[OpenAFS] Windows AD Kerberos - "bad ticket" error
Douglas E. Engert
Fri, 26 Feb 2010 13:08:29 -0600
Jonathan Nilsson wrote:
> I've spent a good amount of time trying to figure out how to use Windows Active
> Directory as my Kerberos Realm. So first off, tell me if this is not a
> supported scenario... although from the reading I've done, it should work. That
> said, I am having strange problems with my tickets/tokens and kvno miss-matches.
> First let me describe my environment:
> - my one and only (for now) OpenAFS server (afs1.mycell.edu), version 1.4.11 on
> Fedora 11, kernel 220.127.116.11-105.2.16.fc11.i686.PAE, installed using RPMs from
> the openafs.org site (this is a VMware virtual machine, if that matters)
> - two Windows servers running all the other support services: NTP, Kerberos,
> DNS, LDAP (for nss_ldap on my linux boxes).
> - My AD domain and my AFS Cellname are identical.
> - The "afs/mycell.edu" service principal was created by creating an account
> called "afs" in AD, checking the boxes for "Use DES encryption types for this
> account" and "Do not require Kerberos preauthentication", and then running
> "ktpass mapuser afs princ afs/mycell.edu@MYCELL.EDU"
Was this the full ktpass command? Did you have it create a keytab?
And how did you use asetkey with the keytab?
There is a problem with the W2003 SP1 ktpass. See:
Have you looked at:
> I can "kinit" and "aklog" to get a token. At this point I can read my AFS
> root.afs volume and root.cell volume, which have "system:anyuser rl" permissions.
> However, doing pretty much anything else fails, unless I append "-localauth"
> [09:36 root@afs1 ~]# bos listusers afs1 -localauth
> SUsers are: afsadmin
> [09:42 root@afs1 ~]# bos listusers afs1
> bos: failed to retrieve super-user list (security object was passed a bad ticket)
> [09:52 root@afs1 ~]# pts mem afsadmin -localauth
> Groups afsadmin (id: 1) is a member of:
> [09:53 root@afs1 ~]# pts mem afsadmin
> pts: security object was passed a bad ticket so couldn't look up names
> I'm not sure what is wrong with my ticket... Here's some additional output from
> klist, tokens, asetkey and kvno that might prove useful:
> [09:56 root@afs1 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: afsadmin@MYCELL.EDU
> Valid starting Expires Service principal
> 02/26/10 09:25:50 02/26/10 19:25:07 krbtgt/MYCELL.EDU@MYCELL.EDU
> renew until 02/27/10 09:25:50
> 02/26/10 09:25:12 02/26/10 19:25:07 afs/mycell.edu@MYCELL.EDU
> renew until 02/27/10 09:25:50
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [09:57 root@afs1 ~]# tokens
> Tokens held by the Cache Manager:
> User's (AFS ID 1) tokens for firstname.lastname@example.org [Expires Feb 26 19:25]
> --End of list--
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
> afs@SS2K-DEVEL.UCI.EDU: kvno = 2
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
> afs/mycell.edu@MYCELL.EDU: kvno = 2
> [09:57 root@afs1 ~]# asetkey list
> kvno 2: key is: <key_obscured>
> All done.
> Let me know if there is any other information I can supply that would be helpful.
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439