[OpenAFS] afs krb5 migration

Martin Schulz schulz@iwrmm.math.uni-karlsruhe.de
21 Apr 2001 06:16:44 +0200


Hello again,

Now that AFS is more or less running on our SUN, I made an attempt to
make it work with the already existing MIT krb5 server (on another
machine).

I therefore used Ken Hornstein's migration kit. I had quite some
difficulty getting it to compile etc., but I got this one and got it to
work bit by bit. However, I am now completely stuck in a situation
that - at first glance - looks perfectly fine.

I can obtain the K5 ticket with the K5 kinit, I can use aklog and get
an afs token in the cache as well as my user's AFS token in the AFS
Cache Manager.

---------------------------------------------------------------------------
$ ./klist 
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: schulz@IWRMM.UNI-KARLSRUHE.DE

Valid starting     Expires            Service principal
04/21/01 05:46:05  04/21/01 15:46:05  krbtgt/IWRMM.UNI-KARLSRUHE.DE@IWRMM.UNI-KARLSRUHE.DE
04/21/01 05:46:21  04/21/01 15:46:05  afs@IWRMM.UNI-KARLSRUHE.DE


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
$ /usr/afs/bin/tokens

Tokens held by the Cache Manager:

User's (AFS ID 500) tokens for afs@iwrmm.uni-karlsruhe.de [Expires Apr 21 15:46]
   --End of list--
--------------------------------------------------------------------------

However, I cannot use these tokens, since every time I need them to
access some file or directory, I get a message like:

---------------------------------------------------------------------------
afs: Tokens for user of AFS id 500 for cell iwrmm.uni-karlsruhe.de are discarded (rxkad error=19270407)
---------------------------------------------------------------------------

translate_et tells me:

----------------------------------------------------------------------
19270407 (rxk).7 = security object was passed a bad ticket
----------------------------------------------------------------------

What does that mean? I already checked the kvno: the highest number in
`asetkey list` coincides with the one shown by kadmin getprinc.

I suppose that some key may be wrong. How could I display the actual
keys in kadmin in a form byte-by-byte comparable to the one in
alistkey?

Furthermore, I observed that the afs principal has only two keys in
Kerberos, whereas usual users have four of them:

AFS:
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode raw, no salt

myself:
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, Triple DES cbc mode raw, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4
Key: vno 2, DES cbc mode with CRC-32, AFS version 3

Is that supposed to be that way? 

Yours,
-- 
Martin Schulz                             schulz@iwrmm.math.uni-karlsruhe.de
Uni Karlsruhe, Institut f. wissenschaftliches Rechnen u. math. Modellbildung
Engesser Str. 6, 76128 Karlsruhe
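
An added example, not part of the original post and not OpenAFS code: how the number 19270407 in the kernel message splits into an error-table name and an offset under the standard com_err packing (6 bits per name character above an 8-bit message index). The helper names are hypothetical, and the symbol list is the rxkad error table as recalled here, so check it against the rxkad_errs.et in your own tree. With the standard character set the name decodes as upper-case "RXK", which translate_et above prints as rxk.

```c
#include <stdio.h>
#include <string.h>

#define ERRCODE_RANGE 8   /* low 8 bits: index of the message in its table */
#define BITS_PER_CHAR 6   /* each table-name character occupies 6 bits */

static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Assumption: symbol order of the rxkad table, offsets 0..9 only. */
static const char *const rxkad_syms[] = {
    "RXKADINCONSISTENCY", "RXKADPACKETSHORT", "RXKADLEVELFAIL",
    "RXKADTICKETLEN", "RXKADOUTOFSEQUENCE", "RXKADNOAUTH",
    "RXKADBADKEY", "RXKADBADTICKET", "RXKADUNKNOWNKEY", "RXKADEXPIRED"
};

/* First code of the table this error belongs to (19270400 for rxkad). */
long et_table_base(long code) { return code & ~0xFFL; }

/* Position of the error inside its table. */
int et_offset(long code) { return (int)(code & 0xFF); }

/* Decode the packed table name (up to 4 chars) into out (>= 5 bytes). */
char *et_table_name(long code, char *out)
{
    unsigned long num = ((unsigned long)code >> ERRCODE_RANGE) & 0xFFFFFFUL;
    char *p = out;
    for (int i = 3; i >= 0; i--) {
        unsigned ch = (unsigned)(num >> (BITS_PER_CHAR * i)) & 63u;
        if (ch != 0)              /* 0 means "no character in this slot" */
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
    return out;
}

/* Symbol for an rxkad offset, or "?" if outside the part listed above. */
const char *rxkad_symbol(int off)
{
    int n = (int)(sizeof rxkad_syms / sizeof rxkad_syms[0]);
    return (off >= 0 && off < n) ? rxkad_syms[off] : "?";
}

int main(void)
{
    long code = 19270407L;        /* value from the "tokens discarded" line */
    char name[8];
    printf("%ld = (%s).%d base %ld %s\n", code, et_table_name(code, name),
           et_offset(code), et_table_base(code), rxkad_symbol(et_offset(code)));
    return 0;
}
```

Offset 7 (bad ticket) is distinct from offset 8 (unknown key version number), which is the code to expect when the kvno in the ticket has no matching entry on the server side.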