[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES
Tue, 10 Jan 2012 18:25:41 -0500
Would you dump that into the bug tracker or the wiki for future
reference? Updating the docs would be ideal ;)
On 01/10/2012 11:39 AM, Jeff White wrote:
> I decided to scrap my Windows box and start over again. I was able to
> get it work this time but I don't know what was different that made it
> work. I am able to get a ticket as the AFS principal and things seem
> to be working, at least until I run into the next problem. For those
> who care these are my notes from the one that worked:
> 10. On the Windows Active Directory server, enable DES encryption
>     types for Kerberos
>     1. Create a GPO called 'Allow_DES'
>     2. Configure the following entry to allow all encryption types
>        1. Computer Configuration -> Policies -> Windows Settings
>           -> Local Policies -> Security Options -> Network
>           security: Configure encryption types allowed for
>     3. Link the 'Allow_DES' GPO to the 'Domain Controllers' OU.
>     4. Reboot.
> 11. Create a user in AD called 'afs-pitt-edu-cell'.
> 12. In the settings for the AFS user check 'Use Kerberos DES
>     encryption types for this account' then change the password.
> 13. Export the keytab for it. Note the KVNO.
>     1. ktpass -princ afs/pitt.edu@PITT.EDU -mapuser
>        afs-pitt-edu-cell -pass * -crypto DES-CBC-CRC +rndpass
>        /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out
> 14. Copy the keytab to afs-dev-03.cssd as
>     /etc/afs-pitt-edu-cell.keytab and make it root readable
>     1. chmod 600 /etc/afs.keytab
> 15. Using the KVNO from earlier add the keytab to AFS
>     1. asetkey add 4 /etc/afs.keytab afs/pitt.edu@PITT.EDU
> Thanks to everyone for their help.
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
> On 01/10/2012 10:02 AM, Andrew Deason wrote:
>> On Mon, 09 Jan 2012 17:13:57 -0500
>> Jeff White <email@example.com> wrote:
>>> Other possibly useful pieces of information:
>>> sAMAccountName: afs
>>> userPrincipalName: afs/pitt.edu@PITT.EDU
>> Just one more possible guess: are you sure you're talking to the
>> right kdc? I would expect the windows event log will log something when
>> a failure occurs when you do things like:
>>>> [root@afs-dev-03 ~]# kinit afs/pitt.edu@PITT.EDU
>>>> kinit: Client not found in Kerberos database while getting initial
>> And maybe the log event would give more useful information. I don't
>> really expect it to, but you never know. A more accurate test may be to
>> try 'kinit -k -t afs.keytab afs/pitt.edu@PITT.EDU' or
>> 'kvno afs/pitt.edu@PITT.EDU' (after you've "kinit"d with a normal
>> princ), but of course the error you've already given is an issue.