[OpenAFS] kaserver.DB0 converted, no success authenticating

Jeff Blaine jblaine@kickflop.net
Mon, 29 Oct 2007 13:55:55 -0400

Kevin Coffman wrote:
> On 10/29/07, Ken Hornstein <kenh@cmf.nrl.navy.mil> wrote:
>>> Oct 29 12:58:13 silmaril krb5kdc[13245](info): AS_REQ (7 etypes {18 17
>>> 16 23 1 3 2}) xxx.xx.11.213: DECRYPT_CLIENT_KEY: jblaine@RCF.FOO.COM for
>>> krbtgt/RCF.FOO.COM@RCF.FOO.COM, Decrypt integrity check failed
>> One little thing I always forget about afs2k5db .... it currently only
>> works if your master key is single-DES (in theory this isn't hard to fix,
>> but see previous comments about time, interest, etc etc).  Judging by
>> this error, the client keys are not encrypted properly in the database.
>> I am guessing that your K/M principal is something other than single-DES.

Thanks Ken and Kevin.

> Could changing realm names be another possibility?  Jeff, are you
> using the same realm name in your KDC as in the kaserver?

Same realm.

Yes, the K/M principal is single and triple DES'd.

How does one go about deleting one of K/M's keys in DB
without shooting oneself in the foot?