hi,

I am starting a fresh cell on a test box and having trouble creating the
KeyFile correctly. For some reason the notes I made three years ago are
no longer sufficient, so some advice is needed!

Presumably this is due to one of:
        the wrong enctype(s) on the afs principal, or
        an incorrect method of extracting the key into the KeyFile.
Does anybody see where I'm going horribly wrong?

thanks, Dave

# create afs KeyFile from heimdal & put in the right place
# see below for krb5.conf
#
# NOTE(review): the KeyFile is the cell's rxkad secret -- whoever can read
# it can mint tokens for any user. Keep the directory and every intermediate
# copy of the key (the /tmp keytab below) root-only, and delete the
# intermediate copy once the KeyFile has been written.

# "p" is presumably a typo for "-p": as written, mkdir also creates a
# directory named "p" in the current directory. The KeyFile copy further
# down succeeded, so /etc/openafs must already have existed.
[EMAIL PROTECTED]:/home/dave $ mkdir -m 700 p /etc/openafs/server

[EMAIL PROTECTED]:/home/dave $ kadmin -p admin/krb
# --random-key: no password is involved, so the "(pw-salt)" shown on every
# key below is irrelevant to the key material.
kadmin> add --random-key --use-defaults afs
# Only the des3 key is dropped; des-cbc-md5, des-cbc-md4, aes256 and
# arcfour keys remain on the principal (see Keytypes below).
kadmin> del_enctype afs des3-cbc-sha1
kadmin> get [EMAIL PROTECTED]
            Principal: [EMAIL PROTECTED]
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2007-03-08 21:57:02 UTC
             Modifier: admin/[EMAIL PROTECTED]
           Attributes:
             Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
arcfour-hmac-md5(pw-salt)

# Three single-DES keytypes are still present. "bos listkeys -localauth"
# further down reports two *different* checksums for kvno 1, i.e. the DES
# keytypes did not all carry the same key material. A server that selects
# a key by kvno alone can then pick one that is not the key the KDC used
# for the des-cbc-crc service ticket, which would explain the "bad ticket"
# error below (likely cause -- verify). Suggested fix: leave exactly one
# DES enctype on the principal before extracting, e.g.
#   kadmin> del_enctype afs des-cbc-md5 des-cbc-md4
# then re-run ext, start from a fresh (removed) KeyFile, restart bosserver
# and re-acquire credentials (kdestroy; kinit; afslog).
kadmin> ext -k /tmp/afskeytabfile.krb5 afs
kadmin> quit

# Five entries, all kvno 1, matching the KDC's Kvno above.
[EMAIL PROTECTED]:/home/dave $ ktutil -k /tmp/afskeytabfile.krb5 list
/tmp/afskeytabfile.krb5:

Vno  Type                     Principal
  1  des-cbc-md5              [EMAIL PROTECTED]
  1  des-cbc-md4              [EMAIL PROTECTED]
  1  des-cbc-crc              [EMAIL PROTECTED]
  1  aes256-cts-hmac-sha1-96  [EMAIL PROTECTED]
  1  arcfour-hmac-md5         [EMAIL PROTECTED]

# Converts the keytab into AFS KeyFile format. Only two keys end up in the
# KeyFile (see listkeys output below); remove /tmp/afskeytabfile.krb5
# afterwards -- it holds the raw cell key in a world-searchable directory.
[EMAIL PROTECTED]:/home/dave $ ktutil copy FILE:/tmp/afskeytabfile.krb5
AFSKEYFILE:/etc/openafs/server/KeyFile

# NOTE(review): -noauth disables authorization checking in bosserver, so
# anyone who can reach the bos port can administer this host. Acceptable
# for bootstrapping an isolated test box; restart without it as soon as
# the KeyFile and UserList are in place.
[EMAIL PROTECTED]:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth

[EMAIL PROTECTED]:/etc/openafs/server $ pafs
24807 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
--check-consistency

# bosserver is started a second time and the pid changes (24807 -> 22752),
# so the first instance presumably exited in between; worth checking
# syslog for why before trusting the rest of the results.
[EMAIL PROTECTED]:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
[EMAIL PROTECTED]:/home/dave $ pafs
22752 /usr/local/sbin/bosserver -syslog -noauth
31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
--check-consistency

# Authenticated with the admin ticket/token from the cache shown below:
# the server cannot decrypt the token with the key it holds.
[EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost
bos: security object was passed a bad ticket error encountered while
listing keys

# Unauthenticated client: refused outright (key listing is not served to an
# unauthenticated caller even with the server in -noauth mode here).
[EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost -noauth
bos: you are not authorized for this operation error encountered while
listing keys

