I tried removing the afs account, adding it again, checking the DES box, resetting the password, exporting the keytab, removing the old keytab, and adding the new keytab. I still can't aklog.

I'm a little confused on the syntax of ktpass to export the keytab from AD. I'm using a presentation from Derrick Brashear but I don't understand his syntax:

1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ afs/[email protected] -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab afs/[email protected]

Why didn't he use the logon name afs-adtest in that ktpass command? Where did 'afs/[email protected]' come from, particularly the 'afs/adtest.dementia.org' part? His logon name is not afs and what is adtest?

I did this:

1. Created an AD domain called pitt.edu.
2. Created the GPO to allow DES and applied it to the Domain Controllers.
3. Created a user with a logon name of 'afs'.
4. Exported the keytab with: ktpass -princ afs/[email protected] -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs.keytab
5. Imported the keytab with: asetkey add 4 /etc/afs.keytab afs/[email protected]

I still get an error but I'm not sure if I'm exporting/importing the keytab correctly. I've tried a variety of principals but all fail to let me aklog. What principal should be used?

$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/[email protected]
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 01/05/2012 10:33 AM, Andrew Deason wrote:
> On Thu, 05 Jan 2012 10:07:09 -0500
> Jeff White <[email protected]> wrote:
>
>> I noticed there is a box which says 'Use Kerberos DES encryption types
>> for this account' in the settings of each account, do I need to set
>> that?
>
> Yes.
>
>> Just on the afs principal/user or on every user of AFS in the
>> realm?
>
> Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
> for that principal if you haven't already (though that doesn't have
> anything to do with the current error). That is, turn this on:
> <http://support.microsoft.com/kb/832572>.
>
>> Do I need to do the export and asetkey again after the changes I made?
>
> Not sure on this one. I would guess "no", but I've never done this in
> that order.
>
>> Also, is there a way to have all our users in AD without enabling DES?
>> I recall hearing that it was possible by having an MIT Kerberos box to
>> hold the AFS principal alone with DES enabled but have all the user
>> principals in AD without DES.
>
> You can do this, but either way the afs/pitt.edu princ is the only one
> that has DES enabled. But yeah, if you just want to be able to turn off
> the "enable DES" checkbox in AD to be able to show someone that you're
> mostly not running with DES, that's an option.
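The asetkey step in the procedure above hands OpenAFS a kvno and a principal that must match what ktpass actually wrote into the keytab, and aklog will only succeed if that entry is a DES enctype. As an added example, not code from this thread or from OpenAFS, here is a Python parser for the version-2 keytab file format that reports the three mismatches this thread turns on: no afs/<cell>@<REALM> entry, a non-DES enctype, or a kvno different from the one given to asetkey. The sample keytab, its key bytes and the host principal are constructed; /etc/afs.keytab is used only as a name.

```python
import struct
# Kerberos enctype numbers; 3 is the DES-CBC-MD5 that "ktpass -crypto DES-CBC-MD5" writes
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts", 18: "aes256-cts", 23: "rc4-hmac"}
def build_keytab(entries):
    # Assemble a v2 (0x0502) keytab from (principal, kvno, enctype, key) tuples; sample input only
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        parts = [realm] + name.split("/")                  # realm first, then name components
        body = struct.pack(">H", len(parts) - 1)
        body += b"".join(struct.pack(">H", len(p)) + p.encode() for p in parts)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)     # name_type, timestamp, 8-bit kvno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    # One dict per live entry: principal, kvno, enctype name, key length
    assert data[:2] == b"\x05\x02", "not a version-2 keytab"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                                       # negative size marks a deleted slot
            pos -= size; continue
        end = pos + size
        ncomp, = struct.unpack_from(">H", data, pos); pos += 2
        parts = []                                          # realm, then name components
        for _ in range(ncomp + 1):
            n, = struct.unpack_from(">H", data, pos); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        _ntype, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        # optional 32-bit kvno trailer overrides the 8-bit field when present and non-zero
        kvno = (struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else 0) or vno8
        pos = end
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0], "kvno": kvno,
                        "enctype": ENCTYPES.get(enctype, str(enctype)), "keylen": klen})
    return entries

def check_afs_keytab(data, cell, realm, asetkey_kvno):
    # Everything that would stop asetkey/aklog for afs/<cell>@<realm> at the kvno handed to asetkey
    want = f"afs/{cell}@{realm}"
    hits = [e for e in parse_keytab(data) if e["principal"] == want]
    problems = [] if hits else [f"no entry for {want}"]
    problems += [f"{want} is {e['enctype']}, not DES" for e in hits if not e["enctype"].startswith("des")]
    problems += [f"{want} kvno {e['kvno']} != asetkey kvno {asetkey_kvno}" for e in hits if e["kvno"] != asetkey_kvno]
    return problems
SAMPLE = build_keytab([("afs/pitt.edu@PITT.EDU", 3, 3, bytes(8)),         # constructed stand-in for
                       ("host/dev.pitt.edu@PITT.EDU", 2, 23, bytes(16))])  # /etc/afs.keytab; dummy keys
```

On a real server, MIT's klist -k -e /etc/afs.keytab prints the same principal, kvno and enctype per entry, so the kvno passed to asetkey can be read off before running it.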

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info