[OpenAFS] Debian - openafs -noauth problems

Russ Allbery rra@stanford.edu
Tue, 23 Aug 2005 11:35:53 -0700

Madhusudan Singh <singh.madhusudan@gmail.com> writes:

> Thanks for your response. I contacted the KDC admins yesterday and they
> suggested that I use :

> 	kinit -k -t /etc/krb5.keytab afs/omega.domain.edu@KERBEROS.DOMAIN.EDU

> 	where the keytab is stored in /etc/krb5.keytab

> 	instead of kinit zzzz

> In this case, what would my admin principal be for afs-newcell (the
> second one I listed ?).

No, no, this does something completely different.

You have to have an AFS principal created in Kerberos; this is the
principal that the servers use to authenticate to each other and the
principal for which AFS clients get service tickets.  This principal is
called afs/omega.domain.edu, you create a keytab with that principal in
it, and you use asetkey with that principal.  This is the principal that
has to be single DES.

Completely separate from that, you need a *user* principal that will be
the AFS administrator.  That principal should correspond to a person, will
be used with regular kinit just like any user Kerberos principal, and will
be used to authenticate you, as administrator, to the AFS server.  It can
just be your regular user principal, although we recommend that it be a
separate admin instance so that you don't use the same principal for both
routine work and for privileged access.

When running afs-newcell, the admin principal is the user principal,
either zzzz or zzzz/admin (or zzzz/root, or what have you), whatever you
decide to use.  The afs/omega.domain.edu principal is something different,
and once you've downloaded it and used asetkey on it, you shouldn't have
to think about it any further.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>