[OpenAFS] Re: Multiple Kerberos realm support

Jeff White jaw171@pitt.edu
Thu, 10 May 2012 17:28:51 -0400

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD

On 05/10/2012 03:49 PM, Derrick Brashear wrote:
> On Thu, May 10, 2012 at 3:42 PM, Andrew Deason<adeason@sinenomine.net>  wrote:
>> On Thu, 10 May 2012 13:17:40 -0400
>> Jeff White<jaw171@pitt.edu>  wrote:
>>>>> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>>>>> running on Windows Server 2003 AD):
>>>> I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>>> My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
>> But according to the thread OP, I thought PITT.EDU was kaserver?
Our production PITT.EDU is kaserver.  My test one is 2008 R2 AD.  
Perhaps I should have named it better.
>>>>> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>>>>> afs/pitt.edu@UNIV.PITT.EDU
>>>> How exactly did you generate this keytab?
>>> The same way I did it on PITT.EDU:
>>> ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass *
>>> -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype
>>> KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
>> I've been told some of the versions of the ktpass tool with 2003 can
>> generate incorrect keytabs; this step in general in my experience is a
>> source of a lot of problems.
> Details here:
> http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
I used the exact same ktpass args on both the 2008 PITT.EDU realm and 
the 2003 UNIV.PITT.EDU realm (changing the realm name though).  Is there 
something wrong with running it with those args on 2003?
>> I don't know much about AD so I'm not
>> exactly sure on the ways to check this, but are you able to kinit with
>> that keytab? Like, 'kinit -kt foo.keytab afs/pitt.edu@UNIV.PITT.EDU' ?
>> Not that you normally want to do that, but I think AD usually allows AS
>> requests on it, since iirc you just create the 'afs' user similarly as a
>> normal user account.
> I don't remember for sure but I think so; you set it up as a UPN not an SPN,
> so that *should* be true.
This might be a problem:
[root@afs-dev-03 ~]# kinit -kt /var/tmp/afskerbuser.keytab 
kinit: KDC has no support for encryption type while getting initial
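An added check (not from this thread, and not OpenAFS code) for the keytab step discussed above: it parses MIT Kerberos `klist -kte` output to confirm that the key version in the keytab matches the number passed to `asetkey add`, and to flag a keytab that holds only DES keys, which a KDC with DES disabled rejects with the "KDC has no support for encryption type" error shown. The klist output below is a constructed sample; function names are the author's own.

```shell
#!/bin/sh
# Assumes MIT klist output format: each key entry line ends with the
# enctype in parentheses, e.g. "(DES cbc mode with CRC-32)".

# Constructed sample of "klist -kte /var/tmp/afskerbuser.keytab" for a
# keytab built with "ktpass ... -crypto DES-CBC-CRC +desonly".
SAMPLE_KLIST='Keytab name: FILE:/var/tmp/afskerbuser.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   4 05/10/12 17:00:00 afs/pitt.edu@UNIV.PITT.EDU (DES cbc mode with CRC-32)'

# Read klist -kte output on stdin; print "KVNO principal enctype" per key.
keytab_entries() {
    awk '/^ *[0-9]+ / {
        kvno = $1; princ = $4
        sub(/^[^(]*\(/, ""); sub(/\)$/, "")   # keep only the enctype text
        print kvno, princ, $0
    }'
}

# Exit 0 if the keytab (klist output on stdin) holds PRINCIPAL at KVNO,
# i.e. "asetkey add <KVNO> <keytab> <PRINCIPAL>" refers to a real key.
keytab_has_kvno() {
    keytab_entries | awk -v p="$1" -v k="$2" '
        $2 == p && $1 == k { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Exit 0 if every key for PRINCIPAL is single DES ("+desonly" keytab).
# Such a keytab cannot work against a KDC that has DES disabled.
keytab_is_des_only() {
    keytab_entries | awk -v p="$1" '
        $2 == p { n++; if ($3 != "DES") nondes++ }
        END { if (n > 0 && nondes == 0) exit 0; exit 1 }'
}

# Convenience wrapper for a real keytab file (needs MIT klist on PATH).
check_keytab_file() {
    klist -kte "$1" | keytab_is_des_only "$2"
}
```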