[OpenAFS] klog.krb5 incompatible with Heimdal 1.5.1?

Andreas Haupt ahaupt@ifh.de
Thu, 13 Oct 2011 15:50:46 +0200


Hi Harald,

thanks for your reply. Comments inside:

On Thu, 2011-10-13 at 15:11 +0200, Harald Barth wrote:
> What is the name of your AFS service ticket 
> 
> afs@IFH.DE
> afs/ifh.de@IFH.DE
> something else?

[remus] /root # /usr/heimdal/sbin/kadmin -l
kadmin> get afs
            Principal: afs@IFH.DE
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day 1 hour
   Max renewable life: 1 month
                 Kvno: 2
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2011-10-12 11:49:48 UTC
             Modifier: kadmin/admin@IFH.DE
           Attributes: 
             Keytypes: des-cbc-md5(afs3-salt(ifh.de)), des-cbc-md4(afs3-salt(ifh.de)), des-cbc-crc(afs3-salt(ifh.de))
          PK-INIT ACL: 
              Aliases: 

kadmin> get afs/ifh.de
kadmin: get afs/ifh.de: Principal does not exist

> and what version number do these tickets have? Could it be that
> you have both the afs@IFH.DE and the afs/ifh.de@IFH.DE in 
> your KDC but only one in the AFS server? 

No (see output).

> What does the KDC log say when you compare
> 
> > [oreade38] ~ % klog.krb5   
> > Password for ahaupt@IFH.DE: 
> > klog: ticket contained unknown key version number Can't get your viceid for cell ifh.de
> 
> with 
> 
> > [oreade38] ~ % klog.krb5 -tmp
> > Password for ahaupt@IFH.DE: 
> > Wrote ticket file to /tmp/krb5cc_yF6bKY
> 
> 
> ? I guess the KDC does deny something in the first operation.

No, it sends out the ticket. Here's the Heimdal KDC log with debugging
infos when doing 'klog.krb5':

Oct 13 15:37:11 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE
Oct 13 15:37:11 remus kdc[771]: UNKNOWN -- afs/ifh.de@IFH.DE: no such entry found in hdb
Oct 13 15:37:11 remus kdc[771]: sending 112 bytes to IPv4:141.34.2.11
Oct 13 15:37:11 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 15:37:11 remus kdc[771]: Client sent patypes: 149
Oct 13 15:37:11 remus kdc[771]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 15:37:11 remus kdc[771]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 15:37:11 remus kdc[771]: No preauth found, returning PREAUTH-REQUIRED -- ahaupt@IFH.DE
Oct 13 15:37:11 remus kdc[771]: sending 234 bytes to IPv4:141.34.2.11
Oct 13 15:37:14 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 15:37:14 remus kdc[771]: Client sent patypes: encrypted-timestamp, 149
Oct 13 15:37:14 remus kdc[771]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 15:37:14 remus kdc[771]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 15:37:14 remus kdc[771]: ENC-TS Pre-authentication succeeded -- ahaupt@IFH.DE using aes256-cts-hmac-sha1-96
Oct 13 15:37:14 remus kdc[771]: AS-REQ authtime: 2011-10-13T15:37:14 starttime: unset endtime: 2011-10-14T16:37:11 renew till: 2011-11-12T14:37:11
Oct 13 15:37:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 15:37:14 remus kdc[771]: Requested flags: renewable, forwardable
Oct 13 15:37:14 remus kdc[771]: sending 679 bytes to IPv4:141.34.2.11

And this happens when doing 'klog.krb5 -tmp':

Oct 13 15:46:12 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for krbtgt/IFH.DE@IFH.DE
Oct 13 15:46:12 remus kdc[771]: Client sent patypes: 149
Oct 13 15:46:12 remus kdc[771]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 15:46:12 remus kdc[771]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 15:46:12 remus kdc[771]: No preauth found, returning PREAUTH-REQUIRED -- ahaupt@IFH.DE
Oct 13 15:46:12 remus kdc[771]: sending 245 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for krbtgt/IFH.DE@IFH.DE
Oct 13 15:46:14 remus kdc[771]: Client sent patypes: encrypted-timestamp, 149
Oct 13 15:46:14 remus kdc[771]: Looking for PKINIT pa-data -- ahaupt@IFH.DE
Oct 13 15:46:14 remus kdc[771]: Looking for ENC-TS pa-data -- ahaupt@IFH.DE
Oct 13 15:46:14 remus kdc[771]: ENC-TS Pre-authentication succeeded -- ahaupt@IFH.DE using aes256-cts-hmac-sha1-96
Oct 13 15:46:14 remus kdc[771]: AS-REQ authtime: 2011-10-13T15:46:14 starttime: unset endtime: 2011-10-14T16:46:12 renew till: 2011-11-12T14:46:12
Oct 13 15:46:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 13 15:46:14 remus kdc[771]: Requested flags: renewable, forwardable
Oct 13 15:46:14 remus kdc[771]: sending 692 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE [canonicalize, renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: Searching referral for ifh.de
Oct 13 15:46:14 remus kdc[771]: Returning a referral to realm DE for server afs/ifh.de@IFH.DE that was not found
Oct 13 15:46:14 remus kdc[771]: Server not found in database: krbtgt/DE@IFH.DE: no such entry found in hdb
Oct 13 15:46:14 remus kdc[771]: Failed building TGS-REP to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: sending 107 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE [renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: Server not found in database: afs/ifh.de@IFH.DE: no such entry found in hdb
Oct 13 15:46:14 remus kdc[771]: Failed building TGS-REP to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: sending 107 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE [canonicalize, renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: TGS-REQ authtime: 2011-10-13T15:46:14 starttime: 2011-10-13T15:46:14 endtime: 2011-10-14T16:46:12 renew till: 2011-11-12T14:46:12
Oct 13 15:46:14 remus kdc[771]: sending 589 bytes to IPv4:141.34.2.11

So from the KDC side everything is correct in both cases (or did I miss
something?).

> I tried to read the source code of klog.c , but was a bit turned down
> by the use of for() { goto ; break } for most flow control....
>  
> ...
>    if (service) {
>         afscred = incred;
>     } else {
>         for (;;writeTicketFile = 0) {
>             if (writeTicketFile) {
>                 what = "getting default ccache";
> ...
> 
> So I have no idea what it uses as service ticket name and in which
> order.

Well, yes - I'm currently facing the same misery trying to understand
the code ...

> IMHO if klog.krb5's behaviour differs with and without -tmp, this is a bug of klog.krb5.

Yes. As I already wrote: without -tmp it requests the afs@IFH.DE ticket
directly whereas with -tmp it requests krbtgt/IFH.DE first and uses this
one to get an afs@IFH.DE service ticket (kinit/aklog behaviour) ...

Cheers,
Andreas
-- 
| Andreas Haupt             | E-Mail: andreas.haupt@desy.de
|  DESY Zeuthen             | WWW:    http://www-zeuthen.desy.de/~ahaupt
|  Platanenallee 6          | Phone:  +49/33762/7-7359
|  D-15738 Zeuthen          | Fax:    +49/33762/7-7216
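A small parser for the Heimdal KDC log format quoted in this mail, added here as an example (it is not part of the thread, of Heimdal or of OpenAFS): it groups every AS-REQ/TGS-REQ with its outcome and with the enctype pair the KDC reports, so the two klog.krb5 runs can be compared exchange by exchange, and it lists every ticket the KDC sealed with a single-DES service key, as the afs@IFH.DE ticket above was. The log lines are excerpted from the mail; reading "using X/Y" as session-key enctype / service-key enctype is my assumption about Heimdal's log wording.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: lines excerpted from the Heimdal 1.5 KDC log quoted in the mail.
LOG = """\
Oct 13 15:37:11 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE
Oct 13 15:37:11 remus kdc[771]: UNKNOWN -- afs/ifh.de@IFH.DE: no such entry found in hdb
Oct 13 15:37:14 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE
Oct 13 15:37:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 15:46:14 remus kdc[771]: AS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for krbtgt/IFH.DE@IFH.DE
Oct 13 15:46:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 13 15:46:14 remus kdc[771]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs/ifh.de@IFH.DE [renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: Server not found in database: afs/ifh.de@IFH.DE: no such entry found in hdb
Oct 13 15:46:14 remus kdc[771]: TGS-REQ ahaupt@IFH.DE from IPv4:141.34.2.11 for afs@IFH.DE [canonicalize, renewable, forwardable]
"""

REQ = re.compile(r"kdc\[\d+\]: (AS-REQ|TGS-REQ) (\S+) from \S+ for (\S+)")
# Assumed reading of the AS-REP line: "using <session key enctype>/<service key enctype>".
ENC = re.compile(r"using (\S+)/(\S+)$")
NOTFOUND = re.compile(r"(\S+): no such entry found in hdb")

@dataclass
class Exchange:
    kind: str                              # "AS-REQ" or "TGS-REQ"
    client: str
    server: str                            # principal the client asked a ticket for
    session_enctype: Optional[str] = None
    ticket_enctype: Optional[str] = None   # enctype of the key the ticket was sealed with
    error: Optional[str] = None

def parse(log: str) -> list:
    """Group KDC log lines into one Exchange per request, in log order."""
    exchanges = []
    for line in log.splitlines():
        if m := REQ.search(line):
            exchanges.append(Exchange(*m.groups()))
        elif not exchanges:                # outcome line before any request: skip it
            continue
        elif m := ENC.search(line):
            exchanges[-1].session_enctype, exchanges[-1].ticket_enctype = m.groups()
        elif m := NOTFOUND.search(line):
            exchanges[-1].error = m.group(1) + " not in hdb"
    return exchanges

def weak_ticket_keys(exchanges) -> list:
    """(server, enctype) for every ticket the KDC sealed with a single-DES service key."""
    return [(e.server, e.ticket_enctype) for e in exchanges
            if e.ticket_enctype and e.ticket_enctype.startswith("des-cbc-")]
```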