[OpenAFS] 1.3.70 and aklog
Christopher D. Clausen
cclausen@acm.org
Tue, 17 Aug 2004 03:54:40 -0500
Jeffrey Altman wrote:
> Christopher D. Clausen wrote:
>
>> Jeffrey Altman wrote:
>
>> My servers are 1.2.11 and they have not been patched for MD5
>> support. I don't understand why I need this patch. I do not have
>> an AFS service ticket in Active Directory. The only AFS service
>> ticket is the one on the MIT KDC: afs/acm.uiuc.edu@ACM.UIUC.EDU
>
> What enctype is this ticket?
DES cbc mode with CRC-32 and no salt
>> Why is it trying to create a remote user? I am not a remote user,
>> I'm just using Kerberos trusts to obtain the ticket/token. Is this
>> not possible or am I completely misunderstanding cross-realm trusts?
>
> You are a remote user as long as you are obtaining the token via
> a cross-realm trust. If you were to obtain a TGT directly from
> ACM.UIUC.EDU you would be a local user.
Ok. Thank you. I'm starting to understand.
Couldn't I just create an afs/acm.uiuc.edu@AD.UIUC.EDU AFS service
principal using ktpass.exe, add it to my AFS servers and use that to
authenticate from the AD.UIUC.EDU realm / domain instead of trying to
set up this foreign user stuff?
So I would need to set up:
1) pts creategroup system:authuser@ad.uiuc.edu system:administrators -cell acm.uiuc.edu
2) create a pts user cclausen@ad.uiuc.edu (is this needed?)
3) add cclausen@ad.uiuc.edu to ACLs.
4) try aklog (which works once the above are done.)
Will this work if the Kerberos trust is only one way?
ACM.UIUC.EDU trusts AD.UIUC.EDU
AD.UIUC.EDU DOES NOT trust ACM.UIUC.EDU
Or does there need to be a trust in each direction for the cross-realm
authentication to work?
Also, the ACM.UIUC.EDU realm is running MIT krb5-1.2.4-5 (Debian woody).
Would the KDCs need to be upgraded for this cross-realm stuff to work?
I assume that I still need to have newer servers, or otherwise patch
them to support the MD5 enctype:
C:\>vos examine user.cclausen
vsu_ClientInit: funny kvno (256) in ticket, proceeding
rxk: Ticket length too long or too short
The above is the result of me actually having a cclausen@ad.uiuc.edu
token and not having upgraded AFS servers, correct? As it works just
fine if I unlog.
> You have obtained a token for acm.uiuc.edu. The name of the principal
> associated with the token is cclausen@ad.uiuc.edu. Therefore, you
> are a foreign user.
Ok.
> Because you don't understand cross realm.
Indeed. I'm trying to fix that, which is why I am asking questions.
>> I have tokens for cclausen and I can correctly access my files.
>
> yes. but gssklogd exists solely within the realm ACM.UIUC.EDU and it
> has been configured to use the first component of the principal name
> as the AFS username. The token which is generated contains the user
> principal name "cclausen@ACM.UIUC.EDU"; it does not contain the
> cross-realm principal name "cclausen@AD.UIUC.EDU". gssklogd throws
> away the foreign realm and substitutes the local realm.
Ok.
> Are you able to access your home directory when you destroy your
> tokens with unlog.exe?
If I do not have tokens, I can only list files in my home directory, as
per the system:anyuser l ACL.
> I'm concerned that you unable to access the volume at all.
I can access it just fine either when I kinit to cclausen@ACM.UIUC.EDU
or use gssklog to obtain tokens.
I do however seem to have problems accessing anything in AFS when I have
cclausen@ad.uiuc.edu tokens (after setting up some of the foreign user
stuff listed above.) If I unlog, things go back to normal. (I assume
this is either b/c of the older AFS servers or some configuration option
I've overlooked.)
C:\>ms2mit
C:\>klist
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU
Valid starting Expires Service principal
08/17/04 03:25:14 08/17/04 13:25:14 krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
renew until 08/24/04 03:25:14
08/17/04 03:25:14 08/17/04 13:25:14
host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
renew until 08/24/04 03:25:14
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>"c:\Program Files\OpenAFS\Client\Program\aklog.exe" -d -5 -c acm.uiuc.edu
Authenticating to cell acm.uiuc.edu.
Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
About to resolve name cclausen@AD.UIUC.EDU to id
Id 130742
Set username to AFS ID 130742
Getting tokens.
C:\>tokens
Tokens held by the Cache Manager:
User's (AFS ID 130742) tokens for afs@acm.uiuc.edu [Expires Aug 17 13:25]
--End of list --
C:\>dir h:\
Volume in drive H is AFS
Volume Serial Number is 0000-04D2
Directory of h:\
17-Aug-04 01:47 AM <DIR> .
17-Aug-04 01:47 AM <DIR> ..
24-Jul-04 12:23 AM <DIR> Desktop
04-May-04 02:27 AM <DIR> Library
15-May-04 02:17 PM <DIR> Movies
23-Mar-04 06:49 PM <DIR> Music
15-May-04 05:49 AM <DIR> ncsa
08-Aug-04 12:42 AM <DIR> Public
15-Aug-04 09:10 PM <DIR> public_html
03-Aug-04 06:07 PM <DIR> src
31-Dec-69 10:59 PM 0 Private
.
. (snip)
.
10 File(s) 5,147,963 bytes
10 Dir(s) 1,099,511,626,752 bytes free
C:\>h:
H:\>dir
(hangs for several seconds before returning same list as above.)
H:\>klist -ef
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU
Valid starting Expires Service principal
08/17/04 03:25:14 08/17/04 13:25:14 krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14 08/17/04 13:25:14
host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14 08/17/04 13:25:14 krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 03:46:55 08/17/04 13:25:14 afs/acm.uiuc.edu@ACM.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Please don't reply to the list AND to me. I am on the list, even if I
don't understand everything.
<<CDC
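Added example, not part of the message above and not OpenAFS or MIT Kerberos code: a small Python script that reads a `klist -ef` dump like the one quoted above, reflows the lines that klist or the mail client wrapped, pulls out each ticket's service principal, flags and enctypes, and then answers the two questions that matter for aklog: is the afs/acm.uiuc.edu ticket (session key and ticket) single DES, which is all the classic rxkad security class can use, and what PTS name aklog will look up for the client principal. The sample input is the ticket cache shown in the message, embedded as constructed test data. Assumptions, marked in the code as well: the name mapping (first component plus any instance joined with a dot for the cell's own realm, user@realm for any other realm) follows aklog's documented behaviour, and the foreign realm is lowered because the ptserver treats names case-insensitively; the enctype strings are MIT klist's, not a complete list.

```python
"""Classify tickets in a 'klist -ef' dump for use with aklog and rxkad.

Example code added to the thread for illustration; it is not OpenAFS
or MIT Kerberos code.
"""
import re

# Constructed sample: the 'klist -ef' output quoted in the message,
# including the line wrapping it had there.
KLIST_EF_SAMPLE = """\
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU
Valid starting Expires Service principal
08/17/04 03:25:14 08/17/04 13:25:14 krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRIA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14 08/17/04 13:25:14
host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14 08/17/04 13:25:14 krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
RSA-MD5
08/17/04 03:46:55 08/17/04 13:25:14 afs/acm.uiuc.edu@ACM.UIUC.EDU
renew until 08/24/04 03:25:14, Flags: FRA
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
CRC-32
"""

TIMESTAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
# A ticket entry starts with two timestamps; the service principal may
# follow on the same line or be pushed onto the next one.
ENTRY_START = re.compile(rf"^({TIMESTAMP}) ({TIMESTAMP})(?: (\S+))?$")
KEYWORDS = ("Ticket cache:", "Default principal:", "Valid starting",
            "renew until", "Etype (skey, tkt):", "Kerberos 4", "klist:")
# Single-DES enctypes as MIT klist names them (assumed list, not
# exhaustive). Classic rxkad holds DES keys only, so both the session
# key and the ticket itself must use one of these.
SINGLE_DES = ("DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
              "DES cbc mode with RSA-MD4")


def _reflow(text):
    """Join continuation lines back onto the line they were wrapped from."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or line.startswith(KEYWORDS):
            lines.append(line)
        elif lines:
            lines[-1] = lines[-1] + " " + line
    return lines


def parse_klist_ef(text):
    """Return one dict per ticket: service, flags, skey_etype, tkt_etype."""
    tickets = []
    for line in _reflow(text):
        m = ENTRY_START.match(line)
        if m:
            tickets.append({"service": m.group(3) or "", "flags": "",
                            "skey_etype": None, "tkt_etype": None})
        elif line.startswith("renew until") and tickets:
            fm = re.search(r"Flags: (\S+)", line)
            tickets[-1]["flags"] = fm.group(1) if fm else ""
        elif line.startswith("Etype (skey, tkt):") and tickets:
            skey, tkt = line.split(":", 1)[1].split(",", 1)
            tickets[-1]["skey_etype"] = skey.strip()
            tickets[-1]["tkt_etype"] = tkt.strip()
    return tickets


def afs_service_ticket(tickets, cell):
    """The afs/<cell>@REALM ticket that 'aklog -5' hands to rxkad, or None."""
    for t in tickets:
        if t["service"].startswith(f"afs/{cell}@"):
            return t
    return None


def rxkad_usable(ticket):
    """True when both session key and ticket enctype are single DES."""
    return (ticket["skey_etype"] in SINGLE_DES
            and ticket["tkt_etype"] in SINGLE_DES)


def aklog_username(principal, cell_realm):
    """PTS name aklog looks up for a client principal (assumed mapping).

    Same realm as the cell: first component, with any instance appended
    as 'name.instance'. Any other realm: 'name@realm', which is why
    cclausen@AD.UIUC.EDU resolves to the foreign entry cclausen@ad.uiuc.edu
    and not to the local user cclausen. The realm is lowered here on the
    assumption that the ptserver matches names case-insensitively.
    """
    name, realm = principal.rsplit("@", 1)
    local_name = ".".join(name.split("/"))
    if realm.upper() == cell_realm.upper():
        return local_name
    return f"{local_name}@{realm.lower()}"


if __name__ == "__main__":
    tix = parse_klist_ef(KLIST_EF_SAMPLE)
    for t in tix:
        print(f"{t['service']:45} skey={t['skey_etype']!r} "
              f"tkt={t['tkt_etype']!r} rxkad_ok={rxkad_usable(t)}")
    afs = afs_service_ticket(tix, "acm.uiuc.edu")
    print("afs ticket usable by rxkad:", afs is not None and rxkad_usable(afs))
    print("pts name:", aklog_username("cclausen@AD.UIUC.EDU", "ACM.UIUC.EDU"))
```

Run against a real cache with `klist -ef | python3 thisscript.py` after swapping the sample for `sys.stdin.read()`; the interesting case to watch for is an afs/ ticket whose enctype is not single DES, which rxkad on an unpatched server cannot decrypt regardless of how the PTS entries are set up.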