[OpenAFS] New installation, linux server, AD kerberos

Benjamin Kaduk kaduk@mit.edu
Tue, 20 Jun 2017 15:21:42 -0500


On Tue, Jun 20, 2017 at 08:18:10PM +0000, John D'Ausilio wrote:
> I’ve been fighting with trying to bring up a brand new AFS on linux (Ubuntu server 16.04LTS).
> I had the domain admins add a user and principal and generate a keytab, from which I deleted the DES keys:
> ktutil:  list -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    6  afs/test.example.com@REALM (arcfour-hmac) 
>    2    6  afs/test.example.com@REALM (aes256-cts-hmac-sha1-96) 
>    3    6  afs/test.example.com@REALM (aes128-cts-hmac-sha1-96)
> I can get a ticket with kinit with the keytab.
> When I try to add it to openafs config with asetkey, I get this:
> asetkey: unknown RPC error (-1765328203) for keytab entry with Principal afs/test.example.com@REALM, kvno 6, DES-CBC-CRC/MD5/MD4
> 
> It appears to be trying to look for a DES key? I don’t see any way to tell asetkey what the crypto is (though I see references to an earlier? version that took the encryption type number as a parameter).

Without looking too hard at the particular error message, you don't
need to use asetkey with the version of openafs shipped with
16.04LTS -- just rename the krb5 keytab to rxkad.keytab and drop it
in the directory next to the KeyFile.

Unfortunately,
http://openafs.org/pages/security/install-rxkad-k5-1.6.txt and the
other text associated with OPENAFS-SA-2013-003 may still be the best
documentation for this.  The Unix Quickstart guide should have the
proper procedure as well, IIRC.

-Ben
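
An added example, not part of the original message and not OpenAFS code: a pre-install check for the step described above, which parses the krb5 keytab, refuses it if a single-DES entry remains, and copies it as rxkad.keytab into the directory that holds the KeyFile. The function names, the server_dir parameter, the 0600 mode and the refuse-on-DES policy are assumptions of this example; the sample keytab is constructed with dummy keys.

```python
import os, struct

SINGLE_DES = {1, 2, 3}  # enctype numbers for des-cbc-crc, des-cbc-md4, des-cbc-md5

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] from a krb5 keytab (file format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 krb5 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                  # negative length marks a deleted slot
            pos += -size
            continue
        p, strs = pos + 2, []
        (ncomp,) = struct.unpack_from(">H", data, pos)
        for _ in range(ncomp + 1):     # realm first, then the name components
            (n,) = struct.unpack_from(">H", data, p)
            strs.append(data[p + 2:p + 2 + n].decode())
            p += 2 + n
        p += 8                         # skip name type and timestamp
        kvno, etype, klen = struct.unpack_from(">BHH", data, p)
        p += 5 + klen
        if pos + size - p >= 4:        # optional 32-bit kvno; zero means unused
            kvno = struct.unpack_from(">I", data, p)[0] or kvno
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, etype))
        pos += size
    return entries

def install_rxkad_keytab(keytab_path, server_dir):
    """Copy keytab_path to server_dir/rxkad.keytab (mode 0600) unless it holds DES keys."""
    with open(keytab_path, "rb") as f:
        data = f.read()
    entries = parse_keytab(data)
    if not entries or any(e[2] in SINGLE_DES for e in entries):
        raise ValueError(f"refusing to install, single-DES or empty keytab: {entries}")
    dest = os.path.join(server_dir, "rxkad.keytab")
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as out:
        out.write(data)
    os.chmod(dest, 0o600)              # tighten a pre-existing file as well
    return dest, entries

def sample_keytab(etypes, kvno=6):
    """Constructed input: afs/test.example.com@REALM entries with all-zero dummy keys."""
    s = lambda b: struct.pack(">H", len(b)) + b
    head = struct.pack(">H", 2) + s(b"REALM") + s(b"afs") + s(b"test.example.com")
    ents = [head + struct.pack(">IIBH", 1, 0, kvno, et) + s(bytes(kl)) for et, kl in etypes]
    return b"\x05\x02" + b"".join(struct.pack(">i", len(e)) + e for e in ents)
```

Called with the keytab from the listing above (enctypes 23, 18 and 17 at kvno 6), install_rxkad_keytab returns the destination path and the parsed entries; server_dir is whichever directory holds the KeyFile on the server.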