[OpenAFS] 1.3.70 and aklog

Douglas E. Engert deengert@anl.gov
Tue, 17 Aug 2004 07:01:26 -0500


Christopher D. Clausen wrote:

> Jeffrey Altman wrote:
> 
>> Christopher D. Clausen wrote:
>>
>>> Jeffrey Altman wrote:
>>
>>
>>> My servers are 1.2.11 and they have not been patched for MD5
>>> support.  I don't understand why I need this patch.  I do not have
>>> an AFS service ticket in Active Directory.  The only AFS service
>>> ticket is the one on the MIT KDC: afs/acm.uiuc.edu@ACM.UIUC.EDU
>>

The large tickets could be a problem, as Jeff points out in later
notes in this thread. We patched the 1.2.11 servers to support large
tickets, and the MD* enctypes. In our case the AFS cell name matches
the W2003 AD domain name and AD has an afs/cell@realm principal
so it can issue a ticket for afs/cell. Unix users are still using
krb524d or gssklog so the size of the ticket is not a problem on the
unix clients which have not yet been modified.

Drop me a note if you want the patches to update the 1.2.11 servers.


>>
>> What enctype is this ticket?
> 
> 
> DES cbc mode with CRC-32 and no salt
> 
> 
>>> Why is it trying to create a remote user?  I am not a remote user,
>>> I'm just using Kerberos trusts to obtain the ticket/token.  Is this
>>> not possible or am I completely misunderstanding cross-realm trusts?
>>
>>
>> You are a remote user as long as you are obtaining the token via
>> a cross-realm trust.  If you were to obtain a TGT directly from
>> ACM.UIUC.EDU you would be a local user.
> 
> 
> Ok.  Thank you.  I'm starting to understand.
> 
> Couldn't I just create an afs/acm.uiuc.edu@AD.UIUC.EDU AFS service 
> principal using ktpass.exe, add it to my AFS servers and use that to 
> authenticate from the AD.UIUC.EDU realm / domain instead of trying to 
> set up this foreign user stuff?
> 
> So I would need to set up:
> 1) pts creategroup system:authuser@ad.uiuc.edu system:administrators 
> -cell acm.uiuc.edu
> 2) create a pts user cclausen@ad.uiuc.edu (is this needed)?
> 3) add cclausen@ad.uiuc.edu to ACLs.
> 4) try aklog (which works once the above are done.)
> 
> Will this work if the Kerberos trust is only one way?
> ACM.UIUC.EDU trusts AD.UIUC.EDU
> AD.UIUC.EDU DOES NOT trust ACM.UIUC.EDU
> 
> Or does there need to be a trust in each direction for the cross-realm 
> authentication to work?
> 
> Also, the ACM.UIUC.EDU realm is running MIT krb5-1.2.4-5 (Debian woody). 
> Would the KDCs need to be upgraded for this cross-realm stuff to work?
> 
> I assume that I still need to have newer servers, or otherwise patch 
> them to support the MD5 enctype:
> C:\>vos examine user.cclausen
> vsu_ClientInit: funny kvno (256) in ticket, proceeding
> rxk: Ticket length too long or too short
> 
> The above is the result of me actually having a cclausen@ad.uiuc.edu 
> token and not having upgraded AFS servers, correct?  As it works just 
> fine if I unlog.
> 
>> You have obtained a token for acm.uiuc.edu.  The name of the principal
>> associated with the token is cclausen@ad.uiuc.edu.  Therefore, you
>> are a foreign user.
> 
> 
> Ok.
> 
>> Because you don't understand cross realm.
> 
> 
> Indeed.  I'm trying to fix that, which is why I am asking questions.
> 
>>> I have tokens for cclausen and I can correctly access my files.
>>
>>
>> yes.  but gssklogd exists solely within the realm ACM.UIUC.EDU and it
>> has been configured to use the first component of the principal name
>> as the AFS username.  The token which is generated contains the user
>> principal name "cclausen@ACM.UIUC.EDU"; it does not contain the
>> cross-realm principal name "cclausen@AD.UIUC.EDU".  gssklogd throws
>> away the foreign realm and substitutes the local realm.
> 
> 
> Ok.
> 
>> Are you able to access your home directory when you destroy your
>> tokens with unlog.exe?
> 
> 
> If I do not have tokens, I can only list files in my home directory, as 
> per the system:anyuser l ACL.
> 
>> I'm concerned that you unable to access the volume at all.
> 
> 
> I can access it just fine either when I kinit to cclausen@ACM.UIUC.EDU 
> or use gssklog to obtain tokens.
> 
> I do however seem to have problems accessing anything in AFS when I have 
> cclausen@ad.uiuc.edu tokens (after setting up some of the foreign user 
> stuff listed above.)  If I unlog, things go back to normal.  (I assume 
> this is either b/c of the older AFS servers or some configuration option 
> I've overlooked.)
> 
> C:\>ms2mit
> 
> C:\>klist
> Ticket cache: API:krb5cc.cclausen
> Default principal: cclausen@AD.UIUC.EDU
> 
> Valid starting     Expires            Service principal
> 08/17/04 03:25:14  08/17/04 13:25:14  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/24/04 03:25:14
> 08/17/04 03:25:14  08/17/04 13:25:14 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>        renew until 08/24/04 03:25:14
> 
> 
> Kerberos 4 ticket cache: API:krb4cc
> klist: No ticket file (tf_util)
> 
> C:\>"c:\Program Files\OpenAFS\Client\Program\aklog.exe" -d -5 -c 
> acm.uiuc.edu
> Authenticating to cell acm.uiuc.edu.
> Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
> About to resolve name cclausen@AD.UIUC.EDU to id
> Id 130742
> Set username to AFS ID 130742
> Getting tokens.
> 
> C:\>tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 130742) tokens for afs@acm.uiuc.edu [Expires Aug 17 13:25]
>   --End of list --
> 
> C:\>dir h:\
> Volume in drive H is AFS
> Volume Serial Number is 0000-04D2
> 
> Directory of h:\
> 
> 17-Aug-04  01:47 AM    <DIR>          .
> 17-Aug-04  01:47 AM    <DIR>          ..
> 24-Jul-04  12:23 AM    <DIR>          Desktop
> 04-May-04  02:27 AM    <DIR>          Library
> 15-May-04  02:17 PM    <DIR>          Movies
> 23-Mar-04  06:49 PM    <DIR>          Music
> 15-May-04  05:49 AM    <DIR>          ncsa
> 08-Aug-04  12:42 AM    <DIR>          Public
> 15-Aug-04  09:10 PM    <DIR>          public_html
> 03-Aug-04  06:07 PM    <DIR>          src
> 31-Dec-69  10:59 PM                 0 Private
> .
> . (snip)
> .
>              10 File(s)      5,147,963 bytes
>              10 Dir(s)  1,099,511,626,752 bytes free
> 
> C:\>h:
> H:\>dir
> (hangs for several seconds before returning same list as above.)
> 
> H:\>klist -ef
> Ticket cache: API:krb5cc.cclausen
> Default principal: cclausen@AD.UIUC.EDU
> 
> Valid starting     Expires            Service principal
> 08/17/04 03:25:14  08/17/04 13:25:14  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/24/04 03:25:14, Flags: FRIA
>        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 08/17/04 03:25:14  08/17/04 13:25:14 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
>        renew until 08/24/04 03:25:14, Flags: FRA
>        Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
> 08/17/04 03:25:14  08/17/04 13:25:14  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
>        renew until 08/24/04 03:25:14, Flags: FRA
>        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
> 08/17/04 03:46:55  08/17/04 13:25:14  afs/acm.uiuc.edu@ACM.UIUC.EDU
>        renew until 08/24/04 03:25:14, Flags: FRA
>        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> 
> Please don't reply to the list AND to me.  I am on the list, even if I 
> don't understand everything.
> 
> <<CDC
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
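The thread turns on three things a cross-realm aklog user has to get right: how aklog names the token owner (a local user is known by the first component of the principal, a foreign user as user@realm and so needs a pts entry and a system:authuser@realm group), whether the afs/ service ticket is an enctype the fileservers' rxkad can use, and whether the ticket fits in an unpatched 1.2.x server's buffer (the "rxk: Ticket length too long or too short" and "funny kvno (256)" messages above). The following is an added example written for this page; it is not code from OpenAFS or from anyone in the thread. It parses MIT `klist -ef` output like Christopher's and reports those findings. Assumptions: that unpatched 1.2.11 servers accept only des-cbc-crc tickets (the thread says a patch was needed for the RSA-MD4/MD5 variants), that pts stores the foreign name with the realm lowercased (as cclausen@ad.uiuc.edu appears above), and that the pre-patch ticket limit was 344 bytes; the function names and the constant OLD_MAXKTCTICKETLEN are this example's own.

```python
"""Added example: diagnose a cross-realm aklog token from klist -ef output."""
import re

# Ticket enctypes assumed accepted by unpatched 1.2.11 servers; the thread
# says a patch was needed before the RSA-MD4/MD5 DES variants worked.
UNPATCHED_TKT_ENCTYPES = {"DES cbc mode with CRC-32"}
PATCHED_TKT_ENCTYPES = UNPATCHED_TKT_ENCTYPES | {
    "DES cbc mode with RSA-MD5", "DES cbc mode with RSA-MD4"}

# kvno that marks a Kerberos 5 ticket inside an AFS token ("funny kvno (256)").
RXKAD_TKT_TYPE_KERBEROS_V5 = 256

# Assumed pre-patch ticket size limit of a 1.2.x server (old MAXKTCTICKETLEN).
OLD_MAXKTCTICKETLEN = 344

TICKET_LINE = re.compile(
    r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)$")


def parse_klist(text):
    """Return (default principal, tickets); each ticket records the service
    name, flags, and the session-key and ticket enctypes from klist -ef."""
    principal, tickets, cur = None, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Default principal:\s*(\S+)", line)
        if m:
            principal = m.group(1)
            continue
        m = TICKET_LINE.match(line)
        if m:  # a ticket line: two timestamps, then the service principal
            cur = {"service": m.group(1), "flags": "", "skey": None, "tkt": None}
            tickets.append(cur)
            continue
        if cur is None:
            continue
        m = re.search(r"Flags:\s*(\S+)", line)
        if m:
            cur["flags"] = m.group(1)
            continue
        m = re.match(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+)$", line)
        if m:
            cur["skey"], cur["tkt"] = m.group(1).strip(), m.group(2).strip()
    return principal, tickets


def afs_user_name(principal, cell_realm):
    """(name, is_foreign): a principal from the cell's own realm is a local
    user named by its first component; anyone else is the foreign user
    user@realm, realm lowercased (assumed pts naming, as in the thread)."""
    user, realm = principal.rsplit("@", 1)
    if realm.upper() == cell_realm.upper():
        return user, False
    return "%s@%s" % (user, realm.lower()), True


def diagnose(klist_text, cell, cell_realm, accepted=UNPATCHED_TKT_ENCTYPES):
    """Findings for an aklog token for `cell` built from these credentials."""
    principal, tickets = parse_klist(klist_text)
    if principal is None:
        return ["no credentials: run kinit (or ms2mit on Windows) first"]
    findings = []
    name, foreign = afs_user_name(principal, cell_realm)
    findings.append("token owner will be AFS user %s" % name)
    if foreign:
        home_realm = principal.rsplit("@", 1)[1]
        findings.append("foreign user: needs 'pts creategroup system:authuser@%s' "
                        "and 'pts createuser %s' in cell %s before ACLs can name it"
                        % (name.split("@", 1)[1], name, cell))
        xrealm = "krbtgt/%s@%s" % (cell_realm, home_realm)
        if not any(t["service"] == xrealm for t in tickets):
            findings.append("no cross-realm TGT %s in the cache" % xrealm)
    svc = "afs/%s@%s" % (cell, cell_realm)
    afs_tkts = [t for t in tickets if t["service"] == svc]
    if not afs_tkts:
        findings.append("no %s ticket: run aklog -c %s" % (svc, cell))
        return findings
    tkt_enctype = afs_tkts[-1]["tkt"]
    if tkt_enctype in accepted:
        findings.append("service ticket enctype %s is accepted by the servers" % tkt_enctype)
    else:
        findings.append("service ticket enctype %s is not one the servers accept (%s)"
                        % (tkt_enctype, ", ".join(sorted(accepted))))
    return findings


def rxkad_server_check(kvno, ticket_len, max_len=OLD_MAXKTCTICKETLEN):
    """Mimic the server's first look at a token's ticket: an oversize or
    empty ticket is refused with the rxk error from the thread before its
    contents are examined; otherwise kvno 256 selects the Kerberos 5 path."""
    if ticket_len <= 0 or ticket_len > max_len:
        return "rxk: Ticket length too long or too short"
    if kvno == RXKAD_TKT_TYPE_KERBEROS_V5:
        return "ok: Kerberos 5 ticket"
    return "ok: Kerberos 4 ticket"


# Constructed sample: the klist -ef output from the thread, with wrapped lines rejoined.
SAMPLE_KLIST = """\
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU

Valid starting     Expires            Service principal
08/17/04 03:25:14  08/17/04 13:25:14  krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
       renew until 08/24/04 03:25:14, Flags: FRIA
       Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14  08/17/04 13:25:14 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
       renew until 08/24/04 03:25:14, Flags: FRA
       Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
08/17/04 03:25:14  08/17/04 13:25:14  krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
       renew until 08/24/04 03:25:14, Flags: FRA
       Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
08/17/04 03:46:55  08/17/04 13:25:14  afs/acm.uiuc.edu@ACM.UIUC.EDU
       renew until 08/24/04 03:25:14, Flags: FRA
       Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KLIST, "acm.uiuc.edu", "ACM.UIUC.EDU"):
        print(finding)
```

Run against the sample, the diagnosis says the token belongs to the foreign user cclausen@ad.uiuc.edu, lists the system:authuser@ad.uiuc.edu group and pts entry that user needs, notes the cross-realm TGT is already present, and finds the afs/ ticket is des-cbc-crc, which even an unpatched server can decrypt; pass `accepted=PATCHED_TKT_ENCTYPES` to model servers that have the MD* patch. The size check is separate because klist does not show ticket length; the "Ticket length too long" failure in the thread comes from that path, not from the enctype.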