[OpenAFS] asetkey, aklog and weird key/principal

Douglas E. Engert deengert@anl.gov
Mon, 08 Jan 2007 09:55:04 -0600


Turbo Fredriksson wrote:
> I setting up AFS (v1.4.2) on Ubuntu with a Win2k3
> AD.
>=20
> I/We have no admin rights on the AD unfortunatly,
> and the AFS principal we was given is in the form:

The AD admin can create the AFS account with any name they want,
but the ServicePrincipalName assigned to must be, as Jeff said,
afs@<REALM>, or more commonly afs/<cellname>@<REALM>
Since the <cellname> is usually based on a DNS name,
it should be globally unique, so your AD admins should not
have a problem with using the SPN of afs/cellname@REALM

>=20
> <city>_afs/EU<city><srv_nr>@<REALM>
>=20
> My cell is named:
>=20
> europe.ad.<domain>

The account name (ktpass -mapuser) could be city_afs
and the SPN=3Dafs/europe.ad.<domain>@<DOMAIN>

>=20
> where =C2=B4<domain>=C2=B4 and =C2=B4<REALM>=C2=B4 is the same (just
> different case as it should).
>=20
>=20
> Is there any way to make sure aklog gets the correct
> host token with this setup?!
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>=20
>=20

--=20

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444