On Fri, 26 Sep 2014 11:41:27 +0200 Andreas Donath <[email protected]> wrote:
> I have an issue accessing the file system after
> an OS upgrade on one of our KRB5 Heimdal KDCs
> (which is a Linux distribution called UCS(V3.2)
> based on debian).
>
> During the update process, a script was executed that
> must have altered the enctypes (or more?) of the principals.

Was upgrading Heimdal a part of this process? At least some versions of Heimdal are known to have behaviors/bugs that break rxkad-k5 behavior.

> I can do a kinit and an aklog on the clients fine, but
> trying to access files ends up in "Permission denied"
> klist -a shows:

What about a 'klist -a' when using the KDC that works? What does that look like?

> I'm by no means a KRB expert, but my assumption is,
> that the differences here
> (e.g. Mkvno or des-cbc-crc(pw-salt)[1]) might cause the
> trouble. So the alterations of the afs service principal
> on the new KDC do not correctly correspond to the key
> that was once exported and provided to my AFSCell via
> bos addkey.

It looks like those differences in output may just be due to a different Heimdal version, but I'm not sure (someone more familiar with Heimdal can probably say). You could try extracting the AFS principal key (make sure not to change the key when you do so), and comparing the keytab on the new 'broken' KDC against the old 'working' one, and see if the keytabs differ at all. It doesn't seem to me like the keying material has changed, so that won't do anything, but who knows.

However, what is more concerning is that you mention adding the key via 'bos addkey', which implies using DES keys. Are you not using rxkad.keytab? The kadmin output you provide suggests you are using non-DES enctypes and rxkad-k5, and so you should be extracting keys to an rxkad.keytab file. I'm not sure how your old environment could have been working without doing that, since your 'old' KDC reports non-DES keys. Do you not have an rxkad.keytab file anywhere?
> Is there a way to keep the old afs/CELL key in my environment,
> because I do not want to end up in not being able to
> access my cell at all, if the export/re-import of the
> new key fails?

You can keep the old key on openafs's side of things, yes, but the keys have to have two different kvnos. Trying to keep two different keys in the KDC database is more tricky, I believe.

--
Andrew Deason
[email protected]

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
