Madhusudan Singh <[EMAIL PROTECTED]> writes:

> Thanks for your response. I contacted the KDC admins yesterday and they
> suggested that I use :

> kinit -k -t /etc/krb5.keytab afs/[EMAIL PROTECTED]

> where the keytab is stored in /etc/krb5.keytab

> instead of kinit zzzz

> In this case, what would my admin principal be for afs-newcell (the
> second one I listed ?).

No, no, this does something completely different.

You have to have an AFS principal created in Kerberos; this is the principal that the servers use to authenticate to each other and the principal for which AFS clients get service tickets. This principal is called afs/omega.domain.edu, you create a keytab with that principal in it, and you use asetkey with that principal. This is the principal that has to be single DES.

Completely separate from that, you need a *user* principal that will be the AFS administrator. That principal should correspond to a person, will be used with regular kinit just like any user Kerberos principal, and will be used to authenticate you, as administrator, to the AFS server. It can just be your regular user principal, although we recommend that it be a separate admin instance so that you don't use the same principal for both routine work and for privileged access.

When running afs-newcell, the admin principal is the user principal, either zzzz or zzzz/admin (or zzzz/root, or what have you), whatever you decide to use. The afs/omega.domain.edu principal is something different, and once you've downloaded it and used asetkey on it, you shouldn't have to think about it any further.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
