[OpenAFS] Mit Krb5 and OpenAFS

Derek Atkins warlord@MIT.EDU
18 Jan 2002 16:29:46 -0500


"Derek T. Yarnell" <derek@cs.umd.edu> writes:

> 	ktremove -k /etc/krb5.keytab afs@CS.UMD.EDU all	
> 		then
> 	ktadd -k /etc/krb5.keytab afs@CS.UMD.EDU
> 		Entry for principal afs with kvno 5, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
> 		Entry for principal afs with kvno 5, encryption type Triple DES cbc mode raw added to keytab WRFILE:/etc/krb5.keytab.

Well, this is one problem.. You've got a 3DES key in there!  Try this:
        ktremove -k /etc/krb5.keytab afs@CS.UMD.EDU all
        ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CS.UMD.EDU

Once you get rid of the 3des key, things should be much better.  Then
you can run asetkey again (most likely with version 6 keys).

> Then after I kinit and aklog again.
> I ran:
> 
> [root@bungholio]# /usr/local/openafs/bin/tokens
> 
> Tokens held by the Cache Manager:
> 
> Tokens for afs@cs.umd.edu [Expires Jan 19 01:35]
> --End of list--
> 
> So I have a token for afs@cs.umd.edu but I don't really under
> 
> >> probably the first. if you have the keytab you converted from, you might
> >> try kinit or whatever mit krb5 supports from the keytab
> >
> 
> I tried, I guess, what you are saying here:
> kdestroy 		# got rid of tokens
> kinit -k -t /etc/krb5.keytab afs	# get afs creds from keytab (no password)
> aklog		
> tokens			# showed i got a token

Well, this wasn't what I suggested.. I was just suggesting 'kinit -k'
to make sure that the keytab matched the KDC.  What I was suggesting
was:

        kinit -k ...
        klist

If you have valid tickets, then:

        kdestroy
        kinit
        aklog

> But still get access denied.
> with this error in /var/log/messages
> 
> afs: Tokens for user of AFS id 0 for cell cs.umd.edu are discarded (rxkad error=19270407)
> 
> which says :
> 	
> [root@bungholio]# /export/home/openafs/bin/translate_et 19270407
> 19270407 (rxk).7 = security object was passed a bad ticket

Yes, this is due to the 3des nature of the keytab.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available