Thank you for your response.

> >The steps I followed and documented as I went (from the Quickstart guide
> >for Linux) are listed below.
> On Debian/Ubuntu, you can also run the afs-newcell script after
> installation.

I started over and tried that, but it doesn't seem to support the rxkad.keytab file that you mention later on in your message, so I went back and adjusted my steps.

> >What might I be missing? I've spent a solid 8 hours monkeying with this
> >and making no progress.
> Did you check that the kvno in your OpenAFS keyfile matches the kvno
> of the key in your KDC? If they don't match, you need to export the
> key again (each modification changes the kvno).

Yes, see below:

root@ueafs1:~# /opt/pbis/bin/klist -k -e /etc/openafs/server/rxkad.keytab
Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/[email protected] (des-cbc-crc)
   6 afs/[email protected] (des-cbc-md5)
   6 afs/[email protected] (aes128-cts-hmac-sha1-96)
   6 afs/[email protected] (aes256-cts-hmac-sha1-96)
   6 afs/[email protected] (arcfour-hmac)

root@ueafs1:~# /opt/pbis/bin/kvno afs/ad.domain.com
afs/[email protected]: kvno = 6

> You don't want libpam-openafs-kaserver, but libpam-afs-session (but
> that's not related to your problem).

Thanks, I now see that kaserver was the previous/old authentication method. I have adjusted my steps.

> >samba-tool spn add afs/ad.domain.com afs
> >samba-tool domain exportkeytab /tmp/afs --principal=afs/ad.domain.com
> Is "ad.domain.com" your actual cell name, or is it only "domain.com"?

ad.domain.com is my AD domain name, Kerberos realm, and cell name.

> >/opt/pbis/bin/kinit [email protected]
> >/opt/pbis/bin/kvno -k /etc/afs.keytab afs/ad.domain.com
> >asetkey add 6 /etc/afs.keytab afs/ad.domain.com
> Starting with 1.6.5.1, you don't need to use asetkey anymore. You
> can export the key to /etc/openafs/server/rxkad.keytab directly and
> it will be used by OpenAFS just fine. You're also not restricted to
> DES-CBC-CRC anymore.

I tried that.

Also following the steps at https://openafs.dk/doku.php?id=server:openafs, I went through "Kerberizing the OpenAFS server" and "Initial setup of bosserver", and as soon as I hit the "bos setcellname" command I receive the error:

root@ueafs1:~# bos setcellname -server ueafs1.ad.domain.com -name ad.domain.com -localauth
bos: failed to set cell (ticket contained unknown key version number)

root@ueafs1:~# /opt/pbis/bin/klist
Ticket cache: FILE:/tmp/krb5cc_483120612_gRyJqv
Default principal: [email protected]

Valid starting     Expires            Service principal
01/01/14 21:12:54  01/02/14 07:12:54  krbtgt/[email protected]
	renew until 01/02/14 21:12:52, Etype (skey, tkt): aes256-cts-hmac-sha1-96, arcfour-hmac
01/01/14 21:16:03  01/02/14 07:12:54  afs/[email protected]
	renew until 01/02/14 21:12:52, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

I must be missing something obviously stupid.

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
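The kvno comparison discussed in the thread (does the key version in the server keytab match the key version the KDC currently hands out?) can be scripted so it is checked rather than eyeballed. The script below is an added example, not code from the thread or from OpenAFS; it parses the output shapes of `klist -k -e` and `kvno` shown above. The sample outputs embedded in it are constructed, and the principal and realm names (`afs/ad.domain.com@AD.DOMAIN.COM`) are assumed, since the real ones are redacted on the page.

```shell
#!/bin/sh
# Added example: verify that the kvno the KDC reports for a service
# principal is present in the local keytab. In a live check, replace the
# constructed samples with:
#   KEYTAB_LISTING=$(klist -k -e /etc/openafs/server/rxkad.keytab)
#   KDC_KVNO_LINE=$(kvno afs/ad.domain.com)

# Constructed sample of `klist -k -e` output (assumed realm AD.DOMAIN.COM)
KEYTAB_LISTING='Keytab name: WRFILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/ad.domain.com@AD.DOMAIN.COM (des-cbc-crc)
   6 afs/ad.domain.com@AD.DOMAIN.COM (aes256-cts-hmac-sha1-96)
   6 afs/ad.domain.com@AD.DOMAIN.COM (arcfour-hmac)'

# Constructed sample of `kvno` output for the same principal
KDC_KVNO_LINE='afs/ad.domain.com@AD.DOMAIN.COM: kvno = 6'

# keytab_kvnos LISTING PRINCIPAL
#   prints the distinct KVNO values the keytab holds for PRINCIPAL,
#   one per line; header and separator lines never match a principal
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -u
}

# kdc_kvno KVNO_OUTPUT
#   extracts the number after "kvno = " from the kvno(1) output line
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# check_kvno LISTING KVNO_OUTPUT PRINCIPAL
#   prints "ok" when the KDC's current kvno exists in the keytab,
#   "mismatch" when the keytab only holds other versions (re-export needed),
#   "missing" when either side yielded no kvno at all
check_kvno() {
    kt=$(keytab_kvnos "$1" "$3")
    kdc=$(kdc_kvno "$2")
    if [ -z "$kt" ] || [ -z "$kdc" ]; then
        echo missing
        return 1
    fi
    if printf '%s\n' "$kt" | grep -qx "$kdc"; then
        echo ok
    else
        echo mismatch
        return 1
    fi
}

check_kvno "$KEYTAB_LISTING" "$KDC_KVNO_LINE" 'afs/ad.domain.com@AD.DOMAIN.COM'
```

The check only asserts that the KDC's kvno is present in the keytab; older versions lingering in the keytab are harmless, but a keytab whose only entries carry a stale kvno will produce exactly the kind of "unknown key version number" failure quoted above and must be re-exported.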
