[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Lönroth Erik
erik.lonroth@scania.com
Wed, 3 Jan 2007 12:45:01 +0100
Hello!

I've been trying to get OpenAFS 1.4.2 to work with Microsoft Active Directory (AD) 2003 as KDC for some weeks now, and I'm starting to believe I should have gone on that early vacation after all. I just can't get it to work. It ends at:

19270407 = security object was passed a bad ticket

I have a lab environment consisting of an AD (lab.scania.com) and one AFS server/cell (cellname: sss.se.scania.com, servername: vmware01.scania.com).

I have verified that OpenAFS works by setting up an MIT Kerberos 5 server in parallel (separate server); I successfully authenticated and can read and write files in my AFS directory. But swapping to the AD gives no luck whatsoever:

This is where it ends up.
(On AD side)

C:\>ktpass -out afs-keytab-des-cbc-md5 -princ afs/sss.se.scania.com@LAB.SCANIA.COM -mapuser afs -crypto DES-CBC-MD5 -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-des-cbc-md5:
Keytab version: 0x502
keysize 63 afs/sss.se.scania.com@LAB.SCANIA.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7
etype 0x3 (DES-CBC-MD5) keylength 8 (0xd0d352801964ad19)
(I email this file to my RedHat ES4 Linux server, vmware01, which also holds the AFS server.)
I now add the key:

[root@vmware01 ~]# asetkey add 7 afs-keytab-des-cbc-md5 afs/sss.se.scania.com
[root@vmware01 ~]# asetkey list
kvno 0: key is: e9d6f2e068d97386
kvno 7: key is: d0d352801964ad19
------- I now clean up any old tickets/tokens:

[root@vmware01 ~]# unlog
[root@vmware01 ~]# kdestroy

------- I get my ticket - using my AD password:

[root@vmware01 ~]# kinit -V sssler
Password for sssler@LAB.SCANIA.COM:
Authenticated to Kerberos v5

[root@vmware01 ~]# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sssler@LAB.SCANIA.COM

Valid starting     Expires            Service principal
01/03/07 12:12:21  01/03/07 22:12:11  krbtgt/LAB.SCANIA.COM@LAB.SCANIA.COM
        renew until 01/04/07 12:12:21, Etype (skey, tkt): DES cbc mode with CRC-32, ArcFour with HMAC/md5
------- I successfully aklog

[root@vmware01 ~]# aklog -d
Authenticating to cell sss.se.scania.com (server vmware01.sss.se.scania.com).
We've deduced that we need to authenticate to realm LAB.SCANIA.COM.
Getting tickets: afs/sss.se.scania.com@LAB.SCANIA.COM
Using Kerberos V5 ticket natively
About to resolve name sssler to id in cell sss.se.scania.com.
Id 4067
Set username to AFS ID 4067
Setting tokens. AFS ID 4067 / @ LAB.SCANIA.COM

[root@vmware01 ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 4067) tokens for afs@sss.se.scania.com [Expires Jan 3 22:30]
--End of list--

[root@vmware01 ~]# klist -e -5
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: sssler@LAB.SCANIA.COM

Valid starting     Expires            Service principal
01/03/07 12:30:37  01/03/07 22:30:34  krbtgt/LAB.SCANIA.COM@LAB.SCANIA.COM
        renew until 01/04/07 12:30:37, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
01/03/07 12:30:36  01/03/07 22:30:34  afs/sss.se.scania.com@LAB.SCANIA.COM
        renew until 01/04/07 12:30:37, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
--- From here I think I should be able to touch a file in my home directory (which I can do if I use MIT Kerberos), but it fails with permission denied.

$ touch /afs/sss.se.scania.com/home/sssler
touch: cannot touch `/afs/sss.se.scania.com/home/sssler/foobar': Permission denied
$ tail /var/log/messages
...
Jan 3 10:59:49 vmware01 kernel: afs: Tokens for user of AFS id 4067 for cell sss.se.scania.com are discarded (rxkad error=19270407)

Basically, this is what I have done on the AD side:

* Created the user "afs" (afs/sss.se.scania.com) and set the options in the "Account" tab:

  [Account is sensitive and cannot be delegated]
  [use DES encryption types]
  [Password never expires]
  [Do not require Kerberos preauthentication]

* I have set in the "Delegation" tab:

  [Trust user for delegation to any Service (Kerberos only)]

This is my /etc/krb5.conf:

[libdefaults]
  default_realm = LAB.SCANIA.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  default_tkt_enctypes = des-cbc-crc des-cbc-md5
  default_tgs_enctypes = des-cbc-crc des-cbc-md5

[realms]
  LAB.SCANIA.COM = {
    kdc = sesoco0206.scania.com
    default_domain = scania.com
  }

[domain_realm]
  .scania.se = LAB.SCANIA.COM
  scania.se = LAB.SCANIA.COM
  .scania.com = LAB.SCANIA.COM
  scania.com = LAB.SCANIA.COM

[appdefaults]
  kinit = {
    renewable = true
    forwardable = true
  }

What am I doing wrong, as it seems it should be fairly straightforward?

/Erik Lönroth
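An added diagnostic for the transcript above (example code written for this page, not part of the original post or of OpenAFS): it cross-checks the key that ktpass exported on the AD side against what `asetkey list` shows in the fileserver's KeyFile (same kvno present, same key bytes, 8-byte DES key, odd parity on every byte, since rxkad rejects bad-parity DES keys), and decodes the `rxkad error=` code from the syslog line. The sample strings are copied from the post; the rxkad error table is the subset of OpenAFS's rxkad error codes (base 19270400) relevant to key and ticket problems, and the names given to the check functions are this example's own.

```python
import re

# Constructed sample input: the ktpass, asetkey and syslog output from the post above.
KTPASS_OUTPUT = """\
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-des-cbc-md5:
Keytab version: 0x502
keysize 63 afs/sss.se.scania.com@LAB.SCANIA.COM ptype 0 (KRB5_NT_UNKNOWN) vno 7
etype 0x3 (DES-CBC-MD5) keylength 8 (0xd0d352801964ad19)
"""
ASETKEY_OUTPUT = """\
kvno 0: key is: e9d6f2e068d97386
kvno 7: key is: d0d352801964ad19
"""
SYSLOG_LINE = ("Jan 3 10:59:49 vmware01 kernel: afs: Tokens for user of AFS id 4067 "
               "for cell sss.se.scania.com are discarded (rxkad error=19270407)")

# rxkad error codes are 19270400 + offset; only the key/ticket-related entries are listed.
RXKAD_BASE = 19270400
RXKAD_ERRORS = {
    3: ("RXKADTICKETLEN", "ticket length too long or too short"),
    6: ("RXKADBADKEY", "illegal key: bad parity or weak"),
    7: ("RXKADBADTICKET", "security object was passed a bad ticket"),
    8: ("RXKADUNKNOWNKEY", "ticket contained unknown key version number"),
    9: ("RXKADEXPIRED", "authentication expired"),
}


def parse_ktpass(output):
    """Pull principal, kvno, enctype and key bytes out of ktpass's keytab summary lines."""
    m = re.search(r"keysize \d+ (\S+) ptype \d+ \((\w+)\) vno (\d+)", output)
    e = re.search(r"etype 0x([0-9a-fA-F]+) \(([\w-]+)\) keylength (\d+) \(0x([0-9a-fA-F]+)\)", output)
    if not (m and e):
        raise ValueError("unrecognised ktpass output")
    return {"principal": m.group(1), "kvno": int(m.group(3)),
            "etype": int(e.group(1), 16), "etype_name": e.group(2),
            "keylength": int(e.group(3)), "key": e.group(4).lower()}


def parse_asetkey_list(output):
    """Map kvno -> key hex from `asetkey list` output."""
    return {int(k): v.lower() for k, v in re.findall(r"kvno (\d+): key is: ([0-9a-fA-F]+)", output)}


def des_key_has_odd_parity(key_hex):
    """Every byte of a DES key must have odd parity, or rxkad reports RXKADBADKEY."""
    return all(bin(b).count("1") % 2 == 1 for b in bytes.fromhex(key_hex))


def decode_rxkad_error(code):
    """Return (symbolic name, message) for an rxkad error code."""
    return RXKAD_ERRORS.get(code - RXKAD_BASE, ("UNKNOWN", "rxkad error offset %d" % (code - RXKAD_BASE)))


def find_rxkad_errors(log_text):
    """Extract every numeric rxkad error code from cache-manager log lines."""
    return [int(c) for c in re.findall(r"rxkad error=(\d+)", log_text)]


def check_key_alignment(ktpass_output, asetkey_output):
    """Compare the exported keytab entry with the KeyFile contents and summarise the findings."""
    kt = parse_ktpass(ktpass_output)
    keys = parse_asetkey_list(asetkey_output)
    result = {
        "principal": kt["principal"],
        "kvno": kt["kvno"],
        "kvno_in_keyfile": kt["kvno"] in keys,
        "key_matches": keys.get(kt["kvno"]) == kt["key"],
        "is_des": kt["keylength"] == 8,
        "parity_ok": {k: des_key_has_odd_parity(v) for k, v in keys.items()},
        "findings": [],
    }
    if not result["kvno_in_keyfile"]:
        result["findings"].append("kvno %d from the keytab is missing from the KeyFile" % kt["kvno"])
    elif not result["key_matches"]:
        result["findings"].append("kvno %d is present but the key bytes differ" % kt["kvno"])
    else:
        result["findings"].append("kvno %d key bytes match the KeyFile" % kt["kvno"])
    if not result["is_des"]:
        result["findings"].append("keytab entry is not an 8-byte DES key; asetkey/KeyFile only hold DES keys")
    for k, ok in result["parity_ok"].items():
        if not ok:
            result["findings"].append("KeyFile kvno %d has a bad-parity DES key" % k)
    return result


if __name__ == "__main__":
    for line in check_key_alignment(KTPASS_OUTPUT, ASETKEY_OUTPUT)["findings"]:
        print(line)
    for code in find_rxkad_errors(SYSLOG_LINE):
        print("%d -> %s: %s" % ((code,) + decode_rxkad_error(code)))
```

On the posted data the exported kvno 7 and key bytes d0d352801964ad19 are identical to the KeyFile entry and both keys pass the parity check, so the transcript shows no raw key mismatch on the fileserver side; the logged code decodes to RXKADBADTICKET, which is the code for a ticket that could not be decrypted or validated with the key found for its kvno, as opposed to RXKADUNKNOWNKEY, which would mean no key for that kvno exists at all. The check only proves that the keytab and the KeyFile agree with each other; it says nothing about whether the KDC is still encrypting service tickets with that key version, which is what would have to be confirmed on the AD side.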