[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Thu, 16 Jul 2009 15:47:34 -0400

Hash: SHA1

Douglas E. Engert wrote:
> And after you reset the desonly bit in AD, did you use ktpass with
> -pass somepassword -out keytabfile
> or did you use the -rndPass option?

The ADS admin says "We always use the rndPass option for generating the
keytabs. Yes, I set des option before generating the keytabs."

Does this make a difference?

> And you put the new key in the /usr/afs/etc/KeyFile on all the servers
> with the correct kvno? Not sure, but you may have to restart the servers
> too.

Yep, using asetkey.  We restart the servers every time to be sure as well.

> And you did a fresh kinit?


Jeffrey Altman wrote:
> des-cbc-md5 is fine.  after you set the DES-only bit you need to
> generate assign a new password for the account and re-export the keytab
> with a new kvno which then needs to be imported into the AFS KeyFile

Yeah, they generated a new keytab with a new kvno and we used asetkey to
import it into the KeyFile.

Anything else that we might be missing?  I keep thinking it must be
something simple.

- --
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org