afs-krb5 integration

Klaas Hagemann kerberos at northsailor.de
Mon Oct 21 09:19:34 EDT 2002


Hi,

even with your patch having been applied successfully for the server, I get the
following error message after having kinit'd and aklog'd:

# pts listentries
Name                         ID  Owner Creator
pts: ticket contained unknown key version number ; unable to list entries


Any ideas?
Klaas
----- Original Message -----
From: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
To: "Klaas Hagemann" <kerberos at northsailor.de>
Cc: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>; <kerberos at mit.edu>
Sent: Friday, October 18, 2002 5:23 PM
Subject: Re: afs-krb5 integration


> We haven't had problems with it. We've only recently started rolling
> out OpenAFS.
>
> >>>>> "Klaas" == Klaas Hagemann <kerberos at northsailor.de> writes:
>
> Klaas> Hi Cesar, thanks for your quick help.  I suppose I would
> Klaas> have searched a long time for this bug.....  But with your
> Klaas> patch, the krb524d works well together with openafs?
>
> Klaas> Thanks
> Klaas> Klaas
> Klaas> ----- Original Message -----
> Klaas> From: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
> Klaas> To: "Ken Hornstein" <kenh at cmf.nrl.navy.mil>
> Klaas> Cc: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>; <kerberos at mit.edu>
> Klaas> Sent: Friday, October 18, 2002 6:22 AM
> Klaas> Subject: Re: afs-krb5 integration
>
>
> >> Not sure - I'm not exactly an AFS subject matter expert and I
> >> haven't seen the AFS code that implements the key retrieval (from
> >> KeyFile) and token validation.
> >>
> >> When I first started looking at MIT's krb524, this was the first
> >> problem we saw. [the 524 client setting the lifetimes incorrectly
> >> was the other, as apparently the resulting V4 ticket lifetimes are
> >> not communicated back to the client over the 524 wire protocol and
> >> the client is setting it based on 5 minute increments in the V4
> >> ticket, not the CMU/AFS lifetime interpretation].
> >>
> >> I noticed the kvno returned was "0", while the actual kvno for our
> >> afs principal was "1" (as seen via kadmin).  Given the error and
> >> the observed behavior wrt kvno, the fix was rather
> >> straightforward.
> >>
> >> Perhaps your afs server uses different criteria for key
> >> retrieval. We're only now starting to roll out OpenAFS. Our
> >> observations were made with Transarc AFS, versions 3.x. Sorry I
> >> don't have a good answer for this.
> >>
> >> >>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> >>
> >> >> There is also a bug in krb524d that does not set the kvno on the
> >> >> returned V4 ticket. Here's a patch:
> >>
> Ken> Interesting ... so what triggers this?  I mean, it seems to work
> Ken> in normal circumstances ...
> >>
> Ken> --Ken
> >> ________________________________________________ Kerberos mailing
> >> list Kerberos at mit.edu
> >> http://mailman.mit.edu/mailman/listinfo/kerberos
>