
Re: How to create afs KeyFile with ktutil.



On Mon, 16 Dec 2002, Gunnar Gunnarsson wrote:

> Martin MOKREJŠ writes:
>  > On Fri, 13 Dec 2002, Gunnar Gunnarsson wrote:
>  >
>  > Hi,
>  >
>  > > Hi,
>  > > I'm trying to set up afs cell with heimdal (Heimdal 0.5.1, KTH-KRB 1.2.1)
>  > > and OpenAFS 1.2.7 on Solaris.
>  > >
>  > > I've a kerberos realm and created an afs principal for the cell with
>  > > Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt), des-cbc-md4(pw-salt),
>  > > des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
>  > >
>  > > I've copied the afs key to krb5.keytab and ktutil list gives:
>  > >
>  > > FILE:/etc/krb5.keytab:
>  > >
>  > > Vno  Type           Principal
>  > >   1  des-cbc-crc    host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-md4    host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-md5    host/sarabi.netia.se@NETIA.SE
>  > >   1  des3-cbc-sha1  host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-crc    afs@NETIA.SE
>  > >   1  des-cbc-md4    afs@NETIA.SE
>  > >   1  des-cbc-md5    afs@NETIA.SE
>  > >   1  des3-cbc-sha1  afs@NETIA.SE
>  > >
>  >
>  > Maybe you should delete the sha1 key. I did it and things work, but I'm
>  > not sure it was really necessary.
> I deleted the sha1 key but still no luck. My keys look like this:
> # ktutil list
> FILE:/etc/krb5.keytab:
>
> Vno  Type           Principal
>   1  des-cbc-crc    host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md4    host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md5    host/sarabi.netia.se@NETIA.SE
>   1  des3-cbc-sha1  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-crc    afs@NETIA.SE
>   1  des-cbc-crc    afs@NETIA.SE
>   1  des-cbc-md4    afs@NETIA.SE
>   1  des-cbc-md5    afs@NETIA.SE

After deleting keys from the database, you should recreate the KeyTab and
srvtab files.


>
> krb4:/etc/srvtab:
>
> Vno  Type         Principal
>   1  des-cbc-md5  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md4  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-crc  host/sarabi.netia.se@NETIA.SE
>   1  des-cbc-md5  afs@NETIA.SE
>   1  des-cbc-md4  afs@NETIA.SE
>   1  des-cbc-crc  afs@NETIA.SE
>
>
> # ktutil -k AFSKEYFILE:/etc/openafs/server/KeyFile list
> AFSKEYFILE:/etc/openafs/server/KeyFile:
>
> Vno  Type         Principal
>   1  des-cbc-md5  afs/netia.se@NETIA.SE
>   1  des-cbc-md5  afs/netia.se@NETIA.SE
>   1  des-cbc-md5  afs/netia.se@NETIA.SE
>
> Shouldn't it be des-cbc-crc ?

Delete the /etc/openafs/server/KeyFile and copy the key again from the KDC to
the file. I know that ktutil just appends to an existing file, so you have
the same key 3 times in it. Is that a bug?

I also have a des-cbc-md5 key in it; maybe that's the reason why it doesn't
work for me either.

>
>  >
>  > Have a look at
>  > http://www.central.org/twiki/bin/view/AFSLore/KerberosAFSInstall
>  > I've added new lines to the text.
> Okay, it's overwhelming information. I need to know what to add to my
> krb5.conf to support afs on clients and how to set up my kdc etc.

I can't say what the minimum content is. Look at the krb5.conf manpage then.

>  > I have to say, I've working only kerberos4 installation, the heimdal-0.5.1
>  > does not work for me on Linux (the KDC part works), but I cannot access
>  > afs.
> I'm using krb4 but I want to move on to krb5.
>  >
>  > > krb4:/etc/srvtab:
>  > >
>  > > Vno  Type         Principal
>  > >   1  des-cbc-md5  host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-md4  host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-crc  host/sarabi.netia.se@NETIA.SE
>  > >   1  des-cbc-md5  afs@NETIA.SE
>  > >   1  des-cbc-md4  afs@NETIA.SE
>  > >   1  des-cbc-crc  afs@NETIA.SE
>  > >
>  > > I've copied the afs key to KeyFile with
>  > > ktutil copy /etc/krb5.keytab AFSKEYFILE:/etc/openafs/server/KeyFile
>  > > ( btw ktutil doesn't look for ThisCell in /etc/openafs )
>  > > but I can't list with ktutil
>  > >
>  > > ktutil -k /etc/openafs/server/KeyFile list
>  > > ktutil: krb5_kt_start_seq_get /etc/openafs/server/KeyFile: Unsupported key table format version number
>  > >
>  > >
>  > > While trying to use the tokens I get
>  > > rxk: security object was passed a bad ticket
>  >
>  > Reimport the key from KeyFile back into srvtab and KeyTab. Look at Wiki
>  > documentation. To make sure it's the same key.
>  >
>  >
>  > --
>  > Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
>  > PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
>  > MIPS / Institute for Bioinformatics <http://mips.gsf.de>
>  > GSF - National Research Center for Environment and Health
>  > Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
>  > tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
>  >
>

-- 
Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
MIPS / Institute for Bioinformatics <http://mips.gsf.de>
GSF - National Research Center for Environment and Health
Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
tel.: +49-89-3187 3683 , fax: +49-89-3187 3585
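Added example, not part of the original thread and not OpenAFS or Heimdal code: a small sh script that checks a `ktutil list` listing of an AFS KeyFile for the two problems raised above (the same key appended several times because ktutil copy appends to an existing file, and entries whose enctype is not des-cbc-crc) and, as a separate function, performs the delete-and-recopy rebuild the reply suggests. The keytab and KeyFile paths, the cell name and the sample listings are assumptions taken from the thread; the rebuild function needs root and a real Heimdal ktutil and is only run when the script is invoked with `--rebuild`.

```sh
#!/bin/sh
# Added example (not from the thread above). Audits a ktutil listing of an
# AFS KeyFile for duplicated entries and non-des-cbc-crc keys, and shows the
# rebuild procedure (rm KeyFile, then ktutil copy from the keytab).
# Paths and names below are assumptions lifted from the thread.

KEYTAB="FILE:/etc/krb5.keytab"
KEYFILE="AFSKEYFILE:/etc/openafs/server/KeyFile"

# Read a ktutil listing on stdin and print one line per problem found:
#   DUP  <vno> <type> <principal>   the same entry appears more than once
#   TYPE <vno> <type> <principal>   enctype is not des-cbc-crc
# Prints nothing for a clean KeyFile. The "Vno Type Principal" header and
# the "AFSKEYFILE:..." banner are skipped because their first field is not
# numeric. Meant for a KeyFile listing, not for a full krb5.keytab.
audit_keyfile_listing() {
    awk '
        NF == 3 && $1 ~ /^[0-9]+$/ {
            key = $1 " " $2 " " $3
            seen[key]++
            if (seen[key] == 2) print "DUP  " key
            if ($2 != "des-cbc-crc") print "TYPE " key
        }'
}

# Number of problem lines for a listing on stdin (what a caller checks).
count_problems() {
    audit_keyfile_listing | wc -l | tr -d ' '
}

# Rebuild the KeyFile the way the reply suggests: remove it first, because
# ktutil copy appends to an existing destination, then copy from the keytab
# and list the result. Requires root and Heimdal ktutil; not run by the audit.
rebuild_keyfile() {
    rm -f /etc/openafs/server/KeyFile
    ktutil copy "$KEYTAB" "$KEYFILE"
    ktutil -k "$KEYFILE" list
}

# Constructed sample: the listing quoted in the thread (three identical
# des-cbc-md5 entries, i.e. both problems at once).
SAMPLE_BAD='AFSKEYFILE:/etc/openafs/server/KeyFile:

Vno  Type         Principal
  1  des-cbc-md5  afs/netia.se@NETIA.SE
  1  des-cbc-md5  afs/netia.se@NETIA.SE
  1  des-cbc-md5  afs/netia.se@NETIA.SE'

# Constructed sample: what a clean rebuild is expected to look like.
SAMPLE_GOOD='AFSKEYFILE:/etc/openafs/server/KeyFile:

Vno  Type         Principal
  1  des-cbc-crc  afs/netia.se@NETIA.SE'

if [ "${1:-}" = "--rebuild" ]; then
    rebuild_keyfile
else
    # Default action: audit the bad sample so the script runs offline.
    printf '%s\n' "$SAMPLE_BAD" | audit_keyfile_listing
fi
```

To audit a live KeyFile instead of the sample, pipe `ktutil -k AFSKEYFILE:/etc/openafs/server/KeyFile list` into `audit_keyfile_listing`; an empty result means no duplicated entries and only des-cbc-crc keys.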