[OpenAFS] More Kerberos + Windows issues

Ben Huntsman ben@huntsmans.net
Wed, 3 May 2023 15:45:46 +0000


Hi there!
   I had this working before, but had to rebuild, and I can't seem to remember seeing this issue last time:

$ kinit
Password for adUser@AD.MYDOMAIN.COM:
$ klist
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_204
Default principal: adUser@AD.MYDOMAIN.COM

Valid starting     Expires            Service principal
05/03/23 08:28:01  05/03/23 18:28:01  krbtgt/AD.MYDOMAIN.COM@AD.MYDOMAIN.COM
        renew until 05/04/23 08:27:57
$ aklog -d
Authenticating to cell mydomain.com (server aix61bld01).
Trying to authenticate to user's realm AD.MYDOMAIN.COM.
Getting tickets: afs/mydomain.com@AD.MYDOMAIN.COM
Using Kerberos V5 ticket natively
About to resolve name adUser to id in cell mydomain.com.
Id 204
Setting tokens. adUser @ mydomain.com
aklog: a pioctl failed while setting tokens for cell mydomain.com

I don't recall seeing the pioctl error before...  Here are some details on the AFS Kerberos config:

$ cat /opt/openafs/etc/openafs/server/krb.conf
AD.MYDOMAIN.COM
$ /usr/krb5/sbin/ktutil
ktutil:  rkt /opt/openafs/etc/openafs/server/rxkad.keytab
ktutil:  list -e
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 afs/mydomain.com@AD.MYDOMAIN.COM (arcfour-hmac)
   2    5 afs/mydomain.com@AD.MYDOMAIN.COM (aes256-cts-hmac-sha1-96)
   3    5 afs/mydomain.com@AD.MYDOMAIN.COM (aes128-cts-hmac-sha1-96)
ktutil:  quit

$ asetkey list
All done.

Interesting, can't read that info as the user.  Let's try root:

$ ^D
# asetkey list
rxkad_krb5      kvno    5 enctype 17; key is: blahblahblah
rxkad_krb5      kvno    5 enctype 18; key is: blahblahblahblahblahblah
rxkad_krb5      kvno    5 enctype 23; key is: blahblahblah
All done.


I didn't change the krb5.conf on this system from before when it was working, so I'm going to assume that is fine.  I can post if needed, but from the above it looks like kinit is working, so the problem seems to be on the OpenAFS side.  Also, yes, the kernel extension is loaded.

Any idea what the pioctl error is about and how to solve?

Thanks in advance!

-Ben

