[OpenAFS] OpenAFS 1.4.7, Active Directory 2003 user could not access AFS home directory
Wenping Yang
yangw3@umdnj.edu
Wed, 15 Oct 2008 12:31:01 -0400
Hello,
I was trying to set up OpenAFS 1.4.7 to work with both Microsoft Active
Directory and an MIT Kerberos 5 server, but it didn't work well.
My goal is to enable both AD users and AFS users to access AFS space. The
current situation is that both AD and MIT Kerberos authentication work
fine, and users on both sides can get tickets and tokens, but only the AFS
user is able to access its AFS home directory; the AD user gets a "Permission
denied" error.
My AFS and MIT Kerberos server is running Linux CentOS 5, kernel 2.6.18-92.1.10.el5.
The AD server is Windows 2003 Enterprise Edition SP2.
AD domain: MESH.UMDNJ.EDU
MIT Kerberos realm: MED.UMDNJ.EDU
I have two users:
MIT Kerberos user: user1
AD user: user101
Here is what I have done:
On the AD side:
C:\Program Files\Support Tools>ktpass.exe -princ afs/med.umdnj.edu@MESH.UMDNJ.EDU -mapuser afsmed@MESH.UMDNJ.EDU -mapOp add -out keytab.afs +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
Targeting domain controller: rarwjmsist2.mesh.umdnj.edu
Using legacy password setting method
Successfully mapped afs/med.umdnj.edu to afsmed.
Building salt with principalname afs/med.umdnj.edu and domain
MESH.UMDNJ.EDU...
Hashing password with salt "MESH.UMDNJ.EDUafsmed.umdnj.edu".
Key created.
Output keytab to keytab.afs:
Keytab version: 0x502
keysize 59 afs/med.umdnj.edu@MESH.UMDNJ.EDU ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x01255b6b83402068)
Account afsmed has been set for DES-only encryption.
ktpass.exe version is 5.2.3790.3959
Add the key:
[root@RArwjmsIST1 ~]# asetkey add 4 /etc/krb5.keytab afs/med.umdnj.edu@MESH.UMDNJ.EDU
[root@RArwjmsIST1 ~]# asetkey list
kvno 3: key is: b0c49b017ffb9440
kvno 4: key is: 61a443c4b55197cd
In /etc/krb5.keytab:
ktutil: rkt krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
1 4 afs/med.umdnj.edu@MESH.UMDNJ.EDU
2 3 afs/med.umdnj.edu@MED.UMDNJ.EDU
3 3 afs@MED.UMDNJ.EDU
[root@RArwjmsIST1 ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@RArwjmsIST1 ~]# tokens
Tokens held by the Cache Manager:
--End of list--
[root@RArwjmsIST1 ~]# kinit user1
Password for user1@MED.UMDNJ.EDU:
[root@RArwjmsIST1 ~]# aklog
[root@RArwjmsIST1 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user1@MED.UMDNJ.EDU
Valid starting     Expires            Service principal
10/15/08 11:41:54  10/16/08 11:41:54  krbtgt/MED.UMDNJ.EDU@MED.UMDNJ.EDU
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
10/15/08 11:41:56  10/16/08 11:41:54  afs/med.umdnj.edu@MED.UMDNJ.EDU
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@RArwjmsIST1 ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 10001) tokens for afs@med.umdnj.edu [Expires Oct 16 11:41]
--End of list--
[root@RArwjmsIST1 ~]# ls -l /afs/med.umdnj.edu/home/user1
total 8
-rw-r--r-- 1 user1 root 9 Sep 3 12:13 testfile
drwxrwxrwx 2 user1 root 2048 Sep 4 12:46 testdir
drwxrwxrwx 5 root root 2048 Sep 5 14:35 Yesterday
From the above you can see that the MIT Kerberos user works well. Next I tested
with the AD user:
[root@RArwjmsIST1 ~]#
[root@RArwjmsIST1 ~]# unlog
[root@RArwjmsIST1 ~]# kdestroy
[root@RArwjmsIST1 ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@RArwjmsIST1 ~]# tokens
Tokens held by the Cache Manager:
--End of list--
[root@RArwjmsIST1 ~]# kinit user101@MESH.UMDNJ.EDU
Password for user101@MESH.UMDNJ.EDU:
[root@RArwjmsIST1 ~]# aklog
[root@RArwjmsIST1 ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: user101@MESH.UMDNJ.EDU
Valid starting     Expires            Service principal
10/15/08 11:43:07  10/15/08 21:43:06  krbtgt/MESH.UMDNJ.EDU@MESH.UMDNJ.EDU
        renew until 10/16/08 11:43:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/15/08 11:43:09  10/15/08 21:43:06  afs/med.umdnj.edu@MESH.UMDNJ.EDU
        renew until 10/16/08 11:43:07, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@RArwjmsIST1 ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 10006) tokens for afs@med.umdnj.edu [Expires Oct 15 21:43]
--End of list--
[root@RArwjmsIST1 ~]# ls -l /afs/med.umdnj.edu/home/user101
ls: /afs/med.umdnj.edu/home/user101: Permission denied
[root@RArwjmsIST1 ~]# touch /afs/med.umdnj.edu/home/user101/test
touch: cannot touch `/afs/med.umdnj.edu/home/user101/test': Permission denied
You see that user101 has tickets and a token, but could not access its AFS home
directory. The permissions under /afs/med.umdnj.edu/home/user101 are:
[admin@RArwjmsIST1 user101]$ fs la .
Access list for . is
Normal rights:
system:administrators rlidwka
user101 rlidwk
Here is krb5.conf:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = MED.UMDNJ.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = yes
 noaddresses = false

[realms]
 MED.UMDNJ.EDU = {
  kdc = RArwjmsIST1.umdnj.edu:88
  admin_server = RArwjmsIST1.umdnj.edu:749
  default_domain = med.umdnj.edu
 }
 MESH.UMDNJ.EDU = {
  kdc = RArwjmsIST2.umdnj.edu:88
  admin_server = RArwjmsIST2.umdnj.edu:749
  default_domain = mesh.umdnj.edu
 }

[domain_realm]
 .med.umdnj.edu = MED.UMDNJ.EDU
 med.umdnj.edu = MED.UMDNJ.EDU
 .mesh.umdnj.edu = MESH.UMDNJ.EDU
 mesh.umdnj.edu = MESH.UMDNJ.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf
I also tried the Linux ktutil to generate the keytab file:
ktutil: addent -password -p afs/med.umdnj.edu@MESH.UMDNJ.EDU -k 5 -e des-cbc-crc
Still I got the same results.
I could not figure out why it doesn't work. Any advice would be appreciated.
Wenping Yang
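An added example, not part of Wenping's post and not OpenAFS code, that models the step sitting between "aklog succeeded" and "the ACL applies": an OpenAFS cell derives a PTS user name from the Kerberos principal before it consults an ACL, and a principal from a realm the cell does not treat as local is named `name@realm` (realm lowercased) in PTS, which is a different PTS user from the bare `name` an ACL lists. The mapping rule and the `local_realms` parameter are stated as assumptions in the code; the ACL text is the `fs la` output from the post, and the function and file names are mine.

```python
# Added example (not from the original post or from OpenAFS): models how an
# OpenAFS cell derives a PTS user name from a Kerberos principal, then checks
# that derived name against an ACL as printed by "fs la".
#
# Assumed mapping rule (stated as an assumption for this example):
#   * a principal whose realm is the cell name uppercased, or any realm the
#     cell's servers are configured to treat as local, maps to the bare name
#     ("user1@MED.UMDNJ.EDU" -> "user1");
#   * a principal from any other realm maps to "name@realm" with the realm
#     lowercased ("user101@MESH.UMDNJ.EDU" -> "user101@mesh.umdnj.edu"),
#     which PTS treats as a different user from "user101".


def afs_user_name(principal: str, cell: str, local_realms=()) -> str:
    """Return the PTS name a cell would use for `principal` (see rule above)."""
    name, sep, realm = principal.partition("@")
    if not sep or not name or not realm:
        raise ValueError(f"expected name@REALM, got {principal!r}")
    local = {cell.upper(), *(r.upper() for r in local_realms)}
    if realm.upper() in local:
        return name
    return f"{name}@{realm.lower()}"


def parse_fs_la(text: str) -> dict:
    """Parse 'fs la' output into {"normal": {name: rights}, "negative": {...}}."""
    acl = {"normal": {}, "negative": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Access list for"):
            continue
        if line.endswith("rights:"):            # "Normal rights:" / "Negative rights:"
            section = line.split()[0].lower()
            continue
        if section in acl:
            who, rights = line.split()
            acl[section][who] = rights
    return acl


def check_access(principal: str, cell: str, fs_la_output: str, local_realms=()) -> dict:
    """Report whether any normal-rights ACL entry names the PTS user the token maps to."""
    who = afs_user_name(principal, cell, local_realms)
    acl = parse_fs_la(fs_la_output)
    entry = acl["normal"].get(who)
    return {
        "afs_name": who,                    # the name the cell will look up in the ACL
        "matches_acl": entry is not None,
        "rights": entry,
        # True when the ACL lists the bare Kerberos name but the token maps elsewhere
        "bare_name_on_acl": principal.split("@")[0] in acl["normal"],
    }


# ACL for /afs/med.umdnj.edu/home/user101 exactly as printed in the post.
ACL_USER101 = """\
Access list for . is
Normal rights:
  system:administrators rlidwka
  user101 rlidwk
"""

if __name__ == "__main__":
    cell = "med.umdnj.edu"
    for p in ("user1@MED.UMDNJ.EDU", "user101@MESH.UMDNJ.EDU"):
        print(p, "->", check_access(p, cell, ACL_USER101))
    # Hypothetical: the same check if the cell's servers treated MESH.UMDNJ.EDU
    # as a local realm (server-side configuration, not shown in the post).
    print(check_access("user101@MESH.UMDNJ.EDU", cell, ACL_USER101,
                       local_realms=["MESH.UMDNJ.EDU"]))
```

Run as-is, the script reports that `user1@MED.UMDNJ.EDU` maps to `user1`, while `user101@MESH.UMDNJ.EDU` maps to `user101@mesh.umdnj.edu`, a name the ACL does not contain even though the bare `user101` is on it; only when MESH.UMDNJ.EDU is passed as a local realm does the lookup hit the `rlidwk` entry. That is the shape of failure the post shows (valid tickets, a token with a real AFS ID, and still "Permission denied"), so the check a practitioner would make is to confirm with `pts examine` which PTS entry actually owns the AFS ID the token carries, and to compare that name with the one on the ACL.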