[OpenAFS] Kerberos + Windows
Ken Hornstein
kenh@cmf.nrl.navy.mil
Wed, 24 Aug 2022 14:42:48 -0400
>I then created the service account srvAFS, and extracted a keytab on the
>Domain Controller using the following command:
So I'm not the expert on how AD works, so I can't speak for what happens
if you create a service account called _one_ thing and then have a
different principal name. Like, what name ends up in the service
ticket? But, moving on ...
># kvno adUser@AD.MYDOMAIN.COM
>kvno: Server not found in Kerberos database while getting credentials for adUser@AD.MYDOMAIN.COM
kvno is used when you already have a Kerberos ticket (with kinit) and you're
getting a service ticket for what you give on the command line. I think
what you want is "kinit adUser" and then "kvno afs/mydomain.com". Although
aklog should do the same thing.
It would be interesting to see what the output of "klist" is after you
do that kinit/kvno command sequence.
There is some magic that asetkey does in terms of key version numbering
for rxkad_krb5 but it escapes me now and I suspect that's not your real
problem. I am assuming you've distributed the KeyFile to _all_ of your
AFS servers.
--Ken
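The kinit / kvno / klist sequence suggested above, written up as a small diagnostic script. This is an added example, not part of the thread or of OpenAFS; it assumes MIT Kerberos client tools, that `asetkey list` prints "rxkad_krb5 kvno N enctype E; ..." lines in the shape of the constructed sample, and the hypothetical principal names from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): run the kinit -> kvno -> klist
# sequence and check that the AFS service ticket's kvno matches a key the
# fileserver has loaded. Assumes MIT Kerberos tools and the `asetkey list`
# line format shown in the constructed sample below (an assumption).

# Pull the key version number out of one line of `kvno` output, e.g.
#   afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 3
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# Exit 0 if the `asetkey list` output in $1 has an rxkad_krb5 key with
# key version $2; the server can only decrypt service tickets whose kvno
# it holds a key for, so a mismatch here means the keytab was not
# distributed (or was re-extracted with a new kvno).
keyfile_has_kvno() {
    printf '%s\n' "$1" |
        grep -Eq "^rxkad_krb5[[:space:]]+kvno[[:space:]]+$2([^0-9]|$)"
}

# Live run against a real realm, to be executed on an AFS server:
#   check_afs_ticket adUser afs/mydomain.com
check_afs_ticket() {
    user=$1; service=$2
    kinit "$user" || return 1
    out=$(kvno "$service") || return 1   # fails if the SPN is missing in AD
    klist -e                             # should now list $service and its enctype
    tkt=$(ticket_kvno "$out")
    keys=$(asetkey list) || return 1     # reads the local KeyFile/rxkad.keytab
    if keyfile_has_kvno "$keys" "$tkt"; then
        echo "ticket kvno $tkt matches a server key"
    else
        echo "ticket kvno $tkt has no matching server key; redistribute the keytab" >&2
        return 1
    fi
}

# Constructed sample output so the checks can be exercised offline.
SAMPLE_KVNO='afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 3'
SAMPLE_KEYS='rxkad_krb5 kvno    2 enctype 18; key is: <constructed>
rxkad_krb5 kvno    3 enctype 17; key is: <constructed>'

if [ "${1:-}" = "--live" ]; then
    check_afs_ticket "$2" "$3"
fi
```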