[OpenAFS] 1.3.70 and aklog

Christopher D. Clausen cclausen@acm.org
Tue, 17 Aug 2004 01:21:46 -0500


Jeffrey Altman wrote:
> Christopher D. Clausen wrote:
>> I am logging on to my machine using my Active Directory password in
>> the AD.UIUC.EDU domain.  I then run ms2mit to populate the MIT
>> credential cache with my AD tickets.  I then attempt to obtain AFS
>> tokens.  I get a token, but it's for cclausen@ad.uiuc.edu and I do
>> not have permissions within the acm.uiuc.edu cell.
>
> What version are your servers?
>
> If they are not built from 1.3.65 or later; or you have not ported the
> patches for MD5 support to the 1.2.11 build; then you cannot use AFS
> service tickets issued by Active Directory 2003.

My servers are 1.2.11 and they have not been patched for MD5 support.  I 
don't understand why I need this patch.  I do not have an AFS service 
ticket in Active Directory.  The only AFS service ticket is the one on 
the MIT KDC: afs/acm.uiuc.edu@ACM.UIUC.EDU

Or perhaps I do not understand what you mean by "AFS service ticket."

>> C:\> "C:\Program Files\OpenAFS\Client\Program\aklog.exe" -5 -d
>> Authenticating to cell acm.uiuc.edu.
>> Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
>> About to resolve name cclausen@AD.UIUC.EDU to id
>> Id 32766
>> doing first-time registration of cclausen@ad.uiuc.edu at acm.uiuc.edu
>> libprot: funny kvno (256) in ticket, proceeding
>> aklog.exe: unable to create remote PTS user cclausen@ad.uiuc.edu in
>> cell acm.uiuc.edu (status: 19270403).
>> Set username to cclausen@ad.uiuc.edu
>> Getting tokens.

Why is it trying to create a remote user?  I am not a remote user, I'm 
just using Kerberos trusts to obtain the ticket/token.  Is this not 
possible or am I completely misunderstanding cross-realm trusts?

> Names are local identifiers in tokens.  They have no impact on how
> the server treats the tickets.  You are using Kerberos 5 cross realm
> to obtain a ticket for afs/acm.uiuc.edu@ACM.UIUC.EDU.  The Kerberos
> 5 ticket is going to have the principal name cclausen@AD.UIUC.EDU
> in it.  This should be translated to cclausen@ad.uiuc.edu by the
> AFS server.

gssklog correctly gives me a token in the acm.uiuc.edu cell.  (See 
below)

> Does "cclausen@ad.uiuc.edu" appear in your acl list
> for the acm.uiuc.edu cell?  If not, that is where your problem lies.

That ACL does not exist.

But I cannot add it either:
H:\>fs sa . cclausen@ad.uiuc.edu rl
fs:'.': code 0x19

I thought that the user @ domain syntax was only used for foreign users. 
Shouldn't I be able to use my AD.UIUC.EDU tickets to get tokens in the 
ACM.UIUC.EDU realm via the Kerberos trust?  Or am I again completely 
missing something obvious?

> What does "klist -e" report for the enctype of
> "afs/acm.uiuc.edu@ACM.UIUC.EDU"?  You want it to read:
>
>  Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

cclausen@KBS-CDC C:\>klist -ef
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:17:44  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

It looks to be DES to me.  The realm trust was used to obtain the 
afs/acm.uiuc.edu ticket.

>> C:\>tokens
>> Tokens held by the Cache Manager:
>> User cclausen@ad.uiuc.edu's tokens for afs@acm.uiuc.edu [Expires Aug
>> 17 09:03]
>>   --End of list --
>
> This looks correct.

It doesn't look correct to me.

Things work the way I think they should when I use gssklog:

C:\>unlog
C:\>kdestroy
C:\>ms2mit
C:\>klist
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:31:12  08/17/04 09:03:10  ldap/ad-dc-p1.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  cifs/ad-dc-p1.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  ldap/AD-DC-P2.ad.uiuc.edu/ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/17/04 00:24:22  08/17/04 09:03:10  LDAP/AD-DC-P2.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10

C:\>gssklog
C:\>tokens

Tokens held by the Cache Manager:

User cclausen's tokens for afs@acm.uiuc.edu [Expires Aug 17 09:03]
   --End of list --

C:\>klist -ef
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 00:47:52  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:48:17  08/17/04 09:03:10  gssklog/mintaka.acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FfRA
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1

I have tokens for cclausen and I can correctly access my files.

Are aklog and gssklog acting differently wrt the cross-realm trust? 
I mean, they both do the same thing, set AFS tokens.  Why would one set 
tokens for cclausen and one for cclausen@ad.uiuc.edu?

Thanks for your quick response!

<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin
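Added example (not part of the thread, and not OpenAFS or MIT Kerberos code): a small script that performs the two checks discussed above. It parses `klist -ef` output in the format quoted in the post, locates the `afs/<cell>` service ticket and reports whether both the session-key and ticket enctypes read "DES cbc mode with CRC-32", as the reply says they must for the 1.2.11 servers; it also applies the name-mapping rule the reply describes, generalized to any list of local realms: a principal from one of the cell's local realms keeps its bare user name, any other realm is treated as foreign and becomes `user@realm` with the realm lowercased. The sample `klist` text is constructed from the output quoted in the post, and the list of local realms is an assumption supplied by the caller (a real server takes it from its own configuration, which this script does not read).

```python
import re

# Constructed sample, assembled from the klist -ef output quoted in the post above.
SAMPLE_KLIST = """\
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRIA
        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 00:17:44  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10, Flags: FRA
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# The enctype the reply says an unpatched 1.2.x AFS server needs to see.
WANTED_ETYPE = "DES cbc mode with CRC-32"

_STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({_STAMP})\s+({_STAMP})\s+(\S+)$")
ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\): (.+?), (.+)$")
DEFAULT_RE = re.compile(r"^Default principal: (\S+)$")


def parse_klist(text):
    """Parse klist -ef output into (default principal, list of ticket dicts).

    A ticket line carries two timestamps and the service principal; the
    indented "Etype" line that follows it is attached to that ticket.
    """
    default = None
    tickets = []
    for line in text.splitlines():
        m = DEFAULT_RE.match(line)
        if m:
            default = m.group(1)
            continue
        m = TICKET_RE.match(line)
        if m:
            tickets.append({"valid": m.group(1), "expires": m.group(2),
                            "service": m.group(3), "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.match(line)
        if m and tickets:
            tickets[-1]["skey"] = m.group(1).strip()
            tickets[-1]["tkt"] = m.group(2).strip()
    return default, tickets


def check_afs_ticket(klist_text, cell):
    """Find the afs/<cell> service ticket and report whether both its
    enctypes are the wanted DES type.  Returns None if no such ticket is held."""
    default, tickets = parse_klist(klist_text)
    for t in tickets:
        if t["service"].startswith(f"afs/{cell}@"):
            return {
                "principal": default,
                "service": t["service"],
                "skey": t["skey"],
                "tkt": t["tkt"],
                "ok": t["skey"] == WANTED_ETYPE and t["tkt"] == WANTED_ETYPE,
            }
    return None


def pts_name_for(principal, local_realms):
    """Map a Kerberos principal to the PTS / ACL user name the reply describes.

    Principals from one of the cell's local realms keep the bare user name;
    any other realm is treated as foreign and becomes user@realm, realm
    lowercased.  Assumption: local_realms is supplied by the caller (a real
    server reads it from its own configuration).
    """
    user, realm = principal.rsplit("@", 1)
    if realm.upper() in {r.upper() for r in local_realms}:
        return user
    return f"{user}@{realm.lower()}"


if __name__ == "__main__":
    report = check_afs_ticket(SAMPLE_KLIST, "acm.uiuc.edu")
    if report is None:
        print("no afs/acm.uiuc.edu ticket in the cache; run aklog first")
    else:
        state = "enctypes OK" if report["ok"] else "enctypes are NOT DES-CBC-CRC"
        print(f"{report['service']}: {state} ({report['skey']}, {report['tkt']})")
        # The ACL entry the server will look for, given ACM.UIUC.EDU as the local realm.
        print("PTS name:", pts_name_for(report["principal"], ["ACM.UIUC.EDU"]))
```

Run it against real output by piping `klist -ef` into a file and passing its contents to `check_afs_ticket`; if the reported PTS name ends in `@ad.uiuc.edu`, that is the name that has to appear in the cell's ACLs (or be registered in PTS) before the token grants any access, which is exactly the mismatch the post describes.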