[OpenAFS] AFS + Kerberos

Maurizio Santini msantini@pictage.com.ar
Wed, 19 Jan 2005 19:06:23 -0300


I finally managed to get it to work. I applied the instructions found at
https://lists.openafs.org/pipermail/openafs-devel/2001-November/007220.html
and didn't get the "security object was passed a bad ticket" error
anymore.  I would still get "Permission denied" when trying to create a
file, but that was an ACL matter, which now makes me wonder if AFS and
Kerberos were working long before the security..... error message.

Thanks to everyone for the help.

Maurizio

On Wed, 2005-01-19 at 14:32, Maurizio Santini wrote:
> So if my problem is a key mismatch, how do I solve it?  I mean, what do I
> need to do for the kvno number to match the other entries?
> 
> Thanks,
> 
> Maurizio
> 
> 
> On Wed, 2005-01-19 at 10:08, sophana wrote:
> > If you want ktadd to duplicate a key into a keytab without scrambling
> > it, that is not possible.
> > This is a security feature of Kerberos.
> > 
> > ktadd always scrambles the key before copying it into the keytab file.
> > 
> > I had the same problem, and there is no (easy) solution.
> > 
> > Hope this helps...
> > 
> > Maurizio Santini wrote:
> > 
> > >Does anyone know how to circumnavigate this kind of egg/chicken problem?
> > >
> > >I'm trying to make the kvno for a testuser match the entry in
> > >/etc/krb5.keytab and the KeyFile but every time I do so using "ktadd" I
> > >have to change the password for the user.  As a consequence the kvno
> > >gets increased by one and I have the same problem again.
> > >
> > >I'm doing this because I get the error "security object was passed a bad
> > >ticket" and I think it's because there's a key mismatch (please correct
> > >me if I'm wrong).
> > >
> > >aklog seems to work, but if I try to create a file I get 'Permission
> > >denied'. The "tokens" command says "User's (AFS ID 828) tokens for
> > >afs@test.pictage.com.ar" which is correct.
> > >
> > >------klist output------
> > >Ticket cache: FILE:/tmp/krb5cc_608
> > >Default principal: testuser@TEST.PICTAGE.COM.AR
> > >
> > >Valid starting     Expires            Service principal
> > >01/18/05 17:42:56  01/19/05 03:42:54  krbtgt/TEST.PICTAGE.COM.AR@TEST.PICTAGE.COM.AR
> > >01/18/05 17:43:10  01/19/05 03:42:54  testuser@TEST.PICTAGE.COM.AR
> > >01/18/05 18:06:44  01/19/05 03:42:54  afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR
> > >------------------------
> > >
> > >I'm using KerberosV-1.3.5, OpenAFS 1.2.11 and RHL 7.3
> > >
> > >Regards,
> > >
> > >Maurizio Santini
> > >System administrator
> > >TenRoses
> > >
> > >_______________________________________________
> > >OpenAFS-info mailing list
> > >OpenAFS-info@openafs.org
> > >https://lists.openafs.org/mailman/listinfo/openafs-info
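
The kvno mismatch discussed in this thread can be checked by comparing the version the KDC issues with what the keytab and the server KeyFile hold. This is an added example, not part of the original messages: the helper functions are hypothetical, and the `kvno`, `klist -k` and `bos listkeys` outputs are constructed samples, so it runs without a live cell.

```shell
#!/bin/sh
# Added example; every sample output below is constructed, not from the thread.
PRINC='afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR'

# Constructed `kvno "$PRINC"` output: the version the KDC puts in new tickets.
SAMPLE_KDC='afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR: kvno = 4'
# Constructed `klist -k /etc/krb5.keytab` output.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------
   2 host/afs1.test.pictage.com.ar@TEST.PICTAGE.COM.AR
   4 afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR'
# Constructed `bos listkeys <server> -localauth` output (server KeyFile).
SAMPLE_KEYFILE='key 3 has cksum 1111111111
Keys last changed on Wed Jan 19 10:00:00 2005.
All done.'

kdc_kvno() {        # stdin: `kvno` output -> version number
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p'
}
keytab_kvno() {     # stdin: `klist -k` output, $1: principal -> highest kvno
    awk -v p="$1" 'BEGIN { max = -1 }
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 > max { max = $1 + 0 }
        END { if (max >= 0) print max }'
}
keyfile_kvnos() {   # stdin: `bos listkeys` output -> one kvno per line
    awk '$1 == "key" && $2 ~ /^[0-9]+$/ { print $2 }'
}

# Args: kvno output, klist -k output, bos listkeys output.
# Prints a one-line summary; returns 0 only when all three agree.
# Equal version numbers do not prove the key bytes are identical.
check_kvno() {
    kdc=$(printf '%s\n' "$1" | kdc_kvno)
    kt=$(printf '%s\n' "$2" | keytab_kvno "$PRINC")
    kf=missing
    if [ -n "$kdc" ] && printf '%s\n' "$3" | keyfile_kvnos | grep -qx "$kdc"; then
        kf=present
    fi
    echo "kdc=$kdc keytab=${kt:-none} keyfile=$kf"
    [ -n "$kdc" ] && [ "$kdc" = "$kt" ] && [ "$kf" = present ]
}

# Here the KDC and keytab are at kvno 4 but the KeyFile only holds kvno 3,
# the state left behind when ktadd is run again after the KeyFile was built.
check_kvno "$SAMPLE_KDC" "$SAMPLE_KEYTAB" "$SAMPLE_KEYFILE" || echo "kvno mismatch"
```

On a real server, feed the three functions the live output of the corresponding commands instead of the sample strings.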