[OpenAFS] OpenAFS krb5 auth problems

Carson Gaspar carson@taltos.org
Sat, 19 Feb 2011 15:15:23 -0800


I'm having issues setting up a new cell with krb5 auth - openafs 1.4.14, RHEL6. I have a nasty suspicion that all of this is being caused by an AFS keytab with the wrong salt, but as I'm not the one generating the keytab, I can't prove it. Below is all the debugging info I think might be useful, lightly redacted and the domain names changed to protect me ;-). Is this consistent with a salt problem, or is there something else I've done wrong? Any help would be appreciated, and I'm happy to provide more debugging info if what I have below isn't sufficient.

gaspac:gns-afs-2 0 $ klist -dfane
Ticket cache: FILE:/tmp/krb5cc_7508
Default principal: gaspac@MYKDOM.COM

Valid starting     Expires            Service principal
02/19/11 18:03:00  02/20/11 18:03:00  krbtgt/MYKDOM.COM@MYKDOM.COM
         renew until 02/26/11 18:02:57, Flags: FRIA
         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
         Addresses: (none)

gaspac:gns-afs-2 0 $ aklog -d
Authenticating to cell gns.etc.test.mykdom.com (server gns-afs-2.etc.test.mykdom.com).
Trying to authenticate to user's realm MYKDOM.COM.
Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
Using Kerberos V5 ticket natively
About to resolve name gaspac to id in cell gns.etc.test.mykdom.com.
Id 4
Set username to AFS ID 4
Setting tokens. AFS ID 4 /  @ MYKDOM.COM

gaspac:gns-afs-2 0 $ tokens

Tokens held by the Cache Manager:

User's (AFS ID 4) tokens for afs@gns.etc.test.mykdom.com [Expires Feb 20 18:03]
    --End of list--

gaspac:gns-afs-2 0 $ pts examine gaspac
pts: Permission denied ; unable to find entry for (id: 4)

root:gns-afs-2 0 # asetkey list
kvno    3: key is: [REDACTED - matches klist]
All done.

root:gns-afs-2 1 # klist -kteK /usr/afs/etc/afs.keytab
Keytab name: WRFILE:/usr/afs/etc/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
    3 02/13/11 22:01:26 afs/gns.etc.test.mykdom.com@MYKDOM.COM (DES cbc mode with CRC-32)  ([REDACTED - matches asetkey])

root:gns-afs-2 0 # kinit -kt /usr/afs/etc/afs.keytab afs/gns.etc.test.mykdom.com@MYKDOM.COM

root:gns-afs-2 1 # klist -dfane
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afs/gns.etc.test.mykdom.com@MYKDOM.COM

Valid starting     Expires            Service principal
02/19/11 17:54:35  02/20/11 17:54:35  krbtgt/MYKDOM.COM@MYKDOM.COM
         renew until 02/26/11 17:54:35, Flags: FRI
         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
         Addresses: (none)

root:gns-afs-2 0 # aklog -d
Authenticating to cell gns.etc.test.mykdom.com (server gns-afs-2.etc.test.mykdom.com).
Trying to authenticate to user's realm MYKDOM.COM.
Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
Using Kerberos V5 ticket natively
About to resolve name afs.gns.etc.test.mykdom.com to id in cell gns.etc.test.mykdom.com.
Id 3
Set username to AFS ID 3
Setting tokens. AFS ID 3 /  @ MYKDOM.COM

root:gns-afs-2 0 # pts examine gaspac
pts: Permission denied ; unable to find entry for (id: 4)

Sat Feb 19 17:56:18 ~
root:gns-afs-2 1 # pts examine gaspac -localauth
Name: gaspac, id: 4, owner: system:administrators, creator: system:administrators,
   membership: 1, flags: S-M--, group quota: unlimited.

Sat Feb 19 17:56:22 ~
root:gns-afs-2 0 # pts examine afs.gns.etc.test.mykdom.com -localauth
Name: afs.gns.etc.test.mykdom.com, id: 3, owner: system:administrators, creator: system:administrators,
   membership: 1, flags: S----, group quota: unlimited.

root:gns-afs-2 0 # cat /usr/afs/etc/UserList
admin
afs.gns.etc.test.mykdom.com
gaspac