[OpenAFS] Re: Multiple Kerberos realm support
Andrew Deason
adeason@sinenomine.net
Thu, 10 May 2012 17:17:09 -0500
On Thu, 10 May 2012 17:28:51 -0400
Jeff White <jaw171@pitt.edu> wrote:
> > Details here:
> > http://wiki.openafs.org/AFSLore/WindowsK5AfsServicePrincipal/
>
> I used the exact same ktpass args on both the 2008 PITT.EDU realm and
> the 2003 UNIV.PITT.EDU realm (changing the realm name though). Is there
> something wrong with running it with those args on 2003?
It has nothing to do with the args or usage, etc; some versions of the
tool are just broken. See the link.
> This might be a problem:
> [root@afs-dev-03 ~]# kinit -kt /var/tmp/afskerbuser.keytab
> afs/pitt.edu@UNIV.PITT.EDU
> kinit: KDC has no support for encryption type while getting initial
> credentials
That's a little confusing, since the KDC granted you a service ticket
with a DES enctype earlier:
> [jaw171@afs-dev-03 ~]$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_354461
> Default principal: jaw171@UNIV.PITT.EDU
>
> Valid starting Expires Service principal
> 05/10/12 13:12:45 05/10/12 23:12:48 krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
> renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac,
> arcfour-hmac
> 05/10/12 13:12:59 05/10/12 23:12:48 afs/pitt.edu@UNIV.PITT.EDU
> renew until 05/17/12 13:12:45, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
From that output I would expect that DES stuff is turned on for the
account, but... can you check? And can you say what's in the keytab:
ktutil
rkt /var/tmp/afskerbuser.keytab
l -e
--
Andrew Deason
adeason@sinenomine.net
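
An added example, not part of the original message or of any OpenAFS or Kerberos tool: an offline equivalent of the `ktutil` `l -e` listing requested above, reading the MIT keytab file format (version 0x0502) and flagging single-DES keys. The function names, the all-zero key bytes and the kvno are constructed for illustration; only the principal name comes from the thread.

```python
import struct

ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 23: "arcfour-hmac",
          17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}
SINGLE_DES = {1, 2, 3}  # single-DES enctypes (numbers per the IANA Kerberos registry)

def read_counted(buf, off):
    """Read a 16-bit length-prefixed byte string; return (value, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def list_keytab(data):
    """Return (principal, kvno, enctype name, is_single_des) per keytab entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:              # negative length marks a deleted entry (hole)
            pos += -size
            continue
        end = pos + size
        if end > len(data):
            raise ValueError("truncated entry")
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, cur = read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):     # in 0x0502 the count excludes the realm
            comp, cur = read_counted(data, cur)
            comps.append(comp.decode())
        cur += 8                   # skip name type and timestamp (4 bytes each)
        kvno, etype = struct.unpack_from(">BH", data, cur)
        _key, cur = read_counted(data, cur + 3)
        if end - cur >= 4:         # optional 32-bit kvno, used when non-zero
            kvno = struct.unpack_from(">I", data, cur)[0] or kvno
        name = "/".join(comps) + "@" + realm.decode()
        out.append((name, kvno, ETYPES.get(etype, f"etype {etype}"), etype in SINGLE_DES))
        pos = end
    return out

def sample_entry(etype, key, kvno=3):
    """Constructed test data: one entry for the principal named in the thread."""
    body = struct.pack(">H", 2) + b"".join(
        struct.pack(">H", len(s)) + s for s in (b"UNIV.PITT.EDU", b"afs", b"pitt.edu"))
    body += struct.pack(">IIBH", 1, 0, kvno, etype) + struct.pack(">H", len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + sample_entry(23, bytes(16)) + sample_entry(1, bytes(8))
```

For a real file, pass `open(path, "rb").read()` to `list_keytab`; an entry whose last field is `True` holds a single-DES key.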