[OpenAFS] permission issue when trying to switch kerberos realms.

Tim Piessens piessens@icsense.com
Mon, 15 Jan 2018 14:54:05 +0100



Thanks all,
I was not aware of the krb.conf and kvno limitation.
Now it works.

Dr. Ir. Tim Piessens
CTO and Founder

Gaston Geenslaan 14, 3001 Leuven, Belgium
Tel. +32 16 589 705 | Fax. +32 16 589 720
www.icsense.com | piessens@icsense.com
"The information contained in this e-mail may be confidential."

> On 15 Jan 2018, at 13:08, brandon s allbery kf8nh <ballbery@sinenomine.net> wrote:
> 
> Is that literally all you did as setup? If so, you would indeed be able to get tokens, but the servers would not recognize their keys and would reject the tokens.
> 
> It sounds like the correct extra steps for your case are to make the following changes on the AFS database servers:
> 
> (1) create a file /etc/openafs/server/krb.conf containing a single line, with the two Kerberos realms on it separated by spaces (that is, "X.COM X.BIZ")
> 
> (2) extract the afs cell principal in the X.BIZ domain to a keytab, and then add that to /etc/openafs/server/rxkad.keytab.
> 
> # ktutil
> ktutil: rkt /etc/openafs/server/rxkad.keytab
> ktutil: rkt /path/to/new/keytab
> ktutil: wkt /etc/openafs/server/rxkad.keytab
> 
> Note that the new principal must have a different kvno from the old, and that extracting it from the KDC will generate a new key and increment its kvno.
> 
> (If for some reason you are using openafs configured in legacy mode, that may be /usr/afs/etc/krb.conf and/or /usr/afs/etc/KeyFile. If you are using KeyFile, you will need to use the asetkey utility to manipulate it, not ktutil.)
> 
> On January 15, 2018 6:49:37 AM EST, Tim Piessens <piessens@icsense.com> wrote:
>> Hi all,
>> 
>> can somebody shed some light on this issue?
>> We are trying to switch between Kerberos realms (and servers).
>> original : X.COM
>> new : X.BIZ
>> 
>> cell : x.com
>> 
>> I have created a new Kerberos service principal afs/x.com@X.BIZ in the new Kerberos server.
>> I have added the realm to the krb5.conf file.
>> 
>> On the client, I can kinit / aklog for both user@X.COM and user@X.BIZ.
>> Both give me a token for AFS UID 1000.
>> 
>> But when I try to access a folder with the X.COM token, it works; with the X.BIZ token, I get a permission denied.
>> 
>> What could be the root cause?
>> How can I debug this?
>> 
>> Thanks,
>> 
>> Tim
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
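
The two server-side steps in Brandon's reply (a krb.conf naming both realms, and merging the newly extracted afs/x.com@X.BIZ keytab into rxkad.keytab), as an added shell example that is not code from this thread or from OpenAFS. It also adds the check a practitioner wants afterwards: parsing `klist -kte` output to confirm that the merged keytab holds an afs/<cell> entry for every realm in krb.conf and that the two realms' keys do not share a kvno, the condition Brandon's note calls out. Assumptions: MIT Kerberos ktutil/klist, the non-legacy OpenAFS config directory /etc/openafs/server (overridable through AFS_CONF_DIR), the cell name x.com and realms X.COM / X.BIZ from the thread, and a hypothetical keytab path /root/afs-x.biz.keytab for the extracted key. The klist listings embedded in the script are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenAFS.  Scripts the krb.conf
# and rxkad.keytab changes for accepting a second Kerberos realm, then checks
# the result.  Paths, cell and realm names are assumptions (see lead-in).

AFS_CONF_DIR="${AFS_CONF_DIR:-/etc/openafs/server}"

# Step 1: krb.conf is a single line naming every realm whose tokens the
# servers should accept, separated by spaces, e.g. "X.COM X.BIZ".
write_krb_conf() {
    out="$1"; shift
    printf '%s\n' "$*" > "$out"
}

# Step 2: the ktutil command sequence that reads the existing rxkad.keytab,
# reads the newly extracted keytab, and writes the union back.  Printed so it
# can be reviewed; apply_merge feeds it to ktutil for real.
ktutil_merge_script() {
    rxkad="$1"; newkt="$2"
    printf 'rkt %s\nrkt %s\nwkt %s\n' "$rxkad" "$newkt" "$rxkad"
}

apply_merge() {
    ktutil_merge_script "$1" "$2" | ktutil
}

# Post-check over "klist -kte <keytab>" output.  Columns: 1 = KVNO,
# 2 and 3 = date and time, 4 = principal, 5 = enctype.
# Arguments: listing text, cell name, then one or more realm names.
# Returns 0 only if every afs/<cell>@<REALM> is present and no kvno is used
# by more than one realm (the thread notes the new realm's key must carry a
# different kvno from the old one).
check_keytab_listing() {
    listing="$1"; cell="$2"; shift 2
    all_kvnos=""
    for realm in "$@"; do
        kvnos=$(printf '%s\n' "$listing" \
            | awk -v p="afs/$cell@$realm" '$4 == p { print $1 }' | sort -u)
        if [ -z "$kvnos" ]; then
            echo "missing keytab entry: afs/$cell@$realm" >&2
            return 1
        fi
        all_kvnos="$all_kvnos $kvnos"
    done
    dup=$(printf '%s\n' $all_kvnos | sort | uniq -d)
    if [ -n "$dup" ]; then
        echo "kvno $dup is used by more than one realm" >&2
        return 1
    fi
    return 0
}

# Constructed sample of klist -kte output for a correctly merged keytab:
# X.COM keys at kvno 2, X.BIZ keys at kvno 3.
GOOD_LISTING='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2018 10:00:00 afs/x.com@X.COM (aes256-cts-hmac-sha1-96)
   2 01/10/2018 10:00:00 afs/x.com@X.COM (aes128-cts-hmac-sha1-96)
   3 01/15/2018 12:00:00 afs/x.com@X.BIZ (aes256-cts-hmac-sha1-96)
   3 01/15/2018 12:00:00 afs/x.com@X.BIZ (aes128-cts-hmac-sha1-96)'

# Constructed sample where the X.BIZ key was created with the same kvno as
# the X.COM key; the check must reject this.
CLASH_LISTING='Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/10/2018 10:00:00 afs/x.com@X.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2018 12:00:00 afs/x.com@X.BIZ (aes256-cts-hmac-sha1-96)'

# Real run, as root on each AFS database server:
#   write_krb_conf "$AFS_CONF_DIR/krb.conf" X.COM X.BIZ
#   apply_merge "$AFS_CONF_DIR/rxkad.keytab" /root/afs-x.biz.keytab
#   check_keytab_listing "$(klist -kte "$AFS_CONF_DIR/rxkad.keytab")" \
#       x.com X.COM X.BIZ
```

The check is deliberately run against the listing of the merged keytab rather than against the new keytab alone, because the failure mode in the thread (tokens issued but rejected by the servers) only shows up when the servers' copy is wrong: a missing realm entry or a kvno that collides with the old realm's key. Extend the realm arguments if krb.conf lists more than two realms.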

