[OpenAFS] OpenAFS and AD trusts

Danko Antolovic dantolov@indiana.edu
Mon, 11 Jul 2011 17:31:30 -0400



I am trying to get OpenAFS to work with an AD/Kerberos domain-trust
arrangement.

My AFS server, afs1.bedrock.iu.edu, is a service principal in an AD domain
that is meant to be a resource domain only (no individual users have creds
there): RESOURCE.NET

My user creds are in an AD domain that serves as the regular user database:
IU.EDU

There is a one-way external trust between the two AD domains: RESOURCE.NET
trusts IU.EDU

The OpenAFS configuration knows only about RESOURCE.NET, which is the
default (and only) Kerb domain in /etc/krb5.conf, and is also the domain
listed in /usr/afs/etc/krb.conf. I set up the AFS key with the asetkey
command, using the keytab for RESOURCE.NET:

asetkey add 3   afs_keytab_file.keytab   afs/afs1.bedrock.iu.edu@RESOURCE.NET

I get the TGT using kinit dantolov@IU.EDU, i.e. with my regular user creds.

Problems start with aklog.  If I do

aklog  -c afs1.bedrock.iu.edu

I get what looks like a valid service ticket and a token from the user's
domain, in this case IU.EDU.  This token, however, does not allow me to
touch the files in the AFS cell: file-changing operations fail with
"Permission denied."

If I do

aklog  -c afs1.bedrock.iu.edu  -k RESOURCE.NET

it fails with this error code:

Kerberos error code returned by get_cred : -1765328228
aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets

which is

"-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"

klist turns up what looks like a trust-related ticket:

krbtgt/RESOURCE.NET@IU.EDU

Finally, this AFS installation works perfectly against a simple (non-trust)
AD domain. At this point I am not sure whether this is an OpenAFS issue or
an AD trust issue.  Has anyone been down this path before?  Thank you,


Danko Antolovic
Principal Scientist, Research Technologies,
Indiana University
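
Added example, not code from the original post or from OpenAFS or MIT Kerberos: a small Python decoder for com_err-style error codes such as the -1765328228 quoted above. libkrb5 and the OpenAFS rxkad library number their errors the same way: the error table's name is packed six bits per character and shifted left by eight bits, and the low eight bits are the index into that table; the 32-bit result is read as a signed integer, which is why krb5 codes show up as large negative numbers. aklog reports the number as an "unknown RPC error" because it is not an AFS/RX code at all; decoding the high bits attributes it to the krb5 table, and the index then gives KRB5_KDC_UNREACH, the symbol the post arrived at by hand. The symbol tables in the block are a hand-picked subset of the two libraries' tables, not a complete copy; the rxkad code used in the demo is a constructed sample.

```python
"""Decode com_err-style error codes (libkrb5, OpenAFS rxkad).

Added example, not code from the original post or from OpenAFS/MIT Kerberos.
The table name is packed six bits per character, shifted left by eight bits,
and the low eight bits hold the index into that table. The 32-bit result is
interpreted as a signed integer, so krb5 codes appear as negative numbers.
"""

# com_err character set: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, _ -> 63
COM_ERR_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Hand-picked subsets of the MIT krb5 table ("krb5") and the OpenAFS rxkad
# table ("RXK"), index -> symbol. krb5 indices below 128 mirror the RFC 4120
# KRB-ERROR codes; the higher ones are library-internal.
KNOWN_SYMBOLS = {
    "krb5": {
        6: "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN",
        7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN",
        24: "KRB5KDC_ERR_PREAUTH_FAILED",
        25: "KRB5KDC_ERR_PREAUTH_REQUIRED",
        31: "KRB5KRB_AP_ERR_BAD_INTEGRITY",
        32: "KRB5KRB_AP_ERR_TKT_EXPIRED",
        37: "KRB5KRB_AP_ERR_SKEW",
        154: "KRB5_REALM_UNKNOWN",
        156: "KRB5_KDC_UNREACH",
    },
    "RXK": {
        0: "RXKADINCONSISTENCY",
        5: "RXKADNOAUTH",
        7: "RXKADBADTICKET",
        8: "RXKADUNKNOWNKEY",
        9: "RXKADEXPIRED",
    },
}


def pack_table_name(name):
    """Pack a table name the way com_err does: six bits per character."""
    packed = 0
    for ch in name:
        packed = (packed << 6) | (COM_ERR_ALPHABET.index(ch) + 1)
    return packed


def table_base(name):
    """ERROR_TABLE_BASE_<name> as the signed 32-bit value the C headers use."""
    base = (pack_table_name(name) << 8) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base


def unpack_table_name(code):
    """Recover the table name from the high 24 bits of a code."""
    packed = (code & 0xFFFFFFFF) >> 8
    chars = []
    while packed:
        value = packed & 0x3F
        if value == 0:  # a zero group never occurs in a packed name
            raise ValueError("not a com_err code: %d" % code)
        chars.append(COM_ERR_ALPHABET[value - 1])
        packed >>= 6
    return "".join(reversed(chars))


def decode(code):
    """Return (table name, index, symbol or None) for a com_err code."""
    name = unpack_table_name(code)
    index = code & 0xFF
    return name, index, KNOWN_SYMBOLS.get(name, {}).get(index)


if __name__ == "__main__":
    # The code from the aklog output quoted in the post, plus a constructed
    # rxkad sample to show that one decoder covers both libraries' tables.
    for code in (-1765328228, 19270408):
        name, index, symbol = decode(code)
        print("%d -> table %s, index %d, %s"
              % (code, name, index, symbol or "(not in subset)"))
```

Running the block prints the post's code as table krb5, index 156, KRB5_KDC_UNREACH. The practical point is that the high bits identify which library raised the error, so a number that aklog cannot name can still be attributed to libkrb5 and looked up in its error table rather than in the AFS ones.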
