[OpenAFS] Samba4 KDC afs service principal?

Jeffrey Altman jaltman@secure-endpoints.com
Sat, 15 Oct 2011 01:50:31 -0400


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigF4094068FCC9B914EE4E520F
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 10/14/2011 6:29 PM, G=C3=A9mes G=C3=A9za wrote:
> Hi,
>=20
> In testing for our organizations migration from an
> OpenLDAP/Heimdal/Samba3 based authentication infrastructure to a Samba4=

> one, I've set up a domain. Created a user principal called afs (with
> enctypes: des-cbc-crc and des-cbc-md5) and set up an SPN for it:
> afs/cell@REALM (initially was trying with afs@REALM, but from the KDC
> logs saw that client requested afs/cell@REALM so changed it). Exported
> it to a keytab which was successfully built with asetkey into a KeyFile=
=2E
> But when I try to do an aklog with a keytab as Administrator@REALM, it
> gives:
> aklog: Couldn't get "cell" AFS tickets:
> aklog: unknown RPC error (-1765328324) while getting AFS tickets
> In theory Samba4 (the KDC part being Heimdal) should obey to the settin=
g
> allow_weak_crypto=3Dtrue from the [kdc] section of krb5.conf. (That
> assumption I'm going to check with the samba-technical mailing list).

-1765328324 =3D  Generic error (see e-text)

You need to look at the error text returned in the Kerberos response
from the KDC to determine what the actual error is.  Or look in the KDC
logs.

Jeffrey Altman


--------------enigF4094068FCC9B914EE4E520F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJOmR8pAAoJENxm1CNJffh4BB4H/Ram53zU5NizXQGON6X0V5Gv
Ti0DlV9F8tTAYZC7tXZUPNrkY8PZwQC5SQqh/VFbKZN18yTchQkSjVOvVqi2kgbA
Hl8iFBPvmxY1XaVWpCmt6pAOC++m7TDlLwr7xa8qRAD2UY5NZmBqJqTjE93N/R+F
n2euErYO02GAT2m1cwQTQc20ZPbLXdX3RV6IZuBeY1D8a6MvJj/qBHSRTofOgV2t
mx2EFkfDVZNbKMZqp2sYYlfWwX9lvZAAo8uezO7sY0GT4soY7vMketcrfrrx0n5G
gYh6fGIY2Du5riNGRq6FkPQFye4VM91tKGcHgqzHQ5vv/E+nWS81xkKm31r2p48=
=AGjm
-----END PGP SIGNATURE-----

--------------enigF4094068FCC9B914EE4E520F--