[OpenAFS] incorrect KeyFile causing cell setup to fail -- maybe wrong enctype ?

scorch scorch@muse.net.nz
Fri, 09 Mar 2007 11:05:13 +1300


hi,

I am starting a fresh cell on a test box and am having trouble creating a correct 
KeyFile. For some reason the notes I made 3 years ago are not 
sufficient, so I would appreciate some advice on the following.

Presumably this is due to one of:
	wrong enctype(s)
	incorrect extraction method
Does anybody see where I'm going horribly wrong?

thanks, Dave

# create the AFS KeyFile from the Heimdal KDC and install it in the OpenAFS server directory
# the krb5.conf in use is quoted at the end of this message

root@sendai:/home/dave $ mkdir -m 700 p /etc/openafs/server

root@sendai:/home/dave $ kadmin -p admin/krb
kadmin> add --random-key --use-defaults afs
kadmin> del_enctype afs des3-cbc-sha1
kadmin> get afs@MUSE.NET.NZ
             Principal: afs@MUSE.NET.NZ
     Principal expires: never
      Password expires: never
  Last password change: never
       Max ticket life: 1 day
    Max renewable life: 1 week
                  Kvno: 1
                 Mkvno: 0
Last successful login: never
     Last failed login: never
    Failed login count: 0
         Last modified: 2007-03-08 21:57:02 UTC
              Modifier: admin/krb@MUSE.NET.NZ
            Attributes:
              Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), 
des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt), 
arcfour-hmac-md5(pw-salt)

kadmin> ext -k /tmp/afskeytabfile.krb5 afs
kadmin> quit

root@sendai:/home/dave $ ktutil -k /tmp/afskeytabfile.krb5 list
/tmp/afskeytabfile.krb5:

Vno  Type                     Principal
   1  des-cbc-md5              afs@MUSE.NET.NZ
   1  des-cbc-md4              afs@MUSE.NET.NZ
   1  des-cbc-crc              afs@MUSE.NET.NZ
   1  aes256-cts-hmac-sha1-96  afs@MUSE.NET.NZ
   1  arcfour-hmac-md5         afs@MUSE.NET.NZ
root@sendai:/home/dave $ ktutil copy FILE:/tmp/afskeytabfile.krb5 
AFSKEYFILE:/etc/openafs/server/KeyFile

root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth

root@sendai:/etc/openafs/server $ pafs
24807 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage 
--check-consistency

root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
root@sendai:/home/dave $ pafs
22752 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage 
--check-consistency

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost
bos: security object was passed a bad ticket error encountered while 
listing keys

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -noauth
bos: you are not authorized for this operation error encountered while 
listing keys

root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -localauth
key 1 has cksum 250617512
key 1 has cksum 3616054386
Keys last changed on Fri Mar  9 10:59:32 2007.
All done.
root@sendai:/home/dave $ klist -vT
Credentials cache: FILE:/tmp/krb5cc_0
         Principal: admin/afs@MUSE.NET.NZ
     Cache version: 4

Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: initial
Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20, 
IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32

Server: afs@MUSE.NET.NZ
Ticket etype: des-cbc-crc, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: transited-policy-checked
Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20, 
IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32


Mar  9 10:08:01  Mar 10 02:48:01  Tokens for muse.net.nz (256)
root@sendai:/home/dave $


file:/etc/kerberosV/krb5.conf
# $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
#
# Example Kerberos 5 configuration file. You may need to change the defaults
# in this file to match your environment.
#
# See krb5.conf(5) and the heimdal infopage for more information.
#
# Normally, the realm should be your DNS domain name with uppercase
# letters. In this example file, we've written the realm as MY.REALM
# and the domain as my.domain to make it clear what we refer to.
#
# Normally, it is not necessary to do any changes on client-only
# machines, as it's recommended that the information needed is put
# in DNS.
# On server machines, it is not strictly necessary, but it is recommended
# to have local configuration.
#
[libdefaults]
	default_realm = MUSE.NET.NZ
	ticket_lifetime = 60000
	clockskew = 300

[appdefaults]
	afs-use-524 = no
	afslog = yes

[realms]
	MUSE.NET.NZ = {
		supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
		kdc = kerberos.muse.net.nz
		admin_server = kerberos.muse.net.nz
		kpasswd_server = kerberos.muse.net.nz
	}

[domain_realm]
	.muse.net.nz = MUSE.NET.NZ

[kadmin]
	default_keys = v5 afs3
	afs-cell = muse.net.nz

[logging]
	kadmind = FILE:/var/heimdal/kadmind.log

[kdc]
	require-preauth = no
	v4-realm = MUSE.NET.NZ
	afs-cell = muse.net.nz