[OpenAFS] Setup OpenAFS, Heimdal and KeyFiles
Holger Brückner
lists@net-labs.de
19 Sep 2002 15:04:56 +0200
Hello,
I'm trying to set up OpenAFS with a Heimdal KDC. I'm currently stuck in
the process of creating correct key files. What I've done so far:
compiled and set up the Heimdal KDC with the following krb5.conf:
[libdefaults]
    default_realm = NETLABS.DEV
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    clockskew = 300
    checksum_type = 1
    v4_instance_resolve = false
    v4_name_convert = {
        host = {
            rcmd = host
            ftp = ftp
            imap = imap
            smtp = smtp
            lmtp = lmtp
            ldap = ldap
            acap = acap
        }
    }
[realms]
    NETLABS.DEV = {
        kdc = krb.net-labs.dev
        admin_server = krb.net-labs.dev
        default_domain = net-labs.dev
        v4_domains = net-labs.dev
    }
[domain_realm]
    .net-labs.dev = NETLABS.DEV
[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/heimdal/kdc.log
    admin_server = FILE:/var/heimdal/kadm5.log
[kdc]
    enable-kerberos4 = true
    enable-kaserver = true
    enable-524 = true
[kadmin]
    default_keys = v4 v5
Then I compiled and installed OpenAFS (1.2.7rc4) and followed the setup
guide on the grand.central.org wiki.
I created an afs entry with kadmin and exported it to a keytab file:
kdc:~ # ktutil -k /etc/afskeytab.krb5 list
/etc/afskeytab.krb5:
Vno Type Principal
1 des-cbc-crc afs@NETLABS.DEV
1 des-cbc-md4 afs@NETLABS.DEV
1 des-cbc-md5 afs@NETLABS.DEV
1 des3-cbc-sha1 afs@NETLABS.DEV
Looking through the mailing list archives I read that the des3-cbc-sha1
key might cause problems with aklog, so I removed this one:
kdc:~ # ktutil -k /etc/afskeytab.krb5 remove -p afs@NETLABS.DEV -e des3-cbc-sha1
kdc:~ # ktutil -k /etc/afskeytab.krb5 list
/etc/afskeytab.krb5:
Vno Type Principal
1 des-cbc-crc afs@NETLABS.DEV
1 des-cbc-md4 afs@NETLABS.DEV
1 des-cbc-md5 afs@NETLABS.DEV
Now I created the AFS KeyFile:
kdc:~ # ktutil copy FILE:/etc/afskeytab.krb5 AFSKEYFILE:/usr/afs/etc/KeyFile
kdc:~ # ktutil -k /usr/afs/etc/KeyFile list
ktutil: krb5_kt_start_seq_get /usr/afs/etc/KeyFile: Unsupported key table format version number
kdc:~ # ktutil -k AFSKEYFILE:/usr/afs/etc/KeyFile list
AFSKEYFILE:/usr/afs/etc/KeyFile:
Vno Type Principal
1 des-cbc-md5 afs/netlabs.dev@NETLABS.DEV
1 des-cbc-md5 afs/netlabs.dev@NETLABS.DEV
kdc:~ #
The next step was adding an admin user to the KDC and creating the
appropriate pts entries, then restarting the bos server to activate the
KeyFile.
Now I tried to get the AFS ticket for user admin:
kdc:/etc # kinit admin
admin@NETLABS.DEV's Password:
kdc:/etc # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@NETLABS.DEV
Issued Expires Principal
Sep 19 16:46:55 Sep 20 02:46:55 krbtgt/NETLABS.DEV@NETLABS.DEV
V4-ticket file: /tmp/tkt0
Principal: admin@NETLABS.DEV
Issued Expires Principal
Sep 19 16:46:55 Sep 20 02:46:55 krbtgt.NETLABS.DEV@NETLABS.DEV
So far so good, but aklog fails:
kdc:/etc # /download/i386_linux2/aklog -d
Authenticating to cell netlabs.dev (server kdc).
We've deduced that we need to authenticate to realm NETLABS.DEV.
Getting tickets: afs/@NETLABS.DEV
About to resolve name admin to id in cell netlabs.dev.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 / @ NETLABS.DEV
aklog: unable to obtain tokens for cell netlabs.dev (status: 11862791).
kdc:/etc # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@NETLABS.DEV
Issued Expires Principal
Sep 19 16:46:55 Sep 20 02:46:55 krbtgt/NETLABS.DEV@NETLABS.DEV
Sep 19 16:47:05 Sep 20 02:46:55 afs@NETLABS.DEV
V4-ticket file: /tmp/tkt0
Principal: admin@NETLABS.DEV
Issued Expires Principal
Sep 19 16:46:55 Sep 20 02:46:55 krbtgt.NETLABS.DEV@NETLABS.DEV
What the heck is going wrong here?!? I see that I get a krb5 ticket but
the needed(?) krb4 ticket isn't issued, although it is sent by the KDC:
2002-09-19T16:47:05 TGS-REQ admin@NETLABS.DEV from IPv4:10.0.1.76 for afs@NETLABS.DEV
2002-09-19T16:47:05 sending 491 bytes to IPv4:10.0.1.76
2002-09-19T16:47:05 524-REQ admin@NETLABS.DEV from IPv4:10.0.1.76 for afs@NETLABS.DEV
2002-09-19T16:47:05 sending 1266 bytes to IPv4:10.0.1.76
Can anyone explain to me what is going wrong and how I can resolve the
problem?
Thanks a lot,
Holger Brueckner
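Editor's note: the keytab-to-KeyFile step above is where the post's setup gets murky, because the two files do not carry the same information. A keytab entry records principal, kvno, enctype and key; the OpenAFS KeyFile of this era is a fixed-size binary struct holding only (kvno, 8-byte single-DES key) pairs, which is why the `ktutil -k AFSKEYFILE:... list` output shows synthesized principal names and a duplicated kvno 1 rather than the afs@NETLABS.DEV entries that went in. The script below is an added example, not code from the original post, from Heimdal or from OpenAFS. It parses a version-0x0502 keytab, keeps only the single-DES keys (enctypes 1, 2 and 3, which share one key per kvno) of the afs principal, drops des3 and unrelated entries, checks DES key parity, and writes one KeyFile slot per kvno, then reads the file back. The KeyFile layout it assumes (big-endian 4-byte count followed by eight fixed 12-byte slots of 4-byte kvno plus 8-byte key, 100 bytes total, matching OpenAFS's struct afsconf_keys) and the sample keytab contents are the editor's assumptions; the key bytes are constructed and not real key material. Single DES was already weak in 2002 and is not acceptable today; later OpenAFS releases moved to KeyFileExt with non-DES keys, so treat this as documentation of the legacy format, not a recommendation.

```python
"""Added example (not from the post, Heimdal or OpenAFS): convert the
single-DES entries of a 0x0502 keytab into a legacy OpenAFS KeyFile.
KeyFile layout assumed: big-endian count + 8 fixed (kvno, key8) slots."""
import struct

DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
AFSCONF_MAXKEYS = 8                      # fixed number of slots in the KeyFile
KEYFILE_SIZE = 4 + AFSCONF_MAXKEYS * 12  # 100 bytes


def _counted(buf, off):
    """Read a 16-bit length-prefixed byte string at off; return (bytes, new_off)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return [(principal, kvno, enctype, key)] from a version-2 (0x0502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only version 0x0502 keytabs are handled here")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        off += 8                         # name_type (4) + timestamp (4)
        vno8 = data[off]
        off += 1
        enctype, klen = struct.unpack_from(">HH", data, off)
        off += 4
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno overrides the 8-bit one
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        principal = "/".join(c.decode() for c in comps) + "@" + realm.decode()
        entries.append((principal, kvno, enctype, key))
        off = end
    return entries


def build_keytab(entries):
    """Serialize [(principal, kvno, enctype, key)] as a 0x0502 keytab; used only
    to construct the sample input below (field order mirrors parse_keytab)."""
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # NT_PRINCIPAL, timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def des_odd_parity(key):
    """True if every byte of an 8-byte DES key has odd parity, as DES requires."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def write_keyfile(keys):
    """Serialize [(kvno, key8)] as a KeyFile: count, then 8 fixed 12-byte slots."""
    if len(keys) > AFSCONF_MAXKEYS:
        raise ValueError("KeyFile holds at most %d keys" % AFSCONF_MAXKEYS)
    out = struct.pack(">i", len(keys))
    for kvno, key in keys:
        if len(key) != 8:
            raise ValueError("KeyFile slots hold 8-byte single-DES keys only")
        out += struct.pack(">i", kvno) + key
    return out + b"\x00" * (KEYFILE_SIZE - len(out))


def read_keyfile(data):
    """Inverse of write_keyfile: [(kvno, key8)] for the populated slots."""
    if len(data) != KEYFILE_SIZE:
        raise ValueError("unexpected KeyFile size %d" % len(data))
    (n,) = struct.unpack_from(">i", data, 0)
    return [(struct.unpack_from(">i", data, 4 + 12 * i)[0], data[8 + 12 * i:16 + 12 * i])
            for i in range(n)]


def keytab_to_keyfile(keytab, principal):
    """Keep the single-DES keys of `principal`, one slot per kvno (the three DES
    enctypes share a key); des3 and other principals are dropped."""
    chosen = {}
    for p, kvno, enctype, key in parse_keytab(keytab):
        if p != principal or enctype not in DES_ENCTYPES:
            continue
        if not des_odd_parity(key):
            raise ValueError("kvno %d: bad DES parity" % kvno)
        if chosen.setdefault(kvno, key) != key:
            raise ValueError("kvno %d: conflicting DES keys in keytab" % kvno)
    if not chosen:
        raise ValueError("no single-DES key for %s in keytab" % principal)
    return write_keyfile(sorted(chosen.items()))


# Constructed sample input (assumed values, not real key material): one DES key
# under all three single-DES enctypes, a des3 entry to drop, an unrelated host key.
SAMPLE_DES_KEY = bytes.fromhex("0123456789abcdef")   # odd parity in every byte
SAMPLE_KEYTAB = build_keytab([
    ("afs@NETLABS.DEV", 1, 1, SAMPLE_DES_KEY),
    ("afs@NETLABS.DEV", 1, 2, SAMPLE_DES_KEY),
    ("afs@NETLABS.DEV", 1, 3, SAMPLE_DES_KEY),
    ("afs@NETLABS.DEV", 1, 16, bytes(range(24))),       # des3-cbc-sha1, dropped
    ("host/kdc.net-labs.dev@NETLABS.DEV", 2, 3, bytes.fromhex("133457799bbcdff1")),
])

if __name__ == "__main__":
    for kvno, key in read_keyfile(keytab_to_keyfile(SAMPLE_KEYTAB, "afs@NETLABS.DEV")):
        print("kvno %d key %s" % (kvno, key.hex()))
```

Run against a real keytab you would read the bytes from `/etc/afskeytab.krb5` and write the result to `/usr/afs/etc/KeyFile` with mode 0600, then confirm with `ktutil -k AFSKEYFILE:/usr/afs/etc/KeyFile list` that exactly one slot per kvno is present; a duplicated kvno, as in the post's listing, means more than one keytab entry was copied into a slot instead of being collapsed. The parity and conflict checks are there because a KeyFile slot carries no enctype, so a wrong or non-DES key would only surface later as a token failure on the file server.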