[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Douglas E. Engert deengert@anl.gov
Thu, 05 Jan 2012 11:09:25 -0600


On 1/5/2012 10:31 AM, Jeff White wrote:
> I tried removing the afs account, adding it again, checking the DES box, resetting the password, exporting the keytab, removing the old keytab, and adding the new keytab. I still can't aklog.
>
> I'm a little confused on the syntax of ktpass to export the keytab from AD. I'm using a presentation from Derrick Brashear but I don't understand his syntax:
>
> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ afs/adtest.dementia.org@AD.DEMENTIA.ORG -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab afs/adtest.dementia.org@AD.DEMENTIA.ORG
>
> Why didn't he use the logon name afs-adtest in that ktpass command? Where did 'afs/adtest.dementia.org@AD.DEMENTIA.ORG' come from, particularly the 'afs/adtest.dementia.org' part? His logon name is
> not afs and what is adtest?
>
> I did this:
>
> 1. Created an AD domain called pitt.edu.
> 2. Created the GPO to allow DES and applied it to the Domain Controllers.
> 3. Created a user with a logon name of 'afs'.
> 4. Exported the keytab with: ktpass -princ afs/pitt.edu@PITT.EDU -mapuser afs -pass * -crypto DES-CBC-MD5 -out afs.keytab
> 5. Imported the keytab with: asetkey add 4 /etc/afs.keytab afs/pitt.edu@PITT.EDU
>
> I still get an error but I'm not sure if I'm exporting/importing the keytab correctly. I've tried a variety of principals but all fail to let me aklog. What principal should be used?
>
> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt.edu@PITT.EDU
> Kerberos error code returned by get_cred : -1765328164

#define KRB5_REALM_CANT_RESOLVE                  (-1765328164L)

Do you have a krb5.conf file, and have you added the PITT.EDU realm
and its KDC= entries?

Before doing the aklog, try doing
kinit someuser@PITT.EDU
klist



> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets
>
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
>
> On 01/05/2012 10:33 AM, Andrew Deason wrote:
>> On Thu, 05 Jan 2012 10:07:09 -0500
>> Jeff White<jaw171@pitt.edu> wrote:
>>
>>> I noticed there is a box which says 'Use Kerberos DES encryption types
>>> for this account' in the settings of each account, do I need to set
>>> that?
>> Yes.
>>
>>> Just on the afs principal/user or on every user of AFS in the
>>> realm?
>> Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
>> for that principal if you haven't already (though that doesn't have
>> anything to do with the current error). That is, turn this on:
>> <http://support.microsoft.com/kb/832572>.
>>
>>> Do I need to do the export and asetkey again after the changes I made?
>> Not sure on this one. I would guess "no", but I've never done this in
>> that order.
>>
>>> Also, is there a way to have all our users in AD without enabling DES?
>>> I recall hearing that it was possible by having an MIT Kerberos box to
>>> hold the AFS principal alone with DES enabled but have all the user
>>> principals in AD without DES.
>> You can do this, but either way the afs/pitt.edu princ is the only one
>> that has DES enabled. But yeah, if you just want to be able to turn off
>> the "enable DES" checkbox in AD to be able to show someone that you're
>> mostly not running with DES, that's an option.
>>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
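The check Doug is pointing at (does the client's krb5.conf actually know where the KDCs for PITT.EDU are) can be scripted. The following is an added example, not code from the thread, from OpenAFS or from MIT Kerberos: it parses a krb5.conf-style file, reports whether a realm can be located (explicit kdc entries, or DNS SRV lookup left enabled), and decodes a com_err code such as the -1765328164 in the aklog output into its table offset. The two config texts and the dc1/dc2 hostnames are constructed; the krb5 error-table base -1765328384 is the standard MIT com_err base for libkrb5 and is not quoted on the page.

```python
"""Diagnose a KRB5_REALM_CANT_RESOLVE failure from krb5.conf (added example)."""
import re

KRB5_ERROR_TABLE_BASE = -1765328384      # base of MIT's "krb5" com_err table (assumed, not from the thread)
KRB5_REALM_CANT_RESOLVE = -1765328164    # the code shown in the aklog -d output
KNOWN_KRB5_ERRORS = {KRB5_REALM_CANT_RESOLVE: 'KRB5_REALM_CANT_RESOLVE'}

# Constructed krb5.conf texts: the first lacks any PITT.EDU stanza and has DNS
# lookup disabled, which is exactly the state that yields -1765328164.
PITT_BROKEN = """
[libdefaults]
    default_realm = PITT.EDU
    dns_lookup_kdc = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

PITT_FIXED = """
[libdefaults]
    default_realm = PITT.EDU
    dns_lookup_kdc = false

[realms]
    PITT.EDU = {
        kdc = dc1.ad.pitt.example
        kdc = dc2.ad.pitt.example
        admin_server = dc1.ad.pitt.example
    }

[domain_realm]
    .pitt.edu = PITT.EDU
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: value | [values] | {...}}}.
    Handles the one level of 'NAME = { ... }' nesting used by [realms] and
    repeated keys (several kdc lines become a list). Whole-line comments only."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                   # new section resets nesting
            stack = [conf.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError('key outside of a section: %r' % raw)
        if line == '}':
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)  # must be tested before key=value
        if m:
            sub = {}
            stack[-1][m.group(1)] = sub
            stack.append(sub)
            continue
        m = re.match(r'^(\S+)\s*=\s*(.+)$', line)
        if not m:
            raise ValueError('unparsable line: %r' % raw)
        key, value = m.group(1), m.group(2).strip()
        cur = stack[-1]
        if key in cur:                          # repeated key -> list of values
            cur[key] = (cur[key] if isinstance(cur[key], list) else [cur[key]]) + [value]
        else:
            cur[key] = value
    return conf


def realm_kdcs(conf, realm):
    """KDCs configured for realm, or [] when the [realms] stanza is missing."""
    entry = conf.get('realms', {}).get(realm)
    if not isinstance(entry, dict):
        return []
    kdcs = entry.get('kdc', [])
    return kdcs if isinstance(kdcs, list) else [kdcs]


def will_resolve_realm(conf, realm):
    """True if libkrb5 has some way to find a KDC: explicit kdc lines, or
    dns_lookup_kdc not disabled (MIT defaults it to true) so SRV records are tried."""
    if realm_kdcs(conf, realm):
        return True
    dns = str(conf.get('libdefaults', {}).get('dns_lookup_kdc', 'true')).lower()
    return dns in ('true', 'yes', '1')


def afs_service_principal(cell, realm=None):
    """Principal aklog asks for: afs/<cell>@<REALM>, realm defaulting to the upper-cased cell."""
    return 'afs/%s@%s' % (cell, realm or cell.upper())


def explain_krb5_error(code):
    """Split a com_err code into table base + 8-bit offset and name it if known."""
    offset = code - KRB5_ERROR_TABLE_BASE
    if not 0 <= offset < 256:
        return 'code %d is not from the krb5 com_err table' % code
    name = KNOWN_KRB5_ERRORS.get(code, 'unlisted krb5 error')
    return '%s (offset %d in the krb5 com_err table)' % (name, offset)


if __name__ == '__main__':
    for label, text in (('broken', PITT_BROKEN), ('fixed', PITT_FIXED)):
        conf = parse_krb5_conf(text)
        print(label, afs_service_principal('pitt.edu'), realm_kdcs(conf, 'PITT.EDU'),
              'resolvable' if will_resolve_realm(conf, 'PITT.EDU') else 'CANNOT RESOLVE')
    print(explain_krb5_error(KRB5_REALM_CANT_RESOLVE))
```

Running it against the real /etc/krb5.conf instead of the constructed texts is a one-line change; the point is that aklog fails with this code before any DES or keytab question arises, so the kinit/klist test Doug suggests is the right first step.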