>I then created the service account srvAFS, and extracted a keytab on the
>Domain Controller using the following command:

So I'm not the expert on how AD works, so I can't speak for what happens
if you create a service account called _one_ thing and then have a
different principal name.  Like, what name ends up in the service
ticket?  But, moving on ...

># kvno adu...@ad.mydomain.com
>kvno: Server not found in Kerberos database while getting credentials for 
>adu...@ad.mydomain.com

kvno is used when you already have a Kerberos ticket (with kinit) and you're
getting a service ticket for what you give on the command line.  I think
what you want "kinit adUser" and the "kvno afs/mydomain.com".  Although
aklog should do the same thing.

It would be interesting to see what the output of "klist" is after you
do that kinit/kvno command sequence.

There is some magic that asetkey does in terms of key version numbering
for rxkad_krb5 but it escapes me now and I suspect that's not your real
problem.  I am assuming you've distributed the KeyFile to _all_ of your
AFS servers.

--Ken
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to