Samba4 KDC des enctypes?
abartlet at samba.org
Fri Oct 14 23:40:41 MDT 2011
On Sat, 2011-10-15 at 06:48 +0200, Gémes Géza wrote:
> 2011-10-15 01:52 keltezéssel, Andrew Bartlett írta:
> > On Sat, 2011-10-15 at 00:43 +0200, Gémes Géza wrote:
> >> Hi,
> >> In the process of testing out our organizations Openldap/Heimdal/Samba3
> >> migration to Samba4 I've set up a domain and created a user called afs
> >> with an spn of afs/cell at REALM for use with a test openafs cell. The
> >> problem is that current versions of openafs require des enctypes and so
> >> an allow_weak_crypto = true setting in the [kdc] section for Heimdal.
> >> I've tried to use the same trick in /etc/krb.conf for samba4
> >> (4.0.0alpha18-GIT-7a0b5d6) but it doesn't seem to work. Is it supposed
> >> to read and apply that setting or there should be an other way to set it
> >> up? The level 3 log of the failed ticket acquisition is attached.
> > The issues I see here are that your AFS principal is not set up
> > correctly. It should have:
> > servicePrincipalName: afs/cell
> > (ie, without @REALM).
> > The remaining issue (the PAC verify failure) is odd, as I thought we had
> > tests for that. Certainly you need to have the allow_weak_crypto
> > setting in your krb5.conf as a precondition.
> > Andrew Bartlett
> Thanks you!
> I changed that, but to my surprise the culprit was allow_weak_crypto.
> Once I've moved that from the [kdc] section to the [libdefaults]
> everything started working.
> I don't know could my experiences be useful enough to be documented in
> the wiki?
Certainly we should document the way to turn on DES crypto, and
integrating Samba and AFS is certainly an interesting use case that I
think should be documented.
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
More information about the samba-technical