[OpenAFS] asetkey, aklog and weird key/principal
Douglas E. Engert
deengert@anl.gov
Tue, 09 Jan 2007 09:53:32 -0600
FYI for all,
As an alternative approach to using ktpass for adding service principals
to AD, we use a program called msktutil, developed by Dan Perry while at
PNNL. It uses OpenLDAP, GSSAPI and SASL to authenticate to AD, add accounts
and service principals, and update keytabs all in one step. Google for
msktutil. You will also see a version
http://download.systemimager.org/~finley/msktutil/
packaged up by one of our people.
We have not used this to add AFS, as the AFS was added to AD years ago,
but we have used it with HTTP, cvs, pop and many host principals.
Turbo Fredriksson wrote:
>>>>>> "Douglas" == Douglas E Engert <deengert@anl.gov> writes:
>
> Douglas> The account name (ktpass -mapuser) could be city_afs and
> Douglas> the SPN=afs/europe.ad.<domain>@<DOMAIN>
>
> Oki, the admin has now created a keytab using:
>
> ----- s n i p -----
> ktpass -princ afs/<cell>@<REALM> -mapuser <city>_afs -pass * -crypto DES-CBC-MD5 -out c:\temp\unixkeytab
> Targeting domain controller: <domaincontroller>
> Successfully mapped afs/<cell> to <city>_afs.
> Type the password for afs/<cell>:
> Type the password again to confirm:
> WARNING: pType and account type do not match. This might cause problems.
> Key created.
> Output keytab to c:\temp\unixkeytab:
> Keytab version: 0x502
> keysize 75 afs/<cell>@<REALM> ptype 0
> (KRB5_NT_UNKNOWN) vno 3 etype 0x3 (DES-CBC-MD5) keylength 8 (0xe9801968ba2aada4)
> ----- s n i p -----
>
> Unfortunately this gives me other problems:
>
> ----- s n i p -----
> root@<afsserver>:/usr/afs/etc# asetkey add 3 unixkeytab afs/<cell>@<REALM>
> root@<afsserver>:/usr/afs/etc# tokens
>
> Tokens held by the Cache Manager:
>
> --End of list--
> root@<afsserver>:/usr/afs/etc# klist
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> root@<afsserver>:/usr/afs/etc# kinit admin
> Password for admin@<REALM>:
> root@<afsserver>:/usr/afs/etc# aklog
> root@<afsserver>:/usr/afs/etc# pts listentries
> Name ID Owner Creator
> pts: security object was passed a bad ticket ; unable to list entries
>
> root@<afsserver>:/usr/afs/etc#
> ----- s n i p -----
>
> The only reference I found about this problem was
> http://comments.gmane.org/gmane.comp.file-systems.openafs.general/19094
> and I tried the same trick with ktutil but it did no change:
>
> ----- s n i p -----
> root@<afsserver>:/usr/afs/etc# asetkey list
> kvno 3: key is: e9801968ba2aada4
> All done.
> root@<afsserver>:/usr/afs/etc# asetkey delete 3
> root@<afsserver>:/usr/afs/etc# asetkey list
> All done.
> root@<afsserver>:/usr/afs/etc# ktutil
> ktutil: addent -password -p afs/<cell>@<REALM> -k 3 -e des-cbc-crc
> Password for afs/<cell>@<REALM>:
> ktutil: wkt ./keytab.file
> ktutil: quit
> root@<afsserver>:/usr/afs/etc# asetkey add 3 keytab.file afs/<cell>@<REALM>
> root@<afsserver>:/usr/afs/etc# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@<cell> [Expires Jan 9 17:51]
> --End of list--
> root@<afsserver>:/usr/afs/etc# unlog
> root@<afsserver>:/usr/afs/etc# bos restart localhost -all -localauth
> root@<afsserver>:/usr/afs/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@<REALM>
>
> Valid starting Expires Service principal
> 01/09/07 11:11:00 01/09/07 17:51:00 krbtgt/<REALM>@<REALM>
> 01/09/07 11:11:07 01/09/07 17:51:00 afs/<cell>@<REALM>
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> root@<afsserver>:/usr/afs/etc# kdestroy
> root@<afsserver>:/usr/afs/etc# kinit admin
> Password for admin@<REALM>:
> root@<afsserver>:/usr/afs/etc# aklog
> root@<afsserver>:/usr/afs/etc# pts listentries
> Name ID Owner Creator
> pts: security object was passed a bad ticket ; unable to list entries
>
> root@<afsserver>:/usr/afs/etc#
> root@<afsserver>:/usr/afs/etc# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: admin@<REALM>
>
> Valid starting Expires Service principal
> 01/09/07 11:15:42 01/09/07 17:55:42 krbtgt/<REALM>@<REALM>
> 01/09/07 11:15:48 01/09/07 17:55:42 afs/<cell>@<REALM>
>
>
> Kerberos 4 ticket cache: /tmp/tkt0
> klist: You have no tickets cached
> root@<afsserver>:/usr/afs/etc# tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1) tokens for afs@<cell> [Expires Jan 9 17:55]
> --End of list--
> root@<afsserver>:/usr/afs/etc#
> ----- s n i p -----
>
> I've inquired what version of ktpass.exe/OS they're running
> on the AD, but haven't got a reply yet (probably lunch :)...
>
>
> Just if it matters, I compared the keyfiles as well.
>
> ----- s n i p -----
> root@nnwux002:/usr/afs/etc# klist -k unixkeytab -t -K
> Keytab name: FILE:unixkeytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 3 01/01/70 01:00:00 afs/<cell>@<REALM> (0xe9801968ba2aada4)
> root@nnwux002:/usr/afs/etc# klist -k keytab.file -t -K
> Keytab name: FILE:keytab.file
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 3 01/09/07 11:14:13 afs/<cell>@<REALM> (0x83dab01c6bb03701)
> root@nnwux002:/usr/afs/etc#
> ----- s n i p -----
>
> They ARE different, but since neither works... ? Did I miss restarting
> something? I've been waiting for more than the 'AD sync time' so it
> can't be that...
>
> And the time is synchronized with ntpdate from the same NTPd as
> the AD once every hour...
>
>
> PS. I just noticed the timestamp on 'unixkeytab'... Might be nothing,
> but...
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
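The thread above compares two keytabs by hand with `klist -k -t -K` and `asetkey list`, and turns on a handful of fields in them: the key bytes, the kvno, the name type that ktpass warned about (`ptype 0`, KRB5_NT_UNKNOWN) and the 01/01/70 timestamp Turbo noticed. The following is an added example written for this page; it is not code from the original post, from OpenAFS or from MIT Kerberos. It reads the version 0x502 keytab format that ktpass and ktutil both wrote here, reports the same fields, and flags the things a defender would want to check before feeding such a keytab to `asetkey`: single-DES enctypes, an unknown name type, a zero timestamp and DES key bytes that fail the odd-parity rule (a sign the key was mangled on the way). The principal, realm, timestamp and key bytes in the sample are constructed placeholders, not values from the thread, and the `build_keytab` helper exists only so the sample is self-contained.

```python
import struct
from dataclasses import dataclass

# Added example for this thread: a reader for MIT-style 0x502 keytabs that
# reproduces the "klist -k -t -K" comparison and audits the fields discussed.

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
            23: "arcfour-hmac"}
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 3: "KRB5_NT_SRV_HST"}
SINGLE_DES = {1, 2, 3}   # single-DES enctypes, 8-byte keys


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, off):
    """Read a 16-bit length-prefixed octet string at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n].decode(), off + n


def parse_keytab(data):
    """Parse a version 0x502 keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a 0x502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                       # negative size marks a deleted slot
            off += -size
            continue
        rec, p = data[off:off + size], 0
        (ncomp,) = struct.unpack_from(">H", rec, p); p += 2   # realm not counted in v2
        realm, p = _counted(rec, p)
        comps = []
        for _ in range(ncomp):
            c, p = _counted(rec, p)
            comps.append(c)
        name_type, ts, vno8 = struct.unpack_from(">iIB", rec, p); p += 9
        enctype, klen = struct.unpack_from(">HH", rec, p); p += 4
        key = rec[p:p + klen]; p += klen
        kvno = vno8
        if p + 4 <= len(rec):              # optional 32-bit kvno trails the key block
            (vno32,) = struct.unpack_from(">I", rec, p)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm,
                                   name_type, ts, kvno, enctype, key))
        off += size
    return entries


def build_keytab(entries):
    """Inverse of parse_keytab; used here only to construct sample input."""
    out = b"\x05\x02"
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        rec = struct.pack(">H", len(comps))
        for s in [realm] + comps:
            rec += struct.pack(">H", len(s)) + s.encode()
        rec += struct.pack(">iIBHH", e.name_type, e.timestamp, e.kvno & 0xFF,
                           e.enctype, len(e.key)) + e.key
        rec += struct.pack(">I", e.kvno)
        out += struct.pack(">i", len(rec)) + rec
    return out


def des_parity_ok(key):
    """Every byte of a DES key carries odd parity; a failure means the key was mangled."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def audit(entry):
    """Warnings a defender would want to see for one keytab entry."""
    warnings = []
    if entry.enctype in SINGLE_DES:
        warnings.append("single-DES key (%s): weak; only kept for the old AFS KeyFile"
                        % ENCTYPES.get(entry.enctype, entry.enctype))
        if not des_parity_ok(entry.key):
            warnings.append("DES key bytes fail the odd-parity check: key is corrupt")
    if entry.name_type == 0:
        warnings.append("name type KRB5_NT_UNKNOWN (ktpass 'pType and account type do not match')")
    if entry.timestamp == 0:
        warnings.append("zero timestamp (01/01/70): writer recorded no creation time")
    return warnings


def same_key(kt_a, kt_b, principal, kvno):
    """True if both keytabs hold identical key bytes for principal/kvno."""
    def find(kt):
        return [e.key for e in kt if e.principal == principal and e.kvno == kvno]
    a, b = find(kt_a), find(kt_b)
    return bool(a) and bool(b) and a[0] == b[0]


# Constructed sample: one ktpass-style entry (name type 0, zero timestamp, des-cbc-md5)
# and one ktutil-style entry (des-cbc-crc). Keys are made-up, parity-correct bytes.
PRINC = "afs/example.cell@EXAMPLE.REALM"
KTPASS_KT = build_keytab([KeytabEntry(PRINC, 0, 0, 3, 3, bytes.fromhex("01020407080b0d0e"))])
KTUTIL_KT = build_keytab([KeytabEntry(PRINC, 1, 1168341253, 3, 1, bytes.fromhex("10131516191a1c1f"))])

if __name__ == "__main__":
    for label, kt in (("unixkeytab", KTPASS_KT), ("keytab.file", KTUTIL_KT)):
        for e in parse_keytab(kt):
            print(label, e.kvno, e.principal, ENCTYPES.get(e.enctype, e.enctype),
                  NAME_TYPES.get(e.name_type, e.name_type), e.timestamp, e.key.hex(), audit(e))
    print("same key:", same_key(parse_keytab(KTPASS_KT), parse_keytab(KTUTIL_KT), PRINC, 3))
```

Run against a real file with `parse_keytab(open("unixkeytab", "rb").read())`; `same_key` answers the question Turbo asked (whether the two keytabs actually carry the same key for kvno 3), and `audit` surfaces the ktpass name-type warning and the epoch timestamp without having to eyeball the `klist` output.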