On Thu, May 10, 2012 at 3:42 PM, Andrew Deason <adea...@sinenomine.net> wrote:
> On Thu, 10 May 2012 13:17:40 -0400
> Jeff White <jaw...@pitt.edu> wrote:
>
>> >> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>> >> running on Windows Server 2003 AD):
>> > I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>>
>> My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
>
> But according to the thread OP, I thought PITT.EDU was kaserver?
>
>> >> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>> >> afs/pitt....@univ.pitt.edu
>> > How exactly did you generate this keytab?
>>
>> The same way I did it on PITT.EDU:
>> ktpass -princ afs/pitt....@univ.pitt.edu -mapuser afskerbuser -pass *
>> -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype
>> KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
>
> I've been told some of the versions of the ktpass tool with 2003 can
> generate incorrect keytabs; this step in general in my experience is a
> source of a lot of problems.

Details here:
http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/

> I don't know much about AD so I'm not
> exactly sure on the ways to check this, but are you able to kinit with
> that keytab? Like, 'kinit -kt foo.keytab afs/pitt....@univ.pitt.edu' ?
>
> Not that you normally want to do that, but I think AD usually allows AS
> requests on it, since iirc you just create the 'afs' user similarly as a
> normal user account.

I don't remember for sure but I think so; you set it up as a UPN not an
SPN, so that *should* be true.

-- 
Derrick
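
One way to inspect a keytab offline before handing it to asetkey, as an added example that is not part of this thread or of OpenAFS: it parses the MIT keytab file layout (version 0x502) and checks that the principal has a key with the kvno given to asetkey and the DES-CBC-CRC enctype requested from ktpass. The principal, key bytes and function names are constructed for illustration.

```python
import struct

def parse_keytab(data):
    """Return (principal, kvno, enctype, key_len) tuples from version 0x502 keytab bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        if size > 0:
            entries.append(_parse_entry(data[pos + 4:pos + 4 + size]))
        pos += 4 + abs(size)  # a negative size marks a deleted slot to skip
    return entries

def _parse_entry(rec):
    off = 0
    def take(fmt):  # read one big-endian field and advance
        nonlocal off
        (val,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return val
    def counted():  # 16-bit length followed by that many bytes
        return take(f">{take('>H')}s")
    ncomp = take(">H")  # component count excludes the realm in 0x502
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    take(">Q")  # skip name type and timestamp (4 bytes each)
    kvno, etype, key = take(">B"), take(">H"), counted()
    if len(rec) - off >= 4:
        kvno = take(">I") or kvno  # optional 32-bit kvno overrides the 8-bit one
    return f"{name}@{realm}", kvno, etype, len(key)

def check_for_asetkey(entries, principal, kvno):
    """List reasons the keytab would not satisfy 'asetkey add <kvno> <keytab> <principal>'."""
    mine = [e for e in entries if e[0] == principal]
    if not mine:
        return [f"{principal} not found; keytab holds {sorted({e[0] for e in entries})}"]
    hits = [e for e in mine if e[1] == kvno]
    if not hits:
        return [f"no key with kvno {kvno}; keytab has kvno {sorted({e[1] for e in mine})}"]
    return [f"kvno {kvno} key is enctype {t} ({n} bytes), not des-cbc-crc (enctype 1, 8 bytes)"
            for _, _, t, n in hits if t != 1 or n != 8]

def _rec(kvno, etype, key):  # constructed sample record for afs/example.edu@EXAMPLE.EDU
    body = (b"\x00\x02\x00\x0bEXAMPLE.EDU\x00\x03afs\x00\x0bexample.edu"
            + struct.pack(">IIBHH", 1, 0, kvno, etype, len(key)) + key)
    return struct.pack(">i", len(body)) + body

# Constructed sample: an RC4 key at kvno 3 and a DES key at kvno 4.
SAMPLE = b"\x05\x02" + _rec(3, 23, bytes(16)) + _rec(4, 1, bytes(range(8)))
```

An empty list from `check_for_asetkey(parse_keytab(data), principal, 4)` means the file holds a matching DES key; it does not show that the KDC has the same key, which is what the kinit test above checks.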