[OpenAFS] Setup Kerberos V5 Problem
Sven Oehme
oehmes@de.ibm.com
Fri, 13 Sep 2002 20:06:14 +0200
Hi,
here is my krb5.conf:
---------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MFG-MAINZ.DE.IBM.COM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MFG-MAINZ.DE.IBM.COM = {
  kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
  admin_server = mfgmzdc01.mfg-mainz.de.ibm.com:749
  default_domain = mfg-mainz.de.ibm.com
 }

[domain_realm]
 .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
 mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells = mfg-mainz.de.ibm.com
[root@MFGAFS12 root]#
---------------------------------------------------------------------
My domain controller and KDC is mfgmzdc01.mfg-mainz.de.ibm.com.
My AFS server is mfgafs12.mfg-mainz.de.ibm.com.
Sven
Charles Clancy <security@xauth.net>
13.09.2002 19:33
To: Sven Oehme/Germany/IBM@IBMDE
cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Setup Kerberos V5 Problem
What does your /etc/krb5.conf file look like?
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
On Thu, 12 Sep 2002, Sven Oehme wrote:
> Hi,
>
> I tried to set up an AFS cell which authenticates to a Windows 2000
> Active Directory domain controller (Kerberos V5).
>
> I set up a Red Hat 7.2 client; Kerberos login is working.
>
> So I added a user to the Linux passwd with a junk password but can log in
> with my W2K password, so generally Kerberos is working.
>
> klist lists my Kerberos ticket in the W2K domain:
>
> ssh -l de102146 mfgafs12
>
> login as: de102146
> Sent username "de102146"
> de102146@mfgafs12's password:
> Last login: Thu Sep 12 13:23:01 2002 from oehmestp.mfg-mainz.de.ibm.com
> [de102146@MFGAFS12 de102146]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500_VgI6ue
> Default principal: de102146@MFG-MAINZ.DE.IBM.COM
>
> Valid starting Expires Service principal
> 09/12/02 13:49:21 09/12/02 23:49:21
> krbtgt/MFG-MAINZ.DE.IBM.COM@MFG-MAINZ.DE.IBM.COM
> renew until 09/12/02 23:49:21
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> [de102146@MFGAFS12 de102146]$
>
>
> I created an account afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com on the
> W2K server with the command:
>
> ktpass.exe -princ afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com -mapuser
> afs -pass testmich -out afs.key
>
> It was successful and I copied the key to the AFS server.
>
> Here I tried to import the key into the krb5.conf with the ktutil command.
> This was also successful. Output of klist:
>
> [root@MFGAFS12 root]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
> 1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
> 2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
> [root@MFGAFS12 root]#
>
> Now I tried to use asetkey to add the key to AFS using the command:
>
> ./asetkey add 2 /etc/krb5.keytab afs/mfg-mainz.de.ibm.com
>
> It was unsuccessful; the key version number was not correct.
>
> I recreated the afs account in the mfg-mainz.de.ibm.com realm with kvno 2.
>
> Now I was able to import the key using asetkey:
>
> [root@MFGAFS12 i386_linux2]# ./asetkey list
> kvno 0: key is: 8c6785bxxxxxxxxxxxx
> kvno 1: key is: 8c6785bxxxxxxxxxxxx
> kvno 2: key is: fbef3b85a40xxxxxx
> All done.
>
> Now I logged in again and tried kinit and then aklog -d, and it generates the
> following error:
>
> [de102146@MFGAFS12 de102146]$ aklog -d
> Authenticating to cell mfg-mainz.de.ibm.com (server
> MFGAFS12.mfg-mainz.de.ibm.com).
> We've deduced that we need to authenticate to realm MFG-MAINZ.DE.IBM.COM.
> Getting tickets: afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM
> Kerberos error code returned by get_cred: -1765328228
> aklog: Couldn't get mfg-mainz.de.ibm.com AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets
> [de102146@MFGAFS12 de102146]$
>
> Does anybody have an idea what the problem could be?
> How can I debug this stuff?
>
> Sven
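The realm deduction and KDC lookup that aklog reports above, as an added example that is not part of this thread or of OpenAFS: it parses a krb5.conf (the poster's [realms] and [domain_realm] sections, embedded as constructed input), maps a host or cell name to a realm, and lists the KDCs configured for that realm, which is what libkrb5 has to work with when dns_lookup_kdc is false. The brace handling and the upper-case fallback are assumptions about how libkrb5 and aklog behave, not code from either.

```python
# Added example, not OpenAFS or MIT code: parse krb5.conf (one brace level, as
# [realms] uses), map a host/cell name to a realm via [domain_realm], list KDCs.
KRB5_CONF = """
[realms]
 MFG-MAINZ.DE.IBM.COM = {
  kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
 }
[domain_realm]
 .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
 mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
"""  # constructed input: the poster's config, trimmed to the sections aklog needs

def parse_krb5_conf(text):
    """{section: {key: value}}; a 'NAME = { ... }' block becomes {NAME: {key: [values]}}."""
    conf, section, block = {}, None, None
    for line in filter(None, (r.split('#', 1)[0].strip() for r in text.splitlines())):
        if line.startswith('['):                     # [section]
            section, block = line.strip('[]'), None
            conf.setdefault(section, {})
        elif line.endswith('{'):                     # REALM = {
            block = line.rstrip('{= ').strip()
            conf[section][block] = {}
        elif line == '}':
            block = None
        else:
            key, _, val = (s.strip() for s in line.partition('='))
            if block is None:
                conf[section][key] = val
            else:                                    # 'kdc' may repeat: keep a list
                conf[section][block].setdefault(key, []).append(val)
    return conf

def realm_for_host(conf, host):
    """[domain_realm] lookup: the exact name, then each '.suffix' longest first."""
    mapping, labels = conf.get('domain_realm', {}), host.lower().split('.')
    for i in range(len(labels)):
        cand = ('.' if i else '') + '.'.join(labels[i:])
        if cand in mapping:
            return mapping[cand]
    return host.upper()          # aklog's fallback: the upper-cased cell/host name

def kdcs_for_realm(conf, realm):
    """[(host, port)] from the realm's kdc lines; the Kerberos default port is 88.
    An empty result with dns_lookup_kdc = false leaves libkrb5 no KDC to contact."""
    out = []
    for entry in conf.get('realms', {}).get(realm, {}).get('kdc', []):
        host, _, port = entry.partition(':')
        out.append((host, int(port or 88)))
    return out
```

Running it against the real /etc/krb5.conf and the cell name aklog prints shows whether the file itself can yield a KDC for that realm, before looking at the network path to port 88.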