[OpenAFS] Kerberos 5, AFS, and no krb524d

Douglas E. Engert deengert@anl.gov
Thu, 05 Jun 2003 15:29:04 -0500


Nicholas Henke wrote:
> 
> On Thu, 2003-06-05 at 15:32, Douglas E. Engert wrote:
> > If you Kerberos admins will not run the krb524d (and I don't know
> > why not) there are some other options:
> >
> >  o An aklog that just used the k5 ticket would be good, but is there one
> >    yet? This would in effect be a klog, using k5, and the K5 realm must
> >    match the AFS cell. The AFS servers need to be 1.2.9
> 
> Why must the K5 realm match the AFS cell? I think this would not work,
> as we have a static K5 realm of UPENN.EDU and are looking to migrate
> each of our linux clusters to its own AFS cell.

You are correct. If the K5 realm can issue tickets for something like
afs/<cell>@<realm>

> 
> >
> >  o Run krb524d -k on a separate machine, but the clients need to know where
> >    it is, as well as the lib. We do this for the W2K KDC. The krb5.conf
> >    [realms] entry has a krb524d = <host> where the krb524d runs on UNIX.
> 

I will let someone else answer this, as the modified krb524d we use uses one key
for the K5 ticket to decrypt it, then reads the AFS KeyFile to get the key
with which to encrypt the AFS token, thus avoiding many of these key sync issues:
enctypes or kvno don't have to match.

(We took down our AFS cell once trying to get these keys in sync, and said
that was once too many, so we made this mod.)

> Ok -- here are the steps that I did to try to get this to work...where
> did I go wrong ?
> kadmin:  addprinc -e des-cbc-crc:v4 afs/roughneck.liniac.upenn.edu
> NOTICE: no policy specified for
> afs/roughneck.liniac.upenn.edu@UPENN.EDU; assigning "default"
> Enter password for principal "afs/roughneck.liniac.upenn.edu@UPENN.EDU":
> 
> kadmin:  addprinc -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
> NOTICE: no policy specified for
> afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU; assigning "default"
> Enter password for principal
> "afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU":
> 
> kadmin:  getprinc afs/roughneck.liniac.upenn.edu
> Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> Expiration date: [never]
> Last password change: Thu Jun 05 15:40:55 EDT 2003
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 05 15:40:55 EDT 2003
> (henken/kadmin-liniac.upenn.edu@UPENN.EDU)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, Version 4
> Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
> Policy: default
> 
> kadmin:  getprinc afsadmin/roughneck.liniac.upenn.edu
> Principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
> Expiration date: [never]
> Last password change: Thu Jun 05 15:41:16 EDT 2003
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 05 15:41:16 EDT 2003
> (henken/kadmin-liniac.upenn.edu@UPENN.EDU)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, Version 4
> Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
> Policy: default
> 
> kadmin:  modprinc -kvno 0 afs/roughneck.liniac.upenn.edu
> Principal "afs/roughneck.liniac.upenn.edu@UPENN.EDU" modified.
> 
> kadmin:  getprinc afs/roughneck.liniac.upenn.edu
> Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> Expiration date: [never]
> Last password change: Thu Jun 05 15:40:55 EDT 2003
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 05 16:03:37 EDT 2003
> (henken/kadmin-liniac.upenn.edu@UPENN.EDU)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 0, DES cbc mode with CRC-32, Version 4
> Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
> Policy: default
> 
> kadmin:  ktadd -e des-cbc-crc:v4 afs/roughneck.liniac.upenn.edu
> Entry for principal afs/roughneck.liniac.upenn.edu with kvno 1,
> encryption type DES cbc mode with CRC-32 added to keytab
> WRFILE:/etc/krb5.keytab.
> 
> kadmin:  ktadd -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
> Entry for principal afsadmin/roughneck.liniac.upenn.edu with kvno 2,
> encryption type DES cbc mode with CRC-32 added to keytab
> WRFILE:/etc/krb5.keytab.
> 
> [root@roughneck root]# klist -k -e -t -K
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0x588fe6078915e58c)
>    2 06/05/03 16:04:38 afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0xcb193ef19d31f1ea)
> 
> [root@roughneck root]# krb524d -k -nofork
> 
> edit /etc/krb5.conf to add roughneck.liniac.upenn.edu as a kdc and
> krb524_server
> 
> [root@roughneck root]# asetkey add 1 /etc/krb5.keytab
> afs/roughneck.liniac.upenn.edu
> 
> [root@roughneck root]# asetkey list
> kvno    1: key is: 588fe6078915e58c
> All done.
> 
> [root@roughneck root]# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> 
> [root@roughneck root]# kinit -p afsadmin/roughneck.liniac.upenn.edu
> Password for afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU:
> kinit(v5): Preauthentication failed while getting initial credentials
> 
> I know I typed in the passwd correctly -- but I do not get
> authenticated. Now I change the password for afsadmin:
> 
> kadmin : cpw -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
> Enter password for principal "afsadmin/roughneck.liniac.upenn.edu":
> 
> kadmin:  getprinc afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
> Principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
> Expiration date: [never]
> Last password change: Thu Jun 05 16:12:50 EDT 2003
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 05 16:12:50 EDT 2003
> (henken/kadmin-liniac.upenn.edu@UPENN.EDU)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 3, DES cbc mode with CRC-32, Version 4
> Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
> Policy: default
> 
> Ok -- the kvno has changed, so I need the new key in the keytab:
> 
> kadmin:  ktadd -e des-cbc-crc:v4 afsadmin/roughneck.liniac.upenn.edu
> Entry for principal afsadmin/roughneck.liniac.upenn.edu with kvno 4,
> encryption type DES cbc mode with CRC-32 added to keytab
> WRFILE:/etc/krb5.keytab.
> 
> Now -- If I try kinit'ing before the ktadd, it works, but after I get
> Preauthentication failed... Is ktadd changing the password ? What other
> information can I send to debug this ?
> 
> >
> >  o Use gssklog, where the gssklogd daemons run on the AFS database servers.
> >    The clients run on Unix or Windows. The realm of the KDC does not have to
> >    match the AFS cell name, as the gssklogd does a mapping from the GSS
> >    client_name to the AFS uid name, and returns an AFS token.
> >    It needs the GSSAPI and on Windows I am using the MIT, but I am going
> >    to try and get it to work directly with the SSPI.
> >
> >    See  ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.6.tar
> 
> I will take a look at this, but I am leaning towards the previous 2
> options. To me they seem easier.
> 
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
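An added check, editor's example rather than code from this thread, OpenAFS or MIT Kerberos, that parses the three kinds of output quoted above (kadmin `getprinc`, `klist -k -e -K`, `asetkey list`) and reports the key-sync problems the thread revolves around: a keytab kvno the KDC no longer holds (the transcript shows `ktadd` issuing a fresh random key with a new kvno each time it runs, which is why a password typed at `kinit` stops working afterwards), a KeyFile key that differs from the keytab key, or a key that is not single DES and so cannot be loaded with `asetkey`. The sample outputs are constructed copies of the ones in the thread, and the regular expressions are assumptions about those tools' text formats, not a stable interface.

```python
import re

# Constructed sample output: copies of the kadmin, klist and asetkey
# transcripts quoted in the thread (only the afs/ principal for getprinc).
GETPRINC_OUT = """\
Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
"""

KLIST_OUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0x588fe6078915e58c)
   2 06/05/03 16:04:38 afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0xcb193ef19d31f1ea)
"""

ASETKEY_OUT = """\
kvno    1: key is: 588fe6078915e58c
All done.
"""

# The text formats below are assumptions derived from the quoted output,
# not a documented interface of kadmin, klist or asetkey.
KDC_KEY_RE = re.compile(r"^Key: vno (\d+), (.+?)(?:, Version \d+)?$", re.M)
KEYTAB_RE = re.compile(
    r"^\s*(\d+) \S+ \S+ (\S+) \((.+?)\)\s+\(0x([0-9a-fA-F]+)\)", re.M)
KEYFILE_RE = re.compile(r"^kvno\s+(\d+): key is: ([0-9a-fA-F]+)", re.M)


def parse_getprinc(text):
    """Key versions the KDC currently holds for the principal: {kvno: enctype}."""
    return {int(vno): enc for vno, enc in KDC_KEY_RE.findall(text)}


def parse_keytab(text):
    """Entries from klist -k -e -K: {principal: [(kvno, enctype, hexkey), ...]}."""
    entries = {}
    for kvno, princ, enc, key in KEYTAB_RE.findall(text):
        entries.setdefault(princ, []).append((int(kvno), enc, key.lower()))
    return entries


def parse_keyfile(text):
    """AFS KeyFile contents from asetkey list: {kvno: hexkey}."""
    return {int(vno): key.lower() for vno, key in KEYFILE_RE.findall(text)}


def check_afs_keys(principal, getprinc_out, klist_out, asetkey_out):
    """Return a list of problems; an empty list means KDC, keytab and KeyFile agree."""
    problems = []
    kdc = parse_getprinc(getprinc_out)
    keytab = parse_keytab(klist_out).get(principal, [])
    keyfile = parse_keyfile(asetkey_out)
    if not keytab:
        return [f"{principal} has no keytab entry"]
    for kvno, enc, key in keytab:
        # The AFS KeyFile holds single-DES keys: 8 bytes, 16 hex digits.
        if not enc.startswith("DES cbc"):
            problems.append(f"kvno {kvno}: enctype '{enc}' cannot be loaded into the AFS KeyFile")
        if len(key) != 16:
            problems.append(f"kvno {kvno}: key is {len(key) // 2} bytes, not a single-DES key")
        # A keytab kvno the KDC does not hold means ktadd or cpw has since
        # issued a newer key: tickets from the KDC will not match this keytab.
        if kvno not in kdc:
            problems.append(f"kvno {kvno}: KDC holds versions {sorted(kdc)} only; keytab is stale")
        if kvno not in keyfile:
            problems.append(f"kvno {kvno}: not present in the AFS KeyFile (asetkey add needed)")
        elif keyfile[kvno] != key:
            problems.append(f"kvno {kvno}: AFS KeyFile key {keyfile[kvno]} differs from keytab key {key}")
    return problems


if __name__ == "__main__":
    AFS_PRINC = "afs/roughneck.liniac.upenn.edu@UPENN.EDU"
    for line in check_afs_keys(AFS_PRINC, GETPRINC_OUT, KLIST_OUT, ASETKEY_OUT) or ["keys in sync"]:
        print(line)
```

Run it against real output by replacing the three constants with the captured text of the commands on the cell's database server; the check for the afs/ principal is the one that matters for token decryption, since the fileservers only see the KeyFile and the KDC only sees its own database.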