[OpenAFS-devel] Suggestions to avoid troubling using Kerberos 5 with OpenAFS

Jim Doyle doyle@theworld.com
Fri, 9 Nov 2001 23:58:15 -0500


I've been battling problems with aklog and pam_krb5afs for a week now.
I've discovered the cause and solution of the problem and want to put this
"on the record" in case anyone else is doing the same.

My configuration:   RH7.1 Linux, OpenAFS 1.2.2, MIT Kerberos 1.2.2 using
		    the RPMS with RedHat (i.e. krb5-server-1.2.2.rpm)

My cell:	    No kaserver running. Using 'fakeka' process.

Problem:	    Able to klog and get a token for any user OK ; the
		    fact that klog works but aklog wasn't causes much
		    stomach acid..

		    Kinit followed by aklog appeareth to giveth a valid
		    AFS service ticket, and tokens reports some kind of
		    valid token.. However, tokens generated by aklog fail
	            to give you access to file or server resources in AFS.

Cause:		    aklog is fetching an AFS service key of the wrong
		    encryption type ; it stuffs the 8-byte session key
		    into the Kernel's KTC -- however, unless this is a
		    DES-CBC-CRC32 key ; it will fail to do what needs
		    to happen.


Solution 1:	    Make SURE one and only one encryption key is defined in
		    the KDC.  Further, make sure that you use the '-e'
		    option on *ALL* kadmin transactions when manipulating
		    the AFS server key. See the snippet below and follow
		    along...


Solution 2:	    Aklog and friends should be instrumented to request
		    specifically a DES-CBC-CRC32 key.. If one cannot be
		    had from the TGS -- it should whine with an
		    appropriate error message.



Steps to Re-Key your AFS cell to work with Krb5.
Note careful use of the -e flag to specify enc types. Omitting -e
at the ktadd step will cause major grief.
----------------------------------------------------------------------

[ 1 :: Change the password for the AFS server instance in your KDC ]

[root@prozac etc]# kadmin.local
Authenticating as principal jdoyle/admin@EXAMPLE.COM with password.
kadmin.local:  cpw -e des-cbc-crc:afs3 afs
Enter password for principal "afs":
Re-enter password for principal "afs":
Password for "afs@EXAMPLE.COM" changed.

[ 2 :: Randomize the AFS key and write to a keytab file ]

kadmin.local:  ktadd -k /usr/afs/etc/krb5.keytab -e des-cbc-crc:afs3 afs
Entry for principal afs with kvno 5, encryption type DES cbc mode with
CRC-32 added to keytab WRFILE:krb5.keytab.
kadmin.local:  quit

[ 3 :: Use 'asetkey' to move the key from a V5 KeyTab into an AFS KeyFile ]

[root@prozac etc]# asetkey add 5 krb5.keytab afs
[root@prozac etc]# ls
CellServDB  KeyFile  krb5.keytab  ThisCell  UserList
[root@prozac etc]# asetkey list
kvno    5: key is: 7c23ef40f1ae8667
All done.

[ 4 :: Restart the bosserver ]

[root@prozac etc]# /usr/afs/bin/bosserver

[ 5 :: Test it out ]

[root@prozac etc]# kdestroy
[root@prozac etc]# kinit jdoyle
Password for jdoyle@EXAMPLE.COM:
[root@prozac etc]# aklog
[root@prozac etc]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jdoyle@EXAMPLE.COM

Valid starting     Expires            Service principal
11/10/01 00:38:54  11/10/01 10:38:54  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/10/01 00:38:57  11/10/01 10:38:54  afs@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@prozac etc]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for afs@example.com [Expires Nov 10 10:38]
   --End of list--
[root@prozac etc]# !touch
touch /afs/example.com/users/jdoyle/fooage
[root@prozac etc]#


[ 6 :: Rejoice that you can 'touch' files in directories that you should ]
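An added example, not part of Jim's post and not OpenAFS or MIT Kerberos code: a small Python check that reads the keytab written by `ktadd` and verifies the caveat from Solutions 1 and 2 before you run `asetkey`, namely that the `afs` principal's current kvno has exactly one key, that it is des-cbc-crc (enctype 1), and that it is an 8-byte DES key with odd parity in every byte. It assumes the MIT keytab file format version 0x0502 (big-endian, 32-bit kvno appended after the keyblock); the sample keytabs are constructed in-line with the `build_keytab` helper rather than taken from a real cell. The des3 key bytes are made up; the des-cbc-crc key is the kvno 5 value `asetkey list` printed above.

```python
"""Check the 'afs' entry of an MIT keytab for aklog/asetkey compatibility.
Added example; assumes MIT keytab format 0x0502. Sample input is constructed."""
import struct

# Kerberos enctype numbers (only the ones worth naming here)
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
DES_CBC_CRC = 1


def _octets(data, pos):
    """Read a counted octet string (uint16 length + bytes) at pos."""
    (n,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + n].decode("utf-8"), pos + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] for every live entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled here")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _octets(data, pos)
            comps.append(c)
        pos += 4 + 4                 # name_type (0x0502 only) and timestamp
        kvno = data[pos]             # 8-bit kvno
        pos += 1
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        if end - pos >= 4:           # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, pos)
            if kvno32:
                kvno = kvno32
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype, key))
        pos = end
    return entries


def check_afs_key(entries, principal="afs"):
    """List problems with the AFS server key; [] means asetkey/aklog should work."""
    afs = [e for e in entries if e[0].split("@")[0] == principal]
    if not afs:
        return ["no '%s' entry in keytab" % principal]
    top = max(e[1] for e in afs)
    current = [e for e in afs if e[1] == top]   # only the newest kvno matters
    problems = []
    if len(current) > 1:
        names = ", ".join(ENCTYPES.get(e[2], "enctype %d" % e[2]) for e in current)
        problems.append("kvno %d has %d keys (%s); rerun ktadd with "
                        "-e des-cbc-crc:afs3 so only one is written" % (top, len(current), names))
    for _, kvno, et, key in current:
        name = ENCTYPES.get(et, "enctype %d" % et)
        if et != DES_CBC_CRC:
            problems.append("kvno %d is %s; the AFS KeyFile and KTC need an "
                            "8-byte des-cbc-crc key" % (kvno, name))
        elif len(key) != 8:
            problems.append("kvno %d des-cbc-crc key is %d bytes, not 8" % (kvno, len(key)))
        elif not all(bin(b).count("1") % 2 for b in key):
            problems.append("kvno %d DES key bytes do not all have odd parity" % kvno)
    return problems


def build_keytab(entries):
    """Serialize [(principal, kvno, enctype, key)] as a 0x0502 keytab.
    Used here only to construct sample input; real keytabs come from ktadd."""
    out = bytearray(b"\x05\x02")
    for princ, kvno, enctype, key in entries:
        name, realm = princ.split("@")
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode("utf-8")
        body += struct.pack(">II", 1, 0)          # KRB5_NT_PRINCIPAL, timestamp 0
        body += struct.pack(">B", kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)           # 32-bit kvno, as MIT writes it
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


DES_KEY = bytes.fromhex("7c23ef40f1ae8667")       # kvno 5 key from asetkey list above
# Constructed: what 'ktadd afs' without -e can leave you with (two keys at kvno 5)
BAD_KEYTAB = build_keytab([
    ("afs@EXAMPLE.COM", 5, 16, bytes(range(24))),  # des3-cbc-sha1, made-up 24 bytes
    ("afs@EXAMPLE.COM", 5, DES_CBC_CRC, DES_KEY),
])
# Constructed: what 'ktadd -e des-cbc-crc:afs3 afs' yields, with an older kvno kept
GOOD_KEYTAB = build_keytab([
    ("afs@EXAMPLE.COM", 4, DES_CBC_CRC, bytes.fromhex("0102040708101316")),
    ("afs@EXAMPLE.COM", 5, DES_CBC_CRC, DES_KEY),
])

if __name__ == "__main__":
    for label, kt in (("bad", BAD_KEYTAB), ("good", GOOD_KEYTAB)):
        print(label, check_afs_key(parse_keytab(kt)) or "ok")
```

To use it on a real file, replace the constructed keytabs with `open("/usr/afs/etc/krb5.keytab", "rb").read()`; an empty list from `check_afs_key` is the condition under which `asetkey add <kvno> krb5.keytab afs` will load a usable key, and a non-empty list is the error message the post wishes aklog itself would print.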