[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES
Jeff White
jaw171@pitt.edu
Tue, 10 Jan 2012 11:39:35 -0500
I decided to scrap my Windows box and start over again. I was able to
get it to work this time, but I don't know what was different that made it
work. I am able to get a ticket as the AFS principal and things seem to
be working, at least until I run into the next problem. For those who
care, these are my notes from the one that worked:
10. On the Windows Active Directory server, enable DES encryption
    types for Kerberos
    1. Create a GPO called 'Allow_DES'
    2. Configure the following entry to allow all encryption types
       listed
       1. Computer Configuration -> Policies -> Windows Settings
          -> Local Policies -> Security Options -> Networking
          security: Configure encryption types allowed for Kerberos
    3. Link the 'Allow_DES' GPO to the 'Domain Controllers' OU.
    4. Reboot.
11. Create a user in AD called 'afs-pitt-edu-cell'.
12. In the settings for the AFS user check 'Use Kerberos DES
    encryption types for this account' then change the password.
13. Export the keytab for it. Note the KVNO.
    1. ktpass -princ afs/pitt.edu@PITT.EDU -mapuser
       afs-pitt-edu-cell -pass * -crypto DES-CBC-CRC +rndpass
       /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out
       afs-pitt-edu-cell.keytab
14. Copy the keytab to afs-dev-03.cssd as
    /etc/afs-pitt-edu-cell.keytab and make it root readable
    1. chmod 600 /etc/afs.keytab
15. Using the KVNO from earlier add the keytab to AFS
    1. asetkey add 4 /etc/afs.keytab afs/pitt.edu@PITT.EDU
Thanks to everyone for their help.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
On 01/10/2012 10:02 AM, Andrew Deason wrote:
> On Mon, 09 Jan 2012 17:13:57 -0500
> Jeff White <jaw171@pitt.edu> wrote:
>
>> Other possibly useful pieces of information:
>>
>> sAMAccountName: afs
>> userPrincipalName: afs/pitt.edu@PITT.EDU
> Just one more possible guess: are you sure you're talking to the
> right kdc? I would expect the windows event log will log something when
> a failure occurs when you do things like:
>
>>> [root@afs-dev-03 ~]# kinit afs/pitt.edu@PITT.EDU
>>> kinit: Client not found in Kerberos database while getting initial
>>> credentials
> And maybe the log event would give more useful information. I don't
> really expect it to, but you never know. A more accurate test may be to
> try 'kinit -k -t afs.keytab afs/pitt.edu@PITT.EDU' or
> 'kvno afs/pitt.edu@PITT.EDU' (after you've "kinit"d with a normal
> princ), but of course the error you've already given is an issue.
>
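Steps 13 and 15 of the notes above hinge on reading the KVNO off the exported keytab and passing the same number to asetkey. As an added example, not code from this thread or from OpenAFS, here is a small parser for the standard version-2 (0x0502) keytab layout that ktpass and MIT krb5 write; it reports each entry's principal, KVNO and enctype and only hands back a KVNO when the file holds exactly one DES key for the AFS principal. The enctype numbers are the RFC 3961 ones; the build_entry helper and the sample keytab are constructed here for illustration, with placeholder key bytes.

```python
import struct
DES_ENCTYPES = (1, 3)   # RFC 3961 numbers for des-cbc-crc and des-cbc-md5

def parse_keytab(data):
    """Parse a version-2 (0x0502) keytab into dicts of principal, kvno, enctype."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version-2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                       # negative size marks a deleted slot
            off -= size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        parts = []                          # realm first, then the name components
        for _ in range(ncomp + 1):
            (n,) = struct.unpack_from(">H", data, off)
            parts.append(data[off + 2:off + 2 + n].decode())
            off += 2 + n
        _nt, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)  # 13 fixed bytes
        off += 13 + klen                    # step over the key bytes themselves
        # a trailing 32-bit kvno, when present and nonzero, overrides the 8-bit one
        kvno = (struct.unpack_from(">I", data, off)[0] if end - off >= 4 else 0) or vno8
        entries.append({"principal": "/".join(parts[1:]) + "@" + parts[0],
                        "kvno": kvno, "enctype": etype})
        off = end
    return entries

def asetkey_kvno(entries, principal):
    """KVNO to give 'asetkey add': there must be exactly one DES key for principal."""
    des = [e for e in entries if e["principal"] == principal and e["enctype"] in DES_ENCTYPES]
    if len(des) != 1:
        raise ValueError("expected one DES entry for %s, found %d" % (principal, len(des)))
    return des[0]["kvno"]

def build_entry(principal, kvno, etype, key):
    """Constructed keytab entry for test data only; the key bytes are not real."""
    name, realm = principal.split("@")
    body = struct.pack(">HH", name.count("/") + 1, len(realm)) + realm.encode()
    for comp in name.split("/"):
        body += struct.pack(">H", len(comp)) + comp.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)        # KRB5_NT_PRINCIPAL, timestamp, vno8
    body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

# Constructed sample: one des-cbc-crc key at kvno 4, as a ktpass +desonly export would hold
SAMPLE_KEYTAB = b"\x05\x02" + build_entry("afs/pitt.edu@PITT.EDU", 4, 1, b"\x01" * 8)
```

Note that MIT krb5 1.8 and later refuse DES enctypes unless allow_weak_crypto = true is set in krb5.conf, which also affects the kinit -k -t check suggested in the quoted reply.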