[OpenAFS] AFS-K5 transition
Corey Kovacs
ckovacs@DEPAUW.EDU
Wed, 21 Aug 2002 11:21:36 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Is the AFS --> K5 migration fully documented anywhere? I've got an OpenAFS
1.2.6 server that I want to convert to use K5. I've seen most if not all of
the separate documents, but never anything in one comprehensive place. I
understand that building the system from the beginning is reletively
painless, but what about systems that already have users?
Corey
On Wednesday 21 August 2002 10:59, tbird57 wrote:
> Hi,
>
>
> I've encountered a problem on the AFS cell I've built under
> RH Linux
> 7.1 server (Kernel 2.4.2). I'm running openAFS 1.2.2, and
> Kerberos 5
> (version 1.2.2-12), and the problems started after I tried
> to get AFS to
> use K5 (Ken Hornstein's migration kit - afs-krb5-1.3). I
> built the kit,
> and I'm running 'fakeka' as an instance under the bosserver.
> I created
> a K5 key for afs, in a temporary keytab, and loaded it into
> the AFS
>
> KeyFile using 'asetkey', per instructions in the kit:
> > [root@montana: /root]# kadmin.local
> > Authenticating as principal afsadmin/admin@SENSE.NET with
>
> password.
>
> > kadmin.local: ktadd -e des-cbc-crc:v4 -k
>
> /var/tmp/krb5.keytab afs
>
> > Entry for principal afs with kvno 16, encryption type DES
>
> cbc mode with CRC-32 added to keytab
> WRFILE:/var/tmp/krb5.keytab.
>
> > kadmin.local: quit
> > [root@montana /root]# klist -k /var/tmp/krb5.keytab
> > Keytab name: FILE:/var/tmp/krb5.keytab
> > KVNO Principal
> > ----
>
> ------------------------------------------------------------
> -----------
>
> > 16 afs@SENSE.NET
> > [root@montana /root]# asetkey add 16 /var/tmp/krb5.keytab
>
> afs
>
> > [root@montana /root]# asetkey list
> > kvno 11: key is: 98ad20fd6754896b
> > kvno 16: key is: 941f98ada1b64fc8
> > All done.
>
> I restarted the bosserver (actually, I had rebooted the
> system, and
> everything came up fine, AFS and Kerberos servers).
> So far so good. Now, I can 'klog' into the adminstrative
> account, and
> I get a token cached for AFS (I verified the correct AFS
>
> ID):
> > [root@montana /root]# klog afsadmin
> > Password:
> > [root@montana /root]# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: afsadmin@SENSE.NET
> >
> > Valid starting Expires Service principal
> > 08/20/02 21:45:12 08/21/02 07:45:12
>
> krbtgt/SENSE.NET@SENSE.NET
>
> > 08/20/02 21:45:18 08/21/02 07:45:12 afs@SENSE.NET
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > [root@montana /root]# tokens
> >
> > Tokens held by the Cache Manager:
> >
> > User's (AFS ID 2) tokens for afs@sense.net [Expires Aug 21
>
> 19:33]
>
> > --End of list--
>
> But, something is awry with the ticket being passed:
> > [root@montana /root]# vos listvol montana
> > Could not fetch the list of partitions from the server
> > rxk: ticket contained unknown key version number
> > Error in vos listvol command.
> > rxk: ticket contained unknown key version number
>
> and:
> > [root@montana include]# pts listentries
> > Name ID Owner Creator
> > pts: ticket contained unknown key version number ; unable
>
> to list entries
>
>
> What am I missing? I was guessing that the key encryption
> type was
> an issue, which is why I specified 'ktadd' with '-e'. I've
> seen
> other postings regarding what appears to be the same
> problem.
> Any clues (and an explanation) are much appreciated...
>
> Cheers,
>
> -Tom
> _____________________________________________________________________
> // free anonymous email || forums \\ subZINE || anonymous browsing
> subDIMENSION -- http://www.subdimension.com
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE9Y74Qglw65kKkYY4RAvMfAKCoY8I9kC3M9eg2D5AmirGVTDW+UQCfbLK3
HdFL+my77Rw9ZsGxxGTnEGI=
=2YbM
-----END PGP SIGNATURE-----