[OpenAFS] (no subject)
T. Matthew Cocker
matt@cs.auckland.ac.nz
Wed, 23 May 2001 14:28:38 +1200
Hi
We are trying to set up an OpenAFS 1.0.4 AFS cell with Heimdal 0.3d Krb5 as
the authentication server. We are using the following krb5.conf file:
__________________________
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
ticket_lifetime = 24000
default_realm = CELL.NAME
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
CELL.NAME = {
kdc = afs-01.cell.name:88
admin_server = afs-01.cell.name:749
default_domain = cell.name
}
[domain_realm]
.cell.name = CELL.NAME
cell.name = CELL.NAME
[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf
enable-kerberos4 = true
v4-realm = CELL.NAME
enable-kaserver = true
afs-cell = cell.name
[kadmin]
default_keys = v4 v5 des:afs3-salt:cell.name
afs-cell = cell.name
v4-realm = CELL.NAME
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
_______________________________
I then did the following:
# kstash
# kadmin -l
kadmin> add --random-key afs
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Attributes []:
kadmin> ext afs
# ktutil list
Vno  Type           Principal
  1  des-cbc-md5    afs
  1  des-cbc-md4    afs
  1  des-cbc-crc    afs
  1  des3-cbc-sha1  afs
  1  des-cbc-md5    afs
  1  des-cbc-md4    afs
  1  des-cbc-crc    afs
  1  des-cbc-md5    afs
  1  des-cbc-md4    afs
  1  des-cbc-crc    afs
# ktutil copy /etc/krb5.keytab AFSKEYFILE:/usr/afs/etc/KeyFile
I then added a user "admin":
kadmin> get -l admin
Principal: admin@CELL.NAME
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 day
Max renewable life: 1 week
Kvno: 1
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2001-05-22 01:17:31 UTC
Modifier: kadmin/admin@CELL.NAME
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-md5(pw-salt()),
des-cbc-md4(pw-salt()), des-cbc-crc(pw-salt()), des3-cbc-sha1(pw-salt),
des-cbc-md5(pw-salt), des-cbc-md4(pw-salt), des-cbc-crc(pw-salt),
des-cbc-md5(afs3-salt(cell.name)), des-cbc-md4(afs3-salt(cell.name)),
des-cbc-crc(afs3-salt(cell.name))
Now we have shut down the kaserver. Windows clients and Unix clients get
tickets and tokens via Heimdal, but the tokens are no good (we are using
klog at the moment on both platforms). We also have no access to the pts
utils, and after shutting down Heimdal and restarting kaserver we can get
tokens for AFS that work, but we can't add users to kaserver (is this a
permissions problem because KeyFile was overwritten with a new key?).
I guess I have two questions now: what did we do wrong in Heimdal such that the
tokens were disregarded by AFS, and how can we at least get back to where
we were before we did the ktutil copy?
Cheers,
Matthew Cocker
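An offline cross-check of the "ktutil copy /etc/krb5.keytab AFSKEYFILE:..." step in the post above, added here as example code that is not part of the original message, of Heimdal or of OpenAFS. It parses a krb5 keytab (format 0x0502) and an AFS KeyFile (big-endian int32 key count, then int32 kvno plus 8-byte DES key per entry), then confirms that the highest-kvno des-cbc-crc key for the afs principal is present in the KeyFile with the same kvno and the same key bytes, that every KeyFile key has valid DES parity, and notes any keytab enctype (such as the des3-cbc-sha1 key the poster's default_keys produced) that an 8-byte KeyFile slot cannot hold. The keytab bytes, the KeyFile bytes, the principal afs@CELL.NAME and the key values are constructed sample data; on a real host you would read the two files into the byte strings instead.

```python
"""Cross-check a krb5 keytab against an AFS KeyFile (added example, not Heimdal/OpenAFS code)."""
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1"}
DES_ETYPES = (1, 2, 3)          # the only enctypes an 8-byte KeyFile slot can hold
AFS_ETYPE = 1                   # KeyFile keys are compared against the des-cbc-crc entry


def des_parity_ok(key: bytes) -> bool:
    """Every byte of a DES key carries odd parity in its low bit."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def parse_keyfile(data: bytes):
    """AFS KeyFile: int32 nkeys, then nkeys x (int32 kvno, 8-byte key), big-endian."""
    (nkeys,) = struct.unpack(">i", data[:4])
    return [struct.unpack(">i8s", data[4 + 12 * i: 16 + 12 * i]) for i in range(nkeys)]


def build_keyfile(entries):
    """Inverse of parse_keyfile, used here only to construct sample data."""
    return struct.pack(">i", len(entries)) + b"".join(struct.pack(">i8s", k, v) for k, v in entries)


def _counted(buf: bytes, off: int):
    """uint16 length-prefixed byte string, as used for realm and name components."""
    (n,) = struct.unpack(">H", buf[off:off + 2])
    return buf[off + 2: off + 2 + n], off + 2 + n


def parse_keytab(data: bytes):
    """Keytab format 0x0502: sequence of [int32 size][entry]; negative size marks a hole."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 is handled")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack(">i", data[off:off + 4])
        off += 4
        if size <= 0:                       # deleted entry: skip its slot
            off += -size
            continue
        e, off = data[off:off + size], off + size
        (ncomp,) = struct.unpack(">H", e[:2])
        realm, p = _counted(e, 2)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(e, p)
            comps.append(c.decode())
        p += 4                              # name_type (present in version 2)
        _ts, vno8, etype, klen = struct.unpack(">IBHH", e[p:p + 9])
        p += 9
        key, p = e[p:p + klen], p + klen
        vno = vno8
        if p + 4 <= len(e):                 # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack(">I", e[p:p + 4])
            vno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "enctype": etype, "key": key})
    return entries


def build_keytab(entries):
    """Encode (principal, kvno, enctype, key) tuples as a version 2 keytab (sample data only)."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, etype, key in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def check_afs_key(keytab: bytes, keyfile: bytes, principal: str = "afs"):
    """Return findings; lines starting with 'note:' are informational, anything else is a mismatch."""
    kt = [e for e in parse_keytab(keytab) if e["principal"].split("@")[0] == principal]
    des = [e for e in kt if e["enctype"] == AFS_ETYPE]
    if not des:
        return [f"keytab has no {ENCTYPES[AFS_ETYPE]} key for {principal}"]
    newest = max(des, key=lambda e: e["kvno"])
    kf = dict(parse_keyfile(keyfile))
    findings = []
    if newest["kvno"] not in kf:
        findings.append(f"KeyFile lacks kvno {newest['kvno']} (has {sorted(kf)})")
    elif kf[newest["kvno"]] != newest["key"]:
        findings.append(f"KeyFile kvno {newest['kvno']} holds a different key than the keytab")
    findings += [f"KeyFile kvno {k} key fails DES parity" for k, v in kf.items() if not des_parity_ok(v)]
    for etype in sorted({e["enctype"] for e in kt} - set(DES_ETYPES)):
        findings.append(f"note: keytab also holds {ENCTYPES.get(etype, etype)}, which a KeyFile cannot store")
    return findings


# Constructed sample data (not from the post): the four enctypes the poster's default_keys
# produced for afs, a KeyFile that matches, and a stale KeyFile with the right kvno but an old key.
KEY_NEW = b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"
KEY_OLD = b"\x10\x13\x15\x16\x19\x1a\x1c\x1f"
SAMPLE_KEYTAB = build_keytab([("afs@CELL.NAME", 1, 3, KEY_NEW), ("afs@CELL.NAME", 1, 2, KEY_NEW),
                              ("afs@CELL.NAME", 1, 1, KEY_NEW), ("afs@CELL.NAME", 1, 16, b"\x55" * 24)])
GOOD_KEYFILE = build_keyfile([(1, KEY_NEW)])
STALE_KEYFILE = build_keyfile([(1, KEY_OLD)])

if __name__ == "__main__":
    for label, kf in (("good", GOOD_KEYFILE), ("stale", STALE_KEYFILE)):
        print(label, check_afs_key(SAMPLE_KEYTAB, kf))
```

The check compares only the des-cbc-crc entry because the md4, md5 and crc variants of a single-DES principal share the same 8-byte key, so one comparison covers all three; a KeyFile that lacks the kvno the KDC is issuing, or carries different key bytes under that kvno, is exactly the condition under which fileservers reject otherwise valid tokens, which is the first thing to rule out before suspecting the KDC configuration.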