[OpenAFS] gssklogd access from windows
Douglas E. Engert
deengert@anl.gov
Thu, 04 Sep 2003 14:27:53 -0500
The problems have to do with how the client determines the realm of the
gssklog server.
The gssklog gives the MS SSPI or GSSAPI the "gssklog@elm.cs.ttu.edu"
(The "@" is a GSSAPI thing, not the realm separator. It's a host based service.)
The MIT client code will derive a realm name using DNS or the krb5.conf
[domain_realm] mapping or assume the realm is the DNS domain in uppercase as
CS.TTU.EDU. In this case it will then ask the client's KDC for a cross realm tgt,
and then ask the server's realm for a service ticket. (This is the case that
worked for you below.)
The SSPI does not have that client mapping but will ask the client's KDC for a
ticket for gssklog/elm.cs.ttu.edu and let the KDC determine the realm. If the KDC
is a W2K domain and the server is in the same forest, the client's KDC can return
a referral to the client thus getting the cross realm tgt and service tickets.
But if the client's KDC is a W2K domain and the server's is MIT KDC,
the W2K does not know what realm the server is in, and thus fails to return
a ticket.
There are two ways to solve this.
o The SSPI can actually allow the client to specify the realm,
using some mapping of its own. host@realm would be passed in
I don't have this in the gssklog, but could add one, for example
if the initial attempt failed, try the domain name as the realm, or use DNS etc.
o Add a gssklog/elm.cs.ttu.edu@TTU.EDU to the client's KDC.
and have the gssklogd accept either. (This is what we do,
but it takes a mod to the server's gssapi lib to accept either.)
I will look into the mapping.
Chris McClimans wrote:
>
> Here are some gssklog attempts from a windows box that is part of the
> TTU.EDU realm/domain.
> The afs cell is cs.ttu.edu in realm CS.TTU.EDU
> There is a one way trust where users in TTU.EDU can get
> krbtgt/CS.TTU.EDU but not the other way around.
>
> I think the problem here is that the tickets retrieved from MIT and MS
> differ somewhat, but in what manner I am unsure.
> Any comments or suggestions are welcome.
>
> ## Attempt to use gssklog using ms credential cache. (this would be the
> prefered way)
> ## I have logged into the computer using the normal GINA as
> cmcclima@TTU.EDU
>
> C:\gssklog>klist tickets
>
> Cached Tickets: (5)
>
> Server: krbtgt/TTU.EDU@TTU.EDU
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 9/4/2003 22:45:16
> Renew Time: 9/11/2003 12:45:16
>
> Server: krbtgt/TTU.EDU@TTU.EDU
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 9/4/2003 22:45:16
> Renew Time: 9/11/2003 12:45:16
>
> Server: CERBERUS$@TTU.EDU
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 9/4/2003 22:45:16
> Renew Time: 9/11/2003 12:45:16
>
> Server: ldap/stheno.ttu.edu/ttu.edu@TTU.EDU
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 9/4/2003 22:45:16
> Renew Time: 9/11/2003 12:45:16
>
> Server: STHENO$@TTU.EDU
> KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
> End Time: 9/4/2003 22:45:16
> Renew Time: 9/11/2003 12:45:16
>
> C:\gssklog>gssklog.exe -ms
> SSPI-error init_sec_context failed: major:80090303 minor:0012f200
> The specified target is unknown or unreachable
This is the SSPI saying it can not find the target principal in
its Domain and can not send a referral.
i.e. the client is asking TTU.EDU for gssklog/elm.cs.ttu.edu@TTU.EDU
>
> Problem 2 with server elm.cs.ttu.edu, trying next
> SSPI-error init_sec_context failed: major:80090303 minor:0012f1f0
> The specified target is unknown or unreachable
>
> Problem 2 with server oak.cs.ttu.edu
> Failed code = 2
>
> ## Attempt to use gssklog via MIT (converting MS credentials to MIT
> cache)
> ## I have logged into the computer via normal GINA as cmcclima@TTU.EDU
> ## however this time klist/ kinit / ms2mit etc are all the MIT versions.
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit> klist
> klist: No credentials cache found (ticket cache API:krb5cc)
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>ms2mit
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
> Ticket cache: API:krb5cc
> Default principal: cmcclima@TTU.EDU
>
> Valid starting Expires Service principal
> 09/04/03 12:45:16 09/04/03 22:45:16 krbtgt/TTU.EDU@TTU.EDU
> renew until 09/11/03 12:45:16
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog
> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> Miscellaneous failure
> No error
> Problem 2 with server elm.cs.ttu.edu, trying next
> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> Miscellaneous failure
> No error
> Problem 2 with server oak.cs.ttu.edu
> Failed code = 2
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog -ms
> SSPI-error init_sec_context failed: major:80090303 minor:0012f200
> The specified target is unknown or unreachable
>
> Problem 2 with server elm.cs.ttu.edu, trying next
> SSPI-error init_sec_context failed: major:80090303 minor:0012f1f0
> The specified target is unknown or unreachable
>
> Problem 2 with server oak.cs.ttu.edu
> Failed code = 2
>
> ## Attempt to use gssklog via MIT only, starting with an empty
> credential cache
> ## This is the only method that appears to work (and seems to prove
> that the servers are
> ## configured correctly.) What might I have configured wrong in the
> above attempts?
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
> klist: No credentials cache found (ticket cache API:krb5cc)
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>kinit
> cmcclima@TTU.EDU
> Password for cmcclima@TTU.EDU:
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
> Ticket cache: API:krb5cc
> Default principal: cmcclima@TTU.EDU
>
> Valid starting Expires Service principal
> 09/04/03 12:49:26 09/04/03 22:49:26 krbtgt/TTU.EDU@TTU.EDU
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>gssklog
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>klist
> Ticket cache: API:krb5cc
> Default principal: cmcclima@TTU.EDU
>
> Valid starting Expires Service principal
> 09/04/03 12:49:26 09/04/03 22:49:26 krbtgt/TTU.EDU@TTU.EDU
> 09/04/03 12:49:26 09/04/03 22:49:26 krbtgt/CS.TTU.EDU@TTU.EDU
> 09/04/03 12:49:35 09/04/03 22:49:26 gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>
> C:\Documents and Settings\cmcclima\Desktop\gssklog-mit>tokens
>
> Tokens held by the Cache Manager:
>
> User cmcclima's tokens for afs@cs.ttu.edu [Expires Sep 04 22:49]
> --End of list --
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
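The realm derivation Douglas describes for the MIT client (a [domain_realm] lookup, falling back to the upper-cased DNS domain) can be illustrated with a small added example; this is not code from gssklog or MIT krb5, and the krb5.conf fragment it parses is constructed for the thread's hosts and realms.

```python
"""Added example: how an MIT-style client maps a GSSAPI host-based name such
as "gssklog@elm.cs.ttu.edu" to a service principal in the server's realm."""
import re

# Constructed krb5.conf fragment (assumption, not the poster's real config).
KRB5_CONF = """
[libdefaults]
    default_realm = TTU.EDU

[domain_realm]
    .cs.ttu.edu = CS.TTU.EDU
    elm.cs.ttu.edu = CS.TTU.EDU
"""


def parse_domain_realm(conf_text):
    """Return the [domain_realm] section as a dict of host-or-domain -> realm."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, _, value = line.partition("=")
            mapping[key.strip().lower()] = value.strip()
    return mapping


def realm_for_host(host, mapping):
    """Exact host entry first, then the longest matching parent-domain entry
    (keys starting with '.'), then the upper-cased DNS domain as a last resort,
    which is the behaviour the reply attributes to the MIT client."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return ".".join(labels[1:]).upper()


def service_principal(gss_name, mapping):
    """Turn the GSSAPI form "service@host" into "service/host@REALM"."""
    service, _, host = gss_name.partition("@")
    return f"{service}/{host}@{realm_for_host(host, mapping)}"
```

With an empty mapping the fallback alone yields CS.TTU.EDU for elm.cs.ttu.edu, which is why the working MIT run in the thread ends up with a krbtgt/CS.TTU.EDU@TTU.EDU cross-realm ticket; the SSPI path has no such step and sends gssklog/elm.cs.ttu.edu to TTU.EDU instead.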