[OpenAFS] Re: Multiple Kerberos realm support
Jeff White
jaw171@pitt.edu
Thu, 10 May 2012 13:17:40 -0400
Responses in-line...
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
On 05/10/2012 11:57 AM, Andrew Deason wrote:
> On Thu, 10 May 2012 10:02:10 -0400
> Jeff White<jaw171@pitt.edu> wrote:
>
>> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>> running on Windows Server 2003 AD):
> I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>
My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
>> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>> afs/pitt.edu@UNIV.PITT.EDU
> How exactly did you generate this keytab?
>
The same way I did it on PITT.EDU:
ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass *
-crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype
KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
>> [jaw171@afs-dev-03 ~]$ aklog -d
> 'klist -e' after this? Though I expect that the ticket you've got is
> fine.
>
You mean from the UNIV.PITT.EDU realm attempt?
[jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
Password for jaw171@UNIV.PITT.EDU:
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU
Valid starting       Expires              Service principal
05/10/12 13:12:45    05/10/12 23:12:48    krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
    renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 / @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 23:12]
--End of list--
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw171@UNIV.PITT.EDU
Valid starting       Expires              Service principal
05/10/12 13:12:45    05/10/12 23:12:48    krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
    renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
05/10/12 13:12:59    05/10/12 23:12:48    afs/pitt.edu@UNIV.PITT.EDU
    renew until 05/17/12 13:12:45, Etype (skey, tkt): des-cbc-crc, des-cbc-md5
[jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3
# Hangs here....
>> Here it hangs forever and I see this being spit out to the console of
>> the machine as fast as it can:
>> afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad
>> error=19270407
> "The KeyFile data is wrong"
>
Hmm...wonder what it doesn't like.
>> So what's happening here? Sometimes as I'm trying to do this I have
>> been able to get it to give a "Permission denied" on that touch rather
>> than hanging even though I have a token that should give me access.
>> The docs mention that the keys in the KeyFile need to be in ascending
>> order.
> What page says this? It may just be describing the KeyFile format, in
> that the keys are stored in ascending kvno order.
>
http://wiki.openafs.org/AFSLore/AdminFAQ/#3.51%20Can%20I%20authenticate%20to%20my%20af
"since keys must be in ascending order in the AFS KeyFile
<http://wiki.openafs.org/AFSLore/KeyFile/> it will be easiest if you make
the new kvno higher than any existing key's kvno"
I also tried switching everything (/etc/krb5.conf, /usr/afs/etc/KeyFile,
/usr/afs/etc/krb.conf, etc.) to just UNIV.PITT.EDU but that too did not work.
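An added example, not part of this thread and not OpenAFS code: a small Python parser and sanity checker for the KeyFile that asetkey writes. It assumes the documented on-disk layout (a big-endian 4-byte key count followed by one 4-byte kvno plus 8-byte DES key per entry, entries in ascending kvno order, at most 8 keys) and that a real file may be padded past the last entry; the two DES keys below are constructed for the example and are not real cell keys. It reports the two things worth checking when a fileserver rejects tokens with an rxkad error: whether the kvnos are ordered and unique, whether every key byte carries the odd parity DES requires, and whether a key exists at all for the kvno the KDC put in the service ticket.

```python
"""Parse and sanity-check an OpenAFS KeyFile (/usr/afs/etc/KeyFile).

Added example; assumes the documented layout: big-endian int32 key count,
then per key a big-endian int32 kvno and an 8-byte DES key.
"""
import struct

COUNT_FMT = struct.Struct(">i")      # number of keys
ENTRY_FMT = struct.Struct(">i8s")    # kvno, 8-byte DES key
MAX_KEYS = 8                         # assumed fixed capacity of the file


def parse_keyfile(data):
    """Return [(kvno, key_bytes), ...] in file order, or raise ValueError.

    Trailing bytes after the last entry are ignored, since the file may be
    written as a fixed-size structure with unused slots after the real keys.
    """
    if len(data) < COUNT_FMT.size:
        raise ValueError("KeyFile shorter than its 4-byte header")
    (nkeys,) = COUNT_FMT.unpack_from(data, 0)
    if nkeys < 0 or nkeys > MAX_KEYS:
        raise ValueError("KeyFile claims %d keys, outside 0..%d" % (nkeys, MAX_KEYS))
    needed = COUNT_FMT.size + nkeys * ENTRY_FMT.size
    if len(data) < needed:
        raise ValueError("KeyFile claims %d keys but only has %d bytes (need %d)"
                         % (nkeys, len(data), needed))
    return [ENTRY_FMT.unpack_from(data, COUNT_FMT.size + i * ENTRY_FMT.size)
            for i in range(nkeys)]


def build_keyfile(keys):
    """Serialize (kvno, key) pairs in ascending kvno order, as asetkey stores them."""
    ordered = sorted(keys, key=lambda kv: kv[0])
    if len(ordered) > MAX_KEYS:
        raise ValueError("more than %d keys" % MAX_KEYS)
    out = bytearray(COUNT_FMT.pack(len(ordered)))
    for kvno, key in ordered:
        if len(key) != 8:
            raise ValueError("kvno %d: a DES key is exactly 8 bytes" % kvno)
        out += ENTRY_FMT.pack(kvno, key)
    return bytes(out)


def has_odd_parity(key):
    """DES reserves the low bit of each key byte as an odd-parity bit."""
    return all(bin(b).count("1") % 2 == 1 for b in key)


def check_keyfile(keys):
    """Return a list of problems found; an empty list means the file looks sane."""
    problems = []
    kvnos = [k for k, _ in keys]
    if kvnos != sorted(kvnos):
        problems.append("kvnos not in ascending order: %r" % kvnos)
    if len(set(kvnos)) != len(kvnos):
        problems.append("duplicate kvno present: %r" % kvnos)
    for kvno, key in keys:
        if not has_odd_parity(key):
            problems.append("kvno %d: key bytes lack odd DES parity" % kvno)
    return problems


def find_key(keys, kvno):
    """Key a server would use for a ticket issued under `kvno`, or None if absent."""
    for k, key in keys:
        if k == kvno:
            return key
    return None


# Constructed sample keys (every byte has odd parity); not real cell keys.
KEY_KVNO3 = bytes([0x01, 0x02, 0x04, 0x07, 0x08, 0x0B, 0x0D, 0x0E])
KEY_KVNO4 = bytes([0x10, 0x13, 0x15, 0x16, 0x19, 0x1A, 0x1C, 0x1F])

# Pretend we ran "asetkey add 3 ..." then "asetkey add 4 ...", given out of order
# to show that the builder sorts them.
SAMPLE_KEYFILE = build_keyfile([(4, KEY_KVNO4), (3, KEY_KVNO3)])


def main():
    keys = parse_keyfile(SAMPLE_KEYFILE)
    for kvno, key in keys:
        print("kvno %d  key %s" % (kvno, key.hex()))
    for problem in check_keyfile(keys) or ["no problems found"]:
        print(problem)
    ticket_kvno = 4  # the kvno shown for the afs/ principal by 'klist -kte keytab'
    if find_key(keys, ticket_kvno) is None:
        print("no key for kvno %d: tickets under that kvno cannot be decrypted"
              % ticket_kvno)


if __name__ == "__main__":
    main()
```

To use it on a real cell, feed it the bytes of /usr/afs/etc/KeyFile and set `ticket_kvno` to the kvno that MIT `klist -kte /var/tmp/afskerbuser.keytab` prints for the afs/ principal; `asetkey list` on the server shows the kvnos the file actually holds, and the two views have to agree before looking anywhere else.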