[OpenAFS] Windows AD Kerberos - "bad ticket" error

Douglas E. Engert deengert@anl.gov
Fri, 26 Feb 2010 13:20:48 -0600 

Jonathan Nilsson wrote:
> 
> On Fri, Feb 26, 2010 at 10:44, Brandon S. Allbery KF8NH 
> <allbery@ece.cmu.edu <mailto:allbery@ece.cmu.edu>> wrote:
> 
>     On Feb 26, 2010, at 13:24 , Jonathan Nilsson wrote:
> 
>         [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
>         afs@SS2K-DEVEL.UCI.EDU <mailto:afs@SS2K-DEVEL.UCI.EDU>: kvno = 2
>         [09:57 root@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
>         <http://mycell.edu>
>         afs/mycell.edu <http://mycell.edu>@MYCELL.EDU
>         <http://MYCELL.EDU>: kvno = 2
> 
> 
>     You put both of these in the KeyFile?  With the same kvno?  This
>     will break, because the KeyFile doesn't contain principals, and
>     picks entries by kvno.  You'll need to change one of them and then
>     regenerate the KeyFile.
> 
> 
> Hmm, part of that is a text-replacement error... oops, I was trying to 
> obfuscate my real REALM name, but clearly failed.  That line should read 
> "afs@MYCELL.EDU <mailto:afs@MYCELL.EDU>" to be consistent with the rest 
> of my output.
> 
> However, I'm not sure what you mean by "both of those in the KeyFile" - 
> my output of asetkey and bos listkeys shows that I only have one key in 
> the KeyFile:
> 
> [09:57 root@afs1 ~]# asetkey list
> kvno    2: key is: <key_obscured>
> All done.
> [10:01 root@afs1 ~]# bos listkeys afs1 -localauth
> key 2 has cksum 1847647929
> Keys last changed on Fri Feb 26 10:00:22 2010.
> All done.
> 
> However, in my Kerberos ticket cache I do indeed have two tickets with 
> the same kvno.
> 
> I'm speculating, but that would be a problem with how Windows implements 
> the "ktpass mapuser" function and then returns tickets for a mapped user 
> with the same kvno as the principal.  So both the user "afs" and the 
> principal "afs/mycell.edu <http://mycell.edu>" are returning tickets 
> with the same kvno.  And I don't think there are separate entries for 
> these principals in the kerberos database.
> 
> I'll try changing the password on the "afs" user account and then see 
> what kvno I get.

Try using a name other then afs for the account name as it can confuse
the issue.  The use of  afs@<REALM> is obsolete. Using afs/<cell>@<REALM>
can allow multiple cellsto use the same Kerberos realm.

> 
> Otherwise, is there a way for aklog to not bother getting a ticket for 
> the "afs@MYCELL.EDU <mailto:afs@MYCELL.EDU>" principal, and just use 
> "afs/mycell.edu <http://mycell.edu>@MYCELL.EDU <http://MYCELL.EDU>"?
> 
> --
> Jonathan Nilsson, jnilsson@uci.edu <mailto:jnilsson@uci.edu>
> Social Sciences Computing Services
> 949.824.1536, 4110 SSPA, UC Irvine
>  
> 
>     -- 
>     brandon s. allbery [solaris,freebsd,perl,pugs,haskell]
>     allbery@kf8nh.com <mailto:allbery@kf8nh.com>
>     system administrator [openafs,heimdal,too many hats]
>     allbery@ece.cmu.edu <mailto:allbery@ece.cmu.edu>
>     electrical and computer engineering, carnegie mellon university    KF8NH
> 
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444