[OpenAFS] Re: Screwy keys? OpenAFS pts (and other) problems with MIT KDC

Jeff Blaine jblaine@kickflop.net
Fri, 19 May 2006 14:46:49 -0400


 > Before you got "unknown key version number", right?

Sorry, yes.  My eyes are a bit crossed from all of this.

 > It looks like you just changed the kvno to match the
 > one in the AFS keyfile, but the actual _key_ is different.
 > I think you need to generate a whole new key in database,
 > with a new kvno, and place that in the KeyFile.

How strange.  I swear I tried to do just that... 5 times
yesterday before even posting (hence all the way up to
kvno 5).

Anyway, it works now.  Thanks all.

kadmin.local:  ktremove afs/jbtest
Entry for principal afs/jbtest with kvno 5 removed from keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  ktadd -e des-cbc-crc:normal afs/jbtest
Entry for principal afs/jbtest with kvno 6, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin.local:  quit

bash-2.05# asetkey list
kvno    5: key is: FOOBAR
All done.
bash-2.05# asetkey delete 5
bash-2.05# asetkey add 6 /etc/krb5.keytab afs/jbtest
bash-2.05# asetkey list
kvno    6: key is: BLAH
All done.
bash-2.05#
bash-2.05# unlog
bash-2.05# kdestroy
bash-2.05#
bash-2.05# kinit admin
Password for admin@JBTEST:
bash-2.05# aklog -d
Authenticating to cell jbtest (server noodle.foo.com).
We've deduced that we need to authenticate to realm JBTEST.
Getting tickets: afs/jbtest@JBTEST
Using Kerberos V5 ticket natively
About to resolve name admin to id in cell jbtest.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 /  @ JBTEST
bash-2.05#
bash-2.05# pts members system:administrators
Members of system:administrators (id: -204) are:
   admin
bash-2.05#
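
A check for the mismatch this thread ran into (same kvno, different key), as an added example that is not part of the original post: it compares the newest entry in `klist -k -K` output with the newest entry in `asetkey list` output. The function names and sample listings are constructed, and it assumes both tools print the key in the same hex form.

```shell
#!/bin/sh
# Inputs are text captured from:  klist -k -K /etc/krb5.keytab  and  asetkey list
# Both listings contain secret key material: run as root, never log or mail them.
# Assumption: both tools print the key as the same hex string.

# newest_keytab_entry PRINCIPAL: klist -k -K text on stdin -> "kvno key"
newest_keytab_entry() {
    awk -v p="$1" '
        $2 == p && $1 ~ /^[0-9]+$/ && $1 + 0 >= best {
            best = $1 + 0; key = $3
            gsub(/^\(0x|\)$/, "", key)      # strip the "(0x" ... ")" wrapper
        }
        END { if (key != "") print best, tolower(key) }'
}

# newest_keyfile_entry: asetkey list text on stdin -> "kvno key"
newest_keyfile_entry() {
    sed -n 's/^kvno *\([0-9][0-9]*\): key is: *\(.*\)$/\1 \2/p' |
        sort -n | tail -n 1 | tr 'A-F' 'a-f'
}

# check_afs_key PRINCIPAL KLIST_TEXT ASETKEY_TEXT
# Returns 0 only when the kvno and the key itself both agree.
check_afs_key() {
    kt=$(printf '%s\n' "$2" | newest_keytab_entry "$1")
    kf=$(printf '%s\n' "$3" | newest_keyfile_entry)
    [ -n "$kt" ] || { echo "no keytab entry for $1"; return 2; }
    [ -n "$kf" ] || { echo "KeyFile is empty"; return 2; }
    if [ "${kt%% *}" != "${kf%% *}" ]; then
        echo "kvno mismatch: keytab ${kt%% *}, KeyFile ${kf%% *}"; return 1
    elif [ "${kt#* }" != "${kf#* }" ]; then
        echo "kvno ${kt%% *} matches but key differs"; return 1
    fi
    echo "kvno ${kt%% *} and key match"
}

# Constructed sample listings (key values are made up).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------
   6 afs/jbtest@JBTEST (0x0123456789abcdef)'
SAMPLE_GOOD='kvno    6: key is: 0123456789abcdef
All done.'
SAMPLE_STALE='kvno    6: key is: fedcba9876543210
All done.'

check_afs_key afs/jbtest@JBTEST "$SAMPLE_KLIST" "$SAMPLE_GOOD"
check_afs_key afs/jbtest@JBTEST "$SAMPLE_KLIST" "$SAMPLE_STALE" || true
```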