Fwd: [OpenAFS] "reauth" code?

Gary Gatling gsgatlin@ncsu.edu
Fri, 31 Aug 2012 15:43:51 -0400



On Fri, Aug 31, 2012 at 2:36 PM, Booker Bense <bbense@gmail.com> wrote:
>
> The "best" way to create a keytab is to randomize the password and use
> kadmin to extract the keytab.
>
> If you have a heimdal kdc, you can extract the keytab w/o changing the
> password. The last time I looked the MIT code essentially randomized the
> password and updated the key when you created a keytab via the kadmin
> interface.
>
> If you have the MIT version of the ktutil command, you can use that to
> create a keytab if you know the password. However, you have to also know
> the key version number as well. ( kadmin should tell you this )
>
> ktutil is kind of a weird interface, the command you want is add_entry.
>
> Exactly what you do depends if you need to keep the password for use
> by humans or not.
>
> Once you have a keytab, k5start should allow you to do all the things you
> need.
>
I thought I created the keytab correctly, but it doesn't seem to work...

I have no idea how to tell what kind of Kerberos we use. I think it is MIT
but I am unsure.

which ktutil

which ktutil
/usr/bin/ktutil
sh-4.1$ rpm -qf /usr/bin/ktutil
krb5-workstation-1.9-33.el6_3.2.x86_64

 ktutil:  addent -password -p engrranger@EOS.NCSU.EDU -k 1 -e aes256-cts
(type password here)
 ktutil:  write_kt /afs/unity.ncsu.edu/users/g/gsgatlin/engrranger.ktb

/usr/local/bin/k5start -U -f /afs/unity.ncsu.edu/users/g/gsgatlin/engrranger.ktb
Kerberos initialization for engrranger@EOS.NCSU.EDU
k5start: error getting credentials: Client 'engrranger@EOS.NCSU.EDU' not found in Kerberos database

Does this error indicate the account is not there?

I was able to test the password of engrranger via klog, e.g.:

pagsh
klog engrranger
Password:
sh-4.1$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 38) tokens for afs@eos.ncsu.edu [Expires Sep  1 17:07]
   --End of list--

Jack, we use Kerberos 5 at this site, correct?

Anyone know what I am doing wrong?
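
An added example, not part of the original message and not code from MIT krb5 or k5start: a small Python reader for the keytab file format (version 0x0502) that lists the principal, realm, key version number and enctype stored in each entry, so they can be compared with what the KDC reports for the principal. The sample keytab is constructed inside the script with placeholder all-zero keys; `build_entry`, `parse_keytab` and `has_key` are hypothetical helper names, and key bytes are never returned.

```python
import struct

ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}

def build_entry(name, realm, kvno, etype, key):
    """Encode one entry; used only to make the constructed sample below."""
    cstr = lambda s: struct.pack(">H", len(s.encode())) + s.encode()
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + cstr(realm) + b"".join(map(cstr, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key
    body += struct.pack(">I", kvno)            # trailing 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Return (principal, kvno, enctype, key length) per entry; key bytes are not returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:
            break
        if size < 0:                           # negative size marks a deleted slot
            pos -= size
            continue
        rec, off = data[pos:pos + size], 2
        pos += size
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        parts = []
        for _ in range(ncomp + 1):             # realm first, then name components
            (n,) = struct.unpack_from(">H", rec, off)
            parts.append(rec[off + 2:off + 2 + n].decode())
            off += 2 + n
        _ntype, _ts, kvno, etype, klen = struct.unpack_from(">IIBHH", rec, off)
        off += 13 + klen
        if len(rec) - off >= 4:                # nonzero 32-bit kvno overrides the 8-bit one
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts[1:]) + "@" + parts[0], kvno,
                        ENCTYPES.get(etype, str(etype)), klen))
    return entries

def has_key(entries, principal, kdc_kvno):
    """True if the keytab holds a key for this exact principal at the given kvno."""
    return any(p == principal and k == kdc_kvno for p, k, _e, _l in entries)

# Constructed sample: placeholder all-zero keys, one deleted slot between two entries.
SAMPLE = (b"\x05\x02" + build_entry("engrranger", "EOS.NCSU.EDU", 1, 18, bytes(32))
          + struct.pack(">i", -6) + bytes(6)
          + build_entry("host/example.test", "EXAMPLE.TEST", 300, 17, bytes(16)))
```

To inspect a real file, pass its bytes to `parse_keytab` and compare each row with the principal name, realm and key version number the KDC holds.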
