[OpenAFS] Re: Multiple Kerberos realm support

Andrew Deason adeason@sinenomine.net
Thu, 10 May 2012 14:42:53 -0500


On Thu, 10 May 2012 13:17:40 -0400
Jeff White <jaw171@pitt.edu> wrote:

> >> Now I tried to add support for the realm UNIV.PITT.EDU (the real one
> >> running on Windows Server 2003 AD):
> > I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?
>
> My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.

But according to the thread OP, I thought PITT.EDU was kaserver?

> >> [root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab
> >> afs/pitt.edu@UNIV.PITT.EDU
> > How exactly did you generate this keytab?
>
> The same way I did it on PITT.EDU:
> ktpass -princ afs/pitt.edu@UNIV.PITT.EDU -mapuser afskerbuser -pass * 
> -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype 
> KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab

I've been told some of the versions of the ktpass tool with 2003 can
generate incorrect keytabs; this step in general in my experience is a
source of a lot of problems. I don't know much about AD so I'm not
exactly sure on the ways to check this, but are you able to kinit with
that keytab? Like, 'kinit -kt foo.keytab afs/pitt.edu@UNIV.PITT.EDU' ?

Not that you normally want to do that, but I think AD usually allows AS
requests on it, since iirc you just create the 'afs' user similarly as a
normal user account.

> >> [jaw171@afs-dev-03 ~]$ aklog -d
> > 'klist -e' after this? Though I expect that the ticket you've got is
> > fine.
>
> You mean from the UNIV.PITT.EDU realm attempt?

Yes, and yes that looks fine. Can you check the kvno? After kinit,
'kvno afs/pitt.edu@UNIV.PITT.EDU'

> I also tried switching everything (/etc/krb5.conf, /usr/afs/ets/Keyfile,
> /usr/afs/etc/krb.conf, etc.) to just UNIV.PITT.EDU but that too did not work.

I don't think anything besides the KeyFile will make much of a
difference at this level. We're not looking at realms and cells, etc,
yet since the fileserver is just trying to decrypt the given token using
the des key according to the given kvno. If it can't get beyond that, it
doesn't look at anything else.

That is, even if you just had the key in the KeyFile, but didn't have
UNIV.PITT.EDU anywhere in the config, you wouldn't be getting this
error. You'd just be treated as a 'foreign' user by AFS.

-- 
Andrew Deason
adeason@sinenomine.net
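An added example (not code from either poster or from OpenAFS) of the two checks Andrew asks for, done offline: it reads the kvnos out of a KeyFile, parses the line MIT `kvno` prints after kinit, and reports whether the fileserver actually has a DES key for the kvno the KDC issues, plus whether that key has proper DES odd parity. It assumes the classic fixed-size KeyFile layout (big-endian key count, then 12-byte records of big-endian kvno and 8-byte DES key); the KeyFile bytes and kvno output below are constructed sample data.

```python
import struct

AFSCONF_MAXKEYS = 8  # assumed on-disk layout: 4-byte count + 8 slots of (kvno, 8-byte key)

def parse_keyfile(data: bytes) -> dict:
    """Return {kvno: des_key} from KeyFile bytes (count and kvnos are big-endian)."""
    if len(data) < 4:
        raise ValueError("KeyFile too short")
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= AFSCONF_MAXKEYS:
        raise ValueError(f"implausible key count {nkeys}")
    keys, off = {}, 4
    for _ in range(nkeys):
        kvno, key = struct.unpack(">i8s", data[off:off + 12])
        keys[kvno] = key
        off += 12
    return keys

def parse_kvno_output(text: str) -> dict:
    """Parse 'principal: kvno = N' lines as printed by MIT 'kvno'."""
    found = {}
    for line in text.splitlines():
        princ, sep, rest = line.partition(": kvno = ")
        if sep:
            found[princ.strip()] = int(rest.strip())
    return found

def has_des_odd_parity(key: bytes) -> bool:
    """Every byte of a well-formed DES key has an odd number of set bits."""
    return all(bin(b).count("1") % 2 == 1 for b in key)

def check_token_decryptable(keyfile: bytes, kvno_text: str, princ: str) -> str:
    """Mirror what the fileserver needs: a key under the kvno the KDC issues."""
    keys = parse_keyfile(keyfile)
    issued = parse_kvno_output(kvno_text)[princ]
    if issued not in keys:
        return f"mismatch: KDC issues kvno {issued}, KeyFile has {sorted(keys)}"
    if not has_des_odd_parity(keys[issued]):
        return f"bad parity: key for kvno {issued} is not a valid DES key"
    return "ok"

# Constructed sample: one key, kvno 4, padded to the fixed 100-byte KeyFile size.
SAMPLE_KEY = b"\x01\x02\x04\x07\x08\x0b\x0d\x0e"
SAMPLE_KEYFILE = struct.pack(">i", 1) + struct.pack(">i8s", 4, SAMPLE_KEY) + b"\x00" * 84
SAMPLE_KVNO_OUTPUT = "afs/pitt.edu@UNIV.PITT.EDU: kvno = 4\n"

if __name__ == "__main__":
    print(check_token_decryptable(SAMPLE_KEYFILE, SAMPLE_KVNO_OUTPUT, "afs/pitt.edu@UNIV.PITT.EDU"))
```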