[OpenAFS-devel] aklog on OS X does not contact KDC to obtain AFS service principal

Marcus Crestani crestani@informatik.uni-tuebingen.de
Thu, 31 Jul 2014 20:38:17 +0200


>>>>>"BK" == Benjamin Kaduk <kaduk@MIT.EDU> writes:
BK> 1.6.6 predates rxkad-kdf and rxkad-k5, so aklog will be calling
BK> krb5_enctype_enable() and explicitly requesting a key of type
BK> ENCTYPE_DES_CBC_CRC.  kgetcred does not do so, and can receive other
BK> enctypes.  Hmm, this doesn't make perfect sense, though, as aklog
BK> would still need to be able to use the session key in order to claim
BK> success, I think.

kgetcred uses a des3-cbc-sha1 session key in our setup.

BK> Regardless, can you please provide the 'klist -v' output after kgetcred?

# /usr/bin/klist -v
Credentials cache: API:E61913F9-6666-40E8-9112-D30F7A1DB831
        Principal: mc@INFORMATIK.UNI-TUEBINGEN.DE
    Cache version: 0

Server: krbtgt/INFORMATIK.UNI-TUEBINGEN.DE@INFORMATIK.UNI-TUEBINGEN.DE
Client: mc@INFORMATIK.UNI-TUEBINGEN.DE
Ticket etype: des3-cbc-sha1, kvno 2
Ticket length: 370
Auth time:  Jul 31 20:35:55 2014
End time:   Aug  1 21:35:55 2014
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless

Server: afs/informatik.uni-tuebingen.de@INFORMATIK.UNI-TUEBINGEN.DE
Client: mc@INFORMATIK.UNI-TUEBINGEN.DE
Ticket etype: des3-cbc-sha1, kvno 3
Ticket length: 385
Auth time:  Jul 31 20:35:55 2014
Start time: Jul 31 20:36:12 2014
End time:   Aug  1 21:35:55 2014
Ticket flags: enc-pa-rep, transited-policy-checked, pre-authent, proxiable, forwardable
Addresses: addressless


aklog with the above ccache works immediately (with no "Getting tickets"
retries):

# aklog -d
Authenticating to cell informatik.uni-tuebingen.de (server afsdb1.informatik.uni-tuebingen.de).
Trying to authenticate to user's realm INFORMATIK.UNI-TUEBINGEN.DE.
Getting tickets: afs/informatik.uni-tuebingen.de@INFORMATIK.UNI-TUEBINGEN.DE
Using Kerberos V5 ticket natively
About to resolve name mc to id in cell informatik.uni-tuebingen.de.
Id 5564
Set username to AFS ID 5564
Setting tokens. AFS ID 5564 @ informatik.uni-tuebingen.de 

-- 
Marcus
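The thread turns on which enctype the afs/ service ticket in the credential cache carries, since aklog before rxkad-k5/rxkad-kdf asks the KDC specifically for a single-DES (ENCTYPE_DES_CBC_CRC) key. The script below is an added example, not code from the thread or from OpenAFS: it parses Heimdal-style `klist -v` output in the layout shown above and reports the enctype of the afs/<cell> entry, flagging single-DES keys. The `klist` text it reads is constructed inline, and the cell name, principal names and the hypothetical helper names (`afs_ticket_etype`, `check_afs_ticket`) are assumptions. If a `Session key:` line is present for the entry (Heimdal prints one when the session key enctype differs from the ticket enctype), that enctype is preferred, because it is the session key, not the ticket's own enctype, that rxkad uses.

```shell
#!/bin/sh
# Added example (not from the original thread): report the enctype of the
# afs/<cell> service ticket in 'klist -v' output and flag single-DES keys.

# Constructed sample in the 'klist -v' layout seen in the thread (not real output).
SAMPLE_KLIST='Credentials cache: API:00000000-0000-0000-0000-000000000000
        Principal: user@EXAMPLE.ORG
    Cache version: 0

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des3-cbc-sha1, kvno 2
Ticket length: 370
Ticket flags: pre-authent, initial, forwardable

Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: des3-cbc-sha1, kvno 3
Ticket length: 385
Ticket flags: pre-authent, forwardable
'

# Constructed sample where the ticket is AES but the session key handed to
# the client is single DES (the case an old aklog would request).
SAMPLE_KLIST_DES='Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 3
Session key: des-cbc-crc
Ticket flags: pre-authent, forwardable
'

# afs_ticket_etype <klist-v-output> <cell>
# Prints the enctype of the first afs/<cell> entry: the "Session key:" line
# if present, otherwise the "Ticket etype:" line. Prints nothing if absent.
afs_ticket_etype() {
    printf '%s\n' "$1" | awk -v cell="$2" '
        function emit() {
            if (sk != "") print sk; else if (tk != "") print tk
            inafs = 0; done = 1
        }
        /^Server: / && !done {
            if (inafs) emit()
            split($2, p, "@")
            inafs = (p[1] == ("afs/" cell)); tk = sk = ""
        }
        inafs && /^Ticket etype: / { sub(/,$/, "", $3); tk = $3 }
        inafs && /^Session key: /  { sub(/,$/, "", $3); sk = $3 }
        END { if (inafs) emit() }
    '
}

# is_single_des <etype>: true for the single-DES enctypes (the family rxkad
# required before rxkad-k5/rxkad-kdf, and which is cryptographically weak).
is_single_des() {
    case "$1" in
        des-cbc-crc|des-cbc-md4|des-cbc-md5) return 0 ;;
        *) return 1 ;;
    esac
}

# check_afs_ticket <klist-v-output> <cell>
# Prints "missing", "single-des:<etype>" or "ok:<etype>".
check_afs_ticket() {
    _etype=$(afs_ticket_etype "$1" "$2")
    if [ -z "$_etype" ]; then
        echo "missing"
    elif is_single_des "$_etype"; then
        echo "single-des:$_etype"
    else
        echo "ok:$_etype"
    fi
}

# Stand-alone usage; against a live cache run: check_afs_ticket "$(klist -v)" <cell>
check_afs_ticket "$SAMPLE_KLIST" example.org
check_afs_ticket "$SAMPLE_KLIST_DES" example.org
check_afs_ticket "$SAMPLE_KLIST" other.org
```

The cell name is compared as a string, not a regex, so a dotted cell name cannot accidentally match a different principal. On a real machine, pipe the output of `klist -v` in and compare the result against what `aklog -d` reports; a `single-des:` result with a modern KDC is the thing worth investigating.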