[OpenAFS] KeyFile generation issue
ted creedon
tcreedon@easystreet.com
Thu, 31 Aug 2006 17:10:13 -0700
-----Original Message-----
From: Joe Di Lellio [mailto:joed@ucsc.edu]
Sent: Thursday, August 31, 2006 4:15 PM
To: ted creedon
Subject: RE: [OpenAFS] KeyFile generation issue
Cool, that was it. Thanks!
On Thu, 31 Aug 2006, ted creedon wrote:
> I use strace -e read=0,1,2,3 -e write=0,1,2,3 -o foo.c asset key
> (The .c colorizes the output in an editor)
>
> To help figure out whats going on. I futz around with ktutil and asetkey
> until things line up. Look at the kdc log file for incorrect principal
> names.
>
> I think that the :v4 should be :normal
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CATS.UCSC.EDU
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal afs@CATS.UCSC.EDU
>
> tedc
>
> -----Original Message-----
> From: openafs-info-admin@openafs.org
[mailto:openafs-info-admin@openafs.org]
> On Behalf Of Joe Di Lellio
> Sent: Thursday, August 31, 2006 3:23 PM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] KeyFile generation issue
>
>
> I'm almost done with a trio of systems to replace my DB servers,
> but I'm having trouble with my KeyFile. I've followed the instructions
> (as mentioned below), but to no avail. The specific instructions are
> from the afs-krb5-2.0 distribution.
>
> What I've done:
>
> 1) The instructions mention creating an AFS principal. We have one
> already, as I have a test KDC with a clone of the production KDC's DB.
> However, I did try nuking the old principal & recreating it, on the
> chance that was the problem. Regardless, I started with a kvno of 3.
>
> 2) There is also a mention of using asetkey to find the kvno in the
> current KeyFile, and modifying the kvno in kerberos to have the
> same as the highest. I've tried both going from no KeyFile and using
> the one from my current TransArc servers. In the latter case I had
> a kvno here of 3.
>
> 3) I've used ktadd to extract the afs key to keytab file (the specific
> command is modified slightly as per a page I found googling):
>
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 afs@CATS.UCSC.EDU
>
> As mentioned, this incremented the kvno; in this case to 4.
>
> 4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:
>
> # ./asetkey add 4 /etc/krb5.keytab afs
>
> 5) I kept the keytab file around for a while, but also tried removing
> mention to the AFS principle.
>
> In all the cases, I keep getting the following error:
>
> Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded
> (rxkad error=19270407). Simple googling showed that as RXKADBADTICKET,
> aka "security object was passed a bad ticket". This particular error
> has come up with the some of varying iterations of how I did this, as
> above. I've also seen, as the one variation to the above, the error
> 19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version
> number". In this case I believe it was an early attempt where I had
> a low kvno in my KeyFile (like 3), but I'd increased the kvno on the
> KDC principle due to multiple attempts; I believe it was 9 or so (minor
> data point). That KeyFile was grabbed from one of my TransArc DB servers.
>
> Any clues? As far as I can tell, I've gone through the instructions
> extemely carefully, and with all the variations should I just be running
> across some oddity. I wouldn't be surprised if I'm missing something
> fairly obvious, but I really just can't say.
>
> As always, thanks in advance.
>
> ------
> It ain't what you don't know that gets you into trouble. It's what you
> know for sure that just ain't so. -- Mark Twain
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
------
It ain't what you don't know that gets you into trouble. It's what you
know for sure that just ain't so. -- Mark Twain