[OpenAFS] Setup Kerberos V5 Problem

Charles Clancy security@xauth.net
Fri, 13 Sep 2002 12:33:17 -0500 (CDT)


What does your /etc/krb5.conf file look like?

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]

On Thu, 12 Sep 2002, Sven Oehme wrote:

> Hi,
>
> I tried to set up an AFS cell which is authenticating to a Windows 2000
> Active Directory domain controller (Kerberos V5).
>
> I set up a Red Hat 7.2 client; Kerberos login is working.
>
> So I added a user to the Linux passwd with a junk password but can log in
> with my W2K password,
> so generally Kerberos is working.
>
> A klist lists my Kerberos ticket in the W2K domain:
>
> ssh -l de102146 mfgafs12
>
> login as: de102146
> Sent username "de102146"
> de102146@mfgafs12's password:
> Last login: Thu Sep 12 13:23:01 2002 from oehmestp.mfg-mainz.de.ibm.com
> [de102146@MFGAFS12 de102146]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500_VgI6ue
> Default principal: de102146@MFG-MAINZ.DE.IBM.COM
>
> Valid starting     Expires            Service principal
> 09/12/02 13:49:21  09/12/02 23:49:21
> krbtgt/MFG-MAINZ.DE.IBM.COM@MFG-MAINZ.DE.IBM.COM
>         renew until 09/12/02 23:49:21
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> [de102146@MFGAFS12 de102146]$
>
>
> I created an account afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com on the
> W2K server with the command:
>
> ktpass.exe -princ afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com -mapuser
> afs -pass testmich -out afs.key
>
> It was successful and I copied the key to the AFS server.
>
> Here I tried to import the key to the krb5.conf with the ktutil command.
> This was also successful. Output of klist:
>
> [root@MFGAFS12 root]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ----
> --------------------------------------------------------------------------
>    1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode
> with CRC-32)
>    2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with
> CRC-32)
> [root@MFGAFS12 root]#
>
> Now I tried to use asetkey to add the key to AFS using the command:
>
> ./asetkey add 2 /etc/krb5.keytab afs/mfg-mainz.de.ibm.com
>
> It was unsuccessful; the version key number was not correct.
>
> I recreated the afs account in the mfg-mainz.de.ibm.com realm with kvno 2.
>
> Now I was able to import the key using asetkey:
>
> [root@MFGAFS12 i386_linux2]# ./asetkey list
> kvno    0: key is: 8c6785bxxxxxxxxxxxx
> kvno    1: key is: 8c6785bxxxxxxxxxxxx
> kvno    2: key is: fbef3b85a40xxxxxx
> All done.
>
> Now I logged in again and tried kinit, then aklog -d, and it generates the
> following error:
>
> [de102146@MFGAFS12 de102146]$ aklog -d
> Authenticating to cell mfg-mainz.de.ibm.com (server
> MFGAFS12.mfg-mainz.de.ibm.com).
> We've deduced that we need to authenticate to realm MFG-MAINZ.DE.IBM.COM.
> Getting tickets: afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM
> Kerberos error code returned by get_cred: -1765328228
> aklog: Couldn't get mfg-mainz.de.ibm.com AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets
> [de102146@MFGAFS12 de102146]$
>
> Has anybody an idea what the problem could be?
> How can I debug this stuff?
>
> Sven
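An added example, not part of this thread: a small parser for the krb5.conf file Charles asks about, with a check for the configuration gap behind aklog's "Cannot contact any KDC for requested realm" (no kdc listed for the realm under [realms] and DNS KDC lookup disabled), plus a check that the cell's domain is mapped onto the realm in [domain_realm]. The sample configuration is constructed from the realm and domain names in Sven's mail; the KDC hostname is a placeholder because the W2K domain controller's name does not appear in the thread.

```python
# Constructed krb5.conf for the setup in the thread. The KDC hostname is a
# placeholder: the W2K domain controller's name is not given on the list.
SAMPLE_KRB5_CONF = """[libdefaults]
    default_realm = MFG-MAINZ.DE.IBM.COM
    dns_lookup_kdc = false
[realms]
    MFG-MAINZ.DE.IBM.COM = {
        kdc = W2K-DC-HOSTNAME-PLACEHOLDER:88
    }
[domain_realm]
    .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
    mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
"""

def parse_krb5_conf(text):
    """krb5.conf -> {section: {key: value}}; 'NAME = { ... }' blocks become dicts of lists."""
    conf, section, subkey = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, subkey = line[1:-1], None
            conf.setdefault(section, {})
        elif line == "}":                         # end of a nested realm block
            subkey = None
        elif section is not None:
            key, _, value = (s.strip() for s in line.partition("="))
            if value == "{":                      # start of a nested block
                subkey, conf[section][key] = key, {}
            elif subkey is not None:              # e.g. several kdc = lines
                conf[section][subkey].setdefault(key, []).append(value)
            else:
                conf[section][key] = value
    return conf

def diagnose_realm(conf, realm, cell):
    """Findings that leave a client unable to find a KDC for `realm` (aklog's
    'Cannot contact any KDC for requested realm') or leave `cell` unmapped."""
    findings = []
    realm_cfg = conf.get("realms", {}).get(realm)
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "false").lower()
    if realm_cfg is None and dns not in ("true", "yes", "1"):
        findings.append("no [realms] entry for %s and dns_lookup_kdc is off" % realm)
    elif realm_cfg is not None and not realm_cfg.get("kdc"):
        findings.append("[realms] entry for %s lists no kdc" % realm)
    if conf.get("domain_realm", {}).get(cell) != realm:
        findings.append("[domain_realm] does not map %s to %s" % (cell, realm))
    return findings
```

Run `diagnose_realm(parse_krb5_conf(open("/etc/krb5.conf").read()), "MFG-MAINZ.DE.IBM.COM", "mfg-mainz.de.ibm.com")` on the client; an empty list means the file names a KDC for the realm and maps the cell domain, so the search moves on to reachability of that KDC on port 88.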