[OpenAFS] Kerberos + Windows
Ben Huntsman
ben@huntsmans.net
Wed, 24 Aug 2022 20:19:28 +0000
Thanks for the reply!
> So I'm not the expert on how AD works, so I can't speak for what happens
> if you create a service account called _one_ thing and then have a
> different principal name. Like, what name ends up in the service
> ticket? But, moving on ...
I was a little fuzzy on that, but I was under the impression that in my case the service principal for AFS has to be called "afs/mydomain.com". Is that not so? Therefore, one could either create an AD account literally called "afs", or let the ktpass command create an SPN for the account and let its name conform to local naming standards. Indeed we can see that the SPN is created by running setspn on Windows:
C:\>setspn -L srvAFS
Registered ServicePrincipalNames for CN=srvAFS,OU=Users,DC=ad,DC=mydomain,DC=com:
afs/mydomain.com
> kvno is used when you already have a Kerberos ticket (with kinit) and you're
> getting a service ticket for what you give on the command line. I think
> what you want "kinit adUser" and the "kvno afs/mydomain.com". Although
> aklog should do the same thing.
>
> It would be interesting to see what the output of "klist" is after you
> do that kinit/kvno command sequence.
$ kinit adUser
Password for adUser@AD.MYDOMAIN.COM:
$ kvno afs/mydomain.com
afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 5
$ aklog -d
Authenticating to cell mydomain.com (server myserver).
Trying to authenticate to user's realm AD.MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@AD.MYDOMAIN.COM
Using Kerberos V5 ticket natively
About to resolve name adUser to id in cell mydomain.com.
Id 204
Setting tokens. adUser @ mydomain.com
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_204
Default principal: adUser@AD.MYDOMAIN.COM
Valid starting Expires Service principal
08/24/22 12:28:35 08/24/22 22:28:35 krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
renew until 08/25/22 12:28:30
08/24/22 12:28:51 08/24/22 22:28:35 afs/mydomain.com@AD.MYDOMAIN.COM
renew until 08/25/22 12:28:30
> There is some magic that asetkey does in terms of key version numbering
> for rxkad_krb5 but it escapes me now and I suspect that's not your real
> problem. I am assuming you've distributed the KeyFile to _all_ of your
> AFS servers.
This is the first AFS server, so there are no other servers to distribute it to yet.
# asetkey list
rxkad_krb5 kvno 5 enctype 17; key is: blahblahblah
rxkad_krb5 kvno 5 enctype 18; key is: blahblahblahblahblahblah
All done.
It seems like it's close but I'm just missing one thing... not quite sure what though.
Thank you so much!
-Ben
________________________________
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
Sent: Wednesday, August 24, 2022 11:42 AM
To: Ben Huntsman <ben@huntsmans.net>
Cc: openafs-info@openafs.org <openafs-info@openafs.org>
Subject: Re: [OpenAFS] Kerberos + Windows
>I then created the service account srvAFS, and extracted a keytab on the
>Domain Controller using the following command:
So I'm not the expert on how AD works, so I can't speak for what happens
if you create a service account called _one_ thing and then have a
different principal name. Like, what name ends up in the service
ticket? But, moving on ...
># kvno adUser@AD.MYDOMAIN.COM
>kvno: Server not found in Kerberos database while getting credentials for adUser@AD.MYDOMAIN.COM
kvno is used when you already have a Kerberos ticket (with kinit) and you're
getting a service ticket for what you give on the command line. I think
what you want "kinit adUser" and the "kvno afs/mydomain.com". Although
aklog should do the same thing.
It would be interesting to see what the output of "klist" is after you
do that kinit/kvno command sequence.
There is some magic that asetkey does in terms of key version numbering
for rxkad_krb5 but it escapes me now and I suspect that's not your real
problem. I am assuming you've distributed the KeyFile to _all_ of your
AFS servers.
--Ken
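The kinit/kvno and asetkey outputs quoted above can be cross-checked mechanically: the kvno the KDC placed in the afs/ service ticket must exist as an rxkad_krb5 key in the server KeyFile, and the ticket must be for afs/<cell>. The script below is an added example, not code from the thread or from OpenAFS; it runs on constructed sample strings shaped like the quoted output, and the cell name, principal and key values are assumptions taken from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS: cross-check
# the service principal and kvno that the KDC put in the AFS service
# ticket against the rxkad_krb5 keys asetkey reports in the KeyFile.
# A kvno or principal mismatch is a common reason a ticket that klist
# shows as valid is still rejected by the fileserver.
# In real use pass the live output of `kvno afs/<cell>` and `asetkey
# list`; the two strings below are constructed samples shaped like the
# output quoted in the thread.

KVNO_OUT='afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 5'
ASETKEY_OUT='rxkad_krb5 kvno 5 enctype 17; key is: blahblahblah
rxkad_krb5 kvno 5 enctype 18; key is: blahblahblahblahblahblah
All done.'

# Service principal named in the kvno output (text before the colon).
ticket_principal() {
    printf '%s\n' "$1" | sed -n 's/^\([^:]*\):.*/\1/p'
}

# Key version number the KDC placed in the service ticket.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p'
}

# "kvno enctype" pairs present in the KeyFile, one per line.
keyfile_keys() {
    printf '%s\n' "$1" | awk '/^rxkad_krb5 kvno/ { sub(/;/, "", $5); print $3, $5 }'
}

# check_afs_key CELL KVNO_OUTPUT ASETKEY_OUTPUT
# Returns 0 when the ticket is for afs/CELL and the KeyFile holds a key
# with the same kvno; prints the reason and returns 1 otherwise.
check_afs_key() {
    cell=$1; princ=$(ticket_principal "$2"); want=$(ticket_kvno "$2")
    case $princ in
        "afs/$cell@"*) ;;
        *) echo "ticket is for '$princ', expected afs/$cell@<REALM>"; return 1 ;;
    esac
    [ -n "$want" ] || { echo "could not parse kvno from: $2"; return 1; }
    etypes=$(keyfile_keys "$3" | awk -v k="$want" '$1 == k { printf "%s ", $2 }')
    if [ -z "$etypes" ]; then
        echo "KeyFile has no rxkad_krb5 key with kvno $want"; return 1
    fi
    echo "OK: $princ kvno $want matches KeyFile enctype(s): $etypes"
}

check_afs_key mydomain.com "$KVNO_OUT" "$ASETKEY_OUT"
```

For the sample values the check passes; replacing the kvno in KVNO_OUT with 6, or the cell with one the ticket is not for, makes it report the mismatch and exit non-zero.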