[OpenAFS] Help setting up openafs on debian bookworm
Ernesto Alfonso
erjoalgo@gmail.com
Sun, 2 Jun 2024 08:47:49 -0400
--00000000000080254c0619e7a06a
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
I am a bit paranoid so I redacted part the `asetkey` output with question
marks, here is the actual output, including the keytab list (on debian I
don't seem to have rkt or wkt but I have klist):
=E2=96=88[asus][~][1]$ sudo asetkey list
rxkad_krb5 kvno 5 enctype 17; key is:
5eb1d56251abadd918b41843f2246825
rxkad_krb5 kvno 5 enctype 18; key is:
d075ab4afb7e5f482b90ec35a8948a3f7838f39b581d49f42c10a554c2bf2955
rxkad_krb5 kvno 9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5 kvno 9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
=E2=96=88[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
----
--------------------------------------------------------------------------
9 afs@ASUS.ERJOALGO.COM (aes256-cts-hmac-sha1-96)
9 afs@ASUS.ERJOALGO.COM (aes128-cts-hmac-sha1-96)
5 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM (aes256-cts-hmac-sha1-96)
5 afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM (aes128-cts-hmac-sha1-96)
=E2=96=88
The reason I have two different key numbers is that I have keys for two
different principals, both afs@ASUS.ERJOALGO.COM and afs/
asus.erjoalgo.com@ASUS.ERJOALGO.COM . The latter principal came after
trying to solve the error "bos: ticket contained unknown key version number
error encountered while" and coming across this post below:
https://lists.openafs.org/pipermail/openafs-info/2009-April/031205.html
Which said:
My fault
the principal should be afs/creedon.biz@CREEDON.BIZ not afs@CREEDON.BIZ
Found it out with aklog -d
Tedc
My actual problem was that I had updated the principal's keys without
re-exporting them to the keytab and importing them into AFS, and doing this
fixed the "ticket contained unknown key version number error" problem.
I could probably remove the afs/asus.erjoalgo.com@ASUS.ERJOALGO.COM key but
it doesn't seem to do any harm. In fact, I have done it:
=E2=96=88[asus][~][130]$ sudo kadmin.local ktrem -k
/etc/openafs/server/rxkad.keytab afs/asus.erjoalgo.com all
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from
keytab WRFILE:/etc/openafs/server/rxkad.keytab.
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from
keytab WRFILE:/etc/openafs/server/rxkad.keytab.
=E2=96=88[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
----
--------------------------------------------------------------------------
9 afs@ASUS.ERJOALGO.COM (aes256-cts-hmac-sha1-96)
9 afs@ASUS.ERJOALGO.COM (aes128-cts-hmac-sha1-96)
=E2=96=88[asus][~][130]$ sudo rm /etc/openafs/server/KeyFileExt
=E2=96=88[asus][~][0]$ sudo akeyconvert -all
Wrote 2 keys
=E2=96=88[asus][~][0]$ sudo asetkey list
rxkad_krb5 kvno 9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5 kvno 9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
=E2=96=88[asus][~][0]$ sudo bos listkeys asus.erjoalgo.com -localauth
All done.
=E2=96=88[asus][~][0]$
Now my problem is still understanding why `bos listkeys` now succeeds but
returns an empty set when asetkey does list 4 keys.
Ernesto
On Sun, Jun 2, 2024 at 4:15=E2=80=AFAM Dirk Heinrichs <dirk.heinrichs@altum=
.de>
wrote:
> Ernesto Alfonso:
>
> > sudo asetkey list
> > rxkad_krb5 kvno 5 enctype 17; key is:
> > ????????????????????????????????
> > rxkad_krb5 kvno 5 enctype 18; key is:
> > ????????????????????????????????????????????????????????????????
> > rxkad_krb5 kvno 9 enctype 17; key is:
> > ????????????????????????????????
> > rxkad_krb5 kvno 9 enctype 18; key is:
> > ????????????????????????????????????????????????????????????????
>
> I'm a little bit confused about the key version numbers (kvno). They
> should IMHO be the same. Are those question marks the same string for
> the respective enctypes? You could also check the content of your
> keytab, by running "ktutil". In ktutil, read your keytab file using "rkt
> /etc/openafs/server/rxkad.keytab" and then list the keys using the "l"
> (lowercase "L") command. It should list multiple keys, which all have
> the same kvno. If not delete the ones with the lower kvno's, using
> "delent <slot number>" and save the file using "wkt
> /etc/openafs/server/rxkad.keytab".
>
> HTH...
