[OpenAFS] 1.3.70 and aklog

Jeffrey Altman jaltman@columbia.edu
Tue, 17 Aug 2004 01:10:34 -0400


response in-line...

Christopher D. Clausen wrote:

> I am using it.  I submitted a bug report and it has been fixed...
> 
> ...perhaps someone can explain how the aklog with kerberos 5 support (no 
> need for krb425d) works?  I read through the previous posts on 1.3.66, 
> but I don't really understand what is going on.  I believe this should work 
> as I expect and I should be able to use my AD domain tickets to get 
> tokens in my home cell.

The Kerberos 5 ticket is used as the AFS token.  It is not converted to
a Kerberos 4 ticket first.  (krb524d is not used.)  This means that the
server MUST support the 2b token format (Kerberos 5 tickets as tokens.)

> I am running OpenAFS 1.3.70 debug build and KfW 2.6.4.  (Does the 1.3.71 
> build fix this?)

The list of fixes to 1.3.71 is available at

	http://web.mit.edu/~jaltman/Public/OpenAFS/
	/afs/athena.mit.edu/user/j/a/jaltman/Public/OpenAFS/

and were posted to openafs-win32-devel@openafs.org

> AD.UIUC.EDU is a Windows Active Directory
> ACM.UIUC.EDU is an MIT Kerberos realm that trusts AD.UIUC.EDU
> acm.uiuc.edu is the AFS cell where I want to obtain tokens.
> 
> I am logging on to my machine using my Active Directory password in the 
> AD.UIUC.EDU domain.  I then run ms2mit to populate the MIT credential 
> cache with my AD tickets.  I then attempt to obtain AFS tokens.  I get a 
> token, but it's for cclausen@ad.uiuc.edu and I do not have permissions 
> within the acm.uiuc.edu cell.

What version are your servers?

If they are not built from 1.3.65 or later, or you have not ported the
patches for MD5 support to the 1.2.11 build, then you cannot use AFS 
service tickets issued by Active Directory 2003.

(If the rxdebug output is correct you are running 1.2.11.  I can't tell
if they are patched for MD5 support or not.)

> steps:
> 
> C:\>kdestroy
> C:\>ms2mit
> C:\>klist
> Ticket cache: API:krb5cc.cclausen
> Default principal: cclausen@AD.UIUC.EDU
> Valid starting     Expires            Service principal
> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/23/04 23:03:10
> 08/16/04 23:03:10  08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>        renew until 08/23/04 23:03:10
> Kerberos 4 ticket cache: API:krb4cc
> klist: No ticket file (tf_util)
> 
> C:\>which -a aklog
> C:\Progra~1\MIT\Kerberos\bin\aklog.exe
> C:\Progra~1\OpenAFS\Client\Program\aklog.exe
> C:\Program Files\OpenAFS\Client\Program\aklog.exe
> 
> C:\>filever "C:\Program Files\OpenAFS\Client\Program\aklog.exe"
> --a-- W32i   APP   -      1.3.7000.0 shp     40,448 08-09-2004 aklog.exe

You might want to fix your path to remove the duplicate entry
for OpenAFS.

I will remove aklog.exe from the next release of KFW.

> C:\> "C:\Program Files\OpenAFS\Client\Program\aklog.exe" -5 -d
> Authenticating to cell acm.uiuc.edu.
> Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
> About to resolve name cclausen@AD.UIUC.EDU to id
> Id 32766
> doing first-time registration of cclausen@ad.uiuc.edu at acm.uiuc.edu
> libprot: funny kvno (256) in ticket, proceeding
> aklog.exe: unable to create remote PTS user cclausen@ad.uiuc.edu in cell 
> acm.uiuc.edu (status: 19270403).
> Set username to cclausen@ad.uiuc.edu
> Getting tokens.

Names are local identifiers in tokens.  They have no impact on how
the server treats the tickets.  You are using Kerberos 5 cross realm
to obtain a ticket for afs/acm.uiuc.edu@ACM.UIUC.EDU.  The Kerberos
5 ticket is going to have the principal name cclausen@AD.UIUC.EDU
in it.  This should be translated to cclausen@ad.uiuc.edu by the
AFS server.  Does "cclausen@ad.uiuc.edu" appear in your ACL list
for the acm.uiuc.edu cell?  If not, that is where your problem lies.

> C:\>klist
> Ticket cache: API:krb5cc.cclausen
> Default principal: cclausen@AD.UIUC.EDU
> 
> Valid starting     Expires            Service principal
> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/23/04 23:03:10
> 08/16/04 23:03:10  08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>        renew until 08/23/04 23:03:10
> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/23/04 23:03:10
> 08/16/04 23:05:32  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
>        renew until 08/23/04 23:03:10
> 
> Kerberos 4 ticket cache: API:krb4cc
> klist: No ticket file (tf_util)

What does "klist -e" report for the enctype of 
"afs/acm.uiuc.edu@ACM.UIUC.EDU"?  You want it to read:

  Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

If your MIT KDC is issuing DES-CBC-MD5 tickets for the AFS service,
that is where your problem lies, since you are using the 1.2.11 build.

> C:\>tokens
> Tokens held by the Cache Manager:
> User cclausen@ad.uiuc.edu's tokens for afs@acm.uiuc.edu [Expires Aug 17 
> 09:03]
>   --End of list --

This looks correct.

> C:\>h:
> H:\>ls -l
> (this hangs for a few minutes b/c I don't actually have permission in 
> the cell.)
> 
> Am I doing something wrong?  Have something misconfigured?

See above.

> Also, I'm pretty sure I should be able to specify the command line 
> options to aklog in any order.  (The first one just prints a help 
> message, so I assume it does not work.)  Is there a reason to require 
> parameters in a particular order?

There is no reason that I am aware of.  If there is an order requirement
it was simply because someone coded it that way.  The sources are at
src/WINNT/aklog/.  Patches are appreciated.

> <<CDC
> Christopher D. Clausen
> ACM@UIUC SysAdmin
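The two things Jeffrey asks Christopher to check (the enctype on the afs/ service ticket, and the AFS name the server derives from a foreign-realm principal) can be scripted. The following is an added example, not code from this thread, from OpenAFS or from KfW. The klist -e listing is constructed from the output quoted above, with an invented DES-CBC-MD5 ticket enctype on the afs/ entry to show the failing case; the local-realm branch of afs_username (bare user name, instance joined with ".") is an assumption about aklog's mapping, not something the message states.

```python
import re

# Constructed sample of MIT "klist -e" output, modelled on the listing in the
# thread. The RSA-MD5 ticket enctype on the afs/ entry is made up to show what
# a pre-MD5 (1.2.11) fileserver cannot decrypt.
SAMPLE_KLIST_E = """\
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
        Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
08/16/04 23:05:32  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

DES_CRC = "DES cbc mode with CRC-32"

# A ticket line: two "MM/DD/YY HH:MM:SS" stamps followed by the service principal.
TICKET_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")
# The enctype line klist -e prints under each ticket: session key, then ticket.
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_klist_e(text):
    """Return {service_principal: (session_etype, ticket_etype)}."""
    entries = {}
    current = None
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            current = m.group(1)
            entries.setdefault(current, (None, None))
            continue
        m = ETYPE_RE.search(line)
        if m and current:
            entries[current] = (m.group(1), m.group(2))
    return entries


def afs_username(principal, cell_realm):
    """Map a Kerberos 5 client principal to the AFS user name it is treated as.

    Foreign-realm users become user@realm in lower case, as described in the
    thread. Local-realm users keep the bare name with any instance joined by
    "." (assumed aklog behaviour, not stated in the message).
    """
    name, _, realm = principal.rpartition("@")
    if realm.upper() == cell_realm.upper():
        return name.replace("/", ".")
    return (name + "@" + realm).lower()


def diagnose(klist_text, cell, cell_realm):
    """Check the afs/<cell> ticket and the derived AFS user name.

    des_crc_only is True only when both the session key and the ticket use
    DES-CBC-CRC, which is what a 1.2.11 server without the MD5 patches needs.
    """
    default = re.search(r"^Default principal:\s*(\S+)", klist_text, re.M).group(1)
    entries = parse_klist_e(klist_text)
    wanted = "afs/" + cell.lower() + "@"
    afs_tickets = {p: e for p, e in entries.items() if p.lower().startswith(wanted)}
    report = {"client": default, "afs_user": afs_username(default, cell_realm),
              "afs_ticket": None, "skey": None, "tkt": None, "des_crc_only": False}
    for principal, (skey, tkt) in afs_tickets.items():
        report.update(afs_ticket=principal, skey=skey, tkt=tkt,
                      des_crc_only=(skey == DES_CRC and tkt == DES_CRC))
        break
    return report


if __name__ == "__main__":
    r = diagnose(SAMPLE_KLIST_E, "acm.uiuc.edu", "ACM.UIUC.EDU")
    print("AFS name the server will use:", r["afs_user"])
    print("afs/ ticket enctypes (skey, tkt):", r["skey"], "/", r["tkt"])
    if not r["des_crc_only"]:
        print("ticket enctype is not DES-CBC-CRC; a 1.2.11 server without the "
              "MD5 patches will reject it")
```

With the constructed input the script reports cclausen@ad.uiuc.edu as the name to look for on the ACLs and flags the RSA-MD5 ticket enctype; against real output, paste the result of `klist -e` in place of the sample.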
