[OpenAFS] Re: AFS + CrossRealm + FreeIPA + Migration

Andreas Ladanyi andreas.ladanyi@kit.edu
Tue, 11 Nov 2014 09:28:35 +0100


> On Mon, 10 Nov 2014 10:09:54 +0100
> Andreas Ladanyi <andreas.ladanyi@kit.edu> wrote:
>
>> Now aklog works and I can get an AFS token. Why are all these keys
>> important for aklog? Or which key exactly, the DES key, is important?
> That is indeed a bit puzzling; it's possible ipa-getkeytab does
> something else that makes this work, but I don't know enough about the
> details of what that does. I assume the tokens you get with 'aklog' work
> fine?
I also created a principal afs/cellname@REALM B with kadmin.local in
FreeIPA to test it without the "ipa-getkeytab" FreeIPA tool:

ank -randkey -e des-cbc-crc:v4,aes256-cts:special afs/info.uni-karlsruhe.de

The result is:

Key: vno 1, des-cbc-crc, no salt
Key: vno 1, aes256-cts-hmac-sha1-96, no salt

klist -ef:

Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B ("the
FreeIPA Realm on the new kerberos/LDAP server")
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96


No, the token from aklog doesn't work fine. I could only list the user
directories (names of the users). I could not enter the user directories;
I couldn't even enter my own directory. The AFS ID of the token is OK and
matches the owner UID of my user directory.

Another thing is:

pts listentries on the Testclient PC:

Name                          ID  Owner Creator
pts: ticket contained unknown key version number ; unable to list entries

>
> What enctype is listed for the afs/cell@REALM principal if you run
> 'klist -ef' after you have a token?
Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM B ("the
FreeIPA Realm on the new kerberos/LDAP server")
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM B
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96

> What version of openafs is on the
> client where you're running 'aklog'?
>
Ubuntu 14.04, openafs-client 1.6.7-1

cheers,
Andreas
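The "ticket contained unknown key version number" error above is rxkad on the server side failing to find a key that matches the kvno and enctype of the ticket the client presents. The following script is an added example, not code from the thread or from OpenAFS; it cross-checks three pieces of text a practitioner can gather while debugging this: the client's `klist -ef` output (ticket enctype per service principal), the client's `kvno afs/<cell>@<REALM>` output (key version of the service ticket), and a server's `klist -kte` listing of its rxkad keytab. The three samples embedded in it are constructed to match the layouts in the thread; the realm, cell name and the keytab path /etc/openafs/server/rxkad.keytab are placeholders, and the parsers assume MIT Kerberos output formats.

```python
"""Cross-check an AFS service ticket against a server's rxkad keytab.

Added example (not from the OpenAFS thread).  Inputs are the text of
`klist -ef` and `kvno` on the client and `klist -kte` on a server; the
samples below are constructed, with placeholder realm/cell/path values.
"""
import re
from dataclasses import dataclass

# --- constructed sample inputs -------------------------------------------
KLIST_EF = """\
Valid starting       Expires              Service principal
11.11.2014 09:02:45  12.11.2014 09:02:42  krbtgt/REALM@REALM
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
11.11.2014 09:02:51  12.11.2014 09:02:42  afs/cellname@REALM
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""
KVNO_OUT = "afs/cellname@REALM: kvno = 1\n"
# A server keytab that holds only a DES key for kvno 1; a server with this
# keytab cannot decrypt the AES-encrypted afs/ ticket shown above.
SERVER_KEYTAB_DES_ONLY = """\
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 11/11/2014 09:00:00 afs/cellname@REALM (des-cbc-crc)
"""
# The same keytab after an AES key with the matching kvno was added.
SERVER_KEYTAB_FIXED = SERVER_KEYTAB_DES_ONLY + \
    "   1 11/11/2014 09:00:00 afs/cellname@REALM (aes256-cts-hmac-sha1-96)\n"

DES_ETYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}

@dataclass
class Ticket:
    service: str
    flags: str
    skey_etype: str   # session key enctype
    tkt_etype: str    # enctype of the service key the ticket is encrypted with

TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(?P<service>\S+)\s*$")
ETYPE_RE = re.compile(r"Flags:\s*(?P<flags>[A-Za-z]*),\s*Etype \(skey, tkt\):\s*"
                      r"(?P<skey>[\w-]+),\s*(?P<tkt>[\w-]+)")
KVNO_RE = re.compile(r"^(?P<princ>\S+): kvno = (?P<kvno>\d+)")
KEYTAB_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<princ>\S+) \((?P<etype>[\w-]+)\)")

def parse_klist_ef(text):
    """Return the Ticket entries of `klist -ef` output, in order."""
    tickets, pending = [], None
    for line in text.splitlines():
        if line.startswith("Valid starting"):
            continue                      # column header
        m = TICKET_RE.match(line)
        if m:                             # ticket line: remember the service
            pending = m.group("service")
            continue
        m = ETYPE_RE.search(line)
        if m and pending:                 # indented Flags/Etype line that follows it
            tickets.append(Ticket(pending, m.group("flags"), m.group("skey"), m.group("tkt")))
            pending = None
    return tickets

def parse_kvno(text):
    """Map principal -> kvno from `kvno` output."""
    return {m.group("princ"): int(m.group("kvno"))
            for m in (KVNO_RE.match(l) for l in text.splitlines()) if m}

def parse_keytab(text):
    """Set of (principal, kvno, enctype) triples from `klist -kte` output."""
    return {(m.group("princ"), int(m.group("kvno")), m.group("etype"))
            for m in (KEYTAB_RE.match(l) for l in text.splitlines()) if m}

def check_afs_ticket(klist_text, kvno_text, keytab_text):
    """Return (service, status, detail) per afs/ ticket; status is OK, MISMATCH or UNKNOWN."""
    results, kvnos, keys = [], parse_kvno(kvno_text), parse_keytab(keytab_text)
    for t in parse_klist_ef(klist_text):
        if not t.service.startswith("afs/"):
            continue
        kvno = kvnos.get(t.service)
        if t.tkt_etype in DES_ETYPES:
            # Classic rxkad: the DES key lives in the server KeyFile, which
            # `bos listkeys` shows; a keytab listing cannot confirm it.
            results.append((t.service, "UNKNOWN",
                            f"DES ticket ({t.tkt_etype}); compare kvno {kvno} with `bos listkeys`"))
        elif kvno is None:
            results.append((t.service, "UNKNOWN", "no `kvno` output for this principal"))
        elif (t.service, kvno, t.tkt_etype) in keys:
            results.append((t.service, "OK", f"keytab has kvno {kvno} {t.tkt_etype}"))
        else:
            have = ", ".join(sorted(f"kvno {k} {e}" for p, k, e in keys if p == t.service)) or "no key"
            results.append((t.service, "MISMATCH",
                            f"ticket needs kvno {kvno} {t.tkt_etype} (rxkad-k5); keytab has {have}"))
    return results

if __name__ == "__main__":
    for keytab in (SERVER_KEYTAB_DES_ONLY, SERVER_KEYTAB_FIXED):
        for service, status, detail in check_afs_ticket(KLIST_EF, KVNO_OUT, keytab):
            print(f"{status:8} {service}: {detail}")
```

Run it on real data by replacing the three constants with the captured outputs; the check has to be repeated against the keytab of every database and file server, since a single server missing the (kvno, enctype) pair is enough to produce the error for requests that land on it. The non-DES path assumes the servers run with rxkad-k5 keys from a keytab; a DES ticket is only reported as UNKNOWN because the script cannot see the server KeyFile.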

