ldapsearch from a unix machine if you don't know how in windows) Do you know what version of Windows Server this is? If the "des-only" attribute is set for the account, it looks like it's not being honored. -- Andrew Deason [email protected] _______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
