[OpenAFS] ADS and MIT Kerberos transition auth continued

Eric Chris Garrison ecgarris@iupui.edu
Fri, 17 Jul 2009 15:01:21 -0400



Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>> Anything else that we might be missing?  I keep thinking it must be
>> something simple.
> 
> It has to be key related.  An authenticated/encrypted connection is
> possible provided that the key works.  Even if the user name is not
> found in the protection database.
> 
> I would verify once again using kvno that the key in fact works and that
> you are in fact obtaining des based enctypes.

So, here's the kvno test:

 [root@rufus2 x86_64]# kvno afs/afstest.iu.edu@ADS.IU.EDU
 afs/afstest.iu.edu@ADS.IU.EDU: kvno = 8
 [root@rufus2 x86_64]# asetkey list
 kvno    5: key is: XXXXXXXXXXXXXXXX
 kvno    8: key is: XXXXXXXXXXXXXXXX
 All done.

Here's a look at the keytab they sent me:

 [root@rufus2 etc]# ktutil
 ktutil:  rkt afstest-md5.keytab
 ktutil:  list
 slot KVNO Principal
 ---------------------------------------------------------------------
    1    8            afs/afstest.iu.edu@ADS.IU.EDU

Also, I can kinit with the keytab they gave me for the service principal:

 [root@rufus2 etc]# kinit -k -t afstest-md5.keytab afs/afstest.iu.edu@ADS.IU.EDU
 [root@rufus2 etc]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: afs/afstest.iu.edu@ADS.IU.EDU

 Valid starting     Expires            Service principal
 07/17/09 14:34:44  07/18/09 00:34:44  krbtgt/ADS.IU.EDU@ADS.IU.EDU
         renew until 07/18/09 14:34:44, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC


 Kerberos 4 ticket cache: /tmp/tkt0

Here's a test with a principal (ecgarris) that is in ADS.IU.EDU,
AFSTEST.IU.EDU and also in the pts database as a user:

 [root@rufus2 etc]# kinit ecgarris@ADS.IU.EDU
 Password for ecgarris@ADS.IU.EDU:

 [root@rufus2 etc]# klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: ecgarris@ADS.IU.EDU

 Valid starting     Expires            Service principal
 07/17/09 14:38:51  07/18/09 00:38:55  krbtgt/ADS.IU.EDU@ADS.IU.EDU
         renew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
 07/17/09 14:38:58  07/18/09 00:38:55  afs/afstest.iu.edu@ADS.IU.EDU
         renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5


 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached

 [root@rufus2 etc]# aklog -d
 Authenticating to cell afstest.iu.edu (server rufus2.uits.iupui.edu).
 Trying to authenticate to user's realm ADS.IU.EDU.
 Getting tickets: afs/afstest.iu.edu@ADS.IU.EDU
 Using Kerberos V5 ticket natively
 About to resolve name ecgarris to id in cell afstest.iu.edu.
 Id 37302
 Set username to AFS ID 37302
 Setting tokens. AFS ID 37302 /  @ ADS.IU.EDU

So here's the real problem: I've set ecgarris's homedir with the proper
ACLs, which work from ecgarris@AFSTEST.IU.EDU but not ecgarris@ADS.IU.EDU:

 [root@rufus2 etc]# ls /afs/iu.edu/home/ecgarris
 ls: /afs/iu.edu/home/ecgarris: No such file or directory
 [root@rufus2 etc]# ls /afs/afstest.iu.edu/home/ecgarris
 ls: /afs/afstest.iu.edu/home/ecgarris: Permission denied

The following message appears in dmesg:

 afs: Tokens for user of AFS id 37302 for cell afstest.iu.edu are discarded (rxkad error=19270407)

 [root@rufus2 x86_64]# translate_et 19270407
 19270407 (rxk).7 = security object was passed a bad ticket

I'm still waiting to hear back from my ADS admin on the other questions
that Douglas Engert asked about that side of things, since that's
something we don't control.  We have our own test KDC, but it's a MIT
Kerberos server.  The service principal from AFSTEST.IU.EDU works fine,
just not the ADS side of things.

Just for fun, I updated the openafs server/client on the test machine to
1.4.11 today; it was 1.4.10 before.  I also made sure the machine is as
up2date as it can be for RHEL4. It didn't make a difference, though I
didn't really think it would.

Hopefully, something will shake loose for the ADS admin, because I'm
really running out of ideas on my end.  Any other suggestions/ideas are
very welcome.

Thanks for all your help so far.

Chris
--
Eric Chris Garrison             | Principal Mass Storage Specialist
ecgarris@iupui.edu              | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: ecgarris@iupui.edu
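The checks Jeffrey asked for in this thread (is the afs/ service ticket really DES-encrypted, does its kvno exist in the KeyFile, and what does the rxkad error number in dmesg mean) can be scripted against the command output the message shows. The Python below is an added example written for this page, not OpenAFS code: it decodes a com_err code the way `translate_et` does (the table name is packed six bits per character above an 8-bit offset, using the standard com_err character set, which yields `RXK`; `translate_et` on the page prints it in lower case), parses `klist -e` and `asetkey list` output, and reports anything that would make rxkad in OpenAFS 1.4 (DES only) reject the ticket. The sample inputs are the thread's own output, re-joined onto single lines; the rxkad symbolic names for offsets 6 to 9 come from rxkad's error table, and only the offset 7 text is taken from the page.

```python
"""Diagnostics for an AFS service ticket issued by a foreign (AD) realm.
Added example, not OpenAFS code.  Sample inputs are copied from the
mailing-list thread and re-joined onto single lines."""
import re

# Standard com_err character set: a table name is packed 6 bits per
# character (BITS_PER_CHAR = 6) above an 8-bit offset (ERRCODE_RANGE = 8).
_CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# rxkad error offsets (symbolic names from rxkad's error table); the text
# for offset 7 is what translate_et printed in the thread.
_RXKAD_OFFSETS = {
    6: ("RXKADBADKEY", "security object was passed a bad key"),
    7: ("RXKADBADTICKET", "security object was passed a bad ticket"),
    8: ("RXKADUNKNOWNKEY", "ticket contained unknown key version number"),
    9: ("RXKADEXPIRED", "authentication expires"),
}


def decode_com_err(code):
    """Split a com_err number into (table_name, offset): 19270407 -> ('RXK', 7)."""
    offset = code & 0xFF
    packed = (code >> 8) & 0o77777777
    name = ""
    for shift in range(24, -1, -6):          # up to five 6-bit characters
        ch = (packed >> shift) & 0x3F
        if ch:
            name += _CHAR_SET[ch - 1]
    return name, offset


def describe_rxkad_error(code):
    """Render like translate_et ('rxk.7: ...'); unknown offsets are reported as such."""
    table, offset = decode_com_err(code)
    sym, text = _RXKAD_OFFSETS.get(offset, ("?", "unknown rxkad offset"))
    return "%s.%d: %s (%s)" % (table.lower(), offset, text, sym)


_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)\s*$")
_ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(.+?),\s*(.+?)\s*$")


def parse_klist_e(text):
    """Return one dict per ticket from `klist -e` output (MIT format)."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            tickets.append({"starts": m.group(1), "expires": m.group(2),
                            "service": m.group(3), "skey": None, "tkt": None})
            continue
        m = _ETYPE_RE.search(line)
        if m and tickets:          # enctype line belongs to the preceding ticket
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def parse_asetkey_list(text):
    """Set of kvnos present in the AFS KeyFile, from `asetkey list` output."""
    return {int(m.group(1)) for m in
            (re.match(r"^\s*kvno\s+(\d+):", ln) for ln in text.splitlines()) if m}


def parse_kvno(text):
    """kvno reported by the `kvno` command for the service principal."""
    return int(re.search(r"kvno = (\d+)", text).group(1))


def check_afs_service_ticket(tickets, cell, keyfile_kvnos, ticket_kvno):
    """Findings that would make rxkad (1.4, DES only) drop the afs/<cell> ticket."""
    findings = []
    svc = [t for t in tickets if t["service"].startswith("afs/%s@" % cell)]
    if not svc:
        return ["no afs/%s ticket in the credential cache" % cell]
    for which in ("skey", "tkt"):
        et = svc[0][which] or ""
        if not et.upper().startswith("DES"):
            findings.append("%s enctype %r is not DES; rxkad cannot use it" % (which, et))
    if ticket_kvno not in keyfile_kvnos:
        findings.append("ticket kvno %d is not in the KeyFile (have %s)"
                        % (ticket_kvno, sorted(keyfile_kvnos)))
    return findings


# Sample inputs taken from the thread (klist lines re-joined).
KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ecgarris@ADS.IU.EDU

Valid starting     Expires            Service principal
07/17/09 14:38:51  07/18/09 00:38:55  krbtgt/ADS.IU.EDU@ADS.IU.EDU
        renew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/17/09 14:38:58  07/18/09 00:38:55  afs/afstest.iu.edu@ADS.IU.EDU
        renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""
ASETKEY_OUTPUT = "kvno    5: key is: XXXXXXXXXXXXXXXX\nkvno    8: key is: XXXXXXXXXXXXXXXX\nAll done.\n"
KVNO_OUTPUT = "afs/afstest.iu.edu@ADS.IU.EDU: kvno = 8"

if __name__ == "__main__":
    print(describe_rxkad_error(19270407))
    findings = check_afs_service_ticket(parse_klist_e(KLIST_OUTPUT), "afstest.iu.edu",
                                        parse_asetkey_list(ASETKEY_OUTPUT),
                                        parse_kvno(KVNO_OUTPUT))
    print(findings or "enctypes and kvno look right; compare the key bytes themselves")
```

Run against the thread's output the checker reports nothing, which is exactly the situation the message describes: the enctypes are DES and the kvno matches, so the remaining suspect is the DES key material behind kvno 8 on the two sides.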