[OpenAFS] Setting up a new Win 2008r2 AD as krb5 server for OpenAFS

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 26 Oct 2010 08:51:45 -0400



On 10/26/2010 6:48 AM, Lars Schimmer wrote:
> Hi!
>
> Due to some problems while migrating from 2003 to 2008 I need to redo my
> complete AD.
> Biggest problem beside the work to set up all users is:
> creating new afs credential and set it up in the OpenAFS Fileservers.
>
> Is there any guide/step-by-step available now?
> I once did it and did not document it well :-(

Unless someone like yourself wrote one and placed it in the wiki or
updated the admin guide, the answer would be 'no'.

>
> So far I know:

0. Enable support for single DES in AD

> 1. create user afs in AD, user cannot change pass, passwd never expires
> 2. setspn afs afs/cgv.tugraz.at
> 3. ktpass -out NAME.out.txt -princ afs@CGV.TUGRAZ.AT \
>        -crypto DES-CBC-CRC +rndPass -DesOnly /ptype KRB5_NT_SRV_HST

Use MIT kvno tool to request a service ticket for
afs/cgv.tugraz.at@CGV.TUGRAZ.AT.   That will report the kvno.
Or you can examine the user account object in AD.

> 4. on fileservers: asetkey add 3 NAME.out.txt afs/cgv.tugraz.at

replace "add 3" with "add <kvno>"

> 5. restart fileservers.

restart not required.  touch the server CellServDB file.

> But as ktpass does not set the kvno in AD, how do I get the kvno?
>
> And do I miss a point?
>
>
> MfG,
> Lars Schimmer
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
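
The kvno lookup and the corrected steps 4 and 5 from the reply above, sketched as an added example that is not part of the original message or of OpenAFS: it reads the kvno from MIT `kvno` output and prints the matching `asetkey` and `touch` commands instead of a hard-coded "add 3". The function names, the sample `kvno` output and the CellServDB path `/usr/afs/etc/CellServDB` are assumptions; use the path of your own server layout.

```shell
#!/bin/sh
# Added example: nothing here contacts a KDC or changes keys; the
# fileserver-side commands are only printed for review.

# Extract the key version number from MIT `kvno` output such as
#   afs/cgv.tugraz.at@CGV.TUGRAZ.AT: kvno = 3
# $1 = full principal, $2 = captured output of `kvno <principal>`.
# Prints the number; returns 1 if no numeric kvno is reported for $1.
parse_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '
        index($0, p ": kvno = ") == 1 {
            v = substr($0, length(p) + 10)   # text after ": kvno = "
            if (v ~ /^[0-9]+$/) { print v; found = 1; exit }
        }
        END { exit !found }'
}

# Print steps 4 and 5 using the kvno the KDC reported.
# $1 = service name, $2 = realm, $3 = keytab written by ktpass,
# $4 = captured `kvno` output, $5 = server CellServDB path (assumption).
rekey_commands() {
    kv=$(parse_kvno "$1@$2" "$4") || {
        echo "no kvno reported for $1@$2" >&2
        return 1
    }
    # asetkey takes the service name without the realm, as in step 4.
    printf 'asetkey add %s %s %s\n' "$kv" "$3" "$1"
    # Touching the server CellServDB replaces the fileserver restart.
    printf 'touch %s\n' "$5"
}

# Constructed sample of what `kvno afs/cgv.tugraz.at@CGV.TUGRAZ.AT` prints.
SAMPLE_KVNO_OUTPUT='afs/cgv.tugraz.at@CGV.TUGRAZ.AT: kvno = 5'

rekey_commands afs/cgv.tugraz.at CGV.TUGRAZ.AT NAME.out.txt \
    "$SAMPLE_KVNO_OUTPUT" /usr/afs/etc/CellServDB
```

In real use the fourth argument would be `"$(kvno afs/cgv.tugraz.at@CGV.TUGRAZ.AT)"`, run with a valid ticket for the realm.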


