[OpenAFS] Initial setup "rxk: security object was passed a bad ticket"

Assarsson, Emil emil.assarsson@sonyericsson.com
Tue, 17 Nov 2009 10:17:28 +0100


Hi all,

KDC: Microsoft Active Directory 2008
AFS server OS: Ubuntu 9.10
OpenAFS version: 1.4.11+dfsg-1 (distributed version)

Admin and service accounts are AD accounts.
I created the service user as a regular user and checked the option "use 
DES encryption types for this account"
I created the keytab with ktutil:
--
addent -password -p afs/lnx036.test.net -k 3 -e des-cbc-crc
wkt /etc/krb5.keytab.afs
quit
--

I have managed to set up as far as afs-newcell without problem.
Now I need to kinit and aklog and so far no visible problems:

# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adminuser@TEST.NET

Valid starting     Expires            Service principal
11/17/09 09:44:08  11/17/09 19:44:11  krbtgt/TEST.NET@TEST.NET
    renew until 11/18/09 08:56:08, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/17/09 09:44:11  11/17/09 19:44:11  afs/lnx036.test.net@TEST.NET
    renew until 11/18/09 08:56:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5


# aklog -cell lnx036.test.net -k TEST.NET -d
Authenticating to cell lnx036.test.net (server lx0480.test.net).
We were told to authenticate to realm TEST.NET.
Getting tickets: afs/lnx036.test.net@TEST.NET
Getting tickets: afs/lnx036.test.net@TEST.NET
Using Kerberos V5 ticket natively
About to resolve name adminuser to id in cell lnx036.test.net.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 /  @ TEST.NET

I think that this seems ok.

Then when I try to use the token in some way like:
# vos status lx0480.test.net
Could not access status information about the server
rxk: security object was passed a bad ticket
Error in vos status command.
rxk: security object was passed a bad ticket


----
I have tried some things...
* changed the enctype to md5
* changed the setting "Use DES.." in the AD to off

----
I can't find much written about this setup.
Is it possible to make this work and will it be a supportable solution?
Are there any other solutions to make this work in a Microsoft centric 
network?


All input most appreciated :-)

--
Emil
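Added example (not part of Emil's post, and not OpenAFS or MIT Kerberos code). The rxkad server can only decrypt a service ticket if it holds key material for the kvno the KDC stamped on that ticket, so the first check a practitioner makes with a hand-built keytab like the one above is whether the kvno guessed in `ktutil addent -k 3` and the key's enctype agree with what the KDC actually issues. The script below parses the `klist -e` output quoted in the post, plus a constructed `klist -kte /etc/krb5.keytab.afs` listing and a constructed `kvno afs/lnx036.test.net` result (the kvno value 2 is an assumption made for illustration), and reports mismatches. It treats the single-DES enctypes as interchangeable, since des-cbc-crc, des-cbc-md4 and des-cbc-md5 share one string-to-key and one 56-bit key (RFC 3961 section 6.2). One caveat the script cannot check: `ktutil addent -password` derives the key with MIT's default salt (realm plus principal components), whereas AD salts keys per account rather than per SPN, so a keytab exported from the DC with `ktpass` is the usual way to be sure the key itself matches.

```python
import re

# `klist -e` output as quoted in the post (wrapped lines joined).
KLIST_E = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adminuser@TEST.NET

Valid starting     Expires            Service principal
11/17/09 09:44:08  11/17/09 19:44:11  krbtgt/TEST.NET@TEST.NET
    renew until 11/18/09 08:56:08, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
11/17/09 09:44:11  11/17/09 19:44:11  afs/lnx036.test.net@TEST.NET
    renew until 11/18/09 08:56:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

# Constructed sample: what `klist -kte /etc/krb5.keytab.afs` prints for the keytab
# built with `addent -password -p afs/lnx036.test.net -k 3 -e des-cbc-crc`.
KLIST_KTE = """\
Keytab name: FILE:/etc/krb5.keytab.afs
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 11/17/09 09:30:12 afs/lnx036.test.net@TEST.NET (DES cbc mode with CRC-32)
"""

# Constructed sample: `kvno afs/lnx036.test.net` shows the kvno the KDC really
# put on the ticket. The value 2 is an assumption for this example.
KVNO_OUT = "afs/lnx036.test.net@TEST.NET: kvno = 2\n"

# Single-DES enctypes use the same string-to-key and key material (RFC 3961 s6.2),
# so a des-cbc-crc keytab entry can decrypt a des-cbc-md5 ticket.
DES_FAMILY = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
              "DES cbc mode with RSA-MD4"}

TICKET_RE = re.compile(r"^\d\S* \S+\s+\d\S* \S+\s+(?P<princ>\S+@\S+)$")
ETYPE_RE = re.compile(r"Etype \(skey, tkt\): (?P<skey>.+?), (?P<tkt>.+)$")
KT_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<princ>\S+) \((?P<etype>[^)]+)\)$")
KVNO_RE = re.compile(r"^(?P<princ>\S+): kvno = (?P<kvno>\d+)$")


def parse_tickets(text):
    """Map service principal -> (session-key enctype, ticket enctype) from `klist -e`."""
    tickets, last = {}, None
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            last = m.group("princ")
            tickets[last] = None
            continue
        m = ETYPE_RE.search(line)
        if m and last:
            tickets[last] = (m.group("skey"), m.group("tkt"))
    return tickets


def parse_keytab(text):
    """List of (kvno, principal, enctype) tuples from `klist -kte`."""
    return [(int(m.group("kvno")), m.group("princ"), m.group("etype"))
            for m in (KT_RE.match(l) for l in text.splitlines()) if m]


def parse_kvno(text):
    """Map principal -> kvno from the `kvno` command's output."""
    return {m.group("princ"): int(m.group("kvno"))
            for m in (KVNO_RE.match(l) for l in text.splitlines()) if m}


def check_service_key(service, klist_e, klist_kte, kvno_out):
    """Return findings that explain why the server may fail to decrypt the ticket.

    An empty list means kvno and enctype of the keytab agree with the issued ticket.
    """
    findings = []
    tkt = parse_tickets(klist_e).get(service)
    if tkt is None:
        return [f"no service ticket for {service} in the cache"]
    _skey_etype, tkt_etype = tkt
    entries = [e for e in parse_keytab(klist_kte) if e[1] == service]
    if not entries:
        return [f"keytab has no entry for {service}"]
    kvnos = {e[0] for e in entries}
    issued_kvno = parse_kvno(kvno_out).get(service)
    if issued_kvno is not None and issued_kvno not in kvnos:
        findings.append(f"kvno mismatch: KDC issued kvno {issued_kvno}, keytab holds {sorted(kvnos)}")
    compatible = [e for e in entries
                  if e[2] == tkt_etype or (e[2] in DES_FAMILY and tkt_etype in DES_FAMILY)]
    if not compatible:
        findings.append(f"no keytab key can decrypt a {tkt_etype} ticket")
    return findings


if __name__ == "__main__":
    for finding in check_service_key("afs/lnx036.test.net@TEST.NET",
                                     KLIST_E, KLIST_KTE, KVNO_OUT) or ["keytab matches ticket"]:
        print(finding)
```

On a real host, feed the script the live outputs of `klist -e`, `klist -kte /etc/krb5.keytab.afs` and `kvno afs/lnx036.test.net`; a kvno finding means the keytab (and the KeyFile entry made from it with asetkey) needs to be regenerated with the kvno the KDC reports.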