[OpenAFS] Setup Kerberos V5 Problem

Sven Oehme oehmes@de.ibm.com
Thu, 12 Sep 2002 17:03:00 +0200


Hi,

I tried to set up an AFS cell which is authenticating to a Windows 2000
Active Directory domain controller (Kerberos V5).

I set up a Red Hat 7.2 client; Kerberos login is working.

So I added a user to the Linux passwd with a junk password but can log in
with my W2K password, so generally Kerberos is working.

klist lists my Kerberos ticket in the W2K domain:

ssh -l de102146 mfgafs12

login as: de102146
Sent username "de102146"
de102146@mfgafs12's password:
Last login: Thu Sep 12 13:23:01 2002 from oehmestp.mfg-mainz.de.ibm.com
[de102146@MFGAFS12 de102146]$ klist
Ticket cache: FILE:/tmp/krb5cc_500_VgI6ue
Default principal: de102146@MFG-MAINZ.DE.IBM.COM

Valid starting     Expires            Service principal
09/12/02 13:49:21  09/12/02 23:49:21  krbtgt/MFG-MAINZ.DE.IBM.COM@MFG-MAINZ.DE.IBM.COM
        renew until 09/12/02 23:49:21


Kerberos 4 ticket cache: /tmp/tkt500
klist: You have no tickets cached
[de102146@MFGAFS12 de102146]$


I created an account afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com on the
W2K server with the command:

ktpass.exe -princ afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com -mapuser afs -pass testmich -out afs.key

It was successful and I copied the key to the AFS server.

Here I tried to import the key to the krb5.conf with the ktutil command.
This was also successful. Output of klist:

[root@MFGAFS12 root]# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
   2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
[root@MFGAFS12 root]#

Now I tried to use asetkey to add the key to AFS using the command:

./asetkey add 2 /etc/krb5.keytab afs/mfg-mainz.de.ibm.com

It was unsuccessful; the key version number was not correct.

I recreated the afs account in the mfg-mainz.de.ibm.com realm with kvno 2.

Now I was able to import the key using asetkey:

[root@MFGAFS12 i386_linux2]# ./asetkey list
kvno    0: key is: 8c6785bxxxxxxxxxxxx
kvno    1: key is: 8c6785bxxxxxxxxxxxx
kvno    2: key is: fbef3b85a40xxxxxx
All done.

Now I logged in again and tried kinit, then aklog -d, and it generates the
following error:

[de102146@MFGAFS12 de102146]$ aklog -d
Authenticating to cell mfg-mainz.de.ibm.com (server MFGAFS12.mfg-mainz.de.ibm.com).
We've deduced that we need to authenticate to realm MFG-MAINZ.DE.IBM.COM.
Getting tickets: afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get mfg-mainz.de.ibm.com AFS tickets:
aklog: Cannot contact any KDC for requested realm while getting AFS tickets
[de102146@MFGAFS12 de102146]$

Has anybody an idea what the problem could be?
How can I debug this stuff?

Sven
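Added example (not from Sven's message or from OpenAFS): a Python script that decodes the com_err code aklog printed into its error table and index, and checks that the afs/<cell> principal in the keytab (as listed by klist -ke) carries a kvno that asetkey list also reports. The sample outputs are constructed from the ones quoted above, and the parsing assumes the classic klist -ke and asetkey list line layouts shown there.

```python
import re

# com_err packs a 4-character table name into the top 24 bits of a 32-bit
# code and the error's index within that table into the low 8 bits.
_COMERR_CHARS = " ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

def decode_comerr(code):
    """Return (table_name, offset) for a signed 32-bit com_err code."""
    u = code & 0xFFFFFFFF  # reinterpret the signed value as unsigned
    table, offset = u >> 8, u & 0xFF
    name = "".join(_COMERR_CHARS[(table >> s) & 0x3F] for s in (18, 12, 6, 0))
    return name.strip(), offset

# One keytab entry line of `klist -ke`: "<kvno> <principal> (<enctype>)"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.*)\)\s*$")
# One key line of `asetkey list`: "kvno    2: key is: ..."
ASETKEY_RE = re.compile(r"^kvno\s+(\d+):")

def keytab_entries(klist_ke_output):
    """Map principal -> [(kvno, enctype), ...] parsed from `klist -ke` output."""
    entries = {}
    for m in filter(None, map(KEYTAB_RE.match, klist_ke_output.splitlines())):
        entries.setdefault(m.group(2), []).append((int(m.group(1)), m.group(3)))
    return entries

def asetkey_kvnos(asetkey_list_output):
    """Set of kvnos that `asetkey list` reports in the AFS KeyFile."""
    return {int(m.group(1)) for m in map(ASETKEY_RE.match, asetkey_list_output.splitlines()) if m}

def check_afs_key(klist_ke_output, asetkey_list_output, cell, realm):
    """List mismatches between keytab and KeyFile for afs/<cell>@<REALM>."""
    principal = "afs/%s@%s" % (cell, realm)
    entries = keytab_entries(klist_ke_output)
    if principal not in entries:
        return ["%s is not in the keytab" % principal]
    loaded = asetkey_kvnos(asetkey_list_output)
    return ["kvno %d of %s is in the keytab but not in the AFS KeyFile" % (kvno, principal)
            for kvno, _enctype in entries[principal] if kvno not in loaded]

# Constructed sample input, modelled on the outputs quoted in the post.
SAMPLE_KLIST_KE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------
   1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
   2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
"""
SAMPLE_ASETKEY = "kvno    0: key is: 8c6785bxxx\nkvno    1: key is: 8c6785bxxx\nkvno    2: key is: fbef3b85xxx\nAll done.\n"

if __name__ == "__main__":
    print(decode_comerr(-1765328228), check_afs_key(SAMPLE_KLIST_KE, SAMPLE_ASETKEY, "mfg-mainz.de.ibm.com", "MFG-MAINZ.DE.IBM.COM"))
```

With the post's own values the decoder reports the code as index 156 in the krb5 error table (the one error_message() turned into "Cannot contact any KDC for requested realm") and the keytab/KeyFile check comes back clean, which separates the kvno question from the realm-resolution question.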