[OpenAFS] asetkey, aklog and weird key/principal

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 09 Jan 2007 09:45:48 -0500


This is a cryptographically signed message in MIME format.

--------------ms010900040503000507070509
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit

Turbo Fredriksson wrote:
>>>>>> "Douglas" == Douglas E Engert <deengert@anl.gov> writes:
> 
>     Douglas> The account name (ktpass -mapuser) could be city_afs and
>     Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>
> 
> Oki, the admin have now create a keytab using:
> 
> ----- s n i p -----
> ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto DES-CBC-MD5 -out c:\temp\unixkeytab
> Targeting domain controller: <domaincontroller>
> Successfully mapped afs/<cell> to <city>_afs.
> Type the password for afs/<cell>:
> Type the password again to confirm:
> WARNING: pType and account type do not match. This might cause  problems.
> Key created.
> Output keytab to c:\temp\unixkeytab:
> Keytab version: 0x502
> keysize 75 afs/<cell>@<REALM> ptype 0
> (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe9801968ba2aada4) 

The avoid the pType warning add

  -pType KRB5_NT_PRINCIPAL

Be aware that you just published your key to the world.  of course this
one doesn't work, but the one created with ktutil is correct and is of
course now public.

Has -DesOnly been set on the account?

> ----- s n i p -----
> 
> Unfortunatly this gives me other problems:
> 
> ----- s n i p -----
> root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>

Did you restart the servers?  Or touch the server's "CellServDB" file?

> root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth

Now you did.

> root@<afsserver>:/usr/afs/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@<REALM>
> 
> Valid starting     Expires            Service principal
> 01/09/07 11:11:00  01/09/07 17:51:00  krbtgt/<REALM>@<REALM>
> 01/09/07 11:11:07  01/09/07 17:51:00  afs/<cell>@<REALM>

What does "klist -e" report the enc-types as?

> I've inquired what version of ktpass.exe/os the're running
> on the AD, but haven't got a reply yet (probably lunch :)...

> Just if it matters, I compared the keyfiles as well.
> 
> ----- s n i p -----
> root@nnwux002:/usr/afs/etc# klist -k unixkeytab -t -K
> Keytab name: FILE:unixkeytab
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
> root@nnwux002:/usr/afs/etc# klist -k keytab.file -t -K
> Keytab name: FILE:keytab.file
> KVNO Timestamp         Principal
> ---- ----------------- --------------------------------------------------------
>    3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
> root@nnwux002:/usr/afs/etc# 
> ----- s n i p -----
> 
> They ARE different, but since neither work... ? Did I miss restarting
> something?  I'we been waiting for more than the 'AD sync time' so it
> can't be that...

You have already restarted everything via the bos restart command so
you should be good from that perspective.  I'm going to place my bet on
the enc-type of the ticket.

