I have an Ubuntu 18.04 computer where I connected (as client) to an AFS filesystem via openafs and kinit (krb5), hosted by my company (based on MIT Kerberos). This works well; here is the log:

    KRB5_TRACE=/dev/stdout kinit -V username
    Using default cache: /tmp/krb5cc_5864_3P0GQm
    Using principal: username@DOMAIN.COM
    Getting initial credentials for username@DOMAIN.COM
    Sending unauthenticated request
    Sending request (198 bytes) to DOMAIN.COM
    Resolving hostname SERVER.DOMAIN.COM
    Sending initial UDP request to dgram IP:PORT
    Received answer (572 bytes) from dgram IP:PORT
    Response was not from master KDC
    Salt derived from principal: DOMAIN.COMusername
    Getting AS key, salt "DOMAIN.COMusername", params ""
    Password for username@DOMAIN.COM:
    AS key obtained from gak_fct: des3-cbc-sha1/****
    Decrypted AS reply; session key is: des-cbc-crc/****
    FAST negotiation: unavailable
    Initializing FILE:/tmp/krb5cc_5864_3P0GQm with default princ username@DOMAIN.COM
    Storing username@DOMAIN.COM -> krbtgt/DOMAIN.COM@DOMAIN.COM in FILE:/tmp/krb5cc_5864_3P0GQm
    Warning: Your password will expire in XXX days
    Authenticated to Kerberos v5

Today, I upgraded to Ubuntu 20.04 and 22.04 via do-release-upgrade, and after successful completion, the AFS drives are still well mounted and readable, but the kinit authentication stopped working (already in 20.04), with this error, exactly the same in both 20.04 and 22.04:

    KRB5_TRACE=/dev/stdout kinit -V username
    Using default cache: /tmp/krb5cc_1001
    Using principal: username@DOMAIN.COM
    Getting initial credentials for username@DOMAIN.COM
    Error loading plugin module pkinit: 2/unable to find plugin [/usr/lib/x86_64-linux-gnu/krb5/plugins/preauth/pkinit.so]: No such file or directory
    Sending unauthenticated request
    Sending request (201 bytes) to DOMAIN.COM
    Resolving hostname SERVER.DOMAIN.COM
    Sending initial UDP request to dgram IP:PORT
    Received answer (127 bytes) from dgram IP:PORT
    Response was not from primary KDC
    Received error from KDC: -1765328370/KDC has no support for encryption type
    Retrying AS request with primary KDC
    Getting initial credentials for username@DOMAIN.COM
    Sending unauthenticated request
    Sending request (201 bytes) to DOMAIN.COM (primary)
    kinit: KDC has no support for encryption type while getting initial credentials

Any idea how I can solve this error that prevents getting authenticated?
Here is a comparison of the versions of the relevant packages:
krb5-config: 2.6 http://archive.ubuntu.com/ubuntu bionic/main amd64
krb5-user: 1.16-2ubuntu0.2 http://archive.ubuntu.com/ubuntu bionic-updates/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu18.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu bionic/main amd64
vs
krb5-config: 2.6+nmu1ubuntu1 http://archive.ubuntu.com/ubuntu jammy/main amd64
krb5-user: 1.19.2-2 http://archive.ubuntu.com/ubuntu jammy/universe amd64
openafs-krb5: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-modules-dkms: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
openafs-client: 1.8.8.1-3~ppa0~ubuntu22.04.2 http://ppa.launchpad.net/openafs/stable/ubuntu jammy/main amd64
[EDIT: find below my krb5.conf file]

    [libdefaults]
        allow_weak_crypto = true
        default_realm = DOMAIN.COM
        ticket_lifetime = 24h
        renew_lifetime = 120h
        dns_lookup_realm = false
        dns_lookup_kdc = false
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
        v4_instance_resolve = false
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
            }
            plain = {
                something = something-else
            }
        }
        fcc-mit-ticketflags = true

    [realms]
        DOMAIN.COM = {
            default_domain = DOMAIN.COM
            kdc = SERVER.DOMAIN.COM
            admin_server = SERVER.DOMAIN.COM
            kdc = SERVER.DOMAIN.COM
            v4_name_convert = {
                host = {
                    rcmd = host
                }
            }
        }

    [domain_realm]
        .DOMAIN.COM = DOMAIN.COM

    [login]
        krb4_convert = true
        krb4_get_tickets = false

    [appdefaults]
        aklog_homedir = true
        always_aklog = true
        kdestroy = true
        retain_after_close = false
        pam-afs-session = {
            nopag = true
            minimum_uid = 4999
        }
        debug = true

Thanks in advance.
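
Added example, not part of the original post: a small Python triage script for KRB5_TRACE output like the two traces above. It lists the enctype of each key, flags the ones deprecated by RFC 6649 and RFC 8429, and decodes the KDC error number. The function and variable names are assumptions of this example; the sample lines are copied from the traces in the post.

```python
import re

# Enctype names as printed in MIT krb5 traces, with the RFC deprecating each.
WEAK_ENCTYPES = {
    "des-cbc-crc": "single DES, RFC 6649",
    "des-cbc-md4": "single DES, RFC 6649",
    "des-cbc-md5": "single DES, RFC 6649",
    "des3-cbc-sha1": "3DES, RFC 8429",
    "arcfour-hmac": "RC4, RFC 8429",
    "rc4-hmac": "RC4, RFC 8429",
}
KRB5_ERROR_BASE = -1765328384   # base of the MIT krb5 error table
KDC_ERR_ETYPE_NOSUPP = 14       # RFC 4120 error code

KEY_RE = re.compile(r"(AS key obtained from \w+|session key is): ([\w-]+)/")
ERR_RE = re.compile(r"Received error from KDC: (-?\d+)/")

# Sample input: lines copied from the two traces in the post.
TRACE_1804 = """\
AS key obtained from gak_fct: des3-cbc-sha1/****
Decrypted AS reply; session key is: des-cbc-crc/****
FAST negotiation: unavailable
"""
TRACE_2204 = """\
Received answer (127 bytes) from dgram IP:PORT
Received error from KDC: -1765328370/KDC has no support for encryption type
"""

def audit_trace(trace):
    """Return the keys seen, the weak enctypes among them, and ETYPE_NOSUPP."""
    report = {"keys": [], "weak": [], "etype_nosupp": False}
    for line in trace.splitlines():
        key = KEY_RE.search(line)
        if key:
            role = "as_key" if key.group(1).startswith("AS key") else "session_key"
            report["keys"].append((role, key.group(2)))
            if key.group(2) in WEAK_ENCTYPES:
                report["weak"].append(key.group(2))
        err = ERR_RE.search(line)
        if err and int(err.group(1)) - KRB5_ERROR_BASE == KDC_ERR_ETYPE_NOSUPP:
            report["etype_nosupp"] = True
    return report

if __name__ == "__main__":
    for name, trace in (("18.04", TRACE_1804), ("22.04", TRACE_2204)):
        print(name, audit_trace(trace))
```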