[OpenAFS] Re: gssklog-0.10 - better support for SEAM and SSPI with cross realm

Douglas E. Engert deengert@anl.gov
Wed, 10 Sep 2003 13:39:20 -0500


"Douglas E. Engert" wrote:
> 
> Do you have the feature installed on the 5.8 systems?
> http://www.sun.com/software/solaris/encryption
> On Tue, 26 Aug 2003 10:48:53 -0400 Wyllys Ingersoll <wyllys.ingersoll@sun.com>
> recommended that this needs to be done.
> 

I installed the above code, and can now get the gssklog client using 
SEAM to get a token when talking to a gssklogd using the MIT gss. 
But there are some restrictions.  

SEAM does not understand enc_type 16, 3DES. When the user's realm is using
an MIT KDC, the SEAM kinit says: "Program lacks support for encryption type
while getting initial credentials." (I did not try with a single DES key
for the user.)

When the user's realm is a W2K domain, the SEAM kinit says:
"localhost: RPC: Program not registered" (I have no idea what it is trying to do.)
 
If I use the MIT kinit against the W2K KDC I can get a ticket using single
DES. 
 
The SEAM gss can use the above ticket to get a service ticket, but it
must be for single des. This is the case that worked.  

The SEAM libs do not know how to look up the KDC using the DNS SRV records,
so the krb5.conf file must have the realm and kdc= defined.

So there are still some interoperability issues, and the goal of using
straight SEAM on some clients might work if the KDCs are using single
DES, for the user and the server principals. 

Chris, Jerome, if you want to use SEAM, you might want to try making
sure the user and server principals are using single DES keys only.

Maybe some of these restrictions have been removed in Solaris 5.9.

 
> 
> 
> Chris McClimans wrote:
> >
> > oak:~# /usr/sbin/gssklogd -a /etc/openafs/server/KeyFile -k /etc/krb5.keytab -G /etc/openafs/server/principal-pts-mapfile -E TTU.EDU -E CS.TTU.EDU -d
> > E receive_message(): Incorrect buf_size read: [0]
> 
> The client dropped the connection.
> 
> > GSS-error accepting credentials: major_status:01090000
> > minor_status:00000000
> >
> > A token was invalid
> >
> > A required input parameter could not be read
> >
> > No error
> >
> > olive.cs.ttu.edu[129.118.29.56] FAILED for other reasons
> >
> > oak:~# klist -ke
> > Keytab name: FILE:/etc/krb5.keytab
> > KVNO Principal
> > ---- --------------------------------------------------------------------------
> >     5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
> >     5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
> >    10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
> >     2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
> >     2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
> >
> > (asetkey list and klist -ketK match up)
> 
> Good, but it has not gotten that far.
> 
> >
> > # ./gssklog -server oak.cs.ttu.edu
> > methods found: 6a838 0
> > found cell=cs.ttu.edu
> > smethod=0 try-maj-min (0 0 0) (-1 -1 0)
> > N connect_to_server_sockaddr attempting connection to 129.118.18.57.
> > N connect_to_server_sockaddr connected socket
> > N doit: Connected to acceptor
> > N gssklog_gss_init_sec_context(): calling gss_init_sec_context
> > mech_use 6a820
> > N gssklog_gss_init_sec_context(): Returned from init_sec_ctx w/token [0]
> 
> First call to the SEAM gss_init_sec_context failed, and it did not say why.
> 
> > GSS-error init_sec_context failed: major:000d0000 minor:00000000
> > Unspecified GSS failure.  Minor code may provide more information
> > No error
> > Failed code = 2
> >
> > # klist -e
> > Ticket cache: /tmp/krb5cc_0
> > Default principal: mccliman@CS.TTU.EDU
> >
> > Valid starting            Expires                   Service principal
> > Wed Sep 10 08:39:04 2003  Wed Sep 10 18:39:04 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
> >          renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> > Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
> >          renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> > Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
> >          renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
> >
> > On Tuesday, September 9, 2003, at 04:24  PM, Douglas E. Engert wrote:
> >
> > > Please try compiling with the -DDEBUG added to the MYCFLAGS = in the
> > > Makefile.
> > >
> > > You can then run the server with: -d -p <portnumber>
> > > and the client with a -port <portnumber> and maybe a -server
> > > <servername>
> > > and see what happens.
> > >
> > > I had some problems with using SEAM with the server. The MIT works
> > > fine.
> > >
> > > Also do a klist -e to see the enc_types. There may be some mismatch
> > > between the
> > > KDC and the client or server Kerberos implementation.
> > >
> > >
> > >
> > > Chris McClimans wrote:
> > >>
> > >> We are further along, now we at least get the gssklog/fqdn@REALM
> > >> service tickets.
> > >> init_sec_contexts fails, but with a major code of 'Unspecified GSS
> > >> failure'
> > >> The minor code is zero, so I'm not sure if that is going to provide
> > >> any
> > >> more information.
> > >>
> > >> bash-2.03# uname -a
> > >> SunOS olive 5.8 Generic_108528-13 sun4u sparc SUNW,Sun-Blade-100
> > >> bash-2.03# kinit mccliman@CS.TTU.EDU
> > >> Password for mccliman@CS.TTU.EDU:
> > >> bash-2.03# klist
> > >> Ticket cache: /tmp/krb5cc_0
> > >> Default principal: mccliman@CS.TTU.EDU
> > >>
> > >> Valid starting            Expires                   Service principal
> > >> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
> > >>          renew until Tue Sep 16 16:10:03 2003
> > >> bash-2.03# cat /etc/gss/mech
> > >> # Mechanism Name        Object Identifier       Shared Library  Kernel Module
> > >> #
> > >> diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4   dh640-0.so.1
> > >> diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5   dh1024-0.so.1
> > >> kerberos_v5             1.2.840.113554.1.2.2    gl/mech_krb5.so gl_kmech_krb5
> > >> bash-2.03# ./gssklog
> > >> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> > >> Unspecified GSS failure.  Minor code may provide more information
> > >> No error
> > >> Problem 2 with server elm.cs.ttu.edu, trying next
> > >> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> > >> Unspecified GSS failure.  Minor code may provide more information
> > >> No error
> > >> Problem 2 with server oak.cs.ttu.edu
> > >> Failed code = 2
> > >> bash-2.03# klist
> > >> Ticket cache: /tmp/krb5cc_0
> > >> Default principal: mccliman@CS.TTU.EDU
> > >>
> > >> Valid starting            Expires                   Service principal
> > >> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
> > >>          renew until Tue Sep 16 16:10:03 2003
> > >> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
> > >>          renew until Tue Sep 16 16:10:03 2003
> > >> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
> > >>          renew until Tue Sep 16 16:10:03 2003
> > >
> > > --
> > >
> > >  Douglas E. Engert  <DEEngert@anl.gov>
> > >  Argonne National Laboratory
> > >  9700 South Cass Avenue
> > >  Argonne, Illinois  60439
> > >  (630) 252-5444
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > >
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
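The thread's diagnosis rests on the enctype mismatch between the SEAM client, the MIT KDC and the gssklogd keytab, read off `klist -e` and `klist -ke`. The script below is an added example, not gssklog, SEAM or MIT code: it parses both listings, then reports for each service ticket whether the client library can handle the session-key and ticket enctypes, whether the server keytab holds a key of the ticket's enctype, and which enctypes the client and keytab have in common (the set a re-keyed principal would have to be restricted to). The two listings are constructed after the ones Chris posted; the enctype sets `SEAM_ETYPES` (single DES only) and `MIT_2003_ETYPES` are assumptions, the thread confirming only that SEAM rejects etype 16 and that the MIT build handles 1 and 16. The name table covers the later AES and RC4 names as well, so the same check works on listings from a current `klist`; note that single-DES enctypes have since been removed from MIT Kerberos (release 1.18), so the DES-only workaround discussed above no longer applies to current builds.

```python
"""Enctype compatibility check between a Kerberos/GSS client library, its
credential cache and a service keytab, driven by `klist -e` / `klist -ke` text.
Added example; not gssklog, SEAM or MIT code.  Listings and enctype sets
below are constructed/assumed, as noted in the comments."""
import re

# klist display names -> RFC 3961 etype numbers.  The "DES-CBC-CRC" and
# "etype N" forms are what the 2003 MIT klist in the thread printed.
ETYPE_NAMES = {
    "DES cbc mode with CRC-32": 1,
    "DES-CBC-CRC": 1,
    "DES cbc mode with RSA-MD5": 3,
    "DES-CBC-MD5": 3,
    "Triple DES cbc mode with HMAC/sha1": 16,
    "AES-128 CTS mode with 96-bit SHA-1 HMAC": 17,
    "AES-256 CTS mode with 96-bit SHA-1 HMAC": 18,
    "ArcFour with HMAC/md5": 23,
}

SEAM_ETYPES = {1, 3}          # assumed: single DES only, no 3DES (etype 16)
MIT_2003_ETYPES = {1, 3, 16}  # assumed for the MIT build used in the thread

# Constructed after the keytab listing posted for oak.cs.ttu.edu.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
   5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
  10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
   2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
   2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
"""

# Constructed after the `klist -e` output posted for the client (unwrapped).
CCACHE_LISTING = """\
Ticket cache: /tmp/krb5cc_0
Default principal: mccliman@CS.TTU.EDU

Valid starting            Expires                   Service principal
Wed Sep 10 08:39:04 2003  Wed Sep 10 18:39:04 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
        renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
        renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
"""

KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")
TICKET_LINE = re.compile(r"^\S.*\s(\S+@\S+)\s*$")
ETYPE_LINE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def etype_number(name):
    """'DES-CBC-CRC' -> 1, 'etype 16' -> 16.  Unknown names raise rather than
    being skipped, so a new display name cannot silently hide a mismatch."""
    name = name.strip()
    m = re.fullmatch(r"etype (\d+)", name)
    if m:
        return int(m.group(1))
    if name in ETYPE_NAMES:
        return ETYPE_NAMES[name]
    raise ValueError("unknown enctype name: %r" % name)


def parse_keytab(text):
    """`klist -ke` text -> {principal: {etype: kvno}}; header/ruler lines skipped."""
    keys = {}
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            keys.setdefault(m.group(2), {})[etype_number(m.group(3))] = int(m.group(1))
    return keys


def parse_ccache(text):
    """`klist -e` text -> {service principal: (session-key etype, ticket etype)}."""
    tickets, current = {}, None
    for line in text.splitlines():
        m = ETYPE_LINE.search(line)
        if m and current:          # the indented "renew until ... Etype" line
            tickets[current] = (etype_number(m.group(1)), etype_number(m.group(2)))
            continue
        m = TICKET_LINE.match(line)
        if m and not line.startswith(("Ticket cache", "Default principal")):
            current = m.group(1)   # the ticket line ending in the service principal
    return tickets


def check_compat(tickets, keytab, client_etypes):
    """Return [(principal, problem)] for the given client enctype set."""
    findings = []
    for princ, (skey, tkt) in sorted(tickets.items()):
        for label, et in (("session key", skey), ("ticket", tkt)):
            if et not in client_etypes:
                findings.append((princ, "client library cannot handle %s etype %d" % (label, et)))
        if princ.startswith("krbtgt/"):
            continue               # the KDC, not a keytab we hold, decrypts the TGT
        keys = keytab.get(princ)
        if keys is None:
            findings.append((princ, "no key for this principal in the server keytab"))
            continue
        if tkt not in keys:
            findings.append((princ, "server keytab has no key of ticket etype %d (has %s)"
                             % (tkt, sorted(keys))))
        common = sorted(set(keys) & client_etypes)
        if not common:
            findings.append((princ, "no enctype common to client and server keytab"))
        elif tkt not in client_etypes:
            findings.append((princ, "restrict principal to etype(s) %s so the KDC issues "
                                    "a ticket the client accepts" % common))
    return findings


if __name__ == "__main__":
    keytab, tickets = parse_keytab(KEYTAB_LISTING), parse_ccache(CCACHE_LISTING)
    for name, etypes in (("SEAM", SEAM_ETYPES), ("MIT", MIT_2003_ETYPES)):
        print("%s client:" % name)
        for princ, msg in check_compat(tickets, keytab, etypes) or [("-", "no enctype problems")]:
            print("  %s: %s" % (princ, msg))
```

Run it and the SEAM pass flags the etype 16 tickets and points at des-cbc-crc as the only enctype the client and the gssklog/oak keytab share, while the MIT pass is clean, which is the asymmetry the thread observed. On a live host, feed it `klist -ke` from the server and `klist -e` from the client instead of the constructed strings.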