[OpenAFS] Kerberos + Windows
Ben Huntsman
ben@huntsmans.net
Thu, 25 Aug 2022 05:06:03 +0000
Hi there!
Thanks for the replies!
I got it working!!!
> In addition to the key version number you also need to know the encryption type used to
> encrypt the service private portion of the afs/mydomain.com@AD.MYDOMAIN.COM service
> ticket. It is that encryption type which does not need to match either the encryption type
> used to encrypt the client private portion of the ticket or the session key which needs to
> match the keys added via asetkey.
Ah! This is interesting:
# kinit adUser
Password for adUser@AD.MYDOMAIN.COM:
# klist -e
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: adUser@AD.MYDOMAIN.COM

Valid starting     Expires            Service principal
08/24/22 21:49:12  08/25/22 07:49:12  krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
        renew until 08/25/22 21:49:10, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
# aklog
# klist -e
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: adUser@AD.MYDOMAIN.COM

Valid starting     Expires            Service principal
08/24/22 21:49:12  08/25/22 07:49:12  krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
        renew until 08/25/22 21:49:10, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/24/22 21:49:26  08/25/22 07:49:12  afs/mydomain.com@AD.MYDOMAIN.COM
        renew until 08/25/22 21:49:10, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
After running aklog I have one that is using arcfour-hmac. Didn't expect that.

I had only the AES types in my keytab, and hadn't run an asetkey for that one.
I had the original keytab pre-edits to remove all but the AES types, and I brought that back over and removed only DES, leaving the arcfour-hmac one, and then ran asetkey for it using the encryption type 23, bounced the server, and it worked!!

I also did end up adding in the "mydomain.com" and ".mydomain.com" entries in krb5.conf, and I put in a file /opt/openafs/etc/openafs/server/krb.conf with only one line that says "AD.MYDOMAIN.COM".

I'm glad this is all working now!! Thank you all so much for the help!!
-Ben
________________________________
From: Jeffrey E Altman
Sent: Wednesday, August 24, 2022 6:49 PM
To: Ben Huntsman; openafs-info@openafs.org
Subject: Re: [OpenAFS] Kerberos + Windows
On 8/24/2022 12:53 PM, Ben Huntsman (ben@huntsmans.net) wrote:

> Here's some configuration info:
>
> Let's say my cell is going to be mydomain.com. My Active Directory is ad.mydomain.com, and my AFS service account is srvAFS.

When installing Active Directory for a domain "mydomain.com" it is best if the Active Directory domain is "MYDOMAIN.COM" instead of "AD.MYDOMAIN.COM". This is because Kerberos clients will attempt to use the DNS name of the host as the Kerberos realm name. The use of "AD.MYDOMAIN.COM" or "WIN.MYDOMAIN.COM" naming is common only in cases where there is a pre-existing Kerberos realm for "MYDOMAIN.COM".

> Here's my krb5.conf:
>
> [libdefaults]
>     default_realm = AD.MYDOMAIN.COM
>     default_keytab_name = FILE:/etc/krb5/krb5.keytab
>     dns_lookup_realm = true
>     dns_lookup_kdc = true
>     forwardable = true
>
> [realms]
>     AD.MYDOMAIN.COM = {
>         kdc = ad.mydomain.com:88
>         admin_server = ad.mydomain.com:749
>         default_domain = ad.mydomain.com
>     }
>
> [domain_realm]
>     .ad.mydomain.com = AD.MYDOMAIN.COM
>     ad.mydomain.com = AD.MYDOMAIN.COM

You also need to add

    .mydomain.com = AD.MYDOMAIN.COM
    mydomain.com = AD.MYDOMAIN.COM

since the Kerberos realm is not the same as the DNS domain name used for the AFS service principal.

> [logging]
>     kdc = FILE:/var/krb5/log/krb5kdc.log
>     admin_server = FILE:/var/krb5/log/kadmin.log
>     kadmin_local = FILE:/var/krb5/log/kadmin_local.log
>     default = FILE:/var/krb5/log/krb5lib.log
>
> I then created the service account srvAFS, and extracted a keytab on the Domain Controller using the following command:
>
> ktpass /princ afs/mydomain.com@AD.MYDOMAIN.COM /mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt

The use of "afs/mydomain.com@AD.MYDOMAIN.COM" is correct. The "afs@AD.MYDOMAIN.COM" service principal name should no longer be used and must never be used with Active Directory.

> I verified that the account did not have the "Use only Kerberos DES encryption types for this account" box checked. I then copied the rxkad.keytab over to the UNIX host. I built OpenAFS with a prefix of /opt/openafs, so I put the keytab in /opt/openafs/etc/openafs/server
>
> I used ktutil to delete the two des entries in the keytab. ktutil indicates that the KVNO is 5.
>
> I then added the keys to OpenAFS using the command:
>
> asetkey add rxkad_krb5 5 17 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com
> asetkey add rxkad_krb5 5 18 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com

For an Active Directory realm you most likely also need to add rc4-hmac, enctype 23.

Did the above "asetkey" commands succeed? Since the cell is named "mydomain.com" I would expect asetkey to expand "afs/mydomain.com" to "afs/mydomain.com@MYDOMAIN.COM" which is not going to be present in the rxkad.keytab file.

What is the output of "asetkey list" after the above commands were executed?

> But things aren't quite working:
>
> # ls /afs
> afs: Tokens for user of AFS id 204 for cell mydomain.com are discarded (rxkad error=19270408, server 192.168.0.114)
> ls: /afs: The file access permissions do not allow the specified action.
>
> # kvno adUser@AD.MYDOMAIN.COM
> kvno: Server not found in Kerberos database while getting credentials for adUser@AD.MYDOMAIN.COM

This is not expected to work.

> # vos listvol myserver
> Could not fetch the list of partitions from the server
> rxk: ticket contained unknown key version number
> Error in vos listvol command.
> rxk: ticket contained unknown key version number

19270408 = rxk: ticket contained unknown key version number

It means the OpenAFS servers are not finding the expected key entry. There is not a match for the combination of enctype and key version number and name.

> # kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com@AD.MYDOMAIN.COM

The above command is using the afs/mydomain.com@AD.MYDOMAIN.COM keytab entry to obtain a client Ticket Granting Ticket. I doubt that is what you intended.

Instead you wanted to "kinit" using a client principal and then execute the kvno command below.

> # kvno afs/mydomain.com@AD.MYDOMAIN.COM
> afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 5

In addition to the key version number you also need to know the encryption type used to encrypt the service private portion of the afs/mydomain.com@AD.MYDOMAIN.COM service ticket. It is that encryption type which does not need to match either the encryption type used to encrypt the client private portion of the ticket or the session key which needs to match the keys added via asetkey.

After adding the keys via "asetkey" did you install KeyFileExt on every server in the cell?

Did you restart the services or touch the server instance of the CellServDB file to force the new keys to be loaded?

> Did I miss something, or make a mistake along the way somewhere?

Ben mentions in a separate reply that the OpenAFS krb.conf file needs to be created and specify the local authentication realm as "AD.MYDOMAIN.COM". Failure to do so will prevent authorization from succeeding but would not result in a key version not found error.
Jeffrey Altman
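Added example, not part of the thread or of OpenAFS itself: a small Python check that reads "klist -e" and "kvno" output plus the "asetkey add rxkad_krb5" commands that were run, and reports whether the (kvno, enctype) pair protecting the service-private part of the afs/ ticket is among the keys loaded into the servers. The sample outputs are constructed from the thread above; function names and the result dictionary are my own.

```python
import re

# IANA / RFC 3961 enctype numbers for the names that MIT "klist -e" prints;
# these are the numbers "asetkey add rxkad_krb5 <kvno> <enctype> ..." takes.
ENCTYPE_NUMBERS = {
    "des-cbc-crc": 1,
    "des-cbc-md5": 3,
    "aes128-cts-hmac-sha1-96": 17,
    "aes256-cts-hmac-sha1-96": 18,
    "arcfour-hmac": 23,
}

DATE = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+@\S+)$" % (DATE, DATE))
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*([\w-]+),\s*([\w-]+)")
KVNO_RE = re.compile(r"^(\S+@\S+):\s*kvno\s*=\s*(\d+)$")
ASETKEY_RE = re.compile(r"^asetkey\s+add\s+rxkad_krb5\s+(\d+)\s+(\d+)\s")


def parse_klist(text):
    """Return [{'service', 'skey', 'tkt'}, ...] from "klist -e" output.

    'skey' is the session key enctype, 'tkt' the enctype used to encrypt the
    service-private part of the ticket; only 'tkt' matters to rxkad.
    """
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            tickets.append({"service": m.group(3), "skey": None, "tkt": None})
            continue
        m = ETYPE_RE.search(line)
        if m and tickets:
            tickets[-1]["skey"], tickets[-1]["tkt"] = m.group(1), m.group(2)
    return tickets


def parse_kvno(text):
    """Map principal -> key version number from "kvno <principal>" output."""
    found = (KVNO_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in found if m}


def parse_asetkey_adds(commands):
    """Return the set of (kvno, enctype) pairs loaded by the given asetkey commands."""
    keys = set()
    for cmd in commands:
        m = ASETKEY_RE.match(cmd.strip())
        if m:
            keys.add((int(m.group(1)), int(m.group(2))))
    return keys


def check_service_ticket(klist_text, kvno_text, asetkey_cmds, service="afs/"):
    """Report whether the loaded rxkad_krb5 keys can decrypt the AFS service ticket."""
    tickets = [t for t in parse_klist(klist_text) if t["service"].startswith(service)]
    if not tickets:
        return {"ok": False, "reason": "no %s service ticket in the cache" % service}
    tkt = tickets[0]
    enctype = ENCTYPE_NUMBERS.get(tkt["tkt"])
    kvno = parse_kvno(kvno_text).get(tkt["service"])
    if enctype is None or kvno is None:
        return {"ok": False, "reason": "unknown enctype %r or kvno for %s"
                % (tkt["tkt"], tkt["service"])}
    needed = (kvno, enctype)
    loaded = sorted(parse_asetkey_adds(asetkey_cmds))
    result = {"service": tkt["service"], "tkt_enctype": tkt["tkt"],
              "needed": needed, "loaded": loaded, "ok": needed in loaded}
    if not result["ok"]:
        result["reason"] = ("no rxkad_krb5 key with kvno %d and enctype %d; "
                            "the %s key must be added with asetkey"
                            % (kvno, enctype, tkt["tkt"]))
    return result


# Constructed sample input, transcribed from the output shown in the thread.
KLIST_AFTER_AKLOG = """\
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: adUser@AD.MYDOMAIN.COM

Valid starting     Expires            Service principal
08/24/22 21:49:12  08/25/22 07:49:12  krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
        renew until 08/25/22 21:49:10, Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/24/22 21:49:26  08/25/22 07:49:12  afs/mydomain.com@AD.MYDOMAIN.COM
        renew until 08/25/22 21:49:10, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
"""
KVNO_OUTPUT = "afs/mydomain.com@AD.MYDOMAIN.COM: kvno = 5\n"
KEYTAB = "/opt/openafs/etc/openafs/server/rxkad.keytab"
# The two commands from the thread (AES only) and the set that also loads rc4-hmac (23).
ASETKEY_AES_ONLY = ["asetkey add rxkad_krb5 5 %d %s afs/mydomain.com" % (e, KEYTAB)
                    for e in (17, 18)]
ASETKEY_WITH_RC4 = ASETKEY_AES_ONLY + ["asetkey add rxkad_krb5 5 23 %s afs/mydomain.com" % KEYTAB]

if __name__ == "__main__":
    for cmds in (ASETKEY_AES_ONLY, ASETKEY_WITH_RC4):
        print(check_service_ticket(KLIST_AFTER_AKLOG, KVNO_OUTPUT, cmds))
```

With only the AES keys loaded the check reports that (kvno 5, enctype 23) is missing, which is the mismatch behind "ticket contained unknown key version number" in this thread; with the rc4-hmac key added it passes.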