[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Fri, 17 Jul 2009 15:35:36 -0400


Douglas E. Engert wrote:
> Can you run  klist -e -t -K -k afstest-md5.keytab
> and verify that the key matches what asetkey has.

Thank you!  This led to the solution... It did NOT match, as the key had
been added with bos addkey with the most recent service principal keytab
from the ADS admin, and I deleted and re-added it with asetkey and then it
did match, and now it works for BOTH realms.

Earlier, the ADS admin was automatically generating a key that used HMAC
with des-cbc-crc because it had solved a problem for another admin setting
up NFS, so he thought it was necessary.

Thanks again!  This has been a frustrating project.  Now to prepare to do
it in production.

Chris
--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
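
The comparison suggested in the quoted reply, as an added example that is not part of the original message: it parses saved output of `klist -e -K -k` and `asetkey list` and reports each key version that is missing on one side or whose bytes differ, without echoing the keys. The sample output, the principal and realm names, and the exact line layouts are constructed assumptions.

```python
import re

# Constructed sample output. The line layouts are assumptions modelled on
# `klist -e -K -k <keytab>` (MIT Kerberos) and `asetkey list` (OpenAFS).
KLIST_SAMPLE = """\
Keytab name: FILE:afstest-md5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 afs/cell.example@ADS.EXAMPLE (des-cbc-md5)  (0x0123456789abcdef)
"""
ASETKEY_SAMPLE = """\
kvno    3: key is: fedcba9876543210
All done.
"""

# kvno, optional "-t" date and time columns, principal, (enctype), (0xkey)
KLIST_ROW = re.compile(r"^\s*(\d+)\s+(?:\S+\s+\S+\s+)?(\S+@\S+)\s+"
                       r"\(([^)]+)\)\s+\(0x([0-9a-fA-F]+)\)\s*$")
ASETKEY_ROW = re.compile(r"^kvno\s+(\d+):\s+key is:\s+([0-9a-fA-F]+)\s*$")

def parse_klist(text):
    """Map kvno -> set of key hex strings found in the keytab listing."""
    keys = {}
    for m in filter(None, map(KLIST_ROW.match, text.splitlines())):
        keys.setdefault(int(m.group(1)), set()).add(m.group(4).lower())
    return keys

def parse_asetkey(text):
    """Map kvno -> key hex string found in the KeyFile listing."""
    rows = filter(None, map(ASETKEY_ROW.match, text.splitlines()))
    return {int(m.group(1)): m.group(2).lower() for m in rows}

def compare(klist_text, asetkey_text):
    """Return (kvno, problem) findings; key bytes are never included."""
    keytab, keyfile = parse_klist(klist_text), parse_asetkey(asetkey_text)
    findings = []
    for kvno in sorted(set(keytab) | set(keyfile)):
        if kvno not in keyfile:
            findings.append((kvno, "in keytab but not in KeyFile"))
        elif kvno not in keytab:
            findings.append((kvno, "in KeyFile but not in keytab"))
        elif keyfile[kvno] not in keytab[kvno]:
            findings.append((kvno, "key bytes differ"))
    return findings

if __name__ == "__main__":
    for kvno, problem in compare(KLIST_SAMPLE, ASETKEY_SAMPLE):
        print(f"kvno {kvno}: {problem}")
```

Both listings contain raw key material, so capture them on the server itself and delete the captures once the comparison is done.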