[OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key

Danko Antolovic dantolov@indiana.edu
Tue, 12 Apr 2011 11:41:20 -0400


Kvno value is actually 9 throughout 

(idiosyncrasy of MIT Kerb, increasing kvno when adding a key to keytab;
Section 3.51 in this doc:
http://openafs-wiki.stanford.edu/AFSLore/AdminFAQ/#3.51%20Can%20I%20authenticate%20to%20my%20af).

 

Here is the current kvno, as shown by kadmin:

 

kadmin:  get_principal afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU
Principal: afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU

-- snip --

Number of keys: 1
Key: vno 9, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]

 

And also as shown by klist:

 

[root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.keytab
Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)

 

 

I have the encryption des-cbc-md5 in three other AFS-related keytabs, which
asetkey has been able to process. 

 

Is there a way to narrow down the meaning/origin of that error?

 

Thanks,

Danko

 

  _____  

From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com] 
Sent: Tuesday, April 12, 2011 11:09 AM
To: Danko Antolovic
Cc: <openafs-info@openafs.org>
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while
extracting AFS service key

 

If the kvno you generated is 8, then the kvno you ask asetkey to add must
also be 8.

Sent from my iPad


On Apr 12, 2011, at 11:01 AM, "Danko Antolovic" <dantolov@indiana.edu>
wrote:

Hello,

 

here is my problem: I have a nicely functional AFS server, cell name
afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a
second authentication realm, a Kerberos 5, named
KDC.DANTOLOV.UITS.INDIANA.EDU.  All of this is under RHEL 5.

 

On the KDC machine, I made the service principal and placed its key in a
keytab. All of that apparently worked OK:

 

kadmin:  add_principal -e des-cbc-md5:normal  -kvno 8 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU

kadmin:  ktadd -e des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU

 

I transferred the keytab to the AFS server, and it looks fine:

 

[root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.keytab
Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)

 

However, the asetkey fails to get the key out of the keytab and into the
/usr/afs/etc/KeyFile:

 

[root@afs1c afs]#  asetkey add  9  afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
asetkey: unknown RPC error (-1765328203) while extracting AFS service key

 

The translation of the error code is not very helpful:

 

[root@afs1c afs]# translate_et  -1765328203
-1765328203 (krb5).181 = unknown RPC error (-1765328203)

 

I have the right file /usr/afs/etc/krb.conf on the AFS server:

 

[root@afs1c afs]# cat /usr/afs/etc/krb.conf

ADS.IU.EDU  KDC.DANTOLOV.UITS.INDIANA.EDU

 

This problem has been discussed in OpenAFS forums in 2010, in an AD setting,
apparently inconclusively. Would anyone be able to shed any new light?

 

Thank you very much,

 

Danko Antolovic

Principal Scientist, Research Technologies,

Indiana University
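
The "(krb5).181" in the translate_et output above comes from the way com_err packs a status code: the low 8 bits are an offset into an error table, and the bits above them spell the table's name in a 6-bit alphabet. The following is an added example, not part of the original thread and not OpenAFS or MIT code, that decodes the code from the message; the function names are this example's own, and the symbol table is a four-entry excerpt of the MIT krb5 error table.

```python
"""Decode a com_err status code into its error-table name and offset."""

# 6-bit alphabet com_err uses to pack a table name into the table base.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8    # low 8 bits of a code: offset inside the table
BITS_PER_CHAR = 6    # each table-name character takes 6 bits above that

# Excerpt of the MIT krb5 error table (offset -> symbol, message).
# Only the keytab entries around the offset seen in the thread are listed.
KRB5_EXCERPT = {
    179: ("KRB5_KT_BADNAME", "Key table name malformed"),
    180: ("KRB5_KT_UNKNOWN_TYPE", "Unknown Key table type"),
    181: ("KRB5_KT_NOTFOUND", "Key table entry not found"),
    182: ("KRB5_KT_END", "End of key table reached"),
}


def table_name(code):
    """Return the table name packed into the upper 24 bits of a code."""
    n = (code & 0xFFFFFFFF) >> ERRCODE_RANGE   # treat as unsigned 32-bit
    chars = []
    for shift in (18, 12, 6, 0):               # up to four 6-bit characters
        ch = (n >> shift) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                                  # 0 means "no character"
            chars.append(CHARSET[ch - 1])
    return "".join(chars)


def table_base(name):
    """Inverse of table_name: signed 32-bit base for a 1-4 character name."""
    n = 0
    for c in name:
        n = (n << BITS_PER_CHAR) | (CHARSET.index(c) + 1)
    n <<= ERRCODE_RANGE
    return n - (1 << 32) if n & 0x80000000 else n


def decode(code):
    """Split a status code into (table name, offset).

    Codes with no table bits set are plain system errno values, which
    com_err passes through unchanged; they are reported as table "errno".
    """
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    name = table_name(code)
    return (name or "errno", offset)


def describe(code):
    """Human-readable form, with a symbol when the excerpt knows it."""
    name, offset = decode(code)
    text = f"{code} = ({name}).{offset}"
    if name == "krb5" and offset in KRB5_EXCERPT:
        symbol, message = KRB5_EXCERPT[offset]
        text += f" = {symbol}: {message}"
    return text


if __name__ == "__main__":
    # The code reported by asetkey in the message above.
    print(describe(-1765328203))
```
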

 

