Responses in-line...

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 05/10/2012 11:57 AM, Andrew Deason wrote:
On Thu, 10 May 2012 10:02:10 -0400
Jeff White<jaw...@pitt.edu>  wrote:

Now I tried to add support for the realm UNIV.PITT.EDU (the real one
running on Windows Server 2003 AD):
I thought it was Windows Server 2008 R2? Or was that just PITT.EDU?

My fake PITT.EDU cell runs on 2008 R2, UNIV.PITT.EDU is 2003.
[root@afs-dev-03 ~]# asetkey add 4 /var/tmp/afskerbuser.keytab afs/pitt....@univ.pitt.edu
How exactly did you generate this keytab?

The same way I did it on PITT.EDU:
ktpass -princ afs/pitt....@univ.pitt.edu -mapuser afskerbuser -pass * -crypto DES-CBC-CRC +rndpass /mapop add +desonly /ptype KRB5_NT_PRINCIPAL +dumpsalt -out afskerbuser.keytab
[jaw171@afs-dev-03 ~]$ aklog -d
'klist -e' after this? Though I expect that the ticket you've got is
fine.

You mean from the UNIV.PITT.EDU realm attempt?

[jaw171@afs-dev-03 ~]$ kinit jaw...@univ.pitt.edu
Password for jaw...@univ.pitt.edu:
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw...@univ.pitt.edu

Valid starting     Expires            Service principal
05/10/12 13:12:45  05/10/12 23:12:48  krbtgt/univ.pitt....@univ.pitt.edu
renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
[jaw171@afs-dev-03 ~]$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm UNIV.PITT.EDU.
Getting tickets: afs/pitt....@univ.pitt.edu
Using Kerberos V5 ticket natively
About to resolve name jaw171 to id in cell pitt.edu.
Id 354461
Set username to AFS ID 354461
Setting tokens. AFS ID 354461 /  @ UNIV.PITT.EDU
[jaw171@afs-dev-03 ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 354461) tokens for a...@pitt.edu [Expires May 10 23:12]
   --End of list--
[jaw171@afs-dev-03 ~]$ klist -e
Ticket cache: FILE:/tmp/krb5cc_354461
Default principal: jaw...@univ.pitt.edu

Valid starting     Expires            Service principal
05/10/12 13:12:45  05/10/12 23:12:48  krbtgt/univ.pitt....@univ.pitt.edu
renew until 05/17/12 13:12:45, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
05/10/12 13:12:59  05/10/12 23:12:48  afs/pitt....@univ.pitt.edu
renew until 05/17/12 13:12:45, Etype (skey, tkt): des-cbc-crc, des-cbc-md5
[jaw171@afs-dev-03 ~]$ touch /afs/pitt.edu/home/jaw171/foo3
# Hangs here....
Here it hangs forever and I see this being spit out to the console of
the machine as fast as it can:
afs: Tokens for user of AFS id 354461 for cell pitt.edu: rxkad
error=19270407
"The KeyFile data is wrong"

Hmm...wonder what it doesn't like.
So what's happening here?  Sometimes as I'm trying to do this I have
been able to get it to give a "Permission denied" on that touch rather
than hanging even though I have a token that should give me access.
The docs mention that the keys in the KeyFile need to be in ascending
order.
What page says this? It may just be describing the KeyFile format, in
that the keys are stored in ascending kvno order.

http://wiki.openafs.org/AFSLore/AdminFAQ/#3.51 Can I authenticate to my af: "since keys must be in ascending order in the AFSKeyFile (http://wiki.openafs.org/AFSLore/KeyFile/) it will be easiest if you make the new kvno higher than any existing key's kvno"

I also tried switching everything (/etc/krb5.conf, /usr/afs/etc/KeyFile, /usr/afs/etc/krb.conf, etc.) to just UNIV.PITT.EDU but that too did not work.
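The three things this thread turns on can be checked offline from the two files involved: that the KeyFile's kvnos are in ascending order, that each DES key in it has odd parity per byte and is not one of the DES weak or semi-weak keys (rxkad refuses such keys), and that the key stored under a given kvno is byte-for-byte the one the keytab holds for the afs/... principal at the same kvno and enctype. The script below is an added example and is not code from this thread or from OpenAFS; it parses the KeyFile layout (big-endian int32 count followed by int32 kvno plus 8-byte key per entry) and a version 2 MIT keytab, then reports any mismatch. The principal afs/example.org@EXAMPLE.ORG, the 8-slot KeyFile padding and the key bytes are assumptions constructed for the example.

```python
"""Cross-check an OpenAFS KeyFile against a Kerberos keytab (added example, not OpenAFS code)."""
import struct

DES_CBC_CRC = 1      # Kerberos enctype number for des-cbc-crc
KEYFILE_SLOTS = 8    # fixed slot count of the on-disk KeyFile struct (assumption)

# DES weak and semi-weak keys: rxkad rejects a KeyFile key in this set or one with bad parity.
DES_WEAK_KEYS = {bytes.fromhex(h) for h in (
    "0101010101010101", "fefefefefefefefe", "e0e0e0e0f1f1f1f1", "1f1f1f1f0e0e0e0e",
    "011f011f010e010e", "1f011f010e010e01", "01e001e001f101f1", "e001e001f101f101",
    "01fe01fe01fe01fe", "fe01fe01fe01fe01", "1fe01fe00ef10ef1", "e01fe01ff10ef10e",
    "1ffe1ffe0efe0efe", "fe1ffe1ffe0efe0e", "e0fee0fef1fef1fe", "fee0fee0fef1fef1")}


def build_keyfile(entries):
    """KeyFile layout: big-endian int32 nkeys, then nkeys x (int32 kvno, 8-byte DES key)."""
    out = struct.pack(">i", len(entries))
    for kvno, key in entries:
        out += struct.pack(">i8s", kvno, key)
    return out.ljust(4 + 12 * KEYFILE_SLOTS, b"\0")


def parse_keyfile(data):
    (nkeys,) = struct.unpack(">i", data[:4])
    return [struct.unpack(">i8s", data[4 + 12 * i:16 + 12 * i]) for i in range(nkeys)]


def build_keytab(entries):
    """Minimal MIT keytab, format 0x0502; entries are (principal, realm, kvno, enctype, key)."""
    out = b"\x05\x02"
    for princ, realm, kvno, etype, key in entries:
        comps = princ.encode().split(b"/")
        body = struct.pack(">HH", len(comps), len(realm)) + realm.encode()
        for c in comps:
            body += struct.pack(">H", len(c)) + c
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)      # name_type, timestamp, 8-bit vno
        body += struct.pack(">HH", etype, len(key)) + key    # keyblock
        body += struct.pack(">I", kvno)                      # 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out


def parse_keytab(data):
    """Return a list of (principal@REALM, kvno, enctype, key) from a 0x0502 keytab."""
    assert data[:2] == b"\x05\x02", "only keytab format version 2 handled"
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size

        def cstr():                   # counted octet string: uint16 length + bytes
            nonlocal pos
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2 + n
            return data[pos - n:pos]

        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        realm = cstr()
        comps = [cstr() for _ in range(ncomp)]
        pos += 8                      # skip name_type + timestamp
        vno8 = data[pos]
        pos += 1
        etype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        entries.append((b"/".join(comps).decode() + "@" + realm.decode(), kvno, etype, key))
    return entries


def check_keys(keyfile_data, keytab_data, princ):
    """Return a list of problems; an empty list means the KeyFile matches the keytab for princ."""
    problems = []
    kf = parse_keyfile(keyfile_data)
    kvnos = [k for k, _ in kf]
    if kvnos != sorted(kvnos):
        problems.append("KeyFile kvnos not in ascending order: %r" % kvnos)
    kt = {(p, kv): (et, key) for p, kv, et, key in parse_keytab(keytab_data)}
    for kvno, key in kf:
        if any(bin(b).count("1") % 2 == 0 for b in key):
            problems.append("kvno %d: DES key has bad parity" % kvno)
        if key in DES_WEAK_KEYS:
            problems.append("kvno %d: weak DES key" % kvno)
        ent = kt.get((princ, kvno))
        if ent is None:
            problems.append("kvno %d: no keytab entry for %s" % (kvno, princ))
        elif ent[0] != DES_CBC_CRC:
            problems.append("kvno %d: keytab enctype %d is not des-cbc-crc" % (kvno, ent[0]))
        elif ent[1] != key:
            problems.append("kvno %d: key bytes differ between KeyFile and keytab" % kvno)
    return problems


# Constructed data: hypothetical principal and made-up DES keys with odd parity in every byte.
PRINC = "afs/example.org@EXAMPLE.ORG"
GOOD_KEY = bytes.fromhex("132a456789abcdef")
OTHER_KEY = bytes.fromhex("fe13cdab89672a45")
KEYTAB = build_keytab([("afs/example.org", "EXAMPLE.ORG", 4, DES_CBC_CRC, GOOD_KEY)])
KEYFILE_OK = build_keyfile([(4, GOOD_KEY)])
KEYFILE_STALE = build_keyfile([(4, OTHER_KEY)])              # keytab re-generated, KeyFile not
KEYFILE_UNORDERED = build_keyfile([(4, GOOD_KEY), (3, OTHER_KEY)])

if __name__ == "__main__":
    for name, kf in (("ok", KEYFILE_OK), ("stale", KEYFILE_STALE), ("unordered", KEYFILE_UNORDERED)):
        print(name, check_keys(kf, KEYTAB, PRINC) or "matches keytab")
```

Point it at a real /usr/afs/etc/KeyFile and the keytab that was fed to asetkey to see whether the key under the kvno in question is really the one the KDC is issuing service tickets against; a re-run of ktpass with +rndpass changes the key in AD and the keytab, so a KeyFile written from an earlier keytab will fail exactly this byte comparison.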
