[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Thu, 16 Jul 2009 14:49:04 -0400


Okay, we continue to fight this.  We found that despite having an
alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
being treated as unauthorized, anonymous users, rather than being mapped
as they should be.

We looked into enctypes as a possible culprit.  We were using des-cbc-crc,
but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
not restrict it to just one type, but can restrict it to just DES types.
(The ADS admin said they set the "Use Kerberos DES encryption types" flag).

So, we got a des-crc-md5 service principal from our ADS admin.  Now the
ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on the
server side.

After aklog, this is what klist shows for afs/afstest.iu.edu:
07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU
        renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

In FileLog:
Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0

That 0 should be 2 for properly authenticated connections. At first it
failed because the enctype wasn't supported.  Now that they have that DES
flag set in the kdc, it fails because it can't decrypt the encrypted part
of the k5 ticket.

Can anyone enlighten me on the encryption types we should be asking for
from the ADS admin, and what other issues might be going on here, and why
the MD5 ticket isn't being decrypted by the AFS server?

Thanks again,

--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
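As an added example (not from the original post and not OpenAFS code), a small Python triage helper for the two diagnostics quoted above: it maps the enctype descriptions that `klist -e` prints for the afs/ service ticket to Kerberos enctype names, flags anything outside the single-DES types the rxkad ticket5 decoder is assumed to accept, and picks out FileLog connections that ended up as authClass=0. The klist and FileLog samples are constructed from the lines in the post; the set of DES enctypes is an assumption, not taken from the OpenAFS source.

```python
import re

# Constructed samples modelled on the klist -e and FileLog lines quoted in the post.
KLIST_SAMPLE = """\
07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU
        renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""
FILELOG_SAMPLE = """\
Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
Thu Jul 16 14:29:01 2009 FindClient: authenticating connection: authClass=2
"""

# klist's long enctype descriptions -> Kerberos enctype names.
KLIST_ETYPE_NAMES = {
    "DES cbc mode with CRC-32": "des-cbc-crc",
    "DES cbc mode with RSA-MD5": "des-cbc-md5",
    "DES cbc mode with RSA-MD4": "des-cbc-md4",
}
# Assumption: single-DES enctypes the classic rxkad ticket5 decoder can decrypt.
RXKAD_DES_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}


def afs_ticket_etypes(klist_output, service_prefix="afs/"):
    """Return (skey, tkt) enctype names for the first afs/ ticket in klist -e output."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if service_prefix in line and i + 1 < len(lines):
            m = re.search(r"Etype \(skey, tkt\): (.+?), (.+)$", lines[i + 1])
            if m:
                skey, tkt = (KLIST_ETYPE_NAMES.get(s.strip(), s.strip()) for s in m.groups())
                return skey, tkt
    return None


def etype_problems(skey, tkt):
    """List enctypes the AFS server side is not expected to be able to handle."""
    problems = []
    for label, et in (("session key", skey), ("ticket", tkt)):
        if et not in RXKAD_DES_ETYPES:
            problems.append(f"{label} enctype {et} is not a single-DES type rxkad decrypts")
    return problems


def unauthenticated_connections(filelog):
    """FileLog lines where FindClient fell back to authClass=0 (unauthenticated)."""
    return [l for l in filelog.splitlines() if re.search(r"authClass=0\b", l)]


if __name__ == "__main__":
    skey, tkt = afs_ticket_etypes(KLIST_SAMPLE)
    print(f"session key: {skey}, ticket: {tkt}", etype_problems(skey, tkt) or "ok")
    print(f"{len(unauthenticated_connections(FILELOG_SAMPLE))} unauthenticated connection(s)")
```

Run it against real output with `klist -e` and the fileserver's FileLog to see at a glance whether the ticket enctype is one the server can decrypt and how many connections are landing unauthenticated.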