Would you dump that into the bug tracker or the wiki for future
reference? Updating the docs would be ideal ;)
Thanks,
Jason
On 01/10/2012 11:39 AM, Jeff White wrote:
I decided to scrap my Windows box and start over again. I was able to
get it to work this time but I don't know what was different that made it
work. I am able to get a ticket as the AFS principal and things seem
to be working, at least until I run into the next problem. For those
who care, these are my notes from the one that worked:
10. On the Windows Active Directory server, enable DES encryption
    types for Kerberos
    1. Create a GPO called 'Allow_DES'
    2. Configure the following entry to allow all encryption types
       listed
       1. Computer Configuration -> Policies -> Windows Settings
          -> Local Policies -> Security Options -> Networking
          security: Configure encryption types allowed for
          Kerberos
    3. Link the 'Allow_DES' GPO to the 'Domain Controllers' OU.
    4. Reboot.
11. Create a user in AD called 'afs-pitt-edu-cell'.
12. In the settings for the AFS user check 'Use Kerberos DES
    encryption types for this account' then change the password.
13. Export the keytab for it. Note the KVNO.
    1. ktpass -princ afs/[email protected] -mapuser afs-pitt-edu-cell -pass * -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out afs-pitt-edu-cell.keytab
14. Copy the keytab to afs-dev-03.cssd as
    /etc/afs-pitt-edu-cell.keytab and make it root readable
    1. chmod 600 /etc/afs.keytab
15. Using the KVNO from earlier add the keytab to AFS
    1. asetkey add 4 /etc/afs.keytab afs/[email protected]
Thanks to everyone for their help.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
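As an added example (not from this thread and not part of OpenAFS or MIT Kerberos), a small shell helper for steps 13 to 15 above: it reads 'klist -kte' output for the exported keytab, reports the newest KVNO and enctype of the afs principal, checks that only single-DES keys are present (what 'ktpass +desonly' should have produced), and builds the 'asetkey add' line from the KVNO in the keytab rather than from memory. The principal, realm, keytab path and klist lines are constructed placeholders in the shape MIT klist prints.

```shell
# Added example, not from the thread. Principal, realm and keytab path are
# constructed placeholders; the klist lines mimic MIT 'klist -kte' output.
# Real use: klist -kte /etc/afs-pitt-edu-cell.keytab | keytab_kvno "$PRINC"
SAMPLE_KLIST='Keytab name: FILE:/etc/afs-pitt-edu-cell.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/09/12 17:00:00 afs/cell.example@AD.EXAMPLE (DES cbc mode with CRC-32)
   4 01/10/12 11:30:00 afs/cell.example@AD.EXAMPLE (DES cbc mode with CRC-32)
   2 01/10/12 11:30:00 host/afs-dev-03.example@AD.EXAMPLE (AES-256 CTS mode with 96-bit SHA-1 HMAC)'

# keytab_kvno PRINCIPAL   (klist -kte output on stdin)
# Prints "KVNO ENCTYPE" for the newest key of PRINCIPAL; exit 1 if absent.
# Data rows look like: KVNO date time principal (enctype ...)
keytab_kvno() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p {
            found = 1
            if ($1 + 0 >= kvno + 0) {        # keep the highest KVNO seen
                kvno = $1
                enc = $0
                sub(/^[^(]*\(/, "", enc)        # drop everything up to "("
                sub(/\)[[:space:]]*$/, "", enc) # drop the closing ")"
            }
        }
        END { if (!found) exit 1; print kvno, enc }'
}

# keytab_des_only PRINCIPAL   (klist -kte output on stdin)
# Exit 0 only if every key for PRINCIPAL is single DES, as produced by the
# "ktpass ... -crypto DES-CBC-CRC +desonly" step; exit 1 otherwise.
keytab_des_only() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ && $4 == p { n++; if ($0 !~ /\(DES cbc mode/) other++ }
        END { exit (n > 0 && other == 0) ? 0 : 1 }'
}

# asetkey_cmd PRINCIPAL KEYTAB   (klist -kte output on stdin)
# Prints the "asetkey add" line for step 15 with the KVNO read from the keytab.
asetkey_cmd() {
    kv=$(keytab_kvno "$1") || return 1
    kv=${kv%% *}
    printf 'asetkey add %s %s %s\n' "$kv" "$2" "$1"
}
```

Run the real klist output through asetkey_cmd and compare the printed line with what you are about to type; a mismatch usually means the keytab was regenerated after the KVNO was noted.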
On 01/10/2012 10:02 AM, Andrew Deason wrote:
On Mon, 09 Jan 2012 17:13:57 -0500
Jeff White <[email protected]> wrote:
Other possibly useful pieces of information:
sAMAccountName: afs
userPrincipalName: afs/[email protected]
Just one more possible guess: are you sure you're talking to the
right KDC? I would expect the Windows event log will log something when
a failure occurs when you do things like:
[root@afs-dev-03 ~]# kinit afs/[email protected]
kinit: Client not found in Kerberos database while getting initial
credentials
And maybe the log event would give more useful information. I don't
really expect it to, but you never know. A more accurate test may be to
try 'kinit -k -t afs.keytab afs/[email protected]' or
'kvno afs/[email protected]' (after you've "kinit"d with a normal
princ), but of course the error you've already given is an issue.
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info