[OpenAFS] Got afs token I think... but can't access cell

Douglas E. Engert deengert@anl.gov
Fri, 21 May 2004 10:38:07 -0500


I think I see the problem. 

Looking at the MIT 1.3.2 src/krb524/krb524d.c code, in the handle_classic_v4
routine, it looks like it tries to look up the service key with ENCTYPE_DES_CBC_CRC.
But since Windows 2003 was using DES-CBC-MD5, this key may not be in the
keytab.

(We have run a modified krb524d for years that would decrypt using the keytab
and if it was for AFS, encrypt the new ticket using a key found in a copy of 
the AFS KeyFile. So we have avoided many of these key synchronization problems.) 

I believe if you add another entry to the keytab used by krb524d using the same
key and kvno but with DES-CBC-CRC it will work. You need both, as the
input key is DES-CBC-MD5. I have not tried this.     


"Davis, Adam" wrote:
> 
> It is Windows 2003 and Openafs 1.2.11 on redhat enterprise 3, krb5-1.3.3
> for krb524d

On Windows 2003, when your admin ran the ktpass command to add the key
to AD, if the /out parameter was used it would have created a keytab file.
It would have also listed the contents with 

Output keytab to c:\...
Keytab version: 0x502
keytabsize ... vno X ...
(DES_CBC_MD5) keylength 8 (0x...)

This last line is the DES key in hex, and the vno is the kvno.

To get the DES-CBC-CRC version, you can run the same command as a user, if
you know the password used, to create another keytab with
/crypto DES-CBC-CRC, then merge this into the keytab used by krb524d.
The key and kvno are the same; just the enctype is different.

> 
> I am finding it hard to confirm that the keys are the same. How would I
> list the key on the windows machine and also on the afs server so I can
> make sure they are the same.

The krb524d needs the -k option so it will use the keytab, either the
default one for the host, or one set up using the KRB5_KTNAME env variable
it's running under. (I think it's KRB5_KTNAME, double check this.)

You can use the MIT klist -k -K to list the keytab and the keys.
The keytab krb524d uses must have the entry from the output of the ktpass.
The principal, kvno and key must match.

The AFS /usr/afs/etc/KeyFile must also have the key and kvno, 
you can do an    od -x /usr/afs/etc/KeyFile
and look for them. 

> 
> I have krb524d running on the afs server and added the "krb524_server =
> to the krb5.conf"

The krb524_server= is needed by the client.
 

Some caveats with Windows:

Windows 2003 will create tickets using DES-CBC-MD5 rather than the DES-CBC-CRC
that 2000 did.

The krb524d can handle this, and normally produces a V4 ticket using DES-CBC-CRC.
It looks like it needs to have both the DES-CBC-MD5 and DES-CBC-MD4 entries
in the keytab. I think this is the problem.

The krb524d might be trying to return a V5 ticket rather than
a V4 ticket, if you have afs_krb5 in the krb5.conf file.

The 1.2.11 AFS servers can't handle MD5, and can not handle large tickets.
Changes are in the OpenAFS CVS to fix these. So make sure the krb524d
is not using afs_krb5 with a Windows KDC. 

(I am currently updating our AFS 1.2.11 server to support MD5 and large tickets,
as we have seen some similar problems with KfW and OpenAFS trying to
use a large ticket with MD5 against our servers, and I would like this to work;
two of the three are running these mods today.)
    
This would then also allow them to accept V5 tickets as tokens directly,
thus avoiding the need to use krb524d.


> 
> Thanks
> 
> Adam.....
> 
> -----Original Message-----
> From: Douglas E. Engert [mailto:deengert@anl.gov]
> Sent: 21 May 2004 13:44
> To: Davis, Adam
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Got afs token I think... but can't access cell
> 
> Do you have krb524d running? You may need to add krb524_server = to the
> krb5.conf or add DNS SRV records to point at the krb524d
> 
> The assumption is that krb524d is running on the KDC machine, but since
> that is windows, you may have to run it on the AFS server(s).
> 
> There are a lot of changes going on in this area, so it might help to
> know the versions of Windows KDC, 2000/2003? OpenAFS on the client and
> on the server, and Kerberos version of the krb524d and aklog.
> 
> 
> 
> "Davis, Adam" wrote:
> >
> > I have a "Windows KDC" a "OpenAFS on linux" and a "linux client"
> >
> > I do on the client......
> >
> > kinit    ##no errors everything fine
> >
> > aklog -d ic.ac.uk -k IC.AC.UK
> > Authenticating to cell ic.ac.uk (server server1.cc.ic.ac.uk). We were
> > told to authenticate to realm IC.AC.UK. Getting tickets:
> > afs/ic.ac.uk@IC.AC.UK Principal not found, trying alternate service
> > name: afs/@IC.AC.UK Kerberos error code returned by get_cred:
> > -1765328228
> > aklog: Couldn't get ic.ac.uk AFS tickets:
> > aklog: Cannot contact any KDC for requested realm while getting AFS
> > tickets
> >
> > [root@client1]# klist -e -f
> > Ticket cache: FILE:/tmp/krb5cc_0
> > Default principal: user1@IC.AC.UK
> >
> > Valid starting     Expires            Service principal
> > 05/20/04 16:57:03  05/21/04 00:57:16  krbtgt/IC.AC.UK@IC.AC.UK
> >         Flags: IA, Etype (skey, tkt): DES cbc mode with RSA-MD5, DES cbc mode with RSA-MD5
> > 05/20/04 17:03:07  05/20/04 18:03:07  afs@IC.AC.UK
> >         Flags: A, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
> >
> > Kerberos 4 ticket cache: /tmp/tkt0
> > klist: You have no tickets cached
> > -----------------------------------------------------
> >
> > I am guessing I have not set the principal correctly, what do people
> > use to set this ??? I used bos_util addes 0 <pwd>IC.AC.UKafsic.ac.uk
> >
> > But it returns a "bos_util: failed to set key, code 512." is there an
> > easy way of seeing what is going on.
> >
> > Thanks
> >
> > Adam...
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> --
> 
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
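The consistency check this reply walks through (a DES-CBC-CRC keytab entry cloned from the DES-CBC-MD5 one with the same key and kvno, then the keytab compared with what `od -x` shows in the AFS KeyFile), as an added example that is not code from this thread, from MIT Kerberos or from OpenAFS. It assumes the MIT 0x502 keytab layout and the classic fixed-slot KeyFile layout; the principal, realm, kvno and DES key are constructed placeholders, and the helper names (`add_des_cbc_crc_twin`, `check_sync`) are mine.

```python
# Added example, not code from this thread, MIT Kerberos or OpenAFS. It checks
# what the reply says must line up before krb524d can translate a Windows-issued
# AFS ticket: the service key under both DES-CBC-MD5 (enctype 3) and DES-CBC-CRC
# (enctype 1) with one kvno in the keytab, and that same key/kvno in the KeyFile.
import struct

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file format version 0x502
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD5 = 3
AFSCONF_MAXKEYS = 8          # assumption: classic OpenAFS KeyFile has 8 fixed slots

class _Reader:
    # Cursor over big-endian fields, the byte order a 0x502 keytab uses.
    def __init__(self, data, pos=0):
        self.data, self.pos = data, pos
    def take(self, fmt):
        vals = struct.unpack_from(fmt, self.data, self.pos)
        self.pos += struct.calcsize(fmt)
        return vals if len(vals) > 1 else vals[0]
    def counted(self):           # uint16 length followed by that many bytes
        n = self.take(">H")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

def _counted(b):
    return struct.pack(">H", len(b)) + b

def encode_entry(principal, kvno, enctype, key, name_type=1, timestamp=0):
    """One entry: ncomp, realm, components, name type, timestamp, vno8, keyblock, vno32."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Live entries of a 0x502 keytab as dicts, i.e. what `klist -k -K` lists."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version 0x502 keytab")
    r, entries = _Reader(data, 2), []
    while r.pos + 4 <= len(data):
        size = r.take(">i")
        if size < 0:             # negative size marks a deleted slot; skip it
            r.pos += -size
            continue
        end = r.pos + size
        ncomp = r.take(">H")
        realm = r.counted().decode()
        comps = [r.counted().decode() for _ in range(ncomp)]
        _name_type, _timestamp, vno8 = r.take(">IIB")
        enctype = r.take(">H")
        key = r.counted()
        kvno = vno8
        if end - r.pos >= 4:     # 32-bit kvno extension, when the writer added it
            kvno = r.take(">I") or vno8
        r.pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype, "key": key})
    return entries

def add_des_cbc_crc_twin(keytab, principal):
    """Append a DES-CBC-CRC entry beside each DES-CBC-MD5 entry of `principal` lacking one."""
    entries = parse_keytab(keytab)
    present = {(e["principal"], e["kvno"], e["enctype"]) for e in entries}
    out = keytab
    for e in entries:
        if (e["principal"] == principal and e["enctype"] == ENCTYPE_DES_CBC_MD5
                and (principal, e["kvno"], ENCTYPE_DES_CBC_CRC) not in present):
            out += encode_entry(principal, e["kvno"], ENCTYPE_DES_CBC_CRC, e["key"])
    return out

def build_keyfile(keys):
    """Assumed KeyFile layout: big-endian count, fixed slots of int32 kvno + 8-byte key."""
    out = struct.pack(">i", len(keys))
    for kvno, key in sorted(keys.items()):
        out += struct.pack(">i8s", kvno, key)
    return out.ljust(4 + 12 * AFSCONF_MAXKEYS, b"\x00")

def parse_keyfile(data):
    n = struct.unpack_from(">i", data, 0)[0]
    return dict(struct.unpack_from(">i8s", data, 4 + 12 * i) for i in range(n))

def check_sync(keytab, keyfile, principal):
    """(kvno, enctype) of each keytab entry whose key is absent from or differs from the KeyFile."""
    afs = parse_keyfile(keyfile)
    return [(e["kvno"], e["enctype"]) for e in parse_keytab(keytab)
            if e["principal"] == principal and afs.get(e["kvno"]) != e["key"]]

# Constructed sample data: a keytab as `ktpass /out` leaves it (one DES-CBC-MD5
# entry) plus the matching KeyFile. Odd-parity DES test key, placeholder names.
SAMPLE_PRINCIPAL = "afs/example.cell@EXAMPLE.REALM"
SAMPLE_KVNO = 3
SAMPLE_KEY = bytes.fromhex("0123456789abcdef")
SAMPLE_KEYTAB = KEYTAB_MAGIC + encode_entry(
    SAMPLE_PRINCIPAL, SAMPLE_KVNO, ENCTYPE_DES_CBC_MD5, SAMPLE_KEY)
SAMPLE_KEYFILE = build_keyfile({SAMPLE_KVNO: SAMPLE_KEY})
```

In practice the merge is done with ktutil (`rkt` both keytab files, then `wkt` the combined one) and verified with `klist -k -K`; the script shows exactly what those tools, and `od -x` on the KeyFile, must end up agreeing on, and `check_sync` flags an entry whose kvno has no KeyFile record or whose key bytes differ. Current MIT krb5 releases no longer accept single-DES enctypes at all, so the keytab-editing step only applies to builds of the era discussed here.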