[OpenAFS] fakeka / master key problems with AFS migration
John Tang Boyland
Fri, 05 Aug 2005 15:18:07 -0500
I'm going through the migration process. With some help from you
I got as far as being able to use kinit/aklog for regular AFS authentication.
But "fakeka -m" refused to start. It complained:
fakeka: No matching key in entry while decrypting the master key
A previous openafs-info message indicated that this is fixed by re-creating
the KDC database with a master key using DES encryption rather than 3DES.
(By the way: when I built krb5-1.4.1, it didn't build fakeka. I had to
explicitly "make fakeka" in the kdc directory. Also, I'm running the
KDC on the only database server machine currently.)
master_key_type = des-cbc-crc:normal
in the [realms] section for my realm in kdc.conf resulted in this message
from kdb5_util create:
create: Bad encryption type while transforming master key from password
When I changed it to
master_key_type = des-cbc-crc
I got this error message from kdb5_util create:
kdb5_util: Illegal configuration parameter for local KADM5 client while initializing the Kerberos admin interface
and the kadm5.keytab was not created.
When kadmind starts it complains:
kadmind: Cannot set GSS-API authentication names.
That's probably fine. I don't need GSS-API.
But when I try to authenticate a user, I get the message:
kinit(v5): Generic error (see e-text) while getting initial credentials
and in the log it says:
DECRYPT_CLIENT_KEY: user@MY.REALM for krbtgt/MY.REALM@MY.REALM, Message size is incompatible with encryption type
If I add the "master_key_type = des-cbc-crc" to the client krb5.conf,
it still doesn't work. The same errors show up.