[OpenAFS] OpenAFS krb5 auth problems

Carson Gaspar carson@taltos.org
Sun, 20 Feb 2011 22:07:27 -0800


ARRGH! Of course all the krb5.conf bits were correct, but I forgot all
about krb.conf. Many thanks for preventing me from removing more of my hair.

Other than "duh, you should have known that", is there anything I could
have done to enable debugging sufficient to tell me why it was failing?

(And I look forward to the day all the legacy K4 crud can go away...)

On 2/19/11 5:10 PM, Jeffrey Altman wrote:
> MYKDOM.COM != gns.etc.test.mykdom.com
>
> Do you have an afs krb.conf file that specifies that MYKDOM.COM is a
> local realm for gns.etc.test.mykdom.com?   If not, gaspac@MYKDOM.COM is
> a foreign principal to the cell.
>
>
> On 2/19/2011 6:15 PM, Carson Gaspar wrote:
>> I'm having issues setting up a new cell with krb5 auth - openafs 1.4.14,
>> RHEL6. I have a nasty suspicion that all of this is being caused by an
>> AFS keytab with the wrong salt, but as I'm not the one generating the
>> keytab, I can't prove it. Below is all the debugging info I think might
>> be useful, lightly redacted and the domain names changed to protect me
>> ;-). Is this consistent with a salt problem, or is there something else
>> I've done wrong? Any help would be appreciated, and I'm happy to provide
>> more debugging info if what I have below isn't sufficient.
>>
>> gaspac:gns-afs-2 0 $ klist -dfane
>> Ticket cache: FILE:/tmp/krb5cc_7508
>> Default principal: gaspac@MYKDOM.COM
>>
>> Valid starting     Expires            Service principal
>> 02/19/11 18:03:00  02/20/11 18:03:00  krbtgt/MYKDOM.COM@MYKDOM.COM
>>          renew until 02/26/11 18:02:57, Flags: FRIA
>>          Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
>> CRC-32
>>          Addresses: (none)
>>
>> gaspac:gns-afs-2 0 $ aklog -d
>> Authenticating to cell gns.etc.test.mykdom.com (server
>> gns-afs-2.etc.test.mykdom.com).
>> Trying to authenticate to user's realm MYKDOM.COM.
>> Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
>> Using Kerberos V5 ticket natively
>> About to resolve name gaspac to id in cell gns.etc.test.mykdom.com.
>> Id 4
>> Set username to AFS ID 4
>> Setting tokens. AFS ID 4 /  @ MYKDOM.COM
>>
>> gaspac:gns-afs-2 0 $ tokens
>>
>> Tokens held by the Cache Manager:
>>
>> User's (AFS ID 4) tokens for afs@gns.etc.test.mykdom.com [Expires Feb 20
>> 18:03]
>>     --End of list--
>>
>> gaspac:gns-afs-2 0 $ pts examine gaspac
>> pts: Permission denied ; unable to find entry for (id: 4)
>>
>> root:gns-afs-2 0 # asetkey list
>> kvno    3: key is: [REDACTED - matches klist]
>> All done.
>>
>> root:gns-afs-2 1 # klist -kteK /usr/afs/etc/afs.keytab
>> Keytab name: WRFILE:/usr/afs/etc/afs.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>     3 02/13/11 22:01:26 afs/gns.etc.test.mykdom.com@MYKDOM.COM (DES cbc
>> mode with CRC-32)  ([REDACTED - matches asetkey])
>>
>> root:gns-afs-2 0 # kinit -kt /usr/afs/etc/afs.keytab
>> afs/gns.etc.test.mykdom.com@MYKDOM.COM
>>
>> root:gns-afs-2 1 # klist -dfane
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: afs/gns.etc.test.mykdom.com@MYKDOM.COM
>>
>> Valid starting     Expires            Service principal
>> 02/19/11 17:54:35  02/20/11 17:54:35  krbtgt/MYKDOM.COM@MYKDOM.COM
>>          renew until 02/26/11 17:54:35, Flags: FRI
>>          Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with
>> CRC-32
>>          Addresses: (none)
>>
>> root:gns-afs-2 0 # aklog -d
>> Authenticating to cell gns.etc.test.mykdom.com (server
>> gns-afs-2.etc.test.mykdom.com).
>> Trying to authenticate to user's realm MYKDOM.COM.
>> Getting tickets: afs/gns.etc.test.mykdom.com@MYKDOM.COM
>> Using Kerberos V5 ticket natively
>> About to resolve name afs.gns.etc.test.mykdom.com to id in cell
>> gns.etc.test.mykdom.com.
>> Id 3
>> Set username to AFS ID 3
>> Setting tokens. AFS ID 3 /  @ MYKDOM.COM
>>
>> root:gns-afs-2 0 # pts examine gaspac
>> pts: Permission denied ; unable to find entry for (id: 4)
>>
>> Sat Feb 19 17:56:18 ~
>> root:gns-afs-2 1 # pts examine gaspac -localauth
>> Name: gaspac, id: 4, owner: system:administrators, creator:
>> system:administrators,
>>    membership: 1, flags: S-M--, group quota: unlimited.
>>
>> Sat Feb 19 17:56:22 ~
>> root:gns-afs-2 0 # pts examine afs.gns.etc.test.mykdom.com -localauth
>> Name: afs.gns.etc.test.mykdom.com, id: 3, owner: system:administrators,
>> creator: system:administrators,
>>    membership: 1, flags: S----, group quota: unlimited.
>>
>> root:gns-afs-2 0 # cat /usr/afs/etc/UserList
>> admin
>> afs.gns.etc.test.mykdom.com
>> gaspac
>>
>>
>>
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>
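The realm/cell mismatch Jeffrey Altman points at in the thread above, as an added example that is not part of the thread and not OpenAFS's own code: a POSIX shell check that reproduces the rule he describes (a Kerberos realm is local to a cell if it equals the cell name uppercased, or if it is listed in the server's krb.conf), so you can tell before running aklog whether a principal will be treated as foreign. The krb.conf location (/usr/afs/etc/krb.conf, matching the Transarc paths on this page), the parsing of the realm as the first whitespace-separated field of each non-comment line, and the sample cell, principal and krb.conf contents are assumptions or constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenAFS code): reproduce the
# local-vs-foreign realm decision described in the thread. A realm counts
# as local to a cell if it equals the cell name uppercased, or if it is
# listed in the server's krb.conf. Assumptions: krb.conf lives at
# /usr/afs/etc/krb.conf (Transarc paths, as on this page) and the realm is
# the first whitespace-separated field of each non-comment line.

# is_local_realm REALM CELL KRB_CONF -> exit 0 if REALM is local, 1 if foreign
is_local_realm() {
    realm=$1
    cell=$2
    krbconf=$3
    upper_cell=$(printf '%s' "$cell" | tr '[:lower:]' '[:upper:]')
    if [ "$realm" = "$upper_cell" ]; then
        return 0
    fi
    if [ -r "$krbconf" ]; then
        # Each line: REALM [optional extra fields]; skip blanks and '#' comments.
        # The '|| [ -n "$r" ]' keeps a final line without a newline.
        while read -r r rest || [ -n "$r" ]; do
            case $r in ''|'#'*) continue ;; esac
            if [ "$r" = "$realm" ]; then
                return 0
            fi
        done < "$krbconf"
    fi
    return 1
}

# principal_realm PRINCIPAL -> the realm after the last '@'
principal_realm() {
    printf '%s\n' "${1##*@}"
}

# explain PRINCIPAL CELL KRB_CONF -> one-line verdict; when the realm is
# foreign, also the krb.conf line that would make it local.
explain() {
    realm=$(principal_realm "$1")
    if is_local_realm "$realm" "$2" "$3"; then
        printf '%s is local to cell %s\n' "$1" "$2"
    else
        printf '%s is foreign to cell %s; add "%s" to %s to make it local\n' \
            "$1" "$2" "$realm" "$3"
    fi
}

# Constructed demo: the thread's cell and principal, with a temporary
# krb.conf instead of the real /usr/afs/etc/krb.conf.
demo() {
    cell=gns.etc.test.mykdom.com
    tmp=$(mktemp -d)
    explain gaspac@MYKDOM.COM "$cell" "$tmp/krb.conf"                 # foreign
    explain "afs/$cell@GNS.ETC.TEST.MYKDOM.COM" "$cell" "$tmp/krb.conf" # local
    printf 'MYKDOM.COM\n' > "$tmp/krb.conf"
    explain gaspac@MYKDOM.COM "$cell" "$tmp/krb.conf"                 # local now
    rm -rf "$tmp"
}

# Run as "sh check_realm.sh demo" for the constructed walkthrough; otherwise
# call explain with your own principal, cell and /usr/afs/etc/krb.conf.
case "${1:-}" in
    demo) demo ;;
esac
```

The first `explain` call in the demo is the situation from the thread: the cell is gns.etc.test.mykdom.com, so only GNS.ETC.TEST.MYKDOM.COM is local by default, and gaspac@MYKDOM.COM stays foreign until MYKDOM.COM is listed in krb.conf on the servers.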