Correction on that: The "ktutil" was run on the linux host! (not windows)
But still... the ktpass.exe gives me bogus keyfiles.

/Erik

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Lönroth Erik
Sent: Wed 1/3/2007 4:34 PM
To: Jeffrey Altman
Cc: [email protected]
Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

OK, I believe I have resolved the problem now after 5 whole days of trial and error.

It turns out that using the "KTPASS" native from Active Directory generates keys that are not liked by AFS. I instead used ktutil.exe (for windows) to generate my key that I then imported as usual into AFS.

On Microsoft AD side:

>ktutil
ktutil: addent -password -p afs/[EMAIL PROTECTED] -k 9 -e des-cbc-crc
ktutil: wkt ./keytab.file
ktutil: quit

This file is then copied to linux and imported exactly as I would normally:

asetkey add 9 keytab.file afs/sss.se.scania.com

Now - everything works

kinit sssler
aklog
touch /afs/sss.se.scania.com/home/sssler/somefile
ls /afs/sss.se.scania.com/home/sssler/somefile
/afs/sss.se.scania.com/home/sssler/somefile

Success!

I verified this behaviour - AGAIN - by using the "KTPASS.EXE" (without changing anything else) and importing the key with "asetkey" as normal.

C:\ktpass -out afs-keytab-md5-verify -princ afs/[EMAIL PROTECTED] -mapuser afs -crypto DES-CBC-CRC -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-md5-verify:
Keytab version: 0x502
keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 9 etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)

(Again publishing the key to the whole world ;-)

... and - using this key in AFS - I get the same error again:

rxkad error=19270407

I swapped back again to the key generated by ktutil.exe - and it works again.

It seems that using the KTPASS.EXE generates bogus keys for me! I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?

/Erik

-----Original Message-----
From: Jeffrey Altman [mailto:[EMAIL PROTECTED]
Sent: Wed 1/3/2007 3:16 PM
To: Lönroth Erik
Cc: [email protected]
Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Lönroth Erik wrote:
> I believe I have... My file looks like this. Can I be sure this is OK?
> In my misery I can't trust anything at the moment.
>
> [EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf
> LAB.SCANIA.COM
> LAB.SCANIA.COM sesocolab11.scania.com

This is fine. Although the second line is not used by AFS so you can remove it.

Did you restart the AFS servers after setting this value?

> I have also looked in AD to see the Service principal binding (Is this
> right?) :
>
> C:\setspn -A afs/sss.se.scania.com afs
> Registering ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
> afs/sss.se.scania.com
> Updated object
>
> C:\setspn -L afs
> Registered ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
> afs/sss.se.scania.com
> HOST/afs
> HOST/afs.LAB
>

That is fine.

RXKADBADTICKET can be generated if the clocks between AFS and AD are not synchronized. Are they?

Jeffrey Altman
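To see what a keytab really contains before handing it to asetkey, here is an added example (not code from the thread, from OpenAFS or from Microsoft) that parses the 0x0502 keytab format both ktpass and ktutil write, reports the same fields ktpass prints (principal, ptype, vno, etype, key length), and checks that a des-cbc-crc key has the odd byte parity that krb5's DES string-to-key always produces. The sample keytab is constructed inside the code with a dummy key; a real file would be read with open(path, "rb").

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96", 23: "arcfour-hmac"}

def _counted(buf, off):
    # uint16 length-prefixed octet string (v2 keytab layout); returns (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # entry length, excluding this field
        pos += 4
        if size < 0:                                     # negative size marks a deleted slot
            pos -= size
            continue
        end, off = pos + size, pos + 2
        (ncomp,) = struct.unpack_from(">H", data, pos)  # v2: the realm is not counted
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        name_type, _ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        key, off = data[off + 13:off + 13 + klen], off + 13 + klen
        kvno = vno8                                      # trailing 32-bit kvno overrides vno8 when set
        if off + 4 <= end:
            kvno = struct.unpack_from(">I", data, off)[0] or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "enctype": ENCTYPES.get(enctype, enctype), "key": key})
        pos = end
    return entries

def des_key_parity_ok(key):
    # krb5 string-to-key leaves every DES key byte with odd parity; a failing key was not derived that way
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def build_entry(principal, kvno, enctype, key, name_type=0):
    # Serialise one v2 entry (name_type 0 = KRB5_NT_UNKNOWN, as ktpass wrote); used only for sample input
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1) + b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: the thread's principal with kvno 9 and a dummy odd-parity des-cbc-crc key
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("afs/sss.se.scania.com@LAB.SCANIA.COM", 9, 1, bytes([1, 2, 4, 7, 8, 11, 13, 14]))
```

Compare the kvno and enctype reported here against what the KDC currently issues for the principal; a mismatch on either yields tickets the AFS servers cannot decrypt, independent of clock skew.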
