>>>>> "Ken" == Ken Hornstein <[EMAIL PROTECTED]> writes:
>> I have strange problems in integrating openafs into krb5. I
>> use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and
>> 1.2.4 for the kerberos master/admin server. I checked
>> everything with these key-versions (thanks to Derek on the
>> openafs mailing list), but it did not help. I always get
>> "ticket contained unknown key version number"

Ken> At the end of the day, there is a ticket in a Keyfile that
Ken> does not agree with the service ticket stored in your KDC.
Ken> This is the ONLY possible cause of this error (at least, the
Ken> only one I've ever seen).

Except that your info is out of date. Quoting the 1.2.6 README:

* krb524d will now, by default, convert krb5 tickets for afs service
  principals to special tokens that are actually just the
  EncryptedData part of a krb5 Ticket structure. This may be
  overridden; please consult src/krb524/README for details.

And quoting that readme:

Krb524 AFS Conversion
---------------------

An alternate conversion is provided for AFS servers that support the
encrypted part of a krb5 ticket as an AFS token. If the krb524d is
converting a principal whose first component is afs and if the
encrypted part of the ticket fits in 344 bytes, then it will default
to simply returning the encrypted part of the ticket as a token. If
it turns out that the AFS server does not support the ticket, then
users will get an unknown key version error and the krb524d must be
configured to use v4 tickets for this AFS service.

The krb524d looks in the appdefaults section of krb5.conf for an
application called afs_krb5 to determine whether afs principals
support encrypted ticket parts as tokens. The following configuration
fragment says that [EMAIL PROTECTED] supports the new token format but
[EMAIL PROTECTED] and [EMAIL PROTECTED] do not. Note that the default
is to assume afs servers support the new format.

[appdefaults]
afs_krb5 = {
        ATHENA.MIT.EDU = {
                # This stanza describes principals in the
                #ATHENA.MIT.EDU realm
                afs = false
                afs/athena.mit.edu = false
                afs/sipb.mit.edu = true
        }
}

________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
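
The decision the quoted README describes, modeled in Python as an added example (not code from krb524d or from this thread), useful for checking which AFS principals a given krb5.conf switches back to v4 tickets. It assumes the realm-nested stanza layout shown above; `parse_afs_krb5`, `token_format` and the two return labels are hypothetical names, and the sample config is the README's fragment re-typed as constructed input.

```python
import re

MAX_TOKEN_LEN = 344  # size limit quoted from src/krb524/README
TRUE_WORDS = ("y", "yes", "true", "t", "1", "on")

# Constructed sample: the README's stanza as it would sit in krb5.conf.
SAMPLE_CONF = """
[appdefaults]
afs_krb5 = {
    ATHENA.MIT.EDU = {
        # This stanza describes principals in the ATHENA.MIT.EDU realm
        afs = false
        afs/athena.mit.edu = false
        afs/sipb.mit.edu = true
    }
}
"""

def parse_afs_krb5(conf_text):
    """Return {realm: {principal: bool}} from the afs_krb5 appdefaults stanza."""
    table, stack, in_appdefaults = {}, [], False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or whole-line comment
            continue
        if line.startswith("["):              # a new section resets nesting
            in_appdefaults, stack = (line == "[appdefaults]"), []
            continue
        if not in_appdefaults:
            continue
        if line == "}":
            stack = stack[:-1]
            continue
        m = re.match(r"(\S+)\s*=\s*(.+)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            stack.append(key)                 # entering afs_krb5 or a realm block
        elif len(stack) == 2 and stack[0] == "afs_krb5":
            table.setdefault(stack[1], {})[key] = value.lower() in TRUE_WORDS
    return table

def token_format(principal, realm, enc_part_len, table):
    """Token kind returned for a service principal under the README's rules."""
    if principal.split("/")[0] != "afs" or enc_part_len > MAX_TOKEN_LEN:
        return "v4-ticket"                    # ordinary 524 conversion
    supports = table.get(realm, {}).get(principal, True)  # default: supported
    return "krb5-enc-part" if supports else "v4-ticket"
```

A principal that resolves to `krb5-enc-part` while its AFS server predates that token format is the case the README ties to the unknown key version error.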