[OpenAFS] Samba4 KDC afs service principal?

Gémes Géza geza@kzsdabas.hu
Sat, 15 Oct 2011 09:36:45 +0200

2011-10-15 07:50 keltezéssel, Jeffrey Altman írta:
> On 10/14/2011 6:29 PM, Gémes Géza wrote:
>> Hi,
>> In testing for our organizations migration from an
>> OpenLDAP/Heimdal/Samba3 based authentication infrastructure to a Samba4
>> one, I've set up a domain. Created a user principal called afs (with
>> enctypes: des-cbc-crc and des-cbc-md5) and set up an SPN for it:
>> afs/cell@REALM (initially was trying with afs@REALM, but from the KDC
>> logs saw that client requested afs/cell@REALM so changed it). Exported
>> it to a keytab which was successfully built with asetkey into a KeyFile.
>> But when I try to do an aklog with a keytab as Administrator@REALM, it
>> gives:
>> aklog: Couldn't get "cell" AFS tickets:
>> aklog: unknown RPC error (-1765328324) while getting AFS tickets
>> In theory Samba4 (the KDC part being Heimdal) should obey to the setting
>> allow_weak_crypto=true from the [kdc] section of krb5.conf. (That
>> assumption I'm going to check with the samba-technical mailing list).
> -1765328324 =  Generic error (see e-text)
> You need to look at the error text returned in the Kerberos response
> from the KDC to determine what the actual error is.  Or look in the KDC
> logs.
> Jeffrey Altman
Thank you!

Found out that at the origin of the problem were:
1. wrong spn (Thanks to Andrew Bartlett for discovering it): it should
have been: afs/cell
2. allow_wek_crypto = true should have been in the [libdefaults] section
of krb5.conf

In the meantime I've discovered an other annoyance: if the username I
add as superuser begins with a capital letter, as in Administrator I
won't be able to do privileged fs operations because he couldn't get
tokens (kerberos part goes fine, even aklog is running without errors,
but checking with tokens reveals, that there are simply none). I could
initialize the cell only by using administrator from the beginning
instead of Administrator.