I'm almost done with a trio of systems to replace my DB servers, but I'm having trouble with my KeyFile. I've followed the instructions (as mentioned below), but to no avail. The specific instructions are from the afs-krb5-2.0 distribution.
What I've done:

1) The instructions mention creating an AFS principal. We have one already, as I have a test KDC with a clone of the production KDC's DB. However, I did try nuking the old principal & recreating it, on the chance that was the problem. Regardless, I started with a kvno of 3.

2) There is also a mention of using asetkey to find the kvno in the current KeyFile, and modifying the kvno in Kerberos to have the same as the highest. I've tried both going from no KeyFile and using the one from my current TransArc servers. In the latter case I had a kvno here of 3.

3) I've used ktadd to extract the afs key to a keytab file (the specific command is modified slightly as per a page I found googling):

    kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 [EMAIL PROTECTED]

As mentioned, this incremented the kvno; in this case to 4.

4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:

    # ./asetkey add 4 /etc/krb5.keytab afs

5) I kept the keytab file around for a while, but also tried removing mention of the AFS principal.

In all the cases, I keep getting the following error:

    Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded (rxkad error=19270407).

Simple googling showed that as RXKADBADTICKET, aka "security object was passed a bad ticket". This particular error has come up with some of the varying iterations of how I did this, as above.

I've also seen, as the one variation to the above, the error 19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version number". In this case I believe it was an early attempt where I had a low kvno in my KeyFile (like 3), but I'd increased the kvno on the KDC principal due to multiple attempts; I believe it was 9 or so (minor data point). That KeyFile was grabbed from one of my TransArc DB servers.

Any clues? As far as I can tell, I've gone through the instructions extremely carefully, and with all the variations should I just be running across some oddity.
I wouldn't be surprised if I'm missing something fairly obvious, but I really just can't say. As always, thanks in advance.

------
It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so. -- Mark Twain

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
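
An added example, not part of the original post: a small decoder for the numeric rxkad codes quoted in the message, so they can be read straight from a log line without searching. It assumes the codes use the com_err packing (error-table name at 6 bits per character above an 8-bit offset); the function names are hypothetical, and only the two symbolic names the post itself reports are mapped.

```python
import re

# com_err character set: a 6-bit value v (1..63) maps to CHARSET[v - 1]; 0 means "no char".
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
OFFSET_BITS = 8      # low 8 bits: index of the message inside its error table
BITS_PER_CHAR = 6    # remaining bits: table name, up to four packed characters

# Only the two names quoted in the post; other offsets are reported as unknown.
KNOWN_NAMES = {
    ("RXK", 7): "RXKADBADTICKET",
    ("RXK", 8): "RXKADUNKNOWNKEY",
}

# Matches the form of the error line shown in the post.
LOG_RE = re.compile(r"AFS id (\d+) for cell (\S+) are discarded \(rxkad error=(\d+)\)")


def table_name(code):
    """Recover the error-table name packed into the high bits of a code."""
    base = code >> OFFSET_BITS
    chars = []
    for shift in range(3 * BITS_PER_CHAR, -1, -BITS_PER_CHAR):
        value = (base >> shift) & 0x3F
        if value:
            chars.append(CHARSET[value - 1])
    return "".join(chars)


def decode(code):
    """Return (table, offset, symbolic name or 'unknown') for a numeric code."""
    table = table_name(code)
    offset = code & ((1 << OFFSET_BITS) - 1)
    return table, offset, KNOWN_NAMES.get((table, offset), "unknown")


def decode_log_line(line):
    """Pull AFS id, cell and decoded error out of a 'Tokens ... discarded' line."""
    match = LOG_RE.search(line)
    if match is None:
        return None
    afs_id, cell, code = match.groups()
    return {"afs_id": int(afs_id), "cell": cell, "error": decode(int(code))}


if __name__ == "__main__":
    # Error line copied from the post above.
    sample = ("Tokens for user of AFS id 24961 for cell cats.ucsc.edu "
              "are discarded (rxkad error=19270407).")
    print(decode_log_line(sample))
    print(decode(19270408))
```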
