[OpenAFS] OpenAFS 1.6.5 on OSX

Jeffrey Altman jaltman@your-file-system.com
Sun, 26 Apr 2015 09:13:02 -0400


This is a cryptographically signed message in MIME format.

--------------ms040004070308000109040503
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable

On 4/26/2015 5:55 AM, Turbo Fredriksson wrote:
> But aklog don't want to work:
>=20
> 	Turbo-Fredrikssons-MacBook:~ turbo$ aklog -d
> 	Authenticating to cell int.bayour.com (server Celia.bayour.com).
> 	Trying to authenticate to user's realm INT.BAYOUR.COM.
> 	Getting tickets: afs/int.bayour.com@INT.BAYOUR.COM
> 	Kerberos error code returned by get_cred : -1765328228
> 	aklog: Couldn't get int.bayour.com AFS tickets:
> 	aklog: unknown RPC error (-1765328228) while getting AFS tickets
>=20
> Apparently that error indicates that it can't reach 'something' (unsure=

> of what - haven't found a good google search to revile anything).

-1765328228 (krb5).156 =3D Cannot contact any KDC for requested realm

It means that the Kerberos library cannot find the KDCs for your realm
via DNS SRV records or local configuration.


> I've been trying to add 'stuff' to the krb5.conf file, but none seems
> to be working (from an OpenAFS standpoint anyway):
>=20
> 	Turbo-Fredrikssons-MacBook:~ turbo$ cat /etc/krb5.conf

I believe the correct system path for krb5.conf on OSX is

/Library/Preferences/edu.mit.Kerberos


> 	[libdefaults]
> 		 default_realm =3D INT.BAYOUR.COM
> 		 allow_weak_crypto =3D true
> =09
> 		 forwardable =3D true
> 		 proxiable =3D true

Do you really want proxiable tickets?

> =09
> 		 dns_lookup_kdc =3D false
> 		 dns_lookup_realm =3D false

DNS lookups are disabled.

> 		 allow_weak_crypto =3D true

This is specified twice.  Note that OSX Yosemite doesn't support weak
crypto under any circumstances and you must use non-DES keys for
Kerberos to address OPENAFS-SA-2013-003

  https://www.openafs.org/pages/security/#OPENAFS-SA-2013-003

Only OpenAFS 1.6.5 or later can be used with non-DES keys for OpenAFS.

> =09
> 	[domain_realm]
> 		.bayour.com =3D INT.BAYOUR.COM
> 		 bayour.com =3D INT.BAYOUR.COM
> =09
> 	[realms]
> 		 INT.BAYOUR.COM =3D {
> 		 	kdc =3D celia.bayour.com
> 		 	admin_server =3D celia.bayour.com
> 		}
> =09
> 	[logging]
> 		kdc =3D FILE:/var/log/kdc.log
> 		kdc =3D SYSLOG:INFO
> 		default =3D SYSLOG:INFO:USER
> =09
> 	[login]
> 		krb4_convert =3D true
> 		krb4_get_tickets =3D false

kerberos 4 is dead.




--------------ms040004070308000109040503
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"
Content-Description: S/MIME Cryptographic Signature

MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIINXTCC
BkIwggUqoAMCAQICEDirAC//rpa3Vv85Wvtd5xswDQYJKoZIhvcNAQEFBQAwgcoxCzAJBgNV
BAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1
c3QgTmV0d29yazE6MDgGA1UECxMxKGMpIDE5OTkgVmVyaVNpZ24sIEluYy4gLSBGb3IgYXV0
aG9yaXplZCB1c2Ugb25seTFFMEMGA1UEAxM8VmVyaVNpZ24gQ2xhc3MgMSBQdWJsaWMgUHJp
bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEczMB4XDTExMDkwMTAwMDAwMFoXDTIx
MDgzMTIzNTk1OVowgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBDb3Jwb3Jh
dGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMVUGVyc29u
YSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2aWR1YWwg
U3Vic2NyaWJlciBDQSAtIEc0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxuwn
/R1j9DsdisHTHMjIgoa2uEqGkqqBXHLKMA0vnkEiVzAhJZCao/SsKsaIF4ZhchN2LuwDyyeb
jyCAN+DkitpVplAP/LlcI2mJQqG6H6/vDvmkyQrx+DeyxtmSSq5937hEH5u6P4wG/tgjT0hR
I2pghKjuJy9g35byGiqMPI8AzE/L+iCOvDX24fCatgXz/B0/xhR7DtryBeTTgwKmxWlwtKnk
VunbHVz0pjbia7UeKi3cvrvuOgSwMAitX2hsxr0GloiE5+apZC28ODC7iCbDZ2ZmtLR3+cCh
xw5y72bi5bnK4POFdzWY3tQcsP5mceI4y258T0BV65fZqBge7QIDAQABo4ICRDCCAkAwOAYI
KwYBBQUHAQEELDAqMCgGCCsGAQUFBzABhhxodHRwOi8vcGtpLW9jc3AudmVyaXNpZ24uY29t
MBIGA1UdEwEB/wQIMAYBAf8CAQAwbAYDVR0gBGUwYzBhBgtghkgBhvhFAQcXATBSMCYGCCsG
AQUFBwIBFhpodHRwOi8vd3d3LnN5bWF1dGguY29tL2NwczAoBggrBgEFBQcCAjAcGhpodHRw
Oi8vd3d3LnN5bWF1dGguY29tL3JwYTA0BgNVHR8ELTArMCmgJ6AlhiNodHRwOi8vY3JsLnZl
cmlzaWduLmNvbS9wY2ExLWczLmNybDAOBgNVHQ8BAf8EBAMCAQYwKQYDVR0RBCIwIKQeMBwx
GjAYBgNVBAMTEVZlcmlTaWduTVBLSS0yLTk3MB0GA1UdDgQWBBSt+cOTci21uShh5KTXYNXE
Cl4aATCB8QYDVR0jBIHpMIHmoYHQpIHNMIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVy
aVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsT
MShjKSAxOTk5IFZlcmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBD
BgNVBAMTPFZlcmlTaWduIENsYXNzIDEgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB
dXRob3JpdHkgLSBHM4IRAItbdVaEVIULAM+vOEjOsaQwDQYJKoZIhvcNAQEFBQADggEBANaP
wdqbiPKzbE0fWC+6AVFddMFG6MO4e5/WQPHv/zK6iWvADjRDn6SZ5qTwXUgzYoWFYf4jiCKM
YJsrnGVJlMSiOCRIpVylUEto6WIip5PomSJuPVu7EEIOH0x1RzRWCY/4vYw881y70pZwVHBi
Te/REL6dSCxe7IZrB4LwPeElJygs4BZ2HrP95WKW0oo9Xyuu+1zCE7dlY8s0dkOf1oeZq26t
