The keytabs Brandon was referring to are host/ keytabs for the specific hosts where users are logging in. Upon receipt of the user's password, the PAM stack gets a TGT using the user's password, and then makes a TGS-REQ to get a service ticket for the host/ principal of the host in question. Only if that service ticket validates can the user be said to be authenticated. Merely receiving an AS-REP from the internet that decodes as a TGT+session key does not indicate authentication, since anyone on the network could send a packet that is properly formatted like that.
Also, there is no need for DES-CBC-CRC in any new Kerberos or OpenAFS installation; please do not use it.

-Ben

On Mon, 9 May 2016, zhaoxy...@ustc.edu.cn wrote:

>
> hi,
> ktpass -princ afs/pc....@pc.com -mapuser t...@pc.com -mapOp add -out afs.keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
> i use the ktpass command to create afs.keytab on windows ad and then copy the afs.keytab file to the openafs server, after that, i use the command 'asetkey add 3 afs.keytab afs/suzhou.powercore.com.cn' on openafs server, but it does not work.
>
> > -----Original Message-----
> > From: "Brandon Allbery" <ballb...@sinenomine.net>
> > Sent: 2016-05-10 03:16:51 (Tuesday)
> > To: "zhaoxy...@ustc.edu.cn" <zhaoxy...@ustc.edu.cn>, "Benjamin Kaduk" <ka...@mit.edu>
> > Cc: "openafs-info@openafs.org" <openafs-info@openafs.org>
> > Subject: RE: Re: Re: RE: [OpenAFS] ad+openafs
> >
> > Do your systems have keytabs on them, with host instances? Using Kerberos for login requires a validation step; it's not enough just to get a ticket, because it's an opaque blob that you can't verify directly (and so might have been injected by an attacker). The only way to validate it is to attempt to use it to authenticate to a service; so pam_krb5, after getting your TGT, uses it to get a service ticket for the host you're logging in to and then uses the copy of the service key in /etc/krb5.keytab to decrypt the service ticket. If this fails, login is rejected.
> >
> > If the host you're logging in to doesn't have a keytab then you will need to make one. I can't help you with this for AD, aside from noting that this will usually be created from an AD machine account, that is, joining the machine to the AD domain using e.g. Samba. (I think it is also possible to create the account directly and extract the keytab, but I don't know any details.)
> >
> > Winbind uses a different (and less secure: while it is encrypted, the key is fixed and well known) mechanism.
> >
> > -----Original Message-----
> > From: zhaoxy...@ustc.edu.cn [mailto:zhaoxy...@ustc.edu.cn]
> > Sent: Sunday, May 8, 2016 10:31 PM
> > To: Benjamin Kaduk <ka...@mit.edu>
> > Cc: openafs-info@openafs.org; Brandon Allbery <ballb...@sinenomine.net>
> > Subject: Re: Re: Re: RE: [OpenAFS] ad+openafs
> >
> > hi,
> > sorry, i need to add something.
> > i have three servers.
> > ad + kerberos win2008
> > nis server openafs server linux redhat 6.7
> > nis slave openafs client linux redhat 6.7
> > i can use the ad accounts to login the linux server and can get tokens. but the pam configuration with pam_krb5 seems not working. if i use ad+winbind+openafs, the pam configuration with pam_krb5 is working fine. do i miss some pam packages?
> >
> > > hi,
> > > i modified the /etc/pam.d/system-auth file, but it did not work, how can i debug this error? Are there any other files that need to be modified?
> > >
> > > [root@test-afs002 cai]# vi /etc/pam.d/system-auth
> > > #%PAM-1.0
> > > # This file is auto-generated.
> > > # User changes will be destroyed the next time authconfig is run.
> > > auth required pam_env.so
> > > auth sufficient pam_unix.so nullok try_first_pass
> > > auth requisite pam_succeed_if.so uid >= 500 quiet
> > > auth sufficient pam_krb5.afs.so use_first_pass ignore_root
> > > auth required pam_deny.so
> > >
> > > account required pam_unix.so broken_shadow
> > > account sufficient pam_succeed_if.so uid < 500 quiet
> > > account [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > > account [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
> > > account required pam_permit.so
> > >
> > > password requisite pam_cracklib.so try_first_pass retry=3 type=
