[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Andrew Deason adeason@sinenomine.net
Thu, 5 Jan 2012 12:02:31 -0500

On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White <jaw171@pitt.edu> wrote:

> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ 
> afs/adtest.dementia.org@AD.DEMENTIA.ORG -mapuser afs -pass * -crypto 
> DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab 
> afs/adtest.dementia.org@AD.DEMENTIA.ORG
> Why didn't he use the logon name afs-adtest in that ktpass command?  

I don't have that presentation in front of me, but that may have just
been a mistake.

> Where did 'afs/adtest.dementia.org@AD.DEMENTIA.ORG' come from,
> particularly the 'afs/adtest.dementia.org' part?  His logon name is
> not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that commands
maps the principal name afs/adtest.dementia.org@AD.DEMENTIA.ORG to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/<cell_name>@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.

> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt.edu@PITT.EDU
> Kerberos error code returned by get_cred : -1765328164
> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?

Andrew Deason