Turbo Fredriksson wrote:
>>>>>> "Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:
>
> Douglas> The account name (ktpass -mapuser) could be city_afs and
> Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>
>
> Oki, the admin has now created a keytab using:
>
> ----- s n i p -----
> ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto
> DES-CBC-MD5 -out c:\temp\unixkeytab
> Targeting domain controller: <domaincontroller>
> Successfully mapped afs/<cell> to <city>_afs.
> Type the password for afs/<cell>:
> Type the password again to confirm:
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to c:\temp\unixkeytab:
> Keytab version: 0x502
> keysize 75 afs/<cell>@<REALM> ptype 0
> (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8
> (0xe9801968ba2aada4)

To avoid the pType warning add -pType KRB5_NT_PRINCIPAL

Be aware that you just published your key to the world. Of course this
one doesn't work, but the one created with ktutil is correct and is of
course now public.

Has -DesOnly been set on the account?

> ----- s n i p -----
>
> Unfortunately this gives me other problems:
>
> ----- s n i p -----
> root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>

Did you restart the servers? Or touch the server's "CellServDB" file?

> root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth

Now you did.

> root@<afsserver>:/usr/afs/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@<REALM>
>
> Valid starting     Expires            Service principal
> 01/09/07 11:11:00  01/09/07 17:51:00  krbtgt/<REALM>@<REALM>
> 01/09/07 11:11:07  01/09/07 17:51:00  afs/<cell>@<REALM>

What does "klist -e" report the enc-types as?

> I've inquired what version of ktpass.exe/os they're running
> on the AD, but haven't got a reply yet (probably lunch :)...
> Just if it matters, I compared the keyfiles as well.
>
> ----- s n i p -----
> [EMAIL PROTECTED]:/usr/afs/etc# klist -k unixkeytab -t -K
> Keytab name: FILE:unixkeytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
> [EMAIL PROTECTED]:/usr/afs/etc# klist -k keytab.file -t -K
> Keytab name: FILE:keytab.file
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
> [EMAIL PROTECTED]:/usr/afs/etc#
> ----- s n i p -----
>
> They ARE different, but since neither work... ? Did I miss restarting
> something? I've been waiting for more than the 'AD sync time' so it
> can't be that...

You have already restarted everything via the bos restart command so you
should be good from that perspective.

I'm going to place my bet on the enc-type of the ticket.

Jeffrey Altman
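The thread compares the two keytabs by eyeballing the hex that "klist -k -t -K" prints. As an added example (not code from the thread, from OpenAFS or from MIT Kerberos), here is a small reader for the 0x502 keytab format shown in the ktpass output, plus a check that two keytabs hold the same kvno, enctype and key bytes for the afs/ principal; the cell name, realm and key bytes are constructed placeholders.

```python
import struct

DES_CBC_MD5 = 0x3       # "etype 0x3 (DES-CBC-MD5)" in the ktpass output above
KRB5_NT_PRINCIPAL = 1   # the -pType value suggested in the reply

def _cstr(b: bytes) -> bytes:            # counted octet string: u16 length + bytes
    return struct.pack(">H", len(b)) + b

def pack_entry(principal: str, kvno: int, enctype: int, key: bytes) -> bytes:
    """One keytab entry: int32 size followed by the entry body."""
    name, realm = principal.split("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name type, timestamp, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # 32-bit vno
    return struct.pack(">i", len(body)) + body

def make_keytab(*entries: bytes) -> bytes:
    return b"\x05\x02" + b"".join(entries)   # "Keytab version: 0x502"

def parse_keytab(data: bytes) -> list:
    """Return [(principal, kvno, enctype, key)], the fields 'klist -k -t -K' prints."""
    assert data[:2] == b"\x05\x02", "only keytab version 0x502 is handled"
    out, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                        # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        ncomp, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strs = []
        for _ in range(ncomp + 1):           # realm first, then name components
            n, = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _nt, _ts, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        vno32 = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else 0
        out.append(("/".join(strs[1:]) + "@" + strs[0], vno32 or vno8, etype, key))
        pos = end
    return out

def compare_principal(keytab_a: bytes, keytab_b: bytes, principal: str) -> dict:
    """Do both keytabs carry the same kvno/enctype, and the same key bytes, for principal?"""
    a = {(kv, et): k for p, kv, et, k in parse_keytab(keytab_a) if p == principal}
    b = {(kv, et): k for p, kv, et, k in parse_keytab(keytab_b) if p == principal}
    common = set(a) & set(b)
    return {"same_kvno_enctype": bool(common), "same_key": any(a[c] == b[c] for c in common)}

# Constructed sample keytabs standing in for unixkeytab (ktpass) and keytab.file (ktutil).
PRINCIPAL = "afs/afs.example.com@EXAMPLE.COM"
KEYTAB_FROM_KTPASS = make_keytab(pack_entry(PRINCIPAL, 3, DES_CBC_MD5, bytes.fromhex("0123456789abcdef")))
KEYTAB_FROM_KTUTIL = make_keytab(pack_entry(PRINCIPAL, 3, DES_CBC_MD5, bytes.fromhex("fedcba9876543210")))
```

Running compare_principal on the two sample keytabs reports matching kvno and enctype but different key bytes, which is exactly the situation the two klist listings above show; a missing enctype for the principal is what "klist -e" on the ticket would then expose.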