FYI for all,

As an alternative approach to using ktpass for adding service principals
to AD, we use a program called msktutil, developed by Dan Perry while at
PNNL. It uses OpenLDAP, GSSAPI and SASL to authenticate to AD, add accounts and service principals, and update keytabs all in one step. Google for msktutil. You will also see a version
http://download.systemimager.org/~finley/msktutil/
packaged up by one of our people.

We have not used this to add AFS, as the AFS was added to AD years ago,
but we have used it with HTTP, cvs, pop and many host principals.


Turbo Fredriksson wrote:
"Douglas" == Douglas E Engert <[EMAIL PROTECTED]> writes:

    Douglas> The account name (ktpass -mapuser) could be city_afs and
    Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>

OK, the admin has now created a keytab using:

----- s n i p -----
ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto DES-CBC-MD5 -out c:\temp\unixkeytab
Targeting domain controller: <domaincontroller>
Successfully mapped afs/<cell> to <city>_afs.
Type the password for afs/<cell>:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\temp\unixkeytab:
Keytab version: 0x502
keysize 75 afs/<cell>@<REALM> ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe9801968ba2aada4)
----- s n i p -----

Unfortunately this gives me other problems:

----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

   --End of list--
root@<afsserver>:/usr/afs/etc# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>:
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name                          ID  Owner Creator
pts: security object was passed a bad ticket ; unable to list entries

root@<afsserver>:/usr/afs/etc#
----- s n i p -----

The only reference I found about this problem was http://comments.gmane.org/gmane.comp.file-systems.openafs.general/19094
and I tried the same trick with ktutil, but it made no difference:

----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey list
kvno    3: key is: e9801968ba2aada4
All done.
root@<afsserver>:/usr/afs/etc# asetkey delete 3
root@<afsserver>:/usr/afs/etc# asetkey list
All done.
root@<afsserver>:/usr/afs/etc# ktutil
ktutil:  addent -password -p afs/<cell>@<REALM> -k 3 -e des-cbc-crc
Password for afs/<cell>@<REALM>:
ktutil:  wkt ./keytab.file
ktutil:  quit
root@<afsserver>:/usr/afs/etc# asetkey add 3 keytab.file afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@<cell> [Expires Jan  9 17:51]
   --End of list--
root@<afsserver>:/usr/afs/etc# unlog
root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth
root@<afsserver>:/usr/afs/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>

Valid starting     Expires            Service principal
01/09/07 11:11:00  01/09/07 17:51:00  krbtgt/<REALM>@<REALM>
01/09/07 11:11:07  01/09/07 17:51:00  afs/<cell>@<REALM>


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kdestroy
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>:
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name                          ID  Owner Creator
pts: security object was passed a bad ticket ; unable to list entries

root@<afsserver>:/usr/afs/etc#
root@<afsserver>:/usr/afs/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>

Valid starting     Expires            Service principal
01/09/07 11:15:42  01/09/07 17:55:42  krbtgt/<REALM>@<REALM>
01/09/07 11:15:48  01/09/07 17:55:42  afs/<cell>@<REALM>


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@<cell> [Expires Jan  9 17:55]
   --End of list--
root@<afsserver>:/usr/afs/etc#
----- s n i p -----

I've inquired what version of ktpass.exe/OS they're running
on the AD, but haven't got a reply yet (probably lunch :)...


Just if it matters, I compared the keyfiles as well.

----- s n i p -----
[EMAIL PROTECTED]:/usr/afs/etc# klist -k unixkeytab -t -K
Keytab name: FILE:unixkeytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
[EMAIL PROTECTED]:/usr/afs/etc# klist -k keytab.file -t -K
Keytab name: FILE:keytab.file
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
[EMAIL PROTECTED]:/usr/afs/etc#
----- s n i p -----

They ARE different, but since neither works... ? Did I miss restarting
something? I've been waiting for more than the 'AD sync time', so it
can't be that...

And the time is synchronized with ntpdate from the same NTPd as
the AD once every hour...


PS. I just noticed the timestamp on 'unixkeytab'... Might be nothing,
    but...
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info



--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
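Added example, not part of either message above and not OpenAFS, MIT Kerberos or ktpass code: a small Python reader and writer for the keytab format both files in the quoted thread use (version 0x502, the "Keytab version" line in the ktpass output), so two keytabs can be compared field by field instead of by eye from two `klist -k -t -K` listings. The two sample keytabs are constructed from what the thread shows: kvno 3, ptype 0 (KRB5_NT_UNKNOWN), a zero timestamp (the 01/01/70 in klist) and the DES-CBC-MD5 key e9801968ba2aada4 for the ktpass file; kvno 3, des-cbc-crc and key 83dab01c6bb03701 for the ktutil file. The realm EXAMPLE.COM, the cell name example.com, the non-zero timestamp on the ktutil entry and the assumption that ktutil stored the name as KRB5_NT_PRINCIPAL are mine, since the posts only show <REALM> and <cell> placeholders. A DES key parity check is included because both keys are single-DES keys and every byte of a DES key must have odd parity; the parser also handles the negative-size "hole" records that a deleted entry leaves behind.

```python
"""Minimal reader/writer for MIT-style keytab files (format 0x502).
Added example for this thread, not OpenAFS, MIT Kerberos or ktpass code.
EXAMPLE.COM / example.com stand in for the posts' <REALM> / <cell> placeholders."""
import struct
from dataclasses import dataclass

KRB5_NT_UNKNOWN = 0    # "ptype 0" in the ktpass output on the page
KRB5_NT_PRINCIPAL = 1  # name type krb5_parse_name (hence ktutil addent) assigns


@dataclass
class KeytabEntry:
    principal: str   # e.g. "afs/example.com@EXAMPLE.COM"
    name_type: int
    timestamp: int   # seconds since the epoch; ktpass wrote 0 (klist shows 01/01/70)
    kvno: int
    enctype: int     # 1 = des-cbc-crc, 3 = des-cbc-md5
    key: bytes


def _counted(data, pos):
    """Read a 16-bit big-endian length followed by that many bytes."""
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n], pos + 2 + n


def parse_keytab(data: bytes) -> list:
    """Decode every live entry; a negative record size marks a deleted entry (hole)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab version 0x502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # hole left by a deleted entry: skip it
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno appended by newer MIT code
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, timestamp, kvno, enctype, key))
    return entries


def build_entry(principal, name_type, timestamp, kvno, enctype, key) -> bytes:
    """Encode one entry, realm first, then components, including the 32-bit kvno."""
    name, realm = principal.rsplit("@", 1)
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries) -> bytes:
    return b"\x05\x02" + b"".join(build_entry(*e) for e in entries)


def des_parity_ok(key: bytes) -> bool:
    """A single-DES key is 8 bytes, each with odd parity (low bit is the parity bit)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def compare_keytabs(a: bytes, b: bytes) -> list:
    """(principal, kvno, field) for each field differing between matching entries,
    the field-by-field version of eyeballing two klist -k -t -K listings."""
    left = {(e.principal, e.kvno): e for e in parse_keytab(a)}
    right = {(e.principal, e.kvno): e for e in parse_keytab(b)}
    return [(p, v, f) for (p, v) in sorted(left.keys() & right.keys())
            for f in ("name_type", "timestamp", "enctype", "key")
            if getattr(left[(p, v)], f) != getattr(right[(p, v)], f)]


# Constructed samples modelled on the two files compared in the thread.
# ktpass file: ptype 0, zero timestamp, etype 3 and the key shown on the page.
KTPASS_KEYTAB = build_keytab([("afs/example.com@EXAMPLE.COM", KRB5_NT_UNKNOWN, 0,
                               3, 3, bytes.fromhex("e9801968ba2aada4"))])
# ktutil file: etype 1 and the key shown on the page; the timestamp value and the
# KRB5_NT_PRINCIPAL name type are assumptions, the posts do not show them.
KTUTIL_KEYTAB = build_keytab([("afs/example.com@EXAMPLE.COM", KRB5_NT_PRINCIPAL,
                               1168337653, 3, 1, bytes.fromhex("83dab01c6bb03701"))])
# The ktpass entry behind a 4-byte hole, as a deleted entry leaves it.
KEYTAB_WITH_HOLE = b"\x05\x02" + struct.pack(">i", -4) + b"\0" * 4 + KTPASS_KEYTAB[2:]

if __name__ == "__main__":
    for label, kt in (("unixkeytab", KTPASS_KEYTAB), ("keytab.file", KTUTIL_KEYTAB)):
        for e in parse_keytab(kt):
            print(f"{label}: kvno {e.kvno} {e.principal} ptype {e.name_type} "
                  f"ts {e.timestamp} etype {e.enctype} key {e.key.hex()} "
                  f"des_parity_ok={des_parity_ok(e.key)}")
    print("differences:", compare_keytabs(KTPASS_KEYTAB, KTUTIL_KEYTAB))
```

Run against real files, `compare_keytabs(open("unixkeytab", "rb").read(), open("keytab.file", "rb").read())` reports exactly which of name type, timestamp, enctype and key bytes disagree for the same principal and kvno; the name-type mismatch is what ktpass's "pType and account type do not match" warning points at. Both keys on the page do pass the DES parity check, so the keys themselves are well formed. Caveat for anyone reading this today: single DES in Kerberos is deprecated (RFC 6649) and is disabled by default in current Windows domains and MIT/Heimdal builds, so the DES-CBC-MD5 / des-cbc-crc setup in this 2007 thread only applies to an environment that still has DES enabled.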