Samba4 KDC des enctypes?

Andrew Bartlett abartlet at
Fri Oct 14 17:52:55 MDT 2011

On Sat, 2011-10-15 at 00:43 +0200, Gémes Géza wrote:
> Hi,
> In the process of testing out our organization's Openldap/Heimdal/Samba3
> migration to Samba4 I've set up a domain and created a user called afs
> with an spn of afs/cell@REALM for use with a test openafs cell. The
> problem is that current versions of openafs require des enctypes and so
> an allow_weak_crypto = true setting in the [kdc] section for Heimdal.
> I've tried to use the same trick in /etc/krb.conf for samba4
> (4.0.0alpha18-GIT-7a0b5d6) but it doesn't seem to work. Is it supposed
> to read and apply that setting or should there be another way to set it
> up? The level 3 log of the failed ticket acquisition is attached.

The issues I see here are that your AFS principal is not set up
correctly.  It should have:

servicePrincipalName: afs/cell
(i.e., without @REALM).

The remaining issue (the PAC verify failure) is odd, as I thought we had
tests for that.  Certainly you need to have the allow_weak_crypto
setting in your krb5.conf as a precondition.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
