[OpenAFS] AFS + Kerberos

Maurizio Santini msantini@pictage.com.ar
Wed, 19 Jan 2005 14:32:40 -0300


So if my problem is a key mismatch, how do I solve it?  I mean, what do I
need to do for the kvno number to match the other entries?

Thanks,

Maurizio


On Wed, 2005-01-19 at 10:08, sophana wrote:
> If you want ktadd to duplicate a key into a keytab without scrambling 
> it, it is not possible.
> This is a security feature of Kerberos.
> 
> ktadd always scrambles the key before copying it into the keytab file.
> 
> I had the same problem, and there is no (easy) solution.
> 
> Hope this helps...
> 
> Maurizio Santini wrote:
> 
> >Does anyone know how to circumnavigate this kind of egg/chicken problem?
> >
> >I'm trying to make the kvno for a testuser match the entry in
> >/etc/krb5.keytab and the KeyFile but every time I do so using "ktadd" I
> >have to change the password for the user.  As a consequence the kvno
> >gets increased by one and I have the same problem again.
> >
> >I'm doing this because I get the error "security object was passed a bad
> >ticket" and I think it's because there's a key mismatch (please correct
> >me if I'm wrong).
> >
> >aklog seems to work but if I try to create a file I get 'Permission
> >denied'. The "tokens" command says "User's (AFS ID 828) tokens for
> >afs@test.pictage.com.ar" which is correct.
> >
> >------klist output------
> >Ticket cache: FILE:/tmp/krb5cc_608
> >Default principal: testuser@TEST.PICTAGE.COM.AR
> >
> >Valid starting     Expires            Service principal
> >01/18/05 17:42:56  01/19/05 03:42:54  krbtgt/TEST.PICTAGE.COM.AR@TEST.PICTAGE.COM.AR
> >01/18/05 17:43:10  01/19/05 03:42:54  testuser@TEST.PICTAGE.COM.AR
> >01/18/05 18:06:44  01/19/05 03:42:54  afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR
> >------------------------
> >
> >I'm using KerberosV-1.3.5, OpenAFS 1.2.11 and RHL 7.3
> >
> >Regards,
> >
> >Maurizio Santini
> >System administrator
> >TenRoses
> >
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info@openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info
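
A check for the kvno mismatch discussed in this thread, as an added example that is not part of the original messages: it compares the key version number the KDC reports for the afs/test.pictage.com.ar service principal (the one in the klist output) with the versions held in the keytab and in the AFS KeyFile. The sample text is constructed and assumes the output formats of MIT `kvno`, `klist -k` and OpenAFS `asetkey list`; the kvno values and key bytes are made up.

```shell
#!/bin/sh
PRINC='afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR'

# Constructed sample text (assumed formats, made-up kvno values and key bytes).
# On a live system these would be "$(kvno "$PRINC")", "$(klist -k)", "$(asetkey list)".
KDC_OUT='afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR: kvno = 4'
KEYTAB_OUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   3 afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR
   2 host/afs1.test.pictage.com.ar@TEST.PICTAGE.COM.AR'
KEYFILE_OUT='kvno    3: key is: 0123456789abcdef
All done.'

# kvno the KDC currently issues for principal $1, parsed from kvno output $2
kdc_kvno() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p ":" && $2 == "kvno" { print $4 }'
}

# every kvno the keytab listing $2 holds for principal $1
keytab_kvnos() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 == p { print $1 }'
}

# every kvno present in the KeyFile listing $1
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "kvno" { sub(":", "", $2); print $2 }'
}

# args: principal, kvno output, klist -k output, asetkey list output
# returns 0 if the KDC's kvno is in both key stores, 1 on mismatch, 2 if unknown
check_kvno() {
    want=$(kdc_kvno "$1" "$2")
    [ -n "$want" ] || { echo "no kvno reported for $1"; return 2; }
    bad=0
    keytab_kvnos "$1" "$3" | grep -qx "$want" ||
        { echo "keytab has no kvno $want for $1"; bad=1; }
    keyfile_kvnos "$4" | grep -qx "$want" ||
        { echo "KeyFile has no kvno $want"; bad=1; }
    return $bad
}

check_kvno "$PRINC" "$KDC_OUT" "$KEYTAB_OUT" "$KEYFILE_OUT" ||
    echo "result: servers cannot decrypt tickets issued with the current key"
```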