[OpenAFS] permission issue when trying to switch kerberos realms.

brandon s allbery kf8nh ballbery@sinenomine.net
Mon, 15 Jan 2018 07:08:36 -0500

Is that literally all you did as setup? If so, you would indeed be able to get tokens, but the servers would not recognize their keys and would reject the tokens.

It sounds like the correct extra steps for your case are to make the following changes on the AFS database servers:

(1) create a file /etc/openafs/server/krb.conf containing a single line, with the two Kerberos realms on it separated by spaces (that is, "X.COM X.BIZ")

(2) extract the afs cell principal in the X.BIZ domain to a keytab, and then add that to /etc/openafs/server/rxkad.keytab.

# ktutil
ktutil: rkt /etc/openafs/server/rxkad.keytab
ktutil: rkt /path/to/new/keytab
ktutil: wkt /etc/openafs/server/rxkad.keytab

Note that the new principal must have a different kvno from the old, and that extracting it from the KDC will generate a new key and increment its kvno.

(If for some reason you are using openafs configured in legacy mode, that may be /usr/afs/etc/krb.conf and/or /usr/afs/etc/KeyFile. If you are using KeyFile, you will need to use the asetkey utility to manipulate it, not ktutil.)

On January 15, 2018 6:49:37 AM EST, Tim Piessens <piessens@icsense.com> wrote:
>Hi all,
>
>can somebody shed some light on this issue?
>We are trying to switch between Kerberos realms (and servers).
>original : X.COM <http://xxx.com/>
>new : X.BIZ
>
>cell : x.com <http://x.com/>
>
>I have created a new Kerberos service principal afs/x.com@X.BIZ
><mailto:afs/x.com@x.biz> in the new Kerberos server.
>I have added the realm to the krb5.conf file.
>
>On the client, I can kinit / aklog for both the user@X.COM
><mailto:user@x.com> and user@X.BIZ <mailto:user@x.biz>
>Both give me a token for afs-UID 1000.
>
>But when I try to access a folder with the X.COM <http://x.com/> token,
>it works; with the X.BIZ token, I get a permission denied.
>
>What could be the root cause?
>How can I debug this?
>
>
>Thanks,
>
>Tim

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
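As an added example (not code from the thread or from OpenAFS), a small Python parser for the MIT keytab format that lets a server admin confirm, before restarting the database servers, that the merged rxkad.keytab holds an afs/<cell> key for every realm named on the krb.conf line and that the keys carry distinct kvnos, as the reply requires. The keytab bytes below are constructed inline for the demonstration; the layout follows the MIT keytab version 0x0502 format.

```python
import struct

def _cstr(s: bytes) -> bytes:
    """Counted octet string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(s)) + s

def build_entry(realm, components, kvno, enctype, key, timestamp=1516000000):
    """Serialise one keytab entry; used here only to construct sample data."""
    body = struct.pack(">H", len(components)) + _cstr(realm.encode())
    body += b"".join(_cstr(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)  # name_type, timestamp, vno8
    body += struct.pack(">H", enctype) + _cstr(key)         # keyblock: type + key bytes
    body += struct.pack(">I", kvno)                         # full 32-bit kvno
    return struct.pack(">i", len(body)) + body

def parse_keytab(data: bytes):
    """Return [(principal, kvno, enctype), ...] from MIT keytab bytes (version 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos); pos += 4
        if size < 0:                # negative size marks a deleted slot: skip it
            pos += -size; continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        strs = []
        for _ in range(ncomp + 1):  # realm first, then ncomp name components
            (n,) = struct.unpack_from(">H", data, pos); pos += 2
            strs.append(data[pos:pos + n].decode()); pos += n
        _, _, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4 + klen
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
        pos = end
    return entries

def check_afs_keys(keytab: bytes, krb_conf: str, cell: str):
    """For every realm on the krb.conf line, is afs/<cell>@REALM in the keytab?
    Also report whether all afs keys carry distinct kvnos."""
    realms = krb_conf.split()
    afs = [(p, k) for p, k, _ in parse_keytab(keytab) if p.startswith(f"afs/{cell}@")]
    present = {r: any(p.endswith("@" + r) for p, _ in afs) for r in realms}
    kvnos = [k for _, k in afs]
    return present, len(kvnos) == len(set(kvnos))

# Constructed sample: the old X.COM key at kvno 3 plus the merged X.BIZ key at kvno 4
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("X.COM", ["afs", "x.com"], 3, 18, b"\x11" * 32)
                 + build_entry("X.BIZ", ["afs", "x.com"], 4, 18, b"\x22" * 32))
```

Run against a real file with `check_afs_keys(open("/etc/openafs/server/rxkad.keytab", "rb").read(), open("/etc/openafs/server/krb.conf").read(), "x.com")`; a realm mapped to False or a False second value means the servers will still reject tokens from that realm.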