afs-krb5 integration

Cesar Garcia Cesar.Garcia at morganstanley.com
Thu Oct 17 13:42:02 EDT 2002


There is also a bug in krb524d that does not set the kvno on the
returned V4 ticket. Here's a patch:

$ diff -c krb524d.c.orig krb524d.c
*** krb524d.c.orig      Thu Oct 17 13:37:30 2002
--- krb524d.c   Thu Oct 17 13:39:55 2002
***************
*** 412,418 ****
              memset (key, 0, sizeof (*key));
              return ret;
          }
!
          krb5_kt_free_entry(context, &entry);
          return 0;
       } else if (use_master) {
--- 412,419 ----
              memset (key, 0, sizeof (*key));
              return ret;
          }
!           if(kvnop)
!             *kvnop = entry.vno;
          krb5_kt_free_entry(context, &entry);
          return 0;
       } else if (use_master) {
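Review bot: The `else if (use_master)` branch visible in the trailing context is not touched, so please confirm that this path, and any other path that hands back a key, also stores a version through `kvnop`. Otherwise the V4 ticket can still be returned with the kvno unset when the key does not come from the keytab entry. In the added lines, reading `entry.vno` before `krb5_kt_free_entry(context, &entry)` is the right order. As a style point, `if(kvnop)` should follow the spacing used by the surrounding code (`memset (key, ...)`), and the blank line this hunk replaces could be kept ahead of the free call.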


>>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:

>> i have strange problems in integrating openafs into krb5.
>> I use openafs 1.2.7 and kerberos 1.2.6 for the slave-server and 1.2.4 for
>> the kerberos master/admin server.
>> I checked everything with these key-versions (thanks to Derek on the openafs
>> mailing list), but it did not help.
>> I always get "ticket contained unknown key version number"

Ken> At the end of the day, there is a ticket in a Keyfile that does not agree
Ken> with the service ticket stored in your KDC.  This is the ONLY possible
Ken> cause of this error (at least, the only one I've ever seen).

Ken> Possible causes of this:

Ken> - You're not updating the KeyFile on ALL of your AFS servers (yes, you
Ken>   have to do them ALL, and the best way to do that is with upclient,
Ken>   because it needs to be the same one everywhere).

Ken> - You entered in the wrong kvno for asetkey.

Ken> - You have an old cached service ticket on your client.

Ken> There may be more problems, but these are the only ones that I've seen.
Ken> I know that some people were unable to make it work, but I am convinced
Ken> that they still had one of these problems and they just didn't realize it.

Ken> --Ken