I'm speculating, but that would be a problem with how Windows implements the "ktpass mapuser" function and then returns tickets for a mapped user with the same kvno as the principal. So both the user "afs" and the principal "afs/mycell.edu" are returning tickets with the same kvno. And I don't think there are separate entries for these principals in the Kerberos database.

Are you saying these are being mapped to the same principal in AD? If so, it's confusing but should be irrelevant.

Otherwise, is there a way for aklog to not bother getting a ticket for the "[email protected]" principal, and just use "afs/[email protected]"?


That's what it should be doing; only if that principal can't be found or otherwise fails will it fall back to a...@.

--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] [email protected]
system administrator [openafs,heimdal,too many hats] [email protected]
electrical and computer engineering, carnegie mellon university    KF8NH

