Eric Chris Garrison wrote:

Douglas E. Engert wrote:
And after you reset the desonly bit in AD, did you use ktpass with
-pass somepassword -out keytabfile
or did you use the -rndPass option?

The ADS admin says "We always use the rndPass option for generating the
keytabs. Yes, I set des option before generating the keytabs."

Does this make a difference?

No, it should not.

What is the exact ktpass command your admin is running to update AD
and generate the keytab for you?

If you use ADSI Edit to look at the account, do you see the
msDS-KeyVersionNumber matching the kvno?


And you put the new key in the /usr/afs/etc/KeyFile on all the servers
with the correct kvno? Not sure, but you may have to restart the servers
too.

Yep, using asetkey.  We restart the servers every time to be sure as well.

If you have a number of DC in your domain, there might be a propagation
delay as the DCs are updated.

There was also an issue with some older ktpass command, do you have the
latest one? See Jeff's post:

http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=2882

Also if you are using W2008 and 64bit:
http://support.microsoft.com/kb/960830

And you did a fresh kinit?

Yes.

Jeffrey Altman wrote:
des-cbc-md5 is fine.  After you set the DES-only bit you need to
generate and assign a new password for the account and re-export the keytab
with a new kvno, which then needs to be imported into the AFS KeyFile.

Yeah, they generated a new keytab with a new kvno and we used asetkey to
import it into the KeyFile.

Anything else that we might be missing?  I keep thinking it must be
something simple.

Chris
--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgar...@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgar...@iupui.edu

--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
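The thread's checklist (new kvno in the exported keytab, same kvno and key bytes in /usr/afs/etc/KeyFile on every server) can be verified offline before another round of kinit tests. The script below is an added example, not code from the list or from OpenAFS: it parses the MIT v2 keytab layout and the OpenAFS KeyFile layout (big-endian nkeys followed by {kvno, 8-byte DES key} records), assumes the realm EXAMPLE.EDU, the principal afs/cell.example.edu and the key bytes as constructed sample data, and reports whether the newest des-cbc-md5 key in the keytab is present under the same kvno in the KeyFile.

```python
import struct
DES_CBC_MD5 = 3  # Kerberos enctype number for des-cbc-md5

def parse_keytab(data):  # MIT v2 keytab (0x0502) -> yields (principal, kvno, enctype, key)
    pos = 2                                # skip the 2-byte magic
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4; end = pos + size
        if size <= 0:                      # negative size marks a deleted slot
            pos -= size; continue
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        parts = []                         # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            parts.append(data[pos:pos + n].decode()); pos += n
        pos += 8                           # skip name type (4) and timestamp (4)
        kvno = data[pos]; pos += 1         # 8-bit kvno
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if pos + 4 <= end:                 # optional 32-bit kvno takes precedence
            kvno = struct.unpack(">I", data[pos:pos + 4])[0] or kvno
        yield "/".join(parts[1:]) + "@" + parts[0], kvno, enctype, key
        pos = end

def build_keytab(realm, comps, kvno, enctype, key):  # one-entry v2 keytab, for sample data
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # NT_PRINCIPAL, timestamp 0, vno8
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keyfile(data):  # OpenAFS KeyFile: int32 nkeys, then nkeys x {int32 kvno, 8-byte key}
    (n,) = struct.unpack(">i", data[:4])
    return {struct.unpack(">i", data[4+12*i:8+12*i])[0]: data[8+12*i:16+12*i] for i in range(n)}

def check_afs_key(keytab, keyfile, principal):
    """Is the newest des-cbc-md5 key for principal in the keytab present, with the same kvno, in the KeyFile?"""
    des = [(k, key) for p, k, e, key in parse_keytab(keytab) if p == principal and e == DES_CBC_MD5]
    if not des:
        return False, "no des-cbc-md5 key for %s in keytab" % principal
    kvno, key = max(des)                   # highest kvno is the one the KDC now issues tickets under
    have = parse_keyfile(keyfile)
    if have.get(kvno) != key:
        return False, "kvno %d missing or different in KeyFile (KeyFile kvnos: %s)" % (kvno, sorted(have))
    return True, "kvno %d matches" % kvno

KEY2, KEY3 = bytes(range(8)), bytes(range(8, 16))     # constructed sample keys, not real ones
KEYTAB = build_keytab("EXAMPLE.EDU", ["afs", "cell.example.edu"], 3, DES_CBC_MD5, KEY3)
OLD_KEYFILE = struct.pack(">ii8s", 1, 2, KEY2)             # KeyFile before asetkey: only kvno 2
NEW_KEYFILE = struct.pack(">ii8si8s", 2, 2, KEY2, 3, KEY3)  # KeyFile after asetkey added kvno 3
```

Run the check against a copy of the KeyFile from each server; a server whose copy still reports the old kvno is the one that missed the asetkey and restart.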
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
