Samba4 KDC des enctypes?

[Andrew Bartlett]

On Sat, 2011-10-15 at 06:48 +0200, Gémes Géza wrote:
> 2011-10-15 01:52 keltezéssel, Andrew Bartlett írta:
> > On Sat, 2011-10-15 at 00:43 +0200, Gémes Géza wrote:
> >> Hi,
> >>
> >> In the process of testing out our organizations Openldap/Heimdal/Samba3
> >> migration to Samba4 I've set up a domain and created a user called afs
> >> with an spn of afs/cell at REALM for use with a test openafs cell. The
> >> problem is that current versions of openafs require des enctypes and so
> >> an allow_weak_crypto = true setting in the [kdc] section for Heimdal.
> >> I've tried to use the same trick in /etc/krb.conf for samba4
> >> (4.0.0alpha18-GIT-7a0b5d6) but it doesn't seem to work. Is it supposed
> >> to read and apply that setting or there should be an other way to set it
> >> up? The level 3 log of the failed ticket acquisition is attached.
> > The issues I see here are that your AFS principal is not set up
> > correctly.  It should have:
> >
> > servicePrincipalName: afs/cell
> > (ie, without @REALM).
> >
> > The remaining issue (the PAC verify failure) is odd, as I thought we had
> > tests for that.  Certainly you need to have the allow_weak_crypto
> > setting in your krb5.conf as a precondition.
> >
> > Andrew Bartlett
> >
> Thanks you!
> 
> I changed that, but to my surprise the culprit was allow_weak_crypto.
> Once I've moved that from the [kdc] section to the [libdefaults]
> everything started working.
> 
> I don't know could my experiences be useful enough to be documented in
> the wiki?

Certainly we should document the way to turn on DES crypto, and
integrating Samba and AFS is certainly an interesting use case that I
think should be documented. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org