On Thu, 05 Jan 2012 11:31:01 -0500 Jeff White <[email protected]> wrote:
> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ
> afs/[email protected] -mapuser afs -pass * -crypto
> DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
> afs/[email protected]
>
> Why didn't he use the logon name afs-adtest in that ktpass command?

I don't have that presentation in front of me, but that may have just
been a mistake.

> Where did 'afs/[email protected]' come from,
> particularly the 'afs/adtest.dementia.org' part? His logon name is
> not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/[email protected] to the AD user "afs" (or
"afs-adtest" or whatever you call it). OpenAFS by convention uses the
principal name afs/<cell_name>@REALM for krb5. So, adtest.dementia.org
is the AFS cell name in that example.

> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/[email protected]
> Kerberos error code returned by get_cred : -1765328164
> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?

-- 
Andrew Deason
[email protected]
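Andrew identifies the numeric error from memory. As an added example (not code from the thread or from OpenAFS), the Python below decodes a com_err code such as the -1765328164 aklog printed into its error-table name and offset, using the com_err name-packing convention (six bits per character, up to four characters, in the high 24 bits); the small offset table is a hand-labelled partial excerpt and is an assumption of this example.

```python
# Added example (not from the thread): decode a numeric com_err code such as the
# -1765328164 that aklog printed into its error-table name and offset, so the
# symbolic Kerberos error can be identified without krb5 headers at hand.
# Table-name packing follows the com_err convention: six bits per character,
# at most four characters, stored in the high 24 bits of the 32-bit code.

COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Partial, hand-labelled table of krb5 offsets (assumption of this example);
# only entries relevant to "the realm's KDC cannot be found" are listed.
KRB5_OFFSETS = {
    154: "KRB5_REALM_UNKNOWN (Cannot find KDC for requested realm)",
    156: "KRB5_KDC_UNREACH (Cannot contact any KDC for requested realm)",
    220: "KRB5_REALM_CANT_RESOLVE (Cannot resolve network address for KDC in requested realm)",
}

def decode_com_err(code: int):
    """Split a signed 32-bit com_err code into (table_name, offset)."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & 0xFF
    packed = unsigned >> 8          # 24-bit packed table name
    chars = []
    while packed:
        idx = packed & 0x3F         # 1-based index into COM_ERR_CHARS
        chars.append(COM_ERR_CHARS[idx - 1])
        packed >>= 6
    return "".join(reversed(chars)), offset

def encode_table_base(name: str) -> int:
    """Inverse of decode: the signed 32-bit base code for an error-table name."""
    packed = 0
    for c in name:
        packed = (packed << 6) | (COM_ERR_CHARS.index(c) + 1)
    unsigned = (packed << 8) & 0xFFFFFFFF
    return unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned

def explain_krb5_error(code: int) -> str:
    """Human-readable explanation for a code, or a note if it is not a krb5 code."""
    table, offset = decode_com_err(code)
    if table != "krb5":
        return f"{code}: error table '{table}', offset {offset} (not a krb5 library code)"
    name = KRB5_OFFSETS.get(offset, "offset not in this partial table")
    return f"{code}: krb5 error {offset}: {name}"

if __name__ == "__main__":
    print(explain_krb5_error(-1765328164))
```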
