-----Original Message-----
From: Joe Di Lellio [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 31, 2006 4:15 PM
To: ted creedon
Subject: RE: [OpenAFS] KeyFile generation issue

Cool, that was it. Thanks!

On Thu, 31 Aug 2006, ted creedon wrote:

> I use strace -e read=0,1,2,3 -e write=0,1,2,3 -o foo.c asetkey
> (The .c colorizes the output in an editor)
>
> To help figure out what's going on. I futz around with ktutil and asetkey
> until things line up. Look at the KDC log file for incorrect principal
> names.
>
> I think that the :v4 should be :normal
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 [EMAIL PROTECTED]
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal [EMAIL PROTECTED]
>
> tedc
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of Joe Di Lellio
> Sent: Thursday, August 31, 2006 3:23 PM
> To: [email protected]
> Subject: [OpenAFS] KeyFile generation issue
>
> I'm almost done with a trio of systems to replace my DB servers,
> but I'm having trouble with my KeyFile. I've followed the instructions
> (as mentioned below), but to no avail. The specific instructions are
> from the afs-krb5-2.0 distribution.
>
> What I've done:
>
> 1) The instructions mention creating an AFS principal. We have one
> already, as I have a test KDC with a clone of the production KDC's DB.
> However, I did try nuking the old principal & recreating it, on the
> chance that was the problem. Regardless, I started with a kvno of 3.
>
> 2) There is also a mention of using asetkey to find the kvno in the
> current KeyFile, and modifying the kvno in Kerberos to have the
> same as the highest. I've tried both going from no KeyFile and using
> the one from my current TransArc servers. In the latter case I had
> a kvno here of 3.
>
> 3) I've used ktadd to extract the afs key to a keytab file (the specific
> command is modified slightly as per a page I found googling):
>
> kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 [EMAIL PROTECTED]
>
> As mentioned, this incremented the kvno; in this case to 4.
>
> 4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:
>
> # ./asetkey add 4 /etc/krb5.keytab afs
>
> 5) I kept the keytab file around for a while, but also tried removing
> mention of the AFS principal.
>
> In all the cases, I keep getting the following error:
>
> Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded
> (rxkad error=19270407). Simple googling showed that as RXKADBADTICKET,
> aka "security object was passed a bad ticket". This particular error
> has come up with some of the varying iterations of how I did this, as
> above. I've also seen, as the one variation to the above, the error
> 19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version
> number". In this case I believe it was an early attempt where I had
> a low kvno in my KeyFile (like 3), but I'd increased the kvno on the
> KDC principal due to multiple attempts; I believe it was 9 or so (minor
> data point). That KeyFile was grabbed from one of my TransArc DB servers.
>
> Any clues? As far as I can tell, I've gone through the instructions
> extremely carefully, and with all the variations I should just be running
> across some oddity. I wouldn't be surprised if I'm missing something
> fairly obvious, but I really just can't say.
>
> As always, thanks in advance.
>
> ------
> It ain't what you don't know that gets you into trouble. It's what you
> know for sure that just ain't so. -- Mark Twain
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
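The RXKADUNKNOWNKEY case in the thread is a kvno mismatch: the KDC issues AFS tickets under its current key version, and that version has to be present in the server's KeyFile. The script below is an added example, not code from the thread or from OpenAFS or MIT Kerberos; it cross-checks the kvno reported by `kvno` (what the KDC is issuing), the kvnos held in the keytab (`klist -k -e`), and the kvnos in the KeyFile (`asetkey list`), and tells you which step to repeat. The three command outputs are constructed samples embedded inline, the realm EXAMPLE.ORG and the keytab path are hypothetical, and the exact output layouts of `klist -k -e`, `kvno` and `asetkey list` are assumed to match the samples.

```shell
#!/bin/sh
# Added example: reconcile the AFS key version number across the KDC, the
# keytab and the OpenAFS KeyFile. Not part of the original thread or of
# OpenAFS; output formats below are assumptions taken from the samples.

# Constructed sample of `kvno afs`: the KDC currently issues tickets under kvno 4.
SAMPLE_KVNO='afs@EXAMPLE.ORG: kvno = 4'

# Constructed sample of `klist -k -e -t /etc/krb5.keytab` after the ktadd in
# the thread bumped the afs principal from kvno 3 to 4.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/db1.example.org@EXAMPLE.ORG (AES-256 CTS mode with 96-bit SHA-1 HMAC)
   4 afs@EXAMPLE.ORG (DES cbc mode with CRC-32)'

# Constructed sample of `asetkey list` on a KeyFile copied from an old server
# and never updated: it still holds only kvno 3.
SAMPLE_KEYFILE='kvno    3: key is: 0123456789abcdef
All done.'

# The same KeyFile after `asetkey add 4 /etc/krb5.keytab afs`.
FIXED_KEYFILE='kvno    3: key is: 0123456789abcdef
kvno    4: key is: fedcba9876543210
All done.'

# kvno the KDC is issuing, parsed from kvno(1) output ("<princ>: kvno = N").
kdc_kvno() {
    printf '%s\n' "$1" | sed -n 's/^.*: kvno = \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# kvnos present in the keytab for the AFS principal (afs@REALM or afs/cell@REALM).
# Lines whose first field is a number are entries; the second field is the principal.
keytab_kvnos() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && $2 ~ /^afs[\/@]/ { print $1 }' | sort -n | uniq
}

# kvnos present in the KeyFile, parsed from asetkey list output ("kvno    N: key is: ...").
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "kvno" { sub(/:$/, "", $2); print $2 }' | sort -n | uniq
}

# diagnose <kvno output> <klist output> <asetkey list output>
# Returns 0 when the KeyFile holds the kvno the KDC is issuing, 1 otherwise,
# and prints the next step to take.
diagnose() {
    want=$(kdc_kvno "$1")
    if [ -z "$want" ]; then
        echo "cannot parse kvno output"
        return 2
    fi
    if keyfile_kvnos "$3" | grep -qx "$want"; then
        echo "ok: KeyFile holds kvno $want"
        return 0
    fi
    if keytab_kvnos "$2" | grep -qx "$want"; then
        # Key was extracted but never copied into the KeyFile (RXKADUNKNOWNKEY territory).
        echo "KeyFile lacks kvno $want; keytab has it: asetkey add $want /etc/krb5.keytab afs"
        return 1
    fi
    # KDC has moved past both the keytab and the KeyFile (repeated ktadd attempts).
    echo "KeyFile and keytab both lack kvno $want; re-extract with ktadd, then asetkey add"
    return 1
}
```

On a real server, feed the functions live output: `diagnose "$(kvno afs)" "$(klist -k -e -t /etc/krb5.keytab)" "$(asetkey list)"`. A matching kvno rules out RXKADUNKNOWNKEY but not RXKADBADTICKET; the latter still occurs when the kvno lines up but the key bytes differ, which is what the :v4 versus :normal salt change in the thread addressed.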
