[OpenAFS] ADS and MIT Kerberos transition auth continued
Eric Chris Garrison
ecgarris@iupui.edu
Fri, 17 Jul 2009 15:01:21 -0400
Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>> Anything else that we might be missing? I keep thinking it must be
>> something simple.
>
> It has to be key related. An authenticated/encrypted connection is
> possible provided that the key works. Even if the user name is not
> found in the protection database.
>
> I would verify once again using kvno that the key in fact works and that
> you are in fact obtaining des based enctypes.
So, here's the kvno test:
[root@rufus2 x86_64]# kvno afs/afstest.iu.edu@ADS.IU.EDU
afs/afstest.iu.edu@ADS.IU.EDU: kvno = 8
[root@rufus2 x86_64]# asetkey list
kvno 5: key is: XXXXXXXXXXXXXXXX
kvno 8: key is: XXXXXXXXXXXXXXXX
All done.
Here's a look at the keytab they sent me:
[root@rufus2 etc]# ktutil
ktutil: rkt afstest-md5.keytab
ktutil: list
slot KVNO Principal
---------------------------------------------------------------------
1 8 afs/afstest.iu.edu@ADS.IU.EDU
Also, I can kinit with the keytab they gave me for the service principal:
[root@rufus2 etc]# kinit -k -t afstest-md5.keytab afs/afstest.iu.edu@ADS.IU.EDU
[root@rufus2 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afs/afstest.iu.edu@ADS.IU.EDU
Valid starting Expires Service principal
07/17/09 14:34:44 07/18/09 00:34:44 krbtgt/ADS.IU.EDU@ADS.IU.EDU
renew until 07/18/09 14:34:44, Etype (skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
Kerberos 4 ticket cache: /tmp/tkt0
Here's a test with a principal (ecgarris) that is in ADS.IU.EDU,
AFSTEST.IU.EDU and also in the pts database as a user:
[root@rufus2 etc]# kinit ecgarris@ADS.IU.EDU
Password for ecgarris@ADS.IU.EDU:
[root@rufus2 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ecgarris@ADS.IU.EDU
Valid starting Expires Service principal
07/17/09 14:38:51 07/18/09 00:38:55 krbtgt/ADS.IU.EDU@ADS.IU.EDU
renew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/17/09 14:38:58 07/18/09 00:38:55 afs/afstest.iu.edu@ADS.IU.EDU
renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode
with CRC-32, DES cbc mode with RSA-MD5
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@rufus2 etc]# aklog -d
Authenticating to cell afstest.iu.edu (server rufus2.uits.iupui.edu).
Trying to authenticate to user's realm ADS.IU.EDU.
Getting tickets: afs/afstest.iu.edu@ADS.IU.EDU
Using Kerberos V5 ticket natively
About to resolve name ecgarris to id in cell afstest.iu.edu.
Id 37302
Set username to AFS ID 37302
Setting tokens. AFS ID 37302 / @ ADS.IU.EDU
So here's the real problem: I've set ecgarris's homedir with the proper
ACLs, which work from ecgarris@AFSTEST.IU.EDU but not ecgarris@ADS.IU.EDU:
[root@rufus2 etc]# ls /afs/iu.edu/home/ecgarris
ls: /afs/iu.edu/home/ecgarris: No such file or directory
[root@rufus2 etc]# ls /afs/afstest.iu.edu/home/ecgarris
ls: /afs/afstest.iu.edu/home/ecgarris: Permission denied
The following message appears in dmesg:
afs: Tokens for user of AFS id 37302 for cell afstest.iu.edu are
discarded (rxkad error=19270407)
[root@rufus2 x86_64]# translate_et 19270407
19270407 (rxk).7 = security object was passed a bad ticket
I'm still waiting to hear back from my ADS admin on the other questions
that Douglas Engert asked about that side of things, since that's
something we don't control. We have our own test KDC, but it's an MIT
Kerberos server. The service principal from AFSTEST.IU.EDU works fine,
just not the ADS side of things.
Just for fun, I updated the openafs server/client on the test machine to
1.4.11 today (it was 1.4.10 before). I also made sure the machine is as
up2date as it can be for RHEL4. It didn't make a difference, though I
didn't really think it would.
Hopefully, something will shake loose for the ADS admin, because I'm
really running out of ideas on my end. Any other suggestions/ideas are
very welcome.
Thanks for all your help so far.
Chris
--
Eric Chris Garrison | Principal Mass Storage Specialist
ecgarris@iupui.edu | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
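A small checker, added here and not part of this thread or of OpenAFS, that codifies the two things Jeffrey suggested verifying: it parses klist -e, kvno and asetkey list output (the embedded samples are constructed to mirror the output quoted above, wrapped lines included), confirms the afs/ service ticket and its session key use single-DES enctypes, and confirms the ticket's kvno has a matching KeyFile entry. The function names, the sample text and the prefix match on MIT klist's enctype display names are my assumptions.

```python
import re

# Constructed sample output modelled on the klist -e, kvno and asetkey list
# output quoted above; the wrapped "Etype" lines are kept as in the mail.
KLIST_E = """\
07/17/09 14:38:51 07/18/09 00:38:55 krbtgt/ADS.IU.EDU@ADS.IU.EDU
renew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS
mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/17/09 14:38:58 07/18/09 00:38:55 afs/afstest.iu.edu@ADS.IU.EDU
renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode
with CRC-32, DES cbc mode with RSA-MD5
"""
KVNO_OUT = "afs/afstest.iu.edu@ADS.IU.EDU: kvno = 8\n"
ASETKEY_OUT = "kvno 5: key is: XXXXXXXXXXXXXXXX\nkvno 8: key is: XXXXXXXXXXXXXXXX\nAll done.\n"
DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
# One ticket row plus its "renew until ..., Etype (skey, tkt): A, B" line; DOTALL
# lets the enctype names span wrapped lines (assumes MIT klist -e's layout).
TICKET_RE = re.compile(
    rf"^{DATE}\s+{DATE}\s+(?P<sprinc>\S+)\s+renew until [^,]+, "
    r"Etype \(skey, tkt\): (?P<skey>[^,]+), (?P<tkt>.+?)\s*"
    rf"(?=^{DATE}|^Kerberos 4 |\Z)", re.MULTILINE | re.DOTALL)

def _norm(s):
    return " ".join(s.split())

def parse_klist(text):
    """Map service principal -> (session key enctype, ticket enctype)."""
    return {m["sprinc"]: (_norm(m["skey"]), _norm(m["tkt"])) for m in TICKET_RE.finditer(text)}

def parse_kvno(text):
    """Map principal -> key version reported by the kvno command."""
    return {p: int(k) for p, k in re.findall(r"^(\S+): kvno = (\d+)", text, re.M)}

def parse_asetkey(text):
    """Set of kvnos in the server KeyFile according to asetkey list."""
    return {int(k) for k in re.findall(r"^kvno (\d+): key is:", text, re.M)}

def check_afs_ticket(cell, realm, klist_text, kvno_text, asetkey_text):
    """Return a list of findings; an empty list means both checks passed."""
    sprinc, findings = f"afs/{cell}@{realm}", []
    tickets = parse_klist(klist_text)
    if sprinc not in tickets:
        return [f"no service ticket for {sprinc} in the credential cache"]
    for label, etype in zip(("session key", "ticket"), tickets[sprinc]):
        if not etype.startswith("DES cbc mode"):  # rxkad expects single-DES keys
            findings.append(f"{label} enctype is '{etype}', not single DES")
    kvno, keys = parse_kvno(kvno_text).get(sprinc), parse_asetkey(asetkey_text)
    if kvno not in keys:  # None (not reported) or a version absent from KeyFile
        findings.append(f"ticket kvno {kvno} has no matching KeyFile entry {sorted(keys)}")
    return findings
```

On the sample quoted in this message both checks pass (as the mail reports), so an empty list comes back; swap in an AES ticket or drop kvno 8 from the asetkey output and the corresponding finding is reported.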