[OpenAFS-devel] I think I'm closer, but....

Ken Hornstein kenh@cmf.nrl.navy.mil
Thu, 10 Jan 2002 13:28:56 -0500


>Now I've created my afs@REALM principal, with a v4 des-cbc-crc key.

Let me try to fill in some of the gaps here.

The "v4" part of the key is the salt, which for service keys doesn't matter
(the documentation with the migration kit explains more about that).

>Over on the AFS bosserver machine I've run kadmin, authenticated as
>admin/admin and done a ktadd afs.
>
>Then I exit kadmin and run asetkey on the new /etc/krb5.keytab to,
>presumably, extract the key.

... which sounds right ...

>Then I should be able to do a kinit -4 afs@REALM, authenticate, and then
>run aklog to get a token, right?

Actually ... no.

aklog takes a _V5_ TGT; you don't need any V4 credentials at all.  And
what you're asking here is to get credentials as the AFS service, which
you don't really want (unless you happen to be a user named "afs",
which would cause you problems).  You really want:

kinit -5 your_username@REALM

Then run aklog.

>But when I do kinit, I get kinit(v4): Password incorrect.  I know it's
>the same password I gave when I created the key (since it's just "afs"
>until I get this right).

One thing that is covered in the FAQ (and briefly mentioned in the
migration kit documentation) is that every time you run ktadd, the key
is changed, so the password for that account is no longer "afs" - it's
actually a random key which probably doesn't correspond to a valid
password.  So you couldn't run kinit against the afs service, even
if that was something you wanted to do (which you don't).

--Ken
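As an added example that is not part of the thread, here is a small POSIX shell wrapper for the sequence Ken describes (a V5 ticket for your own user, then aklog), with a guard against the mistake in the original post of trying to kinit as the AFS service principal. The realm EXAMPLE.COM and the user alice are placeholders; kinit, aklog and tokens are assumed to be on PATH and the "-5" flag is the one shown in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing list post). Obtains an AFS token from a
# Kerberos 5 TGT, the way Ken describes: kinit -5 <user>@REALM, then aklog.
# Assumptions: EXAMPLE.COM and alice are placeholders; kinit/aklog/tokens are
# installed and on PATH.

# Return 0 if PRINC looks like a user principal, 1 if it is the AFS service
# principal (afs@REALM or afs/cell@REALM). After ktadd the service key is
# random, so there is no password to kinit with, and you would not want
# service credentials as a user anyway.
is_user_principal() {
    princ=$1
    case "$princ" in
        afs@*|afs/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the exact commands that would be run, one per line, so they can be
# reviewed before anything touches the KDC. Fails for a service principal.
get_token_commands() {
    princ=$1
    if ! is_user_principal "$princ"; then
        echo "refusing: $princ is the AFS service principal, not a user" >&2
        return 1
    fi
    printf '%s\n' "kinit -5 $princ" "aklog" "tokens"
}

# Run the sequence for real: V5 ticket, then aklog, then show the token
# so you can confirm it was issued for your user and the right cell.
get_afs_token() {
    princ=$1
    get_token_commands "$princ" >/dev/null || return 1
    kinit -5 "$princ" && aklog && tokens
}

# Usage: get_afs_token alice@EXAMPLE.COM
```

The only check the wrapper adds on top of the thread's advice is the principal guard: it turns the "Password incorrect" dead end from the original post into an immediate, explicit refusal with the reason.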