[OpenAFS] Re: asetkey: failed to set key, code 70354694

Jeff Blaine jblaine@kickflop.net
Fri, 07 Jan 2011 20:44:50 -0500


Hi Andrew,

>> How could it be that pam_krb5 (Russ's) and pam_afs_session
>> are broken due to a key change?

Ignore me above there.  pam_krb5RA and pam_afs_session are
working fine.  I was mistaken on that part.

Let's stick to plain old klog below as you suggest.

> If you changed the key, and someone has an old afs service key (from
> before the key change), their access is not going to work.

Understood (finally).  See below.

> So, do you mean it works when you 'kinit; aklog', but you get an error
> when you login normally? (as in, using a password) Whether that be via
> ssh or whatever.

What I've found is that any authentication to kaserver
ends up with a token that gets trashed/"discarded".
That is, I can run klog, seemingly get tokens fine, and
then they are discarded when I run the 'tokens' command.

We still offer kaserver auth for about 30 boxes that are
in the process of being upgraded to a newer OS rev where
we have implemented MIT krb5 auth + tokens.

Here's an example:

~:cairo> klog
Password:
~:cairo> pwd
/afs/rcf/user/jblaine
~:cairo> fs la .
afs: Tokens for user of AFS id 26560 for cell rcf.our.org: rxkad error=19270408
afs: Tokens for user of AFS id 26560 for cell rcf.our.org: rxkad error=19270408
afs: Tokens for user of AFS id 26560 for cell rcf.our.org are discarded (rxkad error=19270408)
Access list for . is
Normal rights:
   system:anyuser rl
   jblaine rlidwka
~:cairo> tokens

Tokens held by the Cache Manager:

User's (AFS ID 26560) tokens for afs@rcf.our.org [Expires Jan 22 05:36]
    --End of list--
~:cairo> touch file-in-home
touch: file-in-home cannot create
~:cairo> echo tokens-are-bogus-but-listed
tokens-are-bogus-but-listed

Authenticating to our MIT krb5 KDC + aklog works fine.

~:cairo> kinit
Password for jblaine@RCF.OUR.ORG:
~:cairo> aklog
~:cairo> touch file-in-home
~:cairo> rm file-in-home
~:cairo>

And here is all of our servers showing matching keys (key 17
is the one ktadd made which we then asetkey'd):

% for i in sonia shiva svetlana ur bunky canaan ephesus babylon; do bos listkeys $i | grep 'key 17'; done
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
key 17 has cksum 1172998608
%

And here's another example after a reboot + OpenAFS upgrade
on one of the client boxes:

#
# I have valid krb5 creds + token from those krb5 creds
# at first here (from pam_krb5 + pam_afs_session).
#
~:one> pwd
/afs/rcf/user/jblaine
~:one> touch bar
~:one> rm bar
~:one> klog
Password:
~:one> fs la .
# there is a 2-3 second hang here
Access list for . is
Normal rights:
   system:anyuser rl
   jblaine rlidwka
~:one> touch bar
touch: cannot touch `bar': Permission denied
~:one> uptime
  20:39:53 up  2:50,  1 user,  load average: 0.00, 0.02, 0.00
~:one> strings /usr/vice/etc/afsd | grep OpenAFS
@(#) OpenAFS 1.4.12.1 built  2010-09-02
~:one>
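Added example, not part of Jeff's message or of OpenAFS itself: a small Python diagnostic that does the two checks discussed in this thread. It parses `bos listkeys` output from several servers and reports any key version number (kvno) that is missing on a server or has a differing checksum, and it scans cache-manager messages like the `fs la` output above, decoding the numeric rxkad error (the mapping is the rxkad error table from OpenAFS's `rxkad_errs.et`; 19270400 is com_err's base for the table name "RXK") and flagging "are discarded" events. The server names and the key 17 checksum come from the post; the key 16 checksum, the `stale` server and the `afs:` sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# rxkad error table (OpenAFS rxkad_errs.et); code = RXKAD_BASE + index.
RXKAD_BASE = 19270400
RXKAD_ERRORS = {
    1: "RXKADINCONSISTENCY", 2: "RXKADPACKETSHORT", 3: "RXKADLEVELFAIL",
    4: "RXKADTICKETLEN", 5: "RXKADOUTOFSEQUENCE", 6: "RXKADNOAUTH",
    7: "RXKADBADKEY", 8: "RXKADBADTICKET", 9: "RXKADUNKNOWNKEY",
    10: "RXKADEXPIRED", 11: "RXKADSEALEDINCON", 12: "RXKADDATALEN",
    13: "RXKADILLEGALLEVEL",
}


def rxkad_error_name(code):
    """Map a numeric rxkad error, as printed by the cache manager, to its symbol."""
    return RXKAD_ERRORS.get(code - RXKAD_BASE, "unknown(%d)" % code)


KEY_RE = re.compile(r"^key (\d+) has cksum (\d+)$")


def parse_listkeys(output):
    """Parse the text of `bos listkeys <server>` into {kvno: cksum}."""
    keys = {}
    for line in output.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            keys[int(m.group(1))] = int(m.group(2))
    return keys


def find_key_mismatches(per_server):
    """per_server: {server: {kvno: cksum}}.

    Returns {kvno: {cksum_or_None: [servers]}} for every kvno that is absent
    on some server (cksum None) or has more than one checksum across servers.
    A rollover is only safe once this comes back empty."""
    all_kvnos = set()
    for keys in per_server.values():
        all_kvnos.update(keys)
    by_kvno = defaultdict(lambda: defaultdict(list))
    for server, keys in per_server.items():
        for kvno in sorted(all_kvnos):
            by_kvno[kvno][keys.get(kvno)].append(server)
    return {kvno: dict(c) for kvno, c in by_kvno.items() if len(c) > 1}


# Matches both "cell X: rxkad error=N" and "cell X are discarded (rxkad error=N)".
TOKEN_RE = re.compile(
    r"afs: Tokens for user of AFS id (\d+) for cell (\S+?):? (.*?)rxkad error=(\d+)")


def scan_afs_messages(lines):
    """Decode cache-manager token messages into structured events."""
    events = []
    for line in lines:
        m = TOKEN_RE.search(line)
        if not m:
            continue
        code = int(m.group(4))
        events.append({
            "afs_id": int(m.group(1)),
            "cell": m.group(2),
            "code": code,
            "error": rxkad_error_name(code),
            "discarded": "discarded" in m.group(3),
        })
    return events


# Constructed sample data. Key 17's checksum is the value from the post; the
# key 16 checksum and the "stale" server (never got key 17) are made up.
GOOD_LISTKEYS = "key 16 has cksum 2455887430\nkey 17 has cksum 1172998608\n"
STALE_LISTKEYS = "key 16 has cksum 2455887430\n"
SAMPLE_SERVERS = {s: parse_listkeys(GOOD_LISTKEYS) for s in
                  ["sonia", "shiva", "svetlana", "ur", "bunky", "canaan", "ephesus"]}
SAMPLE_SERVERS["stale"] = parse_listkeys(STALE_LISTKEYS)

SAMPLE_MESSAGES = [
    "afs: Tokens for user of AFS id 26560 for cell rcf.our.org: rxkad error=19270408",
    "afs: Tokens for user of AFS id 26560 for cell rcf.our.org: rxkad error=19270408",
    "afs: Tokens for user of AFS id 26560 for cell rcf.our.org are discarded (rxkad error=19270408)",
    "Access list for . is",
]

if __name__ == "__main__":
    for kvno, groups in sorted(find_key_mismatches(SAMPLE_SERVERS).items()):
        for cksum, servers in groups.items():
            print("key %d: cksum %s on %s" % (kvno, cksum, ", ".join(servers)))
    for ev in scan_afs_messages(SAMPLE_MESSAGES):
        print("AFS id %d cell %s: %s%s" % (ev["afs_id"], ev["cell"], ev["error"],
                                           " (tokens discarded)" if ev["discarded"] else ""))
```

To use it against live servers, feed `parse_listkeys` the output of `bos listkeys` for each server instead of the constructed strings; the interesting case is exactly the one the example manufactures, a kvno that one host is missing or holds with a different checksum.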