[OpenAFS] bos status reports wrong key version number

Derrick J Brashear shadow@dementia.org
Tue, 26 Jun 2007 00:32:17 -0400 (EDT)

On Mon, 25 Jun 2007, Christopher Mason wrote:

> Hello.
> I'm setting up a new AFS cell using Active Directory as my KDC.  When I run:
>   bos status mprcafs01.mayo.edu
> I get:
>   bos: failed to contact host's bosserver (ticket contained unknown
>   key version number).
> I've created the keys using the samba's net command:
>   net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG
> then I deleted the two other keys with non-des-crc-cbc enctypes using ktutil, 
> and added the single des-crc-cbc key using asetkey.  The key versions 
> reported by aset and kvno seem to match (see below for more details).
> I've tried the entire key creation/addition process several times to make 
> sure there wasn't a mismatch (deleting and recreating the computer account in 
> AD each time), but I don't know of a way to get AD to tell what it thinks the 
> key version number is (ie analog to kadmin).
> Any ideas what I may have done wrong?
> Thanks,
> -c
> Essentially what I did was:
> Pre-create computer account mprcafs01 using AD Users and Computers.
> net ads join "createcomputer=Research/MCR/Resources/Samba Servers -- 
> LABS/MPRC" -S mfadir04.mfad.mfroot.org
> On windows: setspn -A afs/mprc.mayo.edu mprcafs01 because otherwise windows 
> refuses the SPN because it's not on it's list of approved SPNs.
> net ads keytab add afs/mprc.mayo.edu@MFAD.MFROOT.ORG
> ktutil
> rkt /etc/krb5.keytab
> delent those afs/mprc.mayo.edu entries which had non des-crc-cbc enctypes

which were what types?

because, well, i presume those are also in the kdc, and, frankly, that's 
probably your issue.

the right answer is not to delete them from the keytab. it's to delete 
them from the kdc.