[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

John W. Sopko Jr. sopko@cs.unc.edu
Fri, 05 Jan 2007 12:16:11 -0500

Yes I will try your instructions, I am not in control
of our Windows servers and they are running W2K. I do
have access to a test W2003 AD server.

 >  * Use a working (non-2003 SP1) version of ktpass to export the key
 >    The 2003 SP1 Support Tools version is 5.2.3790.1830.  Do not use it.

So use the original ktpass? Is there a way to verify the
working version? Thanks for all your help.

While we are on the subject. If we decide to have our
L/Unix infrustrucure, including afs, authenticate to
Windows AD; how comfortable do you feel that one day
a Microsoft patch might break things? Our Windows group
say they cannot guarantee this will not happen. I know
this is a big question...

Jeffrey Altman wrote:
> John W. Sopko Jr. wrote:
>> I should have been more clear. I am only running a TEST
>> krb5 1.4.4 server under linux. I am still running kaserver.
>> Like lots of folks looking to migrate to K5, have been for
>> years.
> oh, much relief felt by all  :-)
>> I would prefer to keep the dns/realm/afs.cell names all the same.
>> The only way to do this is to run one kerberos 5 server. The
>> linux krb5_pam module seems to work fine for authenticating
>> to k5 and getting afs tokens. Aklog works great also. Have tested
>> linux krb5_pam and apache authentication to Windows AD.
>> We run 3 active directory servers, currently Windows 2000
>> to be upgraded to 2003 very soon. We have a Windows group that
>> manages these machines.
>> I am trying to piece things together like Eric.
>> What we need is clear steps on how to create the Windows
>> AD afs/cell.name user and the proper way to export the
>> afs/cell.name key. Would be nice to have this for both
>> W2K and W2003. The linux "asetkey" man page  is real clear
>> on how to do this in linux, (thanks Russ).
> The instructions I provided should work for you.  If they don't,
> scream.
>> I plan on trying to attend the AFS & Kerberos
>> Best Practices Workshop 2007. I am sure over the next few
>> months things will get more clear on this.
> There is a talk from last years workshop by Derrick on this
> very topic.
> Jeffrey Altman

John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175