[OpenAFS] KeyFile generation issue
Joe Di Lellio
joed@ucsc.edu
Fri, 1 Sep 2006 14:23:27 -0700 (PDT)
Unfortunately, I jumped the gun on this. Initial probing looked
fine - get tokens, create/mod/delete files/dirs. Actual AFS actions
like creating volumes, querying members of a group, etc, failed with
the following error:
Could not get an Id for volume users
rxk: ticket contained unknown key version number
rxk: ticket contained unknown key version number
Error in vos create command.
rxk: ticket contained unknown key version number
In case of fat fingering I've tried this more than once. Still
no joy.
An unrelated question: should I be able to reuse TransArc KeyFiles?
I have a dev environment set up. If I have a copy of the production
KDC database and the older KeyFiles, the new openafs DB servers should
work, right?
On Thu, 31 Aug 2006, ted creedon wrote:
>
>
> -----Original Message-----
> From: Joe Di Lellio [mailto:joed@ucsc.edu]
> Sent: Thursday, August 31, 2006 4:15 PM
> To: ted creedon
> Subject: RE: [OpenAFS] KeyFile generation issue
>
>
> Cool, that was it. Thanks!
>
> On Thu, 31 Aug 2006, ted creedon wrote:
>
> > I use strace -e read=0,1,2,3 -e write=0,1,2,3 -o foo.c asset key
> > (The .c colorizes the output in an editor)
> >
> > To help figure out whats going on. I futz around with ktutil and asetkey
> > until things line up. Look at the kdc log file for incorrect principal
> > names.
> >
> > I think that the :v4 should be :normal
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CATS.UCSC.EDU
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal afs@CATS.UCSC.EDU
> >
> > tedc
> >
> > -----Original Message-----
> > From: openafs-info-admin@openafs.org
> [mailto:openafs-info-admin@openafs.org]
> > On Behalf Of Joe Di Lellio
> > Sent: Thursday, August 31, 2006 3:23 PM
> > To: openafs-info@openafs.org
> > Subject: [OpenAFS] KeyFile generation issue
> >
> >
> > I'm almost done with a trio of systems to replace my DB servers,
> > but I'm having trouble with my KeyFile. I've followed the instructions
> > (as mentioned below), but to no avail. The specific instructions are
> > from the afs-krb5-2.0 distribution.
> >
> > What I've done:
> >
> > 1) The instructions mention creating an AFS principal. We have one
> > already, as I have a test KDC with a clone of the production KDC's DB.
> > However, I did try nuking the old principal & recreating it, on the
> > chance that was the problem. Regardless, I started with a kvno of 3.
> >
> > 2) There is also a mention of using asetkey to find the kvno in the
> > current KeyFile, and modifying the kvno in kerberos to have the
> > same as the highest. I've tried both going from no KeyFile and using
> > the one from my current TransArc servers. In the latter case I had
> > a kvno here of 3.
> >
> > 3) I've used ktadd to extract the afs key to keytab file (the specific
> > command is modified slightly as per a page I found googling):
> >
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CATS.UCSC.EDU
> >
> > As mentioned, this incremented the kvno; in this case to 4.
> >
> > 4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:
> >
> > # ./asetkey add 4 /etc/krb5.keytab afs
> >
> > 5) I kept the keytab file around for a while, but also tried removing
> > mention to the AFS principle.
> >
> > In all the cases, I keep getting the following error:
> >
> > Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded
> > (rxkad error=19270407). Simple googling showed that as RXKADBADTICKET,
> > aka "security object was passed a bad ticket". This particular error
> > has come up with the some of varying iterations of how I did this, as
> > above. I've also seen, as the one variation to the above, the error
> > 19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version
> > number". In this case I believe it was an early attempt where I had
> > a low kvno in my KeyFile (like 3), but I'd increased the kvno on the
> > KDC principle due to multiple attempts; I believe it was 9 or so (minor
> > data point). That KeyFile was grabbed from one of my TransArc DB servers.
> >
> > Any clues? As far as I can tell, I've gone through the instructions
> > extemely carefully, and with all the variations should I just be running
> > across some oddity. I wouldn't be surprised if I'm missing something
> > fairly obvious, but I really just can't say.
> >
> > As always, thanks in advance.
> >
> > ------
> > It ain't what you don't know that gets you into trouble. It's what you
> > know for sure that just ain't so. -- Mark Twain
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> >
> >
>
> ------
> It ain't what you don't know that gets you into trouble. It's what you
> know for sure that just ain't so. -- Mark Twain
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
------
It ain't what you don't know that gets you into trouble. It's what you
know for sure that just ain't so. -- Mark Twain