Assarsson, Emil wrote:
> Hi all,
>
> KDC: Microsoft Active Directory 2008
> AFS server OS: Ubuntu 9.10
> OpenAFS version: 1.4.11+dfsg-1 (distributed version)
>
> Admin and service account are AD accounts.
> I created the service user as a regular user and
good
> checked the option "use DES encryption types for this account"
good
> I created the keytab with ktutil:
use Microsoft's ktpass to set the password on the service account
and create the keytab.
> rxk: security object was passed a bad ticket
Unfortunately, there is no good debugging information available from an
rx security class. A krb5 related bad ticket error can be generated for
many reasons:
1 krb5 ticket length greater than 12000 bytes
2 krb5 cipher length not a multiple of 8
3 a failure to decrypt the ticket because the key in the keytab
with the matching kvno is wrong.
4 a failure to decode the encrypted ticket part
5 a null component is present in the principal name
6 the principal name has more than two components
7 the principal name has a dot in the first component and the
dot check is not disabled
8 the session key type is something other than DES-CBC-{CRC,MD4,MD5}
9 the session key length is not 8
The most likely issues are 1, 3, 7, and 8.
To address 1 the NO_AUTH_DATA_REQUIRED flag should be set on the AFS
service account. See http://support.microsoft.com/kb/832572/
To address 3 generate the keytab using ktsetup
To address 7 either do not use principals with dots in the first
component or disable the check from the command line of each afs
service.
To address 8 make sure that "use DES" is set for the AFS service and
each of the user accounts that will be accessing AFS.
Jeffrey Altman
Secure Endpoints Inc.
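The checks in the list above are applied by rxkad when a ticket arrives, but several of them can be caught earlier by inspecting the AFS service keytab itself. The Python below is an added example, not from this thread or from OpenAFS: it parses an MIT-format keytab (version 0x0502, assumed here to be what ktpass/ktutil write), reports which of the principal-name checks 5, 6 and 7 each entry would fail, and flags a service key that is not an 8-byte single-DES key (the keytab-side counterpart of checks 8 and 9, which in the mail refer to the session key). The keytab bytes are constructed inline for the demonstration.

```python
import struct
DES_ENCTYPES = {1, 2, 3}  # des-cbc-crc / des-cbc-md4 / des-cbc-md5 (RFC 3961 numbers)
def _octets(buf, off):  # keytab counted octet string: uint16 length, then the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n
def parse_keytab(data):  # parse a version 0x0502 (big-endian) MIT keytab into dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:  # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        realm, off = _octets(body, 2)
        comps = []
        for _ in range(ncomp):
            c, off = _octets(body, off)
            comps.append(c.decode())
        _nametype, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", body, off)
        entries.append({"realm": realm.decode(), "components": comps, "kvno": vno8,
                        "enctype": etype, "key": body[off + 13:off + 13 + klen]})
    return entries
def check_entry(e):  # numbers (as in the list above) of the checks this entry fails
    comps = e["components"]
    rules = [(5, any(c == "" for c in comps)),      # null component in the name
             (6, len(comps) > 2),                    # more than two components
             (7, bool(comps) and "." in comps[0]),   # dot in the first component
             (8, e["enctype"] not in DES_ENCTYPES),  # service key is not single DES
             (9, len(e["key"]) != 8)]                # a DES key is exactly 8 bytes
    return [n for n, failed in rules if failed]
def build_keytab(entries):  # serialize (realm, comps, kvno, enctype, key); test data only
    out = b"\x05\x02"
    for realm, comps, kvno, etype, key in entries:
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key
        out += struct.pack(">i", len(body)) + body
    return out

# Constructed sample: a good afs/cell entry, a dotted first component, and an AES (17) key.
SAMPLE_KEYTAB = build_keytab([
    ("EXAMPLE.COM", ["afs", "example.com"], 3, 3, b"\x11" * 8),
    ("EXAMPLE.COM", ["afs.svc", "example.com"], 3, 3, b"\x11" * 8),
    ("EXAMPLE.COM", ["afs", "example.com"], 4, 17, b"\x22" * 16),
])
```

Note that the dots in the cell name (second component of afs/example.com) are fine; only the first component is subject to check 7.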