On 01/05/2012 12:02 PM, Andrew Deason wrote:
On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White<[email protected]>  wrote:

1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ afs/[email protected] -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab afs/[email protected]

Why didn't he use the logon name afs-adtest in that ktpass command?
I don't have that presentation in front of me, but that may have just
been a mistake.

Where did 'afs/[email protected]' come from,
particularly the 'afs/adtest.dementia.org' part?  His logon name is
not afs and what is adtest?
I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/[email protected] to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/<cell_name>@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.

$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/[email protected]
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets
Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in DNS
or what? Anything odd with that configuration?

Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain Controllers container.

Andrew Deason:
Bah, there was a DNS problem. I fixed that and I'm back to the first error. I made sure to use the principal afs/[email protected] for the principal in the keytab, which should be correct (user is afs, cell is pitt.edu, realm is PITT.EDU). This is on RHEL 6.1 x64 and should be using MIT's Kerberos implementation for the client as provided by Red Hat.

[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V [email protected]
Using default cache: /tmp/krb5cc_0
Using principal: [email protected]
Password for [email protected]:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
01/05/12 12:48:35  01/05/12 22:48:37  krbtgt/[email protected]
        renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/[email protected]
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

Yeah, I shouldn't be getting user tickets/tokens as root, but whatever, this is just a test box and a test principal.

I was sent the URL http://openafs-wiki.stanford.edu/AFSLore/win2008r2adaskdc/ by Lars Schimmer but making the registry change it said was needed made it so I can no longer log into my DC at all, even on the console. Time to wipe out the DC and start everything over again.
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
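The two raw numbers that aklog -d prints above (-1765328370 and -1765328164) are MIT krb5 com_err codes, and decoding them is the first thing to do before touching the KDC or the keytab. The following is an added example, not code from the thread or from OpenAFS: it recomputes the "krb5" error table base the way com_err's compile_et does (6 bits per character of the table name, shifted left 8, truncated to a signed 32-bit value), subtracts it from a code to get the table index, and looks the index up in a small hand-copied subset of the krb5 error table. The subset, the helper names and the aklog line parser are mine; the two sample lines are the ones quoted in the thread. Index 14 (KRB5KDC_ERR_ETYPE_NOSUPP, "KDC has no support for encryption type") is what a KDC returns when it will not issue a ticket with the requested enctype, which for a DES-CBC-MD5 keytab against a 2008 R2 domain controller is consistent with the GPO-to-allow-DES remark earlier in the thread; index 220 is the KRB5_REALM_CANT_RESOLVE that Andrew guessed.

```python
"""Decode MIT Kerberos (com_err) error codes such as those printed by aklog -d.

Added example, not part of the OpenAFS-info thread or of OpenAFS itself.
com_err builds each error table's base from the table name: each character maps
to a 6-bit value (its position in CHAR_SET plus one), the values are packed left
to right, the result is shifted left by 8 bits and truncated to a signed 32-bit
integer. A single error code is base + index, so index = code - base.
"""

CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def to_int32(value: int) -> int:
    """Truncate to 32 bits and reinterpret as a signed integer (C int32 wraparound)."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value >= 0x80000000 else value


def com_err_base(table_name: str) -> int:
    """Compute the com_err base code for an error table name, e.g. "krb5"."""
    base = 0
    for c in table_name:
        base = (base << 6) + (CHAR_SET.index(c) + 1)
    return to_int32(base << 8)


# Hand-copied subset of the MIT krb5 error table ("krb5"): index -> (symbol, message).
# Only the entries needed to read this thread plus a few common ones; not the full table.
KRB5_TABLE = {
    0: ("KRB5KDC_ERR_NONE", "No error"),
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    220: ("KRB5_REALM_CANT_RESOLVE", "Cannot resolve network address for KDC in requested realm"),
}


def decode_krb5_error(code: int):
    """Return (index, symbol, message) for a krb5-table code, or None if not in that table."""
    index = code - com_err_base("krb5")
    if not 0 <= index < 256:          # com_err tables hold at most 256 entries
        return None
    symbol, message = KRB5_TABLE.get(index, ("<index not in this subset>", "see krb5 error table"))
    return index, symbol, message


def explain_aklog_line(line: str):
    """Decode an 'aklog -d' line of the form
    'Kerberos error code returned by get_cred : <code>'; returns None for other lines."""
    marker = "Kerberos error code returned by get_cred"
    if marker not in line or ":" not in line:
        return None
    code = int(line.rsplit(":", 1)[1].strip())
    return decode_krb5_error(code)


# The two get_cred lines quoted in the thread (first attempt, then after the DNS fix).
AKLOG_LINES = [
    "Kerberos error code returned by get_cred : -1765328370",
    "Kerberos error code returned by get_cred : -1765328164",
]

if __name__ == "__main__":
    print("krb5 table base:", com_err_base("krb5"))
    for line in AKLOG_LINES:
        print(line, "->", explain_aklog_line(line))
```

The useful property is that the base is derived, not hard-coded, so the same function decodes codes from other com_err tables (krb5's "kv5m", "kdb5", OpenAFS's own tables) once you know the table name; if `decode_krb5_error` returns None the code simply belongs to a different table. In the thread, the fact that the very first failure was index 14 already points at the DES enctype rather than at name resolution or the keytab contents.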
