[OpenAFS] Re: gssklog-0.10 - better support for SEAM and SSPI with cross realm

Douglas E. Engert deengert@anl.gov
Wed, 10 Sep 2003 09:55:03 -0500


Do you have the feature installed on the 5.8 systems?
http://www.sun.com/software/solaris/encryption
On Tue, 26 Aug 2003 10:48:53 -0400 Wyllys Ingersoll <wyllys.ingersoll@sun.com>
recommended that this needs to be done.
  

The test I did get to partially work was using the MIT KDC for the user,
the gssklog client using SEAM, and the gssklogd server using MIT GSS.
It got past the authentication, and failed on encryption for wrap.

As I said earlier, I don't have a good test system for SEAM,
I don't have this package installed yet. I will see what I can do later
today.
 


Chris McClimans wrote:
> 
> oak:~# /usr/sbin/gssklogd -a /etc/openafs/server/KeyFile -k
> /etc/krb5.keytab -G /etc/openafs/server/principal-pts-mapfile -E
> TTU.EDU -E CS.TTU.EDU -d
> E receive_message(): Incorrect buf_size read: [0]

The client dropped the connection.

> GSS-error accepting credentials: major_status:01090000
> minor_status:00000000
> 
> A token was invalid
> 
> A required input parameter could not be read
> 
> No error
> 
> olive.cs.ttu.edu[129.118.29.56] FAILED for other reasons
> 
> oak:~# klist -ke
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>     5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
>     5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
>    10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
>     2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
>     2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
> 
> (asetkey list and klist -ketK match up)

Good, but it has not gotten that far.
 
> 
> # ./gssklog -server oak.cs.ttu.edu
> methods found: 6a838 0
> found cell=cs.ttu.edu
> smethod=0 try-maj-min (0 0 0) (-1 -1 0)
> N connect_to_server_sockaddr attempting connection to 129.118.18.57.
> N connect_to_server_sockaddr connected socket
> N doit: Connected to acceptor
> N gssklog_gss_init_sec_context(): calling gss_init_sec_context mech_use 6a820
> N gssklog_gss_init_sec_context(): Returned from init_sec_ctx w/token [0]

First call to the SEAM gss_init_sec_context failed, and it did not say why. 

> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> Unspecified GSS failure.  Minor code may provide more information
> No error
> Failed code = 2
> 
> # klist -e
> Ticket cache: /tmp/krb5cc_0
> Default principal: mccliman@CS.TTU.EDU
> 
> Valid starting            Expires                   Service principal
> Wed Sep 10 08:39:04 2003  Wed Sep 10 18:39:04 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
>         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
>         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> 
> On Tuesday, September 9, 2003, at 04:24  PM, Douglas E. Engert wrote:
> 
> > Please try compiling with the -DDEBUG added to the MYCFLAGS = in the
> > Makefile.
> >
> > You can then run the server with: -d -p <portnumber>
> > and the client with a -port <portnumber> and maybe a -server
> > <servername>
> > and see what happens.
> >
> > I had some problems with using SEAM with the server. The MIT works
> > fine.
> >
> > Also do a klist -e to see the enc_types. There may be some mismatch
> > between the KDC and the client or server Kerberos implementation.
> >
> >
> >
> > Chris McClimans wrote:
> >>
> >> We are further along, now we at least get the gssklog/fqdn@REALM
> >> service tickets.
> >> init_sec_context fails, but with a major code of 'Unspecified GSS
> >> failure'.
> >> The minor code is zero, so I'm not sure if that is going to provide
> >> any more information.
> >>
> >> bash-2.03# uname -a
> >> SunOS olive 5.8 Generic_108528-13 sun4u sparc SUNW,Sun-Blade-100
> >> bash-2.03# kinit mccliman@CS.TTU.EDU
> >> Password for mccliman@CS.TTU.EDU:
> >> bash-2.03# klist
> >> Ticket cache: /tmp/krb5cc_0
> >> Default principal: mccliman@CS.TTU.EDU
> >>
> >> Valid starting            Expires                   Service principal
> >> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
> >>         renew until Tue Sep 16 16:10:03 2003
> >> bash-2.03# cat /etc/gss/mech
> >> # Mechanism Name        Object Identifier       Shared Library  Kernel Module
> >> #
> >> diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4   dh640-0.so.1
> >> diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5   dh1024-0.so.1
> >> kerberos_v5             1.2.840.113554.1.2.2    gl/mech_krb5.so gl_kmech_krb5
> >> bash-2.03# ./gssklog
> >> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> >> Unspecified GSS failure.  Minor code may provide more information
> >> No error
> >> Problem 2 with server elm.cs.ttu.edu, trying next
> >> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> >> Unspecified GSS failure.  Minor code may provide more information
> >> No error
> >> Problem 2 with server oak.cs.ttu.edu
> >> Failed code = 2
> >> bash-2.03# klist
> >> Ticket cache: /tmp/krb5cc_0
> >> Default principal: mccliman@CS.TTU.EDU
> >>
> >> Valid starting            Expires                   Service principal
> >> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
> >>         renew until Tue Sep 16 16:10:03 2003
> >> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
> >>         renew until Tue Sep 16 16:10:03 2003
> >> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
> >>         renew until Tue Sep 16 16:10:03 2003
> >

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
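The advice in the thread is to compare the enctypes in `klist -e` (what the KDC issued for the gssklog service ticket) against the keys in `klist -ke` on the acceptor, since a mismatch there surfaces in GSS only as "Unspecified GSS failure" with a zero minor code. The script below is an added example, not code from the thread or from gssklog, that automates that comparison: it parses both listings, maps the enctype names MIT klist prints to their RFC 3961/3962/4757 numbers, and reports for each service principal whether the acceptor holds a key of the ticket's enctype. The two listings are constructed sample input modelled on the ones posted above, re-wrapped to the one-entry-per-line layout klist actually prints; the function names and the `ok` / `no-key` / `no-ticket` / `etype-mismatch` statuses are this example's own.

```python
import re

# Enctype numbers assigned in RFC 3961 (DES, 3DES), RFC 3962 (AES) and RFC 4757
# (RC4), keyed by the names MIT klist prints: the long form appears in
# "klist -ke" output, the short form in "klist -e". Lookups are case-insensitive.
ETYPE_NUMBERS = {
    "des cbc mode with crc-32": 1,
    "des cbc mode with rsa-md5": 3,
    "triple des cbc mode with hmac/sha1": 16,
    "aes-128 cts mode with 96-bit sha-1 hmac": 17,
    "aes-256 cts mode with 96-bit sha-1 hmac": 18,
    "arcfour with hmac/md5": 23,
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "des3-cbc-sha1": 16,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,
}


def etype_number(name):
    """Map a klist enctype string, or the bare form 'etype N', to its number."""
    key = name.strip().lower()
    if key in ETYPE_NUMBERS:
        return ETYPE_NUMBERS[key]
    m = re.fullmatch(r"etype (\d+)", key)
    if m:
        return int(m.group(1))
    raise ValueError("unknown enctype name: %r" % name)


KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((.+)\)\s*$")
PRINCIPAL = re.compile(r"(\S+@[A-Za-z0-9.\-]+)")
TICKET_ETYPES = re.compile(r"Etype \(skey, tkt\):\s*([^,]+),\s*(.+?)\s*$")


def parse_keytab(text):
    """Parse 'klist -ke' output into {principal: [(kvno, etype), ...]}."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:
            kvno, princ, enc = m.groups()
            keys.setdefault(princ, []).append((int(kvno), etype_number(enc)))
    return keys


def parse_ccache(text):
    """Parse 'klist -e' output into {service principal: (skey_etype, tkt_etype)}.

    The service principal is remembered from the most recent line naming one,
    so it is found whether klist printed it on the date line or wrapped it
    onto a line of its own. The 'Default principal' line is skipped.
    """
    tickets = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Default principal"):
            continue
        m = TICKET_ETYPES.search(line)
        if m and current:
            tickets[current] = (etype_number(m.group(1)), etype_number(m.group(2)))
            continue
        m = PRINCIPAL.search(line)
        if m:
            current = m.group(1)
    return tickets


def check_service(keytab, ccache, service):
    """Compare the enctype of the ticket the KDC issued for `service` with the
    keys the acceptor holds for that name. Returns a small report dict."""
    keys = keytab.get(service, [])
    have = sorted({e for _, e in keys})
    report = {"service": service, "keytab_etypes": have,
              "kvnos": sorted({k for k, _ in keys})}
    if service not in ccache:
        report["status"] = "no-ticket"          # nothing in the cache to check
        return report
    skey, tkt = ccache[service]
    report["session_etype"] = skey
    report["ticket_etype"] = tkt
    if not have:
        report["status"] = "no-key"             # acceptor has no key for this name
    elif tkt in have:
        report["status"] = "ok"                 # acceptor holds the ticket's enctype
    else:
        report["status"] = "etype-mismatch"     # KDC used an enctype the keytab lacks
    return report


# Constructed sample listings (modelled on the thread's, one entry per line).
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
   5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
  10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
   2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
   2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
"""

CCACHE_LISTING = """\
Ticket cache: /tmp/krb5cc_0
Default principal: mccliman@CS.TTU.EDU

Valid starting            Expires                   Service principal
Wed Sep 10 08:39:04 2003  Wed Sep 10 18:39:04 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
        renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
        renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
        renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
"""

if __name__ == "__main__":
    kt = parse_keytab(KEYTAB_LISTING)
    cc = parse_ccache(CCACHE_LISTING)
    for svc in sorted(set(kt) | set(cc)):
        print(check_service(kt, cc, svc))
```

Run it on the real listings by feeding the output of `klist -ke` from the acceptor and `klist -e` from the client into `parse_keytab` and `parse_ccache`. An `ok` result only means the acceptor holds a key of the right enctype; `klist -e` does not print the ticket's kvno, so a key that was re-generated (different kvno, same enctype) is not caught by this check and still has to be confirmed with `asetkey list` and `klist -ketK` as the thread does. Conversely, `etype-mismatch` or `no-key` is a cause the GSS layer reports as nothing more than a major status of 0x000d0000 with a zero minor code.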