[OpenAFS] openafs and kerberos5

Forrest D. Whitcher fw@fwsystems.com
Mon, 09 Apr 2001 12:42:16 -0400


Derek Atkins wrote:
> 
> "Forrest D. Whitcher" <fw@fwsystems.com> writes:
> 
> > (!!!! btw HELP! :- ... the latest I've been able to figure out is
> > that when I obtain an afs ticket from the k5 KDC (requires krb524d
> > be running to translate tickets).. the AFS key that is granted is
> > listed in the K5 tickets !!!??? might explain why afs is complaining
> > when I try to use the ticket????)
> 
> The way Ken's tool works is that it obtains a krb5 AFS key and then
> uses the krb524d server to convert the v5 ticket to a v4 ticket in
> order to stuff it into the kernel.  It never caches the v4 ticket
> elsewhere.
> 
Ok, that makes sense <doh> ... but:

> Perhaps you have a kvno problem between client/KDC and server?  If the
> kvno (Key Version Number) does not match then you will be rejected
> (even if the key does match).
> 
> -derek

If I use aklog after creating the k5 afs principal, running 'asetkey add' (with
a check that the new KeyFile kvno is incremented by 1 from what it was prior),
and killing kaserver, the error is:

19270407 (rxk).7 = security object was passed a bad ticket

I guess that could be the kvno! <doh> And now I see in Ken's 'ISSUES'
doc file that I need to change my password to be issued the afs key
that's called out in kdc.conf. And indeed on the root account (on which I
changed the PW the other day) kadmin now shows the afs key:

Number of keys: 4
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 4, DES cbc mode with CRC-32, no salt
Key: vno 4, DES cbc mode with CRC-32, Version 4
Key: vno 4, DES cbc mode with CRC-32, AFS version 3

And of course mine doesn't, because I've not yet run kpasswd <doh>:

Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4

So that's obviously reason #1 why it's broken, and you're saying I
also need to match the user's k5 & afs kvnos?

I'm a little gun-shy 'cause every time I've converted the master key
it's locked me out of the afs admin tools and I have to re-boot,
re-config and try again. (Finally figured out that recovery is
simpler if I back up the afs KeyFile.)

Derek, thanks for the help! I think this will fix it

forrest

> 
> --
>        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>        Member, MIT Student Information Processing Board  (SIPB)
>        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>        warlord@MIT.EDU                        PGP key available

-- 
Forrest Whitcher    Principal      FW Systems 
617.254.3506                       fw@fwsystems.com                 
fw@world.std.com                   6174803245@mobile.att.net
Information systems consulting     http://www.fwsystems.com
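
The two checks discussed in the thread (does the afs service principal's
AFS-salted DES key carry the same kvno as the cell's KeyFile, and does a user
principal have an AFS-salted key at all, or still need kpasswd), as an added
example; this is not code from the original post or from OpenAFS. The
`asetkey list` and `kadmin getprinc` output embedded below is constructed
sample text modelled on the key listings in the message, and the assumed line
formats ("kvno    N: key is: <hex>" and "Key: vno N, <enctype>, <salt>") are
assumptions; on a real cell you would feed in the real command output instead.

```shell
#!/bin/sh
# Added example, not from the original post or from OpenAFS.
# Compares the kvno of the afs principal's AFS-salted single-DES key in the
# Kerberos 5 KDC with the kvnos present in the AFS KeyFile, and checks whether
# a user principal has an AFS-salted key at all.
# The command output below is CONSTRUCTED sample text (assumed formats:
# asetkey list -> "kvno    N: key is: <hex>", kadmin getprinc -> "Key: vno N,
# <enctype>, <salt>"). On a real cell use the output of `asetkey list` and
# `kadmin -q "getprinc afs"` / `kadmin -q "getprinc <user>"` instead.

SAMPLE_ASETKEY_LIST='kvno    4: key is: 0123456789abcdef
kvno    3: key is: fedcba9876543210'

SAMPLE_GETPRINC_AFS='Principal: afs@EXAMPLE.COM
Number of keys: 2
Key: vno 4, DES cbc mode with CRC-32, no salt
Key: vno 4, DES cbc mode with CRC-32, AFS version 3'

SAMPLE_GETPRINC_ROOT='Principal: root@EXAMPLE.COM
Number of keys: 4
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 4, DES cbc mode with CRC-32, no salt
Key: vno 4, DES cbc mode with CRC-32, Version 4
Key: vno 4, DES cbc mode with CRC-32, AFS version 3'

SAMPLE_GETPRINC_FW='Principal: fw@EXAMPLE.COM
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4'

# Print every kvno present in `asetkey list` output, one per line.
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^kvno *\([0-9][0-9]*\):.*/\1/p'
}

# Print the vno of the principal's single-DES key with the AFS salt (the key
# an AFS token is actually verified against), or nothing if there is none.
afs_salt_kvno() {
    printf '%s\n' "$1" | sed -n 's/^Key: vno \([0-9][0-9]*\), DES cbc mode with CRC-32, AFS version 3$/\1/p'
}

# Returns 0 if the AFS-salted key's vno also appears in the KeyFile,
# 1 if the KDC has such a key but the KeyFile does not carry that vno
# (the "security object was passed a bad ticket" case), 2 if the KDC
# principal has no AFS-salted key at all.
# $1 = asetkey list output, $2 = kadmin getprinc output for the afs principal.
check_service_principal() {
    kdc_vno=$(afs_salt_kvno "$2")
    if [ -z "$kdc_vno" ]; then
        echo "KDC afs principal has no AFS-salted DES key"
        return 2
    fi
    for v in $(keyfile_kvnos "$1"); do
        if [ "$v" = "$kdc_vno" ]; then
            echo "kvno $kdc_vno present in both KDC and KeyFile"
            return 0
        fi
    done
    echo "kvno mismatch: KDC has $kdc_vno, KeyFile has: $(keyfile_kvnos "$1" | tr '\n' ' ')"
    return 1
}

# Returns 0 if the user principal has an AFS-salted DES key, 1 if not (the
# user must run kpasswd so the KDC regenerates keys with the salts listed in
# kdc.conf). $1 = kadmin getprinc output for the user.
check_user_principal() {
    if [ -n "$(afs_salt_kvno "$1")" ]; then
        echo "user has an AFS-salted key (vno $(afs_salt_kvno "$1"))"
        return 0
    fi
    echo "user has no AFS-salted key; run kpasswd"
    return 1
}

# Run against the constructed samples: root has the AFS key, fw does not.
check_service_principal "$SAMPLE_ASETKEY_LIST" "$SAMPLE_GETPRINC_AFS"
check_user_principal "$SAMPLE_GETPRINC_ROOT"
check_user_principal "$SAMPLE_GETPRINC_FW" || true
```

Both checks only look at the kvno and the salt type, which is the point of the
thread: a key that decrypts fine is still rejected if the vno the server
expects is not the one the KDC used, so compare vnos before touching the
master key or the KeyFile again.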