[OpenAFS] Windows AD Kerberos - "bad ticket" error

Jonathan Nilsson jnilsson@uci.edu
Fri, 26 Feb 2010 10:24:37 -0800


I've spent a good amount of time trying to figure out how to use Windows Active
Directory as my Kerberos Realm.  So first off, tell me if this is not a
supported scenario... although from the reading I've done, it should work.  That
said, I am having strange problems with my tickets/tokens and kvno mismatches.

First let me describe my environment:

 - my one and only (for now) OpenAFS server (afs1.mycell.edu), version 1.4.11 on
   Fedora 11, kernel, installed using RPMs from the openafs.org site (this is a
   VMware virtual machine, if that matters)
 - two Windows servers running all the other support services: NTP, Kerberos,
   DNS, LDAP (for nss_ldap on my linux boxes).
 - My AD domain and my AFS Cellname are identical.
 - The "afs/mycell.edu" service principal was created by creating an account
   called "afs" in AD, checking the boxes for "Use DES encryption types for this
   account" and "Do not require Kerberos preauthentication", and then running
   "ktpass mapuser afs princ afs/mycell.edu@MYCELL.EDU"

I can "kinit" and "aklog" to get a token.  At this point I can read my AFS
root.afs volume and root.cell volume, which have "system:anyuser rl" permissions.

However, doing pretty much anything else fails, unless I append "-localauth"

[09:36 root@afs1 ~]# bos listusers afs1 -localauth
SUsers are: afsadmin
[09:42 root@afs1 ~]# bos listusers afs1
bos: failed to retrieve super-user list (security object was passed a bad ticket)

[09:52 root@afs1 ~]# pts mem afsadmin -localauth
Groups afsadmin (id: 1) is a member of:
[09:53 root@afs1 ~]# pts mem afsadmin
pts: security object was passed a bad ticket so couldn't look up names

I'm not sure what is wrong with my ticket... Here's some additional output from
klist, tokens, asetkey and kvno that might prove useful:

[09:56 root@afs1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin@MYCELL.EDU

Valid starting     Expires            Service principal
02/26/10 09:25:50  02/26/10 19:25:07  krbtgt/MYCELL.EDU@MYCELL.EDU
	renew until 02/27/10 09:25:50
02/26/10 09:25:12  02/26/10 19:25:07  afs/mycell.edu@MYCELL.EDU
	renew until 02/27/10 09:25:50

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[09:57 root@afs1 ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@mycell.edu [Expires Feb 26 19:25]
   --End of list--
[09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
afs@SS2K-DEVEL.UCI.EDU: kvno = 2
[09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
afs/mycell.edu@MYCELL.EDU: kvno = 2
[09:57 root@afs1 ~]# asetkey list
kvno    2: key is: <key_obscured>
All done.

Let me know if there is any other information I can supply that would be helpful.

Jonathan Nilsson, jnilsson@uci.edu
Social Sciences Computing Services
949.824.1536, 4110 SSPA, UC Irvine
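An added diagnostic for the situation described in the post above (example code written for this page, not something from the post or from the OpenAFS project). The post shows that the kvno in the service ticket (2) already matches the kvno in the server KeyFile (asetkey list), so the other thing worth comparing is the encryption type of the afs/mycell.edu ticket: the OpenAFS 1.4 KeyFile holds single-DES keys only, so the ticket the KDC issues has to be DES as well. The script works on captured text from `kvno`, `asetkey list` and `klist -e` (the `-e` flag is MIT klist's; it is assumed here that an MIT klist is in use and that its "Etype (skey, tkt): <skey>, <tkt>" line format is what gets parsed), so it runs offline against saved output. The sample outputs at the bottom are constructed to look like the ones in the post.

```shell
#!/bin/sh
# Added example, not from the original post: an offline consistency check
# between the afs/<cell> service ticket a KDC issued and the AFS server's
# KeyFile. All inputs are captured tool output passed in as text.

# kvno the KDC put in the service ticket, from `kvno afs/<cell>` output,
# e.g. "afs/mycell.edu@MYCELL.EDU: kvno = 2"
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# kvnos present in the server KeyFile, one per line, from `asetkey list`,
# e.g. "kvno    2: key is: <key_obscured>"
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^kvno *\([0-9][0-9]*\):.*/\1/p'
}

# Ticket enctype (the second, "tkt" value) for a service principal from
# `klist -e` output. Assumed MIT format: the "Etype (skey, tkt): X, Y" line
# that follows the principal's own line.
ticket_enctype() {
    printf '%s\n' "$1" | awk -v svc="$2" '
        found && /Etype \(skey, tkt\):/ {
            sub(/.*Etype \(skey, tkt\): */, "")
            n = split($0, parts, /, */)
            print parts[n]; exit
        }
        index($0, svc) { found = 1 }'
}

# Returns 0 when the KeyFile holds the ticket's kvno and the ticket is
# single DES (the only key type an OpenAFS 1.4 KeyFile can hold); prints
# the first inconsistency found otherwise.
check_afs_key() {
    kvno_out=$1; asetkey_out=$2; klist_out=$3; svc=$4
    tkvno=$(ticket_kvno "$kvno_out")
    etype=$(ticket_enctype "$klist_out" "$svc")
    status=0
    if [ -z "$tkvno" ]; then
        echo "no kvno found for $svc in kvno output"; status=1
    elif ! keyfile_kvnos "$asetkey_out" | grep -qx "$tkvno"; then
        echo "KeyFile lacks kvno $tkvno (has: $(keyfile_kvnos "$asetkey_out" | tr '\n' ' '))"
        status=1
    fi
    case "$etype" in
        des-cbc-crc|des-cbc-md5|"DES cbc mode with"*) ;;   # both MIT spellings
        "") echo "no enctype found for $svc (capture klist -e)"; status=1 ;;
        *)  echo "ticket enctype is '$etype', not single DES"; status=1 ;;
    esac
    if [ "$status" -eq 0 ]; then
        echo "kvno $tkvno / enctype '$etype' are consistent with the KeyFile"
    fi
    return "$status"
}

# Constructed sample outputs (shape follows the real tools; values are made up).
SAMPLE_KVNO='afs/mycell.edu@MYCELL.EDU: kvno = 2'
SAMPLE_ASETKEY='kvno    2: key is: <key_obscured>
All done.'
SAMPLE_ASETKEY_OLD='kvno    1: key is: <key_obscured>
All done.'
SAMPLE_KLIST_DES='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin@MYCELL.EDU

Valid starting     Expires            Service principal
02/26/10 09:25:12  02/26/10 19:25:07  afs/mycell.edu@MYCELL.EDU
        renew until 02/27/10 09:25:50, Etype (skey, tkt): des-cbc-crc, des-cbc-crc'
SAMPLE_KLIST_RC4='02/26/10 09:25:12  02/26/10 19:25:07  afs/mycell.edu@MYCELL.EDU
        renew until 02/27/10 09:25:50, Etype (skey, tkt): arcfour-hmac, arcfour-hmac'

# Consistent case: kvno 2 in both places and a DES ticket.
check_afs_key "$SAMPLE_KVNO" "$SAMPLE_ASETKEY" "$SAMPLE_KLIST_DES" afs/mycell.edu
```

Against live output you would feed it `"$(kvno afs/mycell.edu)"`, `"$(asetkey list)"` and `"$(klist -e)"`; a ticket that comes back as arcfour-hmac or anything other than single DES is something the 1.4 server cannot decrypt with the key in its KeyFile, regardless of the kvno agreeing.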