[OpenAFS] Re: Multiple Kerberos realm support

Derrick Brashear shadow@gmail.com
Thu, 10 May 2012 15:49:31 -0400

On Thu, May 10, 2012 at 3:42 PM, Andrew Deason <adeason@sinenomine.net> wrote:
> On Thu, 10 May 2012 13:17:40 -0400
> Jeff White <jaw171@pitt.edu> wrote:
>> >> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>> >> running on Windows Server 2003 AD):
>> > I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>> My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
> But according to the thread OP, I thought PITT.EDU was kaserver?
>> >> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>> >> afs/pitt.edu@UNIV.PITT.EDU
>> > How exactly did you generate this keytab?
>> The same way I did it on PITT.EDU:
>> ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass *
>> -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype
>> KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
> I've been told some of the versions of the ktpass tool with 2003 can
> generate incorrect keytabs; this step in general in my experience is a
> source of a lot of problems.

Details here:

> I don't know much about AD so I'm not
> exactly sure on the ways to check this, but are you able to kinit with
> that keytab? Like, 'kinit -kt foo.keytab afs/pitt.edu@UNIV.PITT.EDU' ?
> Not that you normally want to do that, but I think AD usually allows AS
> requests on it, since iirc you just create the 'afs' user similarly as a
> normal user account.

I don't remember for sure but I think so; you set it up as a UPN not an SPN,
so that *should* be true.