Compare the keytab files produced with ktutil and ktpass for the same key. How are they different?
Jeffrey Altman

Lönroth Erik wrote:
> OK, I believe I have resolved the problem now after 5 whole days of trial
> and error.
>
> It turns out that using the "KTPASS" native from Active Directory
> generates keys that are not liked by AFS.
>
> I instead used ktutil.exe (for Windows) to generate my key that I then
> imported as usual into AFS.
>
> On Microsoft AD side:
>
>>ktutil
> ktutil: addent -password -p afs/[EMAIL PROTECTED] -k 9 -e des-cbc-crc
> ktutil: wkt ./keytab.file
> ktutil: quit
>
> This file is then copied to Linux and imported exactly as I would normally:
>
> asetkey add 9 keytab.file afs/sss.se.scania.com
>
> Now - everything works
>
> kinit sssler
> aklog
> touch /afs/sss.se.scania.com/home/sssler/somefile
> ls /afs/sss.se.scania.com/home/sssler/somefile
> /afs/sss.se.scania.com/home/sssler/somefile
>
> Success!
>
> I verified this behaviour - AGAIN - by using the "KTPASS.EXE"
> (without changing anything else) and importing the key with "asetkey" as
> normal.
>
> C:\ktpass -out afs-keytab-md5-verify -princ afs/[EMAIL PROTECTED] -mapuser afs -crypto DES-CBC-CRC -pass *
> Targeting domain controller: SeSoCoLab11.scania.se
> Successfully mapped afs/sss.se.scania.com to afs.
> Type the password for afs/sss.se.scania.com:
> Type the password again to confirm:
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to afs-keytab-md5-verify:
> Keytab version: 0x502
> keysize 63 afs/[EMAIL PROTECTED] ptype 0 (KRB5_NT_UNKNOWN) vno 9 etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)
>
> (Again publishing the key to the whole world ;-)
>
> ... and - using this key in AFS - I get the same error again: rxkad
> error=19270407
>
> I swapped back again to the key generated by ktutil.exe - and it works
> again.
>
> It seems that using the KTPASS.EXE generates bogus keys for me!
>
> I have not read this anywhere and I have read pretty much everything, did
> I miss something critical here or is this a bug/feature?
>
> /Erik
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:[EMAIL PROTECTED]
> Sent: Wed 1/3/2007 3:16 PM
> To: Lönroth Erik
> Cc: [email protected]
> Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
>
> Lönroth Erik wrote:
>> I believe I have... My file looks like this. Can I be sure this is OK?
>> In my misery I can't trust anything at the moment.
>>
>> [EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf
>> LAB.SCANIA.COM
>> LAB.SCANIA.COM sesocolab11.scania.com
>
> This is fine. Although the second line is not used by AFS so you
> can remove it.
>
> Did you restart the AFS servers after setting this value?
>
>> I have also looked in AD to see the Service principal binding (Is this
>> right?):
>>
>> C:\setspn -A afs/sss.se.scania.com afs
>> Registering ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
>> afs/sss.se.scania.com
>> Updated object
>>
>> C:\setspn -L afs
>> Registered ServicePrincipalNames for CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
>> afs/sss.se.scania.com
>> HOST/afs
>> HOST/afs.LAB
>>
>
> That is fine.
>
> RXKADBADTICKET can be generated if the clocks between AFS and AD
> are not synchronized. Are they?
>
> Jeffrey Altman

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
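The reply above asks for the two keytabs (ktpass vs. ktutil) to be compared entry by entry. The following parser and differ is an added example for doing that; it is not code from this thread, from OpenAFS or from MIT Kerberos. It reads the MIT keytab file format that both tools write (version 0x0502: a signed 32-bit entry length, principal components, name type, timestamp, 8-bit kvno, enctype, key bytes, optional 32-bit kvno), keys the comparison on (principal, kvno, enctype) so that a missing entry and a differing key are reported separately, and flags DES keys whose bytes do not carry the odd parity DES requires. The realm LAB.SCANIA.COM is assumed from the krb.conf quoted in the thread (the address was masked in the archive); the first sample key is the one ktpass printed, and the second key is constructed test data standing in for the ktutil key.

```python
"""Parse two MIT-format keytabs (v0x0502) and report where their entries differ.
Added example; not code from the thread, OpenAFS or MIT Kerberos."""
import struct

KEYTAB_V2 = b"\x05\x02"
ENCTYPE_NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}


def _read_counted(data, pos):
    """uint16 big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Return the live entries of a v0x0502 keytab as dicts."""
    if data[:2] != KEYTAB_V2:
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                      # negative length marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c)
        name_type, timestamp, vno8, enctype, keylen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13
        key = data[pos:pos + keylen]
        pos += keylen
        vno = vno8
        if end - pos >= 4:                # optional 32-bit kvno; non-zero overrides vno8
            (vno32,) = struct.unpack_from(">I", data, pos)
            vno = vno32 or vno8
        entries.append({"principal": b"/".join(comps).decode() + "@" + realm.decode(),
                        "name_type": name_type, "timestamp": timestamp, "kvno": vno,
                        "enctype": enctype, "enctype_name": ENCTYPE_NAMES.get(enctype, hex(enctype)),
                        "key": key})
        pos = end
    return entries


def des_parity_ok(key):
    """Every byte of a DES key must have odd parity; anything else is malformed."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def diff_keytabs(a, b):
    """Differences between two parsed keytabs, keyed on (principal, kvno, enctype)."""
    def index(entries):
        return {(e["principal"], e["kvno"], e["enctype"]): e["key"] for e in entries}
    ia, ib = index(a), index(b)
    out = []
    for k in sorted(set(ia) | set(ib)):
        if k not in ia:
            out.append((k, "only in second keytab"))
        elif k not in ib:
            out.append((k, "only in first keytab"))
        elif ia[k] != ib[k]:
            out.append((k, "key bytes differ"))
    return out


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples; used here to construct test input."""
    out = bytearray(KEYTAB_V2)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        # name type 0 (KRB5_NT_UNKNOWN, as ktpass printed) and timestamp 0
        body += struct.pack(">IIBHH", 0, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


PRINC = "afs/sss.se.scania.com@LAB.SCANIA.COM"      # realm assumed from the quoted krb.conf
KTPASS_KEY = bytes.fromhex("bff2e56b29943d3e")      # the key ktpass printed in the thread
OTHER_KEY = bytes.fromhex("01020407080b0d0e")       # constructed stand-in for the ktutil key
KEYTAB_A = build_keytab([(PRINC, 9, 1, KTPASS_KEY)])  # constructed "ktpass" keytab
KEYTAB_B = build_keytab([(PRINC, 9, 1, OTHER_KEY)])   # constructed "ktutil" keytab

if __name__ == "__main__":
    for label, blob in (("ktpass", KEYTAB_A), ("ktutil", KEYTAB_B)):
        for e in parse_keytab(blob):
            print("%-6s %s vno %d %s key %s parity_ok=%s" % (
                label, e["principal"], e["kvno"], e["enctype_name"], e["key"].hex(), des_parity_ok(e["key"])))
    for k, what in diff_keytabs(parse_keytab(KEYTAB_A), parse_keytab(KEYTAB_B)):
        print("DIFF", k, what)
```

To run it against real files, replace the two constructed blobs with `open(path, "rb").read()` for the ktpass and ktutil outputs; with the same password, salt and enctype the key bytes should be identical, so a "key bytes differ" line points at the key derivation, while "only in first/second keytab" points at a principal, kvno or enctype mismatch that asetkey would also see.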
