[OpenAFS] bos status reports wrong key version number
Christopher Mason
Mason.Christopher@mayo.edu
Mon, 25 Jun 2007 23:25:21 -0500
Hello.
I'm setting up a new AFS cell using Active Directory as my KDC. When I run:
bos status mprcafs01.mayo.edu
I get:
bos: failed to contact host's bosserver (ticket contained unknown
key version number).
I've created the keys using the samba's net command:
net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG
then I deleted the two other keys with non-des-crc-cbc enctypes using
ktutil, and added the single des-crc-cbc key using asetkey. The key
versions reported by aset and kvno seem to match (see below for more
details).
I've tried the entire key creation/addition process several times to
make sure there wasn't a mismatch (deleting and recreating the computer
account in AD each time), but I don't know of a way to get AD to tell
what it thinks the key version number is (ie analog to kadmin).
Any ideas what I may have done wrong?
Thanks,
-c
Essentially what I did was:
Pre-create computer account mprcafs01 using AD Users and Computers.
net ads join "createcomputer=Research/MCR/Resources/Samba Servers --
LABS/MPRC" -S mfadir04.mfad.mfroot.org
On windows: setspn -A afs/mprc.mayo.edu mprcafs01 because otherwise
windows refuses the SPN because it's not on it's list of approved SPNs.
net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG
ktutil
rkt /etc/krb5.keytab
delent those afs/mprc.mayo.edu entries which had non des-crc-cbc enctypes
wkt /tmp/afs.keytab
asetkey add 3 /tmp/afs.keytab afs/mprc.mayo.edu
kinit works as does kvno afs/mprc.mayo.edu
Here's some more info:
[root@mprcafs01 etc]# rpm -qa | grep openafs
openafs-1.5.20-4
openafs-krb5-1.5.20-4
openafs-client-1.5.20-4
openafs-server-1.5.20-4
openafs-krb5-1.5.20-4
openafs-client-1.5.20-4
openafs-server-1.5.20-4
openafs-kernel-1.5.20-2.6.20_1.2952.fc6_4
[root@mprcafs01 ~]# asetkey list
kvno 3: key is: <hidden>
All done.
[root@mprcafs01 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cjm37@MFAD.MFROOT.ORG
Valid starting Expires Service principal
06/25/07 22:51:00 06/26/07 08:51:00 krbtgt/MFAD.MFROOT.ORG@MFAD.MFROOT.ORG
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/25/07 22:51:37 06/26/07 08:51:00 afs/mprc.mayo.edu@MFAD.MFROOT.ORG
Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
[root@mprcafs01 ~]# klist -ke /tmp/afs.keytab
Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 afs/mprc.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
[root@mprcafs01 ~]# aklog -d -c mprc.mayo.edu -k MFAD.MFROOT.ORG
Authenticating to cell mprc.mayo.edu (server mprcafs01.mayo.edu).
We were told to authenticate to realm MFAD.MFROOT.ORG.
Getting tickets: afs/mprc.mayo.edu@MFAD.MFROOT.ORG
Using Kerberos V5 ticket natively
About to resolve name cjm37 to id in cell mprc.mayo.edu.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 / @ MFAD.MFROOT.ORG
[root@mprcafs01 ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@mprc.mayo.edu [Expires Jun 26 08:51]
--End of list--
[root@mprcafs01 ~]# bos status mprcafs01.mayo.edu
bos: failed to contact host's bosserver (ticket contained unknown key
version number).
[root@mprcafs01 etc]# kvno -e des-cbc-crc afs/mprc.mayo.edu
afs/mprc.mayo.edu@MFAD.MFROOT.ORG: kvno = 3
[root@mprcafs01 ~]# bos status localhost -local -long
Instance ptserver, (type is simple) currently running normally.
Process last started at Mon Jun 25 22:24:55 2007 (1 proc starts)
Command 1 is '/usr/afs/bin/ptserver'
Instance vlserver, (type is simple) currently running normally.
Process last started at Mon Jun 25 22:24:55 2007 (1 proc starts)
Command 1 is '/usr/afs/bin/vlserver'
Instance fs, (type is fs) currently running normally.
Auxiliary status is: file server running.
Process last started at Mon Jun 25 22:24:55 2007 (2 proc starts)
Command 1 is '/usr/afs/bin/fileserver'
Command 2 is '/usr/afs/bin/volserver'
Command 3 is '/usr/afs/bin/salvager'
[root@mprcafs01 ~]# cat /etc/krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 36000
default_tgs_entypes = rc4-hmac des-cbc-md5
default_tkt_enctypes = rc4-hmac des-cbc-md5
permitted_enctypes = rc4-hmac des-cbc-md5
default_realm = MFAD.MFROOT.ORG
[realms]
MFAD.MFROOT.ORG = {
kdc = mfadir04.mfad.mfroot.org:88
admin_server = mfad.mfroot.org:749
default_domain = mfad.mfroot.org
}
[domain_realm]
mayo.edu = MFAD.MFROOT.ORG
.mayo.edu = MFAD.MFROOT.ORG
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 86401
forwardable = true
krb4_convert = false
}
[root@mprcafs01 etc]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
----
--------------------------------------------------------------------------
3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
3 host/MPRCAFS01@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
3 host/MPRCAFS01@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
3 host/MPRCAFS01@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
3 MPRCAFS01$@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
3 MPRCAFS01$@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
3 MPRCAFS01$@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
3 afs/mprc.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)