[OpenAFS] ADS and MIT Kerberos transition auth continued
Eric Chris Garrison
Fri, 17 Jul 2009 15:35:36 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Douglas E. Engert wrote:
> Can you run klist -e -t -K -k afstest-md5.keytab
> and verify that the key matches what asetkey has.
Thank you! This led to the solution... It did NOT match, as the key had
been added with bos addkey with the most recent service principal keytab
from the ADS admin, and I deleted and re-added it with asetkey and then it
did match, and now it works for BOTH realms.
Earlier, the ADS admin was automatically generating a key that used HMAC
with des-cbc-crc because it had solved a problem for another admin setting
up NFS, so he thought it was necessary.
Thanks again! This has been a frustrating project. Now to prepare to do
it in production.
Eric Chris Garrison | Principal Mass Storage Specialist
email@example.com | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: firstname.lastname@example.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----