[OpenAFS] Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Owen Le Blanc
I found a page of instructions at wiki.openafs.org/WindowsK5AfsServicePrincipal which is to create a keytab for the user afs/cell@REALM. It seems to me that on current AFS cells, i.e., updated after the recent security patch, there are a number of changes that need to be made to this page (which i

[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Andrew Deason
On Thu, 26 Sep 2013 09:54:56 +0100 Owen Le Blanc wrote: > Can the user now be afs/cell/cellname@REALM? I'm not sure which parts of this you meant to be literal and which parts are the actual cell name. The principal name hasn't changed; it's always afs/@ > Do you still need to use DES encryptio

Re: [OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Arne Wiebalck
On Sep 26, 2013, at 5:02 PM, Andrew Deason wrote: > On Thu, 26 Sep 2013 09:54:56 +0100 > Owen Le Blanc wrote: > >> Can the user now be afs/cell/cellname@REALM? > > I'm not sure which parts of this you meant to be literal and which parts > are the actual cell name. The principal name hasn't c

[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Andrew Deason
On Thu, 26 Sep 2013 15:28:16 + Arne Wiebalck wrote: > > For Windows 2003 I believe it should be RC4-HMAC-NT, yes. But for > > newer versions, you need an AES (this starts with 2008 or 2008 R2). > > But there > > Does that mean access to updated AFS servers would fail if AD handed out > ArcFo

Re: [OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Jeffrey Altman
On 9/26/2013 11:28 AM, Arne Wiebalck wrote: > > On Sep 26, 2013, at 5:02 PM, Andrew Deason > > wrote: > >> On Thu, 26 Sep 2013 09:54:56 +0100 >> Owen Le Blanc mailto:lebl...@mcc.ac.uk>> wrote: >> >>> Can the user now be afs/cell/cellname@REALM? >> >> I'm not sure

RE: [OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Arne Wiebalck
Thanks Andrew and Jeffrey. So, from what I understand from your answers is that as long the AFS server has a rxkad.keytab that contains the enc type the KDC issues, things should be OK afs-wise. To answer Andrew's questions: the test realm is a clone of our production one, so it can issue service

[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Andrew Deason
On Thu, 26 Sep 2013 16:38:42 + Arne Wiebalck wrote: > To answer Andrew's questions: the test realm is a clone of our > production one, so it can issue service tickets for > afs/testcell@testrealm. With the corresponding changes to krb5.conf, > CellservDB and the like aklog will get you a ses

[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Andrew Deason
On Thu, 26 Sep 2013 16:38:42 + Arne Wiebalck wrote: > Thanks Andrew and Jeffrey. > > So, from what I understand from your answers is that as long the > AFS server has a rxkad.keytab that contains the enc type the > KDC issues, things should be OK afs-wise. I just realized I didn't confirm t

Re: [OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Arne Wiebalck
Do you happen to know what controls which enc type AD will pick when issuing an AFS service ticket? Cheers, Arne Andrew Deason schrieb: On Thu, 26 Sep 2013 16:38:42 + Arne Wiebalck wrote: > Thanks Andrew and Jeffrey. > > So, from what I understand from your answers is that as long th

[OpenAFS] Re: Creating service principal and keytab from active directory for afs/cell

2013-09-26 Thread Andrew Deason
On Thu, 26 Sep 2013 17:21:47 + Arne Wiebalck wrote: > Do you happen to know what controls which enc type AD will pick when > issuing an AFS service ticket? I don't know if this is an exhaustive list, but at least these things impact it: - The userAccountControl and msDS-SupportedEncryption

Re: [OpenAFS] Re: Moving Magic Trio to another domain

2013-09-26 Thread Kim
Haven't followed the entire discussion, but I would use "vos dump | vos restore" to copy the data if this hasn't already been ruled out. Keeps ACLs/mountpoints/data ... Kim On Tue Sep 24 15:07:44 CDT 2013, Andrew Deason wrote: > On Tue, 24 Sep 2013 22:50:47 +0300 (EEST) > "Jukka Tuominen"

[OpenAFS] Re: Ubik: Synchronize database with server 0.0.0.0 failed (error = 10029)

2013-09-26 Thread John Burns
On Tue, 24 Sep 2013 13:38:23 -0500 Andrew Deason adea...@sinenomine.net wrote: >> I have a very simple setup, with one server afsserver1.local at >> 192.168.0.2, and I'm running stock Debian 1.6.5-1 amd64 openafs >> servers. > Well, something seems to think you have more than one server, and it >

Re: [OpenAFS] Re: Moving Magic Trio to another domain

2013-09-26 Thread Jukka Tuominen
I'm currently trying to figure out the ldap part. With help, I got access to the afs content without moving it. Users are reintroduced to krb, both afs and ldap preserved their user data. I exported ldap data into a text file and replaced old domains with new ones. Then I imported it back. The