Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-12 Thread Douglas E. Engert
The KB article you found: http://support.microsoft.com/kb/919557 Sounds like what Jeff was talking about as part of Vista. I guess it is available separately. The Ktpass tool uses the host name part of the servicePrincipalName attribute instead of the samAccountName attribute that the Key

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-12 Thread Jeffrey Altman
John W. Sopko Jr. wrote: I found this and am going to try to get the hotfix for ktpassword: http://support.microsoft.com/kb/919557 Good. You found the Windows 2003 SP1 ktpass version that works. I don't know why Microsoft makes it so hard to find this. I searched for it and came up empty.

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-12 Thread John W. Sopko Jr.
red face, red face, red face...my bad, my bad, my bad Homer says do! ps -ef|grep fileserver root 4579 4574 0 10:55 ? 00:00:00 /usr/afs/bin/fileserver -L -realm CSX.UNC.EDU Need I say more. It works! That is when I change to -realm MSE.UNCCS.TEST I used bos

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-12 Thread Jeffrey Altman
John W. Sopko Jr. wrote: red face, red face, red face...my bad, my bad, my bad Homer says do! ps -ef|grep fileserver root 4579 4574 0 10:55 ? 00:00:00 /usr/afs/bin/fileserver -L -realm CSX.UNC.EDU Need I say more. That would certainly be the cause of much pain.
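The causes this thread works through for rxkad error 19270407 (a fileserver started with the wrong -realm while krb.conf says something else, a KeyFile whose kvno does not match the kvno the KDC issues, and a service ticket whose enctype is not single DES) can be checked mechanically before restarting anything. The script below is an added example, not code from the thread or from OpenAFS. The command outputs embedded in it are constructed samples in the formats of klist -e, kvno, ps and bos listkeys (the "key N has cksum" line format of bos listkeys is an assumption), and the check functions are hypothetical helpers written for this example.

```python
"""Pre-flight checks for the rxkad 'bad ticket' (19270407) causes discussed in
the thread.  All captured outputs below are CONSTRUCTED samples, not real
captures; the helper functions are hypothetical, written for this example."""
import re

# Constructed sample: contents of /usr/afs/etc/krb.conf (AFS auth realm)
KRB_CONF = "MSE.UNCCS.TEST\n"

# Constructed sample: the fileserver line of `ps -ef | grep fileserver`,
# with a stale -realm argument left over from an older cell
PS_LINE = ("root  4579  4574  0 10:55 ?  00:00:00 "
           "/usr/afs/bin/fileserver -L -realm CSX.UNC.EDU")

# Constructed sample: `kvno afs/cs.unc.edu@MSE.UNCCS.TEST`
KVNO_OUT = "afs/cs.unc.edu@MSE.UNCCS.TEST: kvno = 3"

# Constructed sample: `bos listkeys <server> -localauth`
# (assumed format: one 'key N has cksum ...' line per KeyFile entry)
BOS_LISTKEYS = """key 2 has cksum 2651895010
Keys last changed on Wed Jan 10 09:12:44 2007.
All done.
"""

# Constructed sample: `klist -e` showing the TGT and the afs service ticket
KLIST_E = """Ticket cache: FILE:/tmp/krb5cc_3903
Default principal: sopko@MSE.UNCCS.TEST

Valid starting     Expires            Service principal
01/10/07 09:46:13  01/10/07 19:46:16  krbtgt/MSE.UNCCS.TEST@MSE.UNCCS.TEST
\trenew until 01/17/07 09:46:13, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/10/07 09:46:20  01/10/07 19:46:16  afs/cs.unc.edu@MSE.UNCCS.TEST
\trenew until 01/17/07 09:46:13, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""


def krb_conf_realm(text):
    """First token of the first non-empty krb.conf line is the AFS auth realm."""
    for line in text.splitlines():
        if line.strip():
            return line.split()[0]
    return None


def fileserver_realm(ps_line):
    """Realm the running fileserver was started with, or None if not given."""
    m = re.search(r"\s-realm\s+(\S+)", ps_line)
    return m.group(1) if m else None


def kdc_kvno(kvno_out):
    """kvno the KDC currently puts into afs/ service tickets."""
    m = re.search(r":\s*kvno\s*=\s*(\d+)", kvno_out)
    return int(m.group(1)) if m else None


def keyfile_kvnos(listkeys_out):
    """All kvnos present in the AFS KeyFile according to bos listkeys."""
    return sorted(int(n) for n in re.findall(r"^key\s+(\d+)\s+has", listkeys_out, re.M))


def service_ticket_etypes(klist_out, service_prefix="afs/"):
    """(session-key enctype, ticket enctype) for the first afs/ ticket in the cache."""
    lines = klist_out.splitlines()
    for i, line in enumerate(lines):
        fields = line.split()
        if fields and fields[-1].startswith(service_prefix) and i + 1 < len(lines):
            m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$", lines[i + 1])
            if m:
                return m.group(1).strip(), m.group(2).strip()
    return None


def is_des(etype):
    """rxkad needs single DES; des-cbc-crc and des-cbc-md5 both qualify."""
    return etype is not None and etype.lower().startswith("des cbc")


def check(krb_conf, ps_line, kvno_out, listkeys_out, klist_out):
    """Return a list of human-readable problems; an empty list means all checks passed."""
    problems = []
    conf_realm = krb_conf_realm(krb_conf)
    fs_realm = fileserver_realm(ps_line)
    if conf_realm and conf_realm != conf_realm.upper():
        problems.append(f"krb.conf realm {conf_realm!r} is not upper-case")
    if conf_realm and fs_realm and fs_realm.upper() != conf_realm.upper():
        problems.append(f"realm mismatch: fileserver -realm {fs_realm} vs krb.conf {conf_realm}")
    kv = kdc_kvno(kvno_out)
    kf = keyfile_kvnos(listkeys_out)
    if kv is not None and kv not in kf:
        problems.append(f"kvno mismatch: KDC issues kvno {kv}, KeyFile holds {kf}")
    etypes = service_ticket_etypes(klist_out)
    if etypes is None:
        problems.append("no afs/ service ticket found in the credential cache")
    else:
        for label, et in zip(("session key", "ticket"), etypes):
            if not is_des(et):
                problems.append(f"{label} enctype is {et!r}; rxkad needs single DES")
    return problems


if __name__ == "__main__":
    for p in check(KRB_CONF, PS_LINE, KVNO_OUT, BOS_LISTKEYS, KLIST_E) or ["all checks passed"]:
        print(p)
```

With the constructed inputs the script reports the realm mismatch and the kvno mismatch and is silent about the enctype, since DES cbc mode with RSA-MD5 is des-cbc-md5, which shares its key with des-cbc-crc and is accepted by OpenAFS 1.4.x. It deliberately does not try to reproduce the salt problem: whether the KDC salted the password with the UPN, the sAMAccountName or the principal name is not visible from any of these outputs and has to be settled on the KDC side.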

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread John W. Sopko Jr.
I tried and it did not work, am I missing something? My linux server is a test server, I can do anything on it: Verify kvno of service principal: [EMAIL PROTECTED] /]$ kvno afs/[EMAIL PROTECTED] afs/[EMAIL PROTECTED]: kvno = 2 I have admin rights on the AD, it also is a test server. I loaded

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread Douglas E. Engert
John W. Sopko Jr. wrote: I tried and it did not work, am I missing something? My linux server is a test server, I can do anything on it: Verify kvno of service principal: [EMAIL PROTECTED] /]$ kvno afs/[EMAIL PROTECTED] afs/[EMAIL PROTECTED]: kvno = 2 I have admin rights on the AD, it also

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread John W. Sopko Jr.
Douglas E. Engert wrote: John W. Sopko Jr. wrote: I tried and it did not work, am I missing something? My linux server is a test server, I can do anything on it: Verify kvno of service principal: [EMAIL PROTECTED] /]$ kvno afs/[EMAIL PROTECTED] afs/[EMAIL PROTECTED]: kvno = 2 I have

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread John W. Sopko Jr.
Douglas E. Engert wrote: Not sure what's wrong. Your system is saying the salt is the sAMAccountName. My W2K3 system says it is the UserPrincipalName (UPN). But then again we have not changed the password since we went from W2K to W2K3. Since all the other methods (ktpass and asetkey) are

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread Derrick J Brashear
On Wed, 10 Jan 2007, Jeffrey Altman wrote: Look back in this thread for e-mails from Doug describing how to check the salt and from Marcus on how to test that your key is valid. These should end up in the Wiki. Anyone bored?

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-11 Thread John W. Sopko Jr.
If I get Windows authentication working I will document it. I want to do more research The beginning of the semester started yesterday and I am getting busy. Derrick J Brashear wrote: On Wed, 10 Jan 2007, Jeffrey Altman wrote: Look back in this thread for e-mails from Doug describing how

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
Getting close, I can feel it: Verify Windows service account: --- C:\temp> setspn -L afs Registered ServicePrincipalNames for CN=afs service principal,CN=Users,DC=mse,DC=unccs,DC=test: afs/cs.unc.edu Change the Windows afs domain user password to a known password,

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
cs.unc.edu != mse.unccs.test Do you have the Kerberos realm specified in the afs/etc/krb.conf file? John W. Sopko Jr. wrote: Getting close, I can feel it: Verify Windows service account: --- C:\temp> setspn -L afs Registered ServicePrincipalNames for CN=afs

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
Yes: eagle/root [/usr/afs/etc] # cat /usr/afs/etc/krb.conf MSE.UNCCS.TEST I tried making it lower case, restarting afs and that did not work either. Jeffrey Altman wrote: cs.unc.edu != mse.unccs.test Do you have the Kerberos realm specified in the afs/etc/krb.conf file? John W.

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
It is the realm name which is upper-case. What does klist -e show for the ticket enc-types? John W. Sopko Jr. wrote: Yes: eagle/root [/usr/afs/etc] # cat /usr/afs/etc/krb.conf MSE.UNCCS.TEST I tried making it lower case, restarting afs and that did not work either. Jeffrey

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
[EMAIL PROTECTED] /]$ klist -e Ticket cache: FILE:/tmp/krb5cc_3903_015mRF Default principal: [EMAIL PROTECTED] Valid starting  Expires  Service principal 01/10/07 09:46:13 01/10/07 19:46:16 krbtgt/[EMAIL PROTECTED] renew until 01/17/07 09:46:13, Etype (skey, tkt): ArcFour

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
I think the problem is the afs/cs.unc.edu service key is the wrong encryption type even though I checked the Use DES encryption type for this account in the gui. It is using DES but with RSA-MD5 as shown in kinit -e. So I tried to change the principal account to use only plain DES-CBC-CRC. I

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
DES-CBC-CRC and DES-CBC-MD5 use the same DES key and DES-CBC-MD5 is supported by OpenAFS 1.4.x. That is not your problem. There are many reasons a bad ticket error can be produced. One is that the stored key doesn't match the one used to encrypt the server portion of the service ticket. The

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
Douglas E. Engert wrote: It's all about the salt -- When DES is used with Krb5 a des key is generated by concatenating the password with the salt, and calling des_string_to_key So the only way to really know what the key is is to know the password and the salt. The salt is normally derived

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
The -kvno option of ktpass is only to be used if you are generating a keytab entry to be used in conjunction with a Windows 2000 server. Do not use it if you are using a Windows 2003 server. The hex string that is specified as the Salt is just that, a hex string. Convert the hex to ASCII

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
The Windows XP SP2 version of ktpass.exe can be found as part of the Support Tools pack: http://www.microsoft.com/downloads/details.aspx?familyid=49AE8576-9BB9-4126-9761-BA8011FABF38&displaylang=en

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread John W. Sopko Jr.
Jeffrey Altman wrote: The -kvno option of ktpass is only to be used if you are generating a keytab entry to be used in conjunction with a Windows 2000 server. Do not use it if you are using a Windows 2003 server. Then how do you get the kvno in the account and the keytab to match? Also as

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Douglas E. Engert
John W. Sopko Jr. wrote: I really did not think it would be this complex to generate a Windows service principal and corresponding /usr/afs/etc/KeyFile. No it should not be, but then again Microsoft did some things early on that did not follow the Kerberos conventions, including not using

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-10 Thread Jeffrey Altman
John W. Sopko Jr. wrote: Jeffrey Altman wrote: The -kvno option of ktpass is only to be used if you are generating a keytab entry to be used in conjunction with a Windows 2000 server. Do not use it if you are using a Windows 2003 server. Then how do you get the kvno in the account and

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread John W. Sopko Jr.
Jeffrey Altman wrote: John W. Sopko Jr. wrote: Yes I will try your instructions, I am not in control of our Windows servers and they are running W2K. I do have access to a test W2003 AD server. * Use a working (non-2003 SP1) version of ktpass to export the key The 2003 SP1 Support

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread Jeffrey Altman
John W. Sopko Jr. wrote: In C:\Program Files\Support Tools\ktpass right click properties version tab shows 5.2.3790.1830 So use ktutil on the linux openafs server, setting the password the same as the afs users Windows password: eagle/root [/usr/afs/etc] # ktutil ktutil: add_entry

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread John W. Sopko Jr.
Jeffrey Altman wrote: John W. Sopko Jr. wrote: In C:\Program Files\Support Tools\ktpass right click properties version tab shows 5.2.3790.1830 So use ktutil on the linux openafs server, setting the password the same as the afs users Windows password: eagle/root [/usr/afs/etc] # ktutil

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread Jeffrey Altman
[EMAIL PROTECTED] != afs/[EMAIL PROTECTED] choose one and stick with it. John W. Sopko Jr. wrote: Jeffrey Altman wrote: John W. Sopko Jr. wrote: In C:\Program Files\Support Tools\ktpass right click properties version tab shows 5.2.3790.1830 So use ktutil on the linux openafs server,

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread John W. Sopko Jr.
Jeffrey Altman wrote: [EMAIL PROTECTED] != afs/[EMAIL PROTECTED] choose one and stick with it. I am confused with Windows principals: [EMAIL PROTECTED] /]$ kinit afs/[EMAIL PROTECTED] kinit(v5): Client not found in Kerberos database while getting initial credentials That is why I did:

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-09 Thread Jeffrey Altman
Even assuming you wanted to kinit to your service principal you would have to do so with the correct principal name afs/[EMAIL PROTECTED] != afs/[EMAIL PROTECTED] Your default realm name is CSX.UNC.EDU, not MSE.UNCCS.TEST. However, you don't want to be able to kinit to that service principal.

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-08 Thread Lönroth Erik
@openafs.org Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-07 Thread Jeffrey Altman
John W. Sopko Jr. wrote: Yes I will try your instructions, I am not in control of our Windows servers and they are running W2K. I do have access to a test W2003 AD server. * Use a working (non-2003 SP1) version of ktpass to export the key The 2003 SP1 Support Tools version is

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-05 Thread John W. Sopko Jr.
for authentication. Date: Wed, 3 Jan 2007 16:40:33 +0100 From: Lönroth Erik [EMAIL PROTECTED] To: Lönroth Erik [EMAIL PROTECTED], Jeffrey Altman [EMAIL PROTECTED] Cc: openafs-info@openafs.org Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-05 Thread Jeffrey Altman
Lönroth Erik [EMAIL PROTECTED] To: Lönroth Erik [EMAIL PROTECTED], Jeffrey Altman [EMAIL PROTECTED] Cc: openafs-info@openafs.org Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-05 Thread John W. Sopko Jr.
: Lönroth Erik [EMAIL PROTECTED] To: Lönroth Erik [EMAIL PROTECTED], Jeffrey Altman [EMAIL PROTECTED] Cc: openafs-info@openafs.org Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-05 Thread Jeffrey Altman
John W. Sopko Jr. wrote: I should have been more clear. I am only running a TEST krb5 1.4.4 server under linux. I am still running kaserver. Like lots of folks looking to migrate to K5, have been for years. oh, much relief felt by all :-) I would prefer to keep the dns/realm/afs.cell names

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-05 Thread John W. Sopko Jr.
Yes I will try your instructions, I am not in control of our Windows servers and they are running W2K. I do have access to a test W2003 AD server. * Use a working (non-2003 SP1) version of ktpass to export the key The 2003 SP1 Support Tools version is 5.2.3790.1830. Do not use it. So

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-04 Thread Lönroth Erik
] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg Derrick J Brashear wrote: When I was preparing my slides I had this error, and then I took a package from Jeff Altman with ktpass; then ktpass worked, but I assumed I had changed something else. Right. What version

[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Lönroth Erik
Hello! I've been trying to get OpenAFS 1.4.2 to work with Microsoft Active Directory (AD) 2003 as KDC for some weeks now, and I'm starting to believe I should have gone on that early vacation after all. I just can't get it to work. It ends at: 19270407 = security object was passed a bad ticket

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Jeffrey Altman
Have you set the authentication realm in the AFS server's krb.conf file to LAB.SCANIA.COM ? Jeffrey Altman P.S. In your krb5.conf file, don't do this: default_tkt_enctypes = des-cbc-crc des-cbc-md5 default_tgs_enctypes = des-cbc-crc des-cbc-md5

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Dirk Heinrichs
On Wednesday, 3 January 2007 14:29, ext Jeffrey Altman wrote: P.S. In your krb5.conf file, don't do this: default_tkt_enctypes = des-cbc-crc des-cbc-md5 default_tgs_enctypes = des-cbc-crc des-cbc-md5 Is this a general recommendation or only for Erik? Can you give some background info?

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Jeffrey Altman
Dirk Heinrichs wrote: On Wednesday, 3 January 2007 14:29, ext Jeffrey Altman wrote: P.S. In your krb5.conf file, don't do this: default_tkt_enctypes = des-cbc-crc des-cbc-md5 default_tgs_enctypes = des-cbc-crc des-cbc-md5 Is this a general recommendation or only for Erik? Can you

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Lönroth Erik
=com: afs/sss.se.scania.com HOST/afs HOST/afs.LAB /Erik -Original Message- From: Jeffrey Altman [mailto:[EMAIL PROTECTED] Sent: Wed 1/3/2007 2:29 PM To: Lönroth Erik Cc: openafs-info@openafs.org Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Jeffrey Altman
Lönroth Erik wrote: I believe I have... My file looks like this. Can I be sure this is OK? In my misery I can't trust anything at the moment. [EMAIL PROTECTED] ~]# cat /usr/afs/etc/krb.conf LAB.SCANIA.COM LAB.SCANIA.COM sesocolab11.scania.com This is fine. Although the second line is not

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Lönroth Erik
pretty much everything, did I miss something critical here or is this a bug/feature? /Erik -Original Message- From: Jeffrey Altman [mailto:[EMAIL PROTECTED] Sent: Wed 1/3/2007 3:16 PM To: Lönroth Erik Cc: openafs-info@openafs.org Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Lönroth Erik
: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg OK, I believe I have resolved the problem now after 5 whole days of trial and error. It turns out that using the KTPASS native from Active Directory generates keys that are not liked by AFS. I instead used

RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Derrick J Brashear
On Wed, 3 Jan 2007, Lönroth Erik wrote: I swapped back again to the key generated by ktutil.exe - and it works again. It seems that using the KTPASS.EXE generates bogus keys for me! I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Jeffrey Altman
-Original Message- From: Jeffrey Altman [mailto:[EMAIL PROTECTED] Sent: Wed 1/3/2007 3:16 PM To: Lönroth Erik Cc: openafs-info@openafs.org Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg Lönroth Erik wrote: I believe I have... My file looks

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Jeffrey Altman
Derrick J Brashear wrote: When I was preparing my slides I had this error, and then I took a package from Jeff Altman with ktpass; then ktpass worked, but I assumed I had changed something else. Right. What version of ktpass are you using? There was a bug in one version. The one that came

Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

2007-01-03 Thread Douglas E. Engert
-Original Message- From: Jeffrey Altman [mailto:[EMAIL PROTECTED] Sent: Wed 1/3/2007 3:16 PM To: Lönroth Erik Cc: openafs-info@openafs.org Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arg Lönroth Erik wrote: I believe I have... My file looks like