[OpenAFS] Fresh install with AES key only. Can't authenticate.

GALAMBOS Daniel dancsa@dancsa.hu
Fri, 08 Aug 2014 21:21:15 +0200


Hi,

We wanted a fresh new AFS server as a single-server new cell for testing
purposes.

On Debian wheezy I installed openafs-fileserver and openafs-dbserver from
wheezy-backports.

Created a new Kerberos principal with only the aes256-cts-hmac-sha1-96 enctype

bos adduser dancsa
created the db processes
pts createu dancsa -lo
pts adduser dancsa system:administrators

reboot.

root@afstest:~# bos listu -lo localhost
SUsers are: dancsa (...and others)

root@afstest:/etc/openafs/server# pts mem dancsa -lo
Groups dancsa (id: 1) is a member of:
  system:administrators

root@afstest:~# ktutil -k /etc/openafs/server/rxkad.keytab list
/etc/openafs/server/rxkad.keytab:

Vno  Type                     Principal                    Aliases
  1  aes256-cts-hmac-sha1-96  afs/afstest.elte.hu@ELTE.HU


root@afstest:~# aklog -d
Authenticating to cell afstest.elte.hu (server afstest.elte.hu).
Trying to authenticate to user's realm ELTE.HU.
Getting tickets: afs/afstest.elte.hu@ELTE.HU
Using Kerberos V5 ticket natively
About to resolve name dancsa to id in cell afstest.elte.hu.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 @ afstest.elte.hu
root@afstest:~# tokens

Tokens held by the Cache Manager:

User's (AFS ID 1) tokens for afs@afstest.elte.hu [Expires Aug  9 06:35]
   --End of list--

I can acquire tokens, and bos and pts don't print that they are running
unauthenticated, yet I get permission denied:

# pts mem dancsa
pts: Permission denied ; unable to get membership of dancsa (id: 1)
// audit and debug log at the end of the mail.

root@afstest:~# bos restart -all localhost
bos: failed to restart servers (you are not authorized for this operation)

Then I started the bosserver under GDB and asked for the restart again. At
afsconf_SuperUser (auth/userok.c:364) rx_SecurityClassOf(tconn) returns
zero, and the following comment is placed there: /* not authenticated
at all, answer is no */.

tcpdump records this:
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 65535
bytes
20:48:31.886856 IP (tos 0x0, ttl 64, id 59999, offset 0, flags [none],
proto UDP (17), length 60)
    127.0.0.1.52578 > 127.0.0.1.7007: [bad udp cksum 0xfe3b -> 0x1d28!]
rx data cid 6306f090 call# 1 seq 1 ser 1 secindex 2 serviceid 1
<client-init>,<last-pckt> bos call restart-all (32)
20:48:31.886925 IP (tos 0x0, ttl 64, id 60000, offset 0, flags [none],
proto UDP (17), length 72)
    127.0.0.1.7007 > 127.0.0.1.52578: [bad udp cksum 0xfe47 -> 0x348b!]
rx challenge cid 6306f090 call# 0 seq 0 ser 1 secindex 2 serviceid 1 (44)
20:48:31.887041 IP (tos 0x0, ttl 64, id 60001, offset 0, flags [none],
proto UDP (17), length 456)
    127.0.0.1.52578 > 127.0.0.1.7007: [bad udp cksum 0xffc7 -> 0x8a28!]
rx response cid 6306f090 call# 0 seq 0 ser 2 secindex 2 serviceid 1
<client-init> (428)
20:48:31.887163 IP (tos 0x0, ttl 64, id 60002, offset 0, flags [none],
proto UDP (17), length 60)
    127.0.0.1.7007 > 127.0.0.1.52578: [bad udp cksum 0xfe3b -> 0xa4f3!]
rx abort cid 6306f090 call# 1 seq 0 ser 2 secindex 2 serviceid 1 bos
reply restart-all errcode 39430 (32)


With localauth, the same query runs without problem.

Could this be my fault somewhere (although I tried to follow the
manual) or is this some kind of bug?

Thanks,
Dancsa


root@afstest:/var/log/openafs# cat ptaudit
Fri Aug  8 21:08:15 2014 EVENT AFS_PTS_Start CODE 0
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_NmToId CODE 0 STR dancsa ID 1
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_NmToId CODE 0 NAME dancsa@ELTE.HU
HOST 157.181.151.42
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_NmToId CODE 0 STR dancsa ID 1
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_NmToId CODE 0 NAME dancsa@ELTE.HU
HOST 157.181.151.42
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_IdToNm CODE 0 NAME dancsa@ELTE.HU
HOST 157.181.151.42
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_LstEle CODE 267269 NAME
dancsa@ELTE.HU HOST 157.181.151.42 ID 1

root@afstest:/var/log/openafs# cat PtLog
Fri Aug  8 21:08:15 2014 Using 157.181.151.42 as my primary address
Fri Aug  8 21:08:15 2014 Starting AFS ptserver 1.1
(/usr/lib/openafs/ptserver -d 255 -auditlog /var/log/openafs/ptaudit)
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 PTS_NameToID: code 0 aname dancsa aid 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 PTS_NameToID: code 0
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 PTS_NameToID: code 0 aname dancsa aid 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 PTS_NameToID: code 0
Fri Aug  8 21:08:17 2014 PTS_IDToName: code 0
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 allbetter checking
Fri Aug  8 21:08:17 2014 allbetter: returning 1
Fri Aug  8 21:08:17 2014 PTS_ListElements: code 267269 cid 32766 aid 1
Fri Aug  8 21:08:19 2014 recovery running in state 0
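The two numeric codes in the post (errcode 39430 on the rx abort, CODE 267269 in ptaudit) are ordinary AFS com_err codes: OpenAFS's compile_et packs the error-table name six bits per character into the high bits and the entry offset into the low eight bits, so the table they come from can be recovered without the error-table files. The script below is an added example, not part of the post or of OpenAFS: it decodes such codes, pulls every non-zero CODE out of an audit log and every `rx abort` out of a `tcpdump -v` trace together with the security index the client used, so a server operator can see at a glance that a call arrived on secindex 2 (rxkad) and was still refused with an access error. The sample log and trace text are excerpts copied from the post above; the two entry names are the ones I recall from OpenAFS's bnode.et and pterror.et (treat that small dictionary as something you would extend from the real .et files).

```python
import re

# OpenAFS compile_et character ordering (lowercase first); each character of the
# table name occupies six bits, and the whole name sits above the 8-bit offset.
AFS_CHAR_SET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"

# Entries recalled from OpenAFS's bnode.et and pterror.et; extend from the .et files.
KNOWN_ERRORS = {
    ("bz", 6): "BZACCESS (you are not authorized for this operation)",
    ("pt", 5): "PRPERM (Permission denied)",
}

# Constructed sample input: the relevant lines copied from the post.
SAMPLE_AUDIT = """\
Fri Aug  8 21:08:15 2014 EVENT AFS_PTS_Start CODE 0
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_NmToId CODE 0 STR dancsa ID 1
Fri Aug  8 21:08:17 2014 EVENT AFS_PTS_LstEle CODE 267269 NAME dancsa@ELTE.HU HOST 157.181.151.42 ID 1
"""

SAMPLE_DUMP = """\
rx data cid 6306f090 call# 1 seq 1 ser 1 secindex 2 serviceid 1 <client-init>,<last-pckt> bos call restart-all (32)
rx challenge cid 6306f090 call# 0 seq 0 ser 1 secindex 2 serviceid 1 (44)
rx response cid 6306f090 call# 0 seq 0 ser 2 secindex 2 serviceid 1 <client-init> (428)
rx abort cid 6306f090 call# 1 seq 0 ser 2 secindex 2 serviceid 1 bos
reply restart-all errcode 39430 (32)
"""

RX_ABORT = re.compile(r"rx abort .*?secindex (\d+) .*?errcode (\d+)", re.S)
AUDIT_RECORD = re.compile(r"EVENT (\S+) CODE (\d+)")


def decode_afs_error(code):
    """Split an AFS com_err code into (error-table name, offset within table)."""
    code &= 0xFFFFFFFF
    table, offset = code >> 8, code & 0xFF
    name = ""
    for shift in (18, 12, 6, 0):          # up to four 6-bit characters
        n = (table >> shift) & 0x3F
        if n:
            name += AFS_CHAR_SET[n - 1]
    return name, offset


def describe(code):
    """Human-readable line for one code, naming the entry when it is known."""
    name, offset = decode_afs_error(code)
    label = KNOWN_ERRORS.get((name, offset), "entry not in local dictionary")
    return f"{code}: table '{name}' offset {offset} -> {label}"


def failed_rx_calls(dump_text):
    """(secindex, errcode) for each rx abort in a tcpdump -v trace.
    Lines may be wrapped, so the pattern is allowed to span newlines."""
    return [(int(m.group(1)), int(m.group(2))) for m in RX_ABORT.finditer(dump_text)]


def failed_audit_events(audit_text):
    """(event, code) for every audit record whose CODE is non-zero."""
    return [(m.group(1), int(m.group(2)))
            for m in AUDIT_RECORD.finditer(audit_text) if int(m.group(2)) != 0]


if __name__ == "__main__":
    for event, code in failed_audit_events(SAMPLE_AUDIT):
        print(f"audit {event}: {describe(code)}")
    for secindex, code in failed_rx_calls(SAMPLE_DUMP):
        # secindex 2 means the client presented an rxkad-secured connection
        print(f"rx abort on secindex {secindex}: {describe(code)}")
```

Run it against a real ptaudit file and a `tcpdump -v port 7007` capture instead of the embedded excerpts to get the same report for a live server; a non-zero audit code or an abort on secindex 2 is the first thing to correlate with what the server's own authentication path (afsconf_SuperUser in the post) reports.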