[OpenAFS] afs migration to Kerberos 5 Help

Steve Devine sdevine@msu.edu
Fri, 18 Jun 2004 20:38:36 -0400 (EDT)


Jeffrey Hutzelman said:
>
>
> On Thursday, June 17, 2004 22:19:42 -0400 Steve Devine <sdevine@msu.edu>
> wrote:
>
>> All,
>>
>> I am trying to set up a test afs cell and migrate it to Kerb 5.
>> The cell works as expected and the kdc works fine as well. I can kinit and
>> klist tickets etc. I converted an afs principal to the kdc and now I can
>> kinit using the original afs password .. so far so good.
>>
>> When I run aklog -d this is what I get
>>###################
>>
>> Authenticating to cell kerb5.cl.msu.edu (server open-afsdb2.cl.msu.edu).
>> We've deduced that we need to authenticate to realm KERB5.CL.MSU.EDU.
>> Getting tickets: afs/kerb5.cl.msu.edu@KERB5.CL.MSU.EDU
>> About to resolve name XXXX-email-protested-XXX to id in cell
>> kerb5.cl.msu.edu. Id 4
>> Set username to AFS ID 4
>> Setting tokens. AFS ID 4 /  @ KERB5.CL.MSU.EDU
>> aklog: unable to obtain tokens for cell kerb5.cl.msu.edu (status:
>> 11862791).
>>################################
>>
>> Here's a question. In the README for afs-krb5 it says
>> 1) Create an AFS principal in the Kerberos database.  Call it:
>> afs@YOUR.CELL.NAME
>>
>> Yet in the debug for aklog -d it seems to be calling for
>> afs/kerb5.cl.msu.edu@KERB5.CL.MSU.EDU
>>
>> So which one do I need ?
>
>
> Either will work -- any modern aklog will try both principal names; it will
> try afs/krb5.cl.msu.edu@KERB5.CL.MSU.EDU and then afs@KERB5.CL.MSU.EDU.  If
> your kdb only contains the latter, then you will see messages in the kdc
> logs about the unknown principal.
>
>
> The debugging output you included indicates that aklog is successfully
> obtaining an AFS service ticket and looking up the user's PTS ID.  However,
> it is failing to store the tokens with this error:
>
>    11862791  KTC.7   KTC_NOCM
>   Cache Manager is not initialized / afsd is not running
>
>
> You must have a running AFS client before aklog will work.
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
>    Sr. Research Systems Programmer
>    School of Computer Science - Research Computing Facility
>    Carnegie Mellon University - Pittsburgh, PA
>

An update ..

This entry seems to be critical in the kdc.conf
######################
master_key_type = des-cbc-crc
supported_enctypes = des-cbc-crc:normal, des-cbc-crc:v4, des-cbc-crc:afs3
#######################
The kdc must be created with a single des enctype, like so:
kdb5_util create -k des-cbc-crc:normal -r YOURREALM -s

Thanks to all for your help.

/sd

Steve Devine

Michigan State University
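
Added example, not part of the original thread or of OpenAFS: a small decoder showing how the status 11862791 printed by aklog maps to "KTC.7" as quoted in the reply above. It assumes the standard com_err packing (table name in 6-bit characters above an 8-bit message offset); the function names are hypothetical, and the only message text included is the one quoted in the thread.

```python
"""Decode a com_err-style status code such as the one aklog -d printed."""

# com_err packs the error-table name 6 bits per character; a value of 0 means
# "no character", so values index this string starting from 1.
CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
ERRCODE_RANGE = 8    # low 8 bits hold the message offset within the table
BITS_PER_CHAR = 6

# Only the message quoted in the thread; other offsets are deliberately absent.
KNOWN_MESSAGES = {
    ("KTC", 7): "Cache Manager is not initialized / afsd is not running",
}


def table_name(code: int) -> str:
    """Return the error-table name packed into the upper bits of the code."""
    num = ((code & 0xFFFFFFFF) >> ERRCODE_RANGE) & 0o77777777
    chars = []
    for i in range(4, -1, -1):
        ch = (num >> (BITS_PER_CHAR * i)) & 0x3F
        if ch:
            chars.append(CHAR_SET[ch - 1])
    return "".join(chars)


def table_base(name: str) -> int:
    """Inverse of table_name: the base code for a table (offset 0)."""
    num = 0
    for c in name:
        num = (num << BITS_PER_CHAR) | (CHAR_SET.index(c) + 1)
    return num << ERRCODE_RANGE


def decode(code: int):
    """Split a status into (table, offset, message or None).

    An empty table name means the value is a plain errno-style code,
    not a com_err table code.
    """
    name = table_name(code)
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    return name, offset, KNOWN_MESSAGES.get((name, offset))


if __name__ == "__main__":
    table, offset, msg = decode(11862791)   # status from the aklog -d output
    print(f"{table}.{offset}: {msg or 'message not in local table'}")
```

On a host with OpenAFS installed, the `translate_et` utility performs this lookup against the full error tables.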