[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 03 Jan 2007 11:24:45 -0500


Compare the keytab files produced with ktutil and ktpass for the same
key.  How are they different?

Jeffrey Altman


Lönroth Erik wrote:
> OK, I believe I have resolved the problem now after 5 whole days of trial
> and error.
>
> It turns out that using the "KTPASS" native from Active Directory
> generates keys that are not liked by AFS.
>
> I instead used ktutil.exe (for windows) to generate my key that I then
> imported as usual into AFS.
>
> On Microsoft AD side:
>
>>ktutil
> ktutil: addent -password -p afs/sss.se.scania.com@LAB.SCANIA.COM -k 9 -e des-cbc-crc
> ktutil: wkt ./keytab.file
> ktutil: quit
>
> This file is then copied to linux and imported exactly as I would normally:
>
> asetkey add 9 keytab.file afs/sss.se.scania.com
>
> Now - everything works
>
> kinit sssler
> aklog
> touch /afs/sss.se.scania.com/home/sssler/somefile
> ls /afs/sss.se.scania.com/home/sssler/somefile
>  /afs/sss.se.scania.com/home/sssler/somefile
>
> Success!
>
> I verified this by behaviour - AGAIN - by using the "KTPASS.EXE"
> (without changing anything else) and importing the key with "asetkey" as
> normal.
>
> C:\ktpass -out afs-keytab-md5-verify -princ
> afs/sss.se.scania.com@LAB.SCANIA.COM -mapuser afs -crypto DES-CBC-CRC
> -pass *
> Targeting domain controller: SeSoCoLab11.scania.se
> Successfully mapped afs/sss.se.scania.com to afs.
> Type the password for afs/sss.se.scania.com:
> Type the password again to confirm:
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to afs-keytab-md5-verify:
> Keytab version: 0x502
> keysize 63 afs/sss.se.scania.com@LAB.SCANIA.COM ptype 0
> (KRB5_NT_UNKNOWN) vno 9
> etype 0x1 (DES-CBC-CRC) keylength 8 (0xbff2e56b29943d3e)
>
> (Again publishing the key to the whole world ;-)
>
> ... and - using this key in AFS - I get the same error again : rxkad
> error=19270407
>
> I swapped back again to the key generated by ktutil.exe - and it works
> again.
>
> It seems that using the KTPASS.EXE generates bogus keys for me!
>
> I have not read this anywhere and I have read pretty much everything, did
> I miss something critical here or is this a bug/feature?
>
> /Erik
>
> -----Original Message-----
> From: Jeffrey Altman [mailto:jaltman@secure-endpoints.com]
> Sent: Wed 1/3/2007 3:16 PM
> To: Lönroth Erik
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Active Directory 2003, kerberos 5, openAFS -
> rxkad error=19270407, arghhhh
>
> Lönroth Erik wrote:
>> I believe I have... My file looks like this. Can I be sure this is OK?
>> In my misery I can't trust anything at the moment.
>>
>> [root@vmware01 ~]# cat /usr/afs/etc/krb.conf
>> LAB.SCANIA.COM
>> LAB.SCANIA.COM sesocolab11.scania.com
>
> This is fine.  Although the second line is not used by AFS so you
> can remove it.
>
> Did you restart the AFS servers after setting this value?
>
>> I have also looked in AD to see the Service principal binding (Is this
>> right?) :
>>
>> C:\setspn -A afs/sss.se.scania.com afs
>> Registering ServicePrincipalNames for
>> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
>>         afs/sss.se.scania.com
>> Updated object
>>
>> C:\setspn -L afs
>> Registered ServicePrincipalNames for
>> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
>>     afs/sss.se.scania.com
>>     HOST/afs
>>     HOST/afs.LAB
>>
>
> That is fine.
>
> RXKADBADTICKET can be generated if the clocks between AFS and AD
> are not synchronized.  Are they?
>
> Jeffrey Altman
>
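To act on the suggestion above (compare the keytab written by ktutil with the one written by ktpass for the same key), here is an added example, not code from the thread or from OpenAFS: it parses MIT-format (version 0x502) keytabs, lists each entry's principal, name type, kvno, enctype and key bytes, checks DES odd parity, and reports the fields on which two entries differ. Both keytabs are constructed inline; the ktpass key bytes are the ones printed in the thread, while the ktutil key and its KRB5_NT_PRINCIPAL name type are assumptions.

```python
import struct

def parse_keytab(data: bytes) -> list[dict]:
    """Return one dict per entry of an MIT-format (version 0x502) keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x502 keytab")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size <= 0:                       # negative size marks a deleted slot
            pos += -size; continue
        body, end = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack(">H", body[:2]); off, strings = 2, []
        for _ in range(ncomp + 1):          # realm first, then name components
            (n,) = struct.unpack(">H", body[off:off + 2]); off += 2
            strings.append(body[off:off + n].decode()); off += n
        name_type, _ts, vno8 = struct.unpack(">IIB", body[off:off + 9]); off += 9
        etype, klen = struct.unpack(">HH", body[off:off + 4]); off += 4
        key = body[off:off + klen]; off += klen
        # 32-bit kvno is optional and trails the key; fall back to the 8-bit one
        vno = struct.unpack(">I", body[off:off + 4])[0] if len(body) - off >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "kvno": vno, "etype": etype,
                        "key": key.hex(), "des_odd_parity": des_odd_parity(key)})
        pos = end
    return entries

def des_odd_parity(key: bytes) -> bool:
    # every byte of a well-formed single-DES key has an odd number of set bits
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def diff_entries(a: dict, b: dict) -> list[str]:
    """Names of the fields on which two parsed entries disagree."""
    return [f for f in a if a[f] != b[f]]

def build_keytab(principal: str, name_type: int, kvno: int, etype: int, key: bytes) -> bytes:
    """Constructed one-entry 0x502 keytab used as a fixture (not real ktutil output)."""
    name, realm = principal.split("@")
    body = struct.pack(">H", name.count("/") + 1)
    for s in [realm] + name.split("/"):
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", name_type, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

PRINC = "afs/sss.se.scania.com@LAB.SCANIA.COM"
KTPASS_KEY = bytes.fromhex("bff2e56b29943d3e")  # key bytes as printed by ktpass in the thread
KTUTIL_KEY = bytes.fromhex("0e4c5d7f91a2b3c4")  # constructed stand-in, not a real key
# name_type 1 = KRB5_NT_PRINCIPAL (assumed for ktutil); 0 = KRB5_NT_UNKNOWN (ktpass output above)
KT_UTIL = parse_keytab(build_keytab(PRINC, 1, 9, 1, KTUTIL_KEY))[0]
KT_PASS = parse_keytab(build_keytab(PRINC, 0, 9, 1, KTPASS_KEY))[0]
print(diff_entries(KT_UTIL, KT_PASS))  # -> ['name_type', 'key'] for these fixtures
```

To compare real files, feed `open("keytab.file", "rb").read()` to `parse_keytab` in place of the constructed fixtures.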