Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 05/10/2012 03:49 PM, Derrick Brashear wrote:
On Thu, May 10, 2012 at 3:42 PM, Andrew Deason<[email protected]>  wrote:
On Thu, 10 May 2012 13:17:40 -0400
Jeff White<[email protected]>  wrote:

Now I tried to add support for the realm UNIV.PITT.EDU (the real one
running on Windows Server 2003 AD):
I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
But according to the thread OP, I thought PITT.EDU was kaserver?
Our production PITT.EDU is kaserver. My test one is 2008 R2 AD. Perhaps I should have named it better.
[root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab afs/[email protected]
How exactly did you generate this keytab?
The same way I did it on PITT.EDU:
ktpass -princ afs/[email protected] -mapuser afskerbuser -pass * -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
I've been told some of the versions of the ktpass tool with 2003 can
generate incorrect keytabs; this step in general in my experience is a
source of a lot of problems.
Details here:
http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
I used the exact same ktpass args on both the 2008 PITT.EDU realm and the 2003 UNIV.PITT.EDU realm (changing the realm name though). Is there something wrong with running it with those args on 2003?
I don't know much about AD so I'm not
exactly sure on the ways to check this, but are you able to kinit with
that keytab? Like, 'kinit -kt foo.keytab afs/[email protected]' ?

Not that you normally want to do that, but I think AD usually allows AS
requests on it, since iirc you just create the 'afs' user similarly as a
normal user account.
I don't remember for sure but I think so; you set it up as a UPN not an SPN,
so that *should* be true.


This might be a problem:
[root@afs-dev-03 ~]# kinit -kt /var/tmp/afskerbuser.keytab afs/[email protected]
kinit: KDC has no support for encryption type while getting initial credentials
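An added example, not from the thread or from OpenAFS: a small parser for the MIT keytab format (version 0x0502, what ktpass writes) that lists each entry's principal, kvno and enctype, so you can confirm before asetkey that the file really holds a kvno 4 entry with des-cbc-crc (enctype 1, the single-DES type +desonly asks for) and nothing else. The principal host name and key bytes in the sample are placeholders.

```python
import struct

# Kerberos enctype numbers (RFC 3961 / MIT krb5); 1-3 are the single-DES
# types that "ktpass -crypto DES-CBC-CRC +desonly" produces.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}

def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed byte string."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as an MIT v2 keytab."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        # name_type=1 (KRB5_NT_PRINCIPAL), timestamp=0, 8-bit kvno, enctype, key
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Parse an MIT keytab (version 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _ntype, _ts, vno, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13 + klen
        if end - off >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            vno = vno32 or vno
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype,
                        "enctype_name": ENCTYPES.get(enctype, "unknown(%d)" % enctype),
                        "single_des": enctype in (1, 2, 3)})
        off = end
    return entries

# Constructed sample: one afs entry as ktpass would write it; host and key are placeholders.
SAMPLE_KEYTAB = build_keytab([("afs/cell.example@UNIV.PITT.EDU", 4, 1, b"\x13\x57\x9b\xdf\x13\x57\x9b\xdf")])

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e)
```

An entry that is not single_des, or a kvno other than the one passed to asetkey, means the keytab is not what the asetkey/kinit steps above expect.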
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info