[OpenAFS] Windows AD Kerberos - "bad ticket" error

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Fri, 26 Feb 2010 14:10:20 -0500


On Feb 26, 2010, at 14:03 , Jonathan Nilsson wrote:
> On Fri, Feb 26, 2010 at 10:44, Brandon S. Allbery KF8NH <allbery@ece.cmu.edu> wrote:
> On Feb 26, 2010, at 13:24 , Jonathan Nilsson wrote:
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
> afs@SS2K-DEVEL.UCI.EDU: kvno = 2
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
> afs/mycell.edu@MYCELL.EDU: kvno = 2
>
> You put both of these in the KeyFile?  With the same kvno?  This  
> will break, because the KeyFile doesn't contain principals, and  
> picks entries by kvno.  You'll need to change one of them and then  
> regenerate the KeyFile.
>
> Hmm, part of that is a text-replacement error... oops, I was trying  
> to obfuscate my real REALM name, but clearly failed.  That line  
> should read "afs@MYCELL.EDU" to be consistent with the rest of my  
> output.
>
> However, I'm not sure what you mean by "both of those in the  
> KeyFile" - my output of asetkey and bos listkeys shows that I only  
> have one key in the KeyFile:

Right:  because if you try to put two keys with the same kvno into a  
KeyFile, only the last one added will actually be saved.  That was  
what I was trying to tell you; if both of those principals have kvno  
2, only one of them will actually be valid.  If you use aklog, it will  
try afs/cell first, but if the key for afs was added after the key for  
afs/cell, and they both have the same kvno, you will have a token that  
AFS can't decipher.

> However, in my Kerberos ticket cache I do indeed have two tickets  
> with the same kvno.

(1) The restriction I mentioned doesn't apply to ticket caches (or  
indeed to Kerberos in general); it's specific to the way the AFS  
KeyFile works.

(2) The only ticket(s) in your ccache that matter are afs/cell or  
afs.  If I read your original message correctly, one ticket was an AFS  
service ticket and the other was your TGT (expected, and irrelevant  
for this case).

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH
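The kvno collision described in the message, worked through as an added toy model (not OpenAFS code, not the list poster's own). It assumes a simplified KeyFile keyed only by kvno, a KDC holding one key per service principal, and HMAC-SHA256 tags standing in for the real ticket encryption; the principal names afs/mycell.edu and afs and the kvno values are the constructed ones from the thread. It shows why two principals at the same kvno leave the fileserver holding the wrong key for the ticket aklog actually fetched, and that a distinct kvno for the second principal resolves it.

```python
"""Toy model of the OpenAFS KeyFile kvno collision discussed above.

Added example, not code from the OpenAFS project. The KeyFile is modelled
as a mapping kvno -> key (no principal names, as the message states), the
KDC as a mapping principal -> (kvno, key), and a "ticket" as a kvno plus
an HMAC over a session payload. Real AFS tickets are encrypted rather than
tagged; the HMAC is an assumption chosen so the example runs offline.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class ToyKeyFile:
    """AFS KeyFile model: entries are selected by kvno only."""
    keys: dict = field(default_factory=dict)

    def asetkey_add(self, kvno, key):
        # Adding a second key with the same kvno silently replaces the first.
        self.keys[kvno] = key

    def lookup(self, kvno):
        return self.keys.get(kvno)


@dataclass
class ToyKDC:
    """Kerberos KDC model: one long-term key per service principal."""
    principals: dict = field(default_factory=dict)

    def add_principal(self, name, kvno):
        key = os.urandom(32)  # constructed random long-term key
        self.principals[name] = (kvno, key)
        return key

    def issue_ticket(self, principal, payload):
        kvno, key = self.principals[principal]
        tag = hmac.new(key, payload, hashlib.sha256).digest()
        return {"kvno": kvno, "payload": payload, "tag": tag}


def fileserver_accepts(keyfile, ticket):
    """AFS fileserver model: choose the key by kvno, then verify the ticket."""
    key = keyfile.lookup(ticket["kvno"])
    if key is None:
        return False
    expected = hmac.new(key, ticket["payload"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def aklog_ticket(kdc, cell, payload=b"session"):
    """aklog model: prefer afs/<cell>, fall back to afs (as the message says)."""
    for name in (f"afs/{cell}", "afs"):
        if name in kdc.principals:
            return name, kdc.issue_ticket(name, payload)
    raise KeyError("no AFS service principal in the KDC")


def colliding_kvno_scenario():
    """Both principals at kvno 2, afs added to the KeyFile last: bad ticket."""
    kdc, kf = ToyKDC(), ToyKeyFile()
    k_cell = kdc.add_principal("afs/mycell.edu", 2)
    k_afs = kdc.add_principal("afs", 2)
    kf.asetkey_add(2, k_cell)
    kf.asetkey_add(2, k_afs)  # overwrites the afs/mycell.edu key
    used, ticket = aklog_ticket(kdc, "mycell.edu")
    return used, fileserver_accepts(kf, ticket)


def distinct_kvno_scenario():
    """Fix: give the second principal a different kvno so both keys survive."""
    kdc, kf = ToyKDC(), ToyKeyFile()
    k_cell = kdc.add_principal("afs/mycell.edu", 2)
    k_afs = kdc.add_principal("afs", 3)
    kf.asetkey_add(2, k_cell)
    kf.asetkey_add(3, k_afs)
    used, ticket = aklog_ticket(kdc, "mycell.edu")
    return used, fileserver_accepts(kf, ticket)


if __name__ == "__main__":
    print(colliding_kvno_scenario())  # ('afs/mycell.edu', False)
    print(distinct_kvno_scenario())   # ('afs/mycell.edu', True)
```

The check a practitioner would run on a real cell is the same shape: compare the kvno reported by `kvno afs/<cell>` and `kvno afs` against `bos listkeys`, and make sure no two service principals that might end up in the KeyFile share a version number.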
