[OpenAFS] kaserver.DB0 converted, no success authenticating

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 29 Oct 2007 15:05:43 -0400

>> Could changing realm names be another possibility?  Jeff, are you
>> using the same realm name in your KDC as in the kaserver?

Just as a side note: that is definitely not the problem here.  This is
evident by the KDC log message mentioning "DECRYPT_CLIENT_KEY" - that can
only occur if the principal keys are encrypted incorrectly.  The confusing
part is that "Decrypt integrity check failed" is passed back to the client
and it interprets it as "Password incorrect", which is confusing.

>Yes, the K/M principal is single and triple DES'd.
>How does one go about deleting one of K/M's keys in DB
>without shooting oneself in the foot?

Short answer: you don't.  There is currently not a good way to
change the enctype of the master key (you can _change_ the key, but
it has to have the same enctype).  Just deleting the triple-DES key
isn't good enough, as your existing keys will then not be able to
be decrypted.  This may have changed more recently, so I could be
wrong.  I tried to change my master key enctype once, but it was
used in enough places that it was very hard, so I gave up.

I think your easiest solution is to fix afs2k5db so it works with
different master key enctypes.  Like I said, IN THEORY this should
be simple.  Second easiest: redo your realm with only a single-DES
key (it all depends on your realm setup as to which one you find
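A defender-side reading of the KDC log distinction drawn above (DECRYPT_CLIENT_KEY means the KDC could not decrypt the stored principal key, while PREAUTH_FAILED is an ordinary wrong password), as an added example that is not part of this thread. The log line layout is assumed from the MIT krb5kdc style and the sample lines are constructed.

```python
"""Classify MIT krb5kdc log lines so a master-key/enctype mismatch is not
misread as a bad password.  Added example; the line format below is an
assumption modelled on the MIT KDC log style, not taken from the thread."""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) \([^)]*\) (?P<addr>\S+): "
    r"(?P<status>[A-Z_]+): (?P<rest>.*)$"
)
PRINC_RE = re.compile(r"(\S+@\S+) for (\S+)")

# What each KDC status really means for the operator, per the diagnosis above.
VERDICTS = {
    "DECRYPT_CLIENT_KEY": "server-side: principal key not decryptable with the "
                          "current master key (wrong master key or enctype)",
    "PREAUTH_FAILED": "client-side: the supplied password/key did not match",
    "ISSUE": "ok: ticket issued",
}

def classify_kdc_log(text):
    """Return (events, master_key_suspect) for a block of KDC log text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a request-result line; ignore
        p = PRINC_RE.search(m.group("rest"))
        events.append({
            "time": m.group("ts"),
            "client": p.group(1) if p else None,
            "status": m.group("status"),
            "verdict": VERDICTS.get(m.group("status"), "unclassified KDC status"),
        })
    # Any DECRYPT_CLIENT_KEY points at the database/master key, not at users.
    suspect = any(e["status"] == "DECRYPT_CLIENT_KEY" for e in events)
    return events, suspect

# Constructed sample lines: the first is the case from the thread (a key the
# KDC cannot decrypt), the second a genuinely wrong password, the third fine.
SAMPLE_LOG = """\
Oct 29 14:55:01 kdc krb5kdc[1234](info): AS_REQ (1 etypes {1}) 10.0.0.5: DECRYPT_CLIENT_KEY: jeff@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Oct 29 14:55:09 kdc krb5kdc[1234](info): AS_REQ (1 etypes {1}) 10.0.0.5: PREAUTH_FAILED: bob@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM, Decrypt integrity check failed
Oct 29 14:55:20 kdc krb5kdc[1234](info): AS_REQ (1 etypes {1}) 10.0.0.6: ISSUE: authtime 1193684120, etypes {rep=1 tkt=16 ses=1}, alice@EXAMPLE.COM for krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

if __name__ == "__main__":
    evs, bad_master_key = classify_kdc_log(SAMPLE_LOG)
    for e in evs:
        print(e["time"], e["client"], e["status"], "->", e["verdict"])
    if bad_master_key:
        print("Check the K/M enctype the database was converted with.")
```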