[OpenAFS] More Kerberos + Windows issues
Ben Huntsman
ben@huntsmans.net
Wed, 3 May 2023 15:45:46 +0000
--_000_MWHPR0701MB3674E4BF05966CC2201F4891A76C9MWHPR0701MB3674_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hi there!
I had this working before, but had to rebuild, and I can't seem to remem=
ber seeing this issue last time:
$ kinit
Password for adUser@AD.MYDOMAIN.COM:
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_204
Default principal: adUser@AD.MYDOMAIN.COM
Valid starting Expires Service principal
05/03/23 08:28:01 05/03/23 18:28:01 krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.CO=
M
renew until 05/04/23 08:27:57
$ aklog -d
Authenticating to cell mydomain.com (server aix61bld01).
Trying to authenticate to user's realm AD.MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@AD.MYDOMAIN.COM
Using Kerberos V5 ticket natively
About to resolve name adUser to id in cell mydomain.com.
Id 204
Setting tokens. adUser @ mydomain.com
aklog: a pioctl failed while setting tokens for cell mydomain.com
I don't recall seeing the pioctl error before... Here's some details on th=
e AFS kerberos config:
$ cat /opt/openafs/etc/openafs/server/krb.conf
AD.MYDOMAIN.COM
$ /usr/krb5/sbin/ktutil
ktutil: rkt /opt/openafs/etc/openafs/server/rxkad.keytab
ktutil: list -e
slot KVNO Principal
---- ---- -----------------------------------------------------------------=
----
1 5 afs/mydomain.com@AD.MYDOMAIN.COM (arcfour-hmac)
2 5 afs/mydomain.com@AD.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
3 5 afs/mydomain.com@AD.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
ktutil: quit
$ asetkey list
All done.
Interesting, can't read that info as the user. Let's try root:
$ ^D
# asetkey list
rxkad_krb5 kvno 5 enctype 17; key is: blahblahblah
rxkad_krb5 kvno 5 enctype 18; key is: blahblahblahblahblahblah
rxkad_krb5 kvno 5 enctype 23; key is: blahblahblah
All done.
I didn't change the krb5.conf on this system from before when it was workin=
g, so I'm going to assume that is fine. I can post if needed, but from the=
above it looks like kinit is working, so the problem seems to be on the Op=
enAFS side. Also, yes, the kernel extension is loaded.
Any idea what the pioctl error is about and how to solve?
Thanks in advance!
-Ben
--_000_MWHPR0701MB3674E4BF05966CC2201F4891A76C9MWHPR0701MB3674_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1">
<style type=3D"text/css" style=3D"display:none;"> P {margin-top:0;margin-bo=
ttom:0;} </style>
</head>
<body dir=3D"ltr">
<div class=3D"elementToProof" style=3D"font-family: Calibri, Arial, Helveti=
ca, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
Hi there!</div>
<div class=3D"elementToProof" style=3D"font-family: Calibri, Arial, Helveti=
ca, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
I had this working before, but had to rebuild, and I can't see=
m to remember seeing this issue last time:</div>
<div class=3D"elementToProof" style=3D"font-family: Calibri, Arial, Helveti=
ca, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
$ kinit
<div class=3D"ContentPasted0 elementToProof">Password for adUser@AD.MYDOMAI=
N.COM:</div>
<div class=3D"ContentPasted0">$ klist</div>
<div class=3D"ContentPasted0">Ticket cache: FILE:/var/krb5/security/creds/k=
rb5cc_204</div>
<div class=3D"ContentPasted0 elementToProof">Default principal: adUser@AD.M=
YDOMAIN.COM</div>
<div><br class=3D"ContentPasted0">
</div>
<div class=3D"ContentPasted0">Valid starting Expires &=
nbsp; Service principal</div>
<div class=3D"ContentPasted0 elementToProof">05/03/23 08:28:01 05/03/=
23 18:28:01 krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM</div>
<div class=3D"ContentPasted0"> renew until 05/04=
/23 08:27:57</div>
<div class=3D"ContentPasted0 elementToProof"></div>
$ aklog -d
<div class=3D"ContentPasted1 elementToProof">Authenticating to cell mydomai=
n.com (server aix61bld01).</div>
<div class=3D"ContentPasted1 elementToProof">Trying to authenticate to user=
's realm AD.MYDOMAIN.COM.</div>