lcEAP0Yngf813iMOQ9wUXzL5yinvwlIw9ZnduYH4OiUgjYJo8rkhhXRmBOGGORYy8i3WKqjJ
3tkAAk/jGCDFpYFWtpXe04Kt+HslvmR8LqC6cCz4+XXidE0HbYQwggcTMIIF+6ADAgECAhAW
xDBJuKAcJVa7b+TJhwvEMA0GCSqGSIb3DQEBBQUAMIGmMQswCQYDVQQGEwJVUzEdMBsGA1UE
ChMUU3ltYW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdv
cmsxHjAcBgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMg
Q2xhc3MgMSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNDAeFw0xNDEyMTgwMDAwMDBa
Fw0xNTEyMTkyMzU5NTlaMIHOMS4wLAYDVQQDDCVQZXJzb25hIE5vdCBWYWxpZGF0ZWQgLSAx
NDE4ODgyMzg2MTAyMSswKQYJKoZIhvcNAQkBFhxqYWx0bWFuQHlvdXItZmlsZS1zeXN0ZW0u
Y29tMQ8wDQYDVQQLDAZTL01JTUUxHjAcBgNVBAsMFVBlcnNvbmEgTm90IFZhbGlkYXRlZDEf
MB0GA1UECwwWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEdMBsGA1UECgwUU3ltYW50ZWMgQ29y
cG9yYXRpb24wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCteTFLbuPm2vx85lH2
Y6LHdMIqcKQPN9m4XYVTe0L8ZvMvnJ1YQ720ET52CF18RYdTc4to92+ffdmjWlBedK4YtLam
htsUkJ6WL3krwNVTYfeej0wgF9kVQ2FI8XTNngxnJ2CRkQX4Z9/1TI4wTkSNcAw5T0Y2HKM9
4p7wAJOefl+3oPwxXn338w8T7LsfwS9FOADZ8uRItv/J7S8BJEP0XtjZZlBoSyqQ4qxl5PtI
uybHVdwoo2PlK8LxU6r8Vcje1+OXmc5VoCBlXiYDWHl/wSDtZEWR6431/az1Z45n1AHHber2
G+Ijb0nF4RLiiFMkyJl3qx+46wqcqWrjrRxDAgMBAAGjggMRMIIDDTAMBgNVHRMBAf8EAjAA
MA4GA1UdDwEB/wQEAwIFoDAgBgNVHSUBAf8EFjAUBggrBgEFBQcDBAYIKwYBBQUHAwIwHQYD
VR0OBBYEFBUlv/9jizZz4uwaFtPzwdX6FsqwMCcGA1UdEQQgMB6BHGphbHRtYW5AeW91ci1m
aWxlLXN5c3RlbS5jb20wHwYDVR0jBBgwFoAUrfnDk3IttbkoYeSk12DVxApeGgEwggErBggr
BgEFBQcBAQSCAR0wggEZMIIBFQYIKwYBBQUHMAKGggEHbGRhcDovL2RpcmVjdG9yeS52ZXJp
c2lnbi5jb20vQ04lMjAlM0QlMjBTeW1hbnRlYyUyMENsYXNzJTIwMSUyMEluZGl2aWR1YWwl
MjBTdWJzY3JpYmVyJTIwQ0ElMjAtJTIwRzQlMkMlMjBPVSUyMCUzRCUyMFBlcnNvbmElMjBO
b3QlMjBWYWxpZGF0ZWQlMkMlMjBPVSUyMCUzRCUyMFN5bWFudGVjJTIwVHJ1c3QlMjBOZXR3
b3JrJTJDJTIwTyUyMCUzRCUyMFN5bWFudGVjJTIwQ29ycG9yYXRpb24lMkMlMjBDJTIwJTNE
JTIwVVM/Y0FDZXJ0aWZpY2F0ZTtiaW5hcnkwXQYDVR0fBFYwVDBSoFCgToZMaHR0cDovL3Br
aS1jcmwuc3ltYXV0aC5jb20vY2FfNTYxYzEwMzY5MGM5N2E2OTI0N2EwZWYwNzFhYzgxYWYv
TGF0ZXN0Q1JMLmNybDBsBgNVHSAEZTBjMGEGC2CGSAGG+EUBBxcBMFIwJgYIKwYBBQUHAgEW
Gmh0dHA6Ly93d3cuc3ltYXV0aC5jb20vY3BzMCgGCCsGAQUFBwICMBwaGmh0dHA6Ly93d3cu
