[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
Lönroth Erik
erik.lonroth@scania.com
Wed, 3 Jan 2007 16:40:33 +0100
Correction on that:
The "ktutil" was run on the linux host! (not windows)
But still... the ktpass.exe gives me bogus keyfiles.
/Erik
-----Original Message-----
From: openafs-info-admin@openafs.org on behalf of Lönroth Erik
Sent: Wed 1/3/2007 4:34 PM
To: Jeffrey Altman
Cc: openafs-info@openafs.org
Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh
OK, I believe I have resolved the problem now after 5 whole days of trial and error.
It turns out that using the "KTPASS" native from Active Directory generates keys that are not liked by AFS.
I instead used ktutil.exe (for windows) to generate my key that I then imported as usual into AFS.
On Microsoft AD side:
>ktutil
ktutil: addent -password -p afs/sss.se.scania.com@LAB.SCANIA.COM -k 9 -e des-cbc-crc
ktutil: wkt ./keytab.file
ktutil: quit
This file is then copied to linux and imported exactly as I would normally:
asetkey add 9 keytab.file afs/sss.se.scania.com
Now - everything works
kinit sssler
aklog
touch /afs/sss.se.scania.com/home/sssler/somefile
ls /afs/sss.se.scania.com/home/sssler/somefile
/afs/sss.se.scania.com/home/sssler/somefile
Success!
I verified this by behaviour - AGAIN - by using the "KTPASS.EXE" (without changing anything else) and importing the key with "asetkey" as normal.
C:\ktpass -out afs-keytab-md5-verify -princ afs/sss.se.scania.com@LAB.SCANIA.COM -mapuser afs -crypto DES-CBC-CRC -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-md5-verify:
Keytab version: 0x502
keysize 63 afs/sss.se.scania.com@LAB.SCANIA.COM ptype 0 (KRB5_NT_UNKNOWN) vno 9
etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)
(Again publishing the key to the whole world ;-)
... and - using this key in AFS - I get the same error again : rxkad error=19270407
I swapped back again to the key generated by ktutil.exe - and it works again.
It seems that using the KTPASS.EXE generates bogus keys for me!
I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?
/Erik
-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
Sent: Wed 1/3/2007 3:16 PM
To: Lönroth Erik
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Lönroth Erik wrote:
> I believe I have... My file looks like this. Can I be sure this is OK?
> In my misery I can't trust anything at the moment.
>
> [root@vmware01 ~]# cat /usr/afs/etc/krb.conf
> LAB.SCANIA.COM
> LAB.SCANIA.COM sesocolab11.scania.com
This is fine. Although the second line is not used by AFS so you
can remove it.
Did you restart the AFS servers after setting this value?
> I have also looked in AD to see the Service principal binding (Is this
> right?) :
>
> C:\setspn -A afs/sss.se.scania.com afs
> Registering ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
> afs/sss.se.scania.com
> Updated object
>
> C:\setspn -L afs
> Registered ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
> afs/sss.se.scania.com
> HOST/afs
> HOST/afs.LAB
>
That is fine.
RXKADBADTICKET can be generated if the clocks between AFS and AD
are not synchronized. Are they?
Jeffrey Altman
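The two keytabs in this thread (the one ktutil wrote with `wkt` and the one ktpass wrote, both version 0x502, etype 0x1 DES-CBC-CRC, vno 9) can be compared entry by entry before either is handed to `asetkey add`. The following is an added example, not code from the thread or from OpenAFS: a minimal parser for the krb5 file keytab format plus a DES key sanity check (8-byte length, odd parity in every byte, which is what a DES implementation expects). `build_keytab`, the `SAMPLE` it produces and its key bytes are constructed here for illustration.

```python
import struct
DES_CBC_CRC = 1  # etype 0x1, the type in both the ktutil and ktpass output above

def _counted(buf, off):  # 16-bit big-endian length prefix, then that many bytes
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return one dict per live entry: principal, kvno, etype and raw key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        size, off = struct.unpack_from(">i", data, off)[0], off + 4
        if size < 0:  # a negative size marks a deleted slot: skip it
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _, _, vno, etype = struct.unpack_from(">IIBH", data, off)  # name type, timestamp, kvno8, etype
        key, off = _counted(data, off + 11)
        if end - off >= 4:  # newer keytabs append a 32-bit kvno after the key
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": vno, "etype": etype, "key": key})
        off = end
    return entries

def des_key_problems(key):
    """Why a DES key would be rejected: wrong length, or a byte with even parity."""
    problems = ["length %d, expected 8" % len(key)] if len(key) != 8 else []
    for i, b in enumerate(key):
        if bin(b).count("1") % 2 == 0:
            problems.append("byte %d has even parity" % i)
    return problems

def build_keytab(principal, kvno, etype, key):  # one-entry keytab in the same layout
    name, realm = principal.split("@")
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBH", 0, 0, kvno & 0xFF, etype)
    body += struct.pack(">H", len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

# Constructed sample: principal and kvno as in the thread, the key bytes are made up.
SAMPLE = build_keytab("afs/sss.se.scania.com@LAB.SCANIA.COM", 9, DES_CBC_CRC, bytes.fromhex("01020407080b0d0e"))
```

Running `parse_keytab` over both files and `des_key_problems` over each entry's key shows whether the principal name, kvno and etype agree with what `asetkey add 9 ... afs/sss.se.scania.com` expects; a parity failure is the one key defect this check can prove, an otherwise valid-looking key that still fails rxkad points elsewhere (salt, account settings, clock skew).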