Hi!
Due to some problems while migrating from 2003 to 2008 I need to redo my
complete AD.
Biggest problem beside the work to setup all users is:
creating new afs credential and set it up in the OpenAFS Fileservers.
Is there any guide/step-by-step available now?
I once did it and did not document it well :-(
So far I know:
1. create user afs in AD, user cannot change pass, passwd never expires
2. setspn afs afs/cgv.tugraz.at
3. ktpass -out NAME.out.txt -princ afs*******\
-crypto DES-CBC-CRC +rndPass +DesOnly /ptype KRB5_NT_SRV_HST
4. on fileservers: asetkey add 3 NAME.out.txt afs/cgv.tugraz.at
5. restart fileservers.
But as ktpass does not set the kvno in AD, how do I get the kvno?
And do I miss a point?
Best regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: 43 316 873-5405 E-Mail: l.schimmer*******
Fax: 43 316 873-5402 PGP-Key-ID: 0x4A9B1723
updated the admin guide, the answer would be 'no'.
0. Enable support for single DES in AD
Use MIT kvno tool to request a service ticket for
afs/cgv.tugraz.at*******. That will report the kvno.
Or you can examine the user account object in AD.
replace "add 3" with "add <kvno>"
restart not required. touch the server CellServDB file.
OpenAFS-info mailing list
OpenAFS-info*******/mailman/listinfo/openafs-info
On a related note, if anyone has a document on setting up 2008 AD to pass through all authentication requests to MIT krb5 that would be extremely welcome here.
There are docs at Microsoft on doing this with win2k or something, and I've been told that other sites (umich) do this, but we're not windows experts and our efforts up to now have failed.
thanks
danno
--
Dan Pritts, Sr. Systems Engineer
Internet2
office: 1-734-352-4953 | mobile: 1-734-834-7224
In addition to the above it's a good idea to make sure you have the
2003 SP1 version of ktpass. http://support.microsoft.com/kb/892777
Also to keep the size of tokens small, consider setting the NO_AUTH_DATA_REQUIRED
flag in the userAccountControl for the afs account. This tells AD not
to add a PAC to the service ticket for AFS. A ticket (and token) with a PAC can
be 12K or more, without it less than 1K. Currently AFS does not use the PAC.
http://support.microsoft.com/kb/832572
--
Douglas E. Engert <DEEngert*******>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
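As an added example (not code from this thread or from OpenAFS), a small POSIX sh helper that ties together two of the checks the replies above point at: reading the kvno out of MIT `kvno` output so that "asetkey add 3" becomes "asetkey add <kvno>", and decoding the afs account's userAccountControl to confirm the DES-only and NO_AUTH_DATA_REQUIRED bits. The realm, the keytab name and the sample kvno output are constructed; the flag values are the documented ADS_UF_* constants.

```shell
#!/bin/sh
# Added example, not code from the thread: helpers for the AD -> OpenAFS keying steps.
# Assumptions: realm CGV.TUGRAZ.AT, keytab NAME.out.txt, constructed kvno output below.

# Constructed sample of what "kvno afs/cgv.tugraz.at" prints (realm assumed).
SAMPLE_KVNO_OUTPUT='afs/cgv.tugraz.at@CGV.TUGRAZ.AT: kvno = 3'

# Extract the key version number from one line of kvno output.
# Prints the integer; returns non-zero when the line carries no kvno.
parse_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\)[[:space:]]*$/\1/p' | grep .
}

# Build the asetkey command for each server: "add 3" becomes "add <kvno>".
asetkey_cmd() {
    printf 'asetkey add %s %s %s\n' "$1" "$2" "$3"
}

# userAccountControl bits worth confirming on the afs account (ADS_UF_* values).
# "User cannot change password" is an ACL on the object, not a UAC bit, so it is
# not checked here.
UF_DONT_EXPIRE_PASSWD=$((0x10000))       # password never expires
UF_USE_DES_KEY_ONLY=$((0x200000))        # what ktpass +DesOnly sets
UF_NO_AUTH_DATA_REQUIRED=$((0x2000000))  # no PAC in the AFS service ticket

# Report which expected flags a decimal userAccountControl value lacks.
# Returns 0 when all are present, 1 otherwise (missing flag names on stdout).
check_uac() {
    uac=$1; rc=0
    for pair in DONT_EXPIRE_PASSWD:$UF_DONT_EXPIRE_PASSWD \
                USE_DES_KEY_ONLY:$UF_USE_DES_KEY_ONLY \
                NO_AUTH_DATA_REQUIRED:$UF_NO_AUTH_DATA_REQUIRED; do
        name=${pair%%:*}; bit=${pair#*:}
        if [ $((uac & bit)) -eq 0 ]; then
            echo "missing: $name"; rc=1
        fi
    done
    return $rc
}

# Demo on the constructed sample: kvno 3 -> the asetkey line for the fileservers.
kv=$(parse_kvno "$SAMPLE_KVNO_OUTPUT") && asetkey_cmd "$kv" NAME.out.txt afs/cgv.tugraz.at
```

Feed the real `kvno` output and the account's userAccountControl value (e.g. from an LDAP query) to the two functions before touching the servers; a non-zero return from check_uac means a step from the list above was skipped.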
Looks like we are one out of 10 running this setup worldwide. I try to
document my steps well and put it up later on.
Thank you. That was the information I needed. Will try and report back.
Best regards,
Lars Schimmer
--
-------------------------------------------------------------
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: 43 316 873-5405 E-Mail: l.schimmer*******
Fax: 43 316 873-5402 PGP-Key-ID: 0x4A9B1723
As Simon reminds me, without the fix to ubik that is present in
http://gerrit.openafs.org/#change,3150
a restart of the servers will be required after a new key is installed.
The database servers, that is, if I'm reading that change correctly. The
fileservers should still be fine.
--
Andrew Deason
adeason*******
On 1.4, you want to restart them all.
I can't find the relevant bug fix, but I know for sure that one major AFS user hit problems with connections from fileserver to dbserver when they rekeyed the fileservers, and did not restart them.
S.
Do you mean RT 125020 (STABLE14-viced-ubik-clientdestroy-null-20090703)?
If so, yes, I think that would do it. That fix was in 1.4.11, but yeah,
to be more safe in the general case...
--
Andrew Deason
adeason*******
it's not so much after a new key is installed that this fixes; it's
that if you immediately remove the old key that you need this.
--
Derrick