[OpenAFS] Re: Permission denied after KDC upgrade

Andrew Deason adeason@sinenomine.net
Fri, 26 Sep 2014 10:24:39 -0500

On Fri, 26 Sep 2014 11:41:27 +0200
Andreas Donath <Andreas.Donath@aei.mpg.de> wrote:

> 	I have an issue accessing the file system after
> 	an OS upgrade on one of our KRB5 Heimdal KDCs
> 	(which is a Linux distribution called UCS(V3.2)
> 	based on debian).
> 	While the update process, a script was executed, that
> 	must have altered the enctypes (or more?) of the principals.

Was upgrading Heimdal a part of this process? At least some versions of
Heimdal are known to have behaviors/bugs that break rxkad-k5 behavior.

> 	I can do a kinit and a aklog on the clients fine, but
> 	trying to access files ends up in "Permission denied"
> 	klist -a shows:

What about a 'klist -a' when using the KDC that works? What does that
look like?

> 	I'm by no means a KRB expert, but my assumption is,
> 	that the differences here
> 	(e.g. Mkvno or des-cbc-crc(pw-salt)[1]) might cause the
> 	trouble. So the alterations of the afs service principal
> 	on the new KDC do not correctly correspond to the key
> 	that was once exported and provided to my AFSCell via
> 	bos addkey.

It looks like those differences in output may just be due to a different
Heimdal version, but I'm not sure (someone more familiar with Heimdal
can probably say). You could try extracting the AFS principal key (make
sure not to change they key when you do so), and comparing the keytab on
the new 'broken' KDC against the old 'working' one, and see if the
keytabs differ at all. It doesn't seem to me like the keying material
has changed, so that won't do anything, but who knows.

However, what is more concerning is that you mention adding the key via
'bos addkey', which implies using DES keys. Are you not using
rxkad.keytab? The kadmin output you provide suggests you are using
non-DES enctypes and rxkad-k5, and so you should be extracting keys to
an rxkad.keytab file. I'm not sure how your old environment could have
been working without doing that, since your 'old' KDC reports non-DES
keys. Do you not have an rxkad.keytab file anywhere?

> 	Is there a way to keep the old afs/CELL key in my environment,
> 	because I do not want to end up in not being able to
> 	access my cell at all, if the export/re-import of the
> 	new key fails?

You can keep the old key on openafs's side of things, yes, but the keys
have to have two different kvnos. Trying to keep two different keys in
the KDC database is more tricky, I believe.

Andrew Deason