[OpenAFS] OpenAFS krb5 auth problems
Carson Gaspar
carson@taltos.org
Sat, 19 Feb 2011 15:15:23 -0800
I'm having issues setting up a new cell with krb5 auth - openafs 1.4.14, RHEL6. I have a nasty suspicion that all of this is being caused by an AFS keytab with the wrong salt, but as I'm not the one generating the keytab, I can't prove it. Below is all the debugging info I think might be useful, lightly redacted and the domain names changed to protect me ;-). Is this consistent with a salt problem, or is there something else I've done wrong? Any help would be appreciated, and I'm happy to provide more debugging info if what I have below isn't sufficient.
gaspac:gns-afs-2 0 $ klist -dfane
Ticket cache: FILE:/tmp/krb5cc_7508
Default principal: gaspac@MYKDOM.COM
Valid starting Expires Service principal
02/19/11 18:03:00 02/20/11 18:03:00 krbtgt/MYKDOM.COM@MYKDOM.COM
renew until 02/26/11 18:02:57, Flags: FRIA
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Addresses: (none)
gaspac:gns-afs-2 0 $ aklog -d
Authenticating to cell gns.etc.test.mykdom.com (server gns-afs-2.etc.test.mykdom.com).
Trying to authenticate to user's realm MYKDOM.COM.
Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
Using Kerberos V5 ticket natively
About to resolve name gaspac to id in cell gns.etc.test.mykdom.com.
Id 4
Set username to AFS ID 4
Setting tokens. AFS ID 4 / @ MYKDOM.COM
gaspac:gns-afs-2 0 $ tokens
Tokens held by the Cache Manager:
User's (AFS ID 4) tokens for afs@gns.etc.test.mykdom.com [Expires Feb 20 18:03]
--End of list--
gaspac:gns-afs-2 0 $ pts examine gaspac
pts: Permission denied ; unable to find entry for (id: 4)
root:gns-afs-2 0 # asetkey list
kvno 3: key is: [REDACTED - matches klist]
All done.
root:gns-afs-2 1 # klist -kteK /usr/afs/etc/afs.keytab
Keytab name: WRFILE:/usr/afs/etc/afs.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
3 02/13/11 22:01:26 afs/gns.etc.test.mykdom.com@MYKDOM.COM (DES cbc mode with CRC-32) ([REDACTED - matches asetkey])
root:gns-afs-2 0 # kinit -kt /usr/afs/etc/afs.keytab afs/gns.etc.test.mykdom.com@MYKDOM.COM
root:gns-afs-2 1 # klist -dfane
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afs/gns.etc.test.mykdom.com@MYKDOM.COM
Valid starting Expires Service principal
02/19/11 17:54:35 02/20/11 17:54:35 krbtgt/MYKDOM.COM@MYKDOM.COM
renew until 02/26/11 17:54:35, Flags: FRI
Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
Addresses: (none)
root:gns-afs-2 0 # aklog -d
Authenticating to cell gns.etc.test.mykdom.com (server gns-afs-2.etc.test.mykdom.com).
Trying to authenticate to user's realm MYKDOM.COM.
Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
Using Kerberos V5 ticket natively
About to resolve name afs.gns.etc.test.mykdom.com to id in cell gns.etc.test.mykdom.com.
Id 3
Set username to AFS ID 3
Setting tokens. AFS ID 3 / @ MYKDOM.COM
root:gns-afs-2 0 # pts examine gaspac
pts: Permission denied ; unable to find entry for (id: 4)
Sat Feb 19 17:56:18 ~
root:gns-afs-2 1 # pts examine gaspac -localauth
Name: gaspac, id: 4, owner: system:administrators, creator: system:administrators,
membership: 1, flags: S-M--, group quota: unlimited.
Sat Feb 19 17:56:22 ~
root:gns-afs-2 0 # pts examine afs.gns.etc.test.mykdom.com -localauth
Name: afs.gns.etc.test.mykdom.com, id: 3, owner: system:administrators, creator: system:administrators,
membership: 1, flags: S----, group quota: unlimited.
root:gns-afs-2 0 # cat /usr/afs/etc/UserList
admin
afs.gns.etc.test.mykdom.com
gaspac
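Added example, not part of the post above and not OpenAFS project code: a small checker that parses `klist -kte` and `asetkey list` output of the kind shown in the post and reports whether the afs/<cell> keytab entries and the server KeyFile agree on kvno and enctype. The sample output is constructed to resemble the listings above (the hex key is a placeholder, the host/ entry is invented to show an unrelated key being ignored); the assumed constraint is that an OpenAFS 1.4.x KeyFile only holds des-cbc-crc keys, so any other enctype for the afs/ principal is flagged.

```python
import re
from typing import Dict, List

# Constructed sample output, modelled on the `klist -kte /usr/afs/etc/afs.keytab`
# and `asetkey list` transcripts in the post. The hex key is a placeholder, not
# real key material; the host/ entry is invented to show a non-AFS key being ignored.
KLIST_KTE_OUTPUT = """\
Keytab name: WRFILE:/usr/afs/etc/afs.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/13/11 22:01:26 afs/gns.etc.test.mykdom.com@MYKDOM.COM (DES cbc mode with CRC-32)
   5 02/13/11 22:01:26 host/gns-afs-2.etc.test.mykdom.com@MYKDOM.COM (AES-256 CTS mode with 96-bit SHA-1 HMAC)
"""

ASETKEY_LIST_OUTPUT = """\
kvno 3: key is: 0123456789abcdef
All done.
"""

# Enctype name MIT klist prints for des-cbc-crc, the only key type an
# OpenAFS 1.4.x KeyFile can hold (assumption stated in the lead-in).
AFS_14_ENCTYPE = "DES cbc mode with CRC-32"

# One keytab entry line: kvno, date + time, principal, "(enctype)".
KEYTAB_LINE = re.compile(
    r"^\s*(?P<kvno>\d+)\s+(?P<stamp>\S+ \S+)\s+(?P<princ>\S+)\s+\((?P<etype>[^)]+)\)"
)
ASETKEY_LINE = re.compile(r"^kvno (?P<kvno>\d+): key is:")


def parse_klist_kte(text: str) -> List[Dict[str, str]]:
    """Return one dict per key entry in `klist -kte` output (header lines skipped)."""
    entries = []
    for line in text.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def parse_asetkey_list(text: str) -> List[int]:
    """Return the kvnos present in the server KeyFile according to `asetkey list`."""
    kvnos = []
    for line in text.splitlines():
        m = ASETKEY_LINE.match(line)
        if m:
            kvnos.append(int(m.group("kvno")))
    return kvnos


def check_afs_keytab(klist_text: str, asetkey_text: str, cell: str, realm: str) -> List[str]:
    """Compare the afs/<cell> keytab entries with the KeyFile kvnos.

    Returns a list of findings; an empty list means every afs/<cell> key in the
    keytab is des-cbc-crc and has a matching kvno in the KeyFile, and vice versa.
    """
    findings: List[str] = []
    princ = f"afs/{cell}@{realm}"
    afs_entries = [e for e in parse_klist_kte(klist_text) if e["princ"] == princ]
    if not afs_entries:
        findings.append(f"keytab has no entry for {princ}")
        return findings

    keytab_kvnos = {int(e["kvno"]) for e in afs_entries}
    keyfile_kvnos = set(parse_asetkey_list(asetkey_text))

    for e in afs_entries:
        kvno = int(e["kvno"])
        if e["etype"] != AFS_14_ENCTYPE:
            findings.append(
                f"kvno {kvno}: enctype '{e['etype']}' is not {AFS_14_ENCTYPE}; "
                "a 1.4.x server cannot load it"
            )
        if kvno not in keyfile_kvnos:
            findings.append(f"kvno {kvno} is in the keytab but not in the KeyFile (asetkey add)")
    for kvno in sorted(keyfile_kvnos - keytab_kvnos):
        findings.append(f"kvno {kvno} is in the KeyFile but has no matching keytab entry")
    return findings


if __name__ == "__main__":
    problems = check_afs_keytab(KLIST_KTE_OUTPUT, ASETKEY_LIST_OUTPUT,
                                "gns.etc.test.mykdom.com", "MYKDOM.COM")
    print("consistent" if not problems else "\n".join(problems))
```

On a real server, feed it the captured output of the two commands. What such listings cannot reveal is the salt: a keytab entry shows kvno and enctype but not how the key was derived, so a salt mismatch only becomes visible when something the KDC encrypted with its copy of the key is decrypted with the local copy.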