1.6.14 doesn't need to have single-DES enabled; we shouldn't be
recommending it.  The rxkad.keytab method should work fine with AES keys.

-Ben

On Tue, 3 May 2016, Brandon Allbery wrote:

> -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that DES is 
> disabled somewhere. Note that the client library *also* needs DES enabled; 
> you might need to add to the [libdefaults] section of /etc/krb5.conf on the 
> RH system,
>
>     allow_weak_crypto = true
>
> From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] 
> On Behalf Of zhaoxy...@ustc.edu.cn
> Sent: Tuesday, May 3, 2016 4:39 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] ad+openafs
>
>
> hi
>
> I installed openafs 1.6.14 on redhat 6.7 and I want to use the AD as krb5 auth.
>
> Here are my steps:
>
> 1  install openafs1.6.14 on redhat6.7
>
> 2  install ad on windows 2008 r2
>
> 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
>      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
>      -ptype KRB5_NT_PRINCIPAL +DumpSalt
>
> 4 use kinit wang
>
>    aklog
>
> [root@test-afs002 ]# klist -e -f
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: w...@pc.com
>
> Valid starting     Expires            Service principal
> 05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/pc....@pc.com
>         renew until 05/10/16 16:26:46, Flags: FRIA
>         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> 05/03/16 16:27:04  05/04/16 02:26:33  afs/pc....@pc.com
>         renew until 05/10/16 16:26:46, Flags: FRA
>         Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> [root@test-afs002 ]# ls /afs/pc.com/
> ls: cannot open directory /afs/pc.com/: Permission denied
> [root@test-afs002 ]#
>
> If I create an afs user in the AD as a normal user with the login afs, set user 
> cannot change password, password never expires. Try to set "Use Kerberos DES 
> encryption types for this account" on the Account tab. Then when I use the 
> command
>
> [root@test-afs002 ]# kinit wang
> Password for w...@pc.com:
> [root@test-afs002 ]# aklog
> aklog: Couldn't get pc.com AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> [root@test-afs002 ]#
>
> I configured the AD following the web page 
> https://wiki.openafs.org/win2008r2adaskdc/, but I can't find what is wrong. 
> Can you tell me?
>
> thanks
>
>
>
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
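
Added example, not part of the original thread or of OpenAFS: a small Python audit that decodes the com_err value aklog printed and flags service tickets in `klist -e` output that use single-DES or RC4 enctypes. The function names and the sample principals (EXAMPLE.COM) are constructed for illustration.

```python
import re

# Base of the MIT krb5 com_err table; KDC protocol error N is reported as BASE + N.
KRB5_ERROR_TABLE_BASE = -1765328384
# Small subset of RFC 4120 KDC error codes (not the full table).
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
}
# Enctype names as printed by klist -e; DES is deprecated by RFC 6649, RC4 by RFC 8429.
DEPRECATED_ETYPES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
                     "arcfour-hmac", "arcfour-hmac-exp"}

_STAMP = r"\d\d/\d\d/\d\d(?:\d\d)? \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^{_STAMP}\s+{_STAMP}\s+(\S+)\s*$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")

def decode_krb5_error(code):
    """Map a com_err value such as -1765328370 to its KDC error name, or None."""
    return KDC_ERRORS.get(code - KRB5_ERROR_TABLE_BASE)

def audit_klist(text):
    """Return [(service principal, skey etype, ticket etype, [deprecated etypes])]."""
    results, principal = [], None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            principal = m.group(1)
            continue
        m = ETYPE_RE.search(line)
        if m and principal:
            skey, tkt = m.groups()
            results.append((principal, skey, tkt,
                            sorted({skey, tkt} & DEPRECATED_ETYPES)))
            principal = None
    return results

# Constructed sample in the same layout as the klist -e -f output quoted above.
SAMPLE = """\
Valid starting     Expires            Service principal
05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/03/16 16:27:04  05/04/16 02:26:33  afs/example.com@EXAMPLE.COM
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

if __name__ == "__main__":
    print(decode_krb5_error(-1765328370))
    for principal, skey, tkt, weak in audit_klist(SAMPLE):
        print(principal, skey, tkt, "DEPRECATED" if weak else "ok")
```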