[OpenAFS] unknown RPC error (-1765328370) while getting AFS tickets

chas williams - CONTRACTOR chas@cmf.nrl.navy.mil
Tue, 27 Mar 2012 10:10:56 -0400


specifically, your /etc/krb5.conf should have allow_weak_crypto = true
in the [libdefaults] section.

i tried to add this info to the afslore wiki but it didn't seem to take.

On Tue, 27 Mar 2012 07:49:53 -0400
Derrick Brashear <shadow@gmail.com> wrote:

> https://lists.openafs.org/pipermail/openafs-info/2011-June/036188.html
>
> On Tue, Mar 27, 2012 at 3:45 AM, Stefan Michael Guenther
> <s.guenther@in-put.de> wrote:
> > Hello,
> >
> > I'm currently trying to set up OpenAFS 1.6.0-1 together with MIT Kerberos 1.9.1 on an Ubuntu System.
> >
> > All necessary processes are running but something seems to be wrong with my Kerberos configuration:
> >
> > intranet:/var/log# kinit admin
> > Password for admin@IN-PUT.DE:
> >
> > intranet:/var/log# klist
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: admin@IN-PUT.DE
> >
> > Valid starting     Expires            Service principal
> > 03/27/12 09:13:32  03/27/12 19:13:32  krbtgt/IN-PUT.DE@IN-PUT.DE
> >         renew until 03/28/12 09:13:29
> >
> >
> > intranet:/var/log# aklog -d
> > Authenticating to cell IN-PUT.DE (server intranet.in-put.de).
> > Trying to authenticate to user's realm IN-PUT.DE.
> > Getting tickets: afs/IN-PUT.DE@IN-PUT.DE
> > We've deduced that we need to authenticate to realm IN-PUT.DE.
> > Getting tickets: afs/IN-PUT.DE@IN-PUT.DE
> > Getting tickets: afs/IN-PUT.DE@IN-PUT.DE
> > Getting tickets: afs@IN-PUT.DE
> > Kerberos error code returned by get_cred : -1765328370
> > aklog: Couldn't get IN-PUT.DE AFS tickets:
> > aklog: unknown RPC error (-1765328370) while getting AFS tickets
> >
> >
> > According to a number of postings the error is related to ticket encryption, but I guess I have the right settings in the Kerberos config files:
> >
> > /etc/krb5.conf
> > -------------------
> >
> > [libdefaults]
> >         default_realm = IN-PUT.DE
> >         krb4_config = /etc/krb.conf
> >         krb4_realms = /etc/krb.realms
> >         kdc_timesync = 1
> >         ccache_type = 4
> >         forwardable = true
> >         proxiable = true
> >         fcc-mit-ticketflags = true
> >
> > [realms]
> >         IN-PUT.DE = {
> >                 kdc = intranet.in-put.de
> >                 admin_server = intranet.in-put.de
> >         }
> >
> > [domain_realm]
> >         .in-put.de = IN-PUT.DE
> >         in-put.de = IN-PUT.DE
> >
> > [login]
> >         krb4_convert = true
> >         krb4_get_tickets = false
> >
> > /etc/krb5kdc/kdc.conf
> > ------------------------------
> >
> > [kdcdefaults]
> >     kdc_ports = 750,88
> >
> > [realms]
> >     IN-PUT.DE = {
> >         database_name = /var/lib/krb5kdc/principal
> >         admin_keytab = FILE:/etc/krb5kdc/kadm5.keytab
> >         acl_file = /etc/krb5kdc/kadm5.acl
> >         key_stash_file = /etc/krb5kdc/stash
> >         kdc_ports = 750,88
> >         max_life = 10h 0m 0s
> >         max_renewable_life = 7d 0h 0m 0s
> >         master_key_type = des3-hmac-sha1
> >         supported_enctypes = #supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3
> >         default_principal_flags = +preauth
> >     }
> >
> > Thanks for any hints or suggestions,
> >
> > Stefan
>
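
The diagnosis in this thread, as an added example that is not part of the original messages: -1765328370 is offset 14 from the MIT krb5 error-table base, which is KDC_ERR_ETYPE_NOSUPP ("KDC has no support for encryption type"), and the sketch below checks a krb5.conf text for the allow_weak_crypto setting named in the reply. The function names and the shortened sample config are constructed for illustration.

```python
import re

# Added illustration: function names are hypothetical, the sample is constructed.
KRB5_ERROR_TABLE_BASE = -1765328384  # base of the MIT krb5 error table
KDC_ERR_ETYPE_NOSUPP = 14            # "KDC has no support for encryption type"
TRUE_VALUES = {"y", "yes", "true", "t", "1", "on"}

# Constructed sample: the krb5.conf from the question, shortened.
SAMPLE_KRB5_CONF = """\
[libdefaults]
        default_realm = IN-PUT.DE
        forwardable = true

[realms]
        IN-PUT.DE = {
                kdc = intranet.in-put.de
        }
"""

def libdefaults(conf_text):
    """Return the top-level key/value relations of [libdefaults]."""
    section, depth, found = None, 0, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m and depth == 0:
            section = m.group(1)          # new section header
        elif line.endswith("{"):
            depth += 1                    # entering a { ... } subsection
        elif line == "}":
            depth = max(depth - 1, 0)
        elif "=" in line and section == "libdefaults" and depth == 0:
            key, _, value = line.partition("=")
            found[key.strip()] = value.strip()
    return found

def diagnose(error_code, conf_text):
    """Relate an aklog error number to the local krb5.conf."""
    offset = error_code - KRB5_ERROR_TABLE_BASE
    if offset != KDC_ERR_ETYPE_NOSUPP:
        return f"offset {offset}: not an enctype-support error"
    value = libdefaults(conf_text).get("allow_weak_crypto", "")
    if value.lower() in TRUE_VALUES:
        return "ETYPE_NOSUPP with allow_weak_crypto already set: check the KDC side"
    return "ETYPE_NOSUPP and allow_weak_crypto is not set in [libdefaults]"

if __name__ == "__main__":
    print(diagnose(-1765328370, SAMPLE_KRB5_CONF))
```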