[OpenAFS] Debian AFS Install Problem

FBO fbo3@gmx.net
Wed, 20 Mar 2002 12:51:23 +0100


On Mon, Mar 18, 2002 at 11:49:31AM -0500, Ted Anderson wrote:
> On 16 Mar 2002 20:08:32 -0500 eichin-oa@boxedpenguin.com wrote:
> > As for the rxkad error, you can run the number through translate_et
> > (which I don't have built here, but it looks like it was one of the
> > ones in the test case:)
> > 19270407 (rxk).7 = security object was passed a bad ticket
> 
> In my experience, this often indicates a key version number skew.  So
> perhaps the file server 'ent' has a keyfile that doesn't match the keys
> the Kerberos server has.

As far as I know, the kvno in /etc/openafs/server/KeyFile and the one for
afs@ALPHA (ALPHA is my realm...) in /var/lib/krb5kdc must be equal:

ent # asetkey list
kvno    8: key is: 314f022592f20dbf
All done.
ent # kadmin.local
Authenticating as principal root/admin@ALPHA with password.
kadmin.local:  getprinc afs
Principal: afs@ALPHA
Expiration date: [never]
Last password change: Tue Mar 19 15:43:01 CET 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue Mar 19 15:43:01 CET 2002 (frank/admin@ALPHA)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 8, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 8, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin.local:  quit

The kvno seems to be equal; I used ktadd (in kadmin.local) and asetkey
for copying the key into the fileserver's keyfile.

> 
> On Fri, 15 Mar 2002 12:47:19 +0100 fbo3@gmx.net wrote:
> > ent # bos listusers ent
> > bos: failed to retrieve super-user list (security object was passed a bad ticket)
> >
> > ?? Why do I have to use -localauth ??
> >
> > ent # bos listusers ent -localauth
> > SUsers are: root
> 
> When you specify -localauth the bos command ignores your tokens, and
> uses its root access to fabricate a key using the local keyfile.  Since
> you are talking to the local machine this is sure to avoid any key
> version number problems.  But you need to fix this skew problem.

Are there other keys than afs@ALPHA's necessary in afs-fileserver's keyfile
or should the afs@ALPHA-key be stored somewhere else too?

> 
> > fs sa /afs system:anyuser rl
> > fs: You don't have the required access rights on '/afs'
> > Failed: 256
> > ent # tail -n 1 /var/log/syslog
> > Mar 15 12:32:42 enterprise kernel: afs: Tokens for user of AFS id 1 for cell alpha are discarded (rxkad error=19270407)
> >
> > ?? Does anyone know what the problem could be ??
> 
> This is likely the same version number skew as above.
> 
> Ted Anderson
> 

Frank
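
Added example, not part of the original message or of OpenAFS: a small Python check that parses the two listings shown in the message (`asetkey list` and kadmin's `getprinc`) and reports a key version number skew between the KeyFile and the KDC. The sample text is constructed, the function names are hypothetical, and it assumes an 8-byte KeyFile entry is a single-DES key.

```python
import re

# Constructed sample output, modelled on the two listings in the message above.
ASETKEY_LIST = "kvno    8: key is: 0123456789abcdef\nAll done.\n"
GETPRINC = """\
Principal: afs@ALPHA
Number of keys: 2
Key: vno 8, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 8, DES cbc mode with CRC-32, no salt
"""

KEYFILE_RE = re.compile(r"kvno\s+(\d+):\s+key is:\s+([0-9a-fA-F]+)$")
KDC_RE = re.compile(r"Key:\s+vno\s+(\d+),\s+(.+)$")


def keyfile_kvnos(text):
    """Map kvno -> key length in bytes from `asetkey list` output."""
    found = (KEYFILE_RE.match(line.strip()) for line in text.splitlines())
    return {int(m.group(1)): len(m.group(2)) // 2 for m in found if m}


def kdc_keys(text):
    """Map kvno -> list of enctype descriptions from `getprinc` output."""
    out = {}
    for line in text.splitlines():
        m = KDC_RE.match(line.strip())
        if m:
            out.setdefault(int(m.group(1)), []).append(m.group(2))
    return out


def check_skew(asetkey_text, getprinc_text):
    """Return a list of findings; an empty list means the kvnos line up."""
    kf, kdc = keyfile_kvnos(asetkey_text), kdc_keys(getprinc_text)
    if not kf or not kdc:
        return ["could not parse keys from one of the listings"]
    current = max(kdc)  # highest kvno the KDC holds for the principal
    if current not in kf:
        return [f"kvno skew: KDC has kvno {current}, KeyFile has {sorted(kf)}"]
    # Assumption: an 8-byte KeyFile entry is a single-DES key, so the KDC
    # needs a single-DES enctype at the same kvno.
    if kf[current] == 8 and not any(e.startswith("DES cbc") for e in kdc[current]):
        return [f"kvno {current}: KDC has no single-DES key for the KeyFile entry"]
    return []


if __name__ == "__main__":
    print(check_skew(ASETKEY_LIST, GETPRINC) or "kvnos match")
```

An empty result only rules out a kvno skew; equal version numbers do not show that the key bytes in the KeyFile and the KDC are the same.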