Jeffrey Altman


--------------ms010900040503000507070509
Content-Type: application/x-pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJeTCC
AxcwggKAoAMCAQICEBW00lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UE
BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloX
DTA3MDUyNzIyMDMzMlowczEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVy
aWMxHDAaBgNVBAMTE0plZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQC19SD7DncCP/+wfQlLzAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0o
fGCucDfcQbSIrkhHD9z4TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U
8uN3kLyqXAFIGWKO8DJVGTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0
ma0H7PiFJ2kLfOf///07E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCD
A9bNErMiOXA3dudaNNzXlN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcG
A1UdEQQgMB6BHGphbHRtYW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQQFAAOBgQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4Vbo
pA7BAR4ihAPibv7j7ZaxmyMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03v
L3EVETiGFqTB2sLp5MLc6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAxcwggKAoAMCAQICEBW0
0lKwoWJXt8wbmTl1M0kwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT
HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h
bCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDUyNzIyMDMzMloXDTA3MDUyNzIyMDMzMlow
czEPMA0GA1UEBBMGQWx0bWFuMRUwEwYDVQQqEwxKZWZmcmV5IEVyaWMxHDAaBgNVBAMTE0pl
ZmZyZXkgRXJpYyBBbHRtYW4xKzApBgkqhkiG9w0BCQEWHGphbHRtYW5Ac2VjdXJlLWVuZHBv
aW50cy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC19SD7DncCP/+wfQlL
zAAcxf1nJ/7UQgh4o/nxzvuY55XwHdLQjqWuFUnM5vecfyZKwq0ofGCucDfcQbSIrkhHD9z4
TZ8vDaYWVY9Foz8Rp8G0PNdbRFoFtfJbaeVBX5hG3aQXIc/T1b9U8uN3kLyqXAFIGWKO8DJV
GTKKtOiPVOp1U+9CwujyYmUSKF+suutKABhhK1ZGHsTnFczLZ2g0ma0H7PiFJ2kLfOf///07
E1fbr4IRb+cd87kpWLcjtEZ0rbBr9HlOy9dkeEii/qFoo1ahfKCDA9bNErMiOXA3dudaNNzX
lN/70slq5fboBXbepamJGrsnXYcCsS9+LtCTAgMBAAGjOTA3MCcGA1UdEQQgMB6BHGphbHRt
YW5Ac2VjdXJlLWVuZHBvaW50cy5jb20wDAYDVR0TAQH/BAIwADANBgkqhkiG9w0BAQQFAAOB
gQDBzWhkrW+ol3iyT1rV8ZBQB0+z/6dFH3djQfNf7jDXNoXx4VbopA7BAR4ihAPibv7j7Zax
myMxWiDACRGS934uvUS0K6L6q14hTWMostJgFsAEDArrmbrES03vL3EVETiGFqTB2sLp5MLc
6+z+72pLXRuDPL3lO2GOQuBbILswRzCCAz8wggKooAMCAQICAQ0wDQYJKoZIhvcNAQEFBQAw
gdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUg
VG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFp
bCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw0w
MzA3MTcwMDAwMDBaFw0xMzA3MTYyMzU5NTlaMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxU
aGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwg
RnJlZW1haWwgSXNzdWluZyBDQTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAxKY8VXNV
+065yplaHmjAdQRwnd/p/6Me7L3N9VvyGna9fww6YfK/Uc4B1OVQCjDXAmNaLIkVcI7dyfAr
hVqqP3FWy688Cwfn8R+RNiQqE88r1fOCdz0Dviv+uxg+B79AgAJk16emu59l0cUqVIUPSAR/
p7bRPGEEQB5kGXJgt/sCAwEAAaOBlDCBkTASBgNVHRMBAf8ECDAGAQH/AgEAMEMGA1UdHwQ8
MDowOKA2oDSGMmh0dHA6Ly9jcmwudGhhd3RlLmNvbS9UaGF3dGVQZXJzb25hbEZyZWVtYWls
Q0EuY3JsMAsGA1UdDwQEAwIBBjApBgNVHREEIjAgpB4wHDEaMBgGA1UEAxMRUHJpdmF0ZUxh
YmVsMi0xMzgwDQYJKoZIhvcNAQEFBQADgYEASIzRUIPqCy7MDaNmrGcPf6+svsIXoUOWlJ1/
TCG4+DYfqi2fNi/A9BxQIJNwPP2t4WFiw9k6GX6EsZkbAMUaC4J0niVQlGLH2ydxVyWN3amc
OY6MIE9lX5Xa9/eH1sYITq726jTlEBpbNU1341YheILcIRk13iSx0x1G/11fZU8xggNkMIID
YAIBATB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5
KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQ
FbTSUrChYle3zBuZOXUzSTAJBgUrDgMCGgUAoIIBwzAYBgkqhkiG9w0BCQMxCwYJKoZIhvcN
AQcBMBwGCSqGSIb3DQEJBTEPFw0wNzAxMDkxNDQ1NDhaMCMGCSqGSIb3DQEJBDEWBBR4dQaC
WYCtsfLhN0R6zQl0GrotojBSBgkqhkiG9w0BCQ8xRTBDMAoGCCqGSIb3DQMHMA4GCCqGSIb3
DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDCBhQYJKwYB
BAGCNxAEMXgwdjBiMQswCQYDVQQGEwJaQTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcg
KFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3Vpbmcg
Q0ECEBW00lKwoWJXt8wbmTl1M0kwgYcGCyqGSIb3DQEJEAILMXigdjBiMQswCQYDVQQGEwJa
QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhh
d3RlIFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEBW00lKwoWJXt8wbmTl1M0kwDQYJ
KoZIhvcNAQEBBQAEggEABEGehGeqONSpcu6pBdJlmLgEyLcZyExPCKz3RJ3W42i5/Ko9dSPJ
ccwwmxiONEOj1/qAX4WYGI5FWETyR7jhSKLk3T65EFoEgDBsu80vq442XWngzoXXh+LYftVL
6lcIWW/YLEEcKgCKD9r4ofGThkzSAt3xJPGk/bT7LuV5vBjUOOEY6L7cZ7kdOtzIgUkMjCTt
m7Tjm7/pArEz6R8vp5YNXN8PELvX3o0DY4dUL79jUtCqrk2RnAmZsyBegsZ9w6B8WvQ59TI5
hXETgMJBThERuBiPSlTsKk2WS100tlGmaKcWe98GW1s5QPNwyoApP1tvPJlfBXRUNMdaKFwq
CwAAAAAAAA==
--------------ms010900040503000507070509--