Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
One more time, thank you everyone. I made a quick blog post to remind myself of what was said here and maybe to help someone else in need.

http://blog.calhariz.com

On Wed, Sep 14, 2022 at 09:22:49PM +0200, Harald Barth wrote:
> > Good to know, in my case I am setting up new kerberos realm and new
> > OpenAFS cells just for testing. This ambiguous afs principal is good
> > for me, but maybe not enough for other people.
>
> Use the afs/cell-name. It has worked for me for years in different
> setups. It's better. Listen to Jeff (if not to me ;-)
>
> Harald.
> ___
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

Kind regards
Jose M Calhariz

--
Being committed is halfway to success -- Zinder
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
> Good to know, in my case I am setting up new kerberos realm and new
> OpenAFS cells just for testing. This ambiguous afs principal is good
> for me, but maybe not enough for other people.

Use the afs/cell-name. It has worked for me for years in different setups. It's better. Listen to Jeff (if not to me ;-)

Harald.
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/14/2022 2:17 PM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote:
> On Wed, Sep 14, 2022 at 02:00:02PM -0400, Jeffrey E Altman wrote:
> > If your cell name is "your-cell-name.com" then these need to be
> >
> >   addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
> >   ktadd -k /root/rxkad.keytab afs/your-cell-name.com
> >
> > The use of "afs@REALM" is ambiguous in an environment where there are
> > multiple cells authenticated by a single REALM.
>
> Good to know, in my case I am setting up new kerberos realm and new
> OpenAFS cells just for testing. This ambiguous afs principal is good
> for me, but maybe not enough for other people.

When searching for a service principal, aklog will search for principals in this order:

1. afs/your-cell-name.com@ referral request sent to the client principal's REALM
2. afs/your-cell-name.com@REALM
3. afs@REALM

If afs/your-cell-name.com@REALM does not exist, there will be a negative lookup and the cost of the extra round trips.

"afs@REALM" should not be used for a new cell. That name made sense when there was a one-to-one mapping between cell and realm due to the existence of "kaserver".

The preference for afs/your-cell-name.com@REALM over afs@REALM has been present in OpenAFS since the MIT AFS-Kerberos 5 Migration Kit was merged in November 2004. OpenAFS 1.4.0 was the first release which integrated Kerberos v5 support.

Jeffrey Altman
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/14/2022 12:57 PM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote:
> My updated instructions are:
>
>   kadmin.local
>   addprinc -randkey -e aes256-cts-hmac-sha1-96 afs
>   ktadd -k /root/rxkad.keytab afs
>   getprinc afs
>   quit

If your cell name is "your-cell-name.com" then these need to be

  addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/your-cell-name.com
  ktadd -k /root/rxkad.keytab afs/your-cell-name.com

The use of "afs@REALM" is ambiguous in an environment where there are multiple cells authenticated by a single REALM.

Jeffrey Altman
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/12/2022 11:49 AM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote:
> To do the setup of the cell I was following the instructions from Debian 9. So I have done:
>
>   kadmin.local
>   addprinc -randkey -e des-cbc-crc:v4 afs
>   ktadd -k /root/afs.keytab -e des-cbc-crc:v4 afs
>   getprinc afs
>   quit

There are a couple of things wrong with these directions.

1. The service principal that should be created is "afs/" not "afs".
2. The encryption types that must be added are aes256-cts-hmac-sha1-96 and rc4-hmac (if you wish to support Windows clients)
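As an added example (not part of this thread, and not OpenAFS or MIT Kerberos code), the following POSIX shell check applies the two points above, together with the enctype point from the first reply, to the output of `klist -k -e`: the keytab must hold an afs/<cell> principal with an aes256-cts-hmac-sha1-96 key, must not hold a DES key, and should hold an rc4-hmac key only if Windows clients are expected. The cell name "your-cell-name.com" and realm "EXAMPLE.COM" are assumptions, and both keytab listings embedded in the script are constructed samples, not real output.

```sh
#!/bin/sh
# Added example: check a `klist -k -e` listing of the AFS keytab for the
# problems discussed in this thread. Assumptions: cell "your-cell-name.com",
# realm "EXAMPLE.COM"; both listings below are constructed, not real output.
CELL="your-cell-name.com"

# Constructed listing of a keytab built with the old Debian 9 recipe (bare
# "afs" principal with a DES key) that later also got an afs/<cell> entry.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/root/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs@EXAMPLE.COM (des-cbc-crc)
   2 afs/your-cell-name.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 afs/your-cell-name.com@EXAMPLE.COM (arcfour-hmac)'

# Constructed listing of a keytab created the way the reply recommends.
GOOD_KEYTAB_LISTING='Keytab name: FILE:/root/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/your-cell-name.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)'

# keytab_entries LISTING: keep only the "KVNO principal (enctype)" rows.
keytab_entries() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print }'
}

# check_rxkad_keytab CELL LISTING
# Returns 0 when afs/CELL has an aes256-cts-hmac-sha1-96 key and no DES key
# is present; returns 1 otherwise. Prints one line per finding.
check_rxkad_keytab() {
    cell="$1"
    entries=$(keytab_entries "$2")
    rc=0

    # Bare afs@REALM is ambiguous when one realm serves several cells, and
    # aklog only falls back to it after afs/CELL@REALM has failed.
    if printf '%s\n' "$entries" | awk '{ print $2 }' | grep -q '^afs@'; then
        echo "WARN: bare afs@REALM entry present; aklog prefers afs/$cell@REALM"
    fi

    # A DES key is what the Debian 9 recipe produced; the KDC answers a
    # DES request with KRB5KDC_ERR_ETYPE_NOSUPP when it has no DES support.
    if printf '%s\n' "$entries" | grep -q '(des-cbc-'; then
        echo "FAIL: DES key present; recreate the principal with AES only"
        rc=1
    fi

    # The entry aklog actually needs.
    if printf '%s\n' "$entries" | grep -F "afs/$cell@" | grep -q '(aes256-cts-hmac-sha1-96)'; then
        echo "OK: afs/$cell has an aes256-cts-hmac-sha1-96 key"
    else
        echo "FAIL: no aes256-cts-hmac-sha1-96 key for afs/$cell"
        rc=1
    fi

    # rc4-hmac (printed by klist as arcfour-hmac) is optional; Windows clients need it.
    if ! printf '%s\n' "$entries" | grep -F "afs/$cell@" | grep -q '(arcfour-hmac)'; then
        echo "NOTE: no rc4-hmac key for afs/$cell; add one if Windows clients must authenticate"
    fi

    return $rc
}

# Stand-alone demo on the constructed listings. For a real keytab use:
#   check_rxkad_keytab "$CELL" "$(klist -k -e /root/rxkad.keytab)"
for listing in "$SAMPLE_KEYTAB_LISTING" "$GOOD_KEYTAB_LISTING"; do
    if check_rxkad_keytab "$CELL" "$listing"; then
        echo "result: keytab is usable"
    else
        echo "result: fix with 'kadmin.local addprinc -randkey -e aes256-cts-hmac-sha1-96 afs/$CELL'"
    fi
    echo
done
```

On the first (Debian 9 style) listing the check fails because of the DES key and warns about the bare afs@REALM entry; on the second it passes and only notes the missing rc4-hmac key. The grep patterns match the parenthesised enctype names exactly as MIT klist prints them, so the check is only as good as the listing it is given.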
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/12/2022 10:10 AM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote:
> Hi,
>
> I have set up a test cell of OpenAFS 1.6.x, Debian 9, for testing the upgrade to Debian 11.
>
> When I do the initial setup of the cell and do the first aklog I get the following error:
>
>   aklog: unknown RPC error (-1765328370) while getting AFS tickets
>
> How do I get the meaning of this error? This error number is not on Google.
>
> I have just tested the aklog command on the client against another cell and it worked. So my problem is the new cell.

The error is Kerberos v5 error KRB5KDC_ERR_ETYPE_NOSUPP, "KDC has no support for encryption type".

Is the OpenAFS client version older than 1.6.5? Prior to 1.6.5 aklog explicitly requested AFS service tickets with a DES-CBC-CRC session key. Alternatively, the AFS service principal for the test cell might have been created without an AES key.

Jeffrey Altman