[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions
Thu, 5 Jan 2012 12:02:31 -0500
On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White <email@example.com> wrote:
> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ
> afs/adtest.dementia.org@AD.DEMENTIA.ORG -mapuser afs -pass * -crypto
> DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
> Why didn't he use the logon name afs-adtest in that ktpass command?
I don't have that presentation in front of me, but that may have just
been a mistake.
> Where did 'afs/adtest.dementia.org@AD.DEMENTIA.ORG' come from,
> particularly the 'afs/adtest.dementia.org' part? His logon name is
> not afs and what is adtest?
I don't know the internal AD details etc, but conceptually that commands
maps the principal name afs/adtest.dementia.org@AD.DEMENTIA.ORG to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/<cell_name>@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.
> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt.edu@PITT.EDU
> Kerberos error code returned by get_cred : -1765328164
> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets
Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?