[OpenAFS] Windows AD Kerberos - "bad ticket" error

Douglas E. Engert deengert@anl.gov
Fri, 26 Feb 2010 13:08:29 -0600


Jonathan Nilsson wrote:
> Hello,
> 
> I've spent a good amount of time trying to figure out how to use Windows Active
> Directory as my Kerberos Realm.  So first off, tell me if this is not a
> supported scenario... although from the reading I've done, it should work.  That
> said, I am having strange problems with my tickets/tokens and kvno mismatches.
> 
> First let me describe my environment:
> 
>   - my one and only (for now) OpenAFS server (afs1.mycell.edu), version 1.4.11 on
> Fedora 11, kernel 2.6.30.10-105.2.16.fc11.i686.PAE, installed using RPMs from
> the openafs.org site (this is a VMware virtual machine, if that matters)
>   - two Windows servers running all the other support services: NTP, Kerberos,
> DNS, LDAP (for nss_ldap on my linux boxes).
>   - My AD domain and my AFS Cellname are identical.
>   - The "afs/mycell.edu" service principal was created by creating an account
> called "afs" in AD, checking the boxes for "Use DES encryption types for this
> account" and "Do not require Kerberos preauthentication", and then running
> "ktpass mapuser afs princ afs/mycell.edu@MYCELL.EDU"

Was this the full ktpass command? Did you have it create a keytab?

And how did you use asetkey with the keytab?


There is a problem with the W2003 SP1 ktpass. See:
http://support.microsoft.com/kb/919557

Have you looked at:
http://www.dementia.org/twiki/bin/view/AFSLore/WindowsK5AfsServicePrincipal

> 
> I can "kinit" and "aklog" to get a token.  At this point I can read my AFS
> root.afs volume and root.cell volume, which have "system:anyuser rl" permissions.
> 
> However, doing pretty much anything else fails, unless I append "-localauth"
> 
> [09:36 root@afs1 ~]# bos listusers afs1 -localauth
> SUsers are: afsadmin
> [09:42 root@afs1 ~]# bos listusers afs1
> bos: failed to retrieve super-user list (security object was passed a bad ticket)
> 
> [09:52 root@afs1 ~]# pts mem afsadmin -localauth
> Groups afsadmin (id: 1) is a member of:
>   system:administrators
> [09:53 root@afs1 ~]# pts mem afsadmin
> pts: security object was passed a bad ticket so couldn't look up names
> 
> I'm not sure what is wrong with my ticket... Here's some additional output from
> klist, tokens, asetkey and kvno that might prove useful:
> 
> [09:56 root@afs1 ~]# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: afsadmin@MYCELL.EDU
> 
> Valid starting     Expires            Service principal
> 02/26/10 09:25:50  02/26/10 19:25:07  krbtgt/MYCELL.EDU@MYCELL.EDU
> 	renew until 02/27/10 09:25:50
> 02/26/10 09:25:12  02/26/10 19:25:07  afs/mycell.edu@MYCELL.EDU
> 	renew until 02/27/10 09:25:50
> 
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> [09:57 root@afs1 ~]# tokens
> 
> Tokens held by the Cache Manager:
> 
> User's (AFS ID 1) tokens for afs@mycell.edu [Expires Feb 26 19:25]
>    --End of list--
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
> afs@SS2K-DEVEL.UCI.EDU: kvno = 2
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
> afs/mycell.edu@MYCELL.EDU: kvno = 2
> [09:57 root@afs1 ~]# asetkey list
> kvno    2: key is: <key_obscured>
> All done.
> 
> 
> Let me know if there is any other information I can supply that would be helpful.
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
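An added check for the kvno question raised in this thread (example script, not code from the thread or from OpenAFS): it parses the two output formats shown above, `kvno -c <cache> <principal>` and `asetkey list`, and reports whether the kvno in the cached afs service ticket is actually present in the server's KeyFile. The sample outputs at the bottom are constructed; in real use pass the live command output as shown in the comment.

```shell
#!/bin/sh
# Added example, not part of the thread. Checks whether the kvno of the
# cached AFS service ticket matches a kvno in the AFS KeyFile. A ticket
# encrypted under a key version the fileserver does not hold cannot be
# decrypted, which surfaces as "security object was passed a bad ticket".
# Live use:  check_kvno "$(kvno afs/mycell.edu)" "$(asetkey list)" \
#                       afs/mycell.edu@MYCELL.EDU

# Print the kvno of the service ticket for principal $2 from kvno(1) output $1
# (format: "afs/mycell.edu@MYCELL.EDU: kvno = 2").
ticket_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 == (p ":") && $2 == "kvno" { print $4; exit }'
}

# Print every kvno present in the KeyFile from "asetkey list" output $1,
# one per line ("kvno    2: key is: <key_obscured>" -> "2").
keyfile_kvnos() {
    printf '%s\n' "$1" | awk '$1 == "kvno" { sub(/:$/, "", $2); print $2 }'
}

# Return 0 when the ticket kvno is in the KeyFile, 1 on a mismatch, and 2
# when no service ticket for $3 was found in the kvno(1) output.
check_kvno() {
    _kvno_out=$1; _asetkey_out=$2; _princ=$3
    _tk=$(ticket_kvno "$_kvno_out" "$_princ")
    [ -n "$_tk" ] || { echo "no service ticket for $_princ"; return 2; }
    for _k in $(keyfile_kvnos "$_asetkey_out"); do
        if [ "$_k" = "$_tk" ]; then
            echo "ok: ticket kvno $_tk is present in the KeyFile"
            return 0
        fi
    done
    echo "MISMATCH: ticket kvno $_tk, KeyFile has kvno(s):" \
        "$(keyfile_kvnos "$_asetkey_out" | tr '\n' ' ')"
    return 1
}

# Constructed samples in the formats shown in the thread.
SAMPLE_KVNO='afs/mycell.edu@MYCELL.EDU: kvno = 2'
SAMPLE_KEYFILE_OK='kvno    2: key is: <key_obscured>
All done.'
SAMPLE_KEYFILE_BAD='kvno    3: key is: <key_obscured>
All done.'
```

A matching kvno is necessary but not sufficient: the OpenAFS 1.4 KeyFile holds only DES keys, so the service ticket must also have been issued with a DES enctype (visible with `klist -e`).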