[OpenAFS] Unable to get tokens after replacing Win2k3 DC with a Win2k8 DC

Thomas Smith theitsmith@gmail.com
Sun, 17 Apr 2011 18:35:11 -0700


Hi,

Our AD admins replaced our local DC. We were working great when the DC
was Win2k3--since they replaced it with a Win2k8 DC, none of my
OpenAFS servers are able to supply tokens. (Not sure if this is
relevant... But the admin who did the upgrade had a number of issues
and was unable to promote the box to a RW DC, he was only able to
promote it to an RO DC.)

I am able to acquire a Kerberos ticket on every machine (clients
included). But when I run aklog from the file server:

----- AKLOG
aklog -d domain.local -k DOMAIN.LOCAL
Authenticating to cell domain.local (server server01.domain.local).
We were told to authenticate to realm DOMAIN.LOCAL.
Getting tickets: afs/domain.local@DOMAIN.LOCAL
Getting tickets: afs/domain.local@DOMAIN.LOCAL
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get domain.local AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
----- END AKLOG

When I run it from a Mac client:

----- AKLOG
aklog -d domain.local -k DOMAIN.LOCAL
Authenticating to cell domain.local (server server01.domain.local).
We were told to authenticate to realm DOMAIN.LOCAL.
Getting tickets: afs/domain.local@DOMAIN.LOCAL
Getting tickets: afs/domain.local@DOMAIN.LOCAL
Kerberos error code returned by get_cred : -1765328353
aklog: Couldn't get domain.local AFS tickets:
aklog: Decrypt integrity check failed while getting AFS tickets
----- END AKLOG

I'm not really sure where to go with this... Nothing has changed other
than our local DC.

Everything I've found regarding errors like this points to a Kerberos
problem, but I am able to get tickets just fine.
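A decoder for the two error codes in the aklog output above, plus the check a practitioner would run next, as an added example in Python (not code from the original post, from OpenAFS or from MIT Kerberos). The raw values are MIT krb5 com_err codes: the krb5 error table base is -1765328384, and the value is base plus the RFC 4120 error number, so -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP (14, "KDC has no support for encryption type") and -1765328353 is KRB5KRB_AP_ERR_BAD_INTEGRITY (31), which matches the "Decrypt integrity check failed" text the Mac printed. ETYPE_NOSUPP is returned by the KDC when it cannot issue the ticket in an encryption type acceptable for the service principal's keys, and BAD_INTEGRITY means something was decrypted with the wrong key or key version, so the natural next check is to compare the enctype and kvno of the ticket the KDC issues for afs/domain.local against the keys the file server's keytab actually holds. The `klist -k -e`, `klist -e` and `kvno` output parsed below is constructed, and the DES-only keytab and AES-issued ticket in the sample are assumptions chosen to show a mismatch, not something the post establishes.

```python
# Added example, not part of the original post, of OpenAFS or of MIT Kerberos.
# Decodes raw krb5 com_err values and compares the afs/ service ticket the KDC
# issues with the keys in a file server keytab. Assumes MIT com_err numbering
# and MIT-style `klist -k -e`, `klist -e` and `kvno` output formats.
import re

KRB5_ERROR_TABLE_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT krb5

# Subset of MIT krb5's error table; the index equals the RFC 4120 error code.
KRB5_ERRORS = {
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    44: ("KRB5KRB_AP_ERR_BADKEYVER", "Key version number for principal in key table is incorrect"),
}

CELL_PRINCIPAL = "afs/domain.local@DOMAIN.LOCAL"  # the principal aklog asked for above


def decode_krb5_error(code):
    """Turn a raw com_err value such as -1765328370 into (index, symbol, message)."""
    index = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= index < 256:  # com_err tables hold at most 256 codes
        raise ValueError("%d is not in the krb5 error table" % code)
    symbol, message = KRB5_ERRORS.get(index, ("KRB5_ERR_%d" % index, "not in this subset"))
    return index, symbol, message


def parse_keytab(listing):
    """`klist -k -e` output -> {principal: {(kvno, enctype), ...}}."""
    keys = {}
    for m in re.finditer(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$", listing, re.M):
        keys.setdefault(m.group(2), set()).add((int(m.group(1)), m.group(3)))
    return keys


def parse_ticket_enctype(listing, principal):
    """`klist -e` output -> enctype of the ticket for principal, or None if absent."""
    lines = listing.splitlines()
    for i, line in enumerate(lines[:-1]):
        if line.split() and line.split()[-1] == principal:
            m = re.search(r"Etype \(skey, tkt\): (.+?), (.+)$", lines[i + 1])
            if m:
                return m.group(2).strip()  # second field is the ticket enctype
    return None


def parse_kvno(output, principal):
    """`kvno` output -> key version the KDC used for principal, or None."""
    m = re.search(r"^%s: kvno = (\d+)$" % re.escape(principal), output, re.M)
    return int(m.group(1)) if m else None


def check_service_key(keytab_listing, klist_listing, kvno_output, principal):
    """Compare the KDC-issued ticket for principal with the server's keytab.

    Returns a list of findings; an empty list means the ticket is encrypted
    with a key version and enctype that the keytab actually holds.
    """
    keys = parse_keytab(keytab_listing).get(principal, set())
    if not keys:
        return ["keytab has no key for %s" % principal]
    enctype = parse_ticket_enctype(klist_listing, principal)
    if enctype is None:
        return ["KDC issued no ticket for %s (TGS request failed); keytab enctypes: %s"
                % (principal, sorted(e for _, e in keys))]
    findings = []
    kvno = parse_kvno(kvno_output, principal)
    if kvno is not None and kvno not in {k for k, _ in keys}:
        findings.append("ticket kvno %d not in keytab (has %s): key was re-issued"
                        % (kvno, sorted({k for k, _ in keys})))
    if enctype not in {e for _, e in keys}:
        findings.append("ticket enctype %r has no matching keytab key" % enctype)
    return findings


# Constructed `klist -k -e` output: an (assumed) single-DES key for the cell.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/domain.local@DOMAIN.LOCAL (DES cbc mode with CRC-32)
   3 host/server01.domain.local@DOMAIN.LOCAL (ArcFour with HMAC/md5)
"""

# Constructed `klist -e` output: only a TGT, no afs/ service ticket was issued.
KLIST_NO_TICKET = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: tsmith@DOMAIN.LOCAL

Valid starting     Expires            Service principal
04/17/11 18:00:00  04/18/11 04:00:00  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL
    Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""

# Constructed `klist -e` output: the KDC issued the afs/ ticket with AES and a
# newer kvno, which the DES-only keytab above cannot decrypt.
KLIST_AES = KLIST_NO_TICKET + """\
04/17/11 18:05:00  04/18/11 04:00:00  afs/domain.local@DOMAIN.LOCAL
    Etype (skey, tkt): ArcFour with HMAC/md5, AES-256 CTS mode with 96-bit SHA-1 HMAC
"""
KVNO_AES = "afs/domain.local@DOMAIN.LOCAL: kvno = 4\n"  # constructed `kvno` output

if __name__ == "__main__":
    for code in (-1765328370, -1765328353):
        print(code, "=", decode_krb5_error(code))
    print(check_service_key(KEYTAB_LISTING, KLIST_NO_TICKET, "", CELL_PRINCIPAL))
    print(check_service_key(KEYTAB_LISTING, KLIST_AES, KVNO_AES, CELL_PRINCIPAL))
```

On a real server the three inputs come from `klist -k -e /etc/krb5.keytab` (or the AFS keytab the file server uses), then `kinit`, `kvno afs/domain.local@DOMAIN.LOCAL` and `klist -e` run as the same user; a finding from the second check means the server can never decrypt the tokens the KDC is now issuing, whichever side the aklog error is reported on.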