[OpenAFS] RE: [Q] aklog with a Windows 2000 KDC?

Economou, Matthew [EESUS] MEconom@EESUS.JNJ.com
Thu, 19 Apr 2001 12:01:17 -0400



FYI:

1. I'm following instructions recently posted to comp.protocols.kerberos
   by Nathan Neulinger for getting aklog working with a Win2K KDC.

2. The only changes to /etc/krb5.conf (as shipped with the Debianized
   MIT Kerberos V 1.2.2) have been to add my two realms, i.e. in
   the [realms] section:
	IRTNOG.ORG = {
		kdc = eco-afs1.cinci.irtnog.org:88
		kdc = eco-dc1.cinci.irtnog.org:88
		domain = irtnog.org
	}
	CINCI.IRTNOG.ORG = {
		kdc = eco-dc2.cinci.irtnog.org:88
		domain = cinci.irtnog.org
	}
   and in the [domain_realms] section:
	.irtnog.org = IRTNOG.ORG
	irtnog.org = IRTNOG.ORG
	.cinci.irtnog.org = CINCI.IRTNOG.ORG
	cinci.irtnog.org = CINCI.IRTNOG.ORG

3. Note that eco-afs1 is not running a kdc, only "krb524d -k".

4. Note also that I will try again tonight with a proper UDP proxy
   and with new AFS service keys.

-----Original Message-----
From: Economou, Matthew [EESUS] 
Sent: Thursday, April 19, 2001 11:54 AM
To: @Openafs-Info (E-mail)
Subject: [Q] aklog with a Windows 2000 KDC?


The KDC for my "real" IRTNOG.ORG is a Windows 2000 domain controller
and I have hacked things up so that aklog contacts krb524d on the AFS
volume server (basically, by listing the volume server as a KDC; I
couldn't get either FPipe or netcat to proxy 4444/UDP).

As the following (partial) transcript shows, I can create a new cell,
get a TGT and an afs (v5) ticket from the domain controller, and
successfully convert the v5 afs to a token.  Of course, between
experimental runs, I'm removing all OpenAFS packages and deleting
/etc/openafs, /var/cache/openafs, /var/lib/openafs, and
/var/log/openafs.

But even though I have a token, it doesn't seem to be valid.  I get
the errors "tokens for user... are discarded" and "ticket contained
unknown key version number".

The partial transcript is as follows.  As always, any help would be
appreciated.

(afs.keytab contains KVNO 1, afs@IRTNOG.ORG; I've tried this with a
principal KVNO 1, afs/irtnog.org@IRTNOG.ORG, with similar non-results)

# asetkey add 1 afs.keytab afs@IRTNOG.ORG

# afs-newcell
.
.
.
bos adduser eco-afs1 sacmxe -localauth
pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545
Ubik Version is: 2.0
Error while creating system:administrators: Entry for id already exists
pt_util: Ubik Version number changed during execution
Old Version = 2.0, new version = 33554432.0
.
.
.
# kinit sacmxe
Password for sacmxe@IRTNOG.ORG:


# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sacmxe@IRTNOG.ORG

Valid starting     Expires            Service principal
04/18/01 23:02:34  04/19/01 08:59:32  krbtgt/IRTNOG.ORG@IRTNOG.ORG


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


# aklog -d -c irtnog.org -k IRTNOG.ORG
Authenticating to cell irtnog.org (server eco-afs1.cinci.irtnog.org).
We were told to authenticate to realm IRTNOG.ORG.
Getting tickets: afs/irtnog.org@IRTNOG.ORG
About to resolve name sacmxe to id in cell irtnog.org.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 /  @ IRTNOG.ORG 


# tokens
Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@irtnog.org [Expires Apr 19 08:59]
   --End of list--

# ls /afs
afs: Tokens for user of AFS id 1 for cell irtnog.org are discarded (rxkad
error=19270408)
ls: /afs: Permission denied

# bos listkeys eco-afs1
bos: ticket contained unknown key version number error encountered while
listing keys

# bos listkeys eco-afs1 -localauth
key 1 has cksum 4175624820
Keys last changed on Wed Apr 18 22:57:19 2001.
All done.

-- 
Matthew X. Economou - EESUS Webmaster - 513-337-8486
"Life's not fair, but the root password helps."
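The transcript above reports the same failure twice: once as text from bos ("ticket contained unknown key version number") and once as the bare number "rxkad error=19270408" from the cache manager. Both are com_err codes, so decoding the number is a quick check that the two symptoms are one problem. The decoder below is an added example and is not code from the post or from OpenAFS; the message map is constructed here and covers only the entry the post quotes (the table-name packing follows com_err: up to four characters, six bits each, above an eight-bit offset).

```python
"""Decode com_err-style error codes such as the rxkad error in the transcript.

Added example, not from the mailing-list post. OpenAFS and MIT Kerberos
report numeric errors built by com_err: the high bits hold an up-to-four
character table name packed six bits per character, the low eight bits hold
the index within that table. The message map is a constructed subset that
lists only the rxkad entry the post itself shows (RXK table, offset 8).
"""

# Character alphabet used by com_err's compile_et; a character's code is
# its 1-based position in this string, so A=1 ... Z=26, a=27 ... z=52, 0=53, _=63.
CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def encode_table_name(name: str) -> int:
    """Return the error-table base for NAME, i.e. the code of its entry 0."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters")
    base = 0
    for ch in name:
        base = (base << 6) | (CHAR_SET.index(ch) + 1)
    return base << 8


def decode_code(code: int) -> tuple[str, int]:
    """Split CODE into (table name, offset within the table)."""
    offset = code & 0xFF
    packed = code >> 8
    name = ""
    for i in range(3, -1, -1):          # four six-bit slots, highest first
        ch = (packed >> (6 * i)) & 0x3F
        if ch:                          # empty slots decode as zero; skip them
            name += CHAR_SET[ch - 1]
    return name, offset


# Constructed subset of the rxkad ("RXK") table: only the entry whose text
# appears verbatim in the post is listed here.
MESSAGES = {
    ("RXK", 8): ("RXKADUNKNOWNKEY", "ticket contained unknown key version number"),
}


def explain(code: int) -> str:
    """Human-readable rendering of a com_err code, for codes seen in AFS logs."""
    table, offset = decode_code(code)
    sym, text = MESSAGES.get((table, offset), ("?", "no message known for this entry"))
    return f"{code}: table {table} offset {offset} ({sym}): {text}"


if __name__ == "__main__":
    print(explain(19270408))
```

Offset 8 of the RXK table is the error bos printed, so the cache manager's discarded tokens and the failed bos listkeys share one cause: the file server has no key matching the version number in the ticket.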
