[OpenAFS] aklog and aklog -524

Russ Allbery rra@stanford.edu
Tue, 14 Nov 2006 08:54:45 -0800

vladimir konrad <v.konrad@lse.ac.uk> writes:

> i am in the process of upgrading clients from debian sarge to debian
> etch. the servers run debian woody:

> what is running where:
>   servers:	openafs 1.2.11, kerberos 5 with krb524 daemon running
>   sarge client:	aklog from openafs-krb5 1.3
>   etch client:	aklog from openafs-krb5 1.4.2-2

> under sarge, aklog works without any glitch, under etch - it only works
> with option -524 (this has to do something with kerberos ticket
> conversion from version 5 to version 4).

Right.  It means that you're running krb524d to return K4 tickets to
applications that needed them, like AFS.  As of OpenAFS 1.2.8, the server
supports native K5 tickets, so you shouldn't have to do this any longer.
The aklog that ships with OpenAFS 1.4 is the new version that does native
K5 tickets by default (as opposed to the version that shipped with sarge,
which was from the Kerberos Migration Kit and did 524 by default).

> when doing aklog from sarge, the kerberos server log shows two requests
> for principals:
> 	afs/domain-name@kerberos-realm
> 	afs@kerberos-realm

> when doing the same from etch with -524 option, the log shows only one
> request for principal:
> 	afs/domain-name@kerberos-realm

> there is only one principal in the kerberos database for afs:
> afs@kerberos-realm.

But the latter works anyway?

Is your AFS cell name the same as your Kerberos realm name?

> i would like to have etch to do aklog without -524 option against our
> existing servers (this way i would not have to hack the pam module). i
> have spoken to the debian developers and the reply was following:

> "It's actually the AFS configuration that matters, not the Kerberos
> configuration.  The AFS servers need to have the DES key of the K5
> principal in their KeyFiles and, if the Kerberos realm is different than
> the AFS cell, have a krb.conf file in the server configuration directory
> listing the Kerberos realm."

> to the best of my knowledge the kerberos 5 principal for afs is des.

You can double-check this in kadmin with getprinc afs@kerberos-realm.

Note that for native K5 authentication to work, this principal needs to
have only one key which is of type des-cbc-crc.  The hashes don't matter
but the encryption type does.  If it has other, stronger encryption types,
you'll get a K5 service ticket for the stronger encryption type, aklog
will try to use that as a token, and it won't work.

> my guess is that i am supposed to have the
> afs/domain-name@kerberos-realm principal and not the afs@kerberos-realm
> principal. is this the case or there is something else in play here?

You only have to have afs/cell-name@kerberos-realm if your cell name is
different than your Kerberos realm.  Otherwise, either will work, although
the latter form is recommended these days.

Also, if your cell name is not the same as your realm name, you'll need to
create a file named krb.conf in the same directory as your ThisCell and
CellServDB files on the *server* (not the client files), and put in it the
name of your Kerberos realm on a line by itself.  This is needed on both
the database servers and the file servers, and the servers will have to be
restarted to pick up this change.

/usr/share/doc/openafs-fileserver/README.servers.gz may be helpful,
although it's targeted at new installations rather than upgrades.

Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
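The two checks Russ describes (the afs principal must carry exactly one des-cbc-crc key, and a krb.conf is needed on the servers only when the cell name differs from the realm) are easy to script before touching the PAM setup. The following is an added example, not code from the mailing-list post or from OpenAFS; the `kadmin getprinc` output it parses is constructed to resemble MIT's short "Key: vno N, enctype" lines, so the regex is an assumption that may need adjusting for other kadmin versions.

```python
"""Pre-flight checks for native Kerberos 5 aklog against OpenAFS 1.2.8+ servers.

Added example (not from the original post).  It encodes the advice in the
thread:
  1. the afs service principal must have exactly one key, of enctype
     des-cbc-crc, or aklog will be handed a ticket the servers cannot use;
  2. afs/cell@REALM is required only when the cell name differs from the
     realm; otherwise afs@REALM also works;
  3. when cell and realm differ, a krb.conf holding the realm name must sit
     beside ThisCell/CellServDB on every database and file server.
"""
import re

# ASSUMPTION: MIT kadmin "getprinc" prints keys as "Key: vno 3, des-cbc-crc".
KEY_LINE = re.compile(r"^\s*Key:\s*vno\s+(\d+),\s*([^,\s]+)")

REQUIRED_ENCTYPE = "des-cbc-crc"


def parse_keys(getprinc_output):
    """Return [(kvno, enctype), ...] found in getprinc output."""
    keys = []
    for line in getprinc_output.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys.append((int(m.group(1)), m.group(2)))
    return keys


def check_afs_principal(getprinc_output):
    """Return a list of problems; an empty list means native K5 aklog can work."""
    keys = parse_keys(getprinc_output)
    problems = []
    if not keys:
        problems.append("no keys found in getprinc output")
    if len(keys) > 1:
        problems.append(f"principal has {len(keys)} keys; exactly one is needed")
    for vno, enctype in keys:
        if enctype != REQUIRED_ENCTYPE:
            # A stronger key means the KDC issues a ticket aklog cannot turn
            # into a usable token against 1.2.x servers.
            problems.append(f"key vno {vno} has enctype {enctype}, not {REQUIRED_ENCTYPE}")
    return problems


def acceptable_principals(cell, realm):
    """Which service principals aklog may use for this cell/realm pair."""
    names = [f"afs/{cell}@{realm}"]
    if not needs_krb_conf(cell, realm):
        names.append(f"afs@{realm}")  # only valid when cell name == realm name
    return names


def needs_krb_conf(cell, realm):
    """True when the servers need a krb.conf naming the realm.

    AFS cell names are conventionally the lower-cased realm, so compare
    case-insensitively.
    """
    return cell.lower() != realm.lower()


def krb_conf_content(realm):
    """Body of the server-side krb.conf: the realm name on a line by itself."""
    return realm + "\n"


# --- constructed sample output, not captured from a real KDC ---------------
SAMPLE_OK = """Principal: afs@EXAMPLE.COM
Expiration date: [never]
Number of keys: 1
Key: vno 3, des-cbc-crc
Policy: [none]
"""

SAMPLE_BAD = """Principal: afs@EXAMPLE.COM
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, des-cbc-crc
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, check_afs_principal(sample) or "looks fine")
    print(acceptable_principals("example.com", "EXAMPLE.COM"))
    if needs_krb_conf("afs.example.com", "EXAMPLE.COM"):
        print("krb.conf would contain:", repr(krb_conf_content("EXAMPLE.COM")))
```

On a real system you would feed it the output of `kadmin -q "getprinc afs@REALM"` (or the afs/cell form), then compare the listed enctypes with what is in the servers' KeyFile before dropping the -524 option.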