[OpenAFS] ADS and MIT Kerberos transition auth continued
Douglas E. Engert
deengert@anl.gov
Fri, 17 Jul 2009 14:20:46 -0500
Brandon S. Allbery KF8NH wrote:
> On Jul 17, 2009, at 15:01 , Eric Chris Garrison wrote:
>> [root@rufus2 etc]# klist -e
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: afs/afstest.iu.edu@ADS.IU.EDU
>>
>> Valid starting Expires Service principal
>> 07/17/09 14:34:44 07/18/09 00:34:44 krbtgt/ADS.IU.EDU@ADS.IU.EDU
>> renew until 07/18/09 14:34:44, Etype (skey, tkt): AES-256 CTS
>> mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
>
> Er? AES-256 won't work with AFS.
No, that is a tgt to test if kinit works. It looks like it did.
>
>> 07/17/09 14:38:58 07/18/09 00:38:55 afs/afstest.iu.edu@ADS.IU.EDU
>> renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode
>> with CRC-32, DES cbc mode with RSA-MD5
>
> This is what it should look like.
No, that is what it should look like after an aklog to get the service ticket.
Eric,
Can you run klist -e -t -K -k afstest-md5.keytab
and verify that the key matches what asetkey has.
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444