[OpenAFS] Mit Krb5 and OpenAFS

Derek T. Yarnell derek@cs.umd.edu
Fri, 18 Jan 2002 15:50:03 -0500


On Fri, 18 Jan 2002, Derek Atkins wrote:

>Derrick J Brashear <shadow@dementia.org> writes:
>
>> either
>> -the AFS key in the kdc doesn't match the KeyFile
>> -the server isn't configured for the cell the client is
>
>Wait, you said you did a modprinc on the kvno after you did the
>asetkey from the keytab?  That's your problem.  It means your kvno is
>now out of sync between the kdc and the keyfile.
>

OK, I didn't do the modprinc after the asetkey. I have tried to remove
the key in the keytab and then add it again, e.g.:

    ktremove -k /etc/krb5.keytab afs@CS.UMD.EDU all

then

    ktadd -k /etc/krb5.keytab afs@CS.UMD.EDU
    Entry for principal afs with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
    Entry for principal afs with kvno 5, encryption type Triple DES cbc mode raw added to keytab WRFILE:/etc/krb5.keytab.

then

    /usr/local/openafs/sbin/asetkey add 5 /etc/krb5.keytab afs

then

    [root@bungholio]# /usr/local/openafs/sbin/asetkey list
    kvno    1: key is: e31652153dabe3a8
    kvno    3: key is: 5bb332cb52c2cd68
    kvno    5: key is: 3bc48a1ac10d2c0d
    All done.

Then, after I kinit and aklog again, I ran:

[root@bungholio]# /usr/local/openafs/bin/tokens

Tokens held by the Cache Manager:

Tokens for afs@cs.umd.edu [Expires Jan 19 01:35]
--End of list--

So I have a token for afs@cs.umd.edu but I don't really under

>> probably the first. if you have the keytab you converted from, you might
>> try kinit or whatever mit krb5 supports from the keytab
>

I tried, I guess, what you are saying here:

    kdestroy                                # got rid of tokens
    kinit -k -t /etc/krb5.keytab afs        # get afs creds from keytab (no password)
    aklog
    tokens                                  # showed I got a token

But I still get access denied, with this error in /var/log/messages:

    afs: Tokens for user of AFS id 0 for cell cs.umd.edu are discarded (rxkad error=19270407)

which says:

    [root@bungholio]# /export/home/openafs/bin/translate_et 19270407
    19270407 (rxk).7 = security object was passed a bad ticket

>This would be a decent test to see if you are out of sync.  You may
>need to run 'kadmin ktadd' to get a new keytab and then run asetkey
>again to set the new key.
>
>> -D
>
>-derek
>-- 
>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>       Member, MIT Student Information Processing Board  (SIPB)
>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>       warlord@MIT.EDU                        PGP key available
>_______________________________________________
>OpenAFS-info mailing list
>OpenAFS-info@openafs.org
>https://lists.openafs.org/mailman/listinfo/openafs-info
>

-- 
Derek Yarnell
CS System Staff
derek@cs.umd.edu
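An added check, not part of this thread or of OpenAFS itself: a small POSIX shell helper that compares the kvno the KDC puts in the afs service ticket (from `kvno afs`) with the kvnos present in the krb5 keytab (`klist -k`) and in the OpenAFS KeyFile (`asetkey list`), which is the out-of-sync condition discussed above. The three command outputs are passed in as strings; the ticket and keytab samples used below are constructed, the asetkey output and the principal afs@CS.UMD.EDU come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a kvno consistency check for an
# OpenAFS server whose cell key comes from an MIT krb5 KDC. Inputs are the
# captured outputs of `kvno afs`, `klist -k` and `asetkey list`.

# kvno of the afs ticket the KDC just issued, parsed from `kvno afs`
# output of the form "afs@CS.UMD.EDU: kvno = 5".
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# kvnos present for principal $2 in `klist -k` output ("   5 afs@CS.UMD.EDU");
# header and separator lines never have the principal in column 2.
keytab_kvnos() {
    printf '%s\n' "$1" | awk -v p="$2" '$2 == p { print $1 }' | sort -un
}

# kvnos present in the OpenAFS KeyFile, parsed from `asetkey list` output
# ("kvno    5: key is: 3bc48a1ac10d2c0d").
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^kvno *\([0-9][0-9]*\):.*/\1/p' | sort -un
}

# Exit status 0 when the kvno the KDC issues is present in both the keytab
# and the KeyFile, 1 when either lacks it (the state that produces the
# rxkad "bad ticket" rejection), 2 when the ticket kvno cannot be parsed.
# $1 = kvno output, $2 = klist -k output, $3 = asetkey list output,
# $4 = principal (defaults to the one used in the thread).
check_kvno_sync() {
    princ=${4:-afs@CS.UMD.EDU}
    t=$(ticket_kvno "$1")
    [ -n "$t" ] || { echo "could not parse ticket kvno"; return 2; }
    rc=0
    if ! keytab_kvnos "$2" "$princ" | grep -qx "$t"; then
        echo "keytab lacks kvno $t (has: $(keytab_kvnos "$2" "$princ" | tr '\n' ' '))"
        rc=1
    fi
    if ! keyfile_kvnos "$3" | grep -qx "$t"; then
        echo "KeyFile lacks kvno $t (has: $(keyfile_kvnos "$3" | tr '\n' ' '))"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: KDC, keytab and KeyFile all agree on kvno $t"
    return "$rc"
}
```

On a live server call it as `check_kvno_sync "$(kvno afs)" "$(klist -k)" "$(asetkey list)"`; exit status 1 is the case where a fresh `kadmin ktadd` followed by `asetkey add` is needed, as suggested above.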