[OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key

Tue, 12 Apr 2011 11:01:39 -0400

This is a multi-part message in MIME format.

------=_NextPart_000_0003_01CBF901.000740F0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit

Hello,

here is my problem: I have a nicely functional AFS server, cell name
afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a
second authentication realm, a Kerberos 5, named
KDC.DANTOLOV.UITS.INDIANA.EDU.  All of this is under RHEL 5.

On the KDC machine, I made the service principal and placed its key in a
keytab. All of that apparently worked OK:

kadmin:  add_principal -e des-cbc-md5:normal  -kvno 8
afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU

kadmin:  ktadd -e des-cbc-md5:normal -k
afs1_dantolov.uits.indiana.edu_kdc.keytab
afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU

I transferred the keytab to the AFS server, and it looks fine:

[root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.keytab

Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab

KVNO Principal

----
--------------------------------------------------------------------------

   9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode
with RSA-MD5) 

However, the asetkey fails to get the key out of the keytab and into the
/usr/afs/etc/KeyFile:

[root@afs1c afs]#  asetkey add  9  afs1_dantolov.uits.indiana.edu_kdc.keytab
afs/afs1.bedrock.iu.edu

asetkey: unknown RPC error (-1765328203) while extracting AFS service key

The translation of the error code is not very helpful:

[root@afs1c afs]# translate_et  -1765328203

-1765328203 (krb5).181 = unknown RPC error (-1765328203)

I have the right file /usr/afs/etc/krb.conf on the AFS server:

[root@afs1c afs]# cat /usr/afs/etc/krb.conf

ADS.IU.EDU  KDC.DANTOLOV.UITS.INDIANA.EDU

This problem has been discussed in OpenAFS forums in 2010, in an AD setting,
apparently inconclusively. Would anyone be able to shed any new light?

Thank you very much,

Danko Antolovic

Principal Scientist, Research Technologies,

Indiana University

------=_NextPart_000_0003_01CBF901.000740F0
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PlaceType"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PlaceName"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:"Times New Roman";
	color:windowtext;
	font-weight:normal;
	font-style:normal;
	text-decoration:none none;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Hello,<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

here is my problem: =
I have a
nicely functional AFS server, cell name afs1.bedrock.iu.edu, =
authenticating
against an AD realm. I want to give it a second authentication realm, a
Kerberos 5, named KDC.DANTOLOV.UITS.INDIANA.EDU.&nbsp; All of this is =
under RHEL 5.<o:p></o:p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

On the KDC machine, =
I made
the service principal and placed its key in a keytab. All of that =
apparently
worked OK:<o:p></o:p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>kadmin:&nbsp; =
add_principal -e
des-cbc-md5:normal&nbsp; -kvno 8&nbsp;
afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU<o:p></o:p></span></=
font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>kadmin:&nbsp; ktadd =
-e
des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab&nbsp;
afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU<o:p></o:p></span></=
font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>I transferred the =
keytab to
the AFS server, and it looks fine:<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>[root@afs1c afs]# =
klist -e
-k&nbsp; =
afs1_dantolov.uits.indiana.edu_kdc.keytab<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>Keytab name:
FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab<o:p></o:p></span></font></=
p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>KVNO =
Principal<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>----
-------------------------------------------------------------------------=
-<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>&nbsp;&nbsp; 9
afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with
RSA-MD5) <o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>However, the =
asetkey fails
to get the key out of the keytab and into the =
/usr/afs/etc/KeyFile:<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>[root@afs1c =
afs]#&nbsp; asetkey
add&nbsp; 9&nbsp; afs1_dantolov.uits.indiana.edu_kdc.keytab&nbsp; =
afs/afs1.bedrock.iu.edu<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>asetkey: unknown =
RPC error
(-1765328203) while extracting AFS service =
key<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>The translation of =
the error
code is not very helpful:<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>[root@afs1c afs]#
translate_et&nbsp; -1765328203<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>-1765328203 =
(krb5).181 =3D
unknown RPC error (-1765328203)<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>I have the right =
file
/usr/afs/etc/krb.conf on the AFS server:<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>[root@afs1c afs]# =
cat
/usr/afs/etc/krb.conf<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>ADS.IU.EDU&nbsp;
KDC.DANTOLOV.UITS.INDIANA.EDU<o:p></o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

This problem has =
been discussed
in OpenAFS forums in 2010, in an AD setting, apparently inconclusively. =
Would
anyone be able to shed any new light?<o:p></o:p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D2 =
face=3D"Courier New"><span
style=3D'font-size:10.0pt;font-family:"Courier New"'>Thank you very =
much,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Danko Antolovic<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'>Principal Scientist, Research =
Technologies,<o:p></o:p></span></font></p>

<p class=3DMsoNormal><st1:place w:st=3D"on"><st1:PlaceName =
w:st=3D"on"><font size=3D2
  face=3D"Courier New"><span =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'>Indiana</span></font></st1:PlaceName><font
 size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;font-family:"Courier New"'>
 <st1:PlaceType =
w:st=3D"on">University</st1:PlaceType></span></font></st1:place><font
size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;font-family:"Courier =
New"'><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3D"Courier New"><span =
style=3D'font-size:10.0pt;
font-family:"Courier New"'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------=_NextPart_000_0003_01CBF901.000740F0--