>
> Dirk
>
> --
> Dirk Heinrichs <dirk.heinrichs@altum.de>
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
>
>
--00000000000080254c0619e7a06a
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
<div dir=3D"ltr"><div>I am a bit paranoid so I redacted part the `asetkey` =
output with question marks, here is the actual output, including the keytab=
list (on debian I don't seem to have rkt or wkt but I have klist):</di=
v><div><br></div><div><br></div><div>=C2=A0 =C2=A0 =E2=96=88[asus][~][1]$ s=
udo asetkey list<br>=C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=
=A0 =C2=A05 enctype 17; key is: 5eb1d56251abadd918b41843f2246825<br>=C2=A0 =
=C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A05 enctype 18; key i=
s: d075ab4afb7e5f482b90ec35a8948a3f7838f39b581d49f42c10a554c2bf2955<br>=C2=
=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A09 enctype 17; k=
ey is: 4282df96efc8b6667fa48e422875728a<br>=C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =
=C2=A0 =C2=A0kvno =C2=A0 =C2=A09 enctype 18; key is: a2577e635303819c8b26f3=
03e901d7e662f59101e9a4361c414e77716443fef6<br>=C2=A0 =C2=A0 All done.<br>=
=C2=A0 =C2=A0 =E2=96=88[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxk=
ad.keytab<br>=C2=A0 =C2=A0 Keytab name: FILE:/etc/openafs/server/rxkad.keyt=
ab<br>=C2=A0 =C2=A0 KVNO Principal<br>=C2=A0 =C2=A0 ---- ------------------=
--------------------------------------------------------<br>=C2=A0 =C2=A0 =
=C2=A0 =C2=A09 <a href=3D"mailto:afs@ASUS.ERJOALGO.COM">afs@ASUS.ERJOALGO.C=
OM</a> (aes256-cts-hmac-sha1-96)<br>=C2=A0 =C2=A0 =C2=A0 =C2=A09 <a href=3D=
"mailto:afs@ASUS.ERJOALGO.COM">afs@ASUS.ERJOALGO.COM</a> (aes128-cts-hmac-s=
ha1-96)<br>=C2=A0 =C2=A0 =C2=A0 =C2=A05 afs/<a href=3D"mailto:asus.erjoalgo=
.com@ASUS.ERJOALGO.COM">asus.erjoalgo.com@ASUS.ERJOALGO.COM</a> (aes256-cts=
-hmac-sha1-96)<br>=C2=A0 =C2=A0 =C2=A0 =C2=A05 afs/<a href=3D"mailto:asus.e=
rjoalgo.com@ASUS.ERJOALGO.COM">asus.erjoalgo.com@ASUS.ERJOALGO.COM</a> (aes=
128-cts-hmac-sha1-96)<br>=C2=A0 =C2=A0 =E2=96=88<br></div><div><br></div><d=
iv><br></div><div>The reason I have two different key numbers is that I hav=
e keys for two different principals, both <a href=3D"mailto:afs@ASUS.ERJOAL=
GO.COM">afs@ASUS.ERJOALGO.COM</a> and afs/<a href=3D"mailto:asus.erjoalgo.c=
om@ASUS.ERJOALGO.COM">asus.erjoalgo.com@ASUS.ERJOALGO.COM</a> . The latter =
principal came after trying to solve the error "<span style=3D"color:r=
gb(0,0,0)">bos: ticket contained unknown key version number error encounter=
ed while" and coming across this post below:</span></div><div><span st=
yle=3D"color:rgb(0,0,0)"><br></span></div><div><a href=3D"https://lists.ope=
nafs.org/pipermail/openafs-info/2009-April/031205.html">https://lists.opena=
fs.org/pipermail/openafs-info/2009-April/031205.html</a></div><div><br></di=
v><div>Which said:</div><div><br></div><div>=C2=A0 =C2=A0 My fault<br>=C2=
=A0 =C2=A0 the principal should be afs/<a href=3D"mailto:creedon.biz@CREEDO=
N.BIZ">creedon.biz@CREEDON.BIZ</a> not <a href=3D"mailto:afs@CREEDON.BIZ">a=
fs@CREEDON.BIZ</a><br>=C2=A0 =C2=A0 Found it out with aklog -d<br>=C2=A0 =
=C2=A0 Tedc<br></div><div><br></div><div><br></div><div>My actual problem w=
as that I had updated the principal's keys without re-exporting them to=
the keytab and importing them into AFS, and doing this fixed the "<sp=
an style=3D"color:rgb(0,0,0)">ticket contained unknown key version number e=
rror" problem.</span></div><div><br></div><div>I could probably remove=
the afs/<a href=3D"mailto:asus.erjoalgo.com@ASUS.ERJOALGO.COM">asus.erjoal=
go.com@ASUS.ERJOALGO.COM</a> key but it doesn't seem to do any harm. In=
fact, I have done it:</div><div><br></div><div>=C2=A0 =C2=A0 =E2=96=88[asu=
s][~][130]$ sudo kadmin.local ktrem -k /etc/openafs/server/rxkad.keytab afs=
/<a href=3D"http://asus.erjoalgo.com">asus.erjoalgo.com</a> all<br>=C2=A0 =
=C2=A0 Entry for principal afs/<a href=3D"http://asus.erjoalgo.com">asus.er=
joalgo.com</a> with kvno 5 removed from keytab WRFILE:/etc/openafs/server/r=
