[OpenAFS] gssklog[d] works with berkeley.edu kerberos realm, but needed a
hack -- why?
Adam Megacz
megacz@cs.berkeley.edu
Tue, 26 Apr 2005 23:54:42 -0700
So, I run a one-machine renegade AFS cell (reconfigurable.cs.berkeley.edu)
and my own krb5kdc for a corresponding (krb5) realm. It's nifty.
Berkeley [finally] has a campus-wide kerberos server with a principal
for every student, which has inspired me to attempt to recreate some
approximation of the IT nirvana I experienced as an undergrad at a
certain university in pittsburgh.
Anyways, if I compile the stock gssklogd-0.11 with
./configure --with-afs=/usr/local/ \
            --enable-server \
            --with-gss-lib-name=gssapi_krb5 \
            --with-gss-lib-dir=/usr/lib \
            --enable-server \
            --prefix=/usr/local \
            --with-server-extra-cflags="-DUSE_KRB5_DES -DDEBUG" \
            --with-server-extra-ldflags=/usr/local/lib/libdes.a
and invoke
gssklogd -E BERKELEY.EDU \
         -E RECONFIGURABLE.CS.BERKELEY.EDU \
         -k /etc/krb5.keytab \
         -a /etc/openafs/server/KeyFile \
         -s gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU \
         -G /etc/openafs/gssklog-map \
         -d
I get this:
len=73, name=gssklog\/reconfigurable.cs.berkeley.edu/arachne.berkeley.edu@BERKELEY.EDU
GSS-error acquiring credentials: major:000d0000 minor:025ea101
Miscellaneous failure
No principal in keytab matches desired name
I have *NO IDEA* what "arachne.berkeley.edu" is, or where it came from.
So I tried adding this line to both gssklogd.c and gssklog_gss.c and
deleted the conflicting definition:
#define my_nt_service_name GSS_C_NT_USER_NAME
Now, gssklogd starts up fine with:
len=51, name=gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU
Just as I wanted. So now I grab my BERKELEY.EDU tickets:
megacz@reconfigurable:/usr/src/gssklog-0.11$ kinit 16147012@BERKELEY.EDU
Password for 16147012@BERKELEY.EDU:
megacz@reconfigurable:/usr/src/gssklog-0.11$ klist
Ticket cache: FILE:/tmp/krb5cc_103
Default principal: 16147012@BERKELEY.EDU
Valid starting     Expires            Service principal
04/27/05 05:22:54  04/27/05 15:22:30  krbtgt/BERKELEY.EDU@BERKELEY.EDU
and try to gssklog myself with this command:
./gssklog -principal 16147012@BERKELEY.EDU \
          -cell reconfigurable.cs.berkeley.edu \
          -server reconfigurable.cs.berkeley.edu
but I get this:
Client:
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Failed code = 2
Server:
N handle_connections: got connection, s = 5
N run_acceptor: initiated on 5
E receive_message(): Incorrect buf_size read: [0]
GSS-error accepting credentials: major_status:01090000 minor_status:00000000
A token was invalid
A required input parameter could not be read
No error
reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
Wed Apr 27 05:23:03 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
N handle_connections: Listening for next.
On a lark, I tried forcing the server_name by adding this to
the top of gssklog_gss_init_sec_context() in gssklog_gss.c:
service_princ_name = "gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU";
Recompile, restart gssklogd, and everything works perfectly. I can
gssklog myself, the principal gets mapped to the right local afs user,
and I can get tokens and manipulate the filesystem just as I ought to
be able to.
Client:
megacz@reconfigurable:/usr/src/gssklog-0.11$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 5) tokens for afs@reconfigurable.cs.berkeley.edu [Expires Apr 27 15:22]
--End of list--
Server:
N handle_connections: got connection, s = 5
N run_acceptor: initiated on 5
N run_acceptor: calling gss_accept_sec_context
N run_acceptor: sending output token: [114]
N run_acceptor: security context accepted
N: client_name:16147012@BERKELEY.EDU
Looking in gridmap for 16147012@BERKELEY.EDU : 16147012
globus_gss_assist_userok: 16147012@BERKELEY.EDU:16147012
from env:/etc/openafs/gssklog-map
gridmap_default_path:/etc/openafs/gssklog-map
gridmap fopen returned OK
line="16147012@BERKELEY.EDU" megacz
gline->dn:16147012@BERKELEY.EDU
gline->userid:megacz
cname=16147012 cell=reconfigurable.cs.berkeley.edu rl=0 gl=35707
Times:startTime=1114579643,endTime=1114615350,glife=35707,rlife=35707
Wed Apr 27 05:27:23 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] AFS token for 16147012 to 16147012@BERKELEY.EDU
N run_acceptor: security context being shutdown
N handle_connections: Listening for next.
So, the big question of the day is, why did I need to add these two
hacks? Should I have configured something differently in order to not
need them?
Relevant configuration stuff follows...
Thanks for any help you guys can offer!
- a
______________________________________________________________________________
My keytab (/etc/krb5.keytab)
root@reconfigurable:~# klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/20/05 01:07:35 afs@RECONFIGURABLE.CS.BERKELEY.EDU (DES cbc mode with CRC-32)
   3 04/24/05 22:09:35 gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU (DES cbc mode with CRC-32)
______________________________________________________________________________
Debian packages I'm using:
megacz@reconfigurable:~$ dpkg -l | grep '\(afs\|krb\|gss\)'
ii krb5-admin-ser 1.3.6-3 MIT Kerberos master server (kadmind)
ii krb5-clients 1.3.6-3 Secure replacements for ftp, telnet and rsh
ii krb5-config 1.6 Configuration files for Kerberos Version 5
ii krb5-kdc 1.3.6-3 MIT Kerberos key server (KDC)
ii krb5-user 1.3.6-3 Basic programs to authenticate using MIT Ker
ii libkrb5-dev 1.3.6-3 Headers and development libraries for MIT Ke
ii libkrb53 1.3.6-3 MIT Kerberos runtime libraries
ii libopenafs-dev 1.3.81-3 The AFS distributed filesystem- development
ii openafs-client 1.3.81-3 The AFS distributed filesystem- client suppo
ii openafs-dbserv 1.3.81-3 The AFS distributed filesystem- database ser
ii openafs-filese 1.3.81-3 The AFS distributed filesystem- file server
ii openafs-krb5 1.3-10 The AFS distributed filesystem- Kerberos 5 I
ii openafs-module 1.3.81-3 The AFS distributed filesystem- Module Sourc
______________________________________________________________________________
/etc/krb5.conf:
[libdefaults]
    default_realm = RECONFIGURABLE.CS.BERKELEY.EDU
    krb4_config = /etc/krb.conf
    krb4_realms = /etc/krb.realms
    kdc_timesync = 1
    ccache_type = 4
    forwardable = true
    proxiable = true

[realms]
    BERKELEY.EDU = {
        kdc = kerberos.berkeley.edu:88
        kdc = kerberos-1.berkeley.edu:88
        admin_server = kerberos.berkeley.edu
        default_domain = berkeley.edu
    }
    EECS.BERKELEY.EDU = {
        kdc = kerberos1.CS.Berkeley.EDU
        kdc = kerberos2.EECS.Berkeley.EDU
        admin_server = kerberos1.CS.Berkeley.EDU
        default_domain = cs.berkeley.edu
    }
    RECONFIGURABLE.CS.BERKELEY.EDU = {
        kdc = reconfigurable.cs.berkeley.edu:88
        admin_server = reconfigurable.cs.berkeley.edu
        default_domain = reconfigurable.cs.berkeley.edu
    }

[domain_realm]
    .reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
    reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
    .berkeley.edu = BERKELEY.EDU
    .net.berkeley.edu = BERKELEY.EDU
    .hip.berkeley.edu = BERKELEY.EDU
    .cs.berkeley.edu = EECS.BERKELEY.EDU
    .eecs.berkeley.edu = EECS.BERKELEY.EDU
    .bmrc.berkeley.edu = EECS.BERKELEY.EDU
    .coe.berkeley.edu = EECS.BERKELEY.EDU

[login]
    krb4_convert = true
    krb4_get_tickets = true

[logging]
    kdc = FILE:/var/log/krb5kdc.log
    admin_server = FILE:/var/log/kadmin.log
    default = FILE:/var/log/krb5lib.log

[appdefaults]
    autologin = true
    forward = true
    krb5_aklog_path = /usr/bin/aklog
    login = {
        forwardable = true
        krb5_run_aklog = true
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false
    }
    kinit = {
        forwardable = true
        krb5_run_aklog = true
    }
    sshd = {
        forwardable = true
        krb5_run_aklog = true
        krb5_get_tickets = true
    }
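Editor's note, added example (this is not part of Adam's post, nor code from gssklog or MIT krb5): the first error above, "No principal in keytab matches desired name", is easiest to see by parsing the "desired name" gssklogd printed with the same escaping rules krb5_unparse_name/krb5_parse_name use. In an unparsed principal, an unescaped "/" separates components and "\/" is a literal slash inside one component, so gssklog\/reconfigurable.cs.berkeley.edu/arachne.berkeley.edu@BERKELEY.EDU is a two-component principal whose first component is the whole string "gssklog/reconfigurable.cs.berkeley.edu" and whose second is a hostname. That is the shape the GSS-API hostbased-service name type (RFC 2744, "service@hostname", hostname defaulting to the local host when omitted) produces when it is handed "service/host" as the service part. The script below parses both names the server logged and checks them against the keytab listing from the post; the keytab listing and the two names are copied from the post, everything else is constructed for the example. The klist -ket parser assumes principals contain no whitespace, which klist prints unquoted.

```python
"""Check whether the principal a GSS server says it wants exists in a keytab.

Added example; not code from gssklog or MIT krb5.  Input strings are copied
from the mailing-list post above, the parsing logic follows the documented
krb5 principal syntax.
"""
import re
from typing import List, Tuple

# Escapes emitted by krb5_unparse_name for control characters.  Any other
# escaped character ("\/", "\@", "\\", ...) stands for itself.
_UNESCAPE = {"n": "\n", "t": "\t", "b": "\b", "0": "\0"}


def parse_principal(name: str) -> Tuple[List[str], str]:
    """Split an unparsed Kerberos principal into (components, realm).

    Unescaped '/' separates components, the first unescaped '@' starts the
    realm, and a backslash escapes the following character.
    """
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            i += 1
            if i >= len(name):
                raise ValueError("trailing backslash in principal name")
            buf.append(_UNESCAPE.get(name[i], name[i]))
        elif c == "/" and not in_realm:
            components.append("".join(buf))
            buf = []
        elif c == "@" and not in_realm:
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(c)
        i += 1
    if in_realm:
        return components, "".join(buf)
    components.append("".join(buf))
    return components, ""


# One `klist -ket` entry: kvno, date, time, principal, "(enctype)".
# Assumes the principal has no whitespace (klist prints it unquoted).
_KLIST_LINE = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.*)\)\s*$")


def parse_klist_ket(listing: str) -> List[Tuple[int, str, str]]:
    """Return (kvno, principal, enctype) for each entry line of `klist -ket` output."""
    entries = []
    for line in listing.splitlines():
        m = _KLIST_LINE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(3), m.group(4)))
    return entries


def matching_keys(desired: str, listing: str) -> List[Tuple[int, str]]:
    """Keytab entries whose parsed principal equals the parsed `desired` name."""
    want = parse_principal(desired)
    return [(kvno, enctype) for kvno, princ, enctype in parse_klist_ket(listing)
            if parse_principal(princ) == want]


# Constructed from the `klist -ket` output shown in the post.
KEYTAB_LISTING = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/20/05 01:07:35 afs@RECONFIGURABLE.CS.BERKELEY.EDU (DES cbc mode with CRC-32)
   3 04/24/05 22:09:35 gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU (DES cbc mode with CRC-32)
"""

# The two "desired names" gssklogd logged, before and after the name-type change.
HOSTBASED_NAME = r"gssklog\/reconfigurable.cs.berkeley.edu/arachne.berkeley.edu@BERKELEY.EDU"
USER_NAME = "gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU"

if __name__ == "__main__":
    for name in (HOSTBASED_NAME, USER_NAME):
        comps, realm = parse_principal(name)
        print(f"{name}\n  components={comps} realm={realm}"
              f"\n  keytab matches={matching_keys(name, KEYTAB_LISTING)}")
```

Running it shows the first name parsing to components ["gssklog/reconfigurable.cs.berkeley.edu", "arachne.berkeley.edu"], which no keytab entry can match, while the second parses to ["gssklog", "reconfigurable.cs.berkeley.edu"] and matches the kvno 3 entry. Comparing parsed components rather than raw strings is the point: a visually similar name with a different escape or an extra host component is a different principal.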