Kvno value is actually 9 throughout 

(idiosyncrasy of MIT Kerb, increasing kvno when adding a key to keytab;
Section 3.51 in this doc:
http://openafs-wiki.stanford.edu/AFSLore/AdminFAQ/#3.51%20Can%20I%20authenticate%20to%20my%20af).

 

Here is the current kvno, as shown by kadmin:

kadmin:  get_principal afs/[email protected]
Principal: afs/[email protected]
-- snip --
Number of keys: 1
Key: vno 9, DES cbc mode with RSA-MD5, no salt
Attributes:
Policy: [none]

And also as shown by klist:

[root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.keytab
Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/[email protected] (DES cbc mode with RSA-MD5)

I have the encryption des-cbc-md5 in three other AFS-related keytabs, which
asetkey has been able to process.

Is there a way to narrow down the meaning/origin of that error?

Thanks,

Danko

  _____  

From: Jeffrey Altman [mailto:[email protected]] 
Sent: Tuesday, April 12, 2011 11:09 AM
To: Danko Antolovic
Cc: <[email protected]>
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while
extracting AFS service key

If the kvno you generated is 8, then the kvno you ask asetkey to add must
also be 8.

Sent from my iPad


On Apr 12, 2011, at 11:01 AM, "Danko Antolovic" <[email protected]>
wrote:

Hello,

here is my problem: I have a nicely functional AFS server, cell name
afs1.bedrock.iu.edu, authenticating against an AD realm. I want to give it a
second authentication realm, a Kerberos 5, named
KDC.DANTOLOV.UITS.INDIANA.EDU.  All of this is under RHEL 5.

On the KDC machine, I made the service principal and placed its key in a
keytab. All of that apparently worked OK:

kadmin:  add_principal -e des-cbc-md5:normal  -kvno 8 afs/[email protected]

kadmin:  ktadd -e des-cbc-md5:normal -k afs1_dantolov.uits.indiana.edu_kdc.keytab afs/[email protected]

I transferred the keytab to the AFS server, and it looks fine:

[root@afs1c afs]# klist -e -k  afs1_dantolov.uits.indiana.edu_kdc.keytab
Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs/[email protected] (DES cbc mode with RSA-MD5)

However, the asetkey fails to get the key out of the keytab and into the
/usr/afs/etc/KeyFile:

[root@afs1c afs]#  asetkey add  9  afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu
asetkey: unknown RPC error (-1765328203) while extracting AFS service key

The translation of the error code is not very helpful:

[root@afs1c afs]# translate_et  -1765328203
-1765328203 (krb5).181 = unknown RPC error (-1765328203)

I have the right file /usr/afs/etc/krb.conf on the AFS server:

[root@afs1c afs]# cat /usr/afs/etc/krb.conf
ADS.IU.EDU  KDC.DANTOLOV.UITS.INDIANA.EDU

This problem has been discussed in OpenAFS forums in 2010, in an AD setting,
apparently inconclusively. Would anyone be able to shed any new light?

Thank you very much,

Danko Antolovic
Principal Scientist, Research Technologies,
Indiana University
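
An added example, not part of the original thread and not OpenAFS or MIT Kerberos code: it shows where the "(krb5).181" in the translate_et output comes from, by splitting the com_err code into its packed table name and 8-bit offset and rebuilding it the other way. The function names are hypothetical, and the bit layout is assumed from the com_err library convention.

```python
# Added example (not from the thread): split a com_err code into table name
# and offset, as in the "(krb5).181" that translate_et printed.
# Layout assumed from the com_err convention: the low 8 bits are the offset,
# the bits above hold the table name as up to four 6-bit characters.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6
CHAR_MASK = (1 << BITS_PER_CHAR) - 1


def table_base(name):
    """Return the signed 32-bit base code of an error table name."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table name must be 1 to 4 characters")
    packed = 0
    for ch in name:
        # CHARSET.index raises ValueError for characters outside the set.
        packed = (packed << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    code = (packed << ERRCODE_RANGE) & 0xFFFFFFFF
    return code - (1 << 32) if code & 0x80000000 else code


def decode(code):
    """Return (table_name, offset) for a signed or unsigned 32-bit code."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    packed = (unsigned >> ERRCODE_RANGE) & 0xFFFFFF
    name = ""
    for i in range(3, -1, -1):
        ch = (packed >> (BITS_PER_CHAR * i)) & CHAR_MASK
        if ch:  # 0 means "no character in this slot"
            name += CHARSET[ch - 1]
    return name, offset


def describe(code):
    """Format a code as '(table).offset = base B + offset'."""
    name, offset = decode(code)
    if not name:  # codes below 256 carry no table name
        return "no table, plain code %d" % offset
    return "(%s).%d = base %d + %d" % (name, offset, table_base(name), offset)


if __name__ == "__main__":
    # Code reported by asetkey in the message above.
    print(describe(-1765328203))
```

The offset, 181 here, is the position of the message within the krb5 error table, so it can be looked up in that table's source when the local translate_et has no text for it.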

 
