I did recreate the keytab files and pushed those to the afs servers. Using the following command, thinking this was the case. Are there any new flags that I might have missed?

ktpass -princ [EMAIL PROTECTED] -mapuser afs -pass * -out afs.keytab -kvno 1


I restarted the afs service daemons with bos restart, which seemed to work fine as well.

On 12/7/05, Jeffrey Altman <[EMAIL PROTECTED]> wrote:
Microsoft changed the behavior of Windows with regards to the use of
key version numbers in 2003.   You will need to re-export the service
principal keys.

Jeffrey Altman


Larry Cashdollar wrote:
> Hello all,
> So for two or three years now I have managed an AFS cell that
> authenticates to a Windows 2000 AD server.
>
> The AD servers were recently converted to Windows 2003 and now I can no
> longer authenticate to my cell.
>
> Authenticating to cell vapid-labs.com (server afs-camdb1.vapid-labs.com).
> We've deduced that we need to authenticate to realm VAPID-LABS.COM.
> Getting tickets: afs/vapid-[EMAIL PROTECTED]
> Kerberos error code returned by get_cred: -1765328154
> aklog: Couldn't get vapid-labs.com AFS tickets:
> aklog: Key version number for principal in key table is incorrect while getting AFS tickets
>
> On my other client I get the same error code, but it is mapped to a
> different message.
>
> Which one is the correct message?
>
> [EMAIL PROTECTED]:~$ aklog -d
> Authenticating to cell vapid-labs.com (server afs-camdb1.vapid-labs.com).
> We've deduced that we need to authenticate to realm vapid-labs.com.
> Getting tickets: afs/vapid-[EMAIL PROTECTED]
> Kerberos error code returned by get_cred: -1765328154
> aklog: Couldn't get vapid-labs.com AFS tickets:
> aklog: New password cannot be zero length while getting AFS tickets
>
>
> I use a separate Kerberos server running krb524 on port 4444 to convert
> tickets.
>
> Any help will be appreciated.
>
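
For readers hitting the same "key version number ... is incorrect" error, one way to see which key version numbers a keytab actually holds before pushing it to the servers, so they can be compared with the kvno on tickets the KDC issues. This is an added example, not part of the thread; it assumes the MIT keytab file format (version 0x0502), and the principal name, kvno values and all-zero key in the sample are constructed.

```python
import struct

def keytab_kvnos(data: bytes):
    """List (principal, kvno, enctype) for each entry of a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, out = 2, []

    def counted(p):  # uint16 length followed by that many bytes
        (n,) = struct.unpack_from(">H", data, p)
        return data[p + 2:p + 2 + n], p + 2 + n

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:            # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated keytab entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, p = counted(pos + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(p)
            comps.append(c.decode())
        p += 8                   # name type and timestamp
        kvno = data[p]           # 8-bit kvno
        (enctype,) = struct.unpack_from(">H", data, p + 1)
        _, p = counted(p + 3)    # key bytes are skipped, never returned
        if end - p >= 4:         # optional 32-bit kvno overrides the 8-bit one
            (wide,) = struct.unpack_from(">I", data, p)
            kvno = wide or kvno
        out.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return out

def kvno_mismatch(entries, principal, ticket_kvno):
    """True when the keytab holds the principal but not under the ticket's kvno."""
    have = {k for name, k, _ in entries if name == principal}
    return bool(have) and ticket_kvno not in have

def _cs(b):
    return struct.pack(">H", len(b)) + b
# Constructed sample: one DES (enctype 3) entry with kvno 1 and a dummy all-zero key.
_body = (struct.pack(">H", 2) + _cs(b"EXAMPLE.COM") + _cs(b"afs") + _cs(b"example.com")
         + struct.pack(">IIBH", 1, 0, 1, 3) + _cs(bytes(8)) + struct.pack(">I", 1))
SAMPLE = b"\x05\x02" + struct.pack(">i", len(_body)) + _body
```

Against a real file, pass the bytes read from the keytab to `keytab_kvnos`; the `ticket_kvno` argument is whatever kvno the KDC reports for the service principal.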




