[OpenAFS] asetkey, aklog and weird key/principal

Turbo Fredriksson turbo@bayour.com
Tue, 09 Jan 2007 11:26:34 +0100


>>>>> "Douglas" == Douglas E Engert <deengert@anl.gov> writes:

    Douglas> The account name (ktpass -mapuser) could be city_afs and
    Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>

OK, the admin has now created a keytab using:

----- s n i p -----
ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto DES-CBC-MD5 -out c:\temp\unixkeytab
Targeting domain controller: <domaincontroller>
Successfully mapped afs/<cell> to <city>_afs.
Type the password for afs/<cell>:
Type the password again to confirm:
WARNING: pType and account type do not match. This might cause  problems.
Key created.
Output keytab to c:\temp\unixkeytab:
Keytab version: 0x502
keysize 75 afs/<cell>@<REALM> ptype 0
(KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe9801968ba2aada4) 
----- s n i p -----

Unfortunately this gives me other problems:

----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

   --End of list--
root@<afsserver>:/usr/afs/etc# klist 
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>: 
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name                          ID  Owner Creator
pts: security object was passed a bad ticket ; unable to list entries

root@<afsserver>:/usr/afs/etc# 
----- s n i p -----

The only reference I found about this problem was
http://comments.gmane.org/gmane.comp.file-systems.openafs.general/19094
and I tried the same trick with ktutil, but it changed nothing:

----- s n i p -----
root@<afsserver>:/usr/afs/etc# asetkey list
kvno    3: key is: e9801968ba2aada4
All done.
root@<afsserver>:/usr/afs/etc# asetkey delete 3
root@<afsserver>:/usr/afs/etc# asetkey list
All done.
root@<afsserver>:/usr/afs/etc# ktutil 
ktutil:  addent -password -p afs/<cell>@<REALM> -k 3 -e des-cbc-crc
Password for afs/<cell>@<REALM>: 
ktutil:  wkt ./keytab.file
ktutil:  quit
root@<afsserver>:/usr/afs/etc# asetkey add 3 keytab.file afs/<cell>@<REALM>
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@<cell> [Expires Jan  9 17:51]
   --End of list--
root@<afsserver>:/usr/afs/etc# unlog 
root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth
root@<afsserver>:/usr/afs/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>

Valid starting     Expires            Service principal
01/09/07 11:11:00  01/09/07 17:51:00  krbtgt/<REALM>@<REALM>
01/09/07 11:11:07  01/09/07 17:51:00  afs/<cell>@<REALM>


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# kdestroy 
root@<afsserver>:/usr/afs/etc# kinit admin
Password for admin@<REALM>: 
root@<afsserver>:/usr/afs/etc# aklog
root@<afsserver>:/usr/afs/etc# pts listentries
Name                          ID  Owner Creator
pts: security object was passed a bad ticket ; unable to list entries

root@<afsserver>:/usr/afs/etc# 
root@<afsserver>:/usr/afs/etc# klist 
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@<REALM>

Valid starting     Expires            Service principal
01/09/07 11:15:42  01/09/07 17:55:42  krbtgt/<REALM>@<REALM>
01/09/07 11:15:48  01/09/07 17:55:42  afs/<cell>@<REALM>


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
root@<afsserver>:/usr/afs/etc# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@<cell> [Expires Jan  9 17:55]
   --End of list--
root@<afsserver>:/usr/afs/etc# 
----- s n i p -----

I've inquired what version of ktpass.exe/OS they're running
on the AD, but haven't got a reply yet (probably lunch :)...


Just if it matters, I compared the keyfiles as well.

----- s n i p -----
root@nnwux002:/usr/afs/etc# klist -k unixkeytab -t -K
Keytab name: FILE:unixkeytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
root@nnwux002:/usr/afs/etc# klist -k keytab.file -t -K
Keytab name: FILE:keytab.file
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
root@nnwux002:/usr/afs/etc# 
----- s n i p -----

They ARE different, but since neither works... ? Did I miss restarting
something? I've been waiting for more than the 'AD sync time', so it
can't be that...

And the time is synchronized with ntpdate from the same NTPd as
the AD once every hour...


PS. I just noticed the timestamp on 'unixkeytab'... Might be nothing,
    but...
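The post compares the `asetkey list` output against `klist -k -t -K` by eye. The script below is an added example (not part of the original post or of OpenAFS) that does that comparison mechanically: it parses both listings, reports per kvno whether the KeyFile key and the keytab key are byte-for-byte identical, and runs two sanity checks on each 8-byte DES key (odd parity on every byte, and absence from the standard DES weak/semi-weak key list). The sample listings are constructed from the output shown in the post; the parsers assume exactly the line formats shown there (other asetkey/klist versions may print differently), and the function and constant names are the example's own.

```python
"""Cross-check an AFS KeyFile listing against a Kerberos keytab listing.

Added example, not from the original post. Parses `asetkey list` and
`klist -k -t -K` text in the exact formats shown in the post (assumption:
other tool versions may differ) and compares the DES keys per kvno.
"""
import re

# Constructed sample: `asetkey list` output as shown in the post.
ASETKEY_LIST = """\
kvno    3: key is: e9801968ba2aada4
All done.
"""

# Constructed sample: `klist -k unixkeytab -t -K` output as shown in the post.
KLIST_UNIXKEYTAB = """\
Keytab name: FILE:unixkeytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
"""

# Constructed sample: the ktutil-built keytab from the post (different key).
KLIST_KTUTIL = """\
Keytab name: FILE:keytab.file
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
"""

ASETKEY_RE = re.compile(r"^kvno\s+(\d+):\s+key is:\s+([0-9a-fA-F]{16})\s*$")
KLIST_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\S+\s+(\S+)\s+\(0x([0-9a-fA-F]{16})\)\s*$")

# The 4 weak and 12 semi-weak DES keys (standard list).
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "011f011f010e010e", "1f011f010e010e01", "01e001e001f101f1", "e001e001f101f101",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
)}


def parse_asetkey(text: str) -> dict:
    """Map kvno -> 8-byte key from `asetkey list` output."""
    keys = {}
    for line in text.splitlines():
        m = ASETKEY_RE.match(line)
        if m:
            keys[int(m.group(1))] = bytes.fromhex(m.group(2))
    return keys


def parse_klist_keytab(text: str) -> dict:
    """Map (kvno, principal) -> 8-byte key from `klist -k -t -K` output."""
    keys = {}
    for line in text.splitlines():
        m = KLIST_RE.match(line)
        if m:
            keys[(int(m.group(1)), m.group(2))] = bytes.fromhex(m.group(3))
    return keys


def des_odd_parity(key: bytes) -> bool:
    """Every DES key byte must have an odd number of set bits."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def key_sanity(key: bytes) -> list:
    """Return a list of problems with a single DES key (empty if none)."""
    problems = []
    if not des_odd_parity(key):
        problems.append("bad parity")
    if key in DES_WEAK_KEYS:
        problems.append("weak key")
    return problems


def compare_keys(keyfile: dict, keytab: dict, principal: str) -> dict:
    """Per kvno, say whether KeyFile and keytab agree for `principal`."""
    tab = {kvno: k for (kvno, princ), k in keytab.items() if princ == principal}
    result = {}
    for kvno in sorted(set(keyfile) | set(tab)):
        if kvno not in keyfile:
            result[kvno] = "missing in KeyFile"
        elif kvno not in tab:
            result[kvno] = "missing in keytab"
        elif keyfile[kvno] == tab[kvno]:
            result[kvno] = "match"
        else:
            result[kvno] = "mismatch"
    return result


if __name__ == "__main__":
    kf = parse_asetkey(ASETKEY_LIST)
    for name, listing in (("unixkeytab", KLIST_UNIXKEYTAB), ("keytab.file", KLIST_KTUTIL)):
        kt = parse_klist_keytab(listing)
        print(name, compare_keys(kf, kt, "afs/<cell>@<REALM>"))
        for (kvno, princ), key in kt.items():
            print("  kvno", kvno, key.hex(), key_sanity(key) or "ok")
```

A match here only shows that the KeyFile and the local keytab agree; the ticket is encrypted by the KDC with its own copy of the afs/<cell> key, so that copy must hold the same key and kvno as the KeyFile for the fileserver to accept the ticket, and this script cannot see it.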