[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeff White jaw171@pitt.edu
Thu, 05 Jan 2012 11:31:01 -0500

I tried removing the afs account, adding it again, checking the DES box, 
resetting the password, exporting the keytab, removing the old keytab, 
and adding the new keytab.  I still can't aklog.

I'm a little confused about the syntax of ktpass to export the keytab from 
AD.  I'm using a presentation from Derrick Brashear but I don't 
understand his syntax:

1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with:
   ktpass -princ afs/adtest.dementia.org@AD.DEMENTIA.ORG -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab

Why didn't he use the logon name afs-adtest in that ktpass command?  
Where did 'afs/adtest.dementia.org@AD.DEMENTIA.ORG' come from, 
particularly the 'afs/adtest.dementia.org' part?  His logon name is not 
afs, and what is adtest?

I did this:

1. Created an AD domain called pitt.edu.
2. Created the GPO to allow DES and applied it to the Domain Controllers.
3. Created a user with a logon name of 'afs'.
4. Exported the keytab with:
   ktpass -princ afs/pitt.edu@PITT.EDU -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs.keytab
5. Imported the keytab with: asetkey add 4 /etc/afs.keytab

I still get an error but I'm not sure if I'm exporting/importing the 
keytab correctly.  I've tried a variety of principals but all fail to 
let me aklog.  What principal should be used?

$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD

On 01/05/2012 10:33 AM, Andrew Deason wrote:
> On Thu, 05 Jan 2012 10:07:09 -0500
> Jeff White <jaw171@pitt.edu> wrote:
>> I noticed there is a box which says 'Use Kerberos DES encryption types
>> for this account' in the settings of each account, do I need to set
>> that?
> Yes.
>> Just on the afs principal/user or on every user of AFS in the
>> realm?
> Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
> for that principal if you haven't already (though that doesn't have
> anything to do with the current error). That is, turn this on:
> <http://support.microsoft.com/kb/832572>.
>> Do I need to do the export and asetkey again after the changes I made?
> Not sure on this one. I would guess "no", but I've never done this in
> that order.
>> Also, is there a way to have all our users in AD without enabling DES?
>> I recall hearing that it was possible by having an MIT Kerberos box to
>> hold the AFS principal alone with DES enabled but have all the user
>> principals in AD without DES.
> You can do this, but either way the afs/pitt.edu princ is the only one
> that has DES enabled. But yeah, if you just want to be able to turn off
> the "enable DES" checkbox in AD to be able to show someone that you're
> mostly not running with DES, that's an option.