[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

Jeff White jaw171@pitt.edu
Tue, 10 Jan 2012 11:39:35 -0500


I decided to scrap my Windows box and start over again.  I was able to 
get it to work this time but I don't know what was different that made it 
work.  I am able to get a ticket as the AFS principal and things seem to 
be working, at least until I run into the next problem.  For those who 
care these are my notes from the one that worked:

  10. On the Windows Active Directory server, enable DES encryption
      types for Kerberos
         1. Create a GPO called 'Allow_DES'
         2. Configure the following entry to allow all encryption types
            listed
               1. Computer Configuration -> Policies -> Windows Settings
                  -> Local Policies -> Security Options -> Networking
                  security: Configure encryption types allowed for Kerberos
         3. Link the 'Allow_DES' GPO to the 'Domain Controllers' OU.
         4. Reboot.
  11. Create a user in AD called 'afs-pitt-edu-cell'.
  12. In the settings for the AFS user check 'Use Kerberos DES
      encryption types for this account' then change the password.
  13. Export the keytab for it.  Note the KVNO.
         1. ktpass -princ afs/pitt.edu@PITT.EDU -mapuser
            afs-pitt-edu-cell -pass * -crypto DES-CBC-CRC +rndpass
            /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out
            afs-pitt-edu-cell.keytab
  14. Copy the keytab to afs-dev-03.cssd as
      /etc/afs-pitt-edu-cell.keytab and make it root readable
         1. chmod 600 /etc/afs.keytab
  15. Using the KVNO from earlier add the keytab to AFS
         1. asetkey add 4 /etc/afs.keytab afs/pitt.edu@PITT.EDU

Thanks to everyone for their help.

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 01/10/2012 10:02 AM, Andrew Deason wrote:
> On Mon, 09 Jan 2012 17:13:57 -0500
> Jeff White<jaw171@pitt.edu>  wrote:
>
>> Other possibly useful pieces of information:
>>
>> sAMAccountName: afs
>> userPrincipalName: afs/pitt.edu@PITT.EDU
> Just one more possible guess: are you sure you're talking to the
> right kdc? I would expect the windows event log will log something when
> a failure occurs when you do things like:
>
>>> [root@afs-dev-03 ~]# kinit afs/pitt.edu@PITT.EDU
>>> kinit: Client not found in Kerberos database while getting initial
>>> credentials
> And maybe the log event would give more useful information. I don't
> really expect it to, but you never know. A more accurate test may be to
> try 'kinit -k -t afs.keytab afs/pitt.edu@PITT.EDU' or
> 'kvno afs/pitt.edu@PITT.EDU' (after you've "kinit"d with a normal
> princ), but of course the error you've already given is an issue.
>
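Steps 13 and 15 of the notes above hinge on two things a reader cannot see in the ktpass output once the file is on the Linux box: that the keytab actually holds the principal with the KVNO that was noted, and that its only key is the single-DES type the GPO had to allow. The following is an added example, not code from the thread or from OpenAFS, that parses the MIT/Heimdal keytab format (version 0x0502) and reports principal, kvno and enctype without ever retaining key bytes, so it can be run on a real keytab before `asetkey add`. The principal name and kvno 4 are taken from the post; the keytab bytes built by `build_keytab` are constructed test data with a dummy key, and the enctype table is the standard RFC 3961/3962 numbering.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Kerberos enctype numbers (RFC 3961/3962). 1 and 3 are single DES, which the
# thread enables in AD only because OpenAFS 1.6.0 needs it; flagging them keeps
# the keytab on the retirement list once the cell can use stronger types.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key_len: int  # length only; the key material itself is never kept

    @property
    def enctype_name(self) -> str:
        return ENCTYPE_NAMES.get(self.enctype, f"enctype-{self.enctype}")

    @property
    def is_weak(self) -> bool:
        return self.enctype in WEAK_ENCTYPES


def _counted(b: bytes) -> bytes:
    """16-bit big-endian length prefix + bytes, as used throughout keytabs."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Encode a version 0x0502 keytab from (principal, kvno, enctype, key).
    Constructed test data only; this is not a substitute for ktpass."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)  # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    """Walk every entry of a version 0x0502 keytab, skipping the key bytes."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries: List[KeytabEntry] = []
    off = 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:  # a negative size marks a deleted slot of that length
            off += -size
            continue
        end, pos = off + size, off

        def counted() -> bytes:
            nonlocal pos
            (n,) = struct.unpack_from(">H", data, pos)
            s = data[pos + 2:pos + 2 + n]
            pos += 2 + n
            return s

        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = counted().decode()
        comps = [counted().decode() for _ in range(ncomp)]
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4 + klen  # step over the key without reading it
        kvno = vno8
        if end - pos >= 4:  # the 32-bit kvno wins when present and nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, ts, klen))
        off = end
    return entries


def audit_keytab(data: bytes, principal: str, expected_kvno: int) -> List[str]:
    """Checks worth running before asetkey: principal present, kvno as noted
    from ktpass, and every single-DES key called out by name."""
    matches = [e for e in parse_keytab(data) if e.principal == principal]
    if not matches:
        return [f"{principal}: not present in keytab"]
    findings = []
    for e in matches:
        if e.kvno != expected_kvno:
            findings.append(f"{principal}: kvno {e.kvno} != expected {expected_kvno}")
        if e.is_weak:
            findings.append(f"{principal}: weak enctype {e.enctype_name} (kvno {e.kvno})")
    return findings


if __name__ == "__main__":
    # Constructed keytab mirroring the thread: one DES-CBC-CRC key, kvno 4.
    kt = build_keytab([("afs/pitt.edu@PITT.EDU", 4, 1, b"\x01" * 8)])
    for e in parse_keytab(kt):
        print(f"{e.principal} kvno={e.kvno} {e.enctype_name} weak={e.is_weak}")
    for finding in audit_keytab(kt, "afs/pitt.edu@PITT.EDU", 4):
        print("WARNING:", finding)
```

On a real host the same check is `parse_keytab(open("/etc/afs.keytab", "rb").read())`, and the kvno it reports is the number to pass to `asetkey add`; a mismatch there is exactly the kind of thing that produces puzzling ticket failures later. The parser honours the 32-bit kvno field, so it stays correct once a frequently rotated account passes kvno 255, where the 8-bit field alone would wrap.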
