If the kvno you generated is 8, then the kvno you ask asetkey to add must also be 8.
Sent from my iPad

On Apr 12, 2011, at 11:01 AM, "Danko Antolovic" <[email protected]> wrote:

> Hello,
>
> here is my problem: I have a nicely functional AFS server, cell name
> afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a
> second authentication realm, a Kerberos 5, named
> KDC.DANTOLOV.UITS.INDIANA.EDU. All of this is under RHEL 5.
>
> On the KDC machine, I made the service principal and placed its key in a
> keytab. All of that apparently worked OK:
>
> kadmin: add_principal -e des-cbc-md5:normal -kvno 8 afs/[email protected]
>
> kadmin: ktadd -e des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab afs/[email protected]
>
> I transferred the keytab to the AFS server, and it looks fine:
>
> [root@afs1c afs]# klist -e -k afs1_dantolov.uits.indiana.edu_kdc.keytab
> Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    9 afs/[email protected] (DES cbc mode with RSA-MD5)
>
> However, the asetkey fails to get the key out of the keytab and into the
> /usr/afs/etc/KeyFile:
>
> [root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
> asetkey: unknown RPC error (-1765328203) while extracting AFS service key
>
> The translation of the error code is not very helpful:
>
> [root@afs1c afs]# translate_et -1765328203
> -1765328203 (krb5).181 = unknown RPC error (-1765328203)
>
> I have the right file /usr/afs/etc/krb.conf on the AFS server:
>
> [root@afs1c afs]# cat /usr/afs/etc/krb.conf
> ADS.IU.EDU KDC.DANTOLOV.UITS.INDIANA.EDU
>
> This problem has been discussed in OpenAFS forums in 2010, in an AD setting,
> apparently inconclusively. Would anyone be able to shed any new light?
>
> Thank you very much,
>
> Danko Antolovic
> Principal Scientist, Research Technologies,
> Indiana University
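
Added example, not part of the original thread: a shell check that the kvno about to be given to asetkey really exists in the keytab for that principal, run over a constructed `klist -e -k` listing. The realm EXAMPLE.ORG, the keytab name afs.keytab and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Constructed sample of `klist -e -k` output. The realm EXAMPLE.ORG and the
# keytab name are placeholders, not values from the thread.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:afs.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/afs1.bedrock.iu.edu@EXAMPLE.ORG (DES cbc mode with RSA-MD5)
EOF
}

# keytab_has_entry KVNO PRINCIPAL   (hypothetical helper)
# Reads `klist -e -k` output on stdin. Succeeds only if an entry with exactly
# this kvno exists for PRINCIPAL, compared with or without its @REALM part.
keytab_has_entry() {
    awk -v want_kvno="$1" -v want_princ="$2" '
        $1 ~ /^[0-9]+$/ {
            bare = $2
            sub(/@.*$/, "", bare)
            if (($2 == want_princ || bare == want_princ) && $1 + 0 == want_kvno + 0)
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# list_kvnos PRINCIPAL   (hypothetical helper)
# Prints every kvno the listing on stdin holds for PRINCIPAL, one per line,
# so a mismatch can be reported together with the values that would work.
list_kvnos() {
    awk -v want_princ="$1" '
        $1 ~ /^[0-9]+$/ {
            bare = $2
            sub(/@.*$/, "", bare)
            if ($2 == want_princ || bare == want_princ) print $1 + 0
        }
    '
}

# Demo over the constructed listing: kvno 8 is absent, kvno 9 is present.
princ="afs/afs1.bedrock.iu.edu"
for kvno in 8 9; do
    if sample_klist | keytab_has_entry "$kvno" "$princ"; then
        echo "kvno $kvno: entry present for $princ"
    else
        echo "kvno $kvno: no entry; keytab holds kvno(s): $(sample_klist | list_kvnos "$princ")"
    fi
done
```

Against a real keytab, pipe `klist -e -k <keytab>` into `keytab_has_entry` in place of `sample_klist` before running `asetkey add`.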
