[OpenAFS] Windows AD Kerberos - "bad ticket" error

Jonathan Nilsson jnilsson@uci.edu
Fri, 26 Feb 2010 11:03:26 -0800



On Fri, Feb 26, 2010 at 10:44, Brandon S. Allbery KF8NH <allbery@ece.cmu.edu> wrote:

> On Feb 26, 2010, at 13:24 , Jonathan Nilsson wrote:
>
>> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
>> afs@SS2K-DEVEL.UCI.EDU: kvno = 2
>> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
>> afs/mycell.edu@MYCELL.EDU: kvno = 2
>>
>
> You put both of these in the KeyFile?  With the same kvno?  This will
> break, because the KeyFile doesn't contain principals, and picks entries by
> kvno.  You'll need to change one of them and then regenerate the KeyFile.
>
>
Hmm, part of that is a text-replacement error... oops, I was trying to
obfuscate my real REALM name, but clearly failed.  That line should read
"afs@MYCELL.EDU" to be consistent with the rest of my output.

However, I'm not sure what you mean by "both of those in the KeyFile" - my
output of asetkey and bos listkeys shows that I only have one key in the
KeyFile:

[09:57 root@afs1 ~]# asetkey list
kvno    2: key is: <key_obscured>
All done.
[10:01 root@afs1 ~]# bos listkeys afs1 -localauth
key 2 has cksum 1847647929
Keys last changed on Fri Feb 26 10:00:22 2010.
All done.

However, in my Kerberos ticket cache I do indeed have two tickets with the
same kvno.

I'm speculating, but that would be a problem with how Windows implements the
"ktpass mapuser" function and then returns tickets for a mapped user with
the same kvno as the principal.  So both the user "afs" and the principal
"afs/mycell.edu" are returning tickets with the same kvno.  And I don't
think there are separate entries for these principals in the kerberos
database.

I'll try changing the password on the "afs" user account and then see what
kvno I get.

Otherwise, is there a way for aklog to not bother getting a ticket for the
"afs@MYCELL.EDU" principal, and just use "afs/mycell.edu@MYCELL.EDU"?

--
Jonathan Nilsson, jnilsson@uci.edu
Social Sciences Computing Services
949.824.1536, 4110 SSPA, UC Irvine


> --
> brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
> system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
> electrical and computer engineering, carnegie mellon university    KF8NH
>
>
>
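An added diagnostic (not from the thread or from OpenAFS itself) that parses the kind of `kvno` and `asetkey list` output shown above and reports AFS service principals whose tickets share a kvno, since the KeyFile is indexed by kvno alone and can hold only one key per number. The sample output strings are constructed to mirror the thread; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on the thread (not real captures).
KVNO_OUTPUT = """\
afs@MYCELL.EDU: kvno = 2
afs/mycell.edu@MYCELL.EDU: kvno = 2
host/afs1.mycell.edu@MYCELL.EDU: kvno = 5
"""
ASETKEY_OUTPUT = """\
kvno    2: key is: <key_obscured>
All done.
"""

KVNO_RE = re.compile(r"^(?P<princ>\S+@\S+): kvno = (?P<kvno>\d+)$")
KEYFILE_RE = re.compile(r"^kvno\s+(?P<kvno>\d+): key is:")

def parse_kvno(text):
    """Map principal -> kvno from `kvno` tool output lines."""
    out = {}
    for line in text.splitlines():
        m = KVNO_RE.match(line.strip())
        if m:
            out[m.group("princ")] = int(m.group("kvno"))
    return out

def parse_keyfile(text):
    """Set of kvnos present in the KeyFile, from `asetkey list` output."""
    kvnos = set()
    for line in text.splitlines():
        m = KEYFILE_RE.match(line.strip())
        if m:
            kvnos.add(int(m.group("kvno")))
    return kvnos

def afs_service_principals(princs):
    """Keep only afs@REALM and afs/<cell>@REALM, the names aklog asks for."""
    return {p: v for p, v in princs.items()
            if p.split("@")[0] == "afs" or p.startswith("afs/")}

def kvno_collisions(princs):
    """{kvno: [principals]} where more than one AFS principal shares a kvno.
    Both can only work if their tickets were encrypted under the same key,
    because the KeyFile picks its entry by kvno, not by principal."""
    by_kvno = defaultdict(list)
    for p, v in afs_service_principals(princs).items():
        by_kvno[v].append(p)
    return {v: sorted(ps) for v, ps in by_kvno.items() if len(ps) > 1}

def missing_from_keyfile(princs, keyfile_kvnos):
    """AFS principals whose ticket kvno has no entry in the KeyFile at all."""
    return sorted(p for p, v in afs_service_principals(princs).items()
                  if v not in keyfile_kvnos)
```

Run it against real `kvno -c <cache> ...` and `asetkey list` output: a non-empty collision list for a kvno that appears once in the KeyFile is the situation described in the thread, and any principal in `missing_from_keyfile` cannot be decrypted by the fileserver at all.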
