Douglas E. Engert wrote:
> And after you reset the desonly bit in AD, did you use ktpass with
> -pass somepassword -out keytabfile
> or did you use the -rndPass option?

The ADS admin says "We always use the rndPass option for generating the keytabs. Yes, I set des option before generating the keytabs."

Does this make a difference?

> And you put the new key in the /usr/afs/etc/KeyFile on all the servers
> with the correct kvno? Not sure, but you may have to restart the servers
> too.

Yep, using asetkey. We restart the servers every time to be sure as well.

> And you did a fresh kinit?

Yes.

Jeffrey Altman wrote:
> des-cbc-md5 is fine. after you set the DES-only bit you need to
> generate assign a new password for the account and re-export the keytab
> with a new kvno which then needs to be imported into the AFS KeyFile

Yeah, they generated a new keytab with a new kvno and we used asetkey to import it into the KeyFile.

Anything else that we might be missing? I keep thinking it must be something simple.

Chris

--
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
