[OpenAFS] AFS tokens in cross-realm scenario problem
Ulrich Schwickerath
ulrich.schwickerath@iwr.fzk.de
Tue, 16 Aug 2005 19:44:45 +0200
Hello,
we are currently using 1.3.86 on two X86_64-based database server nodes,
providing an AFS cell named cg.fzk.de. We have an ADS KDC for CG.FZK.DE with
some users inside. On the client side we are using Heimdal 0.6.4. If I
authenticate to CG.FZK.DE I can retrieve AFS tokens both with aklog and with
Heimdal's afslog, and pam_krb5afs is also in place, which happily gives me a
working AFS token after successful KRB5 authentication.
So far, so good. Now we have another ADS-based realm (KA.FZK.DE), and we have
set up a one-way trust between the two KDCs. If I now authenticate in
KA.FZK.DE, I can log in to a node in CG.FZK.DE, kerberized authentication
works fine (I tested with rsh), and again I get an AFS token. But this time
the token is discarded:
afs: Tokens for user of AFS id 1234 for cell cg.fzk.de are discarded (rxkad
error=19270408), meaning:
19270408 (rxk).8 = ticket contained unknown key version number
Running Heimdal's afslog by hand in verbose mode I get no error messages
whatsoever, but a somewhat strange principal name that is successfully tried:
afslog -v
krb5 tried afs/cg.fzk.de@KA.FZK.DE -> 0
After that I have the following principals and tokens:
[schwicke@iwrcgvor1:/afs/cg.fzk.de/home/schwicke]$ klist -v
Credentials cache: FILE:/tmp/krb5cc_p29657
Principal: schwicke@KA.FZK.DE
Cache version: 4
Server: krbtgt/KA.FZK.DE@KA.FZK.DE
Ticket etype: arcfour-hmac-md5, kvno 100002
Session key: des
Auth time: Aug 16 18:53:14 2005
Start time: Aug 16 19:24:25 2005
End time: Aug 17 04:53:14 2005
Ticket flags: forwardable, forwarded, pre-authenticated
Addresses: IPv4:141.52.165.254
Server: krbtgt/CG.FZK.DE@KA.FZK.DE
Ticket etype: arcfour-hmac-md5
Session key: des
Auth time: Aug 16 18:53:14 2005
Start time: Aug 16 19:24:25 2005
End time: Aug 17 04:53:14 2005
Ticket flags: forwarded, pre-authenticated, ok-as-delegate
Addresses: IPv4:141.52.165.254
Server: krbtgt/CG.FZK.DE@KA.FZK.DE
Ticket etype: arcfour-hmac-md5
Session key: des
Auth time: Aug 16 18:53:14 2005
Start time: Aug 16 19:24:46 2005
End time: Aug 17 04:53:14 2005
Ticket flags: forwarded, pre-authenticated, ok-as-delegate
Addresses: IPv4:141.52.165.254
Server: krbtgt/CG.FZK.DE@KA.FZK.DE
Ticket etype: arcfour-hmac-md5
Session key: des
Auth time: Aug 16 18:53:14 2005
Start time: Aug 16 19:24:51 2005
End time: Aug 17 04:53:14 2005
Ticket flags: forwarded, pre-authenticated, ok-as-delegate
Addresses: IPv4:141.52.165.254
Aug 16 19:24:51 Aug 17 04:53:14 User's (AFS ID 7597) tokens for cg.fzk.de
(256)
The token is discarded, and any attempt to access AFS fails with "permission
denied".
aklog also happily provides me with a wrong token but throws an error:
aklog
aklog: Unknown error 267272 so unable to create remote PTS user
schwicke@ka.fzk.de in cell cg.fzk.de (status: 267272).
What could this unknown error be?
After that I also have the afs service principal for the correct cell:
Server: afs@CG.FZK.DE
Ticket etype: des-cbc-md5, kvno 5
Session key: des
Auth time: Aug 16 18:53:14 2005
Start time: Aug 16 19:28:25 2005
End time: Aug 17 04:53:14 2005
Ticket flags: forwarded, pre-authenticated
Addresses: IPv4:141.52.165.254
This is exactly the principal that I expected to see, and the same that I get
if I authenticate in CG.FZK.DE which works fine. The kvno matches the one of
the AFS master key.
Note: In KA.FZK.DE there is no AFS service principal whatsoever. We already
tried to create one there, too, and import a second key into AFS with the
proper KVNO but with the same results.
Any idea what is going on? Did I miss something obvious? Has anybody out
there seen/solved this (or a similar) problem? I'm out of ideas about what
else I could check. Any hint on what could be going wrong is highly welcome!
Thanks in advance,
Ulrich
P.S.: The relevant part of /etc/krb5.conf looks like this:
[libdefaults]
        default_etypes = des-cbc-crc des-cbc-md5
        default_etypes_des = des-cbc-crc des-cbc-md5
        default_realm = CG.FZK.DE
        forward = yes
        forwardable = yes
        ticket_lifetime = 168h

[domain_realm]
        .fzk.de = CG.FZK.DE

[appdefaults]
        afs-use-524 = no
        libkafs = {
                afs-use-524 = no
                ...
        }

[capath]
        KA.FZK.DE = {
                KA.FZK.DE = CG.FZK.DE
        }
--
__________________________________________
Dr. Ulrich Schwickerath
Forschungszentrum Karlsruhe
GRID-Computing and e-Science
Institut for Scientific Computing (IWR)
P.O. Box 36 40
76021 Karlsruhe, Germany
Tel: +49(7247)82-8607
Fax: +49(7247)82-4972
e-mail: ulrich.schwickerath@iwr.fzk.de
PGP DH/DSS Key: ID 0xCEB9826F
Fingerprint: 5537 8473 CD26 507E 8EE2 BAAF 98E2 FD16 CEB9 826F
__________________________________________
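The two raw error numbers in the post, 19270408 from rxkad and 267272 from aklog, are both com_err codes: the error table's name is packed six bits per character into the high bits, and the low eight bits are the message index within that table. The following decoder is an added example, not code from the post or from the OpenAFS project; it re-implements the packing scheme of compile_et/error_table_name with the standard com_err character set (the post's translate_et output prints the table name in lower case as "(rxk)", the standard charset yields "RXK"). It goes beyond the post's two cases in that it also masks negative 32-bit values, so Kerberos library codes such as -1765328384 (table "krb5") decode the same way. The table names and offsets it returns are arithmetic only; the message text for an offset still has to be looked up in that table's .et source.

```python
# Decoder for com_err-style error numbers (added example; assumes the
# MIT com_err packing scheme used by OpenAFS and Kerberos error tables).
#
# Layout of a code:  [ table name, 6 bits per char ][ 8-bit offset ]
# Offsets run 0..255 within a table; 0 is the table's "no error" slot.

CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8          # low 8 bits carry the offset inside the table
TABLE_MASK = 0o77777777    # 24 bits: up to four packed name characters


def decode_com_err(code: int) -> tuple[str, int]:
    """Split a com_err code into (table name, offset within the table).

    Negative values (as C 'long' or 'int' error codes often are) are
    treated as unsigned 32-bit integers before decoding.
    """
    code &= 0xFFFFFFFF
    offset = code & ((1 << ERRCODE_RANGE) - 1)
    packed = (code >> ERRCODE_RANGE) & TABLE_MASK
    name = []
    # Walk from the most significant 6-bit group to the least; a zero
    # group means "no character here" (names shorter than four chars).
    for i in range(4, -1, -1):
        ch = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch != 0:
            name.append(CHAR_SET[ch - 1])
    return "".join(name), offset


def encode_com_err(table: str, offset: int) -> int:
    """Inverse of decode_com_err: numeric code for a table name + offset."""
    if not 0 <= offset < (1 << ERRCODE_RANGE):
        raise ValueError("offset must fit in 8 bits")
    packed = 0
    for c in table:
        packed = (packed << BITS_PER_CHAR) + CHAR_SET.index(c) + 1
    return (packed << ERRCODE_RANGE) + offset


def describe(code: int) -> str:
    """Human-readable split, e.g. '19270408 = table RXK, offset 8'."""
    table, offset = decode_com_err(code)
    return f"{code} = table {table!r}, offset {offset}"


if __name__ == "__main__":
    # The two codes quoted in the post (constructed input, taken from it).
    for c in (19270408, 267272):
        print(describe(c))
    # A Kerberos library code, to show the 32-bit handling.
    print(describe(-1765328384))
```

Run as a script it prints that 19270408 is offset 8 in table RXK (rxkad) and that 267272 is offset 8 in table PT, which is the OpenAFS protection server's error table; the aklog failure in the post is therefore a pts error, not a Kerberos one, and the offset points at the message to look up in the ptserver error table.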