Samba4 KDC des enctypes?

Gémes Géza geza at kzsdabas.hu
Fri Oct 14 22:48:46 MDT 2011


On 2011-10-15 01:52, Andrew Bartlett wrote:
> On Sat, 2011-10-15 at 00:43 +0200, Gémes Géza wrote:
>> Hi,
>>
>> In the process of testing out our organization's OpenLDAP/Heimdal/Samba3
>> migration to Samba4 I've set up a domain and created a user called afs
>> with an SPN of afs/cell@REALM for use with a test OpenAFS cell. The
>> problem is that current versions of OpenAFS require DES enctypes and so
>> an allow_weak_crypto = true setting in the [kdc] section for Heimdal.
>> I've tried to use the same trick in /etc/krb.conf for samba4
>> (4.0.0alpha18-GIT-7a0b5d6) but it doesn't seem to work. Is it supposed
>> to read and apply that setting, or should there be another way to set it
>> up? The level 3 log of the failed ticket acquisition is attached.
> The issues I see here are that your AFS principal is not set up
> correctly.  It should have:
>
> servicePrincipalName: afs/cell
> (ie, without @REALM).
>
> The remaining issue (the PAC verify failure) is odd, as I thought we had
> tests for that.  Certainly you need to have the allow_weak_crypto
> setting in your krb5.conf as a precondition.
>
> Andrew Bartlett
>
Thank you!

I changed that, but to my surprise the culprit was allow_weak_crypto.
Once I moved that from the [kdc] section to the [libdefaults] section,
everything started working.

I don't know whether my experiences could be useful enough to be
documented in the wiki?

Cheers

Geza
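
The placement issue described in this thread, as an added example that is not part of the original message or of Samba/Heimdal code: a small audit that reports which krb5.conf section carries allow_weak_crypto, so hosts with DES enctypes enabled (or with the setting in a section where it has no effect) can be found. The sample files, realm name and status labels are constructed, and treating true/yes/1/on as "enabled" is an assumption.

```python
import re

# Constructed samples: first attempt from the thread ([kdc]) and the working one.
SAMPLE_BEFORE = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
[realms]
    EXAMPLE.TEST = {
        kdc = kdc.example.test
    }
[kdc]
    allow_weak_crypto = true
"""
SAMPLE_AFTER = """\
[libdefaults]
    default_realm = EXAMPLE.TEST
    allow_weak_crypto = true
[kdc]
; no crypto override here
"""
TRUE_VALUES = {"true", "yes", "1", "on"}  # assumption: values read as enabled

def find_setting(text, key="allow_weak_crypto"):
    """Return [(line_no, section, value)] for every occurrence of key."""
    hits, section, depth = [], None, 0
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m and depth == 0:                   # top-level [section] header
            section = m.group(1).strip().lower()
        elif line.endswith("{"):               # nested block opens, e.g. a realm
            depth += 1
        elif line.startswith("}"):             # nested block closes
            depth = max(depth - 1, 0)
        else:
            name, sep, value = line.partition("=")
            if sep and name.strip() == key:
                hits.append((no, section, value.strip().lower()))
    return hits

def audit(text):
    """Label each occurrence by whether it sits in [libdefaults] and is enabled."""
    findings = []
    for no, section, value in find_setting(text):
        if section != "libdefaults":
            status = "not-in-libdefaults"      # the non-working placement in the thread
        else:
            status = "weak-crypto-enabled" if value in TRUE_VALUES else "disabled"
        findings.append((no, section, status))
    return findings
```
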


