>I then created the service account srvAFS, and extracted a keytab on the
>Domain Controller using the following command:

So I'm not the expert on how AD works, so I can't speak for what happens if you create a service account called _one_ thing and then have a different principal name. Like, what name ends up in the service ticket? But, moving on ...

># kvno adu...@ad.mydomain.com
>kvno: Server not found in Kerberos database while getting credentials for
>adu...@ad.mydomain.com

kvno is used when you already have a Kerberos ticket (with kinit) and you're getting a service ticket for what you give on the command line. I think what you want is "kinit adUser" and then "kvno afs/mydomain.com". Although aklog should do the same thing. It would be interesting to see what the output of "klist" is after you do that kinit/kvno command sequence.

There is some magic that asetkey does in terms of key version numbering for rxkad_krb5 but it escapes me now and I suspect that's not your real problem. I am assuming you've distributed the KeyFile to _all_ of your AFS servers.

--Ken
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info