Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-20 Thread Jose M Calhariz
One more time, thank you everyone.  I made a quick blog post to
remind myself of what was said here and maybe to help someone
else in need.

http://blog.calhariz.com

On Wed, Sep 14, 2022 at 09:22:49PM +0200, Harald Barth wrote:
> 
> > Good to know, in my case I am setting up new kerberos realm and new
> > OpenAFS cells just for testing.  This ambiguous afs principal is good
> > for me, but maybe not enough for other people.
> 
> Use the afs/cell-name. It has worked for me for years in different
> setups. It's better. Listen to Jeff (if not to me ;-)
> 
> Harald.
> ___
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 

Kind regards
Jose M Calhariz


-- 
--
Being committed is half the road to success
-- Zinder




Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-14 Thread Harald Barth


> Good to know, in my case I am setting up new kerberos realm and new
> OpenAFS cells just for testing.  This ambiguous afs principal is good
> for me, but maybe not enough for other people.

Use the afs/cell-name. It has worked for me for years in different
setups. It's better. Listen to Jeff (if not to me ;-)

Harald.


Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-14 Thread Jeffrey E Altman
On 9/14/2022 2:17 PM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) 
wrote:

> On Wed, Sep 14, 2022 at 02:00:02PM -0400, Jeffrey E Altman wrote:
>
> > If your cell name is "your-cell-name.com" then these need to be
> >
> > addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
> > ktadd -k /root/rxkad.keytab afs/your-cell-name.com
> >
> > The use of "afs@REALM" is ambiguous in an environment where there are
> > multiple cells authenticated by a single REALM.
>
> Good to know, in my case I am setting up new kerberos realm and new
> OpenAFS cells just for testing.  This ambiguous afs principal is good
> for me, but maybe not enough for other people.

When searching for a service principal, aklog will search for principals 
in this order


1. afs/your-cell-name.com@   referral request sent to the client
   principal's REALM
2. afs/your-cell-name.com@REALM
3. afs@REALM

If afs/your-cell-name.com@REALM does not exist, there will be a negative 
lookup and the cost of the extra round trips.


"afs@REALM" should not be used for a new cell.  That name made sense 
when there was a one-to-one mapping between cell and realm due to the 
existence of "kaserver".


The preference for afs/your-cell-name.com@REALM over afs@REALM has been 
present in OpenAFS since the MIT AFS-Kerberos 5 Migration Kit was merged 
in November 2004.


OpenAFS 1.4.0 was the first release which integrated Kerberos v5 support.

Jeffrey Altman
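
Added example, not part of the original messages and not OpenAFS code: a small audit that applies the search order above to a list of cells and flags cells that fall back to afs@REALM, share it with another cell, or use a principal without an aes256-cts-hmac-sha1-96 key. The inventory, cell names and EXAMPLE.ORG realm are constructed, and the referral step is modelled by assumption as succeeding only when the per-cell principal exists.

```python
REQUIRED_ETYPE = "aes256-cts-hmac-sha1-96"

def aklog_candidates(cell, realm):
    """Service principal names in the search order listed above."""
    return ["afs/%s@" % cell,             # 1. referral request, empty realm
            "afs/%s@%s" % (cell, realm),  # 2. per-cell principal
            "afs@%s" % realm]             # 3. legacy realm-wide principal

def audit(cells, realm, kdc):
    """kdc maps principal name -> list of key enctypes (constructed inventory).

    Assumption: the referral request in step 1 is answered only when the
    per-cell principal exists in `realm`.
    """
    findings, users = [], {}
    for cell in cells:
        _referral, per_cell, legacy = aklog_candidates(cell, realm)
        if per_cell in kdc:
            chosen = per_cell
        elif legacy in kdc:
            chosen = legacy               # steps 1 and 2 were negative lookups
            findings.append("%s: falls back to %s after 2 negative lookups"
                            % (cell, legacy))
        else:
            findings.append("%s: no AFS service principal in %s" % (cell, realm))
            continue
        users.setdefault(chosen, []).append(cell)
        if REQUIRED_ETYPE not in kdc[chosen]:
            findings.append("%s: %s has no %s key"
                            % (cell, chosen, REQUIRED_ETYPE))
    # One key shared by several cells is the ambiguity described above.
    for principal, sharing in users.items():
        if len(sharing) > 1:
            findings.append("%s is shared by cells %s"
                            % (principal, ", ".join(sorted(sharing))))
    return findings

# Constructed sample data, not taken from the thread.
SAMPLE_KDC = {
    "afs@EXAMPLE.ORG": ["des-cbc-crc"],
    "afs/prod.example.org@EXAMPLE.ORG": ["aes256-cts-hmac-sha1-96", "rc4-hmac"],
}
SAMPLE_CELLS = ["prod.example.org", "test.example.org", "lab.example.org"]

if __name__ == "__main__":
    for line in audit(SAMPLE_CELLS, "EXAMPLE.ORG", SAMPLE_KDC):
        print(line)
```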





Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-14 Thread Jeffrey E Altman
On 9/14/2022 12:57 PM, Jose M Calhariz 
(jose.calha...@tecnico.ulisboa.pt) wrote:


> My updated instructions are:
>
> kadmin.local
> addprinc -randkey -e aes256-cts-hmac-sha1-96 afs
> ktadd -k /root/rxkad.keytab afs
> getprinc afs
> quit

If your cell name is "your-cell-name.com" then these need to be

addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
ktadd -k /root/rxkad.keytab afs/your-cell-name.com

The use of "afs@REALM" is ambiguous in an environment where there are
multiple cells authenticated by a single REALM.

Jeffrey Altman






Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-12 Thread Jeffrey E Altman
On 9/12/2022 11:49 AM, Jose M Calhariz 
(jose.calha...@tecnico.ulisboa.pt) wrote:

> To do the setup of the cell I was following the instructions from
> Debian 9. So I have done:
>
> kadmin.local
> addprinc -randkey -e des-cbc-crc:v4 afs
> ktadd -k /root/afs.keytab -e des-cbc-crc:v4 afs
> getprinc afs
> quit

There are a couple of things wrong with these directions.

1. The service principal that should be created is "afs/" not
   "afs".
2. The encryption types that must be added are aes256-cts-hmac-sha1-96
   and rc4-hmac (if you wish to support Windows clients).





Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets

2022-09-12 Thread Jeffrey E Altman
On 9/12/2022 10:10 AM, Jose M Calhariz 
(jose.calha...@tecnico.ulisboa.pt) wrote:

> Hi,
>
> I have set up a test cell of OpenAFS 1.6.x, Debian 9, for testing the
> upgrade to Debian 11.  When I do the initial setup of the cell and do
> the first aklog I get the following error:
>
> aklog: unknown RPC error (-1765328370) while getting AFS tickets
>
> How do I get the meaning of this error?  This error number is not on
> Google.  I have just tested the aklog command on the client against
> another cell and it worked.  So my problem is the new cell.


The error is Kerberos v5 error KRB5KDC_ERR_ETYPE_NOSUPP, "KDC has no 
support for encryption type".


Is the OpenAFS client version older than 1.6.5?

Prior to 1.6.5 aklog explicitly requested AFS service tickets with a 
DES-CBC-CRC session key.


Alternatively, the AFS service principal for the test cell might have 
been created without an AES key.


Jeffrey Altman
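
Added example, not part of the original messages: the number aklog printed is a com_err code, which packs an error-table name and an 8-bit index, and decoding it gives entry 14 of the "krb5" table, the error named in the reply above. The function names and the KRB5_NAMES subset are this example's own; the index values follow the RFC 4120 error codes.

```python
import re

# com_err packs up to four 6-bit characters of the table name above an
# 8-bit per-table error index.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")

# Subset of the "krb5" table; indexes match the RFC 4120 error codes.
KRB5_NAMES = {
    6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",
    24: "KRB5KDC_ERR_PREAUTH_FAILED",
    37: "KRB5KRB_AP_ERR_SKEW",
}

def decode_com_err(code):
    """Split a com_err code into (table name, index within the table)."""
    u = code & 0xFFFFFFFF            # view the signed value as 32 bits
    index = u & 0xFF                 # low 8 bits: position in the table
    packed = (u >> 8) & 0xFFFFFF     # upper 24 bits: packed table name
    name = ""
    for shift in (18, 12, 6, 0):
        ch = (packed >> shift) & 0x3F
        if ch:                       # zero means "no character here"
            name += CHARSET[ch - 1]
    return name, index

def explain_line(line):
    """Find a parenthesised error number in a tool message and decode it."""
    m = re.search(r"\((-?\d+)\)", line)
    if not m:
        return None
    code = int(m.group(1))
    table, index = decode_com_err(code)
    if table == "krb5":
        symbol = KRB5_NAMES.get(index, "krb5 error %d" % index)
    else:
        symbol = "%s error %d" % (table, index)
    return code, table, index, symbol

# The error line quoted in the message above.
AKLOG_LINE = "aklog: unknown RPC error (-1765328370) while getting AFS tickets"

if __name__ == "__main__":
    print(explain_line(AKLOG_LINE))
```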





