[OpenAFS] krb5 trust, rxkad error=19270408... I'm missing something

Stephen Joyce stephen@physics.unc.edu
Thu, 4 Mar 2010 19:19:25 -0500 (EST) 

I'm trying to test trusting a Windows 2008R2 krb5 realm and am obviously 
missing a step somewhere. I get tokens that don't work. I've been following 
the steps at 
http://www.dementia.org/twiki/bin/view/AFSLore/AdminFAQ#3_51_Can_I_authenticate_to_my_af

I've scanned the list archives and have read about the specific error, but 
it hasn't helped me solve my problem so far.

My setup:
Windows 2008R2 KDC, with afs/cellname@AD.DOMAIN DES-only ticket created.

Windows 2008R2 massaged to allow DES tickets.

1 test AFSDB
1 test AFSFS
1 test client

My keyfile contains 3 pre-existing keys that I'd like to maintain in the 
hopes of conducting a graceful migration from MIT-K5 to 2008R2-K5 auth. 
Pre-existing keys are in slots 0,1,2 of the keyfile.

I've created the afs/cellname@AD.DOMAIN princ and keytab on Windows and 
transferred to linux securely. This enctype is DES-CBC-CRC.

On the first test server, klist -e -k (new keytab) -t -K shows a KVNO of 3 
and "DES cbc mode with CRC-32". Yay!

I have configured krb5.conf on both test servers and test client.

I used asetkey add 3 (new keytab) afs/cellname@AD.DOMAIN to add the new key 
to test AFSDB and test AFSFS and bos restart'ed them.

I can successfully do the following:

server> kinit -kt (keytab) afs/cellname@AD.DOMAIN
server> klist
 	(shows krbtgt/AD.DOMAIN@AD.DOMAIN)

server> kvno afs/cellname@AD.DOMAIN
 	(shows kvno = 3)

client> kinit (regular user)
client> klist
Ticket cache: FILE:/tmp/krb5cc_uid
Default principal: user@AD

Valid starting     Expires            Service principal
03/04/10 18:23:47  03/05/10 04:23:50  krbtgt/AD.DOMAIN@AD.DOMAIN
 	renew until 03/11/10 18:23:47, Flags: FPRIA
 	Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 
CTS mode with 96-bit SHA-1 HMAC

client> aklog -d
Authenticating to cell cellname (server testafsdb.cellname).
We've deduced that we need to authenticate to realm AD.DOMAIN
Getting tickets: afs/cellname@AD.DOMAIN
Using Kerberos V5 ticket natively
About to resolve name foobar to id in cell cellname.
Id 12345
Set username to AFS ID 12345
Setting tokens. AFS ID 12345 /  @ AD.DOMAIN

client> tokens
Tokens held by the Cache Manager:

User's (AFS ID 12345) tokens for afs@cellname [Expires Mar  5 04:23]
    --End of list--

client> klist -ef
icket cache: FILE:/tmp/krb5cc_31846
Default principal: user@AD.DOMAIN

Valid starting     Expires            Service principal
03/04/10 18:23:47  03/05/10 04:23:50  krbtgt/AD.DOMAIN@AD.DOMAIN
 	renew until 03/11/10 18:23:47, Flags: FPRIA
 	Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 
CTS mode with 96-bit SHA-1 HMAC
03/04/10 18:25:53  03/05/10 04:23:50  afs/cellname@AD.DOMAIN
 	renew until 03/11/10 18:23:47, Flags: FPRA
 	Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with 
CRC-32

However I see two symptoms.
1. The client logs the following on the console:
"afs: Tokens for user of AFS id 12345 for cell cellname are discarded 
(rxkad error=19270408)"
2. The tokens don't work, of course (when trying to create a file in a 
volume on the test AFSFS, which would otherwise be allowed).

The versions of openafs on all test PCs is not *new*, but is in the 1.4.x 
line.

I'm sure that there's some step I've missed along the way. Any hints?

Cheers, Stephen