[OpenAFS] Setup Kerberos V5 Problem
Matthew N. Andrews
matt@slackers.net
Fri, 13 Sep 2002 18:09:10 -0700
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hmmm, how does the krb5 aklog generate a krb4 service ticket?
Does this require that a krb524d be running somewhere with
the afs service key in a keytab? I seem to remember that this
is necessary.
- -Matthew Andrews
Sven Oehme wrote:
|
| Hi,
|
| here is my krb5.conf :
| ---------------------------------------------------------------------
| [logging]
| default = FILE:/var/log/krb5libs.log
| kdc = FILE:/var/log/krb5kdc.log
| admin_server = FILE:/var/log/kadmind.log
|
| [libdefaults]
| ticket_lifetime = 24000
| default_realm = MFG-MAINZ.DE.IBM.COM
| default_tkt_enctypes = des-cbc-crc
| default_tgs_enctypes = des-cbc-crc
| dns_lookup_realm = false
| dns_lookup_kdc = false
|
| [realms]
| MFG-MAINZ.DE.IBM.COM = {
| kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
| admin_server = mfgmzdc01.mfg-mainz.de.ibm.com:749
| default_domain = mfg-mainz.de.ibm.com
| }
|
| [domain_realm]
| .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
| mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
|
| [kdc]
| profile = /var/kerberos/krb5kdc/kdc.conf
|
| [pam]
| debug = false
| ticket_lifetime = 36000
| renew_lifetime = 36000
| forwardable = true
| krb4_convert = true
| afs_cells = mfg-mainz.de.ibm.com
| [root@MFGAFS12 root]#
| ---------------------------------------------------------------------
|
| My domain controller and KDC is mfgmzdc01.mfg-mainz.de.ibm.com;
| my AFS server is mfgafs12.mfg-mainz.de.ibm.com.
|
| Sven
|
| *Charles Clancy <security@xauth.net>*
|
| 13.09.2002 19:33
|
|
| To: Sven Oehme/Germany/IBM@IBMDE
| cc: openafs-info@openafs.org
| Subject: Re: [OpenAFS] Setup Kerberos V5 Problem
|
| What does your /etc/krb5.conf file look like?
|
| [ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
|
| On Thu, 12 Sep 2002, Sven Oehme wrote:
|
| > Hi,
| >
| > I tried to set up an AFS cell which authenticates to a Windows 2000
| > Active Directory domain controller (Kerberos V5).
| >
| > I set up a Red Hat 7.2 client; Kerberos login is working.
| >
| > So I added a user to the Linux passwd file with a junk password but can
| > log in with my W2K password, so generally Kerberos is working.
| >
| > klist lists my Kerberos ticket in the W2K domain:
| >
| > ssh -l de102146 mfgafs12
| >
| > login as: de102146
| > Sent username "de102146"
| > de102146@mfgafs12's password:
| > Last login: Thu Sep 12 13:23:01 2002 from oehmestp.mfg-mainz.de.ibm.com
| > [de102146@MFGAFS12 de102146]$ klist
| > Ticket cache: FILE:/tmp/krb5cc_500_VgI6ue
| > Default principal: de102146@MFG-MAINZ.DE.IBM.COM
| >
| > Valid starting       Expires              Service principal
| > 09/12/02 13:49:21    09/12/02 23:49:21    krbtgt/MFG-MAINZ.DE.IBM.COM@MFG-MAINZ.DE.IBM.COM
| >         renew until 09/12/02 23:49:21
| >
| >
| > Kerberos 4 ticket cache: /tmp/tkt500
| > klist: You have no tickets cached
| > [de102146@MFGAFS12 de102146]$
| >
| >
| > I created an account afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com on the
| > W2K server with the command:
| >
| > ktpass.exe -princ afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com -mapuser
| > afs -pass testmich -out afs.key
| >
| > It was successful and I copied the key to the AFS server.
| >
| > Here I tried to import the key into the krb5.conf with the ktutil command.
| > This was also successful. Output of klist:
| >
| > [root@MFGAFS12 root]# klist -ke
| > Keytab name: FILE:/etc/krb5.keytab
| > KVNO Principal
| > ---- --------------------------------------------------------------------------
| >    1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
| >    2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
| > [root@MFGAFS12 root]#
| >
| > Now I tried to use asetkey to add the key to AFS using the command:
| >
| > ./asetkey add 2 /etc/krb5.keytab afs/mfg-mainz.de.ibm.com
| >
| > It was unsuccessful; the key version number was not correct.
| >
| > I recreated the afs account in the mfg-mainz.de.ibm.com realm with kvno 2.
| >
| > Now I was able to import the key using asetkey:
| >
| > [root@MFGAFS12 i386_linux2]# ./asetkey list
| > kvno 0: key is: 8c6785bxxxxxxxxxxxx
| > kvno 1: key is: 8c6785bxxxxxxxxxxxx
| > kvno 2: key is: fbef3b85a40xxxxxx
| > All done.
| >
| > now i logged in again and tried kinit then aklog -d and it
| generates the
| > following error :
| >
| > [de102146@MFGAFS12 de102146]$ aklog -d
| > Authenticating to cell mfg-mainz.de.ibm.com (server MFGAFS12.mfg-mainz.de.ibm.com).
| > We've deduced that we need to authenticate to realm MFG-MAINZ.DE.IBM.COM.
| > Getting tickets: afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM
| > Kerberos error code returned by get_cred: -1765328228
| > aklog: Couldn't get mfg-mainz.de.ibm.com AFS tickets:
| > aklog: Cannot contact any KDC for requested realm while getting AFS
| > tickets
| > [de102146@MFGAFS12 de102146]$
| >
| > Has anybody an idea what the problem could be?
| > How can I debug this stuff?
| >
| > Sven
|
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE9gow2pLF3UzlwZVgRApFUAJ9BI6s08KqD654vB7TRdRQ5ztckJQCg8PVK
qxIrYHF8AyN0zKIejgkb8v8=
=4Vtf
-----END PGP SIGNATURE-----
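Added example (editor's code, not from the thread or from OpenAFS): a small offline checker for the kind of krb5/asetkey setup debugged above. It decodes a com_err code such as the -1765328228 printed by aklog -d into its krb5 symbol (a small subset of the krb5 error table, transcribed from krb5_err.h), parses pasted `klist -ke` and `asetkey list` output to confirm that the afs/<cell> keytab entry has a kvno that also appears in the AFS KeyFile and is a single-DES key (the only type the classic rxkad KeyFile holds), and checks that the realm aklog would deduce for the cell has a kdc line in krb5.conf. The sample inputs are constructed from the outputs quoted in the thread; the function and variable names are the example's own.

```python
import re

KRB5_ERROR_TABLE_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 from krb5_err.h
# Subset of the krb5 error table (index = code - base), transcribed from krb5_err.h.
KRB5_ERRORS = {
    7:   ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14:  ("KRB5KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    24:  ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    31:  ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
}

# Constructed sample inputs, copied from the outputs quoted in the thread.
SAMPLE_KRB5_CONF = """
[realms]
MFG-MAINZ.DE.IBM.COM = {
kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
admin_server = mfgmzdc01.mfg-mainz.de.ibm.com:749
}
[domain_realm]
.mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
"""
SAMPLE_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
   2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
"""
SAMPLE_KEYFILE = """kvno 0: key is: 8c6785bxxxxxxxxxxxx
kvno 1: key is: 8c6785bxxxxxxxxxxxx
kvno 2: key is: fbef3b85a40xxxxxx
All done.
"""


def decode_krb5_error(code):
    """Map a com_err code such as -1765328228 to (symbol, message)."""
    idx = code - KRB5_ERROR_TABLE_BASE
    if 0 <= idx < 256:
        return KRB5_ERRORS.get(idx, ("krb5 error index %d" % idx, "not in this subset"))
    return ("unknown", "code %d is not in the krb5 error table" % code)


def parse_keytab_listing(text):
    """Parse `klist -ke` output into [(kvno, principal, enctype)]."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$", line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries


def parse_keyfile_listing(text):
    """Parse `asetkey list` output into {kvno: hex_key}."""
    keys = {}
    for line in text.splitlines():
        m = re.match(r"^kvno (\d+): key is: (\S+)", line)
        if m:
            keys[int(m.group(1))] = m.group(2)
    return keys


def parse_krb5_conf(text):
    """Return ({realm: [kdc, ...]}, {domain: realm}) from krb5.conf text."""
    realms, domain_realm, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1], None
        elif section == "realms":
            if line.endswith("{"):
                realm = line[:-1].strip(" =")
                realms.setdefault(realm, [])
            elif line == "}":
                realm = None
            elif realm and line.startswith("kdc"):
                realms[realm].append(line.split("=", 1)[1].strip())
        elif section == "domain_realm" and "=" in line:
            dom, rlm = (s.strip() for s in line.split("=", 1))
            domain_realm[dom] = rlm
    return realms, domain_realm


def realm_for_cell(cell, domain_realm):
    """Deduce the realm as aklog does: domain_realm lookup, else the upper-cased cell."""
    if cell in domain_realm:
        return domain_realm[cell]
    for dom, rlm in domain_realm.items():
        if dom.startswith(".") and cell.endswith(dom):
            return rlm
    return cell.upper()


def check_afs_setup(cell, krb5_conf, keytab_listing, keyfile_listing):
    """Return a list of findings (empty means the pasted outputs are consistent)."""
    findings = []
    realms, domain_realm = parse_krb5_conf(krb5_conf)
    realm = realm_for_cell(cell, domain_realm)
    if not realms.get(realm):
        findings.append("no kdc entry for realm %s in krb5.conf" % realm)
    afs_princ = "afs/%s@%s" % (cell, realm)
    keyfile = parse_keyfile_listing(keyfile_listing)
    afs_entries = [e for e in parse_keytab_listing(keytab_listing) if e[1] == afs_princ]
    if not afs_entries:
        findings.append("keytab has no entry for %s" % afs_princ)
    for kvno, _, enctype in afs_entries:
        if not enctype.startswith("DES cbc mode"):
            findings.append("kvno %d uses %s; the rxkad KeyFile only holds single-DES keys" % (kvno, enctype))
        if kvno not in keyfile:
            findings.append("keytab kvno %d for %s is missing from the AFS KeyFile" % (kvno, afs_princ))
    return findings


if __name__ == "__main__":
    print(decode_krb5_error(-1765328228))
    findings = check_afs_setup("mfg-mainz.de.ibm.com", SAMPLE_KRB5_CONF, SAMPLE_KEYTAB, SAMPLE_KEYFILE)
    for line in findings or ["keytab, KeyFile and krb5.conf are consistent for this cell"]:
        print(line)
```

Run it as-is to see the decoded error and the consistency result for the thread's data; to use it on a real host, paste the output of `klist -ke`, `asetkey list` and the contents of /etc/krb5.conf into the three sample strings. An empty findings list only says the pasted artefacts agree with each other; it does not test whether the KDC is reachable on the network, which is what the decoded KRB5_KDC_UNREACH points at.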