[OpenAFS] Re: rxk error: caller not authorized

J Maynard Gelinas gelinas@lns.mit.edu
Sun, 25 Apr 2004 15:09:08 -0400 (EDT)


   Derrick, Christian: thanks both for your helpful replies.

   OK. So I dumped out the kerberos database on my master server to a text
file and edited it with emacs such that I added a new key named
afs/lns.mit.edu@LNS.MIT.EDU from the old afs@LNS.MIT.EDU. The only tricky
part was noticing that field #2 from 0 expects a number containing the
number of chars in the principal name. Once I figured that part out I was
able to load the db from ascii back in place and start performing tests. I
still have original db files if reverting is necessary.

   Here's what I found:

   1) aklog now authenticates against the new afs/lns.mit.edu@LNS.MIT.EDU 
principal:

[gelinas@swg gelinas]$ aklog -d
Authenticating to cell lns.mit.edu (server afs1.lns.mit.edu.).
We've deduced that we need to authenticate to realm LNS.MIT.EDU.
Getting tickets: afs/lns.mit.edu@LNS.MIT.EDU
About to resolve name gelinas to id in cell lns.mit.edu.
Id 1126
Set username to AFS ID 1126
Setting tokens. AFS ID 1126 /  @ LNS.MIT.EDU 

  so that works. 

  2) My authentication problem against slave KDCs persists. If I set the 
client host to point to a slave kdc instead of the master and then try to 
login, I see in /var/log/secure (Redhat 7.3 client):

Apr 25 14:15:21 swg sshd[11113]: pam_krb5afs: afslog() to cell 
`lns.mit.edu'
Apr 25 14:15:21 swg sshd[11113]: pam_krb5afs: afslog() returned 31
Apr 25 14:15:21 swg sshd[11113]: pam_krb5afs: setting ownership on 
`/tmp/krb5cc_1126_mdpA1p' to 1126/1126

Whereas if I force authentication against the master kerberos server I'll
get:

Apr 25 14:13:05 swg sshd[11047]: pam_krb5afs: afslog() to cell 
`lns.mit.edu'
Apr 25 14:13:05 swg sshd[11047]: pam_krb5afs: afslog() returned 0

   It's not the databases: I've manually propagated them and even scp'd
the dbs over to a slave just as a test. The two machines are pretty close
images of one another; krb4 configs between the two are the same as is the
krb5.conf. Interestingly, the openafs aklog bin generates a usable token
against my slave kdc from a V5 TGT:

[login banner on client]

Could not chdir to home directory /afs/lns.mit.edu/user/gelinas: 
Permission denied
bash: /afs/lns.mit.edu/user/gelinas/.bash_profile: Permission denied
bash-2.05a$ aklog -d
Authenticating to cell lns.mit.edu (server afs1.lns.mit.edu.).
We've deduced that we need to authenticate to realm LNS.MIT.EDU.
Getting tickets: afs/lns.mit.edu@LNS.MIT.EDU
About to resolve name gelinas to id in cell lns.mit.edu.
Id 1126
Set username to AFS ID 1126
Setting tokens. AFS ID 1126 /  @ LNS.MIT.EDU 
bash-2.05a$ klist
Ticket cache: FILE:/tmp/krb5cc_1126_t8HwOL
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/25/04 15:02:28  04/26/04 15:02:28  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/26/04 16:02:28
04/25/04 15:02:34  04/26/04 15:02:28  afs/lns.mit.edu@LNS.MIT.EDU
        renew until 04/26/04 16:02:28


Kerberos 4 ticket cache: /tmp/tkt1126_wjXAlq
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/25/04 15:02:28  04/26/04 12:17:28  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
bash-2.05a$ ls ~
[my homedir contents listed]

If I log out and force the client to authenticate against the master kdc 
here are the tickets I get:

[gelinas@swg gelinas]$ klist
Ticket cache: FILE:/tmp/krb5cc_1126_bxRTPA
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/25/04 14:52:39  04/26/04 14:52:39  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/26/04 15:52:39


Kerberos 4 ticket cache: /tmp/tkt1126_xnl3LU
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/25/04 14:52:39  04/26/04 12:07:39  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
04/25/04 14:52:40  04/26/04 02:37:40  afs.lns.mit.edu@LNS.MIT.EDU
[gelinas@swg gelinas]$ 

  Against the slave kdc:

bash-2.05a$ klist
Ticket cache: FILE:/tmp/krb5cc_1126_xAMDOD
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/25/04 14:54:09  04/26/04 14:54:09  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/26/04 15:54:09


Kerberos 4 ticket cache: /tmp/tkt1126_0END2w
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/25/04 14:54:09  04/26/04 12:09:09  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
bash-2.05a$ 

So, it appears that the client afslog is unable to generate a usable token
from my slave krb524d server(s). Finally, if I request a V5 TGT from a
slave server, change the client krb5.conf to the master kdc, and then use
that to convert to a V4 TGT, I can run afslog on the client just fine.
This further shows that whatever is going on, it's limited to V5 to V4
conversion on my slaves, and the master krb524d still works. 

I have no idea what changed. Any suggestions? And thanks for the replies!

Best,
--Maynard

On Sun, 25 Apr 2004, Derrick J Brashear wrote:

> On Sun, 25 Apr 2004, Christian Ospelkaus wrote:
> 
> > I don't know if MIT gives you that option, but under heimdal, you can do the
> > following: using kadmin's dump -d command, you can dump the whole database
> > into a text file in a human-readable form. You can then delete all lines
> > except the afs principal from the file, change the name of the principal in
> > the one remaining line and import it back into the database using kadmin's
> > merge command. Then you have both the afs and the afs/cell principals with
> > identical keys. You don't need to mess with your fileservers. Experts, is it
> 
> Even if you rename it, your fileservers don't care.
> 
> Having both keys in the KDC is fine.
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
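As an added example (not part of Maynard's message, the thread, or the OpenAFS project), the following Python script automates the comparison the message makes by eye: it parses the combined V5/V4 `klist` output, reports whether an AFS service ticket ended up in the V4 cache (the ticket `pam_krb5afs`'s afslog() path needs), and pulls non-zero `afslog() returned N` lines out of `/var/log/secure`. The sample inputs are the `klist` dumps and log lines quoted above, embedded inline as constructed test data; the status labels (`v4-afs-ticket`, `v5-afs-only`, `no-afs-ticket`) and the cell name argument are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple

# Sample klist output copied from the message above and embedded here as
# constructed test input so the script runs offline.  First cache: ssh login
# with the client pointed at the master KDC (afslog() returned 0).
KLIST_MASTER = """\
Ticket cache: FILE:/tmp/krb5cc_1126_bxRTPA
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/25/04 14:52:39  04/26/04 14:52:39  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/26/04 15:52:39


Kerberos 4 ticket cache: /tmp/tkt1126_xnl3LU
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/25/04 14:52:39  04/26/04 12:07:39  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
04/25/04 14:52:40  04/26/04 02:37:40  afs.lns.mit.edu@LNS.MIT.EDU
"""

# Same login with the client pointed at a slave KDC (afslog() returned 31).
KLIST_SLAVE = """\
Ticket cache: FILE:/tmp/krb5cc_1126_xAMDOD
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/25/04 14:54:09  04/26/04 14:54:09  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/26/04 15:54:09


Kerberos 4 ticket cache: /tmp/tkt1126_0END2w
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/25/04 14:54:09  04/26/04 12:09:09  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
"""

# One klist ticket line: issued, expires, principal.  The same shape is used
# by both the V5 table and the V4 table; "renew until" lines do not match.
TICKET_RE = re.compile(
    r"^\s*(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$"
)


def parse_klist(text: str) -> Dict[str, List[str]]:
    """Split combined V5/V4 klist output into the principals found in each cache."""
    caches: Dict[str, List[str]] = {"v5": [], "v4": []}
    current = "v5"  # klist prints the V5 cache first, then the V4 cache
    for line in text.splitlines():
        if line.startswith("Kerberos 4 ticket cache:"):
            current = "v4"
            continue
        m = TICKET_RE.match(line)
        if m:
            caches[current].append(m.group(3))
    return caches


def afs_ticket_status(text: str, cell: str) -> str:
    """Classify a cache the way the message does by eye: which AFS ticket is present?

    Labels are this example's own assumption, not anything klist or aklog emits.
    """
    caches = parse_klist(text)
    v4_afs = any(p.startswith(f"afs.{cell}@") or p.startswith("afs@") for p in caches["v4"])
    v5_afs = any(p.startswith(f"afs/{cell}@") or p.startswith("afs@") for p in caches["v5"])
    if v4_afs:
        return "v4-afs-ticket"  # V5->V4 conversion produced the V4 ticket afslog uses
    if v5_afs:
        return "v5-afs-only"    # aklog's V5 path worked, but no V4 AFS ticket exists
    return "no-afs-ticket"


# pam_krb5afs line from /var/log/secure, as quoted in the message.
AFSLOG_RE = re.compile(r"sshd\[(\d+)\]: pam_krb5afs: afslog\(\) returned (\d+)")


def afslog_failures(log_lines: List[str]) -> List[Tuple[int, int]]:
    """Return (sshd pid, return code) for every afslog() call that did not return 0."""
    failures: List[Tuple[int, int]] = []
    for line in log_lines:
        m = AFSLOG_RE.search(line)
        if m and int(m.group(2)) != 0:
            failures.append((int(m.group(1)), int(m.group(2))))
    return failures


if __name__ == "__main__":
    for name, cache in (("master kdc", KLIST_MASTER), ("slave kdc", KLIST_SLAVE)):
        print(f"{name}: {afs_ticket_status(cache, 'lns.mit.edu')}")
    sample_log = [
        "Apr 25 14:15:21 swg sshd[11113]: pam_krb5afs: afslog() returned 31",
        "Apr 25 14:13:05 swg sshd[11047]: pam_krb5afs: afslog() returned 0",
    ]
    print("afslog failures:", afslog_failures(sample_log))
```

Run it as-is to see the master cache classified as `v4-afs-ticket` and the slave cache as `no-afs-ticket`; feed it live `klist` output (`klist | python3 -c ...` or a file) and the relevant `/var/log/secure` lines to check a client the same way. A `v5-afs-only` result is what the aklog run in the message shows: the V5 service ticket is there and a token was set, but the V4 cache never received an AFS ticket.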