Red Hat Bugzilla – Bug 454280
cannot get AFS service principal into keytab
Last modified: 2015-01-04 18:33:13 EST
Description of problem: I can't extract an afs3-salted service principal so that
Version-Release number of selected component: ipa-client-1.1.0-2.fc9.x86_64
How reproducible: always
Steps to Reproduce:
1. ipa-addservice afs
2. ipa-getkeytab -s kdc -p afs -e des-cbc-crc:afs3 -k /etc/krb5.keytab.afs
Warning unrecognized encryption type: [des-cbc-crc:afs3]
No warnings, then asetkey works.
Additional info: using kadmin.local as described in
<http://www.dementia.org/twiki/bin/view/AFSLore/FedoraAFSInstall> appears to
work (at least asetkey now works), but the service ticket is placed under
cn=kerberos instead of cn=services,cn=accounts (apparently this is Bad!).
I am no expert in Kerberos or OpenAFS, so it's possible I'm trying to do
something slightly stupid.
Matt, I remember we discussed this problem before you submitted a bug.
Can you please try with just -e des-cbc-crc?
What errors do you get if you use this form?
It would be nice to have krb5kdc.log if OpenAFS fails to obtain a TGT using a
keytab generated this way.
Need to know if there was actually a fix for this, or should it be resolved with a different status than MODIFIED? Thanks
Jenny - it's probably one of those bugs where we wanted to see if we can reproduce the original problem.
If we can, then re-open the bug.
Else, mark it as closed/worksforme.
from install log:
2008-11-26 02:44:23,729 DEBUG [6/13]: adding default keytypes
2008-11-26 02:44:23,777 INFO add krbSupportedEncSaltTypes:
modifying entry "cn=BOS.REDHAT.COM,cn=kerberos,dc=bos,dc=redhat,dc=com"