[OpenAFS] ADS and MIT Kerberos transition auth continued
Eric Chris Garrison
Thu, 16 Jul 2009 14:49:04 -0400
Okay, we continue to fight this. We found that despite having an
alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
being treated as unauthorized, anonymous users, rather than being mapped
as they should be.
We looked into enctypes as a possible culprit. We were using des-cbc-crc,
but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
not restrict it to just one type, but can restrict it to just DES types.
(The ADS admin said they set the "Use Kerberos DES encryption types" flag).
So, we got a des-crc-md5 service principal from our ADS admin. Now the
ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on the
After aklog, this is what klist shows for afs/afstest.iu.edu:
07/16/09 14:43:22 07/17/09 00:43:12 afs/afstest.iu.edu@ADS.IU.EDU
renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode
with CRC-32, DES cbc mode with RSA-MD5
Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
That 0 should be 2 for properly authenticated connections. At first it
failed because the enctype wasn't supported. Now that they have that DES
flag set in the kdc, it fails because it can't decrypt the encrypted part
of the k5 ticket.
Can anyone enlighten me on the encryption types we should be asking for
from the ADS admin, and what other issues might be going on here, and why
the MD5 ticket isn't being decrypted by the AFS server?
Eric Chris Garrison | Principal Mass Storage Specialist
email@example.com | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: firstname.lastname@example.org
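The two checks described in the message, as an added example that is not part of the original post: it reads the ticket enctype (the one the server's key has to decrypt, as opposed to the session key enctype) out of wrapped klist output, and lists FileLog connections whose authClass is not 2. The function names are hypothetical, the klist column spacing is assumed, and the second FileLog line is constructed.

```python
import re

# Constructed sample input, modelled on the klist and FileLog lines in the message.
KLIST = (
    "07/16/09 14:43:22  07/17/09 00:43:12  afs/afstest.iu.edu@ADS.IU.EDU\n"
    "\trenew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode\n"
    "\twith CRC-32, DES cbc mode with RSA-MD5\n"
)
FILELOG = (
    "Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0\n"
    "Thu Jul 16 14:31:02 2009 FindClient: authenticating connection: authClass=2\n"
)

STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)\s*$")
ETYPE = re.compile(r"Etype \(skey, tkt\): (.+)$")
FINDCLIENT = re.compile(r"^(.+?) FindClient: authenticating connection: authClass=(\d+)")

def ticket_enctypes(klist_text):
    """Return {service principal: (session-key enctype, ticket enctype)}."""
    entries = []                      # [principal, joined detail text]
    for line in klist_text.splitlines():
        m = TICKET.match(line)
        if m:
            entries.append([m.group(1), ""])
        elif entries and line.strip():
            # klist wraps long detail lines; rejoin them before matching
            entries[-1][1] = (entries[-1][1] + " " + line.strip()).strip()
    result = {}
    for principal, detail in entries:
        m = ETYPE.search(detail)
        if m and ", " in m.group(1):
            skey, tkt = m.group(1).split(", ", 1)
            result[principal] = (skey, tkt)
    return result

def unauthenticated(filelog_text, wanted=2):
    """Timestamps of connections whose authClass differs from `wanted`."""
    hits = []
    for line in filelog_text.splitlines():
        m = FINDCLIENT.match(line)
        if m and int(m.group(2)) != wanted:
            hits.append(m.group(1))
    return hits

if __name__ == "__main__":
    for princ, (skey, tkt) in ticket_enctypes(KLIST).items():
        if princ.startswith("afs/"):
            print(f"{princ}: server key must decrypt a '{tkt}' ticket (session key: {skey})")
    print("authClass != 2 at:", unauthenticated(FILELOG))
```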