[OpenAFS] krb5 trust, rxkad error=19270408... I'm missing something

Jeffrey Altman jaltman@secure-endpoints.com
Thu, 04 Mar 2010 22:27:30 -0500


[C:\]translate_et 19270408
19270408 = ticket contained unknown key version number

What does kvno report when using the regular user?
Is it still three?  My guess is not.

You should not use the -kvno option when creating a keytab with
ktpass.  Doing so places a kvno into the keytab but does not set the
kvno within AD.  Leaving off the -kvno option writes the actual
kvno to the keytab.

Jeffrey Altman


On 3/4/2010 7:19 PM, Stephen Joyce wrote:
> I'm trying to test trusting a Windows 2008R2 krb5 realm and am obviously
> missing a step somewhere. I get tokens that don't work. I've been
> following the steps at
> http://www.dementia.org/twiki/bin/view/AFSLore/AdminFAQ#3_51_Can_I_authenticate_to_my_af
>
>
> I've scanned the list archives and have read about the specific error,
> but it hasn't helped me solve my problem so far.
>
> My setup:
> Windows 2008R2 KDC, with afs/cellname@AD.DOMAIN DES-only ticket created.
>
> Windows 2008R2 massaged to allow DES tickets.
>
> 1 test AFSDB
> 1 test AFSFS
> 1 test client
>
> My keyfile contains 3 pre-existing keys that I'd like to maintain in the
> hopes of conducting a graceful migration from MIT-K5 to 2008R2-K5 auth.
> Pre-existing keys are in slots 0,1,2 of the keyfile.
>
> I've created the afs/cellname@AD.DOMAIN princ and keytab on Windows and
> transferred to linux securely. This enctype is DES-CBC-CRC.
>
> On the first test server, klist -e -k (new keytab) -t -K shows a KVNO of
> 3 and "DES cbc mode with CRC-32". Yay!
>
> I have configured krb5.conf on both test servers and test client.
>
> I used asetkey add 3 (new keytab) afs/cellname@AD.DOMAIN to add the new
> key to test AFSDB and test AFSFS and bos restart'ed them.
>
> I can successfully do the following:
>
> server> kinit -kt (keytab) afs/cellname@AD.DOMAIN
> server> klist
>     (shows krbtgt/AD.DOMAIN@AD.DOMAIN)
>
> server> kvno afs/cellname@AD.DOMAIN
>     (shows kvno = 3)
>
> client> kinit (regular user)
> client> klist
> Ticket cache: FILE:/tmp/krb5cc_uid
> Default principal: user@AD
>
> Valid starting     Expires            Service principal
> 03/04/10 18:23:47  03/05/10 04:23:50  krbtgt/AD.DOMAIN@AD.DOMAIN
>     renew until 03/11/10 18:23:47, Flags: FPRIA
>     Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256
> CTS mode with 96-bit SHA-1 HMAC
>
> client> aklog -d
> Authenticating to cell cellname (server testafsdb.cellname).
> We've deduced that we need to authenticate to realm AD.DOMAIN
> Getting tickets: afs/cellname@AD.DOMAIN
> Using Kerberos V5 ticket natively
> About to resolve name foobar to id in cell cellname.
> Id 12345
> Set username to AFS ID 12345
> Setting tokens. AFS ID 12345 /  @ AD.DOMAIN
>
> client> tokens
> Tokens held by the Cache Manager:
>
> User's (AFS ID 12345) tokens for afs@cellname [Expires Mar  5 04:23]
>    --End of list--
>
> client> klist -ef
> Ticket cache: FILE:/tmp/krb5cc_31846
> Default principal: user@AD.DOMAIN
>
> Valid starting     Expires            Service principal
> 03/04/10 18:23:47  03/05/10 04:23:50  krbtgt/AD.DOMAIN@AD.DOMAIN
>     renew until 03/11/10 18:23:47, Flags: FPRIA
>     Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256
> CTS mode with 96-bit SHA-1 HMAC
> 03/04/10 18:25:53  03/05/10 04:23:50  afs/cellname@AD.DOMAIN
>     renew until 03/11/10 18:23:47, Flags: FPRA
>     Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
>
> However I see two symptoms.
> 1. The client logs the following on the console:
> "afs: Tokens for user of AFS id 12345 for cell cellname are discarded
> (rxkad error=19270408)"
> 2. The tokens don't work, of course (when trying to create a file in a
> volume on the test AFSFS, which would otherwise be allowed).
>
> The versions of openafs on all test PCs are not *new*, but are in the
> 1.4.x line.
>
> I'm sure that there's some step I've missed along the way. Any hints?
>
> Cheers, Stephen
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
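The check Jeffrey asks for, as an added example that is not part of the thread: decode the rxkad error code the way com_err does (table name in the high bits, offset in the low 8 bits), then compare the KVNOs held in the keytab against the kvno the KDC stamps into a service ticket for a regular user. The `klist -kte` and `kvno` outputs below are constructed samples modelled on the thread; the kvno of 5 is made up to show the mismatch case.

```python
import re

# com_err packs an error-table name into the high bits of each code, six bits per
# character with 1-based indices into this alphabet; the low 8 bits are the offset.
_ET_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

def decode_com_err(code):
    """Split a com_err code into (table name, offset): 19270408 -> ('RXK', 8)."""
    table_bits, offset = code >> 8, code & 0xFF
    chars = []
    for shift in (12, 6, 0):
        idx = (table_bits >> shift) & 0x3F
        if idx:
            chars.append(_ET_ALPHABET[idx - 1])
    return "".join(chars), offset

# Constructed sample of `klist -e -k -t -K <keytab>`, as on the test server in the thread.
KLIST_KEYTAB_OUTPUT = """Keytab name: FILE:/etc/afs.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   3 03/04/10 18:00:00 afs/cellname@AD.DOMAIN (DES cbc mode with CRC-32) (0x0123456789abcdef)
"""

# Constructed sample of `kvno afs/cellname@AD.DOMAIN` run with a regular user's TGT;
# the value 5 is hypothetical and stands in for a kvno that AD bumped past the keytab.
KVNO_OUTPUT = "afs/cellname@AD.DOMAIN: kvno = 5\n"

def keytab_kvnos(klist_output, principal):
    """Return the set of KVNOs the keytab holds for `principal`."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*(\d+)\s+\S+\s+\S+\s+(\S+)", line)  # kvno, date, time, principal
        if m and m.group(2) == principal:
            found.add(int(m.group(1)))
    return found

def kdc_kvno(kvno_output, principal):
    """Return the kvno the KDC placed in the service ticket, or None if absent."""
    m = re.search(re.escape(principal) + r": kvno = (\d+)", kvno_output)
    return int(m.group(1)) if m else None

def check_kvno(klist_output, kvno_output, principal):
    """True when the ticket's kvno is a key the server holds; False is the
    RXK offset-8 ('unknown key version number') situation from the thread."""
    held = keytab_kvnos(klist_output, principal)
    issued = kdc_kvno(kvno_output, principal)
    return issued in held, held, issued
```

Run the same two commands on the real server (klist against the keytab, kvno with the user's TGT) and feed their output to check_kvno; a False result means the KeyFile entry added with asetkey will never match the tickets AD issues.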
