[OpenAFS] OpenAFS + krb5

Charles Clancy security@xauth.net
Tue, 26 Nov 2002 19:39:17 -0600 (CST)


If you're using Kerberos V5 1.2.6 or newer, you need an extra setting in
your krb5.conf for krb524d:

[appdefaults]
afs_krb5 = {
    ALB-NZ.ESPHION.COM = {
        afs = false
        afs/alb-nz.esphion.com = false
    }
}

Otherwise krb524d spits out tickets you won't be able to use.  See
src/krb524d/README in your krb5 source tree for more info.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]


On Wed, 27 Nov 2002, Nathan Ward wrote:

> Hi,
>
> I have been tearing my hair out the last few days trying to get this working, to no avail.
>
> I have krb5kdc and krb524d running on a machine.
> I have an AFS principal in the KDC.
> I have all the correct info in DNS.
>
> I keep getting those evil rxkad error 19270408's and I have tried the following:
> - Having an afs/alb-nz.esphion.com@ALB-NZ.ESPHION.COM principal
> - Having an afs@ALB-NZ.ESPHION.COM principal
> - Specifying -e des-cbc-crc:v4
> - Specifying -e des-cbc-crc:normal
> - Specifying -e des-cbc-crc:afs3
> - A patch to krb524d.c to make it return the correct kvno.
> - Having matching kvno's in my KeyFile and my KDC ( I check with getprinc <principal> and bos listkeys
>   serv-1 localauth )
>
> I have openafs configured to after running afs-newcell. afs-rootvol fails on fs setacl /afs system:anyuser rl.
> ls /afs fails also.
> The rxkad error appears in my system logs for both.
>
> Is there a way to see what kvno krb524d is spitting out?  What does the -k krb524d option do?
>
> Google seems to be telling me many different things (above), none of them worked.
>
> Are there any useful debug commands I can use other than:
> - bos listkeys
> - aklog -d
> - kadmin: getprinc <princ>
> - ktutil: list
> - klist -cfean
>
> Thanks for any help you can give.
>
> --
>
> Nathan Ward
> System Administrator
> Esphion Ltd.
>
> PH:    +64 9 4142060      | EMail: nward@esphion.com
> MOB:   +64 9 21 431675    | Web:   www.esphion.com
>
> --
>
> This message is provided "AS IS" with no warranties, and confers no rights.
> Any opinions or policies stated within are my own and do not necessarily constitute those of my employer.
> Harvesting of this address for purposes of bulk email (spam and UCE) is expressly prohibited unless by my explicit prior request.  I retaliate viciously against spammers and spam sites.
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
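To verify that a krb5.conf actually carries the afs_krb5 setting recommended above, here is an added example (not from the thread or from the krb5 sources): a small parser for krb5.conf's brace-nested syntax and a check that reports which of the two keys (`afs` and `afs/<cell>`) are absent or not set to `false` for a realm. The realm and cell names are the ones from the message; the config text is constructed.

```python
import re

# Constructed sample: the [appdefaults] fragment from the message, as a full section.
EXAMPLE_CONF = """
[appdefaults]
afs_krb5 = {
    ALB-NZ.ESPHION.COM = {
        afs = false
        afs/alb-nz.esphion.com = false
    }
}
"""

def parse_krb5_conf(text):
    """Parse krb5.conf [section] / `name = {` ... `}` syntax into nested dicts."""
    root, section, stack = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;':      # blank or comment line
            continue
        m = re.match(r'^\[(\S+)\]$', line)
        if m:                                # new top-level section
            section = root.setdefault(m.group(1), {})
            stack = [section]
            continue
        if section is None:
            raise ValueError('key/value outside of any [section]: %r' % line)
        if line == '}':                      # close the innermost block
            if len(stack) < 2:
                raise ValueError('unbalanced "}"')
            stack.pop()
            continue
        key, _, value = line.partition('=')
        key, value = key.strip(), value.strip()
        if value == '{':                     # open a nested block
            stack.append(stack[-1].setdefault(key, {}))
        else:                                # plain key = value; last one wins
            stack[-1][key] = value
    return root

def missing_afs_krb5_settings(text, realm, cell):
    """Return the afs_krb5 keys for `realm` that are absent or not 'false'.
    An empty list means both keys are set as the message recommends."""
    conf = parse_krb5_conf(text)
    realm_block = conf.get('appdefaults', {}).get('afs_krb5', {}).get(realm, {})
    return [k for k in ('afs', 'afs/' + cell)
            if realm_block.get(k, '').lower() != 'false']
```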