c3ltYXV0aC5jb20vcnBhMCsGCmCGSAGG+EUBEAMEHTAbBhJghkgBhvhFARABAgIEAYbHzm8W
BTEwOTIyMDkGCmCGSAGG+EUBEAUEKzApAgEAFiRhSFIwY0hNNkx5OXdhMmt0Y21FdWMzbHRZ
WFYwYUM1amIyMD0wDQYJKoZIhvcNAQEFBQADggEBAJIvoMatM56/QjaVAlEUbeWZNOPkwuiC
gaaekWJi1h33fAVfdF+WZqh7dF4hBNalyPuxRcyZX7HxuPyBc3ajDCqew9MlmCJ3Cm4Co3fZ
Yh50OX4jnem2RmpHeKbJW6zUjZcAGqV6DPMl04kgrI2whJX7729HoRyUPwZS7CZSRFZO147X
2+/JogDYKffa/+q5AwgrHYvdECHxc3Iz9KnHSmit+DhWS9t+XxE0gHr3sW7zwcQ/GYyrJ3s3
VdWHTjM+3iGFeTOI06h1aBgFR/+8fTmuZXZz9+OdWVar0Crt9bn0cFN3u00Q6YAyjYhRnbXy
zYVIOS4oJmRoK79p/xodeDUxggRSMIIETgIBATCBuzCBpjELMAkGA1UEBhMCVVMxHTAbBgNV
BAoTFFN5bWFudGVjIENvcnBvcmF0aW9uMR8wHQYDVQQLExZTeW1hbnRlYyBUcnVzdCBOZXR3
b3JrMR4wHAYDVQQLExVQZXJzb25hIE5vdCBWYWxpZGF0ZWQxNzA1BgNVBAMTLlN5bWFudGVj
IENsYXNzIDEgSW5kaXZpZHVhbCBTdWJzY3JpYmVyIENBIC0gRzQCEBbEMEm4oBwlVrtv5MmH
C8QwCQYFKw4DAhoFAKCCAmswGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0B
CQUxDxcNMTUwNDI2MTMxMzAyWjAjBgkqhkiG9w0BCQQxFgQU63hba7YQiIxK31j233AtXV6W
Nh8wbAYJKoZIhvcNAQkPMV8wXTALBglghkgBZQMEASowCwYJYIZIAWUDBAECMAoGCCqGSIb3
DQMHMA4GCCqGSIb3DQMCAgIAgDANBggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0D
AgIBKDCBzAYJKwYBBAGCNxAEMYG+MIG7MIGmMQswCQYDVQQGEwJVUzEdMBsGA1UEChMUU3lt
YW50ZWMgQ29ycG9yYXRpb24xHzAdBgNVBAsTFlN5bWFudGVjIFRydXN0IE5ldHdvcmsxHjAc
BgNVBAsTFVBlcnNvbmEgTm90IFZhbGlkYXRlZDE3MDUGA1UEAxMuU3ltYW50ZWMgQ2xhc3Mg
MSBJbmRpdmlkdWFsIFN1YnNjcmliZXIgQ0EgLSBHNAIQFsQwSbigHCVWu2/kyYcLxDCBzgYL
KoZIhvcNAQkQAgsxgb6ggbswgaYxCzAJBgNVBAYTAlVTMR0wGwYDVQQKExRTeW1hbnRlYyBD
b3Jwb3JhdGlvbjEfMB0GA1UECxMWU3ltYW50ZWMgVHJ1c3QgTmV0d29yazEeMBwGA1UECxMV
UGVyc29uYSBOb3QgVmFsaWRhdGVkMTcwNQYDVQQDEy5TeW1hbnRlYyBDbGFzcyAxIEluZGl2
aWR1YWwgU3Vic2NyaWJlciBDQSAtIEc0AhAWxDBJuKAcJVa7b+TJhwvEMA0GCSqGSIb3DQEB
AQUABIIBAKC9zmjA2wQHEmzpCpisPjtwbS8P3atUIQvoGjbmNL38QuGdTYQxO4TaoJSR+c3y
Bnp5ZAZcpcyx5rewrUIxJ7D8B1vsLvT/LAh52ieXmatwptmwbGlbNi2LbK8IEKGp74MLHwsz
bzCwoj9JhexHni7maNX2ghAU02r4Olm4eQOUHL6bQqti+av5BlDbjWnLJQSKYAGv/YqMmmat
pLmSYafhv/YWlkdoMi329T0ATrpSDL3prR+Ynltf8oz/eXAZ7/Cs94glc16IQ0rEvff4JzwQ
/d1qOAipeDErkK/JHQROlZFdeyIu5hlpD6ZKgFqiWNP+9RF5k7qOJ/GyGKJqhPoAAAAAAAA=
--------------ms040004070308000109040503--