[OpenAFS] AFS Authentication to windows 2003 AD server.
Larry Cashdollar
lcashdol@gmail.com
Wed, 7 Dec 2005 16:34:16 -0500
I did recreate the keytab files and pushed those to the afs servers, using
the following command, thinking this was the case. Are there any new flags
that I might have missed?
ktpass -princ afs@vapid-labs.com -mapuser afs -pass * -out afs.keytab -kvno 1
I restarted the afs service daemons with bos restart, which seemed to
work fine as well.
On 12/7/05, Jeffrey Altman <jaltman@secure-endpoints.com> wrote:
>
> Microsoft changed the behavior of Windows with regards to the use of
> key version numbers in 2003. You will need to re-export the service
> principal keys.
>
> Jeffrey Altman
>
>
> Larry Cashdollar wrote:
> > Hello all,
> > So for two or three years now I have managed an AFS Cell that
> > authenticates to windows 2000 AD server.
> >
> > The AD servers were recently converted to windows 2003 and now I can no
> > longer authenticate to my cell.
> >
> > Authenticating to cell vapid-labs.com (server afs-camdb1.vapid-labs.com).
> > We've deduced that we need to authenticate to realm VAPID-LABS.COM.
> > Getting tickets: afs/vapid-labs.com@VAPID-LABS.COM
> > Kerberos error code returned by get_cred: -1765328154
> > aklog: Couldn't get vapid-labs.com AFS tickets:
> > aklog: Key version number for principal in key table is incorrect while
> > getting AFS tickets
> >
> > On my other client I get the same error code, but it is mapped to a
> > different message.
> >
> > Which one is the correct message?
> >
> > larry@Mathom:~$ aklog -d
> > Authenticating to cell vapid-labs.com (server afs-camdb1.vapid-labs.com).
> > We've deduced that we need to authenticate to realm vapid-labs.com.
> > Getting tickets: afs/vapid-labs.com@VAPID-LABS.COM
> > Kerberos error code returned by get_cred: -1765328154
> > aklog: Couldn't get vapid-labs.com AFS tickets:
> > aklog: New password cannot be zero length while getting AFS tickets
> >
> >
> > I use a separate kerberos server running krb524 on port 4444 to convert
> > tickets.
> >
> > Any help will be appreciated.
> >
>
>
>
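As an added example, not part of this thread and not OpenAFS or MIT Kerberos code, the Python script below shows two offline checks for a key-version mismatch of the kind reported above. First, it decodes the numeric error -1765328154 using the standard com_err packing (table name in the high 24 bits, 6 bits per character; message index in the low 8 bits): the code belongs to the "krb5" table at index 230, so the numeric code is the reliable identifier, and a client that prints a different text for the same number is simply looking it up in a different message table. Second, it parses an MIT version 2 keytab and lists the kvno stored for each principal, so the value exported by ktpass -kvno can be compared with the kvno the KDC puts in the service ticket (that ticket kvno is an input the administrator supplies, for example from the MIT kvno utility). The keytab bytes are constructed inside the script with a dummy 16-byte key; they are not data from the thread.

```python
import struct

# com_err packs an error-table name into the high 24 bits of a 32-bit code
# (6 bits per character from this alphabet, 1-based) and the message index
# into the low 8 bits. Decoding a code tells you which table a client must
# carry to print the matching message.
_COM_ERR_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def decode_com_err(code):
    """Return (table_name, index) for a signed 32-bit com_err code."""
    unsigned = code & 0xFFFFFFFF
    table, index = unsigned >> 8, unsigned & 0xFF
    chars = []
    while table:
        chars.append(_COM_ERR_ALPHABET[(table & 0x3F) - 1])
        table >>= 6
    return "".join(reversed(chars)), index


def _counted(raw):
    """Keytab counted octet string: 16-bit big-endian length, then bytes."""
    return struct.pack(">H", len(raw)) + raw


def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT v2 (0x0502) keytab."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _counted(realm.encode())
        for component in components:
            body += _counted(component.encode())
        # name_type 1 (NT-PRINCIPAL), timestamp 0, 8-bit vno, then the keyblock
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # optional 32-bit vno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse an MIT v2 keytab into dicts carrying principal, kvno and enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:  # deleted slot: skip |size| bytes
            pos += -size
            continue
        end = pos + size

        def take_counted():
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            pos += 2
            value = data[pos:pos + n]
            pos += n
            return value

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = take_counted().decode()
        components = [take_counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen
        kvno = vno8
        if end - pos >= 4:  # a non-zero 32-bit vno overrides the 8-bit field
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append({"principal": "/".join(components) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries


def keytab_kvnos(entries, principal):
    """All key version numbers the keytab holds for one principal."""
    return sorted(e["kvno"] for e in entries if e["principal"] == principal)


def kvno_matches(entries, principal, ticket_kvno):
    """True if the keytab holds a key with the kvno the KDC put in the ticket."""
    return ticket_kvno in keytab_kvnos(entries, principal)


# Constructed sample: the service principal from the thread, exported with
# -kvno 1 as in the ktpass command above. The 16-byte key is a dummy value.
SERVICE = "afs/vapid-labs.com@VAPID-LABS.COM"
SAMPLE_KEYTAB = build_keytab([(SERVICE, 1, 23, bytes(range(16)))])  # 23 = arcfour-hmac

if __name__ == "__main__":
    table, index = decode_com_err(-1765328154)
    print(f"error -1765328154 -> table {table!r}, index {index}")
    entries = parse_keytab(SAMPLE_KEYTAB)
    for entry in entries:
        print(entry)
    # ticket_kvno=2 stands in for a kvno the KDC reports after a re-export
    print("keytab covers a kvno-2 ticket:", kvno_matches(entries, SERVICE, 2))
```

Run it as a script to see the decoded table and the keytab listing; to check a real keytab, read the file's bytes and pass them to parse_keytab. If the kvno in the ticket is not among the values keytab_kvnos returns, the server cannot decrypt that ticket, which is exactly the condition the krb5 message at index 230 describes.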