On Mon, 17 Nov 2014 16:28:51 +0100 Andreas Ladanyi <andreas.lada...@kit.edu> wrote:
> I think i solved this issue now: ...but you mentioned it still doesn't work? I don't see how this is solved. > In none of the above cases the afs service ticket work correctly > although In the 1. case i have a des-cbc-crc key. > I cant access my user directory in afs. I get a permission denied error. Yes, and that is expected. I suppose I have not been clear; you have two different ways to make this work: 1. Extract a keytab for afs/cell with just DES, and nothing else, just like you originally did (and add it to the KeyFile). Then get the FreeIPA KDC and your client machine configured to use DES. If you have not correctly configured these to let you use DES, then you get the error you originally saw (-1765328370). If you've already set allow_weak_crypto on the KDC and the client, then you may need to ask the FreeIPA people for additional help. 2. Extract a keytab for afs/cell with non-DES enctypes, and install it in rxkad.keytab. Follow the instructions I mentioned in <http://openafs.org/pages/security/install-rxkad-k5-1.6.txt> and <http://openafs.org/pages/security/how-to-rekey.txt> to configure the servers to use this keytab. If you have not configured the servers to do this, then you will get errors such as "permission denied", as you have been getting. So, follow one of those paths, and you should be able to get authentication working. Your current setup I believe is following neither of those approaches, and so it doesn't work. I would think option 2 is easier, but that's up to you. -- Andrew Deason adea...@sinenomine.net _______________________________________________ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info