[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
05 Jun 2003 16:20:13 -0400 

On Thu, 2003-06-05 at 15:32, Douglas E. Engert wrote:
> If you Kerberos admins will not run the krb524d (and I don't know
> why not) there are some other options:
> 
>  o An aklog that just used the k5 ticket would be good, but is there one
>    yet? This would in efect be a klog, using k5, and the K5 realm must
>    match the AFS cell. The AFS servers need to be 1.2.9 

Why must the K5 realm match the AFS cell ? I think this would not work,
as we have a static K5 realm of UPENN.EDU and are looking to migrate
each of our linux clusters to it's own AFS cell.

> 
>  o Run krb524d -k on a seperate machine, but the client need to know where
>    it is, as well as the lib. We do this for the W2K KDC, The krb5.conf 
>    [realms] entry has a krb524d = <host> where the krb524d runs on UNIX.

Ok -- here are the steps that I did to try to get this to work...where
did I go wrong ?
kadmin:  addprinc -e des-cbc-crc:v4 afs/roughneck.liniac.upenn.edu
NOTICE: no policy specified for
afs/roughneck.liniac.upenn.edu@UPENN.EDU; assigning "default"
Enter password for principal "afs/roughneck.liniac.upenn.edu@UPENN.EDU":

kadmin:  addprinc -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
NOTICE: no policy specified for
afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU; assigning "default"
Enter password for principal
"afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU":

kadmin:  getprinc afs/roughneck.liniac.upenn.edu
Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Expiration date: [never]
Last password change: Thu Jun 05 15:40:55 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 05 15:40:55 EDT 2003
(henken/kadmin-liniac.upenn.edu@UPENN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default

kadmin:  getprinc afsadmin/roughneck.liniac.upenn.edu
Principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Expiration date: [never]
Last password change: Thu Jun 05 15:41:16 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 05 15:41:16 EDT 2003
(henken/kadmin-liniac.upenn.edu@UPENN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default

kadmin:  modprinc -kvno 0 afs/roughneck.liniac.upenn.edu
Principal "afs/roughneck.liniac.upenn.edu@UPENN.EDU" modified.

kadmin:  getprinc afs/roughneck.liniac.upenn.edu
Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Expiration date: [never]
Last password change: Thu Jun 05 15:40:55 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 05 16:03:37 EDT 2003
(henken/kadmin-liniac.upenn.edu@UPENN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 0, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default

kadmin:  ktadd -e des-cbc-crc:v4 afs/roughneck.liniac.upenn.edu
Entry for principal afs/roughneck.liniac.upenn.edu with kvno 1,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/etc/krb5.keytab.

kadmin:  ktadd -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
Entry for principal afsadmin/roughneck.liniac.upenn.edu with kvno 2,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/etc/krb5.keytab.


[root@roughneck root]# klist -k -e -t -K
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- -----------------
--------------------------------------------------------
   1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc
mode with CRC-32)  (0x588fe6078915e58c)
   2 06/05/03 16:04:38 afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
(DES cbc mode with CRC-32)  (0xcb193ef19d31f1ea)

[root@roughneck root]# krb524d -k -nofork

edit /etc/krb5.conf to add roughneck.liniac.upenn.edu as a kdc and
krb524_server

[root@roughneck root]# asetkey add 1 /etc/krb5.keytab
afs/roughneck.liniac.upenn.edu

[root@roughneck root]# asetkey list
kvno    1: key is: 588fe6078915e58c
All done.

[root@roughneck root]# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

[root@roughneck root]# kinit -p afsadmin/roughneck.liniac.upenn.edu
Password for afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU:
kinit(v5): Preauthentication failed while getting initial credentials

I know I typed in the passwd correctly -- but I do not get
authenticated. Now I change the password for afsadmin:

kadmin : cpw -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
Enter password for principal "afsadmin/roughneck.liniac.upenn.edu":

kadmin:  getprinc afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Expiration date: [never]
Last password change: Thu Jun 05 16:12:50 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 05 16:12:50 EDT 2003
(henken/kadmin-liniac.upenn.edu@UPENN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default

Ok -- the kvno has changed, so I need the new key in the keytab:

kadmin:  ktadd -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
Entry for principal afsadmin/roughneck.liniac.upenn.edu with kvno 4,
encryption type DES cbc mode with CRC-32 added to keytab
WRFILE:/etc/krb5.keytab.

Now -- If I try kinit'ing before the ktadd, it works, but after I get
Preauthentication failed... Is ktadd changing the password ? What other
information can I send to debug this ?

> 
>  o Use gssklog, where the gssklogd deamons run on the AFS database servers.
>    The clients run on Unix or Windows. The realm of the KDC does not have to
>    match the AFS cell name, as the gssklogd does a mapping from the GSS 
>    client_name to the AFS uid name, and returns an AFS token.
>    It needs the GSSAPI and on Windows I am using the MIT, but I am going 
>    to try and get it to work directly with the SSPI.
>  
>    See  ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.6.tar

I will take a look at this, but I am leaning towards the previos 2
options. To me they seem easier.

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania