[OpenAFS] Windows AD Kerberos - "bad ticket" error

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Fri, 26 Feb 2010 14:12:34 -0500



> I'm speculating, but that would be a problem with how Windows implements the "ktpass mapuser" function and then returns tickets for a mapped user with the same kvno as the principal. So both the user "afs" and the principal "afs/mycell.edu" are returning tickets with the same kvno. And I don't think there are separate entries for these principals in the kerberos database.

Are you saying these are being mapped to the same principal in AD? If so, it's confusing but should be irrelevant.

> Otherwise, is there a way for aklog to not bother getting a ticket for the "afs@MYCELL.EDU" principal, and just use "afs/mycell.edu@MYCELL.EDU"?

That's what it should be doing; only if that principal can't be found or otherwise fails will it fall back to afs@.

-- 
brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH
