[OpenAFS] Multiple Kerberos realm support
Jeff White
jaw171@pitt.edu
Thu, 10 May 2012 10:02:10 -0400
Well, I can't get it working. I built a new cell with 1.4.14.1-1 on
RHEL 6.2. I also built a Windows Server 2008 R2 Active Directory domain
to use as the KDC. The realm and cell are PITT.EDU and pitt.edu. This
works just fine. I can get a ticket, token, and view protected
directories in AFS. Now I want to add a secondary realm of
UNIV.PITT.EDU so that tickets from either will work then later move it
so only UNIV.PITT.EDU works. As shown here, the PITT.EDU realm works
fine with my fake pitt.edu cell:
[jaw171@afs-dev-03 logs]$ kinit jaw171@PITT.EDU
Password for jaw171@PITT.EDU:
[jaw171@afs-dev-03 logs]$ klist
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@PITT.EDU
Valid starting Expires Service principal
05/10/12 09:41:26 05/10/12 19:41:24 krbtgt/PITT.EDU@PITT.EDU
renew until 05/17/12 09:41:26
[jaw171@afs-dev-03 logs]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 / @ PITT.EDU
[jaw171@afs-dev-03 logs]$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 19:41]
--End of list--
[jaw171@afs-dev-03 logs]$ touch /afs/pitt.edu/home/jaw171/foo2
[jaw171@afs-dev-03 logs]$ fs la /afs/pitt.edu/home/jaw171
Access list for /afs/pitt.edu/home/jaw171 is
Normal rights:
system:administrators rlidwka
jaw171 rlidwka
[jaw171@afs-dev-03 logs]$ unlog
[jaw171@afs-dev-03 logs]$ touch /afs/pitt.edu/home/jaw171/foo3
touch: cannot touch `/afs/pitt.edu/home/jaw171/foo3': Permission denied
Now I tried to add support for the realm UNIV.PITT.EDU (the real one
running on Windows Server 2003 AD):
[root@afs-dev-03 ~]# service openafs-client stop
Stopping openafs-client:
[root@afs-dev-03 ~]# service openafs-server stop
Stopping openafs-server: [ OK ]
[root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab afs/pitt.edu@UNIV.PITT.EDU
# Changed /etc/krb5.conf to still list PITT.EDU as the default realm but
also specify where a KDC of UNIV.PITT.EDU lives.
[root@afs-dev-03 ~]# echo "UNIV.PITT.EDU" > /usr/afs/etc/krb.conf
[root@afs-dev-03 ~]# reboot
I can get a ticket from UNIV.PITT.EDU, a token from pitt.edu, but it
doesn't work:
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[jaw171@afs-dev-03 ~]$ unlog
[jaw171@afs-dev-03 ~]$ kdestroy
[jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
Password for jaw171@UNIV.PITT.EDU:
[jaw171@afs-dev-03 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU
Valid starting Expires Service principal
05/10/12 09:53:40 05/10/12 19:53:44 krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
renew until 05/17/12 09:53:40
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 / @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 19:53]
--End of list--
[jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3
Here it hangs forever and I see this being spit out to the console of
the machine as fast as it can:
afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad error=19270407
I see this in the FileLog:
[root@afs-dev-03 ~]# tail /usr/afs/logs/FileLog
Thu May 10 09:51:55 2012 Set Debug On level = 1
Thu May 10 09:51:56 2012 [0] Set Debug On level = 5
Thu May 10 09:51:56 2012 [0] Set Debug On level = 25
Thu May 10 09:51:56 2012 [0] Set Debug On level = 125
Thu May 10 09:55:37 2012 [15] Checking for fsync events
Thu May 10 09:55:37 2012 [15] Looking for FileEntries to unchain
Thu May 10 09:55:37 2012 [16] Checking for dead venii & clients
Thu May 10 09:55:37 2012 [17] Cleaning up timed out callbacks
Thu May 10 09:55:37 2012 [17] CCB: deleted 0 timed out callbacks
Thu May 10 09:55:37 2012 [17] Set disk usage statistics
So what's happening here? Sometimes as I'm trying to do this I have
been able to get it to give a "Permission denied" on that touch rather
than hanging even though I have a token that should give me access. The
docs mention that the keys in the KeyFile need to be in ascending order.
Does that mean if my KVNO for UNIV.PITT.EDU is 4 and PITT.EDU is 6 I
*must* do the asetkey on UNIV first because it's lower? When I do that
this still fails.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
On 04/26/2012 08:52 PM, Russ Allbery wrote:
> Derrick Brashear <shadow@gmail.com> writes:
>
>> as long as your cell is the same as your kaserver "realm" (which it is)
>> you should be able to put *only* UNIV.PITT.EDU in /usr/afs/etc/krb.conf
>> and have the right thing happen, but only if the username space is the
>> same between realms.
> And that functionality (adding one additional realm via krb.conf) has been
> around for forever. Certainly longer than anything you're likely to still
> be running.
>
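Editor's added example, not part of the thread above and not OpenAFS code: the cache manager line in the post reports a raw com_err number, "rxkad error=19270407", and nothing on the page decodes it. com_err (used by OpenAFS, MIT Kerberos and Heimdal) builds every error number from a 1-4 character table name packed into the high bits plus an 8-bit index into that table, so the number can be split back into its table name and index offline. The rxkad message table embedded below is transcribed from memory of OpenAFS's rxkad_errs.et / rxkad.h and is an assumption to confirm against your own installation with the `translate_et` utility that OpenAFS ships.

```python
# Editor-added illustration (not OpenAFS code): decode a com_err style error
# number such as the "rxkad error=19270407" printed by the AFS cache manager.
#
# com_err derives a table base from the table's name: each character becomes
# a 6-bit value (A-Z = 1..26, a-z = 27..52, 0-9 = 53..62, '_' = 63), the
# values are packed big-endian, and the result is shifted left by 8 bits.
# The low 8 bits of an error number are the index of the message in the table.
from typing import Tuple

BITS_PER_CHAR = 6
ERRCODE_RANGE = 8
CHAR_SET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"


def char_to_num(c: str) -> int:
    """Map one table-name character to its 6-bit value (1..63)."""
    idx = CHAR_SET.find(c)
    if idx < 0 or len(c) != 1:
        raise ValueError(f"{c!r} is not a valid com_err table-name character")
    return idx + 1


def num_to_char(n: int) -> str:
    """Inverse of char_to_num."""
    if not 1 <= n <= 63:
        raise ValueError(f"bad packed value {n}")
    return CHAR_SET[n - 1]


def table_base(name: str) -> int:
    """Base error number for a table name, e.g. 'RXK' -> 19270400."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters long")
    packed = 0
    for c in name:
        packed = (packed << BITS_PER_CHAR) + char_to_num(c)
    return packed << ERRCODE_RANGE


def split_code(code: int) -> Tuple[str, int]:
    """Split an error number into (table name, index within the table)."""
    packed = code >> ERRCODE_RANGE
    chars = []
    while packed:
        chars.append(num_to_char(packed & 0x3F))
        packed >>= BITS_PER_CHAR
    return "".join(reversed(chars)), code & 0xFF


# Assumption: rxkad's table as recalled from OpenAFS rxkad_errs.et / rxkad.h
# (RXKADINCONSISTENCY = 19270401). Confirm with `translate_et <number>` on
# your own installation before relying on a message text.
RXKAD_TABLE = {
    1: ("RXKADINCONSISTENCY", "security module structure inconsistent"),
    2: ("RXKADPACKETSHORT", "packet too short for security challenge"),
    3: ("RXKADLEVELFAIL", "security level negotiation failed"),
    4: ("RXKADTICKETLEN", "ticket length too long or too short"),
    5: ("RXKADOUTOFSEQUENCE", "packet had bad sequence number"),
    6: ("RXKADNOAUTH", "caller not authorized"),
    7: ("RXKADBADKEY", "illegal key: bad parity or weak"),
    8: ("RXKADBADTICKET", "security object was passed a bad ticket"),
    9: ("RXKADUNKNOWNKEY", "ticket contained unknown key version number"),
    10: ("RXKADEXPIRED", "authentication expired"),
    11: ("RXKADSEALEDINCON", "sealed data inconsistent"),
    12: ("RXKADDATALEN", "user data too long"),
    13: ("RXKADILLEGALLEVEL", "caller not authorized to use encrypted connections"),
}


def describe(code: int) -> Tuple[str, int, str, str]:
    """Return (table, index, symbol, message) for an error number.

    Only the rxkad table is embedded here; any other table decodes to its
    name and index with a placeholder symbol and message.
    """
    name, index = split_code(code)
    if name == "RXK" and index in RXKAD_TABLE:
        symbol, text = RXKAD_TABLE[index]
    else:
        symbol, text = "?", "not in the tables embedded in this script"
    return name, index, symbol, text


if __name__ == "__main__":
    # The number from the console message in the post, plus a neighbour
    # that a key-version mismatch would produce.
    for code in (19270407, 19270409):
        print(code, describe(code))
```

Because the table name decodes to "RXK" (the rxkad table), the number is an rxkad security-layer failure rather than a Kerberos KDC error; which rxkad failure it is depends on the index, and the index-to-symbol mapping is the part to verify with `translate_et`, since that is exactly what distinguishes a malformed or weak key from an unknown key version number.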