[OpenAFS] unknown key version numbers when using standard aklog with gssklog daemon

Douglas E. Engert deengert@anl.gov
Tue, 02 Sep 2003 10:12:09 -0500


Chris McClimans wrote:
> 
> I've switched from krb524 to gssklog (which appears to offer krb524 as
> well) but after I get tokens it appears I have the wrong key version.
> I'm not sure how that could happen as I only have 1 version on the
> server both in the KeyFile and keytab (and they match).
> 

With gssklog, these keys don't have to match, but the
/etc/openafs/server/KeyFile and the /usr/afs/etc/KeyFile files must match.

The key, kvno and enctype in the KDC and the keytab must match, as
they are used by the GSSAPI to authenticate to the gssklogd.
The gssklogd then encrypts the token using the keys found, in your case, in
/etc/openafs/server/KeyFile. The AFS servers refer to the /usr/afs/etc/KeyFile
to decrypt the token.


> -chris
> 
> On the client:
> 
> cp114% klist -e
> klist -e
> Kerberos 5 ticket cache: 'API:Initial default ccache'
> Default Principal: mccliman@CS.TTU.EDU
> Valid Starting     Expires            Service Principal
> 09/02/03 06:25:46  09/02/03 16:25:46  krbtgt/CS.TTU.EDU@CS.TTU.EDU
>         Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc
> mode with HMAC/sha1
> 09/02/03 06:25:55  09/02/03 16:25:46  afs/cs.ttu.edu@CS.TTU.EDU
>         Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with
> HMAC/sha1
> 
> cp114% tokens
> tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 1) tokens for afs@cs.ttu.edu [Expires Sep  2 16:25]
>     --End of list--
> cp114% pts listentries
> pts listentries
> Name                          ID  Owner Creator
> pts: ticket contained unknown key version number ; unable to list
> entries
> 

So does the token work as expected for the file access, but not for PTS?

Does the /etc/openafs/server/KeyFile match the /usr/afs/etc/KeyFile?

Has the PTS been restarted since the keys were updated?


> ^^^ yummy
> 
> On the server:
> 
> oak:~# klist -ketK | grep afs/cs.ttu.edu@CS
>    10 08/27/03 15:56:34 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with
> CRC-32)  (0x1234567890)
> 
> oak:~# asetkey list
> kvno   10: key is: 1234567890
> All done.
> 
> oak:~# ps -ef | grep gssklog
> root      3128     1  0 Aug31 ?        00:00:00 /usr/sbin/gssklogd -a
> /etc/openafs/server/KeyFile -k /etc/krb5.keytab
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
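The checks the reply asks for (do the two KeyFile copies agree, and does the keytab carry the afs principal) can be run offline against the files. The following is an added example, not code from the thread or from OpenAFS or gssklog. It assumes the classic OpenAFS KeyFile layout (a big-endian key count followed by eight fixed slots of kvno plus 8-byte DES key, 100 bytes in total) and parses `klist -ket` text; the key bytes, the stale server KeyFile holding only kvno 9, and the principal name reused from the post are constructed sample data.

```python
"""Consistency check for gssklogd's KeyFile, the AFS servers' KeyFile
and the Kerberos keytab, to explain "ticket contained unknown key version".

Added example, not part of the original thread. KeyFile layout assumed:
int32 nkeys, then AFSCONF_MAXKEYS x (int32 kvno, char key[8]), big-endian.
"""
import re
import struct

AFSCONF_MAXKEYS = 8                        # fixed-size table in the classic KeyFile
KEYFILE_SIZE = 4 + AFSCONF_MAXKEYS * 12    # nkeys + 8 x (kvno, 8-byte DES key)


def parse_keyfile(data: bytes) -> dict:
    """Return {kvno: key} from a classic OpenAFS KeyFile image."""
    if len(data) != KEYFILE_SIZE:
        raise ValueError(f"unexpected KeyFile size {len(data)}, want {KEYFILE_SIZE}")
    (nkeys,) = struct.unpack_from(">i", data, 0)
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError(f"bad key count {nkeys}")
    keys = {}
    for i in range(nkeys):
        kvno, key = struct.unpack_from(">i8s", data, 4 + 12 * i)
        keys[kvno] = key
    return keys


def build_keyfile(keys: dict) -> bytes:
    """Serialise {kvno: key} in the same layout (used here to construct samples)."""
    if len(keys) > AFSCONF_MAXKEYS:
        raise ValueError("too many keys for a KeyFile")
    out = struct.pack(">i", len(keys))
    for kvno, key in sorted(keys.items()):
        if len(key) != 8:
            raise ValueError("DES keys are 8 bytes")
        out += struct.pack(">i8s", kvno, key)
    return out + b"\0" * (KEYFILE_SIZE - len(out))   # unused slots are zero


# "  10 08/27/03 15:56:34 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)"
KLIST_LINE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(([^)]*)\)")


def parse_klist_ket(text: str) -> list:
    """Parse `klist -ket` output into (kvno, principal, enctype) tuples."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def diagnose(keytab_entries, gssklogd_keys, server_keys, afs_principal) -> list:
    """List what would make the AFS servers reject a gssklog-issued token.

    The keytab only authenticates the client to gssklogd, so it need not
    match the KeyFile; but every key gssklogd may encrypt a token with must
    be present, with the same kvno and bytes, in the servers' KeyFile.
    """
    problems = []
    if not any(p == afs_principal for _, p, _ in keytab_entries):
        problems.append(f"keytab has no entry for {afs_principal}")
    for kvno, key in gssklogd_keys.items():
        if kvno not in server_keys:
            problems.append(f"server KeyFile lacks kvno {kvno} used by gssklogd")
        elif server_keys[kvno] != key:
            problems.append(f"kvno {kvno} differs between gssklogd and server KeyFile")
    return problems


# Constructed sample data (not real keys): kvno 10 as on the page, and a
# server KeyFile that was never updated and still holds only kvno 9.
AFS_PRINCIPAL = "afs/cs.ttu.edu@CS.TTU.EDU"
SAMPLE_KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  10 08/27/03 15:56:34 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
"""
GSSKLOGD_KEYFILE = build_keyfile({10: b"\x01\x23\x45\x67\x89\xab\xcd\xef"})
SERVER_KEYFILE = build_keyfile({9: b"\xfe\xdc\xba\x98\x76\x54\x32\x10"})

if __name__ == "__main__":
    for problem in diagnose(parse_klist_ket(SAMPLE_KLIST),
                            parse_keyfile(GSSKLOGD_KEYFILE),
                            parse_keyfile(SERVER_KEYFILE), AFS_PRINCIPAL):
        print("PROBLEM:", problem)
```

Against real hosts, feed `parse_keyfile` the bytes of the file passed to `gssklogd -a` and of the file each fileserver, ptserver and vlserver reads, and `parse_klist_ket` the output of `klist -ket` on the keytab passed with `-k`; an empty result from `diagnose` leaves a restart of the affected servers as the remaining step.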