Heimdal

    # mkdir /var/heimdal
    # openssl rand 10240 | /usr/heimdal/sbin/kstash --master-key-fd=0
    kstash: writing key to `/var/heimdal/m-key'
    # /usr/heimdal/sbin/kadmin -l
    kadmin> init DOMA
    Realm max ticket life [unlimited]:
    Realm max renewable ticket life [unlimited]:
    kadmin> add mmokrejs/admin
    Max ticket life [1 day]:unlimited
    Max renewable life [1 week]:unlimited
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:
    mmokrejs/admin@DOMA's Password:
    Verifying - mmokrejs/admin@DOMA's Password:
    kadmin> quit
    # /usr/heimdal/libexec/kdc &
    # /usr/heimdal/bin/kinit mmokrejs/admin
    # /usr/heimdal/bin/klist
    Credentials cache: FILE:/tmp/krb5cc_0
            Principal: mmokrejs/admin@DOMA

      Issued           Expires          Principal
    Dec  7 00:12:42  Dec 14 00:12:42  krbtgt/DOMA@DOMA
    # cat >> /var/heimdal/kadmind.acl
    mmokrejs/admin all
    ^D
    # rm /usr/afs/etc/KeyFile
    rm /usr/vice/etc/KeyFile
    rm /etc/krb5.keytab
    # /usr/heimdal/libexec/kadmind &
    # /usr/heimdal/sbin/kadmin --admin-server=aquarius -p mmokrejs/admin
    kadmin> add --random-key afs/doma
    kadmin> del_enctype afs/doma@DOMA des3-cbc-sha1
    kadmin> del_enctype afs/doma@DOMA arcfour-hmac-md5
    kadmin> del_enctype afs/doma@DOMA aes256-cts-hmac-sha1-96
    kadmin> del_enctype afs/doma@DOMA des-cbc-md4
    kadmin> del_enctype afs/doma@DOMA des-cbc-md5   # heimdal before Sept 2 2005
                                                    # needs des-cbc-md5 for the
                                                    # next ktutil step!
                                                    # Since then it will use any of the des keys
    kadmin> get afs/doma
    kadmin> ext afs/doma@DOMA
    kadmin> quit
    # /usr/heimdal/sbin/ktutil list
    # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e des-cbc-md5
    # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e des-cbc-md4
    # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e aes256-cts-hmac-sha1-96
    # /usr/heimdal/sbin/ktutil -k /etc/krb5.keytab del -p afs/doma@DOMA -e arcfour-hmac-md5
    /usr/heimdal/sbin/ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/vice/etc/KeyFile
    /usr/heimdal/sbin/ktutil -k AFSKEYFILE:/usr/vice/etc/KeyFile list
    # /usr/heimdal/sbin/ktutil copy AFSKEYFILE:/usr/vice/etc/KeyFile /etc/krb5.keytab
    # /usr/heimdal/bin/kinit -k -t /etc/krb5.keytab afs/doma
    # /usr/afs/bin/bos listkeys -server aquarius -localauth -showkey

Copying the keytab straight into the AFS KeyFile:

    /usr/heimdal/sbin/ktutil copy FILE:/etc/krb5.keytab AFSKEYFILE:/usr/vice/etc/KeyFile

(doesn't work for me, as bosserver coredumps on the generated KeyFile, but maybe that was related to the requirement that des-cbc-md5 was available) or

    /usr/heimdal/sbin/ktutil copy krb4:/etc/srvtab AFSKEYFILE:/usr/vice/etc/KeyFile

(did work for me).

    # cat >> /usr/afs/etc/krb.conf
    DOMA
    DOMA vrapenec.doma admin server
    # cat > /usr/afs/etc/ThisCell
    doma
    ^D
    # cp /usr/afs/etc/ThisCell /usr/vice/etc/ThisCell
    # afslog --verbose
    krb5 tried afs@BIOMED.CAS.CZ -> -1765328228
    krb5 tried afs/biomed.cas.cz@BIOMED.CAS.CZ -> -1765328228
    krb5 tried afs@BIOMED.CAS.CZ -> -1765328228
    krb5 tried afs/biomed.cas.cz@BIOMED.CAS.CZ -> -1765328228
    afslog: krb5_afslog(): Cannot contact any KDC for requested realm
    #
    # grep 1765328228 /usr/afsws/include/rx/*
    # grep 1765328228 /usr/heimdal/include/*
    /usr/heimdal/include/krb5_err.h:#define KRB5_KDC_UNREACH (-1765328228L)

To get rid of these errors, note the following: this is the 5->4 ticket conversion service, but you really want

    [appdefaults]
            libkafs = {
                    afs-use-524 = local
            }

in krb5.conf, assuming your afs servers know how to deal with krb5 tickets.
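The numbers afslog prints are com_err codes: the error table's name is packed six bits per character into the high bits of a 32-bit value and the error's index into the low eight bits, which is why the krb5 values come out negative and why grepping the header for the decimal number finds them. The following is an added example, not part of the original notes, that decodes such a code in Python; its table of symbolic names holds only the values this page recovered by grep, and the decoder itself works for any com_err table (rxkad's "RXK" table included).

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"  # com_err char n = index + 1

KNOWN = {  # symbolic names found on this page by grepping the header files
    ("krb5", 156): "KRB5_KDC_UNREACH",
    ("krb5", 7): "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
    ("RXK", 7): "RXKADBADTICKET",
}

def decode_com_err(code):
    """Split a com_err code into (table name, index within the table, symbolic name if known)."""
    value = code & 0xFFFFFFFF  # the krb5 base is negative only because bit 31 of the packed name is set
    table, index = value >> 8, value & 0xFF
    name = ""
    while table:
        name = ALPHABET[(table & 0x3F) - 1] + name
        table >>= 6
    return name, index, KNOWN.get((name, index))

def table_base(name):
    """Inverse direction: the signed 32-bit base (e.g. ERROR_TABLE_BASE_krb5) of a table name."""
    value = 0
    for ch in name:
        value = (value << 6) | (ALPHABET.index(ch) + 1)
    value <<= 8
    return value - (1 << 32) if value & 0x80000000 else value
```

Any code afslog or the AFS cache manager reports can be fed to decode_com_err to learn which table (and therefore which header) to look in before grepping.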
If you get:

    # afslog -v
    krb5 tried afs@DOMA -> -1765328377
    krb5 tried afs/doma@DOMA -> 0
    krb5 tried afs/netlabs@DOMA -> -1765328377
    krb5 tried afs@NETLABS -> -1765328377
    krb5 tried afs/netlabs@NETLABS -> -1765328377
    afslog: krb5_afslog(): Server not found in Kerberos database
    # grep 1765328377 /usr/afsws/include/rx/*
    # grep 1765328377 /usr/heimdal/include/*
    /usr/heimdal/include/krb5_err.h:#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)
    #

If you still have problems, check:

    /usr/heimdal/sbin/ktutil -k FILE:/etc/krb5.keytab list
    /usr/afs/etc/krb.conf
    /usr/afs/etc/ThisCell
    /usr/vice/etc/CellServDB

KTH-Kerberos IV and Transarc AFS

Someone wrote a nice page at

    http://www.cs.cmu.edu/afs/andrew.cmu.edu/usr/shadow/www/afs/afs-with-kerberos.html
    http://www.contrib.andrew.cmu.edu/~shadow/afs/afs-with-kerberos.html

As someone noted, you might need some ext_srvtab utility to extract the key from /etc/srvtab, but I don't remember that I needed it. He also suggests using the asetkey utility.

Create the afs.natur\.cuni\.cz@NATUR.CUNI.CZ principal entry in Kerberos:

    principal name:     afs
    principal instance: natur.cuni.cz
    principal realm:    NATUR.CUNI.CZ

Import this key from Kerberos (/etc/srvtab) into the AFS /usr/afs/etc/KeyFile using the asetkey utility, which is I think from /afs/transarc.com/public/afs-contrib:

    ./asetkey add 0 /etc/srvtab afs.natur.cuni.cz@NATUR.CUNI.CZ

This KeyFile with the AFS key you can always just re-copy to new AFS machines. Be sure that the key version number (KVNO) is always the same in this KeyFile and in the Kerberos database. On all these machines you of course need the afs.hostname.REALM key loaded into their /etc/srvtab (create them with 'ksrvutil get'). You can test whether you have the same keys in Kerberos and AFS like this:

    kauth username
    tokens

If you have some tokens now, then it works and you can now shut down kaserver. Users which you have created in AFS under kaserver are in /usr/afs/db/kaserver.*, but you can just forget them. Create these users again in Kerberos IV.
AFS users are then looked up in:

    kerberos database (/var/kerberos/principal.db)
    /usr/afs/etc/UserList       (permission to manipulate 'bos')
    system:administrators       (permissions for vos, pts, fs, i.e. 'pts adduser' etc.)

---------------------------------------------------------------------------------

Another approach, untested:
http://www.natur.cuni.cz/~majordomo/krb4/krb4.9703/msg00002.html

Date: Tue, 9 May 2000 10:57:23 +0200 (MET DST)
From: Johan Hedin
To: Erland Fristedt
Cc: krb4@sics.se
Subject: Re: AFS+KTH-KRB problem

This is a printout of how we got it to work. Hope this helps.

/Johan Hedin

    callisto#/usr/athena/sbin/ksrvutil -p johanh.admin -f srvtab get
    Name [rcmd]: afs
    Instance [callisto]: fusion.kth.se
    Realm [FUSION.KTH.SE]:
    Is this correct? (y,n) [y]
    Add more keys? (y,n) [n]
    Password for johanh.admin@FUSION.KTH.SE:
    Warning: Are you sure `fusion.kth.se' should not be `fusion'?
    Added afs.fusion.kth.se@FUSION.KTH.SE
    Old keyfile in srvtab.old.
    callisto#/usr/athena/sbin/ksrvutil -p johanh.admin -f srvtab list
    Version    Principal
          4    afs.fusion.kth.se@FUSION.KTH.SE
    callisto#/tmp/asetkey add 4 srvtab afs.fusion.kth.se@FUSION.KTH.SE
    callisto#cd ..
    callisto#bin/bos status callisto
    Instance buserver, currently running normally.
    Instance ptserver, currently running normally.
    Instance vlserver, currently running normally.
    Instance fs, currently running normally.
        Auxiliary status is: file server running.
    callisto#bin/fs la /afs
    Access list for /afs is
    Normal rights:
      system:administrators rlidwka

--------------------------------------------------------------------------------

> Tokens held by the Cache Manager:
>
> User's (AFS ID 6020) tokens for afs@sunrise.ericsson.se [Expires May  5
> 04:05]
>    --End of list--

You got your tickets alright, but then

> touch /afs/.sunrise.ericsson.se/tabort
> afs: Tokens for user of AFS id 6020 for cell sunrise.ericsson.se are
> discarded (rxkad error=19270407)

    grep 19270407 /usr/afsws/include/rx/*
    /usr/afsws/include/rx/rxkad.h:#define RXKADBADTICKET (19270407L)

so I would guess that the key version number and/or the key on your AFS servers does not match the key of the afs principal. Use klist -v to figure out about key version numbers and then use

    $ kstring2key -c sunrise.ericsson.se
    password:
    ascii = \242\345\345\260\323p\263\233
    hex = a2e5e5b0d370b39b

or some other means to ensure that you use the same keys.