<div class=3D"ContentPasted1 elementToProof">Getting tickets: afs/mydomain.=
com@AD.MYDOMAIN.COM</div>
<div class=3D"ContentPasted1">Using Kerberos V5 ticket natively</div>
<div class=3D"ContentPasted1 elementToProof">About to resolve name adUser t=
o id in cell mydomain.com.</div>
<div class=3D"ContentPasted1">Id 204</div>
<div class=3D"ContentPasted1 elementToProof">Setting tokens. adUser @ mydom=
ain.com</div>
<div class=3D"ContentPasted1 elementToProof">aklog: a pioctl failed while s=
etting tokens for cell mydomain.com</div>
<div class=3D"ContentPasted0"></div>
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
I don't recall seeing the pioctl error before... Here's some details =
on the AFS kerberos config:</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1 ContentPasted2" =
style=3D"font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12p=
t; color: rgb(0, 0, 0);">
$ cat /opt/openafs/etc/openafs/server/krb.conf
<div class=3D"ContentPasted2 elementToProof">AD.MYDOMAIN.COM</div>
<div class=3D"ContentPasted2">$ /usr/krb5/sbin/ktutil</div>
<div class=3D"ContentPasted2">ktutil: rkt /opt/openafs/etc/openafs/se=
rver/rxkad.keytab</div>
<div class=3D"ContentPasted2">ktutil: list -e</div>
<div class=3D"ContentPasted2">slot KVNO Principal</div>
<div class=3D"ContentPasted2">---- ---- -----------------------------------=
----------------------------------</div>
<div class=3D"ContentPasted2 elementToProof"> 1 5 =
afs/mydomain.com@AD.MYDOMAIN.COM (arcfour-hmac)</div>
<div class=3D"ContentPasted2 elementToProof"> 2 5 =
afs/mydomain.com@AD.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)</div>
<div class=3D"ContentPasted2 elementToProof"> 3 5 =
afs/mydomain.com@AD.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)</div>
<div class=3D"ContentPasted2">ktutil: quit</div>
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1 ContentPasted2 C=
ontentPasted3" style=3D"font-family: Calibri, Arial, Helvetica, sans-serif;=
font-size: 12pt; color: rgb(0, 0, 0);">
$ asetkey list
<div class=3D"ContentPasted3">All done.</div>
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1 ContentPasted2 C=
ontentPasted3" style=3D"font-family: Calibri, Arial, Helvetica, sans-serif;=
font-size: 12pt; color: rgb(0, 0, 0);">
Interesting, can't read that info as the user. Let's try root:</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1 ContentPasted2 C=
ontentPasted3" style=3D"font-family: Calibri, Arial, Helvetica, sans-serif;=
font-size: 12pt; color: rgb(0, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1 ContentPasted2 C=
ontentPasted3 ContentPasted4" style=3D"font-family: Calibri, Arial, Helveti=
ca, sans-serif; font-size: 12pt; color: rgb(0, 0, 0);">
$ ^D
<div class=3D"ContentPasted4"># asetkey list</div>
<div class=3D"ContentPasted4 elementToProof">rxkad_krb5  =
;kvno 5 enctype 17; key is: blahblahblah</div>
<div class=3D"ContentPasted4 elementToProof">rxkad_krb5  =
;kvno 5 enctype 18; key is: blahblahblahblahblahblah</div>
<div class=3D"ContentPasted4 elementToProof">rxkad_krb5  =
;kvno 5 enctype 23; key is: blahblahblah</div>
<div class=3D"ContentPasted4">All done.</div>
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
I didn't change the krb5.conf on this system from before when it was workin=
g, so I'm going to assume that is fine. I can post if needed, but fro=
m the above it looks like kinit is working, so the problem seems to be on t=
he OpenAFS side. Also, yes, the kernel
extension is loaded.</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
Any idea what the pioctl error is about and how to solve?</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
Thanks in advance!</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
-Ben</div>
<div class=3D"elementToProof ContentPasted0 ContentPasted1" style=3D"font-f=
amily: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0=
, 0, 0);">
<br>
</div>
</body>
</html>
--_000_MWHPR0701MB3674E4BF05966CC2201F4891A76C9MWHPR0701MB3674_--