[OpenAFS] Re: Multiple Kerberos realm support

Jeff White jaw171@pitt.edu
Thu, 10 May 2012 13:17:40 -0400



Responses in-line...

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 05/10/2012 11:57 AM, Andrew Deason wrote:
> On Thu, 10 May 2012 10:02:10 -0400
> Jeff White<jaw171@pitt.edu>  wrote:
>
>> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>> running on Windows Server 2003 AD):
> I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>
My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
>> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>> afs/pitt.edu@UNIV.PITT.EDU
> How exactly did you generate this keytab?
>
The same way I did it on PITT.EDU:
ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass * 
-crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype 
KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
>> [jaw171@afs-dev-03 ~]$ aklog -d
> 'klist -e' after this? Though I expect that the ticket you've got is
> fine.
>
You mean from the UNIV.PITT.EDU realm attempt?

[jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
Password for jaw171@UNIV.PITT.EDU:
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU

Valid starting     Expires            Service principal
05/10/12 13:12:45  05/10/12 23:12:48  krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
         renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 /  @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 23:12]
    --End of list--
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU

Valid starting     Expires            Service principal
05/10/12 13:12:45  05/10/12 23:12:48  krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
         renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
05/10/12 13:12:59  05/10/12 23:12:48  afs/pitt.edu@UNIV.PITT.EDU
         renew until 05/17/12 13:12:45, Etype (skey, tkt): des-cbc-crc, des-cbc-md5
[jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3
# Hangs here....
>> Here it hangs forever and I see this being spit out to the console of
>> the machine as fast as it can:
>> afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad
>> error=19270407
> "The KeyFile data is wrong"
>
Hmm...wonder what it doesn't like.
>> So what's happening here?  Sometimes as I'm trying to do this I have
>> been able to get it to give a "Permission denied" on that touch rather
>> than hanging even though I have a token that should give me access.
>> The docs mention that the keys in the Keyfile need to be in ascending
>> order.
> What page says this? It may just be describing the KeyFile format, in
> that the keys are stored in ascending kvno order.
>
http://wiki.openafs.org/AFSLore/AdminFAQ/#3.51%20Can%20I%20authenticate%20to%20my%20af
"since keys must be in ascending order in the AFS KeyFile
<http://wiki.openafs.org/AFSLore/KeyFile/> it will be easiest if you make
the new kvno higher than any existing key's kvno"

I also tried switching everything (/etc/krb5.conf, /usr/afs/etc/Keyfile,
/usr/afs/etc/krb.conf, etc.) to just UNIV.PITT.EDU, but that too did not work.
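As an added example that is not part of this thread or of OpenAFS itself: a small Python check that parses the two files involved here, the keytab produced by ktpass and the server KeyFile written by asetkey, and reports the inconsistencies that make rxkad reject a token (a kvno missing from the KeyFile, key bytes that differ between the two files, a non-DES enctype that cannot be loaded into the KeyFile, bad parity or weak DES keys, kvnos out of ascending order). It assumes the MIT keytab format version 2 (0x0502) and the classic single-DES KeyFile layout (int32 count, then int32 kvno plus 8-byte key per entry) and does not handle the rxkad-k5 KeyFileExt. All sample keys and the build_* helpers are constructed for the example.

```python
import struct

# Kerberos enctype numbers a classic OpenAFS KeyFile can hold (single-DES only).
DES_ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5"}

# The four weak single-DES keys; rxkad rejects these (RXKADBADKEY).
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e")}


def parse_keyfile(data):
    """Parse a KeyFile: big-endian int32 count, then (int32 kvno, 8-byte key) records."""
    (nkeys,) = struct.unpack_from(">i", data, 0)
    return [(struct.unpack_from(">i", data, 4 + 12 * i)[0], data[8 + 12 * i:16 + 12 * i])
            for i in range(nkeys)]


def _counted(data, off):
    """Read a uint16-length-prefixed string at off; return (string, new offset)."""
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n].decode(), off + 2 + n


def parse_keytab(data):
    """Parse an MIT keytab (format version 0x0502); return one dict per key entry."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 2 (0x0502) is handled")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                     # negative size marks a free (deleted) slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c)
        off += 8                          # uint32 name_type + uint32 timestamp
        vno = data[off]                   # 8-bit kvno
        enctype, klen = struct.unpack_from(">HH", data, off + 1)
        key = data[off + 5:off + 5 + klen]
        off += 5 + klen
        if end - off >= 4:                # optional 32-bit kvno overrides the 8-bit one
            (vno,) = struct.unpack_from(">I", data, off)
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": vno, "enctype": enctype, "key": key})
        off = end
    return entries


def des_parity_ok(key):
    """Every byte of a DES key must have odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def check_keyfile_against_keytab(keyfile, keytab, principal):
    """List reasons rxkad might reject tickets for principal; [] means consistent."""
    findings, kf = [], parse_keyfile(keyfile)
    kvnos = [k for k, _ in kf]
    if kvnos != sorted(kvnos):
        findings.append(f"KeyFile kvnos not in ascending order: {kvnos}")
    for kvno, key in kf:
        if not des_parity_ok(key) or key in DES_WEAK_KEYS:
            findings.append(f"KeyFile kvno {kvno}: bad parity or weak DES key")
    kf, usable = dict(kf), 0
    for e in parse_keytab(keytab):
        if e["principal"] != principal:
            continue
        name = DES_ENCTYPES.get(e["enctype"])
        if name is None:
            findings.append(f"keytab kvno {e['kvno']}: enctype {e['enctype']} is not single-DES, "
                            "so it cannot be loaded into this KeyFile")
        elif e["kvno"] not in kf:
            findings.append(f"keytab kvno {e['kvno']} ({name}) has no KeyFile entry")
        elif kf[e["kvno"]] != e["key"]:
            findings.append(f"kvno {e['kvno']}: KeyFile key differs from the keytab key")
        else:
            usable += 1
    if usable == 0:
        findings.append(f"no usable key for {principal} in the KeyFile")
    return findings


# --- constructed sample data and writers (not taken from the thread) --------
def build_keyfile(keys):
    out = struct.pack(">i", len(keys))
    for kvno, key in keys:
        out += struct.pack(">i", kvno) + key
    return out


def build_keytab(entries):
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, enctype, len(key)) + key
        body += struct.pack(">I", kvno)   # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


PRINC = "afs/pitt.edu@UNIV.PITT.EDU"
KEY3 = bytes.fromhex("020407080b0d0e01")   # constructed odd-parity DES keys
KEY4 = bytes.fromhex("010204070b0d0e08")
WRONG = bytes.fromhex("10204070b0d0e080")


def demo():
    keytab = build_keytab([(PRINC, 4, 1, KEY4)])
    consistent = build_keyfile([(3, KEY3), (4, KEY4)])
    mismatched = build_keyfile([(4, WRONG)])
    rc4_keytab = build_keytab([(PRINC, 4, 23, b"\x00" * 16)])   # arcfour-hmac entry
    return (check_keyfile_against_keytab(consistent, keytab, PRINC),
            check_keyfile_against_keytab(mismatched, keytab, PRINC),
            check_keyfile_against_keytab(consistent, rc4_keytab, PRINC))


if __name__ == "__main__":
    for label, findings in zip(("consistent", "wrong key", "rc4 keytab"), demo()):
        print(label, "->", findings or "OK")
```

Run against real files by passing the bytes of /usr/afs/etc/KeyFile and the ktpass output to check_keyfile_against_keytab with the afs service principal; an empty list means the kvno the KDC issues tickets under has a byte-identical DES key on the server.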
