[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeff White jaw171@pitt.edu
Thu, 05 Jan 2012 13:14:51 -0500


On 01/05/2012 12:02 PM, Andrew Deason wrote:
> On Thu, 05 Jan 2012 11:31:01 -0500
> Jeff White <jaw171@pitt.edu> wrote:
>
>> 1. He created an AD domain called ad.dementia.org.
>> 2. He created a user with a logon name of 'afs-adtest'.
>> 3. He exported the keytab with: ktpass -princ
>> afs/adtest.dementia.org@AD.DEMENTIA.ORG -mapuser afs -pass * -crypto
>> DES-CBC-MD5 -out afs-keytab
>> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
>> afs/adtest.dementia.org@AD.DEMENTIA.ORG
>>
>> Why didn't he use the logon name afs-adtest in that ktpass command?
> I don't have that presentation in front of me, but that may have just
> been a mistake.
>
>> Where did 'afs/adtest.dementia.org@AD.DEMENTIA.ORG' come from,
>> particularly the 'afs/adtest.dementia.org' part?  His logon name is
>> not afs and what is adtest?
> I don't know the internal AD details etc, but conceptually that command
> maps the principal name afs/adtest.dementia.org@AD.DEMENTIA.ORG to the
> AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
> convention uses the principal name afs/<cell_name>@REALM for krb5. So,
> adtest.dementia.org is the AFS cell name in that example.
>
>> $ aklog -d
>> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
>> Trying to authenticate to user's realm PITT.EDU.
>> Getting tickets: afs/pitt.edu@PITT.EDU
>> Kerberos error code returned by get_cred : -1765328164
>> aklog: Couldn't get pitt.edu AFS tickets:
>> aklog: unknown RPC error (-1765328164) while getting AFS tickets
> Well, you're getting a different error this time, so that's something.
> What krb5 implementation are you running on that machine? I think that
> error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
> or what? Anything odd with that configuration?
>
Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain 
Controllers container.

Andrew Deason:
Bah, there was a DNS problem.  I fixed that and I'm back to the first 
error.  I made sure to use the principal afs/pitt.edu@PITT.EDU for the 
principal in the keytab which should be correct (user is afs, cell is 
pitt.edu, realm is PITT.EDU).  This is on RHEL 6.1 x64 and should be 
using MIT's Kerberos implementation for the client as provided by RedHat.

[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V jaw171@PITT.EDU
Using default cache: /tmp/krb5cc_0
Using principal: jaw171@PITT.EDU
Password for jaw171@PITT.EDU:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw171@PITT.EDU

Valid starting     Expires            Service principal
01/05/12 12:48:35  01/05/12 22:48:37  krbtgt/PITT.EDU@PITT.EDU
         renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

Yea, I shouldn't be getting user tickets/token as root but whatever, 
this is just a test box and a test principal.

I was sent the URL 
http://openafs-wiki.stanford.edu/AFSLore/win2008r2adaskdc/ by Lars 
Schimmer but making the registry change it said was needed made it so I 
can no longer log into my DC at all, even on the console.  Time to wipe 
out the DC and start everything over again.
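The two raw numbers aklog printed in this thread (-1765328164 and -1765328370) are MIT krb5 com_err codes: a fixed base for the "krb5" error table plus a small offset into it. The decoder below is an added example, not code from the thread or from OpenAFS or MIT; it assumes the MIT table base of -1765328384 and lists only the handful of table entries needed here, and it parses a constructed copy of the `aklog -d` output shown above. Run against the thread's output it shows that the first code is KRB5_REALM_CANT_RESOLVE (the DNS problem Jeff found) and the second is KRB5KDC_ERR_ETYPE_NOSUPP, i.e. the KDC refused the requested encryption type, which is what one would check first when the only key in the AFS keytab is DES.

```python
"""Decode the Kerberos error numbers that 'aklog -d' prints.

Added example, not from the mailing-list thread. MIT krb5 reports
errors as com_err codes: ERROR_TABLE_BASE_krb5 plus an offset into the
krb5 error table. Only a few table entries are included below; for
anything else consult the krb5 error catalogue shipped with the
krb5-libs package.
"""
import re
from typing import Optional, Tuple

# ERROR_TABLE_BASE_krb5 from the MIT krb5 headers (assumption documented
# in the lead-in; matches the codes seen in the thread).
KRB5_TABLE_BASE = -1765328384

# offset -> (symbolic name, text). Partial table.
KRB5_ERRORS = {
    0: ("KRB5KDC_ERR_NONE", "No error"),
    6: ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7: ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    14: ("KRB5KDC_ERR_ETYPE_NOSUPP", "KDC has no support for encryption type"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
    154: ("KRB5_REALM_UNKNOWN", "Cannot find KDC for requested realm"),
    156: ("KRB5_KDC_UNREACH", "Cannot contact any KDC for requested realm"),
    220: ("KRB5_REALM_CANT_RESOLVE",
          "Cannot resolve network address for KDC in requested realm"),
}

# Constructed sample: the two 'aklog -d' runs quoted in the thread.
AKLOG_OUTPUT_DNS_PROBLEM = """\
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets
"""

AKLOG_OUTPUT_AFTER_DNS_FIX = """\
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
"""

_GET_CRED_RE = re.compile(r"Kerberos error code returned by get_cred : (-?\d+)")


def decode_krb5_error(code: int) -> Optional[Tuple[int, str, str]]:
    """Return (offset, symbolic name, text) for a krb5 com_err code.

    Returns None when the code does not fall inside the 256-entry krb5
    table at all (for example an errno or an AFS-side error code).
    """
    offset = code - KRB5_TABLE_BASE
    if not 0 <= offset < 256:
        return None
    name, text = KRB5_ERRORS.get(offset, ("<not in this partial table>", ""))
    return offset, name, text


def explain_aklog_output(output: str) -> Optional[Tuple[int, str, str]]:
    """Find the get_cred error line in 'aklog -d' output and decode it."""
    match = _GET_CRED_RE.search(output)
    if match is None:
        return None
    return decode_krb5_error(int(match.group(1)))


if __name__ == "__main__":
    for label, text in (("before DNS fix", AKLOG_OUTPUT_DNS_PROBLEM),
                        ("after DNS fix", AKLOG_OUTPUT_AFTER_DNS_FIX)):
        print(label, "->", explain_aklog_output(text))
```

The same base-plus-offset rule applies to the other error tables linked into aklog (for example the AFS "ka" and "rx" tables), which is why aklog falls back to "unknown RPC error" with the bare number: it simply has no text for the krb5 table and leaves the lookup to you.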