[OpenAFS] Windows AD Kerberos - "bad ticket" error
Douglas E. Engert
Fri, 26 Feb 2010 13:20:48 -0600
Jonathan Nilsson wrote:
> On Fri, Feb 26, 2010 at 10:44, Brandon S. Allbery KF8NH
> <firstname.lastname@example.org <mailto:email@example.com>> wrote:
> On Feb 26, 2010, at 13:24 , Jonathan Nilsson wrote:
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
> afs@SS2K-DEVEL.UCI.EDU <mailto:afs@SS2K-DEVEL.UCI.EDU>: kvno = 2
> [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
> afs/mycell.edu <http://mycell.edu>@MYCELL.EDU
> <http://MYCELL.EDU>: kvno = 2
> You put both of these in the KeyFile? With the same kvno? This
> will break, because the KeyFile doesn't contain principals, and
> picks entries by kvno. You'll need to change one of them and then
> regenerate the KeyFile.
> Hmm, part of that is a text-replacement error... oops, I was trying to
> obfuscate my real REALM name, but clearly failed. That line should read
> "afs@MYCELL.EDU <mailto:afs@MYCELL.EDU>" to be consistent with the rest
> of my output.
> However, I'm not sure what you mean by "both of those in the KeyFile" -
> my output of asetkey and bos listkeys shows that I only have one key in
> the KeyFile:
> [09:57 root@afs1 ~]# asetkey list
> kvno 2: key is: <key_obscured>
> All done.
> [10:01 root@afs1 ~]# bos listkeys afs1 -localauth
> key 2 has cksum 1847647929
> Keys last changed on Fri Feb 26 10:00:22 2010.
> All done.
> However, in my Kerberos ticket cache I do indeed have two tickets with
> the same kvno.
> I'm speculating, but that would be a problem with how Windows implements
> the "ktpass mapuser" function and then returns tickets for a mapped user
> with the same kvno as the principal. So both the user "afs" and the
> principal "afs/mycell.edu <http://mycell.edu>" are returning tickets
> with the same kvno. And I don't think there are separate entries for
> these principals in the kerberos database.
> I'll try changing the password on the "afs" user account and then see
> what kvno I get.
Try using a name other then afs for the account name as it can confuse
the issue. The use of afs@<REALM> is obsolete. Using afs/<cell>@<REALM>
can allow multiple cellsto use the same Kerberos realm.
> Otherwise, is there a way for aklog to not bother getting a ticket for
> the "afs@MYCELL.EDU <mailto:afs@MYCELL.EDU>" principal, and just use
> "afs/mycell.edu <http://mycell.edu>@MYCELL.EDU <http://MYCELL.EDU>"?
> Jonathan Nilsson, firstname.lastname@example.org <mailto:email@example.com>
> Social Sciences Computing Services
> 949.824.1536, 4110 SSPA, UC Irvine
> brandon s. allbery [solaris,freebsd,perl,pugs,haskell]
> firstname.lastname@example.org <mailto:email@example.com>
> system administrator [openafs,heimdal,too many hats]
> firstname.lastname@example.org <mailto:email@example.com>
> electrical and computer engineering, carnegie mellon university KF8NH
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439