[OpenAFS] Re: Service principal ticket expiring (AD)

John Tang Boyland boyland@uwm.edu
Fri, 20 Jan 2012 12:08:56 -0600


I have found out more information on the "Permission Denied" problems.
It's nothing to do with AD as far as I know, but rather a set of
understandable but strange interactions with the cache manager.
Conclusion.  No problem, just be careful.

Details:

(1) If I add a new key to the (1.4.12) fileserver but don't reboot it,
    and get tokens with aklog, the cache manager accepts the tokens
    for files already in the cache.
(2) Once the fileserver is restarted, then new files can be read.

NB: I didn't seem to need a reboot for openafs-1.6.0 server.  Nice.
I was worried about the security implications of the CM
accepting tokens the FS didn't but I was unable to get the 1.6.0 server
to behave in this way.  I couldn't read ANY files, even those in the cache
if the fileserver didn't have the key, and was able to read ALL files, even
those NOT in the cache if the fileserver HAD the key.
There may be more going on than I know.  I was using the same CM throughout.

(3) If I contact a DIFFERENT fileserver that doesn't know about
    the new key, I get an error about tokens being discarded,
    and the CM rejects uses of the tokens even for files from
    the fileserver that accepted them.
(4) Strangely, after the "discard message", "tokens" claims the
    tokens are still there and "aklog" won't do anything since it
    says there are duplicate tokens.
(5) "aklog -force" does the job and restores the tokens.

pabst.cs.uwm.edu% ls ~cs654
afs: Tokens for user of AFS id 920 for cell cs.uwm.edu are discarded (rxkad error=19270408)
/afs/cs.uwm.edu/users/classes/cs654 unreadable
pabst.cs.uwm.edu% tokens

Tokens held by the Cache Manager:

User's (AFS ID 920) tokens for afs@cs.uwm.edu [Expires Jan 20 21:09]
   --End of list--
pabst.cs.uwm.edu% more theory4.txt
theory4.txt: Permission denied
pabst.cs.uwm.edu% aklog -d
Authenticating to cell cs.uwm.edu (server solomons.cs.uwm.edu).
We've deduced that we need to authenticate using referrals.
Getting tickets: afs/cs.uwm.edu@
Using Kerberos V5 ticket natively
Identical tokens already exist; skipping.
pabst.cs.uwm.edu% more theory4.txt
theory4.txt: Permission denied
pabst.cs.uwm.edu% aklog -d -force
Authenticating to cell cs.uwm.edu (server solomons.cs.uwm.edu).
We've deduced that we need to authenticate using referrals.
Getting tickets: afs/cs.uwm.edu@
Using Kerberos V5 ticket natively
About to resolve name boyland@AD.UWM.EDU to id in cell cs.uwm.edu.
Id 920
Set username to AFS ID 920
Setting tokens. AFS ID 920 /  @ AD.UWM.EDU
pabst.cs.uwm.edu% more theory4.txt
******************
# 3
******************
...
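An added example (my code, not from the post or from OpenAFS): a small Python helper that parses the "Tokens ... are discarded" message shown above and decodes the rxkad error number. The number is a com_err code from OpenAFS's "RXK" error table, so 19270408 is RXKADUNKNOWNKEY ("ticket contained unknown key version number"), which is exactly what a fileserver that has not picked up the new key would return; the symbol list follows rxkad_errs.et, and the sample log line is the one quoted in the post.

```python
import re

# Symbol order follows OpenAFS src/rxkad/rxkad_errs.et (index = offset from table base).
RXKAD_SYMBOLS = [
    "RXKADINCONSISTENCY", "RXKADPACKETSHORT", "RXKADLEVELFAIL", "RXKADTICKETLEN",
    "RXKADOUTOFSEQUENCE", "RXKADNOAUTH", "RXKADBADKEY", "RXKADBADTICKET",
    "RXKADUNKNOWNKEY", "RXKADEXPIRED", "RXKADSEALEDINCON", "RXKADDATALEN",
    "RXKADILLEGALLEVEL",
]

def _char_to_num(c):
    # com_err packs each table-name character into 6 bits:
    # A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, '_' -> 63
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 1
    if "a" <= c <= "z":
        return ord(c) - ord("a") + 27
    if "0" <= c <= "9":
        return ord(c) - ord("0") + 53
    if c == "_":
        return 63
    raise ValueError("invalid com_err table character: %r" % c)

def error_table_base(name):
    # Same arithmetic compile_et uses: 6 bits per character, then 8 bits for the index.
    base = 0
    for c in name:
        base = (base << 6) | _char_to_num(c)
    return base << 8

RXKAD_BASE = error_table_base("RXK")   # 19270400

def rxkad_error_name(code):
    # Map a numeric rxkad error to its symbol, or None if it is not an rxkad code.
    idx = code - RXKAD_BASE
    return RXKAD_SYMBOLS[idx] if 0 <= idx < len(RXKAD_SYMBOLS) else None

# Matches the cache manager's kernel message; search() tolerates a syslog prefix.
DISCARD_RE = re.compile(
    r"afs: Tokens for user of AFS id (\d+) for cell (\S+) are discarded "
    r"\(rxkad error=(\d+)\)")

def parse_discard_message(line):
    # Return the AFS id, cell, numeric code and decoded symbol, or None if no match.
    m = DISCARD_RE.search(line)
    if not m:
        return None
    code = int(m.group(3))
    return {"afs_id": int(m.group(1)), "cell": m.group(2),
            "code": code, "name": rxkad_error_name(code)}

# Sample input: the line quoted in the post above.
SAMPLE = "afs: Tokens for user of AFS id 920 for cell cs.uwm.edu are discarded (rxkad error=19270408)"
```

Feeding syslog through parse_discard_message lets an admin tell a key rollout that missed a fileserver (RXKADUNKNOWNKEY) apart from ordinary token expiry (RXKADEXPIRED) before reaching for "aklog -force".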