[OpenAFS] Unable to get tokens after replacing Win2k3 DC with a Win2k8 DC

Mickey Lane mlane@sinenomine.net
Wed, 11 May 2011 07:36:54 -0500


Did your admins go to Windows Server 2008 (Standard, whatever) or to 2008 R2?

I'm trying to collect notes on getting the KDC to run on 2008 Standard (not R2)
and having a very difficult time of it.

Thanks.

> -----Original Message-----
> From: openafs-info-admin@openafs.org [mailto:openafs-info-
> admin@openafs.org] On Behalf Of Thomas Smith
> Sent: Sunday, April 17, 2011 9:35 PM
> To: OpenAFS-info@openafs.org
> Subject: [OpenAFS] Unable to get tokens after replacing Win2k3 DC with
> a Win2k8 DC
>
> Hi,
>
> Our AD admins replaced our local DC. We were working great when the DC
> was Win2k3--since they replaced it with a Win2k8 DC, none of my
> OpenAFS servers are able to supply tokens. (Not sure if this is
> relevant... But the admin who did the upgrade had a number of issues
> and was unable to promote the box to a RW DC, he was only able to
> promote it to an RO DC.)
>
> I am able to acquire a Kerberos ticket on every machine (clients
> included). But when I run aklog from the file server:
>
> ----- AKLOG
> aklog -d domain.local -k DOMAIN.LOCAL
> Authenticating to cell domain.local (server server01.domain.local).
> We were told to authenticate to realm DOMAIN.LOCAL.
> Getting tickets: afs/domain.local@DOMAIN.LOCAL
> Getting tickets: afs/domain.local@DOMAIN.LOCAL
> Kerberos error code returned by get_cred : -1765328370
> aklog: Couldn't get domain.local AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
> ----- END AKLOG
>
> When I run it from a Mac client:
>
> ----- AKLOG
> aklog -d domain.local -k DOMAIN.LOCAL
> Authenticating to cell domain.local (server server01.domain.local).
> We were told to authenticate to realm DOMAIN.LOCAL.
> Getting tickets: afs/domain.local@DOMAIN.LOCAL
> Getting tickets: afs/domain.local@DOMAIN.LOCAL
> Kerberos error code returned by get_cred : -1765328353
> aklog: Couldn't get domain.local AFS tickets:
> aklog: Decrypt integrity check failed while getting AFS tickets
> ----- END AKLOG
>
> I'm not really sure where to go with this... Nothing has changed other
> than our local DC.
>
> Everything I've found regarding errors like this points to a Kerberos
> problem, but I am able to get tickets just fine.