[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Wed, 01 Jul 2009 16:52:05 -0400



Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>>> From: Andrew Deason <adeason@sinenomine.net>
>>>> I've added an afs service principal from each of two realms to the
>>>> KeyFile using asetkey.   I've added both realms in /etc/krb.conf, the
>>>> first two lines of the file being the two realms.
>>> You probably want /usr/afs/etc/krb.conf (if using transarc paths), or
>>> /etc/openafs/server/krb.conf.
>> Thanks, that did help, I've gotten further now.
>>
>> What I'm seeing now though, is that although I used asetkey to add the
>> service principal from the ADS realm to my test cell, permissions aren't
>> working as I'd expect.
>>
>> So, we have realm AFSTEST.IU.EDU and ADS.IU.EDU.  Both in the KeyFile and
>> in the /usr/afs/etc/krb.conf and both listed in the /etc/krb5.conf.
>>
>> On a client machine, I can kinit as the original, as
>> ecgarris@AFSTEST.IU.EDU and can get permissions as expected to OpenAFS
>> directories with ACLs granted to OpenAFS user ecgarris.
>>
>> I would expect on a multi-realm cell, that I could come in as
>> ecgarris@ADS.IU.EDU and have the same permissions as
>> ecgarris@AFSTEST.IU.EDU, but I don't, I get permission denied.  If I
>> create a file in an anyuser-writable directory, the UNIX permissions show
>> it as owned by ecgarris, but I still get Permission Denied when I try to
>> access directories owned by OpenAFS ecgarris.
>>
>> If I make the ONLY realm ADS.IU.EDU I have the same problem as well.
>>
>> Does this mean if we switch domains, all existing users will need extra
>> ACLs inserted to accommodate the new domain?  Is there a better answer?
>> Am I just missing something simple?
> 
> it means you have done something wrong.

I'm sure I have, I just don't know what yet.

> what adding multiple realm names to /usr/afs/etc/krb.conf tells the AFS
> services after a restart is that all of the specified realms should be
> considered as sources of local authentication identities.  If the
> krb.conf file states
> 
>   ADS.IU.EDU AFSTEST.IU.EDU

It does.

> then both the name ecgarris@ADS.IU.EDU and ecgarris@AFSTEST.IU.EDU will
> be treated as "ecgarris".

They aren't.

> When debugging authentication you should turn auditing on for all of
> your services so that you can see what the authentication identities are
> from the perspective of each service.

I turned auditing on and I do see a difference in the fileserver audit:

ecgarris@AFSTEST.IU.EDU:

Wed Jul  1 15:59:13 2009 [7] EVENT AFS_SRX_FchStat CODE 0 NAME ecgarris
HOST 129.79.43.73 ID 32766 FID 536870918:1:1

...but as ecgarris@ADS.IU.EDU:

Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
HOST 149.166.144.33 ID 32766 FID 536870933:2:2

So the ADS.IU.EDU user is showing as unauthorized?  Strange that if I
create a file, its UNIX permissions show as owned by ecgarris though.

> I would also verify that the keytabs that you are using are in fact
> correct.  You can do so using the MIT Kerberos kvno command.  Obtain a
> TGT for ecgarris@ADS.IU.EDU and then issue:
> 
>   kvno -k <keytab> afs/afstest.iu.edu@ADS.IU.EDU
> 
> If the key verifies then it can be imported into the AFS KeyFile and
> distributed to all of your services.

It does verify, with kvno = 6, which is not the same as the other service
principal's kvno.

So what else could be wrong?

Chris
--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
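The two checks Jeffrey describes above (is the principal's realm listed in krb.conf, and what identity does the fileserver audit log actually record for the caller) can be scripted so they are repeatable across all the servers in a cell. The helpers below are an added example written for this thread; they are not part of OpenAFS or of Chris's setup. They assume krb.conf is a plain whitespace-separated list of realm names, as quoted in the thread, and that each fileserver audit record is on one line as the fileserver writes it (the mail client wrapped the two samples). The krb.conf contents and audit lines in the script are constructed from the values quoted in the mail.

```shell
#!/bin/sh
# Added diagnostic helpers (not part of OpenAFS): check whether a Kerberos
# principal's realm is configured as a local realm in krb.conf, and list the
# operations a fileserver audit log recorded as --UnAuth--.
set -u

# principal_realm PRINC -> prints the realm after the last '@'
principal_realm() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# realm_is_local KRBCONF REALM -> exit 0 when REALM appears as a whitespace-
# separated token in KRBCONF (the krb.conf format quoted in the thread)
realm_is_local() {
    awk -v r="$2" '{ for (i = 1; i <= NF; i++) if ($i == r) found = 1 }
                   END { exit !found }' "$1"
}

# check_principal KRBCONF PRINC -> "local" if the realm is listed (so the
# services should map the principal to its bare AFS name), otherwise
# "foreign" with a non-zero status
check_principal() {
    realm=$(principal_realm "$2")
    if realm_is_local "$1" "$realm"; then
        echo local
    else
        echo foreign
        return 1
    fi
}

# unauth_events AUDITLOG -> one "time host event" line per operation the
# fileserver carried out as --UnAuth--; the record is scanned for the EVENT
# and HOST keywords rather than fixed field positions
unauth_events() {
    awk '/NAME --UnAuth--/ {
            ev = "?"; host = "?"
            for (i = 1; i < NF; i++) {
                if ($i == "EVENT") ev = $(i + 1)
                if ($i == "HOST")  host = $(i + 1)
            }
            printf "%s %s %s\n", $4, host, ev
        }' "$1"
}

# unauth_count AUDITLOG -> number of --UnAuth-- operations in the log
unauth_count() {
    unauth_events "$1" | wc -l | tr -d ' '
}

# --- constructed sample inputs (realms, hosts and FIDs taken from the mail) ---
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_KRBCONF="$SAMPLE_DIR/krb.conf"
SAMPLE_AUDIT="$SAMPLE_DIR/FileAudit"

printf 'ADS.IU.EDU AFSTEST.IU.EDU\n' > "$SAMPLE_KRBCONF"

# The audit excerpts from the mail, each record on a single line.
cat > "$SAMPLE_AUDIT" <<'EOF'
Wed Jul  1 15:59:13 2009 [7] EVENT AFS_SRX_FchStat CODE 0 NAME ecgarris HOST 129.79.43.73 ID 32766 FID 536870918:1:1
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth-- HOST 149.166.144.33 ID 32766 FID 536870933:2:2
EOF

# Walk through both identities used in the thread and then the audit log.
for princ in ecgarris@AFSTEST.IU.EDU ecgarris@ADS.IU.EDU; do
    printf '%-26s krb.conf: %s\n' "$princ" \
        "$(check_principal "$SAMPLE_KRBCONF" "$princ" || true)"
done
printf 'unauthenticated operations in audit log: %s\n' "$(unauth_count "$SAMPLE_AUDIT")"
unauth_events "$SAMPLE_AUDIT"
```

Pointing check_principal at the real /usr/afs/etc/krb.conf on each server shows whether the configuration the services read agrees with what was intended; unauth_events over the live audit log then shows, per host and operation, which calls arrived without a usable identity, which is the first thing to look at when a principal from a listed realm still turns up as --UnAuth--.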