[OpenAFS] Kerberos 5, AFS, and no krb524d

Derek Atkins warlord@MIT.EDU
09 Jun 2003 11:41:30 -0400


Nicholas Henke <henken@seas.upenn.edu> writes:

> Ok, this seems to be fixed now:
> kadmin:  getprinc afs/roughneck.liniac.upenn.edu
> Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> Expiration date: [never]
> Last password change: Thu Jun 05 16:04:26 EDT 2003
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 05 16:04:26 EDT 2003
> (henken/kadmin-liniac.upenn.edu@UPENN.EDU)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR

Hmm...  This second attribute is problematic...

> Policy: default
> 
> [root@roughneck root]# klist -k -e -t -K
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)  (0x588fe6078915e58c)
> 
> > 
> > Question: what do you plan to do with this "afsadmin/<host>"
> > principal?  AFS certainly doesn't need it for anything.
> 
> I was using it as the administrative user -- superuser.

Oh, I would just use your own ID for now -- you can add a "role"
account later.  Or use henken/root@UPENN.EDU.

> The problem now seems to be with aklog. It is failing with the message
> below. While running under strace it doesn't appear to be trying to get a
> krb524 server -- rather it tried to contact them on the 'regular' ports
> of 88 and 750.
> 
> [root@roughneck root]# aklog -d
> Authenticating to cell roughneck.liniac.upenn.edu (server roughneck.liniac.upenn.edu).
> We've deduced that we need to authenticate to realm UPENN.EDU.
> Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> Kerberos error code returned by get_cred: -1765328377
> aklog: Couldn't get roughneck.liniac.upenn.edu AFS tickets:
> aklog: Server not found in Kerberos database while getting AFS tickets

The problem here is that it's not getting far enough to get to
krb524d.  If you klist after running this I bet you do NOT have
an afs/roughneck.liniac.upenn.edu service ticket in your credential
cache!

See above about the DISALLOW_SVR attribute?  This is preventing the
TGS_REQ from happening, so aklog cannot get the afs credential.  Fix
your attributes to turn the afs principal into a service principal.

> Thanks!
> Nic

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
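The diagnosis in the reply above (DISALLOW_SVR on the afs service principal stops the TGS_REQ, so aklog never gets a service ticket, and the keytab must carry a kvno the KDC actually has) as an added Python check; this is not code from the thread or from OpenAFS, and the parsing of `kadmin getprinc` / `klist -k -e -t` text, the function names and the sample strings (constructed from the output quoted above) are assumptions.

```python
import re

# Constructed sample input, taken from the kadmin and klist output quoted in the thread.
GETPRINC_OUTPUT = """Principal: afs/roughneck.liniac.upenn.edu@UPENN.EDU
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_PRE_AUTH DISALLOW_SVR
"""
KLIST_OUTPUT = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
   1 06/05/03 16:04:26 afs/roughneck.liniac.upenn.edu@UPENN.EDU (DES cbc mode with CRC-32)
"""
KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), ")                      # "Key: vno N, <enctype>, <salt>"
KEYTAB_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\((.+?)\)")  # one 'klist -k -e -t' row

def parse_getprinc(text):
    """Return (principal, attribute set, {vno: enctype}) from 'kadmin getprinc' output."""
    principal, attrs, keys = None, set(), {}
    for line in text.splitlines():
        if line.startswith("Principal: "):
            principal = line.split(": ", 1)[1].strip()
        elif line.startswith("Attributes:"):
            attrs = set(line.split(":", 1)[1].split())
        elif (m := KEY_RE.match(line)):
            keys[int(m.group(1))] = m.group(2)
    return principal, attrs, keys

def parse_keytab(text):
    """Return {principal: {kvno: enctype}} from 'klist -k -e -t' output."""
    entries = {}
    for line in text.splitlines():
        if (m := KEYTAB_RE.match(line)):
            entries.setdefault(m.group(2), {})[int(m.group(1))] = m.group(3)
    return entries

def check_afs_service_principal(getprinc_text, keytab_text):
    """List why aklog would fail for this principal; empty list means it looks usable.
    DISALLOW_SVR makes the KDC refuse service tickets, and 'modprinc +allow_svr' clears it."""
    principal, attrs, kdc_keys = parse_getprinc(getprinc_text)
    findings = []
    if "DISALLOW_SVR" in attrs:
        findings.append("DISALLOW_SVR set on %s: KDC refuses the TGS_REQ; run "
                        "'kadmin: modprinc +allow_svr %s'" % (principal, principal))
    keytab_keys = parse_keytab(keytab_text).get(principal, {})
    if not keytab_keys:
        findings.append("no keytab entry for %s" % principal)
    for kvno in keytab_keys:                       # keytab key must exist on the KDC
        if kvno not in kdc_keys:
            findings.append("keytab kvno %d not present on KDC (vnos %s)" % (kvno, sorted(kdc_keys)))
    return findings
```

Run it against the real `kadmin getprinc` and `klist -k -e -t` output for the afs principal; once the attribute is cleared and the kvno matches, the list comes back empty.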