xkad.keytab.<br>=C2=A0 =C2=A0 Entry for principal afs/<a href=3D"http://asu=
s.erjoalgo.com">asus.erjoalgo.com</a> with kvno 5 removed from keytab WRFIL=
E:/etc/openafs/server/rxkad.keytab.<br>=C2=A0 =C2=A0 =E2=96=88[asus][~][0]$=
sudo klist -ke /etc/openafs/server/rxkad.keytab<br>=C2=A0 =C2=A0 Keytab na=
me: FILE:/etc/openafs/server/rxkad.keytab<br>=C2=A0 =C2=A0 KVNO Principal<b=
r>=C2=A0 =C2=A0 ---- ------------------------------------------------------=
--------------------<br>=C2=A0 =C2=A0 =C2=A0 =C2=A09 <a href=3D"mailto:afs@=
ASUS.ERJOALGO.COM">afs@ASUS.ERJOALGO.COM</a> (aes256-cts-hmac-sha1-96)<br>=
=C2=A0 =C2=A0 =C2=A0 =C2=A09 <a href=3D"mailto:afs@ASUS.ERJOALGO.COM">afs@A=
SUS.ERJOALGO.COM</a> (aes128-cts-hmac-sha1-96)<br>=C2=A0 =C2=A0 =E2=96=88[a=
sus][~][130]$ sudo rm /etc/openafs/server/KeyFileExt<br>=C2=A0 =C2=A0 =E2=
=96=88[asus][~][0]$ sudo akeyconvert -all<br>=C2=A0 =C2=A0 Wrote 2 keys<br>=
=C2=A0 =C2=A0 =E2=96=88[asus][~][0]$ sudo asetkey list<br>=C2=A0 =C2=A0 rxk=
ad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A09 enctype 17; key is: 4282df9=
6efc8b6667fa48e422875728a<br>=C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0k=
vno =C2=A0 =C2=A09 enctype 18; key is: a2577e635303819c8b26f303e901d7e662f5=
9101e9a4361c414e77716443fef6<br>=C2=A0 =C2=A0 All done.<br>=C2=A0 =C2=A0 =
=E2=96=88[asus][~][0]$ sudo bos listkeys=C2=A0<span style=3D"font-family:mo=
nospace"><span style=3D"color:rgb(0,0,0)"><a href=3D"http://asus.erjoalgo.c=
om">asus.erjoalgo.com</a></span></span>=C2=A0-localauth<br>=C2=A0 =C2=A0 Al=
l done.<br>=C2=A0 =C2=A0 =E2=96=88[asus][~][0]$<br>=C2=A0 =C2=A0=C2=A0<br><=
/div><div><br></div><div>Now my problem is still understanding why `bos lis=
tkeys` now succeeds but returns an empty set when asetkey does list 4 keys.=
</div><div><br></div><div>Ernesto</div></div><br><div class=3D"gmail_quote"=
><div dir=3D"ltr" class=3D"gmail_attr">On Sun, Jun 2, 2024 at 4:15=E2=80=AF=
AM Dirk Heinrichs <<a href=3D"mailto:dirk.heinrichs@altum.de">dirk.heinr=
ichs@altum.de</a>> wrote:<br></div><blockquote class=3D"gmail_quote" sty=
le=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);paddi=
ng-left:1ex">Ernesto Alfonso:<br>
<br>
> sudo asetkey list<br>
> =C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A05 encty=
pe 17; key is: <br>
> ????????????????????????????????<br>
> =C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A05 encty=
pe 18; key is: <br>
> ????????????????????????????????????????????????????????????????<br>
> =C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A09 encty=
pe 17; key is: <br>
> ????????????????????????????????<br>
> =C2=A0 =C2=A0 rxkad_krb5 =C2=A0 =C2=A0 =C2=A0kvno =C2=A0 =C2=A09 encty=
pe 18; key is: <br>
> ????????????????????????????????????????????????????????????????<br>
<br>
I'm a little bit confused about the key version numbers (kvno). They <b=
r>
should IMHO be the same. Are those question marks the same string for <br>
the respective enctypes? You could also check the content of your <br>
keytab, by running "ktutil". In ktutil, read your keytab file usi=
ng "rkt <br>
/etc/openafs/server/rxkad.keytab" and then list the keys using the &qu=
ot;l" <br>
(lowercase "L") command. It should list multiple keys, which all =
have <br>
the same kvno. If not delete the ones with the lower kvno's, using <br>
"delent <slot number>" and save the file using "wkt <b=
r>
/etc/openafs/server/rxkad.keytab".<br>
<br>
HTH...<br>
<br>
=C2=A0=C2=A0=C2=A0=C2=A0 Dirk<br>
<br>
-- <br>
Dirk Heinrichs <<a href=3D"mailto:dirk.heinrichs@altum.de" target=3D"_bl=
ank">dirk.heinrichs@altum.de</a>><br>
Matrix-Adresse: @heini:<a href=3D"http://chat.altum.de" rel=3D"noreferrer" =
target=3D"_blank">chat.altum.de</a><br>
GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049<br>
Privacy Handbuch: <a href=3D"https://www.privacy-handbuch.de" rel=3D"norefe=
rrer" target=3D"_blank">https://www.privacy-handbuch.de</a><br>
<br>
</blockquote></div>
--00000000000080254c0619e7a06a--