[OpenAFS] Multiple Kerberos realm support

Jeff White jaw171@pitt.edu
Thu, 10 May 2012 10:02:10 -0400


Well, I can't get it working.  I built a new cell with 1.4.14.1-1 on 
RHEL 6.2.  I also built a Windows Server 2008 R2 Active Directory domain 
to use as the KDC.  The realm and cell are PITT.EDU and pitt.edu.  This 
works just fine.  I can get a ticket, token, and view protected 
directories in AFS.  Now I want to add a secondary realm of 
UNIV.PITT.EDU so that tickets from either realm will work, and later 
move it so that only UNIV.PITT.EDU works.  As shown here, the PITT.EDU 
realm works fine with my fake pitt.edu cell:

[jaw171@afs-dev-03 logs]$ kinit jaw171@PITT.EDU
Password for jaw171@PITT.EDU:
[jaw171@afs-dev-03 logs]$ klist
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@PITT.EDU

Valid starting     Expires            Service principal
05/10/12 09:41:26  05/10/12 19:41:24  krbtgt/PITT.EDU@PITT.EDU
         renew until 05/17/12 09:41:26
[jaw171@afs-dev-03 logs]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt.edu@PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 /  @ PITT.EDU
[jaw171@afs-dev-03 logs]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 19:41]
    --End of list--
[jaw171@afs-dev-03 logs]$ touch /afs/pitt.edu/home/jaw171/foo2
[jaw171@afs-dev-03 logs]$ fs la /afs/pitt.edu/home/jaw171
Access list for /afs/pitt.edu/home/jaw171 is
Normal rights:
   system:administrators rlidwka
   jaw171 rlidwka
[jaw171@afs-dev-03 logs]$ unlog
[jaw171@afs-dev-03 logs]$ touch /afs/pitt.edu/home/jaw171/foo3
touch: cannot touch `/afs/pitt.edu/home/jaw171/foo3': Permission denied



Now I tried to add support for the realm UNIV.PITT.EDU (the real one 
running on Windows Server 2003 AD):

[root@afs-dev-03 ~]# service openafs-client stop
Stopping openafs-client:
[root@afs-dev-03 ~]# service openafs-server stop
Stopping openafs-server:                                   [  OK  ]
[root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab afs/pitt.edu@UNIV.PITT.EDU
# Changed /etc/krb5.conf to still list PITT.EDU as the default realm but 
also specify where a KDC of UNIV.PITT.EDU lives.
[root@afs-dev-03 ~]# echo "UNIV.PITT.EDU" > /usr/afs/etc/krb.conf
[root@afs-dev-03 ~]# reboot



I can get a ticket from UNIV.PITT.EDU, a token from pitt.edu, but it 
doesn't work:

[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[root@afs-dev-03 ~]# kill -TSTP 1404 # The fileserver process
[jaw171@afs-dev-03 ~]$ unlog
[jaw171@afs-dev-03 ~]$ kdestroy
[jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
Password for jaw171@UNIV.PITT.EDU:
[jaw171@afs-dev-03 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU

Valid starting     Expires            Service principal
05/10/12 09:53:40  05/10/12 19:53:44  krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
         renew until 05/17/12 09:53:40
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 /  @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 19:53]
    --End of list--
[jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3


Here it hangs forever, and I see this being spit out to the console of 
the machine as fast as it can:
afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad  
error=19270407



I see this in the FileLog:

[root@afs-dev-03 ~]# tail /usr/afs/logs/FileLog
Thu May 10 09:51:55 2012 Set Debug On level = 1
Thu May 10 09:51:56 2012 [0] Set Debug On level = 5
Thu May 10 09:51:56 2012 [0] Set Debug On level = 25
Thu May 10 09:51:56 2012 [0] Set Debug On level = 125
Thu May 10 09:55:37 2012 [15] Checking for fsync events
Thu May 10 09:55:37 2012 [15] Looking for FileEntries to unchain
Thu May 10 09:55:37 2012 [16] Checking for dead venii & clients
Thu May 10 09:55:37 2012 [17] Cleaning up timed out callbacks
Thu May 10 09:55:37 2012 [17] CCB: deleted 0 timed out callbacks
Thu May 10 09:55:37 2012 [17] Set disk usage statistics


So what's happening here?  Sometimes as I'm trying to do this I have 
been able to get it to give a "Permission denied" on that touch rather 
than hanging, even though I have a token that should give me access.  The 
docs mention that the keys in the KeyFile need to be in ascending order.  
Does that mean if my KVNO for UNIV.PITT.EDU is 4 and PITT.EDU is 6 I 
*must* do the asetkey on UNIV first because it's lower?  When I do that, 
this still fails.

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 04/26/2012 08:52 PM, Russ Allbery wrote:
> Derrick Brashear<shadow@gmail.com>  writes:
>
>> as long as your cell is the same as your kaserver "realm" (which it is)
>> you should be able to put *only* UNIV.PITT.EDU in /usr/afs/etc/krb.conf
>> and have the right thing happen, but only if the username space is the
>> same between realms.
> And that functionality (adding one additional realm via krb.conf) has been
> around for forever.  Certainly longer than anything you're likely to still
> be running.
>
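An added example for readers of this thread (not code from the original post, nor from OpenAFS itself): an offline sanity check of the kind of multi-realm KeyFile setup described above. It assumes only what the thread shows: the 1.4-era KeyFile is indexed by kvno alone, the realm part of the principal is not stored, so the ticket's kvno must match a KeyFile key (otherwise rxkad returns RXKADUNKNOWNKEY, 19270408), and rxkad in that version can only decrypt tickets sealed with a single-DES service key. The "rxkad error=19270407" in the post is rxkad's RXKADBADTICKET ("security object was passed a bad ticket"), which is what a ticket the fileserver cannot decrypt with the key under that kvno produces. The `klist -e -k` and `asetkey list` listings below are constructed sample text (the `asetkey list` format is approximated), the enctype shown for the UNIV.PITT.EDU entry is an assumption made to exercise the check, and the ascending-kvno check only encodes what the poster reports the docs say.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS: sanity-check an
# OpenAFS 1.4 multi-realm service key setup offline, using constructed
# `klist -e -k` and `asetkey list` listings instead of live tools.

# Constructed sample of `klist -e -k /var/tmp/afskerbuser.keytab` output.
# The kvnos follow the thread (4 for UNIV.PITT.EDU, 6 for PITT.EDU); the
# enctypes are an assumption for the example.
SAMPLE_KEYTAB='Keytab name: FILE:/var/tmp/afskerbuser.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 afs/pitt.edu@PITT.EDU (des-cbc-crc)
   4 afs/pitt.edu@UNIV.PITT.EDU (arcfour-hmac)'

# Constructed sample of `asetkey list` output (format approximated).
SAMPLE_KEYFILE='kvno    4: key is: 0123456789abcdef
kvno    6: key is: fedcba9876543210
All done.'

# Map an "rxkad error=NNN" number, as logged by the cache manager, to its
# symbolic name. 19270400 is the base of rxkad's com_err table.
rxkad_errname() {
    case "$1" in
        19270400) echo RXKADINCONSISTENCY ;;
        19270401) echo RXKADPACKETSHORT ;;
        19270402) echo RXKADLEVELFAIL ;;
        19270403) echo RXKADTICKETLEN ;;
        19270404) echo RXKADOUTOFSEQUENCE ;;
        19270405) echo RXKADNOAUTH ;;
        19270406) echo RXKADBADKEY ;;
        19270407) echo RXKADBADTICKET ;;
        19270408) echo RXKADUNKNOWNKEY ;;
        19270409) echo RXKADEXPIRED ;;
        19270410) echo RXKADSEALEDINCON ;;
        19270411) echo RXKADDATALEN ;;
        19270412) echo RXKADILLEGALLEVEL ;;
        *)        echo "UNKNOWN($1)" ;;
    esac
}

# Print "kvno principal enctype" for each afs/ entry in a klist -e -k
# listing read from stdin; header and separator lines are skipped.
keytab_afs_entries() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^afs\// { gsub(/[()]/, "", $3); print $1, $2, $3 }'
}

# Print the kvnos present in an asetkey list listing read from stdin.
keyfile_kvnos() {
    awk '$1 == "kvno" { sub(/:$/, "", $2); print $2 }'
}

# Report problems, one per line: keytab entries whose key is not single DES
# (1.4 rxkad cannot decrypt tickets sealed with them) and entries whose kvno
# has no key in the KeyFile (the fileserver would answer RXKADUNKNOWNKEY).
# Args: keytab listing text, KeyFile listing text.
check_keys() {
    keytab=$1; keyfile=$2
    have=$(printf '%s\n' "$keyfile" | keyfile_kvnos)
    printf '%s\n' "$keytab" | keytab_afs_entries | while read -r kvno princ etype; do
        case "$etype" in
            des-cbc-crc|des-cbc-md5) ;;
            *) echo "$princ kvno $kvno: $etype is not a single-DES key; 1.4 rxkad cannot use it" ;;
        esac
        found=0
        for k in $have; do [ "$k" = "$kvno" ] && found=1; done
        [ "$found" = 1 ] || echo "$princ kvno $kvno: no KeyFile key with this kvno (RXKADUNKNOWNKEY)"
    done
}

# The thread cites docs saying KeyFile keys must be in ascending kvno order;
# succeed only if the kvnos in the listing are non-decreasing.
keyfile_sorted() {
    printf '%s\n' "$1" | keyfile_kvnos |
        awk 'NR > 1 && $1 < prev { bad = 1 } { prev = $1 } END { exit bad }'
}

echo "rxkad error 19270407 = $(rxkad_errname 19270407)"
check_keys "$SAMPLE_KEYTAB" "$SAMPLE_KEYFILE"
if keyfile_sorted "$SAMPLE_KEYFILE"; then
    echo "KeyFile kvnos are ascending"
else
    echo "KeyFile kvnos are NOT ascending"
fi
```

On a real server the two listings would come from `klist -e -k <keytab>` and `asetkey list` respectively; the checks are deliberately conservative and only flag what the fileserver is guaranteed to reject, so a clean result does not prove the key material itself matches what the KDC issues.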