[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
09 Jun 2003 10:30:49 -0400


On Thu, 2003-06-05 at 19:58, Derek Atkins wrote:
> Nicholas Henke <henken@seas.upenn.edu> writes:
> 
> > On Thu, 2003-06-05 at 15:32, Douglas E. Engert wrote:
> > > If you Kerberos admins will not run the krb524d (and I don't know
> > > why not) there are some other options:
> > > 
> > >  o An aklog that just used the k5 ticket would be good, but is there one
> > >    yet? This would in effect be a klog, using k5, and the K5 realm must
> > >    match the AFS cell. The AFS servers need to be 1.2.9 
> > 
> > Why must the K5 realm match the AFS cell? I think this would not work,
> > as we have a static K5 realm of UPENN.EDU and are looking to migrate
> > each of our linux clusters to its own AFS cell.
> 
> Well, it doesn't HAVE to, but it works better that way.  If nothing
> else you need to configure your krb5.conf to tell kerberos that the
> realm for .liniac.upenn.edu is UPENN.EDU.  It should work with cell !=
> REALM, but it's certainly much EASIER to cope when cell = REALM.

Thanks -- this helps. I now do not have to add host and realm to the
aklog call.

[snipped]

> Are you sure that you've got kvno #1 after the ktadd?  If your kvno
> doesn't match then you'll have a problem.

Ok, this seems to be fixed now:
kadmin:  getprinc afs/roughneck.liniac.upenn.edu
Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Expiration date: [never]
Last password change: Thu Jun 05 16:04:26 EDT 2003
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 05 16:04:26 EDT 2003
(henken/kadmin-liniac.upenn.edu@UPENN.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
Policy: default

[root@roughneck root]# klist -k -e -t -K
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0x588fe6078915e58c)

> 
> Question: what do you plan to do with this "afsadmin/<host>"
> principal?  AFS certainly doesn't need it for anything.

I was using it as the administrative user -- superuser.

> 
> > Now -- If I try kinit'ing before the ktadd, it works, but after I get
> > Preauthentication failed... Is ktadd changing the password ? What other
> > information can I send to debug this ?
> 
> Yes, ktadd is changing the password.
> 
> -derek

Ok -- I have changed afsadmin's password, and can now kinit.

The problem now seems to be with aklog. It is failing with the message
below. While running under strace it doesn't appear to be trying to get a
krb524 server -- rather it tried to contact them on the 'regular' ports
of 88 and 750.

[root@roughneck root]# aklog -d
Authenticating to cell roughneck.liniac.upenn.edu (server roughneck.liniac.upenn.edu).
We've deduced that we need to authenticate to realm UPENN.EDU.
Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Kerberos error code returned by get_cred: -1765328377
aklog: Couldn't get roughneck.liniac.upenn.edu AFS tickets:
aklog: Server not found in Kerberos database while getting AFS tickets

Thanks!
Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
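An added check, not part of this thread or of OpenAFS, that turns the kvno-matching advice above into something repeatable: it parses `kadmin getprinc` and `klist -k -e -t -K` output (the samples below are constructed from the listings quoted in the message), reports keytab keys the KDC does not hold, flags the DISALLOW_SVR attribute (which MIT kadmin documents as prohibiting the issuance of service tickets for the principal), and decodes the raw com_err value printed by `aklog -d` using MIT krb5's error-table base.

```python
import re

# Constructed samples: the getprinc and klist listings quoted in the message above.
GETPRINC = """\
Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
"""
KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0x588fe6078915e58c)
"""

KRB5_ERROR_BASE = -1765328384  # ERROR_TABLE_BASE_krb5 in MIT Kerberos (com_err)
KDC_ERR_NAMES = {6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
                 7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",   # "Server not found in Kerberos database"
                 24: "KRB5KDC_ERR_PREAUTH_FAILED"}

def decode_krb5_error(code):
    """Map a raw com_err code (as printed by `aklog -d`) to its KDC error number and name."""
    n = code - KRB5_ERROR_BASE
    return n, KDC_ERR_NAMES.get(n, "unknown")

def kdc_principal(text):
    """Parse `kadmin getprinc` output into (name, {(kvno, enctype)}, {attributes})."""
    name = re.search(r"^Principal: (\S+)", text, re.M).group(1)
    keys = {(int(v), e) for v, e in re.findall(r"^Key: vno (\d+), ([^,\n]+)", text, re.M)}
    attrs = set(re.search(r"^Attributes: (.*)$", text, re.M).group(1).split())
    return name, keys, attrs

def keytab_keys(text, principal):
    """Collect (kvno, enctype) pairs for one principal from `klist -k -e -t -K` output."""
    pat = re.compile(r"^\s*(\d+)\s+\S+ \S+ " + re.escape(principal) + r" \(([^)]+)\)", re.M)
    return {(int(v), e) for v, e in pat.findall(text)}

def check(getprinc_text, klist_text):
    """Return the problems that would keep the KDC from honouring a ticket for this keytab key."""
    name, kdc_keys, attrs = kdc_principal(getprinc_text)
    kt = keytab_keys(klist_text, name)
    problems = []
    if not kt:
        problems.append(f"{name} is not in the keytab")
    for kvno, enctype in sorted(kt - kdc_keys):
        problems.append(f"keytab kvno {kvno} ({enctype}) has no matching key on the KDC")
    if "DISALLOW_SVR" in attrs:
        problems.append(f"{name} has DISALLOW_SVR set: the KDC will not issue service tickets for it")
    return problems
```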