[OpenAFS] AFS-K5 transition problem - 'unknown key version number'

tbird57 tbird57@subdimension.com
Fri, 23 Aug 2002 13:51:48 -0500


FBO:

Thanks for the tip, I did get it working. What I've discovered
is that the original supported_enctypes defined in my 'kdc.conf'
file also included every conceivable keytype/salt combination,
with des3 keys defined at the beginning of the list. Each time I
added a key, I got two keys created for the AFS principal, a
des key, and a des3 key. I modified my 'kdc.conf' as below, moving
the des3 key type entries, and adding the 'default_key_type':


  default_key_type = des-cbc-crc
  supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 des3-cbc-raw:normal des3-cbc-sha1:normal

After that, whenever I added a key to the Kerberos 5 keytab
file, I got a single des key, only, and I used
that to re-key the AFS KeyFile.  I'm now able to
successfully authenticate to AFS using K5.

Thanks again.

Cheers,
-Tom


> -----Original Message-----
> From: openafs-info-admin@openafs.org
> [mailto:openafs-info-admin@openafs.org]On Behalf Of FBO
> Sent: Thursday, August 22, 2002 12:24 AM
> To: OpenAFS-info@openafs.org
> Subject: Re: [OpenAFS] AFS-K5 transition problem - 'unknown key version number'
> 
> 
> On Wed, Aug 21, 2002 at 10:59:43AM -0500, tbird57 wrote:
> [snip]
> > What am I missing? I was guessing that the key encryption
> > type was an issue, which is why I specified 'ktadd' with '-e'.
> > I've seen other postings regarding what appears to be the same
> > problem.
> > Any clues (and an explanation) are much appreciated...
> 
> AFAIK there must not be any other key for the AFS-principal in your
> krb5. So it shouldn't be necessary to use ktadd together with "-e".
> You should use 'kadmin -e des-cbc-crc' when CREATING the
> AFS-principal.
> As soon as there are wrong keys associated with the AFS-princ
> it will not work.
> 
> Use 'kadmin -e des-cbc-crc', delete the old, create a new AFS-princ.
> Use 'ktadd' and 'asetkey' the key into all your AFS-Servers.
> That should work.
> 
> (Own experiences, Please correct me if I'm wrong...)
> 
> Regards,
> 
> FBO
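
Added illustration (not part of the original thread): a check that the AFS principal carries exactly one des-cbc-crc key, the condition both posters describe, run over 'getprinc'-style output from kadmin. The sample listings, the principal name and the exact enctype label strings are constructed assumptions; adjust the labels to what your kadmin prints.

```python
import re

# Labels kadmin may print for a single-DES CRC key (assumed set; extend as needed).
DES_CRC_NAMES = {"des-cbc-crc", "DES cbc mode with CRC-32"}

# Matches lines such as "Key: vno 3, DES cbc mode with CRC-32, no salt".
KEY_LINE = re.compile(r"^Key:\s+vno\s+(\d+),\s+([^,]+?)(?:,\s+(.*))?$")

def parse_keys(getprinc_text):
    """Return [(kvno, enctype)] for every 'Key:' line in getprinc output."""
    keys = []
    for line in getprinc_text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            # Newer output may append a salt as "enctype:salt"; keep the enctype only.
            enctype = m.group(2).strip().partition(":")[0]
            keys.append((int(m.group(1)), enctype))
    return keys

def check_afs_principal(getprinc_text):
    """Return a list of problems; an empty list means one des-cbc-crc key only."""
    keys = parse_keys(getprinc_text)
    if not keys:
        return ["no Key: lines found"]
    problems = [f"kvno {kvno}: unexpected enctype '{enc}'"
                for kvno, enc in keys if enc not in DES_CRC_NAMES]
    if len(keys) > 1:
        problems.append(f"{len(keys)} keys present, expected exactly 1")
    return problems

# Constructed sample: the state described in the thread before the kdc.conf change.
BEFORE = """Principal: afs@EXAMPLE.COM
Number of keys: 2
Key: vno 3, DES cbc mode with CRC-32, no salt
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
"""

# Constructed sample: the state after the change, a single des key.
AFTER = """Principal: afs@EXAMPLE.COM
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, check_afs_principal(text) or "OK")
```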