[OpenAFS] Permission denied after KDC upgrade

Andreas Donath Andreas.Donath@aei.mpg.de
Fri, 26 Sep 2014 11:41:27 +0200



Hi,

	I have an issue accessing the file system after
	an OS upgrade on one of our KRB5 Heimdal KDCs
	(which is a Linux distribution called UCS (V3.2)
	based on Debian).

	During the update process, a script was executed that
	must have altered the enctypes (or more?) of the principals.

	I can do a kinit and an aklog on the clients fine, but
	trying to access files ends up in "Permission denied".
	klist -a shows:


---------------------------------------
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: john@MYCELL
    Cache version: 4

Server: krbtgt/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket length: 315
Auth time:  Sep 26 10:49:19 2014
End time:   Sep 26 20:49:17 2014
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable
Addresses: addressless

Server: afs/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Session key: des-cbc-crc
Ticket length: 307
Auth time:  Sep 26 10:49:19 2014
End time:   Sep 26 20:49:17 2014
Ticket flags: transited-policy-checked, pre-authent, proxiable, forwardable
Addresses: addressless
-------------------------------------------------------


	The good thing is that I have an old, untouched
	KDC which can still be used for AFS authentication.

	If I check the features of the "good" old KDC for
	the afs/MYCELL principal, I get:

------------------------------------------------------
kadmin> get afs/MYCELL
            Principal: afs/MYCELL@MYREALM
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 week
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: 0
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-09-25 07:51:29 UTC
             Modifier: unknown
           Attributes:
             Keytypes: des-cbc-md5(pw-salt), des-cbc-md4(pw-salt),
des-cbc-crc(pw-salt), aes256-cts-hmac-sha1-96(pw-salt),
des3-cbc-sha1(pw-salt), arcfour-hmac-md5(pw-salt)
          PK-INIT ACL:
              Aliases:
---------------------------------------------------------
	on the new "bad" one I see:

---------------------------------------------------------
kadmin> get afs/MYCELL
            Principal: afs/MYCELL@MYREALM
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 week
   Max renewable life: 1 week
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2014-09-25 07:51:29 UTC
             Modifier: unknown
           Attributes:
             Keytypes: des-cbc-md5(pw-salt)[1], des-cbc-md4(pw-salt)[1],
des-cbc-crc(pw-salt)[1], aes256-cts-hmac-sha1-96(pw-salt)[1],
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:
----------------------------------------------------------

	I'm by no means a Kerberos expert, but my assumption is
	that the differences here
	(e.g. Mkvno or des-cbc-crc(pw-salt)[1]) might cause the
	trouble, so the alterations of the afs service principal
	on the new KDC do not correctly correspond to the key
	that was once exported and provided to my AFS cell via
	bos addkey.

	My idea would be to extract the new altered key from
	the new KDC and add it via bos addkey to my cell.

	So my questions are:

	Does that sound reasonable, or am I totally wrong here? Would
	there be other possibilities to debug that issue?

	Do I need to modify the afs/CELL principal in a certain way
	before the export?

	Is there a way to keep the old afs/CELL key in my environment?
	I do not want to end up not being able to
	access my cell at all if the export/re-import of the
	new key fails.


Thanks for your advice
Best
Andreas
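An added check for the situation described in this post (editor-supplied example code, not part of the post, of OpenAFS or of Heimdal). It reads Heimdal `klist -v`-style output, pulls out the afs/<cell> service ticket's kvno, ticket enctype and session-key enctype, and flags two things a classic OpenAFS fileserver cannot cope with: a service ticket that is not DES-encrypted, and a kvno that is not among the kvnos loaded into the cell with `bos addkey` (as listed by `bos listkeys`). The assumption behind the first check is that a cell without the rxkad-k5 extension (OpenAFS 1.6.5 and later, `rxkad.keytab`) decrypts service tickets only with the single-DES keys in its KeyFile; in the output quoted above the afs/MYCELL ticket etype is aes256-cts-hmac-sha1-96 while only the session key is des-cbc-crc, which is exactly what the check reports. The function names, the hard-coded kvno list and the two sample `klist` texts (constructed from the output in the post, one of them altered to a DES-encrypted ticket) are all assumptions of this example, not anything the post or the tools supply. Note that des-cbc-crc is single DES, so the durable fix is to move the cell to rxkad-k5 non-DES keys rather than to preserve the DES key indefinitely.

```shell
#!/bin/sh
# Added example, not from the original post. ASSUMPTION: the cell's
# fileservers use a classic OpenAFS KeyFile (single-DES keys loaded with
# `bos addkey`, no rxkad-k5 rxkad.keytab), so the afs/<cell> service
# *ticket* must be DES-encrypted and its kvno must be one the KeyFile holds.

# afs_ticket_info <cell>
#   Reads Heimdal `klist -v`-style output on stdin and prints
#   "<kvno> <ticket-etype> <session-key-etype>" for the afs/<cell> ticket.
afs_ticket_info() {
    awk -v svc="afs/$1" '
        /^Server:/            { inafs = ($2 ~ "^" svc "@") }
        inafs && /^Ticket etype:/ { sub(/,$/, "", $3); et = $3; kv = $5 }
        inafs && /^Session key:/  { sk = $3 }
        END { if (et != "") print kv, et, sk }
    '
}

# check_afs_ticket <cell> <keyfile-kvno>...
#   Returns 0 only if the afs/<cell> ticket is DES-encrypted and its kvno is
#   in the list of kvnos the fileserver holds (from `bos listkeys`).
#   Returns 1 on a mismatch, 2 if no afs/<cell> ticket is in the cache.
check_afs_ticket() {
    cell=$1; shift
    info=$(afs_ticket_info "$cell") || return 2
    [ -n "$info" ] || { echo "no afs/$cell ticket in credentials cache"; return 2; }
    kv=${info%% *}; rest=${info#* }; et=${rest%% *}; sk=${rest#* }
    echo "afs/$cell ticket: kvno=$kv ticket-etype=$et session-key=$sk"
    status=0
    case $et in
        des-cbc-crc|des-cbc-md4|des-cbc-md5) ;;   # KeyFile can decrypt these
        *) echo "ticket is $et-encrypted; a DES-only KeyFile cannot decrypt it"
           status=1 ;;
    esac
    found=0
    for k in "$@"; do
        if [ "$k" = "$kv" ]; then found=1; fi
    done
    if [ "$found" -ne 1 ]; then
        echo "ticket kvno $kv is not among the KeyFile kvnos: $*"
        status=1
    fi
    return $status
}

# Constructed sample input, modelled on the klist output in the post:
# the service ticket itself is AES-encrypted, only the session key is DES.
SAMPLE_KLIST_BAD='Credentials cache: FILE:/tmp/krb5cc_0
Principal: john@MYCELL

Server: krbtgt/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Ticket flags: enc-pa-rep, pre-authent, initial, proxiable, forwardable

Server: afs/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1
Session key: des-cbc-crc
Ticket flags: transited-policy-checked, pre-authent, proxiable, forwardable'

# Constructed "healthy" variant: a DES-encrypted service ticket, kvno 1.
SAMPLE_KLIST_GOOD='Server: krbtgt/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1

Server: afs/MYCELL@MYREALM
Client: john@MYCELL
Ticket etype: des-cbc-crc, kvno 1
Session key: des-cbc-crc'

# Real usage (not executed here): feed the live cache and the kvnos that
# `bos listkeys -server <fileserver>` reports for the cell, e.g.
#   klist -v | check_afs_ticket MYCELL 1
```

Run it against the live credential cache on a client right after `aklog`; the kvno list is whatever `bos listkeys -server <fileserver>` shows for the cell. If the ticket enctype is reported as AES (as in the post's output), exporting the new key is not the first step: the KDC must issue the afs/<cell> ticket with an enctype the fileserver can actually use, or the cell must be moved to rxkad-k5 so that non-DES keys work.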

