[OpenAFS] RE: [Q] aklog with a Windows 2000 KDC?

Neulinger, Nathan nneul@umr.edu
Thu, 19 Apr 2001 11:22:43 -0500


Sounds to me like you still have the keys mismatched. 
 
The win2k kdc always returns kvno 1. If you set the password, make the
keytab from the kdc, then update the keytab and KeyFile with that key on the
afs servers, restart all afs servers, and restart krb524d, it should work. 
 
Now, we're running with a krb524d that has been patched to allow keeping the
krb5 key and the afs key separate (so we didn't have to update keyfile in
our case).
 
Btw, if you check back on krbdev mailing list, I submitted a patch that
allows specifying a krb524d_server in the krb5 config or in the SRV record
in dns. If you want the krb524 patch for that and keyfile stuff, let me know
and I'll send it.
 
-- Nathan
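An added check, not from this thread or from OpenAFS, for the keytab/KeyFile mismatch described above: it reads the afs entry out of a keytab exported from the KDC and compares its kvno and key bytes against the AFS server KeyFile, which is what the "unknown key version number" error comes down to. Assumptions: MIT keytab format version 2 (big-endian), the classic KeyFile layout of an int32 count followed by (int32 kvno, 8-byte DES key) records in network byte order, and a sample keytab and KeyFile constructed inline with a dummy key.

```python
import struct

def _cstr(data, off):  # one uint16 length-prefixed string from a keytab
    n, = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] for each entry of a v2 MIT keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 is handled"
    off, entries = 2, []
    while off + 4 <= len(data):
        size, = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # a negative size marks a deleted (free) slot
            off -= size
            continue
        end, ncomp = off + size, struct.unpack_from(">H", data, off)[0]
        names, off = [], off + 2      # realm first, then the principal's components
        for _ in range(ncomp + 1):
            s, off = _cstr(data, off)
            names.append(s)
        _, _, kvno, etype, klen = struct.unpack_from(">IIBHH", data, off)  # type, stamp, kvno8, etype, klen
        if end - off - 13 - klen >= 4:    # trailing 32-bit kvno overrides kvno8 when non-zero
            kvno = struct.unpack_from(">I", data, off + 13 + klen)[0] or kvno
        entries.append(("/".join(names[1:]) + "@" + names[0], kvno, etype, data[off + 13:off + 13 + klen]))
        off = end
    return entries

def parse_keyfile(data):  # assumed KeyFile layout: int32 nkeys, then (int32 kvno, 8-byte DES key) records
    return {struct.unpack_from(">i", data, 4 + 12 * i)[0]: data[8 + 12 * i:16 + 12 * i]
            for i in range(struct.unpack_from(">i", data, 0)[0])}

def check_afs_key(keytab, keyfile, principal):
    """Explain why a ticket for `principal` would be rejected against this KeyFile."""
    problems = []
    for name, kvno, etype, key in keytab:
        if name != principal:
            continue
        if etype not in (1, 3):       # KeyFile holds raw DES keys: des-cbc-crc (1) or des-cbc-md5 (3)
            problems.append(f"kvno {kvno}: enctype {etype} is not a DES type")
        elif kvno not in keyfile:
            problems.append(f"kvno {kvno}: no key with this kvno in KeyFile")
        elif keyfile[kvno] != key:
            problems.append(f"kvno {kvno}: KeyFile key differs from the keytab key")
    return problems

KEY = bytes(range(8))                 # constructed dummy key, not a real credential
KEYTAB = (b"\x05\x02" + struct.pack(">i", 44) + b"\x00\x01\x00\x0aIRTNOG.ORG\x00\x03afs"
          + struct.pack(">IIBHH", 1, 987724800, 1, 1, 8) + KEY + struct.pack(">I", 1))
KEYFILE = struct.pack(">ii", 1, 1) + KEY   # constructed: kvno 1 holds the same key as the keytab
```

Run `check_afs_key(parse_keytab(open("afs.keytab","rb").read()), parse_keyfile(open("KeyFile","rb").read()), "afs@IRTNOG.ORG")` on real files; an empty list means the kvno and key the KDC will put in tickets are the ones the fileservers can decrypt with.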

-----Original Message-----
From: Economou, Matthew [EESUS] [mailto:MEconom@EESUS.JNJ.com]
Sent: Thursday, April 19, 2001 11:01 AM
To: @Openafs-Info (E-mail)
Subject: [OpenAFS] RE: [Q] aklog with a Windows 2000 KDC?



FYI: 

1. I'm following instructions recently posted to comp.protocols.kerberos 
   by Nathan Neulinger for getting aklog working with a Win2K KDC. 

2. The only changes to /etc/krb5.conf (as shipped with the Debianized 
   MIT Kerberos V 1.2.2) have been to add my two realms, i.e. in 
   the [realms] section: 
        IRTNOG.ORG = { 
                kdc = eco-afs1.cinci.irtnog.org:88 
                kdc = eco-dc1.cinci.irtnog.org:88 
                domain = irtnog.org 
        } 
        CINCI.IRTNOG.ORG = { 
                kdc = eco-dc2.cinci.irtnog.org:88 
                domain = cinci.irtnog.org 
        } 
   and in the [domain_realms] section: 
        .irtnog.org = IRTNOG.ORG 
        irtnog.org = IRTNOG.ORG 
        .cinci.irtnog.org = CINCI.IRTNOG.ORG 
        cinci.irtnog.org = CINCI.IRTNOG.ORG 

3. Note that eco-afs1 is not running a kdc, only "krb524d -k". 

4. Note also that I will try again tonight with a proper UDP proxy 
   and with new AFS service keys. 

-----Original Message----- 
From: Economou, Matthew [EESUS] 
Sent: Thursday, April 19, 2001 11:54 AM 
To: @Openafs-Info (E-mail) 
Subject: [Q] aklog with a Windows 2000 KDC? 


The KDC for my "real" IRTNOG.ORG is a Windows 2000 domain controller 
and I have hacked things up so that aklog contacts krb524d on the AFS 
volume server (basically, by listing the volume server as a KDC; I 
couldn't get either FPipe or netcat to proxy 4444/UDP). 

As the following (partial) transcript shows, I can create a new cell, 
get a TGT and an afs (v5) ticket from the domain controller, and 
successfully convert the v5 afs to a token.  Of course, between 
experimental runs, I'm removing all OpenAFS packages and deleting 
/etc/openafs, /var/cache/openafs, /var/lib/openafs, and 
/var/log/openafs. 

But even though I have a token, it doesn't seem to be valid.  I get 
the errors "tokens for user... are discarded" and "ticket contained 
unknown key version number". 

The partial transcript is as follows.  As always, any help would be 
appreciated. 

(afs.keytab contains KVNO 1, afs@IRTNOG.ORG; I've tried this with a 
principal KVNO 1, afs/irtnog.org@IRTNOG.ORG, with similar non-results) 

# asetkey add 1 afs.keytab afs@IRTNOG.ORG 

# afs-newcell 
. 
. 
. 
bos adduser eco-afs1 sacmxe -localauth 
pt_util: /var/lib/openafs/db/prdb.DB0: Bad UBIK_MAGIC. Is 0 should be 354545

Ubik Version is: 2.0 
Error while creating system:administrators: Entry for id already exists 
pt_util: Ubik Version number changed during execution 
Old Version = 2.0, new version = 33554432.0 
. 
. 
. 
# kinit sacmxe 
Password for sacmxe@IRTNOG.ORG: 


# klist 
Ticket cache: FILE:/tmp/krb5cc_0 
Default principal: sacmxe@IRTNOG.ORG 

Valid starting     Expires            Service principal 
04/18/01 23:02:34  04/19/01 08:59:32  krbtgt/IRTNOG.ORG@IRTNOG.ORG 


Kerberos 4 ticket cache: /tmp/tkt0 
klist: You have no tickets cached 


# aklog -d -c irtnog.org -k IRTNOG.ORG 
Authenticating to cell irtnog.org (server eco-afs1.cinci.irtnog.org). 
We were told to authenticate to realm IRTNOG.ORG. 
Getting tickets: afs/irtnog.org@IRTNOG.ORG 
About to resolve name sacmxe to id in cell irtnog.org. 
Id 1 
Set username to AFS ID 1 
Setting tokens. AFS ID 1 /  @ IRTNOG.ORG 


# tokens 
Tokens held by the Cache Manager: 

User's (AFS ID 1) tokens for afs@irtnog.org [Expires Apr 19 08:59] 
   --End of list-- 

# ls /afs 
afs: Tokens for user of AFS id 1 for cell irtnog.org are discarded (rxkad
error=19270408) 
ls: /afs: Permission denied 

# bos listkeys eco-afs1 
bos: ticket contained unknown key version number error encountered while
listing keys 

# bos listkeys eco-afs1 -localauth 
key 1 has cksum 4175624820 
Keys last changed on Wed Apr 18 22:57:19 2001. 
All done. 

-- 
Matthew X. Economou - EESUS Webmaster - 513-337-8486 
"Life's not fair, but the root password helps."