[OpenAFS] Re: Multiple Kerberos realm support
Jeff White
jaw171@pitt.edu
Thu, 10 May 2012 14:36:45 -0400
I found something else. If I change /usr/afs/etc/krb.conf to include
both realm names I can get it to give me a permission denied rather than
hanging and generating thousands of errors:
[jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
Password for jaw171@UNIV.PITT.EDU:
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 / @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ ls /afs/pitt.edu/home/jaw171
ls: cannot open directory /afs/pitt.edu/home/jaw171: Permission denied
I also get this:
May 10 14:27:06 <kern.warning> afs-dev-03 kernel: afs: Tokens for user
of AFS id 354461 for cell pitt.edu are discarded (rxkad error=19270407)
Which I guess means this:
#define RXKADBADTICKET 19270407 /* security object was passed a bad ticket */
It's still broken but at least it's something different.
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD
On 05/10/2012 01:17 PM, Jeff White wrote:
> Responses in-line...
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
> On 05/10/2012 11:57 AM, Andrew Deason wrote:
>> On Thu, 10 May 2012 10:02:10 -0400
>> Jeff White <jaw171@pitt.edu> wrote:
>>
>>> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
>>> running on Windows Server 2003 AD):
>> I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>>
> My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
>>> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
>>> afs/pitt.edu@UNIV.PITT.EDU
>> How exactly did you generate this keytab?
>>
> The same way I did it on PITT.EDU:
> ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass *
> -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype
> KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
>>> [jaw171@afs-dev-03 ~]$ aklog -d
>> 'klist -e' after this? Though I expect that the ticket you've got is
>> fine.
>>
> You mean from the UNIV.PITT.EDU realm attempt?
>
> [jaw171@afs-dev-03 ~]$ kinit jaw171@UNIV.PITT.EDU
> Password for jaw171@UNIV.PITT.EDU:
> [jaw171@afs-dev-03 ~]$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_354461
> Default principal: jaw171@UNIV.PITT.EDU
>
> Valid starting Expires Service principal
> 05/10/12 13:12:45 05/10/12 23:12:48 krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
> renew until 05/17/12 13:12:45, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
> [jaw171@afs-dev-03 ~]$ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm UNIV.PITT.EDU.
> Getting tickets: afs/pitt.edu@UNIV.PITT.EDU
> Using Kerberos V5 ticket natively
> About to resolve name jaw171 to id in cell pitt.edu.
> Id 354461
> Set username to AFS ID 354461
> Setting tokens. AFS ID 354461 / @ UNIV.PITT.EDU
> [jaw171@afs-dev-03 ~]$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 354461) tokens for afs@pitt.edu [Expires May 10 23:12]
> --End of list--
> [jaw171@afs-dev-03 ~]$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_354461
> Default principal: jaw171@UNIV.PITT.EDU
>
> Valid starting Expires Service principal
> 05/10/12 13:12:45 05/10/12 23:12:48 krbtgt/UNIV.PITT.EDU@UNIV.PITT.EDU
> renew until 05/17/12 13:12:45, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
> 05/10/12 13:12:59 05/10/12 23:12:48 afs/pitt.edu@UNIV.PITT.EDU
> renew until 05/17/12 13:12:45, Etype (skey, tkt): des-cbc-crc,
> des-cbc-md5
> [jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3
> # Hangs here....
>>> Here it hangs forever and I see this being spit out to the console of
>>> the machine as fast as it can:
>>> afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad
>>> error=19270407
>> "The KeyFile data is wrong"
>>
> Hmm...wonder what it doesn't like.
>>> So what's happening here? Sometimes as I'm trying to do this I have
>>> been able to get it to give a "Permission denied" on that touch rather
>>> than hanging even though I have a token that should give me access.
>>> The docs mention that the keys in the KeyFile need to be in ascending
>>> order.
>> What page says this? It may just be describing the KeyFile format, in
>> that the keys are stored in ascending kvno order.
>>
> http://wiki.openafs.org/AFSLore/AdminFAQ/#3.51%20Can%20I%20authenticate%20to%20my%20af
> "since keys must be in ascending order in the AFS KeyFile
> <http://wiki.openafs.org/AFSLore/KeyFile/> it will be easiest if you
> make the new kvno higher than any existing key's kvno"
>
> I also tried switching everything (/etc/krb5.conf,
> /usr/afs/ets/Keyfile, /usr/afs/etc/krb.conf, etc.) to just
> UNIV.PITT.EDU, but that too did not work.
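The thread turns on two things an admin has to check by hand: whether the server's KeyFile holds the expected kvnos in the ascending order the wiki quote above requires, with usable DES keys (the ktpass command above produces a DES-CBC-CRC key, so parity and weak-key problems are possible), and what the rxkad error number in the kernel log actually means. The following is an added example, not code from the thread or from OpenAFS: it parses the classic 100-byte KeyFile layout (assumed here to be a big-endian 4-byte key count followed by eight slots of 4-byte kvno plus 8-byte DES key, which is my reading of the pre-rxkad-k5 cellconfig layout), reports ordering, duplicate-kvno, parity and weak-key findings, and maps rxkad error numbers onto their symbolic names, anchored on the RXKADBADTICKET = 19270407 value quoted above. The KeyFile bytes and DES keys it runs on are constructed, not taken from the poster's cell.

```python
"""Sanity-check an OpenAFS KeyFile and decode rxkad error numbers (added example)."""
import struct

# Assumed classic KeyFile layout: afs_int32 nkeys, then AFSCONF_MAXKEYS slots of
# { afs_int32 kvno; char key[8] }, all integers big-endian -> 4 + 8*12 = 100 bytes.
AFSCONF_MAXKEYS = 8
SLOT_SIZE = 12
KEYFILE_SIZE = 4 + AFSCONF_MAXKEYS * SLOT_SIZE

# rxkad error table (base 19270400). The thread quotes RXKADBADTICKET = 19270407,
# which pins the numbering of the neighbouring entries.
RXKAD_ERRORS = {
    19270400: "RXKADINCONSISTENCY",
    19270401: "RXKADPACKETSHORT",
    19270402: "RXKADLEVELFAIL",
    19270403: "RXKADTICKETLEN",
    19270404: "RXKADOUTOFSEQUENCE",
    19270405: "RXKADNOAUTH",
    19270406: "RXKADBADKEY",
    19270407: "RXKADBADTICKET",
    19270408: "RXKADUNKNOWNKEY",
    19270409: "RXKADEXPIRED",
    19270410: "RXKADSEALEDINCON",
    19270411: "RXKADDATALEN",
    19270412: "RXKADILLEGALLEVEL",
}

# Standard DES weak and semi-weak keys (with parity bits set).
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "01e001e001f101f1", "e001e001f101f101", "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e",
    "011f011f010e010e", "1f011f010e010e01", "e0fee0fef1fef1fe", "fee0fee0fef1fef1",
)}


def des_parity_ok(key):
    """Every byte of a DES key must have odd parity."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def build_keyfile(entries):
    """Serialise (kvno, key) pairs into the assumed layout; used to build test fixtures."""
    if len(entries) > AFSCONF_MAXKEYS:
        raise ValueError("too many keys for a KeyFile")
    data = struct.pack(">i", len(entries))
    for kvno, key in entries:
        data += struct.pack(">i", kvno) + bytes(key)
    return data + b"\0" * (KEYFILE_SIZE - len(data))


def parse_keyfile(data):
    """Return the populated (kvno, key) slots of a KeyFile image."""
    if len(data) != KEYFILE_SIZE:
        raise ValueError("KeyFile must be %d bytes, got %d" % (KEYFILE_SIZE, len(data)))
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError("implausible key count %d" % nkeys)
    entries = []
    for i in range(nkeys):
        off = 4 + i * SLOT_SIZE
        (kvno,) = struct.unpack(">i", data[off:off + 4])
        entries.append((kvno, data[off + 4:off + SLOT_SIZE]))
    return entries


def check_keyfile(entries):
    """Report the problems an admin would want flagged before restarting the servers."""
    findings = []
    kvnos = [kvno for kvno, _ in entries]
    if kvnos != sorted(kvnos):
        findings.append("kvnos are not in ascending order: %r" % kvnos)
    if len(set(kvnos)) != len(kvnos):
        findings.append("duplicate kvno present: %r" % kvnos)
    for kvno, key in entries:
        if not des_parity_ok(key):
            findings.append("kvno %d: DES key has bad parity" % kvno)
        if bytes(key) in DES_WEAK_KEYS:
            findings.append("kvno %d: DES key is weak or semi-weak" % kvno)
    return findings


def rxkad_error_name(code):
    """Map an rxkad error number from the kernel log to its symbolic name."""
    return RXKAD_ERRORS.get(code, "unknown rxkad error %d" % code)


# Constructed sample keys (classic DES test vectors, correct odd parity).
KEY_A = bytes.fromhex("0123456789abcdef")
KEY_B = bytes.fromhex("133457799bbcdff1")
GOOD_KEYFILE = build_keyfile([(3, KEY_A), (4, KEY_B)])

if __name__ == "__main__":
    print("findings:", check_keyfile(parse_keyfile(GOOD_KEYFILE)))
    print("rxkad error=19270407 ->", rxkad_error_name(19270407))
```

Run it against a real `/usr/afs/etc/KeyFile` by reading the file in binary mode and passing the bytes to `parse_keyfile`; an empty findings list only says the file is well formed, not that its key matches the keytab on the KDC, which is what a bad-ticket error ultimately points at.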