[OpenAFS] OpenAFS and AD trusts
Danko Antolovic
dantolov@indiana.edu
Mon, 11 Jul 2011 17:31:30 -0400
This is a multi-part message in MIME format.
------=_NextPart_000_000E_01CC3FF0.5F6D20B0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
I am trying to get OpenAFS to work with an AD/Kerberos domain-trust
arrangement.
My AFS server, afs1.bedrock.iu.edu, is a service principal in an AD domain
that is meant to be a resource domain only (no individual users have creds
there): RESOURCE.NET
My user creds are in an AD domain that serves as the regular user database:
IU.EDU
There is a one-way external trust between the two AD domains: RESOURCE.NET
trusts IU.EDU
The Open AFS configuration knows only about RESOURCE.NET, which is the
default (and only) Kerb domain in /etc/krb5.conf, and is also the domain
listed in /usr/afs/etc/krb.conf. I set up the AFS key with the asetkey
command, using the keytab to the RESOURCE.NET:
asetkey add 3 afs_keytab_file.keytab
afs/afs1.bedrock.iu.edu@RESOURCE.NET
I get the TGT using kinit dantolov@IU.EDU, i.e. with my regular user creds.
Problems start with aklog. If I do
aklog -c afs1.bedrock.iu.edu
I get what looks like a valid service ticket and a token from the user's
domain, in this case IU.EDU. This token, however, does not allow me to
touch the files in the AFS cell: file-changing operations fail with
"Permission denied."
If I do
aklog -c afs1.bedrock.iu.edu -k RESOURCE.NET
it fails with this error code:
Kerberos error code returned by get_cred : -1765328228
aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets
which is
"-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"
klist turns up what looks like a trust-related ticket:
krbtgt/RESOURCE.NET@IU.EDU
Finally, this AFS installation works perfectly against a simple (non-trust)
AD domain. At this point I am not sure whether this is an OpenAFS issue or
an AD trust issue. Has anyone been down this path before? Thank you,
Danko Antolovic
Principal Scientist, Research Technologies,
Indiana University
------=_NextPart_000_000E_01CC3FF0.5F6D20B0
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" =
xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40">
<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PlaceType"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"PlaceName"/>
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
name=3D"place"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman";}
a:link, span.MsoHyperlink
{color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Times New Roman";
color:windowtext;
font-weight:normal;
font-style:normal;
text-decoration:none none;}
@page Section1
{size:8.5in 11.0in;
margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3DEN-US link=3Dblue vlink=3Dpurple>
<div class=3DSection1>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>I =
am trying
to get OpenAFS to work with an AD/Kerberos domain-trust arrangement. =
<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>My =
AFS
server, afs1.bedrock.iu.edu, is a service principal in an AD domain that =
is
meant to be a resource domain only (no individual users have creds =
there):
RESOURCE.NET<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>My =
user creds
are in an AD domain that serves as the regular user database: =
IU.EDU<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>There is a
one-way external trust between the two AD domains: RESOURCE.NET trusts =
IU.EDU<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>The Open AFS
configuration knows only about RESOURCE.NET, which is the default (and =
only)
Kerb domain in /etc/krb5.conf, and is also the domain listed in =
/usr/afs/etc/krb.conf.
I set up the AFS key with the asetkey command, using the keytab to the
RESOURCE.NET:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>asetkey add
3 afs_keytab_file.keytab =
afs/afs1.bedrock.iu.edu@RESOURCE.NET<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>I =
get the TGT
using kinit dantolov@IU.EDU, i.e. with my regular user =
creds.<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>Problems
start with aklog. If I do <o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>aklog -c
afs1.bedrock.iu.edu<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>I =
get what
looks like a valid service ticket and a token from the user's domain, in =
this
case IU.EDU. This token, however, does not allow me to touch the =
files in the
AFS cell: file-changing operations fail with "Permission =
denied."<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>If =
I do <o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>aklog -c
afs1.bedrock.iu.edu -k RESOURCE.NET <o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span style=3D'font-size:12.0pt;color:black'>it =
fails with
this error code:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>Kerberos
error code returned by get_cred : =
-1765328228<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>aklog:
Couldn't get afs1.bedrock.iu.edu AFS =
tickets:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>aklog: unknown
RPC error (-1765328228) while getting AFS =
tickets<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:
5.0pt;margin-left:0in;text-autospace:none'><font size=3D3 color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>which is =
<o:p></o:p></span></font></p>
<p class=3DMsoNormal =
style=3D'mso-margin-top-alt:5.0pt;margin-right:0in;margin-bottom:
5.0pt;margin-left:0in;text-autospace:none'><font size=3D3 color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>"-1765328228
KRB5_KDC_UNREACH Cannot contact any KDC for requested =
realm"<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>klist turns
up what looks like a trust-related ticket:<o:p></o:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>krbtgt/RESOURCE.NET@IU.EDU<o:p></o=
:p></span></font></p>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'><o:p> </o:p></span></font></p=
>
<p class=3DMsoNormal style=3D'text-autospace:none'><font size=3D3 =
color=3Dblack
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt;color:black'>Finally, this
AFS installation works perfectly against a simple (non-trust) AD domain. =
At
this point I am not sure whether this is an OpenAFS issue or an AD trust
issue. Has anyone been down this path before? Thank =
you,<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Danko Antolovic<o:p></o:p></span></font></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'>Principal Scientist, Research =
Technologies,<o:p></o:p></span></font></p>
<p class=3DMsoNormal><st1:place w:st=3D"on"><st1:PlaceName =
w:st=3D"on"><font size=3D3
face=3D"Times New Roman"><span =
style=3D'font-size:12.0pt'>Indiana</span></font></st1:PlaceName>
<st1:PlaceType =
w:st=3D"on">University</st1:PlaceType></st1:place><o:p></o:p></p>
<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>
------=_NextPart_000_000E_01CC3FF0.5F6D20B0--