[OpenAFS] ADS and MIT Kerberos transition auth continued

Douglas E. Engert deengert@anl.gov
Thu, 16 Jul 2009 14:08:28 -0500

Eric Chris Garrison wrote:
> Okay, we continue to fight this.  We found that despite having an
> alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
> being treated as unauthorized, anonymous users, rather than being mapped
> as they should be.
> We looked into enctypes as a possible culprit.  We were using des-cbc-crc,
> but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
> not restrict it to just one type, but can restrict it to just DES types.
> (The ADS admin said they set the "Use Kerberos DES encryption types" flag).
> So, we got a des-crc-md5 service principal from our ADS admin.  Now the
> ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on the
> server side.
> After aklog, this is what klist shows for afs/afstest.iu.edu:
> 07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU
>         renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode
> with CRC-32, DES cbc mode with RSA-MD5

The enc types are OK. For example, I have:
07/16/09 08:41:05  07/16/09 18:40:53  afs/anl.gov@ANL.GOV
         renew until 07/23/09 08:40:53, Etype(skey, tkt): DES cbc mode
with CRC-32, DES cbc mode with RSA-MD5

> In FileLog:
> Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
> That 0 should be 2 for properly authenticated connections. At first it
> failed because the enctype wasn't supported.  Now that they have that DES
> flag set in the kdc, it fails because it can't decrypt the encrypted part
> of the k5 ticket.

And after you reset the desonly bit in AD, did you use ktpass with
-pass somepassword -out keytabfile
or did you use the -rndPass option?

And you put the new key in the /usr/afs/etc/KeyFile on all the servers
with the correct kvno? Not sure, but you may have to restart the servers too.

And you did a fresh kinit?

> Can anyone enlighten me on the encryption types we should be asking for
> from the ADS admin, and what other issues might be going on here, and why
> the MD5 ticket isn't being decrypted by the AFS server?

> Thanks again,
> Chris
> --
> Eric Chris Garrison             | Principal Mass Storage Specialist
> ecgarris@iupui.edu              | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu


  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
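As an added example (not part of this thread or of OpenAFS), a small Python checker for the two things asked above: that the afs/ service ticket's enctypes shown by `klist -e` are in the single-DES family rxkad can decrypt, and that the kvno reported by the MIT `kvno` tool is one of the kvnos present in the server KeyFile as printed by `asetkey list`. The sample outputs are constructed, and the exact `asetkey list` line format is an assumption.

```python
import re

# Ticket enctypes rxkad can decrypt: the single-DES family (assumption, see lead-in).
RXKAD_DES_ETYPES = {"DES cbc mode with CRC-32", "DES cbc mode with RSA-MD5",
                    "DES cbc mode with RSA-MD4"}

# Constructed `klist -e` output, modelled on the listing in the thread (unwrapped).
KLIST_OUTPUT = """\
07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU
        renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""
# Constructed output of the MIT `kvno afs/afstest.iu.edu` command ("<princ>: kvno = N").
KVNO_OUTPUT = "afs/afstest.iu.edu@ADS.IU.EDU: kvno = 3\n"
# Constructed `asetkey list` output with a placeholder key; the line format is an assumption.
ASETKEY_OUTPUT = "kvno    2: key is: 0123456789abcdef\nAll done.\n"

def parse_klist(text):
    """Map service principal -> (session-key etype, ticket etype) from `klist -e` output."""
    tickets, lines = {}, text.splitlines()
    for i, line in enumerate(lines[:-1]):
        m = re.match(r"\S+ \S+\s+\S+ \S+\s+(\S+@\S+)$", line.strip())
        e = re.search(r"Etype\s*\(skey, tkt\):\s*(.+?),\s*(.+?)\s*$", lines[i + 1])
        if m and e:
            tickets[m.group(1)] = (e.group(1), e.group(2))
    return tickets

def parse_kvno(text):
    """Return (principal, kvno) from `kvno` output, or None."""
    m = re.search(r"^(\S+): kvno = (\d+)", text, re.M)
    return (m.group(1), int(m.group(2))) if m else None

def keyfile_kvnos(text):
    """Set of kvnos present in the server KeyFile, from `asetkey list` output."""
    return {int(k) for k in re.findall(r"^kvno\s+(\d+):", text, re.M)}

def check_afs_ticket(klist_text, kvno_text, asetkey_text):
    """List the reasons the fileserver would fail to decrypt the ticket; [] means none found."""
    afs = {p: e for p, e in parse_klist(klist_text).items() if p.startswith("afs/")}
    if not afs:
        return ["no afs/ service ticket in the cache (run aklog after kinit)"]
    problems = [f"{p}: ticket enctype {tkt!r} is not single DES"
                for p, (_skey, tkt) in afs.items() if tkt not in RXKAD_DES_ETYPES]
    found = parse_kvno(kvno_text)
    if found:
        princ, kv = found
        have = keyfile_kvnos(asetkey_text)
        if kv not in have:
            problems.append(f"{princ}: ticket kvno {kv} not in KeyFile (KeyFile has {sorted(have)})")
    return problems
```

With the constructed inputs the enctypes pass but the kvno check fails, which is the situation the reply above points at: a ticket issued under a newer key than the one the servers hold.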