[OpenAFS] Windows AD Kerberos - "bad ticket" error

Jonathan Nilsson jnilsson@uci.edu
Fri, 26 Feb 2010 11:54:51 -0800



First, thanks so much for the detailed and fast responses from both of you
(Douglas and Brandon). And for being willing to work through some of these
details with me.  I'll reply to some of your questions, though I suspect
that I know what I need to do now...

>> The "afs/mycell.edu" service principal was created by creating an account
>> called "afs" in AD, checking the boxes for "Use DES encryption types for
>> this account" and "Do not require Kerberos preauthentication", and then
>> running "ktpass mapuser afs princ afs/mycell.edu@MYCELL.EDU"
>
> Was this the full ktpass command? Did you have it create a keytab?
>

That was the full ktpass command to map the principal "afs/mycell.edu" to a
user account "afs".  I also ran:

ktpass out afs.keytab pass mysecret princ afs/mycell.edu@MYCELL.EDU kvno 2

to generate a keytab.  I specified kvno 2 because in previous tests, the
ktpass command always defaulted to using kvno 1 in generated keytabs, even
though I could see in my kerberos cache that the kvno was 2.  This would
cause problems where instead of "bad ticket" errors, I would get "wrong
kvno" errors.  I have tried this repeatedly, deleting the account in AD,
remaking it, and regenerating keytabs with and without specifying kvno.
Using the method described above was the only way I have gotten "aklog" to
work at all.


> And how did you use asetkey with the keytab?
>

I used WinSCP to transfer the keytab to my afs server, and then ran

asetkey add 2 /root/afs.keytab afs/mycell.edu

And of course then restarting the service openafs-server.


> There is a problem with the W2003 SP1 ktpass. See:
> http://support.microsoft.com/kb/919557
>
> Have you looked at:
> http://www.dementia.org/twiki/bin/view/AFSLore/WindowsK5AfsServicePrincipal


I was not aware of these articles. I will delete my existing "afs" account,
apply the hotfix in 919557, and follow the steps in the dementia.org site.

On Fri, Feb 26, 2010 at 11:12, Brandon S. Allbery KF8NH <allbery@ece.cmu.edu> wrote:

>> I'm speculating, but that would be a problem with how Windows implements
>> the "ktpass mapuser" function and then returns tickets for a mapped user
>> with the same kvno as the principal.  So both the user "afs" and the
>> principal "afs/mycell.edu" are returning tickets with the same kvno.  And
>> I don't think there are separate entries for these principals in the
>> kerberos database.
>
> Are you saying these are being mapped to the same principal in AD?  If so,
> it's confusing but should be irrelevant.
>

Yes, my afs/mycell.edu principal is mapped to a Windows account called
"afs" - there was only one account, and a principal mapped to that
account.  What I tried to say was that if I ran ktpass to generate a keytab
for either the afs or afs/mycell.edu principals, I would get the same key
back - identical kvno and identical checksum.

>> Otherwise, is there a way for aklog to not bother getting a ticket for the
>> "afs@MYCELL.EDU" principal, and just use "afs/mycell.edu@MYCELL.EDU"?
>
> That's what it should be doing; only if that principal can't be found or
> otherwise fails will it fall back to afs@.
>

Ok, thanks for that clarification... hopefully, as Douglas suggested, using
an account name other than "afs" on windows will cause less confusion, so
that aklog only uses the afs/mycell.edu principal.

--
Jonathan Nilsson, jnilsson@uci.edu
Social Sciences Computing Services
949.824.1536, SSPA 4110, UC Irvine
