[OpenAFS] KeyFile generation issue

Joe Di Lellio joed@ucsc.edu
Thu, 31 Aug 2006 15:22:45 -0700 (PDT)

   I'm almost done with a trio of systems to replace my DB servers,
but I'm having trouble with my KeyFile.  I've followed the instructions
(as mentioned below), but to no avail.  The specific instructions are
from the afs-krb5-2.0 distribution.

   What I've done:

1) The instructions mention creating an AFS principal.  We have one
already, as I have a test KDC with a clone of the production KDC's DB.
However, I did try nuking the old principal & recreating it, on the
chance that was the problem.  Regardless, I started with a kvno of 3.

2) There is also a mention of using asetkey to find the kvno in the
current KeyFile, and modifying the kvno in kerberos to have the
same as the highest.  I've tried both going from no KeyFile and using
the one from my current TransArc servers.  In the latter case I had
a kvno here of 3.

3) I've used ktadd to extract the afs key to keytab file (the specific
command is modified slightly as per a page I found googling):

kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CATS.UCSC.EDU

As mentioned, this incremented the kvno; in this case to 4.

4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:

# ./asetkey add 4 /etc/krb5.keytab afs

5) I kept the keytab file around for a while, but also tried removing
mention to the AFS principal.

In all the cases, I keep getting the following error:

Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded
(rxkad error=19270407).  Simple googling showed that as RXKADBADTICKET,
aka "security object was passed a bad ticket".  This particular error
has come up with some of the varying iterations of how I did this, as
above.  I've also seen, as the one variation to the above, the error
19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version
number".  In this case I believe it was an early attempt where I had
a low kvno in my KeyFile (like 3), but I'd increased the kvno on the
KDC principal due to multiple attempts; I believe it was 9 or so (minor
data point).  That KeyFile was grabbed from one of my TransArc DB servers.

Any clues?  As far as I can tell, I've gone through the instructions
extremely carefully, and with all the variations should I just be running
across some oddity.  I wouldn't be surprised if I'm missing something
fairly obvious, but I really just can't say.

As always, thanks in advance.

It ain't what you don't know that gets you into trouble.  It's what you
know for sure that just ain't so.		-- Mark Twain
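The two rxkad errors named in the post both come down to whether the key the KDC used to issue the ticket (the one ktadd wrote into the keytab, with its bumped kvno) is present, kvno for kvno, in the KeyFile the servers read. The script below is an added example, not part of the original post or of the afs-krb5 distribution: it parses an MIT-format (0x0502) keytab and an OpenAFS KeyFile and reports whether the newest des-cbc-crc entry for afs@REALM is missing from the KeyFile (the RXKADUNKNOWNKEY situation), present under a different key (a ticket that will not decrypt), or in agreement. The keytab layout follows the documented MIT file format; the KeyFile layout (big-endian count, then int32 kvno plus 8 key bytes per record) is my understanding of the classic format and should be treated as an assumption. The keys and timestamp embedded here are constructed sample values, not real secrets.

```python
"""Check that the AFS key in a krb5 keytab matches the OpenAFS KeyFile, kvno for kvno."""
import struct

DES_CBC_CRC = 1  # Kerberos enctype number for des-cbc-crc entries


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as an MIT 0x0502 keytab.
    Builder for constructed sample data; the layout follows the MIT keytab format."""
    out = bytearray(b"\x05\x02")
    for princ, realm, kvno, enctype, key in entries:
        comps = princ.split("/")
        body = bytearray()
        body += struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode("ascii")
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode("ascii")
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 1157063365)   # timestamp (constructed value)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)         # 32-bit vno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a keytab into dicts with principal, realm, kvno, enctype and key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:            # a negative size marks a deleted slot; skip it
            pos += -size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p); p += 2
        (rlen,) = struct.unpack_from(">H", data, p); p += 2
        realm = data[p:p + rlen].decode("ascii"); p += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, p); p += 2
            comps.append(data[p:p + clen].decode("ascii")); p += clen
        p += 8                  # name_type and timestamp, not needed here
        vno = data[p]; p += 1
        enctype, klen = struct.unpack_from(">HH", data, p); p += 4
        key = bytes(data[p:p + klen]); p += klen
        if end - p >= 4:        # optional 32-bit vno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, p)
            if vno32:
                vno = vno32
        entries.append({"principal": "/".join(comps), "realm": realm,
                        "kvno": vno, "enctype": enctype, "key": key})
        pos = end
    return entries


def build_keyfile(keys):
    """Serialise {kvno: 8-byte DES key} as an OpenAFS KeyFile.
    Assumed layout: big-endian int32 count, then (int32 kvno, 8 key bytes) per record."""
    out = bytearray(struct.pack(">i", len(keys)))
    for kvno in sorted(keys):
        out += struct.pack(">i", kvno) + keys[kvno]
    return bytes(out)


def parse_keyfile(data):
    """Inverse of build_keyfile: returns {kvno: key bytes}."""
    (count,) = struct.unpack_from(">i", data, 0)
    keys, pos = {}, 4
    for _ in range(count):
        (kvno,) = struct.unpack_from(">i", data, pos)
        keys[kvno] = bytes(data[pos + 4:pos + 12])
        pos += 12
    return keys


def check_afs_key(keytab, keyfile, realm, princ="afs"):
    """Compare the newest des-cbc-crc entry for princ@realm against the KeyFile.
    Returns one of ok / no-keytab-entry / unknown-kvno / key-mismatch plus the kvno."""
    cands = [e for e in parse_keytab(keytab)
             if e["principal"] == princ and e["realm"] == realm and e["enctype"] == DES_CBC_CRC]
    if not cands:
        return "no-keytab-entry", None
    newest = max(cands, key=lambda e: e["kvno"])
    keys = parse_keyfile(keyfile)
    if newest["kvno"] not in keys:
        return "unknown-kvno", newest["kvno"]   # servers have no key for this kvno
    if keys[newest["kvno"]] != newest["key"]:
        return "key-mismatch", newest["kvno"]   # kvno present, but tickets will not decrypt
    return "ok", newest["kvno"]


# Constructed sample keys (not real secrets) and the realm from the post.
OLD_KEY = bytes.fromhex("2a4c6e80a2c4e608")
NEW_KEY = bytes.fromhex("1d3f6183a5c7e90b")
REALM = "CATS.UCSC.EDU"

# What ktadd leaves in the keytab after bumping the kvno from 3 to 4.
KEYTAB = build_keytab([("afs", REALM, 4, DES_CBC_CRC, NEW_KEY)])
# A KeyFile copied from the old servers, still only at kvno 3.
STALE_KEYFILE = build_keyfile({3: OLD_KEY})
# The KeyFile after adding the kvno 4 key from the keytab.
UPDATED_KEYFILE = build_keyfile({3: OLD_KEY, 4: NEW_KEY})

if __name__ == "__main__":
    print(check_afs_key(KEYTAB, STALE_KEYFILE, REALM))    # ('unknown-kvno', 4)
    print(check_afs_key(KEYTAB, UPDATED_KEYFILE, REALM))  # ('ok', 4)
```

Run it against a real /etc/krb5.keytab and KeyFile by reading both files as bytes and passing them to check_afs_key; a "key-mismatch" result with the right kvno points at the key bytes themselves (for instance a keytab that was re-extracted after the KeyFile was written), while "unknown-kvno" means the kvno the KDC is now issuing tickets under never made it into the KeyFile.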