I am a bit paranoid so I redacted part of the `asetkey` output with question
marks; here is the actual output, including the keytab list (on debian I
don't seem to have rkt or wkt but I have klist):
█[asus][~][1]$ sudo asetkey list
rxkad_krb5 kvno 5 enctype 17; key is:
5eb1d56251abadd918b41843f2246825
rxkad_krb5 kvno 5 enctype 18; key is:
d075ab4afb7e5f482b90ec35a8948a3f7838f39b581d49f42c10a554c2bf2955
rxkad_krb5 kvno 9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5 kvno 9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
█[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
9 [email protected] (aes256-cts-hmac-sha1-96)
9 [email protected] (aes128-cts-hmac-sha1-96)
5 afs/[email protected] (aes256-cts-hmac-sha1-96)
5 afs/[email protected] (aes128-cts-hmac-sha1-96)
█
The reason I have two different key numbers is that I have keys for two
different principals, both [email protected] and
afs/[email protected]. The latter principal came after trying to
solve the error "bos: ticket contained unknown key version number error
encountered while" and coming across this post below:
https://lists.openafs.org/pipermail/openafs-info/2009-April/031205.html
Which said:
My fault
the principal should be afs/[email protected] not [email protected]
Found it out with aklog -d
Tedc
My actual problem was that I had updated the principal's keys without
re-exporting them to the keytab and importing them into AFS, and doing this
fixed the "ticket contained unknown key version number error" problem.
I could probably remove the afs/[email protected] key but
it doesn't seem to do any harm. In fact, I have done it:
█[asus][~][130]$ sudo kadmin.local ktrem -k /etc/openafs/server/rxkad.keytab afs/asus.erjoalgo.com all
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from keytab WRFILE:/etc/openafs/server/rxkad.keytab.
Entry for principal afs/asus.erjoalgo.com with kvno 5 removed from keytab WRFILE:/etc/openafs/server/rxkad.keytab.
█[asus][~][0]$ sudo klist -ke /etc/openafs/server/rxkad.keytab
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
9 [email protected] (aes256-cts-hmac-sha1-96)
9 [email protected] (aes128-cts-hmac-sha1-96)
█[asus][~][130]$ sudo rm /etc/openafs/server/KeyFileExt
█[asus][~][0]$ sudo akeyconvert -all
Wrote 2 keys
█[asus][~][0]$ sudo asetkey list
rxkad_krb5 kvno 9 enctype 17; key is:
4282df96efc8b6667fa48e422875728a
rxkad_krb5 kvno 9 enctype 18; key is:
a2577e635303819c8b26f303e901d7e662f59101e9a4361c414e77716443fef6
All done.
█[asus][~][0]$ sudo bos listkeys asus.erjoalgo.com -localauth
All done.
█[asus][~][0]$
Now my problem is still understanding why `bos listkeys` now succeeds but
returns an empty set when asetkey does list 4 keys.
Ernesto
On Sun, Jun 2, 2024 at 4:15 AM Dirk Heinrichs <[email protected]>
wrote:
> Ernesto Alfonso:
>
> > sudo asetkey list
> > rxkad_krb5 kvno 5 enctype 17; key is:
> > ????????????????????????????????
> > rxkad_krb5 kvno 5 enctype 18; key is:
> > ????????????????????????????????????????????????????????????????
> > rxkad_krb5 kvno 9 enctype 17; key is:
> > ????????????????????????????????
> > rxkad_krb5 kvno 9 enctype 18; key is:
> > ????????????????????????????????????????????????????????????????
>
> I'm a little bit confused about the key version numbers (kvno). They
> should IMHO be the same. Are those question marks the same string for
> the respective enctypes? You could also check the content of your
> keytab, by running "ktutil". In ktutil, read your keytab file using "rkt
> /etc/openafs/server/rxkad.keytab" and then list the keys using the "l"
> (lowercase "L") command. It should list multiple keys, which all have
> the same kvno. If not, delete the ones with the lower kvnos, using
> "delent <slot number>" and save the file using "wkt
> /etc/openafs/server/rxkad.keytab".
>
> HTH...
>
> Dirk
>
> --
> Dirk Heinrichs <[email protected]>
> Matrix-Adresse: @heini:chat.altum.de
> GPG Public Key: 80F1540E03A3968F3D79C382853C32C427B48049
> Privacy Handbuch: https://www.privacy-handbuch.de
>
>
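The consistency check Dirk describes (every principal in the keytab carrying a single kvno) and the comparison Ernesto is doing by eye between `klist -ke` and `asetkey list` can be scripted. The following is an added example and not code from the thread or from OpenAFS; it parses the text the two tools print and reports stale kvnos plus kvno/enctype pairs present on one side only. The sample outputs, the EXAMPLE.COM realm and the key hex are all constructed.

```python
"""Cross-check an rxkad keytab (`klist -ke`) against the keys OpenAFS has
loaded (`asetkey list`).  Added example; the inputs below are constructed."""
import re
from collections import defaultdict

# Enctype names as printed by `klist -ke`, mapped to the numeric ids that
# `asetkey list` prints (IANA Kerberos enctype assignments).
ENCTYPE_IDS = {
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "aes128-cts-hmac-sha256-128": 19,
    "aes256-cts-hmac-sha384-192": 20,
    "arcfour-hmac": 23,
}

KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((\S+)\)\s*$")
ASETKEY_LINE = re.compile(r"^rxkad_krb5 kvno (\d+) enctype (\d+);")

# Constructed `klist -ke` output: the short principal has a leftover kvno 8,
# and the host-style principal still has an old kvno 5 entry.
KLIST_SAMPLE = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   9 afs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   9 afs@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   8 afs@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   5 afs/cell.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed `asetkey list` output; the hex is placeholder key material.
ASETKEY_SAMPLE = """\
rxkad_krb5 kvno 5 enctype 17; key is:
00000000000000000000000000000000
rxkad_krb5 kvno 9 enctype 17; key is:
11111111111111111111111111111111
rxkad_krb5 kvno 9 enctype 18; key is:
2222222222222222222222222222222222222222222222222222222222222222
All done.
"""


def parse_klist(text):
    """Return [(kvno, principal, enctype_id), ...] from `klist -ke` output."""
    entries = []
    for line in text.splitlines():
        m = KLIST_LINE.match(line)
        if not m:
            continue  # "Keytab name:", header and separator lines
        kvno, principal, enctype_name = m.groups()
        if enctype_name not in ENCTYPE_IDS:
            raise ValueError(f"unknown enctype {enctype_name!r}: {line}")
        entries.append((int(kvno), principal, ENCTYPE_IDS[enctype_name]))
    return entries


def parse_asetkey(text):
    """Return {(kvno, enctype_id), ...} from `asetkey list`; key bytes are ignored."""
    keys = set()
    for line in text.splitlines():
        m = ASETKEY_LINE.match(line)
        if m:
            keys.add((int(m.group(1)), int(m.group(2))))
    return keys


def stale_kvnos(entries):
    """Principals with more than one kvno, mapped to the kvnos below their newest."""
    by_principal = defaultdict(set)
    for kvno, principal, _ in entries:
        by_principal[principal].add(kvno)
    return {p: sorted(k for k in kvnos if k < max(kvnos))
            for p, kvnos in by_principal.items() if len(kvnos) > 1}


def report(klist_text, asetkey_text):
    """Stale keytab entries plus (kvno, enctype) pairs present on only one side."""
    entries = parse_klist(klist_text)
    keytab = {(kvno, etype) for kvno, _, etype in entries}
    afs = parse_asetkey(asetkey_text)
    return {
        "stale": stale_kvnos(entries),
        "keytab_only": sorted(keytab - afs),  # in keytab, not imported into AFS
        "afs_only": sorted(afs - keytab),     # loaded in AFS, no backing keytab entry
    }


if __name__ == "__main__":
    for section, value in report(KLIST_SAMPLE, ASETKEY_SAMPLE).items():
        print(f"{section}: {value}")
```

A clean state is an empty report: no principal with more than one kvno, and the same (kvno, enctype) pairs on both sides. Anything in `keytab_only` means the keytab was updated without re-importing into AFS; anything in `afs_only` means AFS still holds a key the keytab no longer has, which is the situation that leads to "ticket contained unknown key version number" once clients get tickets under the newer kvno.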