On Fri, 26 Jul 2013 14:07:46 +0200 Lars Schimmer <l.schim...@cgv.tugraz.at> wrote:
> Ok, now with access to such a machine:
>
> krbtgt/cgv.tugraz...@cgv.tugraz.at
> Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
> afs/cgv.tugraz.at/CGV.TUGRAZ.AT
> Etype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC

By any chance, do you happen to have the registry entry
HKLM\SYSTEM\CurrentControlSet\services\kdc\KdcUseRequestedEtypesForTickets
set to 1? That seems like it may cause that behavior, from a quick test I just did.

I'm having trouble seeing what on earth that option is for. From what I can find on various sites, that makes the KDC use the client-specified enctype list for the service ticket enctype, ignoring the principal enctype settings (but still honoring the principal enctypes for the session key?). I'm having trouble seeing any scenario where that is not completely inappropriate (and a security issue!), let alone for AFS usage.

I've seen this mentioned in a few AFS/Active Directory howtos, and I have no idea why. If anyone has some info to share...

--
Andrew Deason
adea...@sinenomine.net
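The symptom above (a DES session key paired with an AES-encrypted service ticket for a DES-keyed AFS principal) can be spotted in `klist -e` output on a client. The following is an added example, not code from the thread or from OpenAFS: it parses MIT-style `klist -e` output and flags tickets whose ticket enctype differs from a DES session-key enctype. The sample output, principal names and realm `EXAMPLE.COM` are constructed for the example.

```python
import re

# Matches MIT 'klist -e' lines of the form "\tEtype (skey, tkt): <skey>, <tkt>".
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def is_des(etype):
    """True for single-DES enctype names as printed by MIT klist
    ("DES cbc mode with CRC-32", "... with RSA-MD5", ...)."""
    return etype.lower().startswith("des cbc")


def parse_klist(text):
    """Return [(service_principal, skey_etype, tkt_etype), ...].
    The principal is the last token of the line preceding each Etype line."""
    tickets = []
    principal = None
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m:
            if principal is not None:
                tickets.append((principal, m.group(1), m.group(2)))
            principal = None
            continue
        tokens = line.split()
        principal = tokens[-1] if tokens and "@" in tokens[-1] else None
    return tickets


def ticket_etype_mismatches(text):
    """Flag tickets where the session key is DES but the ticket itself is not:
    the shape described in the mail for KdcUseRequestedEtypesForTickets=1.
    A hit is a symptom worth checking on the KDC, not proof of the setting."""
    return [(p, skey, tkt) for p, skey, tkt in parse_klist(text)
            if is_des(skey) and not is_des(tkt)]


# Constructed sample in the shape of the output quoted in the mail.
SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.COM

Valid starting       Expires              Service principal
07/26/13 14:00:00  07/27/13 00:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\tEtype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/26/13 14:00:05  07/27/13 00:00:00  afs/example.com@EXAMPLE.COM
\tEtype (skey, tkt): DES cbc mode with CRC-32, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

if __name__ == "__main__":
    for principal, skey, tkt in ticket_etype_mismatches(SAMPLE):
        print(f"{principal}: session key {skey!r} but ticket {tkt!r}")
```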