[OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key
Jeffrey Altman
jaltman@secure-endpoints.com
Tue, 12 Apr 2011 11:09:12 -0400
If the kvno you generated is 8, then the kvno you ask asetkey to add must also be 8.
Sent from my iPad
On Apr 12, 2011, at 11:01 AM, "Danko Antolovic" <dantolov@indiana.edu> wrote:
> Hello,
>
> here is my problem: I have a nicely functional AFS server, cell name afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a second authentication realm, a Kerberos 5, named KDC.DANTOLOV.UITS.INDIANA.EDU. All of this is under RHEL 5.
>
> On the KDC machine, I made the service principal and placed its key in a keytab. All of that apparently worked OK:
>
> kadmin: add_principal -e des-cbc-md5:normal -kvno 8 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU
>
> kadmin: ktadd -e des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU
>
> I transferred the keytab to the AFS server, and it looks fine:
>
> [root@afs1c afs]# klist -e -k afs1_dantolov.uits.indiana.edu_kdc.keytab
> Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)
>
> However, asetkey fails to get the key out of the keytab and into the /usr/afs/etc/KeyFile:
>
> [root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
> asetkey: unknown RPC error (-1765328203) while extracting AFS service key
>
> The translation of the error code is not very helpful:
>
> [root@afs1c afs]# translate_et -1765328203
> -1765328203 (krb5).181 = unknown RPC error (-1765328203)
>
> I have the right file /usr/afs/etc/krb.conf on the AFS server:
>
> [root@afs1c afs]# cat /usr/afs/etc/krb.conf
> ADS.IU.EDU KDC.DANTOLOV.UITS.INDIANA.EDU
>
> This problem has been discussed in OpenAFS forums in 2010, in an AD setting, apparently inconclusively. Would anyone be able to shed any new light?
>
> Thank you very much,
>
> Danko Antolovic
> Principal Scientist, Research Technologies,
> Indiana University
>
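Added example, not part of the thread and not OpenAFS or MIT code: a POSIX shell script that first splits the com_err code the way translate_et does (the high 24 bits carry the table name, the low 8 bits the offset, so -1765328203 is offset 181 of the krb5 table; translate_et can derive the table name and offset from the code alone but has no message for it, hence "unknown RPC error"; in MIT Kerberos that offset is KRB5_KT_KVNONOTFOUND, "Key version number for principal in key table is incorrect", which is the mismatch the reply above points at), and then checks a `klist -e -k` listing for the kvno that asetkey is about to be handed, accepting the realm-less principal form that asetkey is given. The klist text is constructed to mirror the listing in the message; the second keytab entry, the function names and the return-code convention are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread): decode a com_err code the way
# translate_et does, then check a keytab listing for the kvno that asetkey
# will be asked to add. The klist output below is constructed to mirror the
# listing in the message; the extra host/ entry is an assumed value.

# com_err packs a table name (up to four characters, 6 bits each, as a
# 1-based index into this alphabet) into the high 24 bits of a signed 32-bit
# code; the low 8 bits are the offset within that table.
COMERR_CHARSET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_'

# comerr_decode CODE  -> prints "TABLE OFFSET", e.g. "krb5 181"
comerr_decode() {
    code=$1
    if [ "$code" -lt 0 ]; then
        code=$((code + 4294967296))   # reinterpret as unsigned 32-bit
    fi
    offset=$((code & 255))
    tnum=$((code >> 8))
    name=''
    i=3
    while [ "$i" -ge 0 ]; do
        ch=$(( (tnum >> (6 * i)) & 63 ))
        if [ "$ch" -ne 0 ]; then
            # cut -c is 1-based, which matches com_err's char_set[ch-1]
            name="$name$(printf '%s' "$COMERR_CHARSET" | cut -c "$ch")"
        fi
        i=$((i - 1))
    done
    printf '%s %s\n' "$name" "$offset"
}

# Constructed stand-in for `klist -e -k FILE` output (same shape as the
# listing in the message; the host/ entry is added to show an unrelated key).
KLIST_SAMPLE='Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)
   3 host/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)'

# keytab_kvnos PRINCIPAL  -> prints every kvno the listing (on stdin) holds
# for PRINCIPAL. PRINCIPAL may be given with or without its realm, because
# asetkey is normally handed the realm-less form.
keytab_kvnos() {
    awk -v p="$1" '
        $1 ~ /^[0-9]+$/ {             # data rows start with a numeric kvno
            split($2, parts, "@")
            if ($2 == p || parts[1] == p) print $1
        }'
}

# check_asetkey_kvno KVNO PRINCIPAL  (listing on stdin)
#   returns 0: an entry with that kvno exists, so asetkey add KVNO can find it
#   returns 1: principal present but only under other kvnos (kvno mismatch)
#   returns 2: principal absent from the keytab
check_asetkey_kvno() {
    want=$1
    found=$(keytab_kvnos "$2")
    if [ -z "$found" ]; then
        return 2
    fi
    for k in $found; do
        if [ "$k" -eq "$want" ]; then
            return 0
        fi
    done
    return 1
}

# Run stand-alone: decode the code from the thread and check kvno 9 and 8.
comerr_decode -1765328203
for want in 9 8; do
    if printf '%s\n' "$KLIST_SAMPLE" | check_asetkey_kvno "$want" afs/afs1.bedrock.iu.edu; then
        echo "kvno $want: present in keytab for afs/afs1.bedrock.iu.edu"
    else
        echo "kvno $want: not in keytab for afs/afs1.bedrock.iu.edu"
    fi
done
```

Against a real server, replace KLIST_SAMPLE with `klist -e -k /path/to/keytab | check_asetkey_kvno N afs/cell.host` before running `asetkey add N`; a return of 1 means the keytab holds the principal under a different kvno than the one being requested, a return of 2 means the principal (or its realm) is not what was expected.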