[OpenAFS] openafs and kerberos5
Forrest D. Whitcher
fw@fwsystems.com
Mon, 09 Apr 2001 12:42:16 -0400
Derek Atkins wrote:
>
> "Forrest D. Whitcher" <fw@fwsystems.com> writes:
>
> > (!!!! btw HELP! :- ... the latest I've been able to figure out is
> > that when I obtain an afs ticket from the k5 KDC (requires krb524d
> > be running to translate tickets).. the AFS key that is granted is
> > listed in the K5 tickets !!!??? might explain why afs is complaining
> > when I try to use the ticket????)
>
> The way Ken's tool works is that it obtains a krb5 AFS key and then
> uses the krb524d server to convert the v5 ticket to a v4 ticket in
> order to stuff it into the kernel. It never caches the v4 ticket
> elsewhere.
>
Ok, that makes sense <doh> ... but:
> Perhaps you have a kvno problem between client/KDC and server? If the
> kvno (Key Version Number) does not match then you will be rejected
> (even if the key does match).
>
> -derek
If I use aklog after creating the k5 afs principal, 'asetkey add' (with a
check that the new KeyFile kvno is incremented by 1 from what it was prior)
and killing kaserver, the error is:
19270407 (rxk).7 = security object was passed a bad ticket
I guess that could be the kvno! <doh> And now I see in Ken's 'ISSUES'
doc file that I need to change my password to be issued the afs key
that's called out in kdc.conf. And indeed on the root account (on which I
changed the PW the other day) kadmin now shows the afs key:
Number of keys: 4
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 4, DES cbc mode with CRC-32, no salt
Key: vno 4, DES cbc mode with CRC-32, Version 4
Key: vno 4, DES cbc mode with CRC-32, AFS version 3
And of course mine doesn't because I've not yet run kpasswd <doh>:
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
So that's obviously reason #1 why it's broke. And you're saying I
also need to match the users' k5 & afs kvnos?
I'm a little gun-shy 'cause every time I've converted the master key
it's locked me out of the afs admin tools and I have to reboot,
reconfig and try again. (Finally figured out that recovery is
simpler if I back up the afs KeyFile.)
Derek, thanks for the help! I think this will fix it.
forrest
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
--
Forrest Whitcher Principal FW Systems
617.254.3506 fw@fwsystems.com
fw@world.std.com 6174803245@mobile.att.net
Information systems consulting http://www.fwsystems.com
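The two failure causes discussed in this thread (a user principal that has no DES key with the "AFS version 3" salt, and an afs service principal whose kvno in the KDC does not match the kvno in the server's KeyFile) can both be checked by reading the "Key: vno ..." lines that kadmin getprinc prints. The script below is an added example, not code from the thread, from Ken's tool or from OpenAFS; it parses that output format as shown in the message above, and the KeyFile kvno is passed in as an integer you obtained yourself (for instance from asetkey or bos listkeys, whose output format is not assumed here). The sample kadmin text for the afs service principal is constructed.

```python
import re

# One key line as printed by "kadmin: getprinc <principal>", e.g.
#   Key: vno 4, DES cbc mode with CRC-32, AFS version 3
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")

# Output copied from the message above: root has been through kpasswd,
# so the KDC regenerated its keys with the salt types listed in kdc.conf.
ROOT_GETPRINC = """\
Number of keys: 4
Key: vno 4, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 4, DES cbc mode with CRC-32, no salt
Key: vno 4, DES cbc mode with CRC-32, Version 4
Key: vno 4, DES cbc mode with CRC-32, AFS version 3
"""

# Output copied from the message above: a user who has not run kpasswd yet.
USER_GETPRINC = """\
Number of keys: 3
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
"""

# Constructed sample for the afs service principal (not from the thread).
AFS_SERVICE_GETPRINC = """\
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
"""


def parse_keys(getprinc_text):
    """Return a list of (kvno, enctype, salt) tuples from getprinc output."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys.append((int(m.group(1)), m.group(2), m.group(3)))
    return keys


def has_afs_salted_des_key(keys):
    """True if the principal has a single-DES key salted the way AFS 3 expects."""
    return any(
        enctype.startswith("DES cbc mode with CRC-32") and salt == "AFS version 3"
        for _, enctype, salt in keys
    )


def check_user_principal(getprinc_text):
    """Explain why aklog/krb524 would fail for this user, or return 'ok'."""
    keys = parse_keys(getprinc_text)
    if not keys:
        return "no key lines found in getprinc output"
    if has_afs_salted_des_key(keys):
        return "ok"
    return ("missing 'AFS version 3' salted DES key: run kpasswd so the KDC "
            "regenerates the keys with the salt types configured in kdc.conf")


def check_service_kvno(getprinc_text, keyfile_kvno):
    """Compare the afs principal's kvnos in the KDC with the server KeyFile kvno."""
    kdc_kvnos = sorted({kvno for kvno, _, _ in parse_keys(getprinc_text)})
    if keyfile_kvno in kdc_kvnos:
        return "ok"
    return (f"kvno mismatch: KeyFile holds kvno {keyfile_kvno}, "
            f"KDC holds {kdc_kvnos}; the fileserver will reject the ticket "
            f"even when the key material itself is identical")


if __name__ == "__main__":
    print("root:", check_user_principal(ROOT_GETPRINC))
    print("user:", check_user_principal(USER_GETPRINC))
    print("afs kvno 3:", check_service_kvno(AFS_SERVICE_GETPRINC, 3))
    print("afs kvno 4:", check_service_kvno(AFS_SERVICE_GETPRINC, 4))
```

Run it against your own getprinc output for the user and for the afs service principal; a mismatch report for the service principal is the "security object was passed a bad ticket" case before you touch the KeyFile again, which is cheaper than rebooting and restoring a backup.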