[OpenAFS] gssklog[d] works with berkeley.edu kerberos realm, but needed a hack -- why?

Douglas E. Engert deengert@anl.gov
Wed, 27 Apr 2005 09:05:05 -0500


Adam Megacz wrote:
> So, I run a one-machine renegade AFS cell (reconfigurable.cs.berkeley.edu)
> and my own krb5kdc for a corresponding (krb5) realm.  It's nifty.
>

Looks like they let you register the principal gssklog/...@BERKELEY.EDU

> Berkeley [finally] has a campus-wide kerberos server with a principal
> for every student, which has inspired me to attempt to recreate some
> approximation of the IT nirvana I experienced as an undergrad at a
> certain university in Pittsburgh.
> 
> Anyways, if I compile the stock gssklogd-0.11 with
> 
>   ./configure --with-afs=/usr/local/  \
>               --enable-server  \
>               --with-gss-lib-name=gssapi_krb5  \
>               --with-gss-lib-dir=/usr/lib  \
>               --enable-server  \
>               --prefix=/usr/local  \
>               --with-server-extra-cflags="-DUSE_KRB5_DES -DDEBUG" \
>               --with-server-extra-ldflags=/usr/local/lib/libdes.a
>               
> and invoke
> 
>   gssklogd -E BERKELEY.EDU \
>            -E RECONFIGURABLE.CS.BERKELEY.EDU \
>            -k /etc/krb5.keytab \
>            -a /etc/openafs/server/KeyFile \
>            -s gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU \


The -s option is for the GSSAPI import name, which is not the same as
a krb5 principal name, as the gss is expecting <service>@<host>.
If the krb5 gss is being used, you should not need the -s option,
as the defaults for creating a principal will be gssklog/<host>@<realm>

It's not gssklog/<afscell>@<realm>
but     gssklog/<host of gssklogd server>@<realm>
This follows normal Kerberos conventions of host based services.

So if you have more than one gssklogd running on each of the AFS database
servers, they will each have their own principal.

You will need a principal in the realm and the keytab for
gssklog/arachne.berkeley.edu@BERKELEY.EDU
I assume that the host name of the afs/gssklogd server is arachne.berkeley.edu?
Or was your IP once assigned to arachne, and DNS needs to be updated?
In any case the principal has the hostname.

Note for AFS with gssklog, you don't need your own realm. But if
you do have users in your realm and don't use cross realm,
you may also want to add a principal to your own realm,
gssklog/arachne.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU, and to the
keytab. (Depending on the gssapi libs, gssklogd could accept connections
using either principal. I have a mode for this if needed.)

>            -G /etc/openafs/gssklog-map \
>            -d
> 
> I get this:
> 
>   len=73, name=gssklog\/reconfigurable.cs.berkeley.edu/arachne.berkeley.edu@BERKELEY.EDU
>   GSS-error acquiring credentials: major:000d0000 minor:025ea101
>   Miscellaneous failure
>   No principal in keytab matches desired name
> 
> I have *NO IDEA* what "arachne.berkeley.edu" is, or where it came from.
> 
> So I tried adding this line to both gssklogd.c and gssklog_gss.c and
> deleted the conflicting definition:
> 
>   #define my_nt_service_name GSS_C_NT_USER_NAME
> 
> Now, gssklogd starts up fine with:
> 
>   len=51, name=gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU
> 
> Just as I wanted.  So now I grab my BERKELEY.EDU tickets:
> 
>   megacz@reconfigurable:/usr/src/gssklog-0.11$kinit 16147012@BERKELEY.EDU
>   Password for 16147012@BERKELEY.EDU: 
>   megacz@reconfigurable:/usr/src/gssklog-0.11$klist
>   Ticket cache: FILE:/tmp/krb5cc_103
>   Default principal: 16147012@BERKELEY.EDU
>   Valid starting     Expires            Service principal
>   04/27/05 05:22:54  04/27/05 15:22:30  krbtgt/BERKELEY.EDU@BERKELEY.EDU
> 
> and try to gssklog myself with this command:
> 
>   ./gssklog -principal 16147012@BERKELEY.EDU \
>             -cell reconfigurable.cs.berkeley.edu \
>             -server reconfigurable.cs.berkeley.edu

This will expect the server to be running as:
  gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU
(assuming default realm or realm from [domain_realm]
is BERKELEY.EDU.)

> 
> but I get this:
> 
>   Client:
> 
>     GSS-error init_sec_context failed: major:000d0000 minor:00000000
>     Miscellaneous failure
>     No error
>     Failed code = 2
>   
>   Server:
> 
>     N handle_connections: got connection, s = 5
>     N run_acceptor: initiated on 5
>     E receive_message(): Incorrect buf_size read: [0]
>     GSS-error accepting credentials: major_status:01090000 minor_status:00000000
>     A token was invalid
>     A required input parameter could not be read
>     No error
>     reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
>     Wed Apr 27 05:23:03 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
>     N handle_connections: Listening for next.
> 
> On a lark, I tried forcing the server_name by adding this to
> the top of gssklog_gss_init_sec_context() in gssklog_gss.c:
> 
>   service_princ_name = "gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU";


Yes, as long as the client and server agree on the principal name, and you have
it registered in the realm and keytab, it will work.

>     
> Recompile, restart gssklogd, and everything works perfectly.  I can
> gssklog myself, the principal gets mapped to the right local afs user,
> and I can get tokens and manipulate the filesystem just as I ought to
> be able to.
> 
>   Client:
> 
>     megacz@reconfigurable:/usr/src/gssklog-0.11$tokens
>     Tokens held by the Cache Manager:
>     User's (AFS ID 5) tokens for afs@reconfigurable.cs.berkeley.edu [Expires Apr 27 15:22]
>        --End of list--
> 
>   Server:
> 
>     N handle_connections: got connection, s = 5
>     N run_acceptor: initiated on 5
>     N run_acceptor: calling gss_accept_sec_context
>     N run_acceptor: sending output token: [114]
>     N run_acceptor: security context accepted
>     N: client_name:16147012@BERKELEY.EDU
>     Looking in gridmap for 16147012@BERKELEY.EDU : 16147012
>     globus_gss_assist_userok: 16147012@BERKELEY.EDU:16147012
>     from env:/etc/openafs/gssklog-map
>     gridmap_default_path:/etc/openafs/gssklog-map
>     gridmap fopen returned OK
>     line="16147012@BERKELEY.EDU" megacz
>     gline->dn:16147012@BERKELEY.EDU
>     gline->userid:megacz
>     cname=16147012 cell=reconfigurable.cs.berkeley.edu rl=0 gl=35707
>     Times:startTime=1114579643,endTime=1114615350,glife=35707,rlife=35707
>     Wed Apr 27 05:27:23 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] AFS token for 16147012 to 16147012@BERKELEY.EDU
>     N run_acceptor: security context being shutdown
>     N handle_connections: Listening for next.
> 
> So, the big question of the day is, why did I need to add these two
> hacks?  Should I have configured something differently in order to not
> need them?
> 

Answer: Misunderstanding of the -s option and the principals used by default.

> Relevant configuration stuff follows...
>   
> Thanks for any help you guys can offer!
> 
>   - a
> 
> 
> ______________________________________________________________________________
> My keytab (/etc/krb5.keytab)
> 
> root@reconfigurable:~#klist -ket
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 04/20/05 01:07:35 afs@RECONFIGURABLE.CS.BERKELEY.EDU (DES cbc mode with CRC-32) 
>    3 04/24/05 22:09:35 gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU (DES cbc mode with CRC-32) 
> 
> 
> ______________________________________________________________________________
> Debian packages I'm using:
> 
> megacz@reconfigurable:~$dpkg -l | grep '\(afs\|krb\|gss\)'
> ii  krb5-admin-ser 1.3.6-3        MIT Kerberos master server (kadmind)
> ii  krb5-clients   1.3.6-3        Secure replacements for ftp, telnet and rsh 
> ii  krb5-config    1.6            Configuration files for Kerberos Version 5
> ii  krb5-kdc       1.3.6-3        MIT Kerberos key server (KDC)
> ii  krb5-user      1.3.6-3        Basic programs to authenticate using MIT Ker
> ii  libkrb5-dev    1.3.6-3        Headers and development libraries for MIT Ke
> ii  libkrb53       1.3.6-3        MIT Kerberos runtime libraries
> ii  libopenafs-dev 1.3.81-3       The AFS distributed filesystem- development 
> ii  openafs-client 1.3.81-3       The AFS distributed filesystem- client suppo
> ii  openafs-dbserv 1.3.81-3       The AFS distributed filesystem- database ser
> ii  openafs-filese 1.3.81-3       The AFS distributed filesystem- file server
> ii  openafs-krb5   1.3-10         The AFS distributed filesystem- Kerberos 5 I
> ii  openafs-module 1.3.81-3       The AFS distributed filesystem- Module Sourc
> 
> ______________________________________________________________________________
> /etc/krb5.conf:
> 
> [libdefaults]
> 	default_realm = RECONFIGURABLE.CS.BERKELEY.EDU
> 	krb4_config = /etc/krb.conf
> 	krb4_realms = /etc/krb.realms
> 	kdc_timesync = 1
> 	ccache_type = 4
> 	forwardable = true
> 	proxiable = true
> 
> [realms]
>         BERKELEY.EDU = {
>             kdc = kerberos.berkeley.edu:88
>             kdc = kerberos-1.berkeley.edu:88
>             admin_server = kerberos.berkeley.edu
>             default_domain = berkeley.edu
>         }
>         EECS.BERKELEY.EDU = {
>             kdc = kerberos1.CS.Berkeley.EDU
>             kdc = kerberos2.EECS.Berkeley.EDU
>             admin_server = kerberos1.CS.Berkeley.EDU
>             default_domain = cs.berkeley.edu
>         }
> 	RECONFIGURABLE.CS.BERKELEY.EDU = {
> 		kdc = reconfigurable.cs.berkeley.edu:88
> 		admin_server = reconfigurable.cs.berkeley.edu
> 		default_domain = reconfigurable.cs.berkeley.edu
> 	}
> 
> [domain_realm]
> 	.reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
> 	reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
>         .berkeley.edu = BERKELEY.EDU
>         .net.berkeley.edu = BERKELEY.EDU
>         .hip.berkeley.edu = BERKELEY.EDU
>         .cs.berkeley.edu = EECS.BERKELEY.EDU
>         .eecs.berkeley.edu = EECS.BERKELEY.EDU
>         .bmrc.berkeley.edu = EECS.BERKELEY.EDU
>         .coe.berkeley.edu = EECS.BERKELEY.EDU                                                                                 
> 
> [login]
> 	krb4_convert = true
> 	krb4_get_tickets = true
> 
> [logging]
>         kdc = FILE:/var/log/krb5kdc.log
>         admin_server = FILE:/var/log/kadmin.log
>         default = FILE:/var/log/krb5lib.log
> 
> [appdefaults]
>         autologin = true
>         forward = true
>         krb5_aklog_path = /usr/bin/aklog
> 
>         login = {
>                 forwardable = true
>                 krb5_run_aklog = true
>                 krb5_get_tickets = true
>                 krb4_get_tickets = false
>                 krb4_convert = false
>         }
>         kinit = {
>                 forwardable = true
>                 krb5_run_aklog = true
>         }
>         sshd = {
>                 forwardable = true
>                 krb5_run_aklog = true
>                 krb5_get_tickets = true
>         }
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
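
An added illustration, not part of the original thread or of the gssklog source: a simplified C model of how a krb5 GSSAPI library turns a host-based service import name (<service>@<host>) into a principal, run on the -s value from the post. The function names are hypothetical, and the canonicalization of berkeley.edu to arachne.berkeley.edu is an assumption chosen to match the quoted debug output; the [domain_realm] entries and keytab entry are taken from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for DNS canonicalization (assumption, not from the page). */
static const char *CANON[][2] = { {"berkeley.edu", "arachne.berkeley.edu"} };
/* Subset of the [domain_realm] section quoted in the post. */
static const char *DOMAIN_REALM[][2] = {
    {"reconfigurable.cs.berkeley.edu", "RECONFIGURABLE.CS.BERKELEY.EDU"},
    {".cs.berkeley.edu", "EECS.BERKELEY.EDU"}, {".berkeley.edu", "BERKELEY.EDU"} };
/* The gssklog entry from the keytab listing in the post. */
static const char *KEYTAB_ENTRY = "gssklog/reconfigurable.cs.berkeley.edu@BERKELEY.EDU";

/* Exact host entry first, then progressively shorter ".domain" suffixes. */
static const char *realm_for(const char *host) {
    for (const char *p = host; p && *p; p = strchr(p + 1, '.'))
        for (size_t i = 0; i < sizeof DOMAIN_REALM / sizeof *DOMAIN_REALM; i++)
            if (strcmp(p, DOMAIN_REALM[i][0]) == 0) return DOMAIN_REALM[i][1];
    return "";
}

/* Simplified model: import NAME as service@host and write the krb5 principal
 * string to OUT. Returns its length, or -1 on malformed or oversized input. */
int hostbased_to_principal(const char *name, char *out, size_t outlen) {
    char host[256], svc[256];
    const char *at = strchr(name, '@');
    size_t n = 0;
    if (!at || at == name || !at[1] || strlen(at + 1) >= sizeof host) return -1;
    for (const char *p = name; p < at; p++) {  /* service: '/' is data, escape it */
        if (n + 2 >= sizeof svc) return -1;
        if (*p == '/') svc[n++] = '\\';
        svc[n++] = *p;
    }
    svc[n] = '\0';
    for (n = 0; at[1 + n]; n++)                /* host: lower-case first */
        host[n] = (char)tolower((unsigned char)at[1 + n]);
    host[n] = '\0';
    for (size_t i = 0; i < sizeof CANON / sizeof *CANON; i++)  /* then canonicalize */
        if (strcmp(host, CANON[i][0]) == 0) strcpy(host, CANON[i][1]);
    int len = snprintf(out, outlen, "%s/%s@%s", svc, host, realm_for(host));
    return (len < 0 || (size_t)len >= outlen) ? -1 : len;
}
int in_keytab(const char *princ) { return strcmp(princ, KEYTAB_ENTRY) == 0; }

int main(void) {
    char buf[512];
    int len = hostbased_to_principal(KEYTAB_ENTRY, buf, sizeof buf);
    printf("len=%d, name=%s, in keytab: %d\n", len, buf, in_keytab(buf));
    return 0;
}
```

Under this model, feeding the krb5 principal string in as a host-based name reproduces the len=73 name from the debug output, which is why no keytab entry matched.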