I usually create the AFS principal and put it onto the first server in one go with heimdals ktutil: ktutil -k AFSKEYFILE:/usr/afs/etc/KeyFile get -p your-admin-principal afs/your-cell@YOUR-REALM The AFSKEYFILE: tells the heimdal library that this is not a normal krb5 keyfile. (This is from memory only, so I blame any inaccuracy on that ;-) Harald.