[OpenAFS] ADS and MIT Kerberos transition auth continued
Douglas E. Engert
Thu, 16 Jul 2009 14:08:28 -0500
Eric Chris Garrison wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> Okay, we continue to fight this. We found that despite having an
> alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
> being treated as unauthorized, anonymous users, rather than being mapped
> as they should be.
> We looked into enctypes as a possible culprit. We were using des-cbc-crc,
> but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
> not restrict it to just one type, but can restrict it to just DES types.
> (The ADS admin said they set the "Use Kerberos DES encryption types" flag).
> So, we got a des-crc-md5 service principal from our ADS admin. Now the
> ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on the
> server side.
> After aklog, this is what klist shows for afs/afstest.iu.edu:
> 07/16/09 14:43:22 07/17/09 00:43:12 afs/afstest.iu.edu@ADS.IU.EDU
> renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode
> with CRC-32, DES cbc mode with RSA-MD5
The enc types are OK For example, I have:
07/16/09 08:41:05 07/16/09 18:40:53 afs/anl.gov@ANL.GOV
renew until 07/23/09 08:40:53, Etype(skey, tkt): DES cbc mode
with CRC-32, DES cbc mode with RSA-MD5
> In FileLog:
> Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
> That 0 should be 2 for properly authenticated connections. At first it
> failed because the enctype wasn't supported. Now that they have that DES
> flag set in the kdc, it fails because it can't decrypt the encrypted part
> of the k5 ticket.
And after you reset the desonly bit in AD, did you use ktpass with
-pass somepassword -out keytabfile
or did you use the -rndPass option?
And you put the new key in the /usr/afs/etc/KeyFile on all the servers
with the correct kvno? Not sure, but you may have to restart the servers too.
And you did a fresh kinit?
> Can anyone enlighten me on the encryption types we should be asking for
> from the ADS admin, and what other issues might be going on here, and why
> the MD5 ticket isn't being decrpted by the AFS server?
> Thanks again,
> - --
> Eric Chris Garrison | Principal Mass Storage Specialist
> firstname.lastname@example.org | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: email@example.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> -----END PGP SIGNATURE-----
> OpenAFS-info mailing list
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439