[OpenAFS] Setup Kerberos V5 Problem
klaas hagemann
klaas@northsailor.de
Mon, 16 Sep 2002 09:00:20 +0200
Hi Sven,
you need Kerberos IV or a Kerberos 5-to-4 converter (krb524d in MIT Kerberos) to run with Kerberos.
I don't know whether Windows Active Directory provides this.
Klaas
----- Original Message -----
From: Sven Oehme
To: Charles Clancy
Cc: openafs-info@openafs.org
Sent: Friday, September 13, 2002 8:06 PM
Subject: Re: [OpenAFS] Setup Kerberos V5 Problem
Hi,
here is my krb5.conf:
---------------------------------------------------------------------
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = MFG-MAINZ.DE.IBM.COM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MFG-MAINZ.DE.IBM.COM = {
  kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
  admin_server = mfgmzdc01.mfg-mainz.de.ibm.com:749
  default_domain = mfg-mainz.de.ibm.com
 }

[domain_realm]
 .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
 mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[pam]
 debug = false
 ticket_lifetime = 36000
 renew_lifetime = 36000
 forwardable = true
 krb4_convert = true
 afs_cells = mfg-mainz.de.ibm.com
[root@MFGAFS12 root]#
---------------------------------------------------------------------
my domain controller and KDC is mfgmzdc01.mfg-mainz.de.ibm.com
my AFS server is mfgafs12.mfg-mainz.de.ibm.com
Sven
Charles Clancy <security@xauth.net>
13.09.2002 19:33
To: Sven Oehme/Germany/IBM@IBMDE
cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Setup Kerberos V5 Problem
What does your /etc/krb5.conf file look like?
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]
On Thu, 12 Sep 2002, Sven Oehme wrote:
> Hi,
>
> i tried to Setup an AFS Cell which is authenticating to a Windows 2000
> Active directory domain Controller (Kerberos V5)
>
> i setup a Redhat 7.2 Client , Kerberos login is working..
>
> so i added a user to the linux passwd with a junk password but can login
> with my W2k password
> so generally Kerberos is working .
>
> a klist , lists me my Kerberos ticket in the W2K Domain :
>
> ssh -l de102146 mfgafs12
>
> login as: de102146
> Sent username "de102146"
> de102146@mfgafs12's password:
> Last login: Thu Sep 12 13:23:01 2002 from oehmestp.mfg-mainz.de.ibm.com
> [de102146@MFGAFS12 de102146]$ klist
> Ticket cache: FILE:/tmp/krb5cc_500_VgI6ue
> Default principal: de102146@MFG-MAINZ.DE.IBM.COM
>
> Valid starting Expires Service principal
> 09/12/02 13:49:21 09/12/02 23:49:21
> krbtgt/MFG-MAINZ.DE.IBM.COM@MFG-MAINZ.DE.IBM.COM
> renew until 09/12/02 23:49:21
>
>
> Kerberos 4 ticket cache: /tmp/tkt500
> klist: You have no tickets cached
> [de102146@MFGAFS12 de102146]$
>
>
> i created an account afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com on the
> W2k Server with the command :
>
> ktpass.exe -princ afs/mfg-mainz.de.ibm.com@mfg-mainz.de.ibm.com -mapuser
> afs -pass testmich -out afs.key
>
> it was successful and i copied the key to the afs Server.
>
> here i tried to import the key to the krb5.conf with the ktutil command.
> this was also successful . output of klist :
>
> [root@MFGAFS12 root]# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/MFGAFS12.mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
>    2 afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM (DES cbc mode with CRC-32)
> [root@MFGAFS12 root]#
>
> now , i tried to use the asetkey to add the key to afs using command :
>
> ./asetkey add 2 /etc/krb5.keytab afs/mfg-mainz.de.ibm.com
>
> it was unsuccessful , the version key number was not correct ..
>
> i recreated the afs account in the mfg-mainz.de.ibm.com realm with kvno 2 .
>
> now i was able to import the key using asetkey :
>
> [root@MFGAFS12 i386_linux2]# ./asetkey list
> kvno 0: key is: 8c6785bxxxxxxxxxxxx
> kvno 1: key is: 8c6785bxxxxxxxxxxxx
> kvno 2: key is: fbef3b85a40xxxxxx
> All done.
>
> now i logged in again and tried kinit then aklog -d and it generates the
> following error :
>
> [de102146@MFGAFS12 de102146]$ aklog -d
> Authenticating to cell mfg-mainz.de.ibm.com (server
> MFGAFS12.mfg-mainz.de.ibm.com).
> We've deduced that we need to authenticate to realm MFG-MAINZ.DE.IBM.COM.
> Getting tickets: afs/mfg-mainz.de.ibm.com@MFG-MAINZ.DE.IBM.COM
> Kerberos error code returned by get_cred: -1765328228
> aklog: Couldn't get mfg-mainz.de.ibm.com AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets
> [de102146@MFGAFS12 de102146]$
>
> has anybody an idea , what the problem could be ??
> how can i debug , this stuff ??
>
> Sven
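Two things a reader debugging this thread would want to do by hand: check that the posted krb5.conf actually maps the AFS server's hostname to a realm that has a reachable KDC entry, and turn the raw number `-1765328228` from `aklog -d` back into a symbolic krb5 error. The script below is an added example written for this archive page, not code from the thread, OpenAFS or MIT Kerberos. It embeds the relevant sections of Sven's krb5.conf as a constructed sample, uses a deliberately small krb5.conf parser (only the `[section]`, `key = value` and `key = { ... }` forms used here), and decodes com_err codes the way MIT's com_err packs them (a 24-bit, 6-bits-per-character table name shifted left by 8, plus an 8-bit offset). The `KRB5_ERRORS` dictionary is a partial, hand-copied subset of krb5's error table, not the full list. It also flags `des-cbc-crc`: single DES was the only enctype Windows 2000 AD and krb4-era AFS could share, which is why the thread uses it, but it is not a usable choice today and modern MIT krb5 refuses it unless `allow_weak_crypto` is set.

```python
# Constructed sample: the [libdefaults], [realms] and [domain_realm] sections
# from the krb5.conf posted in the thread; the other sections are omitted.
SAMPLE_KRB5_CONF = """
[libdefaults]
 ticket_lifetime = 24000
 default_realm = MFG-MAINZ.DE.IBM.COM
 default_tkt_enctypes = des-cbc-crc
 default_tgs_enctypes = des-cbc-crc
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 MFG-MAINZ.DE.IBM.COM = {
  kdc = mfgmzdc01.mfg-mainz.de.ibm.com:88
  admin_server = mfgmzdc01.mfg-mainz.de.ibm.com:749
  default_domain = mfg-mainz.de.ibm.com
 }

[domain_realm]
 .mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
 mfg-mainz.de.ibm.com = MFG-MAINZ.DE.IBM.COM
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4", "des-cbc-raw", "des"}

# com_err's table-name alphabet: index 1..63, 0 terminates the name.
COM_ERR_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Partial subset of MIT krb5's error table (krb5_err.et), offsets from its base.
KRB5_ERRORS = {
    150: ("KRB5_PROG_ETYPE_NOSUPP", "Program lacks support for encryption type"),
    154: ("KRB5_REALM_UNKNOWN", "Cannot find KDC for requested realm"),
    155: ("KRB5_SERVICE_UNKNOWN", "Kerberos service unknown"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
}


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: sections, key = value, and key = { ... } groups."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            if len(stack) > 1:
                stack.pop()
        elif stack and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    return conf


def realm_for_host(conf, host):
    """Longest-suffix [domain_realm] lookup, as the library does without DNS."""
    mapping = conf.get("domain_realm", {})
    host = host.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def weak_enctypes(conf):
    """Single-DES enctypes named in [libdefaults], deduplicated and sorted."""
    libdefaults, found = conf.get("libdefaults", {}), set()
    for key in ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes"):
        for etype in libdefaults.get(key, "").replace(",", " ").split():
            if etype.lower() in SINGLE_DES:
                found.add(etype.lower())
    return sorted(found)


def audit(conf, host):
    """Findings a defender would want before blaming the KDC for an aklog failure."""
    findings, libdefaults = [], conf.get("libdefaults", {})
    realm = realm_for_host(conf, host)
    if realm is None:
        realm = libdefaults.get("default_realm")
        findings.append(f"no domain_realm mapping for {host}; falling back to {realm}")
    realm_conf = conf.get("realms", {}).get(realm or "", {})
    if "kdc" not in realm_conf and libdefaults.get("dns_lookup_kdc", "true").lower() != "true":
        findings.append(f"realm {realm} has no kdc entry and dns_lookup_kdc is off")
    if weak_enctypes(conf):
        findings.append("single-DES enctypes configured: " + ", ".join(weak_enctypes(conf)))
    return findings


def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table name, offset)."""
    unsigned = code & 0xFFFFFFFF
    table_bits, offset, name = unsigned >> 8, unsigned & 0xFF, ""
    for shift in (18, 12, 6, 0):
        idx = (table_bits >> shift) & 0x3F
        if idx:
            name += COM_ERR_CHARS[idx - 1]
    return name, offset


def describe_com_err(code):
    table, offset = decode_com_err(code)
    if table == "krb5" and offset in KRB5_ERRORS:
        return "%s: %s" % KRB5_ERRORS[offset]
    return f"{table} error table, offset {offset} (not in this partial table)"


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for finding in audit(conf, "mfgafs12.mfg-mainz.de.ibm.com"):
        print("finding:", finding)
    print(describe_com_err(-1765328228))
```

Run against the posted configuration, the realm mapping and KDC entry check out and the only finding is the single-DES enctype, while the aklog number decodes to `KRB5_KDC_UNREACH`. That is consistent with Klaas's point: the config is not what is broken, the KDC the krb4-era `aklog` is trying to reach (a krb524 service) does not exist on the Windows domain controller.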