Hello,
here is my problem: I have a nicely functional AFS server, cell name afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a second authentication realm, a Kerberos 5, named KDC.DANTOLOV.UITS.INDIANA.EDU. All of this is under RHEL 5.

On the KDC machine, I made the service principal and placed its key in a keytab. All of that apparently worked OK:

    kadmin: add_principal -e des-cbc-md5:normal -kvno 8 afs/afs1.bedrock.iu....@kdc.dantolov.uits.indiana.edu
    kadmin: ktadd -e des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu....@kdc.dantolov.uits.indiana.edu

I transferred the keytab to the AFS server, and it looks fine:

    [root@afs1c afs]# klist -e -k afs1_dantolov.uits.indiana.edu_kdc.keytab
    Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
    KVNO Principal
    ---- --------------------------------------------------------------------------
       9 afs/afs1.bedrock.iu....@kdc.dantolov.uits.indiana.edu (DES cbc mode with RSA-MD5)

However, the asetkey fails to get the key out of the keytab and into the /usr/afs/etc/KeyFile:

    [root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
    asetkey: unknown RPC error (-1765328203) while extracting AFS service key

The translation of the error code is not very helpful:

    [root@afs1c afs]# translate_et -1765328203
    -1765328203 (krb5).181 = unknown RPC error (-1765328203)

I have the right file /usr/afs/etc/krb.conf on the AFS server:

    [root@afs1c afs]# cat /usr/afs/etc/krb.conf
    ADS.IU.EDU KDC.DANTOLOV.UITS.INDIANA.EDU

This problem has been discussed in OpenAFS forums in 2010, in an AD setting, apparently inconclusively. Would anyone be able to shed any new light?

Thank you very much,

Danko Antolovic
Principal Scientist, Research Technologies, Indiana University
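
The "(krb5).181" in the translate_et output above is the com_err decomposition of the numeric code into an error-table name and an offset within that table. The following is an added example, not part of the original message and not OpenAFS code, that reproduces the decomposition; the symbolic name it attaches to offset 181 is taken from MIT Kerberos' krb5 error table, and the function names are hypothetical.

```python
# Added example: split a com_err error code into (table name, offset),
# following the packing used by the com_err library's error_table_name().
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8   # low 8 bits hold the offset inside the table
BITS_PER_CHAR = 6   # table name is packed 6 bits per character, up to 4 chars

# Assumption: symbolic name from MIT Kerberos' krb5 error table (krb5_err.et).
KNOWN_NAMES = {("krb5", 181): "KRB5_KT_NOTFOUND: Key table entry not found"}


def table_name(code):
    """Recover the error-table name packed into the upper 24 bits."""
    num = ((code & 0xFFFFFFFF) >> ERRCODE_RANGE) & 0o77777777
    chars = []
    for i in range(3, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & 0x3F
        if ch:                      # zero means "no character in this slot"
            chars.append(CHARSET[ch - 1])
    return "".join(chars)


def decode(code):
    """Return table name, offset, signed table base and known meaning."""
    unsigned = code & 0xFFFFFFFF    # codes are signed 32-bit values
    offset = unsigned & 0xFF
    base = unsigned - offset
    if base >= 2**31:               # convert the base back to signed form
        base -= 2**32
    name = table_name(code)
    meaning = KNOWN_NAMES.get((name, offset), "not in this example's table")
    return {"table": name, "offset": offset, "base": base, "meaning": meaning}


if __name__ == "__main__":
    info = decode(-1765328203)      # the code asetkey reported above
    print("({table}).{offset}  base={base}  {meaning}".format(**info))
```

KRB5_KT_NOTFOUND is the code the Kerberos library returns when a keytab lookup finds no entry matching what was requested.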