[OpenAFS] asetkey, aklog and weird key/principal
Turbo Fredriksson
turbo@bayour.com
Tue, 09 Jan 2007 11:26:34 +0100
>>>>> "Douglas" == Douglas E Engert <deengert@anl.gov> writes:
Douglas> The account name (ktpass -mapuser) could be city_afs and
Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>
Oki, the admin has now created a keytab using:
----- s n i p -----
ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto DES-CBC-MD5 -out c:\temp\unixkeytab
Targeting domain controller: <domaincontroller>
Successfully mapped afs/<cell> to <city>_afs.
Type the password for afs/<cell>:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to c:\temp\unixkeytab:
Keytab version: 0x502
keysize 75 afs/<cell>@<REALM> ptype 0
(KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe9801968ba2aada4)
----- s n i p -----
Unfortunately this gives me other problems:
----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens
Tokens held by the Cache Manager:
--End of list--
root@<afsserver>:/usr/afs/etc# klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>:
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name ID Owner Creator
pts: security object was passed a bad ticket ; unable to list entries
root@<afsserver>:/usr/afs/etc#
----- s n i p -----
The only reference I found about this problem was
http://comments.gmane.org/gmane.comp.file-systems.openafs.general/19094
and I tried the same trick with ktutil, but it made no change:
----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey list
kvno 3: key is: e9801968ba2aada4
All done.
root@<afsserver>:/usr/afs/etc# asetkey delete 3
root@<afsserver>:/usr/afs/etc# asetkey list
All done.
root@<afsserver>:/usr/afs/etc# ktutil
ktutil: addent -password -p afs/<cell>@<REALM> -k 3 -e des-cbc-crc
Password for afs/<cell>@<REALM>:
ktutil: wkt ./keytab.file
ktutil: quit
root@<afsserver>:/usr/afs/etc# asetkey add 3 keytab.file afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@<cell> [Expires Jan 9 17:51]
--End of list--
root@<afsserver>:/usr/afs/etc# unlog
root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth
root@<afsserver>:/usr/afs/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>
Valid starting Expires Service principal
01/09/07 11:11:00 01/09/07 17:51:00 krbtgt/<REALM>@<REALM>
01/09/07 11:11:07 01/09/07 17:51:00 afs/<cell>@<REALM>
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kdestroy
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>:
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name ID Owner Creator
pts: security object was passed a bad ticket ; unable to list entries
root@<afsserver>:/usr/afs/etc#
root@<afsserver>:/usr/afs/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>
Valid starting Expires Service principal
01/09/07 11:15:42 01/09/07 17:55:42 krbtgt/<REALM>@<REALM>
01/09/07 11:15:48 01/09/07 17:55:42 afs/<cell>@<REALM>
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for afs@<cell> [Expires Jan 9 17:55]
--End of list--
root@<afsserver>:/usr/afs/etc#
----- s n i p -----
I've inquired what version of ktpass.exe/OS they're running
on the AD, but haven't got a reply yet (probably lunch :)...
Just if it matters, I compared the keyfiles as well.
----- s n i p -----
root@nnwux002:/usr/afs/etc# klist -k unixkeytab -t -K
Keytab name: FILE:unixkeytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
root@nnwux002:/usr/afs/etc# klist -k keytab.file -t -K
Keytab name: FILE:keytab.file
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
root@nnwux002:/usr/afs/etc#
----- s n i p -----
They ARE different, but since neither works... ? Did I miss restarting
something? I've been waiting for more than the 'AD sync time', so it
can't be that...
And the time is synchronized with ntpdate from the same NTPd as
the AD once every hour...
PS. I just noticed the timestamp on 'unixkeytab'... Might be nothing,
but...
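An added example, not from the original post or from OpenAFS, of the comparison done above by hand with `klist -k -t -K`: a small parser for the version 0x502 keytab format that reports each entry's principal, kvno, enctype, timestamp and key, flags whether the entry is a DES key with valid parity (the only kind an OpenAFS KeyFile of that era accepts), and checks whether two keytabs carry the same key for the same principal and kvno. The principal, realm and the keytab bytes are constructed placeholders; the two key values and the etype/timestamp differences are the ones shown in the post.

```python
import struct
# The only enctypes an OpenAFS 1.4-era KeyFile can hold; asetkey rejects anything else.
DES_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}
cstr = lambda s: struct.pack(">H", len(s)) + s  # keytab counted octet string

def des_parity_ok(key):  # every byte of a DES key must have odd parity
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)

def build_entry(components, realm, vno, etype, key, timestamp=0):
    # Serialise one MIT keytab entry; used here only to construct the sample input below.
    body = struct.pack(">H", len(components)) + cstr(realm.encode())
    body += b"".join(cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 0, timestamp, vno & 0xFF)           # name_type, time, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", vno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):  # parse a version 0x502 keytab into a list of entry dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4]); pos += 4
        if size < 0:                      # a negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2]); pos += 2
            strings.append(data[pos:pos + n].decode()); pos += n
        _name_type, ts, vno = struct.unpack(">IIB", data[pos:pos + 9]); pos += 9
        etype, klen = struct.unpack(">HH", data[pos:pos + 4]); pos += 4
        key = data[pos:pos + klen]; pos += klen
        if end - pos >= 4:                # optional 32-bit kvno overrides the 8-bit one
            vno = struct.unpack(">I", data[pos:pos + 4])[0] or vno
        pos = end
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0], "kvno": vno,
                        "etype": etype, "key": key.hex(), "timestamp": ts,
                        "afs_usable": etype in DES_ENCTYPES and des_parity_ok(key)})
    return entries
# Constructed samples mirroring the post: ktpass wrote etype 3 with a zero timestamp,
# ktutil wrote etype 1 (des-cbc-crc) with a real one. Principal and realm are placeholders.
KEYTAB_FROM_KTPASS = b"\x05\x02" + build_entry(
    ["afs", "example.cell"], "EXAMPLE.REALM", 3, 3, bytes.fromhex("e9801968ba2aada4"))
KEYTAB_FROM_KTUTIL = b"\x05\x02" + build_entry(
    ["afs", "example.cell"], "EXAMPLE.REALM", 3, 1, bytes.fromhex("83dab01c6bb03701"), 1168337653)
def same_key(a, b):  # do two keytabs hold the same key for every principal/kvno pair in b?
    index = {(e["principal"], e["kvno"]): e["key"] for e in parse_keytab(a)}
    return all(index.get((e["principal"], e["kvno"])) == e["key"] for e in parse_keytab(b))
```

Run `parse_keytab` on a real file's bytes to see what `asetkey add` will import; an entry with `afs_usable` False, or two keytabs for which `same_key` is False, explains why only one of them yields tokens.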