[OpenAFS-devel] ticket contained unknown key version number

Jeffrey Hutzelman jhutz@cmu.edu
Wed, 17 Aug 2005 11:42:46 -0400


On Wednesday, August 17, 2005 02:34:42 AM +0200 Martin MOKREJŠ
<mmokrejs@ribosome.natur.cuni.cz> wrote:

> My /etc/krb5.conf is attached. Anything wrong in there?
> Are there some enctypes which do not work? I mean, do I have to delete
> some of them after afs/cellname principal is created?
> Like:
> # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e des-cbc-md5
> # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e des-cbc-md4
> # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e aes256-cts-hmac-sha1-96
> # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e arcfour-hmac-md5

First, you will want to use kadmin's del_enctypes command to delete from the
Kerberos database any non-DES keys on the afs service principal, such as the
aes256-cts-hmac-sha1-96 and arcfour-hmac-md5 keys you mention above.  What is
in the keytab file is irrelevant; keytab files are for servers, not the KDC.

However, I suspect your real problem is that you lack an AFS keyfile in
/usr/afs/etc/KeyFile or wherever is appropriate for your system.  To create
this file, you should use a command like

ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/afs/etc/KeyFile

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA