Separate from your DES issues, there are two serious problems here. 1. You are creating an account with a logon name of "afs/pitt.edu" instead of something like "afs-pitt-edu-cell" and then setting a Service Principal Name of "afs/[email protected]" on that account.
The slash in Kerberos is a name component separator. When aklog requests a ticket for "afs/[email protected]" it is asking the PITT.EDU KDC for the principal "afs" "pitt.edu" Not the principal "afs/pitt.edu" 2. You cannot give the account the name "AFS" or have a short name of "AFS". Doing so will cause name resolution of "[email protected]" to succeed which will in turn break all of your deployed Windows AFS clients.
signature.asc
Description: OpenPGP digital signature
