[OpenAFS] 1.3.70 and aklog
Christopher D. Clausen
cclausen@acm.org
Tue, 17 Aug 2004 01:21:46 -0500
Jeffrey Altman wrote:
> Christopher D. Clausen wrote:
>> I am logging on to my machine using my Active Directory password in
>> the AD.UIUC.EDU domain. I then run ms2mit to populate the MIT
>> credential cache with my AD tickets. I than attempt to obtain AFS
>> tokens. I get a token, but its for cclausen@ad.uiuc.edu and I do
>> not have permissions within the acm.uiuc.edu cell.
>
> What version are your servers?
>
> If they are not built from 1.3.65 or later; or you have not ported the
> patches for MD5 support to the 1.2.11 build; then you cannot use AFS
> service tickets issued by Active Directory 2003.
My servers are 1.2.11 and they have not been patched for MD5 support. I
don't understand why I need this patch. I do not have an AFS service
ticket in Active Directory. The only AFS service ticket is the one on
the MIT KDC: afs/acm.uiuc.edu@ACM.UIUC.EDU
Or perhaps I do not understand what you mean by "AFS service ticket."
>> C:\> "C:\Program Files\OpenAFS\Client\Program\aklog.exe" -5 -d
>> Authenticating to cell acm.uiuc.edu.
>> Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
>> About to resolve name cclausen@AD.UIUC.EDU to id
>> Id 32766
>> doing first-time registration of cclausen@ad.uiuc.edu at acm.uiuc.edu
>> libprot: funny kvno (256) in ticket, proceeding
>> aklog.exe: unable to create remote PTS user cclausen@ad.uiuc.edu in cell acm.uiuc.edu (status: 19270403).
>> Set username to cclausen@ad.uiuc.edu
>> Getting tokens.
Why is it trying to create a remote user? I am not a remote user, I'm
just using Kerberos trusts to obtain the ticket/token. Is this not
possible or am I completely misunderstanding cross-realm trusts?
> names are local identifiers in tokens. they have no impact on how
> the server treats the tickets. You are using Kerberos 5 cross realm
> to obtain a ticket for afs/acm.uiuc.edu@ACM.UIUC.EDU. The Kerberos
> 5 ticket is going to have the principal name cclausen@AD.UIUC.EDU
> in it. This should be translated to cclausen@ad.uiuc.edu by the
> AFS server.
gssklog correctly gives me a token in the acm.uiuc.edu cell. (See
below)
> Does "cclausen@ad.uiuc.edu" appear in your acl list
> for the acm.uiuc.edu cell? If not, that is where your problem lies.
That ACL does not exist.
But I cannot add it either:
H:\>fs sa . cclausen@ad.uiuc.edu rl
fs:'.': code 0x19
I thought that the user @ domain syntax was only used for foreign users.
Shouldn't I be able to use my AD.UIUC.EDU tickets to get tokens in the
ACM.UIUC.EDU realm via the Kerberos trust? Or am I again completely
missing something obvious?
> What does "klist -e" report for the enctype of
> "afs/acm.uiuc.edu@ACM.UIUC.EDU"? You want it to read:
>
> Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
cclausen@KBS-CDC C:\>klist -ef
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:17:44  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
It looks to be DES to me. The realm trust was used to obtain the
afs/acm.uiuc.edu ticket.
>> C:\>tokens
>> Tokens held by the Cache Manager:
>> User cclausen@ad.uiuc.edu's tokens for afs@acm.uiuc.edu [Expires Aug 17 09:03]
>> --End of list --
>
> This looks correct.
It doesn't look correct to me.
Things work the way I think they should when I use gssklog:
C:\>unlog
C:\>kdestroy
C:\>ms2mit
C:\>klist
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:31:12  08/17/04 09:03:10  ldap/ad-dc-p1.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  cifs/ad-dc-p1.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  ldap/AD-DC-P2.ad.uiuc.edu/ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  LDAP/AD-DC-P2.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
C:\>gssklog
C:\>tokens
Tokens held by the Cache Manager:
User cclausen's tokens for afs@acm.uiuc.edu [Expires Aug 17 09:03]
--End of list --
C:\>klist -ef
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:48:17  08/17/04 09:03:10  gssklog/mintaka.acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
I have tokens for cclausen and I can correctly access my files.
Are aklog and gssklog acting differently wrt the cross-realm trust?
I mean, they both do the same thing, set AFS tokens. Why would one set
tokens for cclausen and one for cclausen@ad.uiuc.edu?
Thanks for your quick response!
<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
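The realm-to-name translation Jeffrey describes in the quoted reply, together with the "klist -e" enctype check he asks for, as an added example that is not part of this mail and is not OpenAFS code: a small Python script that parses a klist -ef dump (the sample below is constructed from the output in the mail), confirms that the afs/ service ticket is DES cbc-crc for both the session key and the ticket, and predicts the user name aklog will put in the token. The naming rule coded here is an assumption about aklog's classic behaviour: if the client's realm is the cell's own realm the bare name is used, otherwise the realm is treated as foreign and appended in lower case, with no krb.conf local-realm list consulted. Function names are mine.

```python
"""
Inspect a klist -ef dump for an AFS service ticket and predict the AFS
identity aklog will place in the token.

Added example, not from the original mail or from OpenAFS.  The klist
text below is constructed from the output shown in the mail.
"""
import re

# Constructed sample: a trimmed copy of the klist -ef output in the mail.
KLIST_SAMPLE = """\
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
\trenew until 08/23/04 23:03:10, Flags: FRIA
\tEtype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
\trenew until 08/23/04 23:03:10, Flags: FRA
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:17:44  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
\trenew until 08/23/04 23:03:10, Flags: FRA
\tEtype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# The enctype the reply says both halves of the afs/ ticket must show.
DES_CRC = "DES cbc mode with CRC-32"

_TICKET_RE = re.compile(
    r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)")
_ETYPE_RE = re.compile(r"\s*Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")
_DEFAULT_RE = re.compile(r"Default principal:\s+(\S+)")


def parse_klist(text):
    """Return (default_principal, tickets); each ticket is a dict with
    the service principal and, when klist -e was used, skey/tkt enctypes."""
    default = None
    tickets = []
    for line in text.splitlines():
        m = _DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = _TICKET_RE.match(line)
        if m:
            tickets.append({"service": m.group(3), "skey": None, "tkt": None})
            continue
        m = _ETYPE_RE.match(line)
        if m and tickets:
            # The Etype line belongs to the ticket most recently seen.
            tickets[-1]["skey"] = m.group(1)
            tickets[-1]["tkt"] = m.group(2)
    return default, tickets


def afs_token_name(client_principal, afs_service_principal):
    """Predict the name aklog puts in the token.

    Assumption (classic aklog rule, no krb.conf local-realm list): a client
    from the cell's own realm gets the bare name; any other realm is
    treated as foreign and appended in lower case."""
    user, client_realm = client_principal.split("@", 1)
    cell_realm = afs_service_principal.split("@", 1)[1]
    if client_realm.upper() == cell_realm.upper():
        return user
    return f"{user}@{client_realm.lower()}"


def check_afs_ticket(text, cell):
    """Find the afs/<cell> ticket in a klist -ef dump and report whether
    it is DES cbc-crc on both halves, plus the predicted token name.
    Returns None when no such ticket is cached."""
    default, tickets = parse_klist(text)
    for t in tickets:
        if t["service"].startswith(f"afs/{cell}@"):
            return {
                "service": t["service"],
                "des_ok": t["skey"] == DES_CRC and t["tkt"] == DES_CRC,
                "token_name": afs_token_name(default, t["service"]),
            }
    return None


if __name__ == "__main__":
    print(check_afs_ticket(KLIST_SAMPLE, "acm.uiuc.edu"))
```

Run against the sample, the afs/acm.uiuc.edu ticket passes the enctype check and the predicted token name is cclausen@ad.uiuc.edu, which is exactly what the mail's "tokens" output shows: the cross-realm client is treated as a foreign user of the cell, so the ACL entry (or PTS user) has to carry the realm suffix. Feeding the same ticket with a client of cclausen@ACM.UIUC.EDU yields the bare cclausen.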