# -localauth authenticates with the KeyFile itself, so this succeeds and
# reveals the real problem: two distinct keys both filed under kvno 1.
[EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost -localauth
key 1 has cksum 250617512
key 1 has cksum 3616054386
Keys last changed on Fri Mar  9 10:59:32 2007.
All done.
# Note the TGT was obtained at 10:08, before the KeyFile was written at
# 10:59. A service ticket inherits its Auth time from the TGT, so this
# output cannot show when the afs ticket was actually fetched; re-kinit
# before retesting so the cached ticket is certainly under the current key.
[EMAIL PROTECTED]:/home/dave $ klist -vT
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: admin/[EMAIL PROTECTED]
    Cache version: 4

Server: krbtgt/[EMAIL PROTECTED]
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: initial
Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32

# The afs service ticket is des-cbc-crc, kvno 1: the KeyFile entry for
# kvno 1 must hold exactly the des-cbc-crc key bits for this to verify.
# Both tickets are bound to the six local IPv4 addresses listed.
Server: [EMAIL PROTECTED]
Ticket etype: des-cbc-crc, kvno 1
Auth time:  Mar  9 10:08:01 2007
End time:   Mar 10 02:48:01 2007
Ticket flags: transited-policy-checked
Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32


Mar  9 10:08:01  Mar 10 02:48:01  Tokens for muse.net.nz (256)
[EMAIL PROTECTED]:/home/dave $


file:/etc/kerberosV/krb5.conf
# $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
#
# Example Kerberos 5 configuration file. You may need to change the defaults
# in this file to match your environment.
#
# See krb5.conf(5) and the heimdal infopage for more information.
#
# Normally, the realm should be your DNS domain name with uppercase
# letters. In this example file, we've written the realm as MY.REALM
# and the domain as my.domain to make it clear what we refer to.
#
# Normally, it is not necessary to do any changes on client-only
# machines, as it's recommended that the information needed is put
# in DNS.
# On server machines, it is not strictly necessary, but it is recommended
# to have local configuration.
#
# NOTE(review): this is the Heimdal krb5.conf shipped with OpenBSD's
# kerberosV, shared by the KDC, kadmin and the AFS server in the transcript
# above. Keep comments on their own lines -- do not add trailing comments
# after values.
#
# Defaults applied to every client on this host.
[libdefaults]
        default_realm = MUSE.NET.NZ
# Requested ticket lifetime in seconds. 60000 s = 16h40m, which is exactly
# the Auth time -> End time span klist shows in the transcript above.
        ticket_lifetime = 60000
# Maximum clock difference (seconds) tolerated between client and KDC.
        clockskew = 300

# Settings read by Heimdal's AFS-aware tools (kinit/afslog).
[appdefaults]
# Use the v5 ticket directly for the AFS token rather than converting it
# through a krb524 service.
        afs-use-524 = no
# Obtain an AFS token automatically when credentials are acquired -- this
# is presumably why klist -vT above shows "Tokens for muse.net.nz".
        afslog = yes

[realms]
        MUSE.NET.NZ = {
# NOTE(review): only single-DES key types are listed here, yet the afs
# principal in the transcript also carries aes256 and arcfour keys, so this
# entry is evidently not what decides which keys kadmin generates (see
# default_keys under [kadmin]). Single DES is all the AFS KeyFile can use,
# but it is a 56-bit cipher: confine it to the afs service principal and
# keep user principals on aes256.
                supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
                kdc = kerberos.muse.net.nz
                admin_server = kerberos.muse.net.nz
                kpasswd_server = kerberos.muse.net.nz
        }

# Hostname suffix -> realm mapping used when building service principals.
[domain_realm]
        .muse.net.nz = MUSE.NET.NZ

[kadmin]
# Key types created for new principals: the v5 default set plus an afs3
# entry. Presumably this is what produced the three DES variants, aes256
# and arcfour on the afs principal above (the afs3 salt does not appear in
# that listing, likely because the key was random -- verify). For the afs
# principal itself a single des-cbc-crc key is all the KeyFile needs.
        default_keys = v5 afs3
        afs-cell = muse.net.nz

[logging]
        kadmind = FILE:/var/heimdal/kadmind.log

[kdc]
# NOTE(review): with pre-authentication disabled the KDC returns an AS-REP
# encrypted under any principal's key to an unauthenticated requester,
# which permits offline guessing of password-derived keys. Tolerable on an
# isolated test box; set this to yes before the realm holds real users.
        require-preauth = no
# Realm name the KDC reports for Kerberos 4 / krb524 style requests
# (presumably; see kdc.conf(5)).
        v4-realm = MUSE.NET.NZ
# Cell name the KDC associates with AFS-style keys (presumably; verify).
        afs-cell = muse.net.nz

