[OpenAFS] ADS and MIT Kerberos transition auth continued

Douglas E. Engert deengert@anl.gov
Thu, 16 Jul 2009 16:02:42 -0500


Eric Chris Garrison wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Douglas E. Engert wrote:
>> And after you reset the desonly bit in AD, did you use ktpass with
>> -pass somepassword -out keytabfile
>> or did you use the -rndPass option?
> 
> The ADS admin says "We always use the rndPass option for generating the
> keytabs. Yes, I set des option before generating the keytabs."
> 
> Does this make a difference?

No it should not.

What is the exact ktpass command your admin is running to update AD
and generate the keytab for you?

If you use ADSI Edit to look at the account, do you see the
msDS-KeyVersionNumber matching the kvno?

> 
>> And you put the new key in the /usr/afs/etc/KeyFile on all the servers
>> with the correct kvno? Not sure, but you may have to restart the servers
>> too.
> 
> Yep, using asetkey.  We restart the servers every time to be sure as well.

If you have a number of DCs in your domain, there might be a propagation
delay as the DCs are updated.

There was also an issue with some older ktpass commands; do you have the
latest one? See Jeff's post:

http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=2882

Also if you are using W2008 and 64bit:
http://support.microsoft.com/kb/960830

> 
>> And you did a fresh kinit?
> 
> Yes.
> 
> Jeffrey Altman wrote:
>> des-cbc-md5 is fine.  after you set the DES-only bit you need to
>> generate assign a new password for the account and re-export the keytab
>> with a new kvno which then needs to be imported into the AFS KeyFile
> 
> Yeah, they generated a new keytab with a new kvno and we used asetkey to
> import it into the KeyFile.
> 
> Anything else that we might be missing?  I keep thinking it must be
> something simple.
> 
> Chris
> - --
> Eric Chris Garrison             | Principal Mass Storage Specialist
> ecgarris@iupui.edu              | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFKX4PWG2WsK8XoJWURAoR4AJ9F+pcGDLySoWq/22vTjio3JXVlIACcCQK7
> 5++qLvFzIr+lpcADqYpflfI=
> =wdV0
> -----END PGP SIGNATURE-----
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
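As an added illustration of the two checks suggested in the reply above (keytab kvno versus the account's msDS-KeyVersionNumber, and the DES-only bit on the account), here is a small Python parser for the MIT keytab format that pulls the kvno and enctype out of each entry and compares them with the AD attributes. This is example code written for this page, not anything from the thread or from OpenAFS; the keytab bytes and the AD attribute dictionary are constructed inline (in practice the attributes would come from ADSI Edit or an ldapsearch of the service account), and the UF_USE_DES_KEY_ONLY constant is the documented userAccountControl bit value.

```python
import struct

# Documented userAccountControl flag for "use DES key only" (UF_USE_DES_KEY_ONLY).
UF_USE_DES_KEY_ONLY = 0x00200000

# Kerberos enctype numbers the AFS KeyFile can actually hold (single DES).
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def _counted(data, pos):
    """Read a 16-bit big-endian length-prefixed byte string."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    pos += 2
    return data[pos:pos + n], pos + n


def parse_keytab(data):
    """Parse an MIT-format keytab (magic 0x0502) into a list of entry dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 MIT keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _counted(data, pos)
            comps.append(c.decode())
        # v2 entries carry name_type, timestamp and an 8-bit kvno before the key
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        enctype, keylen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        pos += keylen                # skip the key material itself
        vno = vno8
        if end - pos >= 4:           # optional 32-bit kvno after the key
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            if vno32:                # a non-zero vno32 supersedes the 8-bit field
                vno = vno32
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": enctype, "keylen": keylen})
    return entries


def build_entry(realm, comps, kvno, enctype, key, name_type=1, timestamp=0):
    """Serialize one keytab entry (used here only to construct sample input)."""
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def check_against_ad(entries, ad_account):
    """Report mismatches between keytab entries and the AD account attributes."""
    problems = []
    ad_kvno = int(ad_account["msDS-KeyVersionNumber"])
    uac = int(ad_account["userAccountControl"])
    if not uac & UF_USE_DES_KEY_ONLY:
        problems.append("DES-only bit (UF_USE_DES_KEY_ONLY) not set on the account")
    for e in entries:
        if e["enctype"] not in DES_ENCTYPES:
            problems.append(f"{e['principal']}: enctype {e['enctype']} is not single DES")
        if e["kvno"] != ad_kvno:
            problems.append(f"{e['principal']}: keytab kvno {e['kvno']} != "
                            f"AD msDS-KeyVersionNumber {ad_kvno}")
    return problems


# Constructed sample keytab: afs/example.com@EXAMPLE.COM, des-cbc-md5, kvno 5.
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(b"EXAMPLE.COM", [b"afs", b"example.com"],
                                          5, 3, bytes(8))

# Constructed AD attribute values, as one would read them in ADSI Edit.
AD_OK = {"msDS-KeyVersionNumber": "5", "userAccountControl": str(0x10000 | UF_USE_DES_KEY_ONLY)}
AD_STALE = {"msDS-KeyVersionNumber": "6", "userAccountControl": str(0x10000)}

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    print(entries)
    print(check_against_ad(entries, AD_OK) or "keytab matches AD")
    for p in check_against_ad(entries, AD_STALE):
        print("problem:", p)
```

The keytab's kvno is what asetkey stores alongside the key in the AFS KeyFile, so if this check shows a mismatch with msDS-KeyVersionNumber the servers will be presented with tickets encrypted under a key version they do not have, which is exactly the symptom being chased in the thread.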