[OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key
Danko Antolovic
dantolov@indiana.edu
Tue, 12 Apr 2011 14:23:25 -0400
Jeffrey,
Thanks, that was, in fact, the problem. The authentication against the
second realm works fine now.
[root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU
[root@afs1c afs]#
[root@afs1c afs]# bos listkeys afs1 -noauth
key 3 has cksum 3855684052
key 9 has cksum 3805856571
Keys last changed on Tue Apr 12 13:54:08 2011.
All done.
Could we add an explicit note about the syntax of the "principal" field in
the asetkey documentation, thus making this world a better place?
........ :-)
http://docs.openafs.org/Reference/8/asetkey.html
Thanks again for the help.
Danko Antolovic
-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
Sent: Tuesday, April 12, 2011 1:21 PM
To: Danko Antolovic
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while
extracting AFS service key
On 4/12/2011 11:01 AM, Danko Antolovic wrote:
> [root@afs1c afs]# asetkey add 9
> afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
This may not be an enctype issue after all. Please try specifying the
realm as part of the principal you are attempting to import. If you
don't specify a realm, one will be guessed for you.
Jeffrey Altman
-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
Sent: Tuesday, April 12, 2011 12:02 PM
Cc: Danko Antolovic; <openafs-info@openafs.org>
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while
extracting AFS service key
On 4/12/2011 11:18 AM, Simon Wilkinson wrote:
>
> On 12 Apr 2011, at 16:09, Jeffrey Altman wrote:
>
>> If the kvno you generated is 8, then the kvno you ask asetkey to add must also be 8.
>
> The principal was added with kvno 8, but then the 'ktadd' incremented that
> number by 1 when it regenerated the key to create the keytab. klist
> shows the kvno as 9:
>
>>> [root@afs1c afs]# klist -e -k afs1_dantolov.uits.indiana.edu_kdc.keytab
>>> Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>> 9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)
>
> I think the problem is the encryption type. When we do the extract, we
> specifically ask for a des-cbc-crc key. The key you have created is
> des-cbc-md5. I suspect that the extraction routine is seeing these types as
> different, and so failing the match.
>
> Try again with a des-cbc-crc key, and see if that works!
>
> Cheers,
>
> Simon.
My apologies for the rushed (and incorrect) response.
Simon is correct. The most likely cause of KRB5_KT_NOTFOUND
(-17655328203) is the non-matching enctype. I've posted a patchset to
gerrit.openafs.org which permits the DES-CBC-MD5 and DES-CBC-MD4
enctypes to be accepted by asetkey.
http://gerrit.openafs.org/#change,4459
Jeffrey Altman
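
The messages above turn on three things that must line up when a key is looked up in the keytab: the principal including its realm, the kvno, and the enctype. As an added example (not part of the original messages and not OpenAFS code), this shell function reads `klist -e -k` output and reports which of the three fails; the function name, the result strings and the `DES cbc mode with CRC-32` label for des-cbc-crc are assumptions.

```shell
#!/bin/sh
# Added example, not OpenAFS code. Reads `klist -e -k KEYTAB` output on stdin
# and reports which part of the (principal, kvno, enctype) lookup fails.
# usage: klist -e -k KEYTAB | check_keytab_entry KVNO PRINCIPAL ENCTYPE_LABEL
check_keytab_entry() {
    awk -v k="$1" -v p="$2" -v e="$3" '
        # Without "@REALM" a realm would be guessed, so flag it up front.
        BEGIN { norealm = (index(p, "@") == 0) }
        $1 ~ /^[0-9]+$/ && NF >= 2 {      # entry: "9 name@REALM (label)"
            if ($2 != p) next
            seen_princ = 1
            if ($1 + 0 != k + 0) next
            seen_kvno = 1
            sub(/[ \t]+$/, "")            # drop trailing blanks before matching
            if (match($0, /\([^()]*\)$/) &&
                substr($0, RSTART + 1, RLENGTH - 2) == e) found = 1
        }
        END {
            if (norealm)    { print "no-realm"; exit 2 }
            if (found)      { print "ok"; exit 0 }
            if (seen_kvno)  { print "enctype-mismatch"; exit 3 }
            if (seen_princ) { print "kvno-mismatch"; exit 4 }
            print "principal-not-found"; exit 5
        }'
}

# The klist listing quoted in the thread, embedded as fixed sample input.
SAMPLE_KLIST='Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/afs1.bedrock.iu.edu@KDC.DANTOLOV.UITS.INDIANA.EDU (DES cbc mode with RSA-MD5)'

P=afs/afs1.bedrock.iu.edu
R=KDC.DANTOLOV.UITS.INDIANA.EDU
# Assumption: "DES cbc mode with CRC-32" is how this klist labels des-cbc-crc.
run() { printf '%s\n' "$SAMPLE_KLIST" | check_keytab_entry "$@" || :; }
run 9 "$P"    "DES cbc mode with CRC-32"   # principal given without a realm
run 8 "$P@$R" "DES cbc mode with CRC-32"   # kvno from before ktadd re-keyed
run 9 "$P@$R" "DES cbc mode with CRC-32"   # enctype asetkey asks for
run 9 "$P@$R" "DES cbc mode with RSA-MD5"  # enctype actually in the keytab
```

The enctype label is compared verbatim against what the local `klist` prints, so pass the string your Kerberos build uses.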