[OpenAFS] AFS-K5 transition problem - 'unknown key version number'

Derek Atkins warlord@MIT.EDU
23 Aug 2002 18:55:35 -0400


This is NOT what you want....  You should keep the default key types
as they were (with 3DES), but when you create (or update) the AFS key
you should use the '-e des-cbc-crc' option to make it only create
a 1-des key.

You _DO_ want 3des keys for everything else!!!

-derek

"tbird57" <tbird57@subdimension.com> writes:

> FBO:
> 
> Thanks for the tip,  I did get it working.  What I've discovered
> is that the original supported_enctypes defined in my 'kdc.conf'
> file also included every conceivable keytype/salt combination,
> with des3 keys defined at the beginning of the list. Each time I
> added a key, I got two keys created for the AFS principal, a
> des key, and a des3 key. I modified my 'kdc.conf' as below, moving
> the des3 key type entries, and adding the 'default_key_type':
> 
> 
>   default_key_type = des-cbc-crc
>   supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3 des3-cbc-raw:normal des3-cbc-sha1:normal
> 
> After that, whenever I added a key to the Kerberos 5 keytab
> file, I got a single des key, only, and I used that to re-key
> the AFS KeyFile.  I'm now able to successfully authenticate to
> AFS using K5.
> 
> Thanks again.
> 
> Cheers,
> -Tom
> 
> 
> > -----Original Message-----
> > From: openafs-info-admin@openafs.org
> > [mailto:openafs-info-admin@openafs.org]On Behalf Of FBO
> > Sent: Thursday, August 22, 2002 12:24 AM
> > To: OpenAFS-info@openafs.org
> > Subject: Re: [OpenAFS] AFS-K5 transition problem - 'unknown key version number'
> > 
> > 
> > On Wed, Aug 21, 2002 at 10:59:43AM -0500, tbird57 wrote:
> > [snip]
> > > What am I missing? I was guessing that the key encryption
> > > type was an issue, which is why I specified 'ktadd' with '-e'.
> > > I've seen other postings regarding what appears to be the same
> > > problem.
> > > Any clues (and an explanation) are much appreciated...
> > 
> > AFAIK there must not be any other key for the AFS-principal in your
> > krb5. So it shouldn't be necessary to use ktadd together with "-e".
> > You should use 'kadmin -e des-cbc-crc' when CREATING the
> > AFS-principal.
> > As soon as there are wrong keys associated with the AFS-princ
> > it will not work.
> > 
> > Use 'kadmin -e des-cbc-crc', delete the old, create a new AFS-princ.
> > Use 'ktadd' and 'asetkey' the key into all your AFS-Servers.
> > That should work.
> > 
> > (Own experiences, Please correct me if I'm wrong...)
> > 
> > Regards,
> > 
> > FBO
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
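
Added example (not part of the original thread, and not OpenAFS or MIT Kerberos project code): a check that the AFS principal holds exactly one key and that it is single DES, which is the state the messages above say AFS needs. The `Key: vno ...` line shape is an assumption modelled on `getprinc` output, and the principal name and key lines in the samples are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `getprinc`-style text on stdin.
# Assumed line shape: "Key: vno <n>, <enctype description>[, <salt>]"
# Exit status is 0 only when the principal holds exactly one key and that
# key is single DES (des-cbc-crc), the state the thread says AFS needs.
check_afs_keys() {
    awk '
        /^Key: vno / {
            total++
            desc = $0
            sub(/^Key: vno [0-9]+, */, "", desc)
            # Accept the short enctype name and the long description form.
            if (desc ~ /^des-cbc-crc/ || desc ~ /^DES cbc mode with CRC-32/)
                des++
            else
                other = other (other ? "; " : "") desc
        }
        END {
            if (total == 0)  { print "FAIL: no keys found"; exit 2 }
            if (other != "") { print "FAIL: extra key types: " other; exit 1 }
            if (des != 1)    { print "FAIL: " des " des-cbc-crc keys, expected 1"; exit 1 }
            print "OK: single des-cbc-crc key"
        }'
}

# Constructed sample: a des3 key and a des key on the AFS principal.
sample_two_keys() {
    cat <<'EOF'
Principal: afs@EXAMPLE.COM
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
EOF
}

# Constructed sample: the principal after re-creation with '-e des-cbc-crc'.
sample_single_des() {
    cat <<'EOF'
Principal: afs@EXAMPLE.COM
Number of keys: 1
Key: vno 4, DES cbc mode with CRC-32, no salt
EOF
}

sample_two_keys | check_afs_keys || true   # prints the FAIL verdict
sample_single_des | check_afs_keys         # prints the OK verdict
```

On a KDC the input would come from `kadmin.local -q "getprinc <afs principal>"`; the enctype wording differs between releases, so adjust the two patterns to match what your version prints.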