Samba4 KDC des enctypes?
Andrew Bartlett
abartlet at samba.org
Fri Oct 14 17:52:55 MDT 2011
On Sat, 2011-10-15 at 00:43 +0200, Gémes Géza wrote:
> Hi,
>
> In the process of testing out our organization's Openldap/Heimdal/Samba3
> migration to Samba4 I've set up a domain and created a user called afs
> with an spn of afs/cell at REALM for use with a test openafs cell. The
> problem is that current versions of openafs require des enctypes and so
> an allow_weak_crypto = true setting in the [kdc] section for Heimdal.
> I've tried to use the same trick in /etc/krb.conf for samba4
> (4.0.0alpha18-GIT-7a0b5d6) but it doesn't seem to work. Is it supposed
> to read and apply that setting, or should there be another way to set it
> up? The level 3 log of the failed ticket acquisition is attached.

The issues I see here are that your AFS principal is not set up
correctly. It should have:

servicePrincipalName: afs/cell

(i.e., without @REALM).

The remaining issue (the PAC verify failure) is odd, as I thought we had
tests for that. Certainly you need to have the allow_weak_crypto
setting in your krb5.conf as a precondition.

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org