[OpenAFS] gssklog

David Hajek hajek@systinet.com
Wed, 15 May 2002 10:33:15 +0200


Doug,

<inlined>

> As I said in a separate message, this looks like the AD is generating
> a K5 ticket using an encryption type which the server cannot handle.
> This could be a missing:
> 
> krb5.conf:
>  [libdefaults]
>  default_tkt_enctypes = des-cbc-md5
>  default_tgs_enctypes = des-cbc-md5

It's already there. I'll test cbc-crc, because you said it works
for you.

> 
> (Or des-cbc-crc)
> 
> Or the way the keytab entry for the gssklogd was generated has a problem.

This will probably be the cause. Here is what I did. I created a new
gssklog user account in AD. Then I used the magic ktpass syntax:

ktpass -princ gssklog/hostname@REALM -crypto DES-CBC-MD5 -mapuser gssklog -pass * -out gssklog.keytab

Then I moved gssklog.keytab to the AFS server and passed it as the -k argument
to the gssklogd server.

> 
> Do a klist -e 
> on the client to see what the tickets look like.

[root@kerberos gssklog-0.2]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hajek@REALM

Valid starting     Expires            Service principal
05/14/02 16:04:38  05/15/02 02:04:38  krbtgt/REALM@REALM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
05/14/02 19:10:05  05/15/02 02:04:38  gssklog/HOSTNAME@REALM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5


Thanks,

David


> David Hajek wrote:
> > 
> > Hello,
> > 
> > I'm trying to set up AFS, where authentication is done with W2k AD
> > using gssklog. I'm able to receive Kerberos tokens from AD on
> > both Linux and Windows. But I'm still unable to get AFS tokens.
> > I'm using gssklog for this.
> > AFS is running on Red Hat Linux 7.2. I am still unable to get
> > AFS tokens.
> > 
> > ./gssklogd -d -k /etc/gssklog.keytab -p 750
> > len=42, name=gssklog/kerberos.foo.com@FOO.COM
> > N handle_connections: got connection, s = 5
> > N run_acceptor: initiated on 5
> > N receive_message(): Received message: [1120]
> > N run_acceptor: calling gss_accept_sec_context
> > N run_acceptor: sending output token: [121]
> > N send_message(): Sending   data: [121]
> > N send_message(): Message sent [121].
> > GSS-error accepting credentials: major_status:000d0000 minor_status:96c73abc
> > Miscellaneous failure
> > Bad encryption type
> > Tue May 14 14:16:36 - kerberos.foo.com[10.0.0.171] FAILED for above reasons
> > N handle_connections: Listening for next.
> > 
> > ./gssklog
> > found cell=foo.com
> > after gssklog_acquire_credN connect_to_server_sockaddr attempting connection to 10.0.0.171.
> > N connect_to_server_sockaddr connected socket
> > N gssklog_doit(): Connected to acceptor
> > N gssklog_doit(): calling gss_init_sec_context
> > N gssklog_doit(): Returned from init_sec_ctx w/token [1120]
> > N send_message(): Sending   data: [1120]
> > N send_message(): Message sent [1120].
> > N gssklog_doit(): Sent output token [1120], waiting for new token
> > N receive_message(): Received message: [121]
> > N gssklog_doit(): Received token: [121]
> > N gssklog_doit(): calling gss_init_sec_context
> > N gssklog_doit(): Returned from init_sec_ctx w/token [0]
> > GSS-error init_sec_context failed: major_status:000d0000 minor_status:96c73a3c
> > Miscellaneous failure
> > unknown RPC error (-1765328324)
> > Failed
> > 
> > Have you got any idea what's wrong?
> > 
> > -David
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> -- 
> 
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439 
>  (630) 252-5444
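Doug's diagnosis, that the ticket AD issued is encrypted with an enctype for which gssklogd's keytab holds no key, can be checked mechanically before poking at gssklogd itself: run klist -e on the client and klist -k -e against the keytab on the server, and compare the ticket enctype with the keytab entries for the same service principal. The following is an added example written for this page; it is not code from the thread, from gssklog, or from MIT Kerberos. It parses the text that MIT klist prints in both the old descriptive form ("DES cbc mode with RSA-MD5") and the newer short form ("des-cbc-md5"). The alias table is assumed from memory of MIT krb5 and is not exhaustive; the klist listings embedded at the bottom are constructed to mirror the thread, not captured from the poster's machines.

```python
"""Check that a cached Kerberos service ticket's enctype is one the service's
keytab has a key for, by parsing MIT Kerberos klist text output.
Added example, not code from the post or from gssklog; the sample listings
below are constructed to mirror the thread, not captured from real systems."""
import re

# Older MIT klist prints descriptive enctype names ("DES cbc mode with
# RSA-MD5"), newer releases short names ("des-cbc-md5"); normalise both.
# Assumed table from memory of MIT krb5; unknown names pass through lower-cased.
ENCTYPE_ALIASES = {
    "des cbc mode with crc-32": "des-cbc-crc",
    "des cbc mode with rsa-md5": "des-cbc-md5",
    "triple des cbc mode with hmac/sha1": "des3-cbc-sha1",
    "arcfour with hmac/md5": "arcfour-hmac",
    "aes-128 cts mode with 96-bit sha-1 hmac": "aes128-cts-hmac-sha1-96",
    "aes-256 cts mode with 96-bit sha-1 hmac": "aes256-cts-hmac-sha1-96",
}
# klist -e:  "05/14/02 19:10:05  05/15/02 02:04:38  gssklog/HOST@REALM"
#            "        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc ..."
CCACHE_ENTRY = re.compile(r"^\s*\S+ \S+\s+\S+ \S+\s+(?P<princ>\S+@\S+)\s*$")
ETYPE_LINE = re.compile(r"^\s*Etype \(skey, tkt\):\s*(?P<skey>[^,]+),\s*(?P<tkt>.+?)\s*$")
# klist -k -e [-t]:  "   1 [05/14/02 16:04:38 ]gssklog/HOST@REALM (des-cbc-md5)"
KEYTAB_ENTRY = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?:\S+ \S+\s+)?(?P<princ>\S+@\S+)\s+\((?P<etype>[^)]+)\)\s*$")


def normalize_enctype(name):
    key = " ".join(name.strip().lower().split())
    return ENCTYPE_ALIASES.get(key, key)


def parse_ccache(text):
    """Return {service principal: (session-key enctype, ticket enctype)}."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = CCACHE_ENTRY.match(line)
        if m:
            current = m.group("princ")
            continue
        m = ETYPE_LINE.match(line)
        if m and current:
            tickets[current] = (normalize_enctype(m.group("skey")),
                                normalize_enctype(m.group("tkt")))
            current = None
    return tickets


def parse_keytab(text):
    """Return {principal: {enctype: [kvno, ...]}} from klist -k -e output."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            keys.setdefault(m.group("princ"), {}).setdefault(
                normalize_enctype(m.group("etype")), []).append(int(m.group("kvno")))
    return keys


def check_service_ticket(ccache_text, keytab_text, service):
    """Return (ok, explanation): ok only if the keytab holds a key for exactly
    this principal in the enctype the ticket was encrypted with, which is the
    precondition for the acceptor (here gssklogd) to decrypt the ticket."""
    tickets, keys = parse_ccache(ccache_text), parse_keytab(keytab_text)
    if service not in tickets:
        return False, "no ticket for %s in the credential cache" % service
    skey, tkt = tickets[service]
    if service not in keys:
        # Principal names are case-sensitive; a near miss is a common cause.
        near = [p for p in keys if p.lower() == service.lower()]
        hint = " (keytab has %s, differing only in case)" % near[0] if near else ""
        return False, "no keytab entry for %s%s" % (service, hint)
    if tkt not in keys[service]:
        return False, "ticket enctype %s, but keytab for %s only holds %s" % (
            tkt, service, ", ".join(sorted(keys[service])))
    return True, "ticket enctype %s matches keytab kvno %s (session key %s)" % (
        tkt, keys[service][tkt], skey)


# Constructed sample listings mirroring the thread (not real captures).
CCACHE_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: hajek@FOO.COM

Valid starting     Expires            Service principal
05/14/02 16:04:38  05/15/02 02:04:38  krbtgt/FOO.COM@FOO.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
05/14/02 19:10:05  05/15/02 02:04:38  gssklog/kerberos.foo.com@FOO.COM
        Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
"""
KEYTAB_CRC = """\
Keytab name: FILE:/etc/gssklog.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 gssklog/kerberos.foo.com@FOO.COM (DES cbc mode with CRC-32)
"""
KEYTAB_MD5 = KEYTAB_CRC.replace("DES cbc mode with CRC-32", "des-cbc-md5")
SERVICE = "gssklog/kerberos.foo.com@FOO.COM"

if __name__ == "__main__":
    for label, kt in (("crc keytab", KEYTAB_CRC), ("md5 keytab", KEYTAB_MD5)):
        ok, why = check_service_ticket(CCACHE_SAMPLE, kt, SERVICE)
        print("%s: %s: %s" % (label, "OK" if ok else "MISMATCH", why))
```

In practice, paste the real klist -e output from the client and the klist -k -e output from the server's keytab in place of the constructed samples. A matching enctype is necessary but not sufficient: the key version number (kvno) in the ticket must also match the keytab entry, which this check only reports, and the server's Kerberos library must itself support both the ticket enctype and the session-key enctype it prints.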