[OpenAFS] ADS and MIT Kerberos transition auth continued

Douglas E. Engert deengert@anl.gov
Wed, 08 Jul 2009 15:02:02 -0500 

Garrison, Eric C wrote:
> Quoting Jeffrey Altman <jaltman@secure-endpoints.com>:
> 
>> Eric Chris Garrison wrote:
>>
>>> ...but as ecgarris@ADS.IU.EDU:
>>>
>>> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR 
>>> AFS_SRX_StData
>>> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
>>> HOST 149.166.144.33 ID 32766 FID 536870933:2:2
>>>
>>> So the ADS.IU.EDU user is showing as unauthorized?  Strange that if I
>>> create a file, its UNIX permissions show as owned by ecgarris though.
>>>
>>>> I would also verify that the keytabs that you are using are in fact
>>>> correct.  You can do so using the MIT Kerberos kvno command.  Obtain a
>>>> TGT for ecgarris@ADS.IU.EDU and then issue:
>>>
>>>>   kvno -k <keytab> afs/afstest.iu.edu@ADS.IU.EDU
>>
>> Your Rx connection is unauthenticated.  That means that
>>
>> (a) either you do not have an AFS token
>>
>> (b) the token contains a kvno that is not recognized by the AFS server
>>
>> (c) the token is bad in some other way

Could be the keys don't match.
Looks like AD is giving you a ticket with AES! Must be W2008 server,
and you did not specify des-only with ktpass for the AFS key.

How did you create the AD entry and key? Using ktpass?
Is it DES only?

How did you add the key to the AFS key file in the servers?

If you have problems, with ktpass, there is a version of msktutil
that will work with Windows 2008.

     http://download.systemimager.org/~finley/msktutil/
(Finley is here at ANL.)


>>
>> On Windows using the MIT KFW klist command, what does "klist -e" show
>> when you have an afs/afstest.iu.edu@ADS.IU.EDU service ticket in the 
>> cache?
> 
> 
> I have done an "aklog -c afstest.iu.edu" giving the following output for 
> "tokens":
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 37302) tokens for afs@afstest.iu.edu [Expires Jul  9 00:53]
>  --End of list--
> 
> The kvno command comes back with the right kvno, as seen by ktutil for 
> the keytab, just
> as it was when I added it with astekey.
> 
> Here's what "klist -e" says:
> 
> Default principal: ecgarris@ADS.IU.EDU
> 
> Valid starting     Expires            Service principal
> 07/08/09 14:53:40  07/09/09 00:53:44  krbtgt/ADS.IU.EDU@ADS.IU.EDU
>       renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode 
> with 96-bit
> SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
> 07/08/09 14:53:56  07/09/09 00:53:44  afs/afstest.iu.edu@ADS.IU.EDU
>       renew until 07/09/09 14:53:40, Etype (skey, tkt): AES-256 CTS mode 
> with 96-bit
> SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

The AFS tickets and keys must be DES today. Your server must be W2008.

> 
> So what else should I look for in the token being bad in another way?
> 
> Thanks again,
> 
> Chris
> 
> 
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444