[OpenAFS] fakeka / master key problems with AFS migration

John Tang Boyland boyland@solomons.cs.uwm.edu
Fri, 05 Aug 2005 15:18:07 -0500


I'm going through the migration process.  With some help from you
I got as far as being able to use kinit/aklog for regular AFS authentication.
But "fakeka -m" refused to start. It complained:
	fakeka: No matching key in entry while decrypting the master key
A previous openafs-info message indicated that this is fixed by re-creating 
the KDC database with a master key using DES encryption rather than 3DES.

(By the way: when I built krb5-1.4.1, it didn't build fakeka.  I had to 
explicitly "make fakeka" in the kdc directory.  Also, I'm running the 
KDC on the only database server machine currently.)

Putting:
	master_key_type = des-cbc-crc:normal
in the [realms] section for my realm in kdc.conf resulted in this message
from kdb5_util create:
	create: Bad encryption type while transforming master key from password

When I changed it to:
	master_key_type = des-cbc-crc
I got this error message from kdb5_util create:
	kdb5_util: Illegal configuration parameter for local KADM5 client while initializing the Kerberos admin interface
and the kadm5.keytab was not created.

When kadmind starts it complains:
	kadmind: Cannot set GSS-API authentication names.
That's probably fine.  I don't need GSS-API.

But when I try to authenticate a user, I get the message:
	kinit(v5): Generic error (see e-text) while getting initial credentials
and in the log it says:
	DECRYPT_CLIENT_KEY: user@MY.REALM for krbtgt/MY.REALM@MY.REALM, Message size is incompatible with encryption type

If I add the "master_key_type = des-cbc-crc" to the client krb5.conf,
it still doesn't work.  The same errors show up.

Any hints?

Thanks,
John