[OpenAFS] Mapping btw. AFS tokens and Kerberos tickets (Heimdal)
Florian Daniel Otel
florian.otel@gmail.com
Tue, 8 Nov 2005 18:03:03 +0100
All,
Disclaimer: Since this is my first posting to this list (hello all!) I
might be missing something obvious. Thanks in advance for the patience
and/or pointers to appropriate resources (even though I google quite a
bit before posting...)
My problem: I am trying to set up a Heimdal Kerberos5 / OpenAFS setup
and apparently I am not able to get right the mapping between AFS
users and Kerberos principals: While I can get tickets from the KDC,
"bos" and "ptserver" are not able to authenticate the user based on
those credentials, i.e. translate between Kerberos tickets and AFS tokens
(??). I am also a bit confused about the output of "aklog" and
"afslog" and when I need which and for what (TIA for any
explanation):
Two examples (see detailed command output below):
1) The principal for administering "bos" is "florian/admin". Even
though this principal exists, can get tickets and is listed as such in
"bos listusers" (i.e. "/etc/openafs/UserList",
"/etc/openafs/server/UserList"), any "bos restart" or commands
requiring administrative privileges fail. Some other times when
performing "bos status" or similar, "bos" returns "bos: no such
entry (getting tickets)" (?!?!?!).
2) Ditto for the same principal with "ptserver" and ACLs. While that
principal has been "pts create"d and added to the "system:administrators" group,
it is not allowed to do anything, e.g. getting/setting ACLs. The only
thing that worked was creating a Kerberos principal called "admin" (is
this a built-in administrator in "pts" ??) and using that one to issue
"pts" commands and to get/set ACLs.
My questions:
1) Are there any special settings needed in "/etc/krb5.conf" and/or
"/var/lib/heimdal/kdc.conf" to get this mapping working ?
2) When and how does one use "aklog" and "afslog" and how can one
check the mapping btw. Kerberos tickets and AFS tokens ?
Thanks in advance for any help in clearing up the confusion.
Florian
P.S. In both examples below the system is Debian/Sarge 3.1r0a,
running stock Heimdal 0.6.3, openafs 1.3.81 and openafs-krb5 1.3.10-1.
"DOMAIN.COM" (my Kerberos realm) and "domain.com" (my DNS domain) are
identical.
Example 1) bos commands
kdc-hostname:~# kinit florian/admin
florian/admin@DOMAIN.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
kdc-hostname:~# klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: florian/admin@DOMAIN.COM
Issued Expires Principal
Nov 8 17:58:33 Nov 9 03:58:33 krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 8 17:58:33 Nov 9 03:58:33 krbtgt/DOMAIN.COM@DOMAIN.COM
Nov 8 17:58:33 Nov 9 03:58:33 afs@DOMAIN.COM
V4-ticket file: /tmp/tkt0
Principal: florian.admin@DOMAIN.COM
Issued Expires Principal
Nov 8 17:58:33 Nov 9 03:58:33 krbtgt.DOMAIN.COM@DOMAIN.COM
kdc-hostname:~# aklog -d
Authenticating to cell domain.com (server kdc-hostname.domain.com).
We've deduced that we need to authenticate to realm DOMAIN.COM.
Getting tickets: afs/domain.com@DOMAIN.COM
Identical tokens already exist; skipping.
kdc-hostname:~# tokens
Tokens held by the Cache Manager:
Tokens for afs@domain.com [Expires Nov 8 08:46]
--End of list--
kdc-hostname:~# bos listusers localhost -localauth
SUsers are: florian/admin
kdc-hostname:~# bos restart localhost vlserver
bos: failed to restart instance vlserver (you are not authorized for
this operation)
Relevant parts of "strace"-ing the above command:
[...]
sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007), sin_addr=inet_addr("127.0.0.1")}, msg_iov(2)=[{"\211{Q\6\373G7\264\0\0\0\1\0\0\0\1\0\0\0\1\1\5\0\2&\t\0"..., 28}, {"\0\0\0h\0\0\0\10vlserver", 16}], msg_controllen=0, msg_flags=0}, 0) = 44
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 985718}}) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 985718}}) = 0
gettimeofday({1131400433, 740910}, NULL) = 0
gettimeofday({1131400433, 741060}, NULL) = 0
select(4, [3], NULL, NULL, {1, 998850}) = 1 (in [3], left {1, 999000})
recvmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007), sin_addr=inet_addr("127.0.0.1")}, msg_iov(7)=[{"\211{Q\6\373G7\264\0\0\0\0\0\0\0\0\0\0\0\1\6\0\0\2\0\0"..., 28}, {"\0\0\0\2\25\376\234B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1420}], msg_controllen=0, msg_flags=0}, 0) = 44
sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007), sin_addr=inet_addr("127.0.0.1")}, msg_iov(2)=[{"\211{Q\6\373G7\264\0\0\0\0\0\0\0\0\0\0\0\2\7\1\0\2\0\0"..., 28}, {"\0\0\0\2\0\0\0\0\f\241\206\271\252\320\203-s\377m\311\273"..., 275}], msg_controllen=0, msg_flags=0}, 0) = 303
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 984719}}) = 0
gettimeofday({1131400433, 742303}, NULL) = 0
select(4, [3], NULL, NULL, {1, 996758}) = 1 (in [3], left {1, 997000})
recvmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007), sin_addr=inet_addr("127.0.0.1")}, msg_iov(7)=[{"\211{Q\6\373G7\264\0\0\0\1\0\0\0\0\0\0\0\2\4\0\0\2\0\0"..., 28}, {"\0\0\232\6\0\0\0\0\f\241\206\271\252\320\203-s\377m\311"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1420}], msg_controllen=0, msg_flags=0}, 0) = 32
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 982719}}) = 0
getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 982719}}) = 0
fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e15000
write(1, "bos: failed to restart instance "..., 85bos: failed to restart instance vlserver (you are not authorized for this operation)
[...]
The only "suspicious" entry in the logs per se is from the "fileserver" process:
kdc-hostname:/var/log/openafs# cat FileLog
Mon Nov 7 22:45:25 2005 File server starting
Mon Nov 7 22:45:25 2005 afs_krb_get_lrealm failed, using domain.com.
Mon Nov 7 22:45:25 2005 VL_RegisterAddrs rpc failed; will retry periodically (code=5376, err=2)
Mon Nov 7 22:45:26 2005 Set thread id 14 for FSYNC_sync
....
Example 2) ptserver problem
As above, even though "florian/admin@DOMAIN.COM" was the intended
principal to be a member of the "system:administrators" group, the only
one that works (after a fashion) is the "admin@DOMAIN.COM" principal that
I added only afterwards.
- With "admin@DOMAIN.COM":
[...]
florian@kdc-hostname:~$ kinit admin
admin@DOMAIN.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
florian@kdc-hostname:~$ aklog -d
Authenticating to cell domain.com (server kdc-hostname.domain.com).
We've deduced that we need to authenticate to realm DOMAIN.COM.
Getting tickets: afs/domain.com@DOMAIN.COM
Identical tokens already exist; skipping.
florian@kdc-hostname:~$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 1000) tokens for afs@domain.com [Expires Nov 8 09:00]
--End of list--
florian@kdc-hostname:~$ pts membership system:administrators
Members of system:administrators (id: -204) are:
florian/admin
admin
florian@kdc-hostname:~$ pts examine florian/admin
Name: florian/admin, id: 1, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
florian@kdc-hostname:~$ pts examine admin
Name: admin, id: 3, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
florian@kdc-hostname:~$ pts listentries -users
Name ID Owner Creator
anonymous 32766 -204 -204
florian/admin 1 -204 32766
florian 2 -204 32766
admin 3 -204 32766
florian@kdc-hostname:~$ fs listacl /afs/domain.com/
Access list for /afs/domain.com/ is
Normal rights:
system:administrators rlidwka
system:anyuser rl
[...]
However, trying to use "florian/admin" instead doesn't work. Note
also that the output of the "tokens" command does not show any "AFS
ID" like the one for "admin" above (!?!?!).
[...]
kdc-hostname:~# kinit florian/admin
florian/admin@DOMAIN.COM's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
kdc-hostname:~# tokens
Tokens held by the Cache Manager:
Tokens for afs@domain.com [Expires Nov 8 09:04]
--End of list--
kdc-hostname:~# pts membership "system:administrators"
pts: Permission denied ; unable to get membership of
system:administrators (id: -204)
kdc-hostname:~# pts examine florian/admin
pts: Permission denied ; unable to find entry for (id: 1)
kdc-hostname:~# fs setacl /afs/domain.com/ system:anyuser rl
fs: You don't have the required access rights on '/afs/domain.com/'
[...]
========== /etc/krb5.conf ==========
[libdefaults]
default_realm = DOMAIN.COM
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# Get Kerberos 4 tickets
krb4_get_tickets = true
v4_instance_resolve = true
v4_name_convert = {
    host = {
        rcmd = host
        ftp = ftp
    }
}
[realms]
DOMAIN.COM = {
    kdc = kdc-hostname.domain.com.
    admin_server = kdc-hostname.domain.com.
}
[kdc]
use_2b = {
    afs@DOMAIN.COM = true
    afs/DOMAIN.COM@DOMAIN.COM = true
}
[domain_realm]
.domain.com = DOMAIN.COM
# This below is for kerberos-enabled login.
[login]
krb4_convert = true
krb4_get_tickets = true
========= /var/lib/heimdal-kdc/kdc.conf ============
[kdc]
logging = FILE:/var/log/heimdal-kdc.log
# respond to Kerberos 4 requests
enable-kerberos4 = true
# respond to 524 requests
enable-524 = true
v4-realm = DOMAIN.COM
# Enable kaserver emulation (in case it's compiled in).
enable-kaserver = true
# [kadmin]
# default_keys = list of strings
# Maybe this will help ?
default_keys = v4 v5 afs3-salt:domain.com
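An added example (not from the original post or from OpenAFS itself) of the name-mapping rule that the question above turns on: the AFS name that aklog presents to bos/pts for a Kerberos 5 principal in the cell's own realm is the Kerberos 4 form (instance separated by "." rather than "/"), which is why "klist" above shows "florian.admin" in the V4 ticket file. The helper functions, the lower-cased "@realm" suffix for foreign principals and the sample "pts listentries -users" output are assumptions of this example.

```python
import re

# Constructed sample, shaped like the post's "pts listentries -users" output.
PTS_LISTENTRIES = """\
Name ID Owner Creator
anonymous 32766 -204 -204
florian/admin 1 -204 32766
florian 2 -204 32766
admin 3 -204 32766
"""

def afs_name_for_principal(principal: str, local_realm: str) -> str:
    """Name under which an aklog token for this principal is presented to
    bos/pts.  Rule: in the cell's own realm, 'user/instance' becomes
    'user.instance' (the Kerberos 4 form visible in 'klist' above);
    a foreign realm is kept as '@realm', lower-cased (assumption)."""
    name, _, realm = principal.partition("@")
    realm = realm or local_realm
    parts = name.split("/")
    if len(parts) > 2 or not all(parts):
        raise ValueError(f"not representable as an AFS name: {principal!r}")
    afs_name = ".".join(parts)
    if realm.upper() != local_realm.upper():
        afs_name += "@" + realm.lower()
    return afs_name

def pts_user_names(listentries_output: str) -> list:
    """Extract the Name column from 'pts listentries -users' output."""
    names = []
    for line in listentries_output.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) == 4 and re.fullmatch(r"-?\d+", cols[1]):
            names.append(cols[0])
    return names

def unmatchable_entries(names) -> list:
    """Entries containing '/', which no aklog-derived name ever contains,
    paired with the spelling a token would actually match."""
    return [(n, n.replace("/", ".")) for n in names if "/" in n]

def principal_is_recognised(principal: str, local_realm: str, names) -> bool:
    """Would a token from 'kinit <principal>' + 'aklog' match an entry?"""
    return afs_name_for_principal(principal, local_realm) in names

if __name__ == "__main__":
    names = pts_user_names(PTS_LISTENTRIES)
    for bad, good in unmatchable_entries(names):
        print(f"entry {bad!r} can never match a token; expected {good!r}")
    print(principal_is_recognised("florian/admin@DOMAIN.COM", "DOMAIN.COM", names))
```

The same check applies to the names in "/etc/openafs/server/UserList" that "bos listusers" prints.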