[OpenAFS] incorrect KeyFile causing cell setup to fail -- maybe wrong enctype ?

scorch scorch@muse.net.nz
Sat, 10 Mar 2007 04:42:01 +1300


I am starting a fresh cell on a test box & having trouble with correct
creation of the KeyFile. For some reason my notes from 3 years ago are no longer
sufficient, & some advice is needed!

Presumably this is due either to:
	wrong enctype(s) — the afs principal still carries three single-DES keytypes (des-cbc-md5, des-cbc-md4, des-cbc-crc) alongside aes256 and arcfour, all at kvno 1
	incorrect extraction method — `bos listkeys -localauth` below reports two *different* checksums for "key 1", which looks like two distinct keys filed under the same kvno, so the server may be picking one that does not match the des-cbc-crc service ticket
does anybody see where I'm going horribly wrong?

thanks, Dave

# create afs KeyFile from heimdal & put in the right place
# NOTE: bosserver is started with -noauth below so the first bos commands work before any
# token exists; in that mode it accepts unauthenticated administrative requests, so only do
# this on an isolated test box and restart bosserver without -noauth once the KeyFile and
# admin users are in place
# see below for krb5.conf

root@sendai:/home/dave $ mkdir -m 700 -p /etc/openafs/server

root@sendai:/home/dave $ kadmin -p admin/krb
kadmin> add --random-key --use-defaults afs
kadmin> del_enctype afs des3-cbc-sha1
kadmin> get afs@MUSE.NET.NZ
             Principal: afs@MUSE.NET.NZ
     Principal expires: never
      Password expires: never
  Last password change: never
       Max ticket life: 1 day
    Max renewable life: 1 week
                  Kvno: 1
                 Mkvno: 0
Last successful login: never
     Last failed login: never
    Failed login count: 0
         Last modified: 2007-03-08 21:57:02 UTC
              Modifier: admin/krb@MUSE.NET.NZ
              Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt), arcfour-hmac-md5(pw-salt)

kadmin> ext -k /tmp/afskeytabfile.krb5 afs
kadmin> quit

root@sendai:/home/dave $ ktutil -k /tmp/afskeytabfile.krb5 list

Vno  Type                     Principal
   1  des-cbc-md5              afs@MUSE.NET.NZ
   1  des-cbc-md4              afs@MUSE.NET.NZ
   1  des-cbc-crc              afs@MUSE.NET.NZ
   1  aes256-cts-hmac-sha1-96  afs@MUSE.NET.NZ
   1  arcfour-hmac-md5         afs@MUSE.NET.NZ

root@sendai:/home/dave $ ktutil copy FILE:/tmp/afskeytabfile.krb5

root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth

root@sendai:/etc/openafs/server $ pafs
24807 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage

root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
root@sendai:/home/dave $ pafs
22752 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost
bos: security object was passed a bad ticket error encountered while
listing keys

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -noauth
bos: you are not authorized for this operation error encountered while
listing keys

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -localauth
key 1 has cksum 250617512
key 1 has cksum 3616054386
Keys last changed on Fri Mar  9 10:59:32 2007.
All done.
root@sendai:/home/dave $ klist -vT
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: admin/afs@MUSE.NET.NZ
     Cache version: 4

Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: initial
Addresses: IPv4:, IPv4:, IPv4:,
IPv4:, IPv4:, IPv4:

Server: afs@MUSE.NET.NZ
Ticket etype: des-cbc-crc, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: transited-policy-checked
Addresses: IPv4:, IPv4:, IPv4:,
IPv4:, IPv4:, IPv4:

Mar  9 10:08:01  Mar 10 02:48:01  Tokens for muse.net.nz (256)
root@sendai:/home/dave $

# $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
# Example Kerberos 5 configuration file. You may need to change the defaults
# in this file to match your environment.
# See krb5.conf(5) and the heimdal infopage for more information.
# Normally, the realm should be your DNS domain name with uppercase
# letters. In this example file, we've written the realm as MY.REALM
# and the domain as my.domain to make it clear what we refer to.
# Normally, it is not necessary to do any changes on client-only
# machines, as it's recommended that the information needed is put
# in DNS.
# On server machines, it is not strictly necessary, but it is recommended
# to have local configuration.
[libdefaults]
	default_realm = MUSE.NET.NZ
	ticket_lifetime = 60000
	clockskew = 300

[appdefaults]
	afs-use-524 = no
	afslog = yes

[realms]
	MUSE.NET.NZ = {
		# single DES (56-bit) is what the rxkad KeyFile in this setup uses; the afs3-salted
		# des-cbc-crc key is the AFS one, so keep DES enabled only where the afs principal needs it
		supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
		kdc = kerberos.muse.net.nz
		admin_server = kerberos.muse.net.nz
		kpasswd_server = kerberos.muse.net.nz
	}

[domain_realm]
	.muse.net.nz = MUSE.NET.NZ

[kadmin]
	default_keys = v5 afs3
	afs-cell = muse.net.nz

[logging]
	kadmind = FILE:/var/heimdal/kadmind.log

[kdc]
	# NOTE: with pre-authentication off, anyone can request an AS-REP for any principal
	# and attack its key offline; re-enable this once the cell setup is working
	require-preauth = no
	v4-realm = MUSE.NET.NZ
	afs-cell = muse.net.nz