[OpenAFS] Kerberos 5, AFS, and no krb524d

Derek Atkins warlord@MIT.EDU
05 Jun 2003 19:58:45 -0400


Nicholas Henke <henken@seas.upenn.edu> writes:

> On Thu, 2003-06-05 at 15:32, Douglas E. Engert wrote:
> > If you Kerberos admins will not run the krb524d (and I don't know
> > why not) there are some other options:
> > 
> >  o An aklog that just used the k5 ticket would be good, but is there one
> >    yet? This would in effect be a klog, using k5, and the K5 realm must
> >    match the AFS cell. The AFS servers need to be 1.2.9 
> 
> Why must the K5 realm match the AFS cell? I think this would not work,
> as we have a static K5 realm of UPENN.EDU and are looking to migrate
> each of our linux clusters to its own AFS cell.

Well, it doesn't HAVE to, but it works better that way.  If nothing
else you need to configure your krb5.conf to tell kerberos that the
realm for .liniac.upenn.edu is UPENN.EDU.  It should work with cell !=
REALM, but it's certainly much EASIER to cope when cell = REALM.

> >  o Run krb524d -k on a separate machine, but the client needs to know where
> >    it is, as well as the lib. We do this for the W2K KDC. The krb5.conf 
> >    [realms] entry has a krb524d = <host> where the krb524d runs on UNIX.
> 
> Ok -- here are the steps that I did to try to get this to work...where
> did I go wrong?

[snip]

> [root@roughneck root]# asetkey add 1 /etc/krb5.keytab
> afs/roughneck.liniac.upenn.edu
> 
> [root@roughneck root]# asetkey list
> kvno    1: key is: 588fe6078915e58c
> All done.

Are you sure that you've got kvno #1 after the ktadd?  If your kvno
doesn't match then you'll have a problem.

> [root@roughneck root]# kinit -p afsadmin/roughneck.liniac.upenn.edu
> Password for afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU:
> kinit(v5): Preauthentication failed while getting initial credentials
> 
> I know I typed in the passwd correctly -- but I do not get
> authenticated. Now I change the password for afsadmin:

Uhh, ktadd changes the "password" to a random key.  So obviously this
won't work.  Try:

    kinit -k -p afsadmin/roughneck.liniac.upenn.edu

Question: what do you plan to do with this "afsadmin/<host>"
principal?  AFS certainly doesn't need it for anything.

> Now -- If I try kinit'ing before the ktadd, it works, but after I get
> Preauthentication failed... Is ktadd changing the password? What other
> information can I send to debug this?

Yes, ktadd is changing the password.

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
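Two points in this exchange are worth seeing as concrete checks: the krb5.conf mapping Derek describes for the cell != realm case (a [domain_realm] entry sending .liniac.upenn.edu to UPENN.EDU, plus the [realms] krb524d line from Douglas's suggestion), and Derek's question about whether the kvno asetkey stored actually matches the kvno in the keytab after ktadd. The script below is an added example, not part of the thread or of OpenAFS; it uses the host and cell names from the thread, but the KDC and krb524d host names, the klist -k output and the second asetkey output are constructed samples. It contacts no KDC: the kvno functions only parse captured command output, so they run offline. The krb524d key is written exactly as the thread spells it; the accepted key name differs between Kerberos implementations and versions, so check krb5.conf(5) on your own system before relying on it.

```shell
#!/bin/sh
# Added example, not from the OpenAFS thread: (1) a krb5.conf fragment
# for an AFS cell whose name differs from its Kerberos realm, and
# (2) a kvno consistency check between the keytab and asetkey.

# 1. krb5.conf for cell liniac.upenn.edu served by realm UPENN.EDU.
#    kdc/admin_server/krb524d host names are constructed placeholders.
#    The krb524d key is spelled as the thread gives it; verify the
#    accepted name against krb5.conf(5) for your Kerberos version.
write_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = UPENN.EDU

[realms]
    UPENN.EDU = {
        kdc = kdc.upenn.edu
        admin_server = kdc.upenn.edu
        krb524d = krb524.seas.upenn.edu
    }

[domain_realm]
    # Every cluster cell is its own DNS domain, all under one realm.
    .liniac.upenn.edu = UPENN.EDU
    liniac.upenn.edu = UPENN.EDU
EOF
}

# 2. After ktadd, the kvno in the keytab must equal the kvno asetkey
#    stored, or the fileserver cannot decrypt tickets the KDC issues.

# Constructed sample of `klist -k /etc/krb5.keytab` output (MIT format):
# ktadd bumped the key to kvno 2.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/roughneck.liniac.upenn.edu@UPENN.EDU
   2 host/roughneck.liniac.upenn.edu@UPENN.EDU'

# `asetkey list` output as shown in the thread: AFS still holds kvno 1.
SAMPLE_ASETKEY='kvno    1: key is: 588fe6078915e58c
All done.'

# Constructed `asetkey list` output after re-running `asetkey add 2 ...`.
SAMPLE_ASETKEY_OK='kvno    2: key is: 0f1e2d3c4b5a6978
All done.'

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> highest kvno for that principal
# (0 if the principal is not in the keytab).
keytab_kvno() {
    printf '%s\n' "$1" |
        awk -v p="$2" '$2 == p { if ($1+0 > max) max = $1+0 } END { print max+0 }'
}

# asetkey_kvnos ASETKEY_OUTPUT -> space-separated kvnos AFS holds.
asetkey_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^kvno *\([0-9]*\):.*/\1/p' |
        tr '\n' ' ' | sed 's/ $//'
}

# kvno_matches KLIST_OUTPUT ASETKEY_OUTPUT PRINCIPAL -> prints "ok" when
# AFS holds the keytab's current kvno, "mismatch" otherwise.
kvno_matches() {
    want=$(keytab_kvno "$1" "$3")
    for have in $(asetkey_kvnos "$2"); do
        [ "$have" = "$want" ] && { echo ok; return 0; }
    done
    echo mismatch
    return 1
}

# Stand-alone run: the thread's situation, then the repaired one.
echo "keytab kvno: $(keytab_kvno "$SAMPLE_KLIST" afs/roughneck.liniac.upenn.edu@UPENN.EDU)"
echo "asetkey kvnos: $(asetkey_kvnos "$SAMPLE_ASETKEY")"
echo "before: $(kvno_matches "$SAMPLE_KLIST" "$SAMPLE_ASETKEY" afs/roughneck.liniac.upenn.edu@UPENN.EDU)"
echo "after:  $(kvno_matches "$SAMPLE_KLIST" "$SAMPLE_ASETKEY_OK" afs/roughneck.liniac.upenn.edu@UPENN.EDU)"
```

On a real host you would feed the functions the live output (`klist -k /etc/krb5.keytab` and `asetkey list`) instead of the samples; a "mismatch" result means the key in the AFS KeyFile is not the one the KDC is using, which is exactly the kvno problem Derek points at, and the fix is to re-run `asetkey add` with the kvno the keytab reports.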