[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeffrey Altman jaltman@secure-endpoints.com
Sun, 08 Jan 2012 11:50:54 -0500

Separate from your DES issues, there are two serious problems here.

1. You are creating an account with a logon name of "afs/pitt.edu"
instead of something like "afs-pitt-edu-cell" and then setting a Service
Principal Name of "afs/pitt.edu@PITT.EDU" on that account.

The slash in Kerberos is a name component separator.  When aklog
requests a ticket for "afs/pitt.edu@PITT.EDU" it is asking the PITT.EDU
KDC for the principal

  "afs" "pitt.edu"

Not the principal

  "afs/pitt.edu"

2. You cannot give the account the name "AFS" or have a short name of
"AFS".  Doing so will cause name resolution of "afs@PITT.EDU" to succeed
which will in turn break all of your deployed Windows AFS clients.
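To make point 1 concrete, here is an added example (mine, not code from the original message, from OpenAFS or from Microsoft) that splits a principal name the way a KDC does: '/' separates name components, '@' introduces the realm, and a backslash escapes the next character, following MIT krb5's krb5_parse_name() conventions. The check at the bottom encodes the two rules stated in the message as this example's own reading of them; it is not a model of how Active Directory actually maps sAMAccountName or SPN attributes to principals. The cell and realm names are the ones quoted in the thread.

```python
"""Kerberos principal name parsing, as an added example for the thread above.

Conventions (from MIT krb5's krb5_parse_name): '/' separates components,
'@' starts the realm, '\\' escapes the following character so that '\\/'
and '\\@' are literal; '\\n', '\\t', '\\b', '\\0' map to the usual bytes.
"""
from __future__ import annotations

from dataclasses import dataclass

_ESCAPES = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def _split_unescaped(text: str, sep: str, maxsplit: int = -1) -> list[str]:
    """Split on `sep` where it is not preceded by an escaping backslash.

    Escape sequences are left in the pieces so that _unescape() can be
    applied once per piece afterwards.
    """
    pieces: list[str] = []
    cur: list[str] = []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # keep the escaped pair intact
            cur.append(ch)
            cur.append(text[i + 1])
            i += 2
            continue
        if ch == sep and maxsplit != 0:
            pieces.append("".join(cur))
            cur = []
            if maxsplit > 0:
                maxsplit -= 1
            i += 1
            continue
        cur.append(ch)
        i += 1
    pieces.append("".join(cur))
    return pieces


def _unescape(piece: str) -> str:
    out: list[str] = []
    i = 0
    while i < len(piece):
        if piece[i] == "\\" and i + 1 < len(piece):
            out.append(_ESCAPES.get(piece[i + 1], piece[i + 1]))
            i += 2
        else:
            out.append(piece[i])
            i += 1
    return "".join(out)


@dataclass(frozen=True)
class Principal:
    components: tuple[str, ...]
    realm: str

    def unparse(self) -> str:
        """Render the name so that a KDC parses it back to the same parts."""
        def esc(s: str) -> str:
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        return "/".join(esc(c) for c in self.components) + "@" + esc(self.realm)


def parse_principal(text: str, default_realm: str) -> Principal:
    """Parse 'comp1/comp2@REALM'; an absent realm takes `default_realm`."""
    if not text:
        raise ValueError("empty principal name")
    name, *rest = _split_unescaped(text, "@", maxsplit=1)
    if rest:
        raw_realm = rest[0]
        # A second unescaped '@' or any unescaped '/' inside the realm is malformed.
        if len(_split_unescaped(raw_realm, "@")) > 1 or len(_split_unescaped(raw_realm, "/")) > 1:
            raise ValueError("unescaped '/' or '@' in realm: " + text)
        realm = _unescape(raw_realm)
    else:
        realm = default_realm
    components = tuple(_unescape(c) for c in _split_unescaped(name, "/"))
    return Principal(components, realm)


def afs_service_principal(cell: str, realm: str) -> str:
    """The name aklog asks for: two components, 'afs' and the cell name."""
    return Principal(("afs", cell), realm).unparse()


def check_afs_service_account(logon_name: str, realm: str) -> list[str]:
    """Flag the two naming mistakes from the message (this example's reading
    of those rules, not a model of AD's real name mapping)."""
    problems: list[str] = []
    seen = parse_principal(logon_name, realm)
    if seen.components != (logon_name,) or seen.realm != realm:
        problems.append(
            f"logon name {logon_name!r} contains an unescaped separator; a KDC "
            f"parses it as components {list(seen.components)} in realm {seen.realm!r}"
        )
    if logon_name.lower() == "afs":
        problems.append(
            f"logon name {logon_name!r} would make "
            f"{Principal(('afs',), realm).unparse()} resolve, which the message "
            "says breaks deployed Windows AFS clients"
        )
    return problems


if __name__ == "__main__":
    for name in ("afs/pitt.edu", "AFS", "afs-pitt-edu-cell"):
        print(name, "->", check_afs_service_account(name, "PITT.EDU") or "ok")
    print("expected SPN:", afs_service_principal("pitt.edu", "PITT.EDU"))
```

Running the block prints a problem for "afs/pitt.edu" (it parses as two components, "afs" and "pitt.edu") and for "AFS", and "ok" for a name such as "afs-pitt-edu-cell"; a single-component name that really contains a slash would have to be written "afs\/pitt.edu@PITT.EDU", which is not what aklog requests.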
