
Re: How to create afs KeyFile with ktutil.



On Fri, 13 Dec 2002, Gunnar Gunnarsson wrote:

Hi,

> Hi,
> I'm trying to set up afs cell with heimdal (Heimdal 0.5.1, KTH-KRB 1.2.1)
> and OpenAFS 1.2.7 on Solaris.
>
> I've kerberos realm and created afs principal for the cell with
> Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt), des-cbc-md4(pw-salt),
> des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
>
> I've copied the afs key to krb5.keytab and ktutil list gives:
>
> FILE:/etc/krb5.keytab:
>
> Vno  Type           Principal
>   1  des-cbc-crc    host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md4    host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md5    host/sarabi.netia.se@NETIA.SE
>   1  des3-cbc-sha1  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-crc    afs@NETIA.SE
>   1  des-cbc-md4    afs@NETIA.SE
>   1  des-cbc-md5    afs@NETIA.SE
>   1  des3-cbc-sha1  afs@NETIA.SE
>

Maybe you should delete the sha1 key. I did it and things work, but I'm
not sure it was really necessary.

Have a look at
http://www.central.org/twiki/bin/view/AFSLore/KerberosAFSInstall
I've added new lines to the text.

I have to say, I've only a working kerberos4 installation; heimdal-0.5.1
does not work for me on Linux (the KDC part works), but I cannot access
afs.

> krb4:/etc/srvtab:
>
> Vno  Type         Principal
>   1  des-cbc-md5  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md4  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-crc  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md5  afs@NETIA.SE
>   1  des-cbc-md4  afs@NETIA.SE
>   1  des-cbc-crc  afs@NETIA.SE
>
> I've copied the afs key to KeyFile with
> ktutil copy /etc/krb5.keytab AFSKEYFILE:/etc/openafs/server/KeyFile
> ( btw ktutil doesn't look for ThisCell in /etc/openafs )
> but I can't list with ktutil
>
> ktutil -k /etc/openafs/server/KeyFile list
> ktutil: krb5_kt_start_seq_get /etc/openafs/server/KeyFile: Unsupported key table format version number
>
>
> While trying to use the tokens I get
> rxk: security object was passed a bad ticket

Reimport the key from KeyFile back into srvtab and KeyTab. Look at the Wiki
documentation. To make sure it's the same key.


-- 
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
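
Added example, not part of the original message or of Heimdal/OpenAFS: a small Python check that tells a krb5 FILE keytab from an AFS KeyFile by its leading bytes and confirms that the KeyFile holds the expected key under the expected kvno, which is the "same key" comparison suggested above. The on-disk layouts are assumptions not stated in the thread (KeyFile: 4-byte big-endian key count, then up to 8 entries of int32 kvno plus 8-byte DES key; keytab: first byte 0x05, then version 1 or 2), and all sample bytes are constructed.

```python
import hmac
import struct

MAXKEYS = 8          # assumed maximum number of key slots in a KeyFile
ENTRY = ">i8s"       # assumed entry layout: int32 kvno + 8-byte DES key, network order

def classify(blob: bytes) -> str:
    """Guess the on-disk format from the leading bytes."""
    if len(blob) >= 2 and blob[0] == 0x05 and blob[1] in (1, 2):
        return "krb5-keytab"
    if len(blob) >= 4:
        (nkeys,) = struct.unpack_from(">I", blob)
        if 0 < nkeys <= MAXKEYS and len(blob) >= 4 + 12 * nkeys:
            return "afs-keyfile"
    return "unknown"

def parse_keyfile(blob: bytes) -> dict:
    """Return {kvno: 8-byte key} for every populated slot."""
    if classify(blob) != "afs-keyfile":
        raise ValueError("not an AFS KeyFile")
    (nkeys,) = struct.unpack_from(">I", blob)
    return dict(struct.unpack_from(ENTRY, blob, 4 + 12 * i) for i in range(nkeys))

def same_key(blob: bytes, kvno: int, des_key: bytes) -> bool:
    """True if the KeyFile holds des_key under kvno (constant-time compare)."""
    stored = parse_keyfile(blob).get(kvno)
    return stored is not None and hmac.compare_digest(stored, des_key)

# Constructed sample data, not real key material.
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_KEYFILE = (struct.pack(">I", 1) + struct.pack(ENTRY, 1, SAMPLE_KEY)).ljust(100, b"\0")
SAMPLE_KEYTAB_HEADER = b"\x05\x02" + b"\0" * 10

if __name__ == "__main__":
    for name, blob in [("KeyFile", SAMPLE_KEYFILE), ("keytab", SAMPLE_KEYTAB_HEADER)]:
        print(name, "->", classify(blob))
    print("kvno 1 matches:", same_key(SAMPLE_KEYFILE, 1, SAMPLE_KEY))
    print("kvno 2 matches:", same_key(SAMPLE_KEYFILE, 2, SAMPLE_KEY))
```

Under these assumed layouts a KeyFile starts with a zero byte rather than 0x05, so a reader expecting the FILE keytab format would reject its version bytes.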