[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 09 Jan 2007 16:01:30 -0500

John W. Sopko Jr. wrote:

> In C:\Program Files\Support Tools\ktpass
> right click properties "version tab" shows 5.2.3790.1830
> So use ktutil on the linux openafs server, setting the
> password the same as the afs users Windows password:
> eagle/root [/usr/afs/etc] # ktutil
> ktutil:  add_entry -password -p afs/cs.unc.edu@MSE.UNCCS.TEST -k 1 -e
> des-cbc-crc

Where did you get the key version number of 1 from?

The key version number must match the number that is actually
issued by the KDC.  You can identify the version number using
the MIT Kerberos utility

  kvno <principal>

> cell cs.unc.edu are discarded (rxkad error=19270408)

The OpenAFS translate_et <error_code> command will tell you this
is because

  19270408 = ticket contained unknown key version number

> Windows Event Viewer, System log shows this, sometimes:
> While processing a TGS request for the target server afs/cs.unc.edu, the
> account sopko@MSE.UNCCS.TEST did not have a suitable key for generating
> a Kerberos ticket (the missing key has an ID of 8). The requested etypes
> were 2.  The accounts available etypes were 3  1.

What in the world is requesting a ticket with DES-CBC-MD4 ?

> -----------
> Once I get Windows AD working can I run both our current kaserver and
> Windows AD authentication against our production cs.unc.edu openafs cell
> at the same time? If I can generate afs/cs.unc.edu service principals
> with the same password on the kaserver and the AD server will this work?
> This may be a good migration path for us. We currently have 2 password
> databases, kaserver and Windows AD. When we create accounts we use the
> same user login name for both Windows and linux. Most users keep their
> passwords the same so logging into Windows gives them an afs token.
> Even if they don't we just tell them to use their Windows password
> as we migrate machine configurations.
> This way we can migrate machines to authenticate to "Windows AD only"
> over a short period of time and start testing real live systems.
> First I have to get Windows AD afs service principal working.

AFS only stores DES keys by key version number.  Ensure that your
kaserver key and your AD key have different version numbers and
you will be just fine.

Jeffrey Altman
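The kvno check and the two coexistence rules from the reply above, as an added example (not code from the list post or from OpenAFS): it parses a `klist -k -e`-style keytab listing and MIT `kvno` output, reports the key-version mismatch that yields rxkad error 19270408, and flags kvno collisions between a kaserver key and an AD key. The keytab listing and kvno output embedded below are constructed sample strings, not captures from the poster's site; only rxkad offset 8 and etypes 1/2/3 are taken from the post.

```python
"""Added example: diagnose an rxkad 'unknown key version number' failure.

The keytab and kvno text below are constructed samples (assumption), in the
shape that 'klist -k -e' and MIT 'kvno <principal>' print.
"""
import re

RXKAD_TABLE_BASE = 19270400          # 19270408 in the post is offset 8 of this table

# Offsets confirmed by the post (translate_et output); others are left generic.
RXKAD_MESSAGES = {
    8: "ticket contained unknown key version number",
}

# Kerberos etype numbers as they appear in the Windows event log quoted above.
ETYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}


def split_rxkad_code(code):
    """Return (offset, message) for an rxkad com_err code, or None if not rxkad."""
    offset = code - RXKAD_TABLE_BASE
    if not 0 <= offset < 256:
        return None
    return offset, RXKAD_MESSAGES.get(offset, "rxkad error offset %d" % offset)


def etype_names(codes):
    """Map etype numbers from an event-log line to their names."""
    return [ETYPE_NAMES.get(c, "etype %d" % c) for c in codes]


def parse_keytab_listing(text):
    """Parse lines of the form '<kvno> <principal> (<enctype description>)'."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_kvno_output(text):
    """Parse MIT 'kvno' output ('principal: kvno = N') into {principal: N}."""
    result = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+):\s*kvno\s*=\s*(\d+)", line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def diagnose(keytab_text, kvno_text, service):
    """Compare the kvnos held for `service` in the keytab with the KDC's kvno.

    Returns a list of findings; an empty list means the keytab is consistent
    with what the KDC issues."""
    entries = parse_keytab_listing(keytab_text)
    kdc = parse_kvno_output(kvno_text)
    findings = []
    if service not in kdc:
        findings.append("KDC did not report a kvno for %s" % service)
        return findings
    have = {kvno for kvno, princ, _ in entries if princ == service}
    if not have:
        findings.append("keytab has no key for %s" % service)
    elif kdc[service] not in have:
        findings.append(
            "kvno mismatch: KDC issues kvno %d, keytab has %s; expect rxkad error %d (%s)"
            % (kdc[service], sorted(have), RXKAD_TABLE_BASE + 8, RXKAD_MESSAGES[8]))
    return findings


def kvno_collisions(sources):
    """`sources` maps a key source (e.g. 'kaserver', 'AD') to the kvno it issues.
    AFS stores DES keys by kvno only, so two sources sharing a kvno cannot both
    be served; return the colliding kvnos (empty list means they can coexist)."""
    seen = {}
    collisions = set()
    for source, kvno in sources.items():
        if kvno in seen:
            collisions.add(kvno)
        seen[kvno] = source
    return sorted(collisions)


# Constructed sample data (assumption): a keytab holding kvno 1, a KDC issuing kvno 8.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/usr/afs/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 afs/cs.unc.edu@MSE.UNCCS.TEST (DES cbc mode with CRC-32)
"""
SAMPLE_KVNO = "afs/cs.unc.edu@MSE.UNCCS.TEST: kvno = 8\n"

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KEYTAB, SAMPLE_KVNO, "afs/cs.unc.edu@MSE.UNCCS.TEST"):
        print(finding)
    print("requested etypes:", etype_names([2]), "available:", etype_names([3, 1]))
    print("kaserver/AD collisions:", kvno_collisions({"kaserver": 3, "AD": 8}))
```

Run it as-is to see the mismatch report for the sample; to check a real server, paste the output of `klist -k -e` and `kvno afs/<cell>@<REALM>` into the two sample strings. Once the keytab kvno matches the KDC's, `diagnose` returns an empty list.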