[OpenAFS] ad+openafs

Benjamin Kaduk kaduk@MIT.EDU
Sat, 14 May 2016 14:23:33 -0400 (EDT)


The keytabs Brandon was referring to are host/ keytabs for the specific
hosts where users are logging in.  Upon receipt of the user's password,
the PAM stack gets a TGT using the user's password, and then makes a
TGS-REQ to get a service ticket for the host/ principal of the host in
question.  Only if that service ticket validates, can the user be said to
be authenticated.  Merely receiving an AS-REP from the internet that
decodes as a TGT+session key does not indicate authentication, since
anyone on the network could send a packet that is properly formatted like
that.

Also, there is no need for DES-CBC-CRC in any new kerberos or OpenAFS
installation; please do not use it.

-Ben

On Mon, 9 May 2016, zhaoxy299@ustc.edu.cn wrote:

>
> hi,
>  ktpass -princ afs/pc.com@PC.COM -mapuser test@PC.COM -mapOp add -out afs.keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
> I use the ktpass command to create afs.keytab on the Windows AD and then copy the afs.keytab file to the OpenAFS server. After that, I use the command 'asetkey add 3 afs.keytab afs/suzhou.powercore.com.cn' on the OpenAFS server, but it does not work.
> > -----Original Message-----
> > From: "Brandon Allbery" <ballbery@sinenomine.net>
> > Sent: 2016-05-10 03:16:51 (Tuesday)
> > To: "zhaoxy299@ustc.edu.cn" <zhaoxy299@ustc.edu.cn>, "Benjamin Kaduk" <kaduk@MIT.EDU>
> > Cc: "openafs-info@openafs.org" <openafs-info@openafs.org>
> > Subject: RE: Re: Re: RE: [OpenAFS] ad+openafs
> >
> > Do your systems have keytabs on them, with host instances? Using Kerberos for login requires a validation step; it's not enough just to get a ticket, because it's an opaque blob that you can't verify directly (and so might have been injected by an attacker). The only way to validate it is to attempt to use it to authenticate to a service; so pam_krb5, after getting your TGT, uses it to get a service ticket for the host you're logging in to and then uses the copy of the service key in /etc/krb5.keytab to decrypt the service ticket. If this fails, login is rejected.
> >
> > If the host you're logging in to doesn't have a keytab then you will need to make one. I can't help you with this for AD, aside from noting that this will usually be created from an AD machine account, that is, joining the machine to the AD domain using e.g. Samba. (I think it is also possible to create the account directly and extract the keytab, but I don't know any details.)
> >
> > Winbind uses a different (and less secure: while it is encrypted, the key is fixed and well known) mechanism.
> >
> > -----Original Message-----
> > From: zhaoxy299@ustc.edu.cn [mailto:zhaoxy299@ustc.edu.cn]
> > Sent: Sunday, May 8, 2016 10:31 PM
> > To: Benjamin Kaduk <kaduk@MIT.EDU>
> > Cc: openafs-info@openafs.org; Brandon Allbery <ballbery@sinenomine.net>
> > Subject: Re: Re: Re: RE: [OpenAFS] ad+openafs
> >
> > hi,
> > sorry,i need to add something .
> > i have three servers.
> >  ad +kerberos  win2008
> >  nis server openafs server   linux redhat 6.7
> >  nis slave  openafs client   linux redhat 6.7
> > I can use the AD accounts to log in to the Linux server and can get tokens, but the PAM configuration with pam_krb5 seems not to be working. If I use AD+winbind+OpenAFS, the PAM configuration with pam_krb5 works fine. Am I missing some PAM packages?
> >
> >
> > >
> > > hi,
> > > I modified the /etc/pam.d/system-auth file, but it did not work. How can I debug this error? Are there any other files that need to be modified?
> > >
> > > [root@test-afs002 cai]# vi /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth        required      pam_env.so
> > > auth        sufficient    pam_unix.so nullok try_first_pass
> > > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > > auth        sufficient    pam_krb5.afs.so use_first_pass ignore_root
> > > auth        required      pam_deny.so
> > >
> > > account     required      pam_unix.so broken_shadow
> > > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > > account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > > account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> > > account     required      pam_permit.so
> > >
> > > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > password    sufficient    pam_krb5afs.so use_authtok
> > > password    sufficient    pam_winbind.so cached_login use_authtok
> > > password    required      pam_deny.so
> > >
> > > session     optional      pam_keyinit.so revoke
> > > session     required      pam_limits.so
> > > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session     required      pam_unix.so
> > > session     optional      pam_krb5afs.so
> > >
> > >
> > > > -----Original Message-----
> > > > From: "Benjamin Kaduk" <kaduk@MIT.EDU>
> > > > Sent: 2016-05-06 23:17:46 (Friday)
> > > > To: zhaoxy299@ustc.edu.cn
> > > > Cc:
> > > > Subject: Re: RE: [OpenAFS] ad+openafs
> > > >
> > > > You should keep the list cc'd for this thread; there are many other
> > > > people with more experience in this regard than me.
> > > >
> > > > That said, it sounds like you want pam_krb5 and pam_afs_session on
> > > > the linux client, with some configuration knobs set accordingly.
> > > >
> > > > -Ben
> > > >
> > > > On Thu, 5 May 2016, zhaoxy299@ustc.edu.cn wrote:
> > > >
> > > > >
> > > > > hi,
> > > > >  The system works now, but I want to get tokens when I log in to the Linux system without typing the kinit and aklog commands. How can I achieve this goal? Do I need to install some packages?
> > > > >
> > > > > software configuration: AD (Win 2008 server) + NIS + OpenAFS 1.6.14
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: "Benjamin Kaduk" <kaduk@MIT.EDU>
> > > > > > Sent: 2016-05-04 13:44:00 (Wednesday)
> > > > > > To: "Brandon Allbery" <ballbery@sinenomine.net>
> > > > > > Cc: "zhaoxy299@ustc.edu.cn" <zhaoxy299@ustc.edu.cn>, "openafs-info@openafs.org" <openafs-info@openafs.org>
> > > > > > Subject: RE: [OpenAFS] ad+openafs
> > > > > >
> > > > > > 1.6.14 doesn't need to have single-DES enabled; we shouldn't be
> > > > > > recommending it.  The rxkad.keytab method should work fine with AES keys.
> > > > > >
> > > > > > -Ben
> > > > > >
> > > > > > On Tue, 3 May 2016, Brandon Allbery wrote:
> > > > > >
> > > > > > > -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that
> > > > > > > DES is disabled somewhere. Note that the client library *also*
> > > > > > > needs DES enabled; you might need to add to the [libdefaults]
> > > > > > > section of /etc/krb5.conf on the RH system,
> > > > > > >
> > > > > > >     allow_weak_crypto = true
> > > > > > >
> > > > > > > From: openafs-info-admin@openafs.org
> > > > > > > [mailto:openafs-info-admin@openafs.org] On Behalf Of
> > > > > > > zhaoxy299@ustc.edu.cn
> > > > > > > Sent: Tuesday, May 3, 2016 4:39 AM
> > > > > > > To: openafs-info@openafs.org
> > > > > > > Subject: [OpenAFS] ad+openafs
> > > > > > >
> > > > > > >
> > > > > > > hi
> > > > > > >
> > > > > > > I installed OpenAFS 1.6.14 on Red Hat 6.7 and I want to use the AD as krb5 auth.
> > > > > > >
> > > > > > > here is my steps:
> > > > > > >
> > > > > > > 1  install openafs1.6.14 on redhat6.7
> > > > > > >
> > > > > > > 2  install ad on windows 2008 r2
> > > > > > >
> > > > > > > 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
> > > > > > >      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
> > > > > > >      -ptype KRB5_NT_PRINCIPAL +DumpSalt
> > > > > > >
> > > > > > > 4 use kinit wang
> > > > > > >
> > > > > > >    aklog
> > > > > > >
> > > > > > > [root@test-afs002 ]# klist -e -f
> > > > > > > Ticket cache: FILE:/tmp/krb5cc_0
> > > > > > > Default principal: wang@PC.COM
> > > > > > >
> > > > > > > Valid starting     Expires            Service principal
> > > > > > > 05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/PC.COM@PC.COM
> > > > > > >         renew until 05/10/16 16:26:46, Flags: FRIA
> > > > > > >         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > > > > > > 05/03/16 16:27:04  05/04/16 02:26:33  afs/pc.com@PC.COM
> > > > > > >         renew until 05/10/16 16:26:46, Flags: FRA
> > > > > > >         Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> > > > > > > [root@test-afs002 ]# ls /afs/pc.com/
> > > > > > > ls: cannot open directory /afs/pc.com/: Permission denied
> > > > > > > [root@test-afs002 ]#
> > > > > > >
> > > > > > > If I create an afs user in the AD as a normal user with the login afs, set "user cannot change password" and "password never expires", and try to set "Use Kerberos DES encryption types for this account" on the Account tab, then when I use the command
> > > > > > >
> > > > > > > [root@test-afs002 ]# kinit wang
> > > > > > > Password for wang@PC.COM:
> > > > > > > [root@test-afs002 ]# aklog
> > > > > > > aklog: Couldn't get pc.com AFS tickets:
> > > > > > > aklog: unknown RPC error (-1765328370) while getting AFS
> > > > > > > tickets
> > > > > > > [root@test-afs002 ]#
> > > > > > >
> > > > > > > I configured the AD following the web page https://wiki.openafs.org/win2008r2adaskdc/, but I can't find what is wrong. Can you tell me?
> > > > > > >
> > > > > > > thanks
> > > > > > >
> > > > > > >
> > > > > > >
> > > > >
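Ben's and Brandon's point, that a decodable AS-REP proves nothing until the TGT is used to fetch a host/ service ticket that checks out against the key in the local keytab, as an added Python model. This is not code from the thread or from OpenAFS: the realm, principals and keys are constructed, and an HMAC tag under the service principal's long-term key stands in for the enctype encryption real Kerberos applies to a ticket.

```python
"""Toy model of the pam_krb5 validation step discussed in the thread.

Added example; not code from the OpenAFS thread or project. Tickets are
JSON bodies authenticated with an HMAC under the service principal's key,
standing in for real Kerberos ticket encryption. Everything is constructed.
"""
import hashlib
import hmac
import json
import secrets

REALM = "EXAMPLE.ORG"                                # constructed realm
TGT_PRINC = f"krbtgt/{REALM}@{REALM}"
HOST_PRINC = f"host/login1.example.org@{REALM}"      # host/ principal of the login box
USER = f"alice@{REALM}"


def ticket_tag(key: bytes, body: dict) -> str:
    """Only a holder of `key` can produce a ticket that verifies under it."""
    raw = json.dumps(body, sort_keys=True).encode()
    return hmac.new(key, raw, hashlib.sha256).hexdigest()


def issue_ticket(key: bytes, client: str, service: str) -> dict:
    body = {"client": client, "service": service, "skey": secrets.token_hex(16)}
    return {"body": body, "tag": ticket_tag(key, body)}


class KDC:
    """The realm's KDC: holds every principal's long-term key."""

    def __init__(self):
        self.keys = {}

    def add_principal(self, name: str) -> bytes:
        self.keys[name] = secrets.token_bytes(32)
        return self.keys[name]

    def as_rep(self, client: str, password_key: bytes) -> dict:
        # AS exchange: the TGT comes back sealed under the krbtgt key.
        if self.keys.get(client) != password_key:
            raise PermissionError("pre-authentication failed")
        return issue_ticket(self.keys[TGT_PRINC], client, TGT_PRINC)

    def tgs_rep(self, tgt: dict, service: str) -> dict:
        # TGS exchange: only a TGT sealed with this KDC's own krbtgt key is honoured.
        if not hmac.compare_digest(tgt["tag"], ticket_tag(self.keys[TGT_PRINC], tgt["body"])):
            raise PermissionError("TGT not issued by this KDC")
        return issue_ticket(self.keys[service], tgt["body"]["client"], service)


class RogueKDC(KDC):
    """Anything on the network that answers AS-REQs without the real keys.
    It returns a well-formed TGT for any password, then a 'service ticket'
    sealed under a key it invented for host/, because it never had the real one."""

    def as_rep(self, client: str, password_key: bytes) -> dict:
        self.keys[client] = password_key             # accept whatever was typed
        for princ in (TGT_PRINC, HOST_PRINC):
            self.keys.setdefault(princ, secrets.token_bytes(32))
        return super().as_rep(client, password_key)


def pam_login(kdc: KDC, client: str, password_key: bytes, keytab: dict, validate: bool = True) -> bool:
    """pam_krb5's flow: AS-REQ with the password, then a TGS-REQ for host/ and a
    check of that service ticket against the host key in the local keytab."""
    try:
        tgt = kdc.as_rep(client, password_key)
    except PermissionError:
        return False
    if not validate:
        return True      # trusts a decodable AS-REP alone: anyone on the network can send one
    host_key = keytab.get(HOST_PRINC)
    if host_key is None:
        return False     # no host/ key on this machine: nothing to validate against, reject
    svc = kdc.tgs_rep(tgt, HOST_PRINC)
    return hmac.compare_digest(ticket_tag(host_key, svc["body"]), svc["tag"])


def demo() -> dict:
    """Run the honest and rogue cases; returns case label -> login accepted."""
    real = KDC()
    real.add_principal(TGT_PRINC)
    host_key = real.add_principal(HOST_PRINC)
    user_key = real.add_principal(USER)
    keytab = {HOST_PRINC: host_key}          # what provisioning leaves in /etc/krb5.keytab
    guessed = secrets.token_bytes(32)        # a wrong password, or an attacker's input
    return {
        "real kdc, right password": pam_login(real, USER, user_key, keytab),
        "real kdc, wrong password": pam_login(real, USER, guessed, keytab),
        "real kdc, host has no keytab": pam_login(real, USER, user_key, {}),
        "rogue kdc, no validation": pam_login(RogueKDC(), USER, guessed, keytab, validate=False),
        "rogue kdc, with validation": pam_login(RogueKDC(), USER, guessed, keytab),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:30s} -> {'accepted' if ok else 'rejected'}")
```

The two rogue cases are the ones that matter: without the validation step the forged AS-REP is accepted, and with it the login is rejected because the forged service ticket does not verify under the host key provisioned into the keytab. The "host has no keytab" case is Brandon's remark that a host without a keytab cannot be validated against at all.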
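A defender-side check for the DES point raised by Ben and Brandon: an added Python script, not a tool from the thread or from OpenAFS, that scans `klist -e` and `klist -ke` output for single-DES, RC4 (arcfour) and 3DES enctypes. SAMPLE_CCACHE is the klist output quoted earlier in the thread; SAMPLE_KEYTAB is a constructed listing in the `klist -ke` layout.

```python
"""Flag weak or deprecated enctypes in `klist -e` / `klist -ke` output.

Added example; not a tool from the thread or the OpenAFS project. It parses
the credential-cache and keytab text formats MIT klist prints. SAMPLE_CCACHE
is the output quoted in the thread; SAMPLE_KEYTAB is constructed.
"""
import re
from typing import List, Tuple

# Single DES is disabled by default in modern Kerberos; RC4 and 3DES are
# deprecated by RFC 8429. Names are the ones MIT klist prints.
WEAK_ETYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5",
    "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-md5", "arcfour-hmac-exp",
}

CCACHE_ENTRY = re.compile(r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+\d\d/\d\d/\d\d \d\d:\d\d:\d\d\s+(\S+)")
CCACHE_ETYPE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")
KEYTAB_ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\w-]+)\)")

Finding = Tuple[str, str, str]   # (principal, where it was seen, enctype)


def audit_klist(output: str) -> List[Finding]:
    """Return one finding per weak enctype in a klist credential-cache or keytab listing."""
    findings: List[Finding] = []
    current = None               # service principal of the ccache entry being read
    for line in output.splitlines():
        m = KEYTAB_ENTRY.match(line)
        if m:                    # "   3 afs/pc.com@PC.COM (des-cbc-crc)"
            kvno, princ, etype = m.groups()
            if etype.lower() in WEAK_ETYPES:
                findings.append((princ, f"keytab kvno {kvno}", etype))
            continue
        m = CCACHE_ENTRY.match(line)
        if m:                    # "<start>  <expires>  <service principal>"
            current = m.group(1)
            continue
        m = CCACHE_ETYPE.search(line)
        if m and current:        # session-key enctype, then ticket enctype
            for where, etype in zip(("session key", "ticket"), m.groups()):
                if etype.lower() in WEAK_ETYPES:
                    findings.append((current, where, etype))
    return findings


# The `klist -e -f` output quoted in the thread.
SAMPLE_CCACHE = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: wang@PC.COM

Valid starting     Expires            Service principal
05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/PC.COM@PC.COM
        renew until 05/10/16 16:26:46, Flags: FRIA
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
05/03/16 16:27:04  05/04/16 02:26:33  afs/pc.com@PC.COM
        renew until 05/10/16 16:26:46, Flags: FRA
        Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""

# Constructed keytab listing in `klist -ke` layout, mixing a DES and an AES key.
SAMPLE_KEYTAB = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 afs/pc.com@PC.COM (des-cbc-crc)
   3 afs/pc.com@PC.COM (aes256-cts-hmac-sha1-96)
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CCACHE, SAMPLE_KEYTAB):
        for princ, where, etype in audit_klist(sample):
            print(f"WEAK: {princ} [{where}] uses {etype}")
```

Run against the thread's own `klist` output, it reports the afs/ service ticket and its session key as arcfour-hmac while the TGT is AES; on a keytab built with `+DesOnly -crypto DES-CBC-CRC` it flags the DES entry. Feeding it live output is just `klist -e | python3 audit.py` with `sys.stdin.read()` in place of the samples.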