Unfortunately, I jumped the gun on this. Initial probing looked fine - get tokens, create/mod/delete files/dirs. Actual AFS actions like creating volumes, querying members of a group, etc, failed with the following error:
Could not get an Id for volume users
rxk: ticket contained unknown key version number
rxk: ticket contained unknown key version number
Error in vos create command.
rxk: ticket contained unknown key version number

In case of fat fingering I've tried this more than once. Still no joy.

An unrelated question: should I be able to reuse TransArc KeyFiles? I have a dev environment set up. If I have a copy of the production KDC database and the older KeyFiles, the new openafs DB servers should work, right?

On Thu, 31 Aug 2006, ted creedon wrote:

> -----Original Message-----
> From: Joe Di Lellio [mailto:[EMAIL PROTECTED]
> Sent: Thursday, August 31, 2006 4:15 PM
> To: ted creedon
> Subject: RE: [OpenAFS] KeyFile generation issue
>
> Cool, that was it. Thanks!
>
> On Thu, 31 Aug 2006, ted creedon wrote:
>
> > I use strace -e read=0,1,2,3 -e write=0,1,2,3 -o foo.c asetkey
> > (The .c colorizes the output in an editor)
> >
> > To help figure out what's going on. I futz around with ktutil and asetkey
> > until things line up. Look at the kdc log file for incorrect principal
> > names.
> >
> > I think that the :v4 should be :normal
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 [EMAIL PROTECTED]
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:normal [EMAIL PROTECTED]
> >
> > tedc
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > On Behalf Of Joe Di Lellio
> > Sent: Thursday, August 31, 2006 3:23 PM
> > To: [email protected]
> > Subject: [OpenAFS] KeyFile generation issue
> >
> > I'm almost done with a trio of systems to replace my DB servers,
> > but I'm having trouble with my KeyFile. I've followed the instructions
> > (as mentioned below), but to no avail. The specific instructions are
> > from the afs-krb5-2.0 distribution.
> >
> > What I've done:
> >
> > 1) The instructions mention creating an AFS principal. We have one
> > already, as I have a test KDC with a clone of the production KDC's DB.
> > However, I did try nuking the old principal & recreating it, on the
> > chance that was the problem. Regardless, I started with a kvno of 3.
> >
> > 2) There is also a mention of using asetkey to find the kvno in the
> > current KeyFile, and modifying the kvno in kerberos to have the
> > same as the highest. I've tried both going from no KeyFile and using
> > the one from my current TransArc servers. In the latter case I had
> > a kvno here of 3.
> >
> > 3) I've used ktadd to extract the afs key to keytab file (the specific
> > command is modified slightly as per a page I found googling):
> >
> > kadmin: ktadd -k /etc/krb5.keytab -e des-cbc-crc:v4 [EMAIL PROTECTED]
> >
> > As mentioned, this incremented the kvno; in this case to 4.
> >
> > 4) Used asetkey to copy the new AFS key from the keytab to the KeyFile:
> >
> > # ./asetkey add 4 /etc/krb5.keytab afs
> >
> > 5) I kept the keytab file around for a while, but also tried removing
> > mention to the AFS principal.
> >
> > In all the cases, I keep getting the following error:
> >
> > Tokens for user of AFS id 24961 for cell cats.ucsc.edu are discarded
> > (rxkad error=19270407). Simple googling showed that as RXKADBADTICKET,
> > aka "security object was passed a bad ticket". This particular error
> > has come up with some of the varying iterations of how I did this, as
> > above. I've also seen, as the one variation to the above, the error
> > 19270408 - RXKADUNKNOWNKEY, aka "ticket contained unknown key version
> > number". In this case I believe it was an early attempt where I had
> > a low kvno in my KeyFile (like 3), but I'd increased the kvno on the
> > KDC principal due to multiple attempts; I believe it was 9 or so (minor
> > data point). That KeyFile was grabbed from one of my TransArc DB servers.
> >
> > Any clues? As far as I can tell, I've gone through the instructions
> > extremely carefully, and with all the variations should I just be running
> > across some oddity.
> > I wouldn't be surprised if I'm missing something
> > fairly obvious, but I really just can't say.
> >
> > As always, thanks in advance.
> >
> > ------
> > It ain't what you don't know that gets you into trouble. It's what you
> > know for sure that just ain't so. -- Mark Twain
> > _______________________________________________
> > OpenAFS-info mailing list
> > [email protected]
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
>
> ------
> It ain't what you don't know that gets you into trouble. It's what you
> know for sure that just ain't so. -- Mark Twain
>
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info
>

------
It ain't what you don't know that gets you into trouble. It's what you
know for sure that just ain't so. -- Mark Twain
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
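
Added example (not part of the thread and not OpenAFS code): a Python check for the kvno mismatch discussed above, which reads a keytab and a KeyFile and reports whether the newest afs key in the keytab is actually present in the KeyFile. It assumes the MIT keytab 0x0502 layout and the 100-byte KeyFile layout (a key count followed by 4-byte kvno plus 8-byte key records); the function names and sample bytes are constructed for illustration.

```python
import struct

# Constructed samples: keytab holds afs@EXAMPLE.ORG at kvno 4, KeyFile only kvno 3.
SAMPLE_KEYTAB = (b"\x05\x02\x00\x00\x00\x2d\x00\x01\x00\x0bEXAMPLE.ORG\x00\x03afs"
                 b"\x00\x00\x00\x01\x00\x00\x00\x00\x04\x00\x01\x00\x08KEYBYTES\x00\x00\x00\x04")
SAMPLE_KEYFILE = struct.pack(">ii8s", 1, 3, b"OLDKEY__").ljust(100, b"\0")

def _counted(buf, p):  # 16-bit length-prefixed string -> (bytes, next offset)
    (n,) = struct.unpack_from(">H", buf, p)
    return buf[p + 2:p + 2 + n], p + 2 + n

def keytab_keys(data, service=b"afs"):  # kvno -> (enctype, key) for service entries
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    keys, pos = {}, 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + abs(size)
        if size > 0:  # a negative size marks a deleted entry (hole) to skip
            (ncomp,) = struct.unpack_from(">H", data, pos)
            parts, p = [], pos + 2
            for _ in range(ncomp + 1):  # realm first, then the name components
                s, p = _counted(data, p)
                parts.append(s)
            kvno = data[p + 8]  # follows 4-byte name type and 4-byte timestamp
            enctype, klen = struct.unpack_from(">HH", data, p + 9)
            key = data[p + 13:p + 13 + klen]
            if end - (p + 13 + klen) >= 4:  # optional 32-bit kvno trailer
                kvno = struct.unpack_from(">I", data, p + 13 + klen)[0] or kvno
            if parts[1:2] == [service]:
                keys[kvno] = (enctype, key)
        pos = end
    return keys

def keyfile_keys(data):  # kvno -> 8-byte key; layout: count, then kvno+key records
    (n,) = struct.unpack_from(">i", data, 0)
    return {struct.unpack_from(">i", data, 4 + 12 * i)[0]: data[8 + 12 * i:16 + 12 * i]
            for i in range(n)}

def diagnose(keytab, keyfile):  # compare newest afs key in keytab with the KeyFile
    kt, kf = keytab_keys(keytab), keyfile_keys(keyfile)
    if not kt:
        return "no-afs-entry"
    kvno, (enctype, key) = max(kt.items())
    if enctype != 1 or len(key) != 8:  # 1 = des-cbc-crc, the enctype used with ktadd -e above
        return "wrong-enctype"
    if kvno not in kf:
        return "unknown-kvno"  # the 19270408 RXKADUNKNOWNKEY condition in the thread
    return "ok" if kf[kvno] == key else "key-mismatch"
```

With the constructed samples, `diagnose(SAMPLE_KEYTAB, SAMPLE_KEYFILE)` returns `"unknown-kvno"`, the situation described in the thread where the KDC principal's kvno has moved past the one stored in an older KeyFile.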
