Jeffrey,

Thanks, that was, in fact, the problem. The authentication against the second realm works fine now.

[root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/[email protected]
[root@afs1c afs]#
[root@afs1c afs]# bos listkeys afs1 -noauth
key 3 has cksum 3855684052
key 9 has cksum 3805856571
Keys last changed on Tue Apr 12 13:54:08 2011.
All done.

Could we add an explicit note about the syntax of the "principal" field in the asetkey documentation, thus making this world a better place? ........ :-)

http://docs.openafs.org/Reference/8/asetkey.html

Thanks again for the help.

Danko Antolovic

-----Original Message-----
From: Jeffrey Altman [mailto:[email protected]]
Sent: Tuesday, April 12, 2011 1:21 PM
To: Danko Antolovic
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key

On 4/12/2011 11:01 AM, Danko Antolovic wrote:
> [root@afs1c afs]# asetkey add 9 afs1_dantolov.uits.indiana.edu_kdc.keytab afs/afs1.bedrock.iu.edu

This may not be an enctype issue after all. Please try specifying the realm as part of the principal you are attempting to import. If you don't specify a realm, one will be guessed for you.

Jeffrey Altman

-----Original Message-----
From: Jeffrey Altman [mailto:[email protected]]
Sent: Tuesday, April 12, 2011 12:02 PM
Cc: Danko Antolovic; <[email protected]>
Subject: Re: [OpenAFS] asetkey: unknown RPC error (-1765328203) while extracting AFS service key

On 4/12/2011 11:18 AM, Simon Wilkinson wrote:
>
> On 12 Apr 2011, at 16:09, Jeffrey Altman wrote:
>
>> If the kvno you generated is 8, then the kvno you ask asetkey to add must also be 8.
>
> The principal was added with kvno 8, but then the 'ktadd' incremented that number by 1 when it regenerated the key to create the keytab. klist shows the kvno as 9:
>
>>> [root@afs1c afs]# klist -e -k afs1_dantolov.uits.indiana.edu_kdc.keytab
>>> Keytab name: FILE:afs1_dantolov.uits.indiana.edu_kdc.keytab
>>> KVNO Principal
>>> ---- --------------------------------------------------------------------------
>>> 9 afs/[email protected] (DES cbc mode with RSA-MD5)
>
> I think the problem is the encryption type. When we do the extract, we specifically ask for a des-cbc-crc key. The key you have created is des-cbc-md5. I suspect that the extraction routine is seeing these types as different, and so failing the match.
>
> Try again with a des-cbc-crc key, and see if that works!
>
> Cheers,
>
> Simon.

My apologies for the rushed (and incorrect) response. Simon is correct. The most likely cause of KRB5_KT_NOTFOUND (-17655328203) is the non-matching enctype.

I've posted a patchset to gerrit.openafs.org which permits the DES-CBC-MD5 and DES-CBC-MD4 enctypes to be accepted by asetkey.

http://gerrit.openafs.org/#change,4459

Jeffrey Altman
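
The thread names three fields that must line up before the key can be found in the keytab: the principal including its realm, the kvno, and the enctype. The following is an added example, not part of the original messages and not OpenAFS code: it parses a version 0x0502 MIT keytab and reports the first of those fields that would miss. The principal, realms, key bytes and the guessed_realm parameter are constructed placeholders.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}

# Constructed sample keytab: hypothetical principal, kvno 9, des-cbc-md5, dummy key.
SAMPLE = (b"\x05\x02\x00\x00\x00\x3a\x00\x02\x00\x0eREALM2.EXAMPLE\x00\x03afs"
          b"\x00\x0ccell.example\x00\x00\x00\x01\x00\x00\x00\x00\x09\x00\x03"
          b"\x00\x08" + b"\x00" * 8)

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name)] from a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:                      # negative size marks a deleted entry
            pos -= size
            continue
        rec, p = data[pos:pos + size], 2   # p starts past the component count
        pos += size
        def counted():                     # read one 16-bit length-prefixed field
            nonlocal p
            (n,) = struct.unpack_from(">H", rec, p)
            p += 2 + n
            return rec[p - n:p]
        (ncomp,) = struct.unpack_from(">H", rec)
        realm = counted().decode()
        name = "/".join([counted().decode() for _ in range(ncomp)])
        kvno, etype = struct.unpack_from(">BH", rec, p + 8)  # skip name type, timestamp
        p += 11
        counted()                          # key bytes, not needed for this check
        if len(rec) - p >= 4:              # optional 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, p)[0] or kvno
        entries.append((f"{name}@{realm}", kvno, ENCTYPES.get(etype, str(etype))))
    return entries

def explain_lookup(entries, principal, kvno, guessed_realm, enctypes=("des-cbc-crc",)):
    """Return 'ok' or the first field on which the keytab lookup would miss."""
    # No realm given: one is guessed. guessed_realm is a hypothetical stand-in for it.
    principal = principal if "@" in principal else f"{principal}@{guessed_realm}"
    wanted = (("principal", {principal}), ("kvno", {kvno}), ("enctype", set(enctypes)))
    for i, (label, allowed) in enumerate(wanted):
        left = [e for e in entries if e[i] in allowed]
        if not left:
            return f"{label} mismatch, keytab has {sorted({e[i] for e in entries})}"
        entries = left
    return "ok"
```

The default for enctypes follows Simon's statement that the extract asks for des-cbc-crc; pass a wider tuple to model the behaviour of the gerrit change mentioned above.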
