[OpenAFS] 1.3.70 and aklog

Douglas E. Engert deengert@anl.gov
Tue, 17 Aug 2004 06:41:07 -0500


Jeffrey Altman wrote:

> response in-line...
> 
> Christopher D. Clausen wrote:
> 
> 
>> AD.UIUC.EDU is a Windows Active Directory
>> ACM.UIUC.EDU is an MIT Kerberos realm that trusts AD.UIUC.EDU
>> acm.uiuc.edu is the AFS cell where I want to obtain tokens.
>>
>> I am logging on to my machine using my Active Directory password in 
>> the AD.UIUC.EDU domain.  I then run ms2mit to populate the MIT 
>> credential cache with my AD tickets.  I then attempt to obtain AFS 
>> tokens.  I get a token, but it's for cclausen@ad.uiuc.edu and I do not 
>> have permissions within the acm.uiuc.edu cell.
> 

The issue is the AFS cell name is not the same as the user's realm name.
The K5 is using cross realm, whereas in the past the krb524d could have
covered this up.

This goes back to what is the difference between a realm and a cell.
I would argue a cell is an authorization domain, a realm is an authorization
domain. AFS needs to be able to map a principal in a realm to an afs
user in its cell. By default AFS is assuming the cell name matches the
realm name, or if the realm-of-cell file (forgot the name) is set, then
the cell is in that realm. It needs more flexibility to map foreign
principals to the local cell.

This is a practical issue, as newer realms are coming on line which
don't match the older AFS cell names.


> 
> What version are your servers?
> 
> If they are not built from 1.3.65 or later; or you have not ported the
> patches for MD5 support to the 1.2.11 build; then you cannot use AFS 
> service tickets issued by Active Directory 2003.
> 
> (If the rxdebug output is correct you are running 1.2.11.  I can't tell
> if they are patched for MD5 support or not.)
> 
>> steps:
>>
>> C:\>kdestroy
>> C:\>ms2mit
>> C:\>klist
>> Ticket cache: API:krb5cc.cclausen
>> Default principal: cclausen@AD.UIUC.EDU
>> Valid starting     Expires            Service principal
>> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>> 08/16/04 23:03:10  08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>> Kerberos 4 ticket cache: API:krb4cc
>> klist: No ticket file (tf_util)
>>
>> C:\>which -a aklog
>> C:\Progra~1\MIT\Kerberos\bin\aklog.exe
>> C:\Progra~1\OpenAFS\Client\Program\aklog.exe
>> C:\Program Files\OpenAFS\Client\Program\aklog.exe
>>
>> C:\>filever "C:\Program Files\OpenAFS\Client\Program\aklog.exe"
>> --a-- W32i   APP   -      1.3.7000.0 shp     40,448 08-09-2004 aklog.exe
> 
> 
> You might want to fix your path to remove the duplicate entry
> for OpenAFS.
> 
> I will remove aklog.exe from the next release of KFW.
> 
>> C:\> "C:\Program Files\OpenAFS\Client\Program\aklog.exe" -5 -d
>> Authenticating to cell acm.uiuc.edu.
>> Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
>> About to resolve name cclausen@AD.UIUC.EDU to id
>> Id 32766
>> doing first-time registration of cclausen@ad.uiuc.edu at acm.uiuc.edu
>> libprot: funny kvno (256) in ticket, proceeding
>> aklog.exe: unable to create remote PTS user cclausen@ad.uiuc.edu in 
>> cell acm.uiuc.edu (status: 19270403).
>> Set username to cclausen@ad.uiuc.edu
>> Getting tokens.
> 
> 
> Names are local identifiers in tokens.  They have no impact on how
> the server treats the tickets.  You are using Kerberos 5 cross realm
> to obtain a ticket for afs/acm.uiuc.edu@ACM.UIUC.EDU.  The Kerberos
> 5 ticket is going to have the principal name cclausen@AD.UIUC.EDU
> in it.  This should be translated to cclausen@ad.uiuc.edu by the
> AFS server.  Does "cclausen@ad.uiuc.edu" appear in your acl list
> for the acm.uiuc.edu cell?  If not, that is where your problem lies.
> 
>> C:\>klist
>> Ticket cache: API:krb5cc.cclausen
>> Default principal: cclausen@AD.UIUC.EDU
>>
>> Valid starting     Expires            Service principal
>> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>> 08/16/04 23:03:10  08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>> 08/16/04 23:03:10  08/17/04 09:03:10  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>> 08/16/04 23:05:32  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
>>        renew until 08/23/04 23:03:10
>>
>> Kerberos 4 ticket cache: API:krb4cc
>> klist: No ticket file (tf_util)
> 
> 
> What does "klist -e" report for the enctype of 
> "afs/acm.uiuc.edu@ACM.UIUC.EDU"?  You want it to read:
> 
>  Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 
> If your MIT kdc is issuing DES-CBC-MD5 tickets for the AFS tickets
> that is where your problem lies since you are using the 1.2.11 build.
> 
>> C:\>tokens
>> Tokens held by the Cache Manager:
>> User cclausen@ad.uiuc.edu's tokens for afs@acm.uiuc.edu [Expires Aug 
>> 17 09:03]
>>   --End of list --
> 
> 
> This looks correct.
> 
>> C:\>h:
>> H:\>ls -l
>> (this hangs for a few minutes b/c I don't actually have permission in 
>> the cell.)
>>
>> Am I doing something wrong?  Have something misconfigured?
> 
> 
> see above.
> 
>> Also, I'm pretty sure I should be able to specify the command line 
>> options to aklog in any order.  (The first one just prints a help 
>> message, so I assume it does not work.)  Is there a reason to require 
>> parameters in a particular order?
> 
> 
> There is no reason that I am aware of.  If there is an order requirement
> it was simply because someone coded it that way.  The sources are at
> src/WINNT/aklog/.  Patches are appreciated.
> 
>> <<CDC
>> Christopher D. Clausen
>> ACM@UIUC SysAdmin
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
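As an added illustration (not code from the thread or from OpenAFS), here is a small Python script that applies the two checks raised above: how the AFS server derives the PTS user name from a cross-realm principal, and whether the cached afs/ service ticket carries the DES-CBC-CRC enctype that the pre-MD5 1.2.11 servers require. The klist -e sample and the PTS user list are constructed; the name mapping follows the thread's description (foreign realm appended and lower-cased), and the cell's own realm is assumed to be the upper-cased cell name unless another realm is passed in.

```python
import re

DES_CRC = "DES cbc mode with CRC-32"

# Constructed "klist -e" sample (not from the thread): the afs service
# ticket was issued with DES-CBC-MD5, the case Jeffrey warns about.
KLIST_E = """\
Valid starting     Expires            Service principal
08/16/04 23:05:32  08/17/04 09:03:10  afs/acm.uiuc.edu@ACM.UIUC.EDU
        renew until 08/23/04 23:03:10
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""

def afs_name_for_principal(principal, cell, cell_realms=None):
    """Name the AFS server derives from a K5 principal: the bare name for the
    cell's own realm(s) (default: upper-cased cell name), otherwise name@realm
    with the realm lower-cased (cclausen@AD.UIUC.EDU -> cclausen@ad.uiuc.edu)."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        raise ValueError("principal has no realm: %r" % principal)
    local = {r.upper() for r in (cell_realms or [cell])}
    return name if realm.upper() in local else "%s@%s" % (name, realm.lower())

def afs_ticket_enctype(klist_output, cell):
    """(skey, tkt) enctypes of the afs/<cell> ticket, or None if not cached."""
    lines = klist_output.splitlines()
    for i, line in enumerate(lines):
        if "afs/%s@" % cell in line:
            for follow in lines[i + 1:i + 4]:
                m = re.search(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$", follow)
                if m:
                    return m.group(1).strip(), m.group(2).strip()
    return None

def diagnose(principal, cell, klist_output, pts_users, pre_md5_servers=True):
    """Report the two causes raised in the thread: an afs ticket enctype that
    pre-MD5 (1.2.11) servers cannot use, and a mapped name with no PTS entry."""
    problems = []
    enc = afs_ticket_enctype(klist_output, cell)
    if enc is None:
        problems.append("no afs/%s service ticket in the cache" % cell)
    elif pre_md5_servers and enc[1] != DES_CRC:
        problems.append("afs ticket enctype %r; servers need %r" % (enc[1], DES_CRC))
    mapped = afs_name_for_principal(principal, cell)
    if mapped not in pts_users:
        problems.append("%s is not a PTS user in cell %s" % (mapped, cell))
    return mapped, problems
```

Running diagnose("cclausen@AD.UIUC.EDU", "acm.uiuc.edu", KLIST_E, {"cclausen"}) reproduces the thread's situation: the token is issued under cclausen@ad.uiuc.edu, but that name has no PTS entry and the ticket enctype is not CRC-32.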