Re: How to create afs KeyFile with ktutil.
Martin MOKREJŠ writes:
> On Fri, 13 Dec 2002, Gunnar Gunnarsson wrote:
>
> Hi,
>
> > Hi,
> > I'm trying to set up afs cell with heimdal (Heimdal 0.5.1, KTH-KRB 1.2.1)
> > and OpenAFS 1.2.7 on Solaris.
> >
> > I've a kerberos realm and created an afs principal for the cell with
> > Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt), des-cbc-md4(pw-salt),
> > des-cbc-md5(pw-salt), des3-cbc-sha1(pw-salt)
> >
> > I've copied the afs key to krb5.keytab and ktutil list gives:
> >
> > FILE:/etc/krb5.keytab:
> >
> > Vno Type Principal
> > 1 des-cbc-crc host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-md4 host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-md5 host/sarabi.netia.se@NETIA.SE
> > 1 des3-cbc-sha1 host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-crc afs@NETIA.SE
> > 1 des-cbc-md4 afs@NETIA.SE
> > 1 des-cbc-md5 afs@NETIA.SE
> > 1 des3-cbc-sha1 afs@NETIA.SE
> >
>
> Maybe you should delete the sha1 key. I did it and things work, but I'm
> not sure it was really necessary.
I deleted the sha1 key but still no luck. My keys look like this:
# ktutil list
FILE:/etc/krb5.keytab:
Vno Type Principal
1 des-cbc-crc host/sarabi.netia.se@NETIA.SE
1 des-cbc-md4 host/sarabi.netia.se@NETIA.SE
1 des-cbc-md5 host/sarabi.netia.se@NETIA.SE
1 des3-cbc-sha1 host/sarabi.netia.se@NETIA.SE
1 des-cbc-crc afs@NETIA.SE
1 des-cbc-crc afs@NETIA.SE
1 des-cbc-md4 afs@NETIA.SE
1 des-cbc-md5 afs@NETIA.SE
krb4:/etc/srvtab:
Vno Type Principal
1 des-cbc-md5 host/sarabi.netia.se@NETIA.SE
1 des-cbc-md4 host/sarabi.netia.se@NETIA.SE
1 des-cbc-crc host/sarabi.netia.se@NETIA.SE
1 des-cbc-md5 afs@NETIA.SE
1 des-cbc-md4 afs@NETIA.SE
1 des-cbc-crc afs@NETIA.SE
# ktutil -k AFSKEYFILE:/etc/openafs/server/KeyFile list
AFSKEYFILE:/etc/openafs/server/KeyFile:
Vno Type Principal
1 des-cbc-md5 afs/netia.se@NETIA.SE
1 des-cbc-md5 afs/netia.se@NETIA.SE
1 des-cbc-md5 afs/netia.se@NETIA.SE
Shouldn't it be des-cbc-crc?
>
> Have a look at
> http://www.central.org/twiki/bin/view/AFSLore/KerberosAFSInstall
> I've added new lines to the text.
Okay, it's an overwhelming amount of information. I need to know what to add to my
krb5.conf to support afs on clients and how to set up my kdc etc.
>
> I have to say, I have only a working kerberos4 installation, the heimdal-0.5.1
> does not work for me on Linux (the KDC part works), but I cannot access
> afs.
I'm using krb4 but I want to move on to krb5.
>
> > krb4:/etc/srvtab:
> >
> > Vno Type Principal
> > 1 des-cbc-md5 host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-md4 host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-crc host/sarabi.netia.se@NETIA.SE
> > 1 des-cbc-md5 afs@NETIA.SE
> > 1 des-cbc-md4 afs@NETIA.SE
> > 1 des-cbc-crc afs@NETIA.SE
> >
> > I've copied the afs key to KeyFile with
> > ktutil copy /etc/krb5.keytab AFSKEYFILE:/etc/openafs/server/KeyFile
> > (btw ktutil doesn't look for ThisCell in /etc/openafs)
> > but I can't list with ktutil
> >
> > ktutil -k /etc/openafs/server/KeyFile list
> > ktutil: krb5_kt_start_seq_get /etc/openafs/server/KeyFile: Unsupported key table format version number
> >
> >
> > While trying to use the tokens I get
> > rxk: security object was passed a bad ticket
>
> Reimport the key from KeyFile back into srvtab and KeyTab. Look at Wiki
> documentation. To make sure it's the same key.
>
>
> --
> Martin Mokrejs <mmokrejs@natur.cuni.cz>, <m.mokrejs@gsf.de>
> PGP5.0i key is at http://www.natur.cuni.cz/~mmokrejs
> MIPS / Institute for Bioinformatics <http://mips.gsf.de>
> GSF - National Research Center for Environment and Health
> Ingolstaedter Landstrasse 1, D-85764 Neuherberg, Germany
> tel.: +49-89-3187 3683, fax: +49-89-3187 3585
>