[OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 12 Apr 2011 12:02:14 -0400


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enigFB8F7685FFD00FEB7A9A44D5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 4/12/2011 11:18 AM, Simon Wilkinson wrote:
>=20
> On 12 Apr 2011, at 16:09, Jeffrey Altman wrote:
>=20
>> If the kvno you generated is 8, then the keno you ask asetkey to add m=
ust also be 8.
>=20
> The principal was added with kvno 8, but then the 'ktadd' incremented t=
hat number by 1 one when it regenerated the key to create the keytab. kli=
st shows the kvno as 9:
>=20
>>> [root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.key=
tab
>>> Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
>>> KVNO Principal
>>> ---- ----------------------------------------------------------------=
----------
>>>    9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc m=
ode with RSA-MD5)
>=20
> I think the problem is the encryption type. When we do the extract, we =
specifically ask for a des-cbc-crc key. The key you have created is des-c=
bc-md5. I suspect that the extraction routine is seeing these types as di=
fferent, and so failing the match.
>=20
> Try again with a des-cbc-crc key, and see if that works!
>=20
> Cheers,
>=20
> Simon.

My apologies for the rushed (and incorrect) response.

Simon is correct.  The most likely cause of KRB5_KT_NOTFOUND
(-17655328203) is the non-matching enctype.  I've posted a patchset to
gerrit.openafs.org which permits the DES-CBC-MD5 and DES-CBC-MD4
enctypes to be accepted by asetkey.

  http://gerrit.openafs.org/#change,4459

Jeffrey Altman


--------------enigFB8F7685FFD00FEB7A9A44D5
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJNpHeIAAoJENxm1CNJffh4B8EIAMIQka75vaWiS9ZonggX8Ule
YmDkFtUYryfJCZ99uyw5P4EPpB7ejPC7s+VsCYoVkp3rwVlAErNmGVthOSR7JJvo
BR6o71o9Hkdy9MHebbOB61AfUmGnhW3ac6QduF5Co0C2+VbWvFuw5y/DCGViuOFt
twW8hFF3y+VdDaOK0jdZ7m5bRsT59hiix0gb4N/fjZUenyGfXjwMHd6OnIEmN5we
2Vi7wFCnA0RGMKFmAHODNhOJ1K0W44jalKqhp/DbgkdrwCLIoLW7SzRj2FmE+IVM
R8OLDgXvY1UIpRlg9cHSQ0rMq+ZG7r09vhAw1Uh35nc4BqdeJNzUJ4v65/JchhU=
=HknG
-----END PGP SIGNATURE-----

--------------enigFB8F7685FFD00FEB7A9A44D5--