>Now I've created my afs@REALM principal, with a v4 des-cbc-crc key.

Let me try to fill in some of the gaps here.

The "v4" part of the key is the salt, which for service keys doesn't matter (the documentation with the migration kit explains more about that).

>Over on the AFS bosserver machine I've run kadmin, authenticated as
>admin/admin and done a ktadd afs.
>
>Then I exit kadmin and run asetkey on the new /etc/krb5.keytab to,
>presumably, extract the key.

... which sounds right ...

>Then I should be able to do a kinit -4 afs@REALM, authenticate, and then
>run aklog to get a token, right?

Actually ... no. aklog takes a _V5_ TGT; you don't need any V4 credentials at all. And what you're asking here is to get credentials as the AFS service, which you don't really want (unless you happen to be a user named "afs", which would cause you problems). You really want:

    kinit -5 your_username@REALM

Then run aklog.

>But when I do kinit, I get kinit(v4): Password incorrect. I know it's
>the same password I gave when I created the key (since it's just "afs"
>until I get this right).

One thing that is covered in the FAQ (and briefly mentioned in the migration kit documentation) is that every time you run ktadd, the key is changed, so the password for that account is no longer "afs" - it's actually a random key which probably doesn't correspond to a valid password. So you couldn't run kinit against the afs service, even if that was something you wanted to do (which you don't).

--Ken
_______________________________________________
OpenAFS-devel mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-devel
