[OpenAFS] Re: gssklog-0.10 - better support for SEAM and SSPI with cross realm
Wyllys Ingersoll
wyllys.ingersoll@sun.com
Wed, 10 Sep 2003 14:56:23 -0400
Douglas E. Engert wrote:
>
> "Douglas E. Engert" wrote:
>
>>Do you have the feature installed on the 5.8 systems?
>>http://www.sun.com/software/solaris/encryption
>>On Tue, 26 Aug 2003 10:48:53 -0400 Wyllys Ingersoll <wyllys.ingersoll@sun.com>
>>recommended that this needs to be done.
>>
>
>
> I installed the above code, and can now get the gssklog client using
> SEAM to get a token when talking to a gssklogd using the MIT gss.
> But there are some restrictions.
>
> SEAM does not understand enc_type 16, 3DES. When the user's realm is using
> an MIT KDC, the SEAM kinit says: "Program lacks support for encryption type
> while getting initial credentials." (I did not try with a single DES key
> for the user.)
*sigh*, sadly, 3DES is not available for Solaris 8 or 9. It will probably
be in the next release, though.
>
> When the User's realm is a W2K domain, the SEAM kinit says:
> "localhost: RPC: Program not registered" (I have no idea what it is trying to do.)
It's trying to talk to the ktkt_warnd service. Add this to your /etc/inetd.conf:
100134/1 tli rpc/ticotsord wait root /usr/lib/krb5/ktkt_warnd ktkt_warnd
$ pkill -HUP inetd
>
> If I use the MIT kinit against the W2K KDC I can get a ticket using single
> DES.
I don't think W2K AD supports 3DES, they use DES or RC4.
>
> The SEAM gss can use the above ticket to get a service ticket, but it
> must be for single des. This is the case that worked.
>
> SEAM libs do not know how to look up the KDC using the DNS SRV records,
> so the krb5.conf file must have the realm and kdc= defined.
We do have support for DNS lookups, I'm not sure if it's in S9 or not.
Ask your Sun support person to file a request to get DNS support
issued in a patch if it's not in S9.
>
> So there are still some interoperability issues, and the goal of using
> straight SEAM on some clients might work if the KDCs are using single
> DES, for the user and the server principals.
Some of these restrictions are from the W2K side. See the enctypes
issue above.
>
> Chris, Jerome, if you want to use SEAM, you might want to try making
> sure the user and server principals are using single DES keys only.
>
> Maybe some of these restrictions have been removed in Solaris 5.9.
>
-Wyllys
>
>
>>
>>Chris McClimans wrote:
>>
>>>oak:~# /usr/sbin/gssklogd -a /etc/openafs/server/KeyFile -k
>>>/etc/krb5.keytab -G /etc/openafs/server/principal-pts-mapfile -E
>>>TTU.EDU -E CS.TTU.EDU -d
>>>E receive_message(): Incorrect buf_size read: [0]
>>
>>The client dropped the connection.
>>
>>
>>>GSS-error accepting credentials: major_status:01090000
>>>minor_status:00000000
>>>
>>>A token was invalid
>>>
>>>A required input parameter could not be read
>>>
>>>No error
>>>
>>>olive.cs.ttu.edu[129.118.29.56] FAILED for other reasons
>>>
>>>oak:~# klist -ke
>>>Keytab name: FILE:/etc/krb5.keytab
>>>KVNO Principal
>>>---- --------------------------------------------------------------------------
>>> 5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
>>> 5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
>>> 10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
>>> 2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
>>> 2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
>>>
>>>(asetkey list and klist -ketK match up)
>>
>>Good, but it has not gotten that far.
>>
>>
>>># ./gssklog -server oak.cs.ttu.edu
>>>methods found: 6a838 0
>>>found cell=cs.ttu.edu
>>>smethod=0 try-maj-min (0 0 0) (-1 -1 0)
>>>N connect_to_server_sockaddr attempting connection to 129.118.18.57.
>>>N connect_to_server_sockaddr connected socket
>>>N doit: Connected to acceptor
>>>N gssklog_gss_init_sec_context(): calling gss_init_sec_context
>>>mech_use 6a820
>>>N gssklog_gss_init_sec_context(): Returned from init_sec_ctx w/token [0]
>>
>>First call to the SEAM gss_init_sec_context failed, and it did not say why.
>>
>>
>>>GSS-error init_sec_context failed: major:000d0000 minor:00000000
>>>Unspecified GSS failure. Minor code may provide more information
>>>No error
>>>Failed code = 2
>>>
>>># klist -e
>>>Ticket cache: /tmp/krb5cc_0
>>>Default principal: mccliman@CS.TTU.EDU
>>>
>>>Valid starting Expires
>>>Service principal
>>>Wed Sep 10 08:39:04 2003 Wed Sep 10 18:39:04 2003
>>>krbtgt/CS.TTU.EDU@CS.TTU.EDU
>>> renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt):
>>>DES-CBC-CRC, etype 16
>>>Wed Sep 10 08:40:11 2003 Wed Sep 10 18:39:04 2003
>>>gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>>> renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt):
>>>DES-CBC-CRC, etype 16
>>>Wed Sep 10 08:40:11 2003 Wed Sep 10 18:39:04 2003
>>>gssklog/oak.cs.ttu.edu@CS.TTU.EDU
>>> renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt):
>>>DES-CBC-CRC, etype 16
>>>
>>>On Tuesday, September 9, 2003, at 04:24 PM, Douglas E. Engert wrote:
>>>
>>>
>>>>Please try compiling with the -DDEBUG added to the MYCFLAGS = in the
>>>>Makefile.
>>>>
>>>>You can then run the server with: -d -p <portnumber>
>>>>and the client with a -port <portnumber> and maybe a -server
>>>><servername>
>>>>and see what happens.
>>>>
>>>>I had some problems with using SEAM with the server. The MIT works
>>>>fine.
>>>>
>>>>Also do a klist -e to see the enc_types. There may be some mismatch
>>>>between the KDC and the client or server Kerberos implementation.
>>>>
>>>>
>>>>
>>>>Chris McClimans wrote:
>>>>
>>>>>We are further along, now we at least get the gssklog/fqdn@REALM
>>>>>service tickets.
>>>>>init_sec_contexts fails, but with a major code of 'Unspecified GSS
>>>>>failure'
>>>>>The minor code is zero, so I'm not sure if that is going to provide
>>>>>any
>>>>>more information.
>>>>>
>>>>>bash-2.03# uname -a
>>>>>SunOS olive 5.8 Generic_108528-13 sun4u sparc SUNW,Sun-Blade-100
>>>>>bash-2.03# kinit mccliman@CS.TTU.EDU
>>>>>Password for mccliman@CS.TTU.EDU:
>>>>>bash-2.03# klist
>>>>>Ticket cache: /tmp/krb5cc_0
>>>>>Default principal: mccliman@CS.TTU.EDU
>>>>>
>>>>>Valid starting Expires
>>>>>Service principal
>>>>>Tue Sep 09 16:10:03 2003 Wed Sep 10 02:10:03 2003
>>>>>krbtgt/CS.TTU.EDU@CS.TTU.EDU
>>>>> renew until Tue Sep 16 16:10:03 2003
>>>>>bash-2.03# cat /etc/gss/mech
>>>>># Mechanism Name        Object Identifier        Shared Library   Kernel Module
>>>>>#
>>>>>diffie_hellman_640_0   1.3.6.4.1.42.2.26.2.4    dh640-0.so.1
>>>>>diffie_hellman_1024_0  1.3.6.4.1.42.2.26.2.5    dh1024-0.so.1
>>>>>kerberos_v5            1.2.840.113554.1.2.2     gl/mech_krb5.so  gl_kmech_krb5
>>>>>bash-2.03# ./gssklog
>>>>>GSS-error init_sec_context failed: major:000d0000 minor:00000000
>>>>>Unspecified GSS failure. Minor code may provide more information
>>>>>No error
>>>>>Problem 2 with server elm.cs.ttu.edu, trying next
>>>>>GSS-error init_sec_context failed: major:000d0000 minor:00000000
>>>>>Unspecified GSS failure. Minor code may provide more information
>>>>>No error
>>>>>Problem 2 with server oak.cs.ttu.edu
>>>>>Failed code = 2
>>>>>bash-2.03# klist
>>>>>Ticket cache: /tmp/krb5cc_0
>>>>>Default principal: mccliman@CS.TTU.EDU
>>>>>
>>>>>Valid starting Expires
>>>>>Service principal
>>>>>Tue Sep 09 16:10:03 2003 Wed Sep 10 02:10:03 2003
>>>>>krbtgt/CS.TTU.EDU@CS.TTU.EDU
>>>>> renew until Tue Sep 16 16:10:03 2003
>>>>>Tue Sep 09 16:10:14 2003 Wed Sep 10 02:10:03 2003
>>>>>gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>>>>> renew until Tue Sep 16 16:10:03 2003
>>>>>Tue Sep 09 16:10:14 2003 Wed Sep 10 02:10:03 2003
>>>>>gssklog/oak.cs.ttu.edu@CS.TTU.EDU
>>>>> renew until Tue Sep 16 16:10:03 2003
>>>>
>>>>--
>>>>
>>>> Douglas E. Engert <DEEngert@anl.gov>
>>>> Argonne National Laboratory
>>>> 9700 South Cass Avenue
>>>> Argonne, Illinois 60439
>>>> (630) 252-5444
>>>>_______________________________________________
>>>>OpenAFS-info mailing list
>>>>OpenAFS-info@openafs.org
>>>>https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>
>>
>
>
--
Wyllys Ingersoll
Sun Microsystems, Inc
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xAF353913
Fingerprint: 92CD E875 59A0 798E ED9A D75B 303A 57F0 AF35 3913
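Added example, not part of the thread and not gssklog, SEAM or MIT code: a small Python script that does the two checks this exchange keeps coming back to. It unpacks a GSS-API major status word the way RFC 2744 lays it out (calling error in the top byte, routine error in the next byte, supplementary bits in the low 16), so 000d0000 reads as GSS_S_FAILURE and 01090000 as GSS_S_CALL_INACCESSIBLE_READ plus GSS_S_DEFECTIVE_TOKEN, which is exactly what the two gss_display_status messages above say. It then parses klist -e output, maps the printed enctype names and bare "etype N" to their RFC 3961 numbers, and flags any session-key or ticket enctype outside the set the client library is assumed to support. The DES-only set used for SEAM on Solaris 8/9 is taken from what Wyllys states above and is an assumption to be adjusted for your own client; the sample klist text is constructed to mirror the one Chris posted, including the line wrapping the mail archive introduced.

```python
"""Decode GSS-API major status words and check klist -e enctypes against
what a client Kerberos library can handle.  Added example; not gssklog code."""
import re

# GSS-API major status layout (RFC 2744, 3.9.1): calling error in bits 31-24,
# routine error in bits 23-16, supplementary information in bits 15-0.
CALLING_ERRORS = {
    1: "GSS_S_CALL_INACCESSIBLE_READ",   # "A required input parameter could not be read"
    2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
ROUTINE_ERRORS = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
SUPPLEMENTARY = {
    1: "GSS_S_CONTINUE_NEEDED", 2: "GSS_S_DUPLICATE_TOKEN",
    4: "GSS_S_OLD_TOKEN", 8: "GSS_S_UNSEQ_TOKEN", 16: "GSS_S_GAP_TOKEN",
}


def decode_gss_major(major):
    """Split a major status into (calling error, routine error, [supplementary])."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF
    return (
        CALLING_ERRORS.get(calling, None if calling == 0 else "unknown(%d)" % calling),
        ROUTINE_ERRORS.get(routine, None if routine == 0 else "unknown(%d)" % routine),
        [name for bit, name in SUPPLEMENTARY.items() if supp & bit],
    )


# Enctype numbers from RFC 3961/4120, keyed by the strings klist -e prints:
# the long forms are MIT klist display names, the short forms config names.
ENCTYPE_BY_NAME = {
    "des-cbc-crc": 1, "des cbc mode with crc-32": 1,
    "des-cbc-md4": 2, "des cbc mode with rsa-md4": 2,
    "des-cbc-md5": 3, "des cbc mode with rsa-md5": 3,
    "des3-cbc-sha1": 16, "des3-hmac-sha1": 16,
    "triple des cbc mode with hmac/sha1": 16,
    "aes128-cts-hmac-sha1-96": 17, "aes256-cts-hmac-sha1-96": 18,
    "rc4-hmac": 23, "arcfour-hmac": 23, "arcfour with hmac/md5": 23,
}


def enctype_number(text):
    """Map an enctype as printed by klist -e (a name or 'etype N') to its number."""
    text = text.strip().lower()
    m = re.fullmatch(r"etype (\d+)", text)
    return int(m.group(1)) if m else ENCTYPE_BY_NAME.get(text)


# One ticket entry: principal, then "renew until <date>, Etype (skey, tkt): A, B".
# The tkt name runs until the next entry's date (day-name or mm/dd/yy) or the end.
TICKET_RE = re.compile(
    r"(?P<princ>\S+@\S+) renew until .*?, Etype \(skey, tkt\): "
    r"(?P<skey>[^,]+), (?P<tkt>.+?)"
    r"(?= (?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) \w{3} \d| \d{2}/\d{2}/\d{2}|$)"
)


def parse_klist(text):
    """Return [(service principal, skey enctype, tkt enctype)] from klist -e output.
    Whitespace is collapsed first so mail-wrapped output parses like the real thing."""
    flat = " ".join(text.split())
    return [(m.group("princ"), enctype_number(m.group("skey")),
             enctype_number(m.group("tkt"))) for m in TICKET_RE.finditer(flat)]


# Assumption taken from the thread: SEAM on Solaris 8/9 has single DES only.
SEAM_S8_S9 = {1, 2, 3}


def check_tickets(text, supported=SEAM_S8_S9):
    """List (principal, field, enctype) for every enctype the client cannot handle."""
    problems = []
    for princ, skey, tkt in parse_klist(text):
        for field, et in (("skey", skey), ("tkt", tkt)):
            if et not in supported:
                problems.append((princ, field, et))
    return problems


# Constructed sample modelled on the klist -e output posted in the thread.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_0
Default principal: mccliman@CS.TTU.EDU

Valid starting Expires
Service principal
Wed Sep 10 08:39:04 2003 Wed Sep 10 18:39:04 2003
krbtgt/CS.TTU.EDU@CS.TTU.EDU
 renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt):
DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003 Wed Sep 10 18:39:04 2003
gssklog/oak.cs.ttu.edu@CS.TTU.EDU
 renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt):
DES-CBC-CRC, etype 16
"""

if __name__ == "__main__":
    for major in (0x000D0000, 0x01090000):
        print("%08x -> %r" % (major, decode_gss_major(major)))
    for princ, field, et in check_tickets(SAMPLE_KLIST):
        print("%s: %s enctype %s not supported by this client" % (princ, field, et))
```

Run against the sample, both tickets come back with the ticket part in etype 16 (des3-cbc-sha1) while the session key is DES, which is the mismatch the thread describes; pass supported={1, 16} to model an MIT client with 3DES and nothing is flagged. Feed it real klist -e output (unwrapped, with mm/dd/yy dates) and the same regex applies.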