[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Lönroth Erik erik.lonroth@scania.com
Wed, 3 Jan 2007 16:40:33 +0100



Correction on that:

The "ktutil" was run on the linux host! (not windows)

But still... the ktpass.exe gives me bogus keyfiles.

/Erik


-----Original Message-----
From: openafs-info-admin@openafs.org on behalf of Lönroth Erik
Sent: Wed 1/3/2007 4:34 PM
To: Jeffrey Altman
Cc: openafs-info@openafs.org
Subject: RE: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

OK, I believe I have resolved the problem now after 5 whole days of trial and error.

It turns out that using the "KTPASS" native from Active Directory generates keys that are not liked by AFS.

I instead used ktutil.exe (for windows) to generate my key that I then imported as usual into AFS.

On Microsoft AD side:

>ktutil
ktutil: addent -password -p afs/sss.se.scania.com@LAB.SCANIA.COM -k 9 -e des-cbc-crc
ktutil: wkt ./keytab.file
ktutil: quit

This file is then copied to linux and imported exactly as I would normally:

asetkey add 9 keytab.file afs/sss.se.scania.com

Now - everything works

kinit sssler
aklog
touch /afs/sss.se.scania.com/home/sssler/somefile
ls /afs/sss.se.scania.com/home/sssler/somefile
 /afs/sss.se.scania.com/home/sssler/somefile

Success!

I verified this by behaviour - AGAIN - by using the "KTPASS.EXE" (without changing anything else) and importing the key with "asetkey" as normal.

C:\ktpass -out afs-keytab-md5-verify -princ afs/sss.se.scania.com@LAB.SCANIA.COM -mapuser afs -crypto DES-CBC-CRC -pass *
Targeting domain controller: SeSoCoLab11.scania.se
Successfully mapped afs/sss.se.scania.com to afs.
Type the password for afs/sss.se.scania.com:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to afs-keytab-md5-verify:
Keytab version: 0x502
keysize 63 afs/sss.se.scania.com@LAB.SCANIA.COM ptype 0 (KRB5_NT_UNKNOWN) vno 9
etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)

(Again publishing the key to the whole world ;-)

... and - using this key in AFS - I get the same error again : rxkad error=19270407

I swapped back again to the key generated by ktutil.exe - and it works again.

It seems that using the KTPASS.EXE generates bogus keys for me!

I have not read this anywhere and I have read pretty much everything, did I miss something critical here or is this a bug/feature?

/Erik






-----Original Message-----
From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
Sent: Wed 1/3/2007 3:16 PM
To: Lönroth Erik
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Lönroth Erik wrote:
> I believe I have... My file looks like this. Can I be sure this is OK?
> In my misery I can't trust anything at the moment.
>
> [root@vmware01 ~]# cat /usr/afs/etc/krb.conf
> LAB.SCANIA.COM
> LAB.SCANIA.COM sesocolab11.scania.com

This is fine.  Although the second line is not used by AFS so you
can remove it.

Did you restart the AFS servers after setting this value?

> I have also looked in AD to see the Service principal binding (Is this
> right?) :
>
> C:\setspn -A afs/sss.se.scania.com afs
> Registering ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=s
> cania,DC=com
>         afs/sss.se.scania.com
> Updated object
>
> C:\setspn -L afs
> Registered ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=sc
> ania,DC=com:
>     afs/sss.se.scania.com
>     HOST/afs
>     HOST/afs.LAB
>

That is fine.

RXKADBADTICKET can be generated if the clocks between AFS and AD
are not synchronized.  Are they?

Jeffrey Altman
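One way to inspect a keytab before handing it to asetkey, added here as an example that is not from the thread or from the OpenAFS project: a small Python reader for MIT-format (version 0x502) keytabs that reports each entry's principal, name type, kvno, etype and key length, so a ktpass-generated file and a ktutil-generated file can be compared field by field instead of by trial and error. The sample keytab, its timestamp and its 8-byte key are constructed inline and are not the key posted above.

```python
import struct

# Constructed sample keytab (MIT format 0x502, big-endian) holding one entry for the
# AFS principal from the thread, kvno 9, etype 1 (DES-CBC-CRC) and a dummy 8-byte key.
def _entry(realm, comps, name_type, kvno, etype, key):
    body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, 1167838800, kvno & 0xFF)   # name type, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, vno32
    return struct.pack(">i", len(body)) + body

SAMPLE_KEYTAB = b"\x05\x02" + _entry("LAB.SCANIA.COM", ["afs", "sss.se.scania.com"],
                                     0, 9, 1, bytes.fromhex("0123456789abcdef"))
def parse_keytab(data):
    """Return one dict per entry: principal, name_type, kvno, etype, keylen, key (hex)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size <= 0:                         # <0 marks a deleted slot (skip it); 0 is corrupt
            if size == 0:
                raise ValueError("zero-length keytab entry")
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos); pos += 4
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        name_type, _ts, vno = struct.unpack_from(">IIB", data, pos); pos += 9
        etype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:                    # optional 32-bit vno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, pos)
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": vno, "etype": etype, "keylen": klen, "key": key.hex()})
        pos = end
    return entries

def check_afs_entry(entry, principal, kvno):
    """List what to fix before asetkey: wrong principal, wrong kvno, or a non-DES key."""
    return [field for field, ok in (("principal", entry["principal"] == principal),
                                    ("kvno", entry["kvno"] == kvno),
                                    ("etype/keylen", entry["etype"] == 1 and entry["keylen"] == 8))
            if not ok]
```

Run parse_keytab over the bytes of both keytabs and compare the dicts; a differing name_type (ktpass reported ptype 0 above), kvno or etype is then visible at a glance.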


