[OpenAFS] bos status reports wrong key version number

Christopher Mason Mason.Christopher@mayo.edu
Mon, 25 Jun 2007 23:25:21 -0500


Hello.

I'm setting up a new AFS cell using Active Directory as my KDC.  When I run:

    bos status mprcafs01.mayo.edu

I get:

    bos: failed to contact host's bosserver (ticket contained unknown
    key version number).

I've created the keys using Samba's net command:

    net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG

then I deleted the two other keys with non-des-crc-cbc enctypes using 
ktutil, and added the single des-crc-cbc key using asetkey.  The key 
versions reported by asetkey and kvno seem to match (see below for more 
details).

I've tried the entire key creation/addition process several times to 
make sure there wasn't a mismatch (deleting and recreating the computer 
account in AD each time), but I don't know of a way to get AD to tell 
what it thinks the key version number is (i.e., an analog to kadmin).

Any ideas what I may have done wrong?

Thanks,

-c

Essentially what I did was:

Pre-create computer account mprcafs01 using AD Users and Computers.
net ads join "createcomputer=Research/MCR/Resources/Samba Servers -- LABS/MPRC" -S mfadir04.mfad.mfroot.org
On Windows: setspn -A afs/mprc.mayo.edu mprcafs01, because otherwise 
Windows refuses the SPN because it's not on its list of approved SPNs.
net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG
ktutil
rkt /etc/krb5.keytab
delent those afs/mprc.mayo.edu entries which had non des-crc-cbc enctypes
wkt /tmp/afs.keytab
asetkey add 3 /tmp/afs.keytab afs/mprc.mayo.edu
kinit works as does kvno afs/mprc.mayo.edu


Here's some more info:



[root@mprcafs01 etc]# rpm -qa | grep openafs
openafs-1.5.20-4
openafs-krb5-1.5.20-4
openafs-client-1.5.20-4
openafs-server-1.5.20-4
openafs-krb5-1.5.20-4
openafs-client-1.5.20-4
openafs-server-1.5.20-4
openafs-kernel-1.5.20-2.6.20_1.2952.fc6_4


[root@mprcafs01 ~]# asetkey list
kvno    3: key is: <hidden>
All done.

[root@mprcafs01 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: cjm37@MFAD.MFROOT.ORG

Valid starting     Expires            Service principal
06/25/07 22:51:00  06/26/07 08:51:00  krbtgt/MFAD.MFROOT.ORG@MFAD.MFROOT.ORG
         Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
06/25/07 22:51:37  06/26/07 08:51:00  afs/mprc.mayo.edu@MFAD.MFROOT.ORG
         Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5

[root@mprcafs01 ~]# klist -ke /tmp/afs.keytab
Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    3 afs/mprc.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)

[root@mprcafs01 ~]# aklog -d -c mprc.mayo.edu -k MFAD.MFROOT.ORG
Authenticating to cell mprc.mayo.edu (server mprcafs01.mayo.edu).
We were told to authenticate to realm MFAD.MFROOT.ORG.
Getting tickets: afs/mprc.mayo.edu@MFAD.MFROOT.ORG
Using Kerberos V5 ticket natively
About to resolve name cjm37 to id in cell mprc.mayo.edu.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 /  @ MFAD.MFROOT.ORG

[root@mprcafs01 ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@mprc.mayo.edu [Expires Jun 26 08:51]
    --End of list--

[root@mprcafs01 ~]# bos status mprcafs01.mayo.edu
bos: failed to contact host's bosserver (ticket contained unknown key 
version number).

[root@mprcafs01 etc]# kvno -e des-cbc-crc afs/mprc.mayo.edu
afs/mprc.mayo.edu@MFAD.MFROOT.ORG: kvno = 3



[root@mprcafs01 ~]# bos status localhost -local -long
Instance ptserver, (type is simple) currently running normally.
     Process last started at Mon Jun 25 22:24:55 2007 (1 proc starts)
     Command 1 is '/usr/afs/bin/ptserver'

Instance vlserver, (type is simple) currently running normally.
     Process last started at Mon Jun 25 22:24:55 2007 (1 proc starts)
     Command 1 is '/usr/afs/bin/vlserver'

Instance fs, (type is fs) currently running normally.
     Auxiliary status is: file server running.
     Process last started at Mon Jun 25 22:24:55 2007 (2 proc starts)
     Command 1 is '/usr/afs/bin/fileserver'
     Command 2 is '/usr/afs/bin/volserver'
     Command 3 is '/usr/afs/bin/salvager'



[root@mprcafs01 ~]# cat /etc/krb5.conf
[logging]
  default = FILE:/var/log/krb5libs.log
  kdc = FILE:/var/log/krb5kdc.log
  admin_server = FILE:/var/log/kadmind.log

[libdefaults]
  ticket_lifetime = 36000
  default_tgs_entypes = rc4-hmac des-cbc-md5
  default_tkt_enctypes = rc4-hmac des-cbc-md5
  permitted_enctypes = rc4-hmac des-cbc-md5
  default_realm = MFAD.MFROOT.ORG

[realms]
  MFAD.MFROOT.ORG = {
   kdc = mfadir04.mfad.mfroot.org:88
   admin_server = mfad.mfroot.org:749
   default_domain = mfad.mfroot.org
  }

[domain_realm]
  mayo.edu = MFAD.MFROOT.ORG
  .mayo.edu = MFAD.MFROOT.ORG

[kdc]
  profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
  pam = {
    debug = false
    ticket_lifetime = 36000
    renew_lifetime = 86401
    forwardable = true
    krb4_convert = false
  }

[root@mprcafs01 etc]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- 
--------------------------------------------------------------------------
    3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
    3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
    3 host/mprcafs01.mayo.edu@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
    3 host/MPRCAFS01@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
    3 host/MPRCAFS01@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
    3 host/MPRCAFS01@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
    3 MPRCAFS01$@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
    3 MPRCAFS01$@MFAD.MFROOT.ORG (DES cbc mode with RSA-MD5)
    3 MPRCAFS01$@MFAD.MFROOT.ORG (ArcFour with HMAC/md5)
    3 afs/mprc.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
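The post compares key version numbers by eye across three places: the keytab handed to asetkey (`klist -ke`), the key asetkey actually stored (`asetkey list`), and the kvno the KDC puts into a fresh service ticket (`kvno`). The script below automates that comparison. It is an added illustration, not code from the OpenAFS project or from the original post; the sample command output embedded in it is constructed to mirror the listings above, and the functions only parse text, so real output from the three commands can be fed in instead. The required enctype name and the finding messages are this example's own choices.

```python
"""Cross-check a service principal's kvno across keytab, AFS KeyFile and KDC.

Added example (not OpenAFS code). Parses the text output of `klist -ke`,
`asetkey list` and `kvno` and reports any disagreement that would make a
server reject a ticket as carrying an "unknown key version number".
"""
import re
from collections import defaultdict

PRINCIPAL = "afs/mprc.mayo.edu@MFAD.MFROOT.ORG"

# Constructed sample output, modelled on the post's listings (consistent case).
KLIST_KE_OUTPUT = """\
Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/mprc.mayo.edu@MFAD.MFROOT.ORG (DES cbc mode with CRC-32)
"""
ASETKEY_LIST_OUTPUT = """\
kvno    3: key is: <hidden>
All done.
"""
KVNO_OUTPUT = "afs/mprc.mayo.edu@MFAD.MFROOT.ORG: kvno = 3\n"

# One regex per command; each only matches the data lines, not headers.
KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
ASETKEY_LINE = re.compile(r"^kvno\s+(\d+):")
KVNO_LINE = re.compile(r"^(\S+):\s+kvno\s*=\s*(\d+)")


def parse_klist_ke(text):
    """Return {principal: {kvno: set(enctype names)}} from `klist -ke` output."""
    table = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if m:
            table[m.group(2)][int(m.group(1))].add(m.group(3))
    return {p: dict(v) for p, v in table.items()}


def parse_asetkey_list(text):
    """Return the set of kvnos asetkey reports in the AFS KeyFile."""
    return {int(m.group(1)) for line in text.splitlines()
            if (m := ASETKEY_LINE.match(line))}


def parse_kvno(text):
    """Return {principal: kvno} from `kvno` output (one principal per line)."""
    result = {}
    for line in text.splitlines():
        m = KVNO_LINE.match(line)
        if m:
            result[m.group(1)] = int(m.group(2))
    return result


def check_service_key(principal, klist_text, asetkey_text, kvno_text,
                      required_etype="DES cbc mode with CRC-32"):
    """Return a list of findings; an empty list means all three sources agree."""
    findings = []
    keytab = parse_klist_ke(klist_text).get(principal, {})
    keyfile_kvnos = parse_asetkey_list(asetkey_text)
    ticket_kvno = parse_kvno(kvno_text).get(principal)

    if not keytab:
        return [f"{principal}: not present in keytab"]
    if ticket_kvno is None:
        findings.append(f"{principal}: kvno output has no entry; cannot compare with KDC")

    # kvnos under which the keytab holds the single-DES key the server needs
    des_kvnos = {k for k, etypes in keytab.items() if required_etype in etypes}
    if not des_kvnos:
        findings.append(f"{principal}: keytab has no '{required_etype}' key")
    elif ticket_kvno is not None and ticket_kvno not in des_kvnos:
        findings.append(f"{principal}: KDC issues kvno {ticket_kvno}, but the keytab's "
                        f"'{required_etype}' key(s) have kvno {sorted(des_kvnos)}")

    if ticket_kvno is not None and ticket_kvno not in keyfile_kvnos:
        findings.append(f"KeyFile holds kvno {sorted(keyfile_kvnos)}, "
                        f"but the KDC issues kvno {ticket_kvno}")

    # The post's procedure strips every non-DES enctype before `asetkey add`;
    # flag any that survived so the operator knows the keytab was not cleaned.
    for k, etypes in keytab.items():
        extra = sorted(etypes - {required_etype})
        if extra:
            findings.append(f"{principal}: kvno {k} still carries enctypes {extra}")
    return findings


if __name__ == "__main__":
    problems = check_service_key(PRINCIPAL, KLIST_KE_OUTPUT,
                                 ASETKEY_LIST_OUTPUT, KVNO_OUTPUT)
    print("\n".join(problems) if problems else "keytab, KeyFile and KDC agree")
```

On the listings in the post all three sources agree on kvno 3, so this check comes back clean; its value is in ruling out the keytab and KeyFile side quickly when the server still rejects the ticket. One unrelated detail worth noticing in the `[libdefaults]` block above: the option is written `default_tgs_entypes`, while libkrb5 reads it as `default_tgs_enctypes`, so that line is silently ignored and only `default_tkt_enctypes` and `permitted_enctypes` take effect.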