* ted creedon [2007-03-09 07:35:12 -0900]:
> Kadmin needs "des-cbc-crc:normal" specifically with the ":normal" suffix.

N.B. scorch is using Heimdal (0.7 or 0.8?), not MIT Kerberos.

I'd suggest deleting the AES and Arcfour enctypes as well. This was
probably not an issue with the version of Heimdal in use three years
ago (no AES support yet), which would explain why those old notes did
not mention it.

"bos listkeys" lists two keys with the same kvno (1). At least one of them
must be wrong.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> On Behalf Of scorch
> Sent: Friday, March 09, 2007 6:42 AM
> To: openafs-info@openafs.org
> Subject: [OpenAFS] incorrect KeyFile causing cell setup to fail -- maybe
> wrong enctype ?
> 
> hi,
> 
> I am starting a fresh cell on a test box & having trouble with correct
> creation of KeyFile. For some reason my notes done 3 years ago are not
> sufficient, & some advice is needed!
> 
> Presumably this is due either to:
>       wrong enctype(s)
>       incorrect extraction method
> does anybody see where I'm going horribly wrong?
> 
> thanks, Dave
> 
> # create afs KeyFile from heimdal & put in the right place
> # see below for krb5.conf
> 
> [EMAIL PROTECTED]:/home/dave $ mkdir -m 700 p /etc/openafs/server
> 
> [EMAIL PROTECTED]:/home/dave $ kadmin -p admin/krb
> kadmin> add --random-key --use-defaults afs
> kadmin> del_enctype afs des3-cbc-sha1
> kadmin> get [EMAIL PROTECTED]
>              Principal: [EMAIL PROTECTED]
>      Principal expires: never
>       Password expires: never
>   Last password change: never
>        Max ticket life: 1 day
>     Max renewable life: 1 week
>                   Kvno: 1
>                  Mkvno: 0
> Last successful login: never
>      Last failed login: never
>     Failed login count: 0
>          Last modified: 2007-03-08 21:57:02 UTC
>               Modifier: admin/[EMAIL PROTECTED]
>             Attributes:
>               Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
> des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
> arcfour-hmac-md5(pw-salt)
> 
> kadmin> ext -k /tmp/afskeytabfile.krb5 afs
> kadmin> quit
> 
> [EMAIL PROTECTED]:/home/dave $ ktutil -k /tmp/afskeytabfile.krb5 list
> /tmp/afskeytabfile.krb5:
> 
> Vno  Type                     Principal
>    1  des-cbc-md5              [EMAIL PROTECTED]
>    1  des-cbc-md4              [EMAIL PROTECTED]
>    1  des-cbc-crc              [EMAIL PROTECTED]
>    1  aes256-cts-hmac-sha1-96  [EMAIL PROTECTED]
>    1  arcfour-hmac-md5         [EMAIL PROTECTED]
> 
> [EMAIL PROTECTED]:/home/dave $ ktutil copy FILE:/tmp/afskeytabfile.krb5
> AFSKEYFILE:/etc/openafs/server/KeyFile
> 
> [EMAIL PROTECTED]:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
> 
> [EMAIL PROTECTED]:/etc/openafs/server $ pafs
> 24807 /usr/local/sbin/bosserver -syslog -noauth
> 31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
> --check-consistency
> 
> [EMAIL PROTECTED]:/home/dave $ /usr/local/sbin/bosserver -syslog -noauth
> [EMAIL PROTECTED]:/home/dave $ pafs
> 22752 /usr/local/sbin/bosserver -syslog -noauth
> 31579 /usr/libexec/afsd --log=/var/log/arlad.log --cpu-usage
> --check-consistency
> 
> [EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost
> bos: security object was passed a bad ticket error encountered while
> listing keys
> 
> [EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost -noauth
> bos: you are not authorized for this operation error encountered while
> listing keys
> 
> [EMAIL PROTECTED]:/home/dave $ /usr/local/bin/bos listkeys localhost 
> -localauth
> key 1 has cksum 250617512
> key 1 has cksum 3616054386
> Keys last changed on Fri Mar  9 10:59:32 2007.
> All done.
> [EMAIL PROTECTED]:/home/dave $ klist -vT
> Credentials cache: FILE:/tmp/krb5cc_0
>          Principal: admin/[EMAIL PROTECTED]
>      Cache version: 4
> 
> Server: krbtgt/[EMAIL PROTECTED]
> Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
> Auth time:  Mar  9 10:08:01 2007
> End time:   Mar 10 02:48:01 2007
> Ticket flags: initial
> Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
> IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32
> 
> Server: [EMAIL PROTECTED]
> Ticket etype: des-cbc-crc, kvno 1
> Auth time:  Mar  9 10:08:01 2007
> End time:   Mar 10 02:48:01 2007
> Ticket flags: transited-policy-checked
> Addresses: IPv4:10.0.0.3, IPv4:10.0.0.12, IPv4:10.0.0.20,
> IPv4:10.0.0.25, IPv4:10.0.0.27, IPv4:10.0.0.32
> 
> 
> Mar  9 10:08:01  Mar 10 02:48:01  Tokens for muse.net.nz (256)
> [EMAIL PROTECTED]:/home/dave $
> 
> 
> file:/etc/kerberosV/krb5.conf
> # $OpenBSD: krb5.conf.example,v 1.6 2005/02/07 06:08:10 david Exp $
> #
> # Example Kerberos 5 configuration file. You may need to change the defaults
> # in this file to match your environment.
> #
> # See krb5.conf(5) and the heimdal infopage for more information.
> #
> # Normally, the realm should be your DNS domain name with uppercase
> # letters. In this example file, we've written the realm as MY.REALM
> # and the domain as my.domain to make it clear what we refer to.
> #
> # Normally, it is not necessary to do any changes on client-only
> # machines, as it's recommended that the information needed is put
> # in DNS.
> # On server machines, it is not strictly necessary, but it is recommended
> # to have local configuration.
> #
> [libdefaults]
>       default_realm = MUSE.NET.NZ
>       ticket_lifetime = 60000
>       clockskew = 300
> 
> [appdefaults]
>       afs-use-524 = no
>       afslog = yes
> 
> [realms]
>       MUSE.NET.NZ = {
>               supported_keytypes = des:normal des-cbc-crc:v4
> des-cbc-crc:afs3
>               kdc = kerberos.muse.net.nz
>               admin_server = kerberos.muse.net.nz
>               kpasswd_server = kerberos.muse.net.nz
>       }
> 
> [domain_realm]
>       .muse.net.nz = MUSE.NET.NZ
> 
> [kadmin]
>       default_keys = v5 afs3
>       afs-cell = muse.net.nz
> 
> [logging]
>       kadmind = FILE:/var/heimdal/kadmind.log
> 
> [kdc]
>       require-preauth = no
>       v4-realm = MUSE.NET.NZ
>       afs-cell = muse.net.nz
> 
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 
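The "two keys with the same kvno" symptom above can be checked directly against the binary KeyFile rather than only through `bos listkeys`. The following is an added example, not code from the thread or from OpenAFS/Heimdal; it assumes the KeyFile layout of OpenAFS's `afsconf_keys` structure (a 4-byte big-endian key count followed by entries of a 4-byte big-endian kvno and an 8-byte DES key), and the sample file bytes are constructed for illustration. Besides flagging duplicate kvnos it checks that each key byte carries DES odd parity, which a properly generated single-DES key should have.

```python
import struct
from collections import Counter

# Assumed KeyFile layout (OpenAFS afsconf_keys, network byte order):
#   int32 nkeys, then nkeys entries of { int32 kvno; char key[8]; }
HEADER = struct.Struct(">i")
ENTRY = struct.Struct(">i8s")
AFSCONF_MAXKEYS = 8  # fixed-size table in OpenAFS


def parse_keyfile(data: bytes):
    """Return a list of (kvno, key_bytes) tuples from raw KeyFile contents.

    Trailing padding after the last entry is ignored, since the on-disk
    structure is written at its full fixed size.
    """
    if len(data) < HEADER.size:
        raise ValueError("KeyFile too short to hold a key count")
    (nkeys,) = HEADER.unpack_from(data, 0)
    if nkeys < 0 or nkeys > AFSCONF_MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    needed = HEADER.size + nkeys * ENTRY.size
    if len(data) < needed:
        raise ValueError(f"KeyFile truncated: need {needed} bytes, have {len(data)}")
    keys = []
    for i in range(nkeys):
        kvno, key = ENTRY.unpack_from(data, HEADER.size + i * ENTRY.size)
        keys.append((kvno, key))
    return keys


def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte (low bit is the parity bit)."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_keyfile(data: bytes):
    """Return a list of human-readable problems; an empty list means it looks sane."""
    problems = []
    keys = parse_keyfile(data)
    counts = Counter(kvno for kvno, _ in keys)
    for kvno, n in sorted(counts.items()):
        if n > 1:
            problems.append(f"kvno {kvno} appears {n} times; only one key per kvno is valid")
    for kvno, key in keys:
        if not has_odd_parity(key):
            problems.append(f"kvno {kvno}: key bytes do not have DES odd parity")
    return problems


def build_keyfile(entries):
    """Serialize (kvno, key) entries; the inverse of parse_keyfile, used for the sample."""
    return HEADER.pack(len(entries)) + b"".join(ENTRY.pack(k, v) for k, v in entries)


# Constructed sample data (not real keys): every byte of GOOD_KEY has odd
# parity, every byte of BAD_PARITY_KEY has even parity.
GOOD_KEY = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])
BAD_PARITY_KEY = bytes([0x00, 0x03, 0x05, 0x06, 0x09, 0x0A, 0x0C, 0x0F])

# Mirrors the failing case: two different keys both tagged kvno 1.
SAMPLE_DUPLICATE = build_keyfile([(1, GOOD_KEY), (1, BAD_PARITY_KEY)])
# A single des-cbc-crc key with a unique kvno, as the cell expects.
SAMPLE_CLEAN = build_keyfile([(1, GOOD_KEY)])

if __name__ == "__main__":
    import sys
    # Pass a KeyFile path to inspect a real file; otherwise run on the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(check_keyfile(f.read()) or ["ok"])
    else:
        for name, blob in (("duplicate", SAMPLE_DUPLICATE), ("clean", SAMPLE_CLEAN)):
            print(name, check_keyfile(blob) or ["ok"])
```

Run it against `/etc/openafs/server/KeyFile` (as root, since the file is mode 0600) to see whether more than one entry shares a kvno; on a correctly built cell the output for that file is just `['ok']`.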