[OpenAFS] ADS and MIT Kerberos transition auth continued
Eric Chris Garrison
Thu, 16 Jul 2009 15:47:34 -0400
Douglas E. Engert wrote:
> And after you reset the desonly bit in AD, did you use ktpass with
> -pass somepassword -out keytabfile
> or did you use the -rndPass option?
The ADS admin says "We always use the rndPass option for generating the
keytabs. Yes, I set des option before generating the keytabs."
Does this make a difference?
> And you put the new key in the /usr/afs/etc/KeyFile on all the servers
> with the correct kvno? Not sure, but you may have to restart the servers
Yep, using asetkey. We restart the servers every time to be sure as well.
> And you did a fresh kinit?
Jeffrey Altman wrote:
> des-cbc-md5 is fine. After you set the DES-only bit you need to
> assign a new password for the account and re-export the keytab
> with a new kvno, which then needs to be imported into the AFS KeyFile
Yeah, they generated a new keytab with a new kvno and we used asetkey to
import it into the KeyFile.
Anything else that we might be missing? I keep thinking it must be
Eric Chris Garrison | Principal Mass Storage Specialist
firstname.lastname@example.org | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: email@example.com
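The thread keeps circling the same three things: the keytab must carry a single-DES key, its kvno must be the one loaded into the AFS KeyFile, and the servers must be restarted afterwards. An added check script (mine, not from this thread and not OpenAFS or MIT code) that compares what `klist -kte` reports for the afs/ principal with what `asetkey list` reports from the KeyFile. It assumes the classic MIT `klist -kte` layout (kvno, date, time, principal, enctype in parentheses) and the OpenAFS 1.4 `asetkey list` layout (`kvno    N: key is: ...`); the two sample outputs embedded below are constructed so it runs offline, and the principal and realm are placeholders.

```shell
#!/bin/sh
# Added example: verify that the afs/ key in a Kerberos keytab is single DES and that
# its kvno is present in the AFS KeyFile. Not OpenAFS or MIT code; output formats of
# klist -kte and asetkey list are assumed as described in the lead-in.

# Print "kvno enctype" for every keytab entry of the given principal.
# stdin: output of `klist -kte <keytab>`.
keytab_kvnos() {
    awk -v principal="$1" '
        $4 == principal {
            etype = $0
            sub(/^[^(]*\(/, "", etype)          # keep only the text inside the
            sub(/\)[[:space:]]*$/, "", etype)   # trailing (enctype) parentheses
            print $1, etype
        }'
}

# Print every kvno loaded in the KeyFile, one per line.
# stdin: output of `asetkey list` (lines look like "kvno    3: key is: 0x...").
keyfile_kvnos() {
    awk '$1 == "kvno" { sub(/:$/, "", $2); print $2 }'
}

# Returns 0 when the highest keytab kvno for the principal is single DES and is
# present in the KeyFile; prints a diagnostic and returns 1 otherwise.
# $1 principal, $2 klist -kte output, $3 asetkey list output.
check_keytab_against_keyfile() {
    principal=$1; klist_out=$2; asetkey_out=$3
    entry=$(printf '%s\n' "$klist_out" | keytab_kvnos "$principal" | sort -n | tail -n 1)
    [ -n "$entry" ] || { echo "no entry for $principal in keytab"; return 1; }
    kvno=${entry%% *}
    etype=${entry#* }
    # The classic AFS KeyFile holds only single-DES keys (des-cbc-crc / des-cbc-md5).
    case "$etype" in
        "DES cbc mode with CRC-32"|"DES cbc mode with RSA-MD5") ;;
        *) echo "keytab kvno $kvno uses '$etype', not single DES; the KeyFile cannot use it"
           return 1 ;;
    esac
    if printf '%s\n' "$asetkey_out" | keyfile_kvnos | grep -qx "$kvno"; then
        echo "OK: kvno $kvno ($etype) is loaded in the KeyFile"
        return 0
    fi
    have=$(printf '%s\n' "$asetkey_out" | keyfile_kvnos | tr '\n' ' ')
    echo "keytab kvno $kvno is not in the KeyFile (KeyFile has: $have)"
    return 1
}

# Constructed sample outputs (placeholder principal, realm and key bytes).
PRINCIPAL='afs/example.org@EXAMPLE.ORG'
KLIST_SAMPLE='Keytab name: FILE:/etc/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/01/09 10:00:00 afs/example.org@EXAMPLE.ORG (ArcFour with HMAC/md5)
   3 07/16/09 15:47:34 afs/example.org@EXAMPLE.ORG (DES cbc mode with CRC-32)'
ASETKEY_SAMPLE='kvno    2: key is: 0x0001020304050607
kvno    3: key is: 0x08090a0b0c0d0e0f
All done.'

# Real usage would pipe live output instead of the samples, e.g.
#   check_keytab_against_keyfile "$PRINCIPAL" "$(klist -kte /etc/afs.keytab)" "$(asetkey list)"
check_keytab_against_keyfile "$PRINCIPAL" "$KLIST_SAMPLE" "$ASETKEY_SAMPLE"
```

Run it on the real machine after `asetkey add`, and again after `bos restart` (the KeyFile is only re-read at startup); a mismatch between the kvno the KDC hands out and the one the fileservers hold shows up here before it shows up as a failed `aklog`.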