Thanks for the clues, moved me a bit further along. After reading the unix 
quickstart again, I noticed the note re: asetkey and 1.8 .. but I can't find 
anywhere where it says anything about copying the keytab intact.
Once I get it working I'll post a (hopefully complete) procedure for the next 
guy ..

-----Original Message-----
From: Benjamin Kaduk [mailto:[email protected]] 
Sent: Tuesday, June 20, 2017 4:22 PM
To: John D'Ausilio
Cc: [email protected]
Subject: Re: [OpenAFS] New installation, linux server, AD kerberos

On Tue, Jun 20, 2017 at 08:18:10PM +0000, John D'Ausilio wrote:
> I’ve been fighting with trying to bring up a brand new AFS on linux (Ubuntu server 16.04LTS).
> I had the domain admins add a user and principal and generate a keytab, from which I deleted the DES keys:
> ktutil:  list -e
> slot KVNO Principal
> ---- ---- ---------------------------------------------------------------------
>    1    6  afs/test.example.com@REALM (arcfour-hmac)
>    2    6  afs/test.example.com@REALM (aes256-cts-hmac-sha1-96)
>    3    6  afs/test.example.com@REALM (aes128-cts-hmac-sha1-96)
> I can get a ticket with kinit with the keytab. When I try to add it to openafs config with asetkey, I get this:
> asetkey: unknown RPC error (-1765328203) for keytab entry with Principal afs/test.example.com@REALM, kvno 6, DES-CBC-CRC/MD5/MD4
>
> It appears to be trying to look for a DES key? I don’t see any way to tell asetkey what the crypto is (though I see references to an earlier? version that took the encryption type number as a parameter).

Without looking too hard at the particular error message, you don't need to use 
asetkey with the version of openafs shipped with 16.04LTS -- just rename the 
krb5 keytab to rxkad.keytab and drop it in the directory next to the KeyFile.

Unfortunately,
http://openafs.org/pages/security/install-rxkad-k5-1.6.txt and the other text 
associated with OPENAFS-SA-2013-003 may still be the best documentation for 
this.  The Unix Quickstart guide should have the proper procedure as well, IIRC.

-Ben