[OpenAFS] Re: Mapping btw. AFS tokens and Kerberos tickets (Heimdal)
Florian Daniel Otel
florian.otel@gmail.com
Tue, 8 Nov 2005 22:30:23 +0100
All,
After some more digging I narrowed down the problem to aklog. The
problem is that apparently "aklog" does some translation on the
Kerberos principal name.
In particular, if the Kerberos principal contains a "/" -- like e.g.
"florian/admin", aklog actually tries to resolve "florian.admin"
instead (which doesn't exist in the cell) and thus resolves it as ID 32766
(i.e. "anonymous").
kdc-hostname:~# kauth florian/admin
florian/admin@DOMAIN.COM's Password:
kauth: NOTICE: ticket renewable lifetime is 1 week
kdc-hostname:~# aklog -d -force
Authenticating to cell domain.com (server kdc-hostname.domain.com).
We've deduced that we need to authenticate to realm DOMAIN.COM.
Getting tickets: afs/domain.com@DOMAIN.COM
About to resolve name florian.admin to id in cell domain.com.
Id 32766
Set username to florian.admin
Setting tokens. florian.admin / @ DOMAIN.COM
kdc-hostname:~# tokens
Tokens held by the Cache Manager:
Tokens for afs@domain.com [Expires Nov 9 07:09]
--End of list--
The only question remaining is: "Is this a feature or a bug?" i.e. is
this intentional, and/or is there anything I can do to fix this and still have
AFS usernames containing "/" characters?
TIA,
Florian
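As an added illustration (not code from the post, from OpenAFS or from Heimdal), here is a small Python model of the name translation described above: the Kerberos 5 principal is reduced to its Kerberos 4 form, in which the "/" between name and instance becomes ".", and that dotted name is then looked up in the ptserver. The assumption that aklog works from the Kerberos 4 form is the author's own inference from the klist output, which shows the V4 ticket principal as florian.admin@DOMAIN.COM; the pts table is transcribed from the "pts listentries -users" output quoted below. The `check_principals` helper is hypothetical and exists only to show an administrator how to spot principals whose tokens would end up with the anonymous id.

```python
"""Model of the principal-name translation the post observes in aklog.

Added example, not code from the post or from OpenAFS/Heimdal.  It assumes
(as the klist output in the post suggests, where the V4 ticket file lists the
principal as florian.admin@DOMAIN.COM) that aklog derives the AFS user name
from the Kerberos 4 form of the principal, in which the "/" between the
Kerberos 5 name and instance becomes ".".  The pts table is transcribed
from the post's "pts listentries -users" output.
"""

ANONYMOUS_ID = 32766  # id aklog reports for a name the ptserver does not know

# Constructed from the post's "pts listentries -users" output.
PTS_USERS = {
    "anonymous": 32766,
    "florian/admin": 1,
    "florian": 2,
    "admin": 3,
}


def split_principal(principal):
    """Split 'name/instance@REALM' into (components, realm); realm may be ''."""
    name, _, realm = principal.partition("@")
    return name.split("/"), realm


def v5_to_v4_name(principal):
    """Kerberos 4 form of the principal name (assumed aklog behaviour).

    Kerberos 4 knows only a name and an optional instance, joined by ".",
    so a principal with more than two components has no V4 form (None).
    """
    components, _realm = split_principal(principal)
    if len(components) > 2:
        return None
    return ".".join(components)


def resolve_afs_id(principal, pts_users=PTS_USERS):
    """Model of aklog's lookup: convert to the V4 form, resolve it in pts,
    and fall back to the anonymous id when that name has no pts entry."""
    afs_name = v5_to_v4_name(principal)
    if afs_name is None:
        return None, ANONYMOUS_ID
    return afs_name, pts_users.get(afs_name, ANONYMOUS_ID)


def check_principals(principals, pts_users=PTS_USERS):
    """Hypothetical audit helper: for each principal, report the name aklog
    would look up, the id it would get, and whether the resulting token
    carries no AFS identity (the 'no AFS ID in tokens' symptom in the post)."""
    report = {}
    for principal in principals:
        afs_name, afs_id = resolve_afs_id(principal, pts_users)
        report[principal] = {
            "looked_up_as": afs_name,
            "afs_id": afs_id,
            "anonymous": afs_id == ANONYMOUS_ID,
        }
    return report


if __name__ == "__main__":
    rows = check_principals(
        ["florian/admin@DOMAIN.COM", "admin@DOMAIN.COM", "florian@DOMAIN.COM"]
    )
    for principal, row in rows.items():
        note = "(anonymous: no AFS identity)" if row["anonymous"] else ""
        print(f"{principal:28} -> {row['looked_up_as']!s:16} "
              f"id={row['afs_id']:5} {note}")
```

Run stand-alone, the model reproduces the observation in the post: florian/admin@DOMAIN.COM is looked up as florian.admin and lands on id 32766, while admin@DOMAIN.COM resolves to id 3. The same check, run over every principal that is expected to hold administrative rights, flags in advance which ones would be silently downgraded to anonymous.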
On 11/8/05, Florian Daniel Otel <florian.otel@gmail.com> wrote:
> All,
>
>
> Disclaimer: Since this is my first posting to this list (hello all!) I
> might be missing something obvious. Thanks in advance for the patience
> and/or pointers to appropriate resources (even though I google quite a
> bit before posting...)
>
>
> My problem: I am trying to set up a Heimdal Kerberos5 / OpenAFS setup
> and apparently I am not able to get the mapping between AFS
> users and Kerberos principals right: While I can get tickets from the KDC,
> "bos" and "ptserver" are not able to authenticate the user based on
> those certificates i.e. translate btw. Kerberos tickets and AFS tokens
> (??). I am also a bit confused about the output of "aklog" and
> "afslog" and when I need which and for what (TIA for any
> explanation):
>
> Two examples (see detailed command output below):
>
> 1) The principal for administering "bos" is "florian/admin". Even
> though this principal exists, can get tickets and is listed as such in
> "bos listusers" (i.e. "/etc/openafs/UserList",
> "/etc/openafs/server/UserList"), any "bos restart" or commands
> requiring administrative privileges fail. Some other times when
> performing "bos status" or similar, "bos" returns "bos: no such
> entry (getting tickets)" (?!?!?!).
>
> 2) Ditto for the same principal with "ptserver" and ACLs. While that
> principal is "pts create"d and is added to the "system:administrators" group,
> it is not allowed to do anything, e.g. getting/setting ACLs. The only
> thing that worked was creating a Kerberos principal called "admin" (is
> this a built-in administrator in "pts" ??) and using that one to issue
> "pts" commands and getting/setting ACL commands
>
>
> My questions:
>
> 1) Are there any special settings needed in "/etc/krb5.conf" and/or
> "/var/lib/heimdal/kdc.conf" to get this mapping working ?
>
> 2) When and how does one use "aklog" and "afslog" and how can one
> check the mapping btw. Kerberos tickets and AFS tokens ?
>
>
> Thanks in advance for any help in clearing up the confusion
>
>
> Florian
>
>
> P.S. In both examples below the system is Debian/Sarge 3.1r0a,
> running stock Heimdal 0.6.3, openafs 1.3.81 and openafs-krb5 1.3.10-1
>
> "DOMAIN.COM" (my Kerberos realm) and "domain.com" (my DNS domain) are
> identical.
>
>
> Example 1) bos commands
>
> kdc-hostname:~# kinit florian/admin
> florian/admin@DOMAIN.COM's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> kdc-hostname:~# klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: florian/admin@DOMAIN.COM
>
> Issued Expires Principal
> Nov 8 17:58:33 Nov 9 03:58:33 krbtgt/DOMAIN.COM@DOMAIN.COM
> Nov 8 17:58:33 Nov 9 03:58:33 krbtgt/DOMAIN.COM@DOMAIN.COM
> Nov 8 17:58:33 Nov 9 03:58:33 afs@DOMAIN.COM
>
> V4-ticket file: /tmp/tkt0
> Principal: florian.admin@DOMAIN.COM
>
> Issued Expires Principal
> Nov 8 17:58:33 Nov 9 03:58:33 krbtgt.DOMAIN.COM@DOMAIN.COM
>
>
>
> kdc-hostname:~# aklog -d
> Authenticating to cell domain.com (server kdc-hostname.domain.com).
> We've deduced that we need to authenticate to realm DOMAIN.COM.
> Getting tickets: afs/domain.com@DOMAIN.COM
> Identical tokens already exist; skipping.
>
>
> kdc-hostname:~# tokens
>
> Tokens held by the Cache Manager:
>
> Tokens for afs@domain.com [Expires Nov 8 08:46]
> --End of list--
>
>
> kdc-hostname:~# bos listusers localhost -localauth
> SUsers are: florian/admin
>
> kdc-hostname:~# bos restart localhost vlserver
> bos: failed to restart instance vlserver (you are not authorized for
> this operation)
>
> Relevant parts of "strace"ing the above command:
> [...]sendmsg(3, {msg_name(16)={sa_family=AF_INET,
> sin_port=htons(7007), sin_addr=inet_addr("127.0.0.1")},
> msg_iov(2)=[{"\211{Q\6\373G7\264\0\0\0\1\0\0\0\1\0\0\0\1\1\5\0\2&\t\0"...,
> 28}, {"\0\0\0h\0\0\0\10vlserver", 16}], msg_controllen=0,
> msg_flags=0}, 0) = 44
> getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 985718}}) = 0
> getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 985718}}) = 0
> gettimeofday({1131400433, 740910}, NULL) = 0
> gettimeofday({1131400433, 741060}, NULL) = 0
> select(4, [3], NULL, NULL, {1, 998850}) = 1 (in [3], left {1, 999000})
> recvmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007),
> sin_addr=inet_addr("127.0.0.1")},
> msg_iov(7)=[{"\211{Q\6\373G7\264\0\0\0\0\0\0\0\0\0\0\0\1\6\0\0\2\0\0"...,
> 28}, {"\0\0\0\2\25\376\234B\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1416}, {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"...,
> 1420}], msg_controllen=0, msg_flags=0}, 0) = 44
> sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007),
> sin_addr=inet_addr("127.0.0.1")},
> msg_iov(2)=[{"\211{Q\6\373G7\264\0\0\0\0\0\0\0\0\0\0\0\2\7\1\0\2\0\0"...,
> 28}, {"\0\0\0\2\0\0\0\0\f\241\206\271\252\320\203-s\377m\311\273"...,
> 275}], msg_controllen=0, msg_flags=0}, 0) = 303
> getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 984719}}) = 0
> gettimeofday({1131400433, 742303}, NULL) = 0
> select(4, [3], NULL, NULL, {1, 996758}) = 1 (in [3], left {1, 997000})
> recvmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7007),
> sin_addr=inet_addr("127.0.0.1")},
> msg_iov(7)=[{"\211{Q\6\373G7\264\0\0\0\1\0\0\0\0\0\0\0\2\4\0\0\2\0\0"...,
> 28}, {"\0\0\232\6\0\0\0\0\f\241\206\271\252\320\203-s\377m\311"..., 1416},
> {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416},
> {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416},
> {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416},
> {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1416},
> {"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1420}], msg_controllen=0, msg_flags=0}, 0) = 32
> getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 982719}}) = 0
> getitimer(ITIMER_REAL, {it_interval={0, 0}, it_value={3599, 982719}}) = 0
> fstat64(1, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
> mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1,
> 0) = 0xb7e15000
> write(1, "bos: failed to restart instance "..., 85bos: failed to
> restart instance vlserver (you are not authorized for this operation)
> [...]
>
>
> The only "suspicious" entry in the logs per se is from the "fileserver" process:
>
> kdc-hostname:/var/log/openafs# cat FileLog
> Mon Nov 7 22:45:25 2005 File server starting
> Mon Nov 7 22:45:25 2005 afs_krb_get_lrealm failed, using domain.com.
> Mon Nov 7 22:45:25 2005 VL_RegisterAddrs rpc failed; will retry
> periodically (code=5376, err=2)
> Mon Nov 7 22:45:26 2005 Set thread id 14 for FSYNC_sync
> ....
>
>
> Example 2) ptserver problem
>
> As above, even though "florian/admin@DOMAIN.COM" was the intended
> principal to be a member of the "system:administrators" group, the only
> one that works (after a fashion) is the "admin@DOMAIN.COM" principal that
> I added only afterwards.
>
>
> - With "admin@DOMAIN.COM":
>
> [...]
> florian@kdc-hostname:~$ kinit admin
> admin@DOMAIN.COM's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> florian@kdc-hostname:~$ aklog -d
> Authenticating to cell domain.com (server kdc-hostname.domain.com).
> We've deduced that we need to authenticate to realm DOMAIN.COM.
> Getting tickets: afs/domain.com@DOMAIN.COM
> Identical tokens already exist; skipping.
> florian@kdc-hostname:~$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1000) tokens for afs@domain.com [Expires Nov 8 09:00]
> --End of list--
>
> florian@kdc-hostname:~$ pts membership system:administrators
> Members of system:administrators (id: -204) are:
> florian/admin
> admin
>
> florian@kdc-hostname:~$ pts examine florian/admin
> Name: florian/admin, id: 1, owner: system:administrators, creator: anonymous,
> membership: 1, flags: S----, group quota: unlimited.
>
>
> florian@kdc-hostname:~$ pts examine admin
> Name: admin, id: 3, owner: system:administrators, creator: anonymous,
> membership: 1, flags: S----, group quota: unlimited.
>
> florian@kdc-hostname:~$ pts listentries -users
> Name ID Owner Creator
> anonymous 32766 -204 -204
> florian/admin 1 -204 32766
> florian 2 -204 32766
> admin 3 -204 32766
>
>
> florian@kdc-hostname:~$ fs listacl /afs/domain.com/
> Access list for /afs/domain.com/ is
> Normal rights:
> system:administrators rlidwka
> system:anyuser rl
> [...]
>
>
> However, trying to use "florian/admin" instead doesn't work. Note
> also that the output of the "tokens" command does not output any "AFS
> ID" as the one for "admin" above (!?!?!).
>
> [...]
> kdc-hostname:~# kinit florian/admin
> florian/admin@DOMAIN.COM's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> kdc-hostname:~# tokens
>
> Tokens held by the Cache Manager:
>
> Tokens for afs@domain.com [Expires Nov 8 09:04]
> --End of list--
>
> kdc-hostname:~# pts membership "system:administrators"
> pts: Permission denied ; unable to get membership of
> system:administrators (id: -204)
>
> kdc-hostname:~# pts examine florian/admin
> pts: Permission denied ; unable to find entry for (id: 1)
>
>
> kdc-hostname:~# fs setacl /afs/domain.com/ system:anyuser rl
> fs: You don't have the required access rights on '/afs/domain.com/'
> [...]
>
>
>
> ========== /etc/krb5.conf ==========
> [libdefaults]
>     default_realm = DOMAIN.COM
>     # The following krb5.conf variables are only for MIT Kerberos.
>     krb4_config = /etc/krb.conf
>     krb4_realms = /etc/krb.realms
>     kdc_timesync = 1
>     ccache_type = 4
>     forwardable = true
>     proxiable = true
>     # Get Kerberos 4 tickets
>     krb4_get_tickets = true
>
>     v4_instance_resolve = true
>     v4_name_convert = {
>         host = {
>             rcmd = host
>             ftp = ftp
>         }
>     }
>
> [realms]
>     DOMAIN.COM = {
>         kdc = kdc-hostname.domain.com.
>         admin_server = kdc-hostname.domain.com.
>     }
>
> [kdc]
>     use_2b = {
>         afs@DOMAIN.COM = true
>         afs/DOMAIN.COM@DOMAIN.COM = true
>     }
>
> [domain_realm]
>     .domain.com = DOMAIN.COM
>
> # This below is for kerberos-enabled login.
> [login]
>     krb4_convert = true
>     krb4_get_tickets = true
>
>
> ========= /var/lib/heimdal-kdc/kdc.conf ============
>
> [kdc]
>     logging = FILE:/var/log/heimdal-kdc.log
>
>     # respond to Kerberos 4 requests
>     enable-kerberos4 = true
>
>     # respond to 524 requests
>     enable-524 = true
>
>     v4-realm = DOMAIN.COM
>
>     # Enable kaserver emulation (in case it's compiled in).
>     enable-kaserver = true
>
>
> # [kadmin]
> # default_keys = list of strings
> # Maybe this will help ?
>     default_keys = v4 v5 afs3-salt:domain.com
>