[OpenAFS] incorrect KeyFile causing cell setup to fail -- maybe wrong enctype ?

Sergio Gelato Sergio.Gelato@astro.su.se
Sat, 10 Mar 2007 12:56:59 +0100


* ted creedon [2007-03-09 07:35:12 -0900]:
> Kadmin needs "des-cbc-crc:normal" specifically with the ":normal" suffix.

N.B. scorch is using Heimdal (0.7 or 0.8?), not MIT Kerberos.

I'd suggest deleting the AES and Arcfour enctypes as well. This was
probably not an issue with the version of Heimdal in use three years
ago (no AES support yet), which would explain why those old notes did
not mention it.

"bos listkeys" lists two keys with the same kvno (1). At least one of them
must be wrong.

> -----Original Message-----
> From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
> On Behalf Of scorch
> Sent: Friday, March 09, 2007 6:42 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] incorrect KeyFile causing cell setup to fail -- maybe
> wrong enctype ?
> 
> hi,
> 
> I am starting a fresh cell on a test box & having trouble with correct
> creation of KeyFile. For some reason my notes done 3 years ago are not
> sufficient, & some advice is needed!
> 
> Presumably this is due either to:
> 	wrong enctype(s)
> 	incorrect extraction method
> does anybody see where I'm going horribly wrong?
> 
> thanks, Dave
> 
> # create afs KeyFile from heimdal & put in the right place
> # see below for krb5.conf
> 
> root@sendai:/home/dave $ mkdir -m 700 -p /etc/openafs/server
> 
> root@sendai:/home/dave $ kadmin -p admin/krb
> kadmin> add --random-key --use-defaults afs
> kadmin> del_enctype afs des3-cbc-sha1
> kadmin> get afs@MUSE.NET.NZ
>              Principal: afs@MUSE.NET.NZ
>      Principal expires: never
>       Password expires: never
>   Last password change: never
>        Max ticket life: 1 day
>     Max renewable life: 1 week
>                   Kvno: 1
>                  Mkvno: 0
> Last successful login: never
>      Last failed login: never
>     Failed login count: 0
>          Last modified: 2007-03-08 21:57:02 UTC
>               Modifier: admin/krb@MUSE.NET.NZ
>             Attributes:
>               Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
> des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
> arcfour-hmac-md5(pw-salt)
> 
> kadmin> ext -k /tmp/afskeytabfile.krb5 afs
> kadmin> quit
> 
> root@sendai:/home/dave $ ktutil -k /tmp/afskeytabfile.krb5 list
> /tmp/afskeytabfile.krb5:
> 
> Vno  Type                     Principal
>    1  des-cbc-md5              afs@MUSE.NET.NZ
>    1  des-cbc-md4              afs@MUSE.NET.NZ
>    1  des-cbc-crc              afs@MUSE.NET.NZ
>    1  aes256-cts-hmac-sha1-96  afs@MUSE.NET.NZ
>    1  arcfour-hmac-md5         afs@MUSE.NET.NZ
> 
> root@sendai:/home/dave $ ktutil copy FILE:/tmp/afskeytabfile.krb5 AFSKEYFILE:/etc/openafs/server/KeyFile
> 
> root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
> 
> root@sendai:/etc/openafs/server $ pafs
> 24807 /usr/local/sbin/bosserver -syslog -noauth
> 31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
> --check-consistency
> 
> root@sendai:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
> root@sendai:/home/dave $ pafs
> 22752 /usr/local/sbin/bosserver -syslog -noauth
> 31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
> --check-consistency
> 
> root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost
> bos: security object was passed a bad ticket error encountered while
> listing keys
> 
> root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -noauth
> bos: you are not authorized for this operation error encountered while
> listing keys
> 
> root@sendai:/home/dave $ /usr/local/bin/bos listkeys localhost -localauth
> key 1 has cksum 250617512
> key 1 has cksum 3616054386
> Keys last changed on Fri Mar  9 10:59:32 2007.
> All done.
> root@sendai:/home/dave $ klist -vT
> Credentials cache: FILE:/tmp/krb5cc_0
>          Principal: admin/afs@MUSE.NET.NZ
>      Cache version: 4
> 
> Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Auth time:  Mar  9 10:08:01 2007
> End time:   Mar 10 02:48:01 2007
> Ticket flags: initial
> Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
> IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32
> 
> Server: afs@MUSE.NET.NZ
> Ticket etype: des-cbc-crc, kvno 1
> Auth time:  Mar  9 10:08:01 2007
> End time:   Mar 10 02:48:01 2007
> Ticket flags: transited-policy-checked
> Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
> IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32
> 
> 
> Mar  9 10:08:01  Mar 10 02:48:01  Tokens for muse.net.nz (256)
> root@sendai:/home/dave $
> 
> 
> file:/etc/kerberosV/krb5.conf
> # $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
> #
> # Example Kerberos 5 configuration file. You may need to change the defaults
> # in this file to match your environment.
> #
> # See krb5.conf(5) and the heimdal infopage for more information.
> #
> # Normally, the realm should be your DNS domain name with uppercase
> # letters. In this example file, we've written the realm as MY.REALM
> # and the domain as my.domain to make it clear what we refer to.
> #
> # Normally, it is not necessary to do any changes on client-only
> # machines, as it's recommended that the information needed is put
> # in DNS.
> # On server machines, it is not strictly necessary, but it is recommended
> # to have local configuration.
> #
> [libdefaults]
> 	default_realm = MUSE.NET.NZ
> 	ticket_lifetime = 60000
> 	clockskew = 300
> 
> [appdefaults]
> 	afs-use-524 = no
> 	afslog = yes
> 
> [realms]
> 	MUSE.NET.NZ = {
> 		supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
> 		kdc = kerberos.muse.net.nz
> 		admin_server = kerberos.muse.net.nz
> 		kpasswd_server = kerberos.muse.net.nz
> 	}
> 
> [domain_realm]
> 	.muse.net.nz = MUSE.NET.NZ
> 
> [kadmin]
> 	default_keys = v5 afs3
> 	afs-cell = muse.net.nz
> 
> [logging]
> 	kadmind = FILE:/var/heimdal/kadmind.log
> 
> [kdc]
> 	require-preauth = no
> 	v4-realm = MUSE.NET.NZ
> 	afs-cell = muse.net.nz
> 
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
>
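A small check for the symptom Sergio points at (two keys with kvno 1 in "bos listkeys" output), written as an added example for this page; it is not code from the thread, from OpenAFS or from Heimdal. It assumes the classic OpenAFS KeyFile layout (a big-endian 32-bit key count followed by entries of a big-endian 32-bit kvno and an 8-byte single-DES key) and uses the fact that a DES key has odd parity in every byte: an AES or RC4 key fragment that ended up in the file by mistake will almost never pass that test. The sample KeyFile bytes are constructed here to mimic the duplicate-kvno case; the path and file name in the usage note are the ones from the post.

```python
"""Audit an OpenAFS KeyFile for duplicate kvnos and non-DES key material.

Added example, not code from the thread, OpenAFS or Heimdal.  Assumed
on-disk layout: big-endian int32 key count, then per key a big-endian int32
kvno followed by 8 bytes of single-DES key.  Trailing bytes after the used
entries are tolerated, since some writers emit the full fixed-size struct.
"""
import struct
from typing import Dict, List, Tuple

COUNT = struct.Struct(">i")    # number of keys in the file
ENTRY = struct.Struct(">i8s")  # kvno, 8-byte DES key


def parse_keyfile(data: bytes) -> List[Tuple[int, bytes]]:
    """Return [(kvno, key), ...] or raise ValueError if the count is implausible."""
    if len(data) < COUNT.size:
        raise ValueError("KeyFile too short to hold a key count")
    (nkeys,) = COUNT.unpack_from(data, 0)
    if nkeys < 0 or COUNT.size + nkeys * ENTRY.size > len(data):
        raise ValueError(f"key count {nkeys} does not fit in {len(data)} bytes")
    return [ENTRY.unpack_from(data, COUNT.size + i * ENTRY.size)
            for i in range(nkeys)]


def has_odd_parity(key: bytes) -> bool:
    """Every byte of a real DES key has odd parity (the low bit is the parity bit)."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def audit_keyfile(data: bytes) -> Dict[str, object]:
    """Flag kvnos that appear more than once and entries that cannot be DES keys."""
    entries = parse_keyfile(data)
    kvnos = [kvno for kvno, _ in entries]
    return {
        "nkeys": len(entries),
        "duplicate_kvnos": sorted({k for k in kvnos if kvnos.count(k) > 1}),
        "bad_parity_entries": [i for i, (_, key) in enumerate(entries)
                               if not has_odd_parity(key)],
    }


def build_keyfile(entries: List[Tuple[int, bytes]]) -> bytes:
    """Serialise entries in the assumed layout (used here to build the sample)."""
    return COUNT.pack(len(entries)) + b"".join(ENTRY.pack(k, key) for k, key in entries)


# Constructed sample (not the poster's real KeyFile): two entries both claim
# kvno 1, as "bos listkeys -localauth" reported, and one of them is not a
# parity-correct DES key.
SAMPLE_KEYFILE = build_keyfile([
    (1, bytes.fromhex("133457799BBCDFF1")),  # well-formed DES key
    (1, bytes.fromhex("a0b1c2d3e4f50617")),  # fails DES parity: foreign key material
    (2, bytes.fromhex("0E329232EA6D0D73")),  # well-formed DES key, distinct kvno
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYFILE
    report = audit_keyfile(data)
    print(f"{report['nkeys']} key(s) in file")
    for kvno in report["duplicate_kvnos"]:
        print(f"kvno {kvno} appears more than once; at least one entry is wrong")
    for idx in report["bad_parity_entries"]:
        print(f"entry {idx} does not have DES odd parity; not a single-DES key")
```

Run it as root against the file the post writes, `python3 keyfile_audit.py /etc/openafs/server/KeyFile`; with no argument it audits the constructed sample. A clean KeyFile reports each kvno once and no parity failures. If it flags an entry, the fix is the one Sergio gives: strip the non-DES enctypes from the afs principal in kadmin before extracting, remove the KeyFile, and copy the keytab again.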