> > > password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > > password sufficient pam_krb5afs.so use_authtok
> > > password sufficient pam_winbind.so cached_login use_authtok
> > > password required pam_deny.so
> > >
> > > session optional pam_keyinit.so revoke
> > > session required pam_limits.so
> > > session optional pam_oddjob_mkhomedir.so umask=0077
> > > session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > > session required pam_unix.so
> > > session optional pam_krb5afs.so
> > >
> > > ~
> > >
> > > > -----Original Message-----
> > > > From: "Benjamin Kaduk" <ka...@mit.edu>
> > > > Sent: 2016-05-06 23:17:46 (Friday)
> > > > To: zhaoxy...@ustc.edu.cn
> > > > Cc:
> > > > Subject: Re: RE: [OpenAFS] ad+openafs
> > > >
> > > > You should keep the list cc'd for this thread; there are many other people with more experience in this regard than me.
> > > >
> > > > That said, it sounds like you want pam_krb5 and pam_afs_session on the linux client, with some configuration knobs set accordingly.
> > > >
> > > > -Ben
> > > >
> > > > On Thu, 5 May 2016, zhaoxy...@ustc.edu.cn wrote:
> > > >
> > > > > hi,
> > > > > the system works now, but i want to get tokens when i login the linux system without input the kinit and aklog command, how can i achieve this goal? do i need to install some packages?
> > > > >
> > > > > software configuration : ad(win 2008 server ) + nis + openafs 1.6.14
> > > > >
> > > > > > -----Original Message-----
> > > > > > From: "Benjamin Kaduk" <ka...@mit.edu>
> > > > > > Sent: 2016-05-04 13:44:00 (Wednesday)
> > > > > > To: "Brandon Allbery" <ballb...@sinenomine.net>
> > > > > > Cc: "zhaoxy...@ustc.edu.cn" <zhaoxy...@ustc.edu.cn>, "openafs-info@openafs.org" <openafs-info@openafs.org>
> > > > > > Subject: RE: [OpenAFS] ad+openafs
> > > > > >
> > > > > > 1.6.14 doesn't need to have single-DES enabled; we shouldn't be recommending it. The rxkad.keytab method should work fine with AES keys.
> > > > > >
> > > > > > -Ben
> > > > > >
> > > > > > On Tue, 3 May 2016, Brandon Allbery wrote:
> > > > > >
> > > > > > > -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that DES is disabled somewhere. Note that the client library *also* needs DES enabled; you might need to add to the [libdefaults] section of /etc/krb5.conf on the RH system,
> > > > > > >
> > > > > > > allow_weak_crypto = true
> > > > > > >
> > > > > > > From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On Behalf Of zhaoxy...@ustc.edu.cn
> > > > > > > Sent: Tuesday, May 3, 2016 4:39 AM
> > > > > > > To: openafs-info@openafs.org
> > > > > > > Subject: [OpenAFS] ad+openafs
> > > > > > >
> > > > > > > hi
> > > > > > >
> > > > > > > i install openafs1.6.14 on redhat 6.7 and i want to use the ad as krb5 auth.
> > > > > > >
> > > > > > > here is my steps:
> > > > > > >
> > > > > > > 1 install openafs1.6.14 on redhat6.7
> > > > > > >
> > > > > > > 2 install ad on windows 2008 r2
> > > > > > >
> > > > > > > 3 ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \ -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \ -ptype KRB5_NT_PRINCIPAL +DumpSalt )
> > > > > > >
> > > > > > > 4 use kinit wang
> > > > > > >
> > > > > > > aklog
> > > > > > >
> > > > > > > [root@test-afs002 ]# klist -e -f
> > > > > > > Ticket cache: FILE:/tmp/krb5cc_0
> > > > > > > Default principal: w...@pc.com
> > > > > > >
> > > > > > > Valid starting Expires Service principal
> > > > > > > 05/03/16 16:26:46 05/04/16 02:26:33 krbtgt/pc....@pc.com
> > > > > > > renew until 05/10/16 16:26:46, Flags: FRIA
> > > > > > > Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > > > > > > 05/03/16 16:27:04 05/04/16 02:26:33 afs/pc....@pc.com
> > > > > > > renew until 05/10/16 16:26:46, Flags: FRA
> > > > > > > Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> > > > > > > [root@test-afs002 ]# ls /afs/pc.com/
> > > > > > > ls: cannot open directory /afs/pc.com/: Permission denied
> > > > > > > [root@test-afs002 ]#
> > > > > > >
> > > > > > > if Create a afs user in the AD as a normal user with the login afs, set user cannot change password, password never expires. Try to set "Use Kerberos DES encryption types for this account" on the Account tab.
> > > > > > > then when i use the command
> > > > > > >
> > > > > > > [root@test-afs002 ]# kinit wang
> > > > > > > Password for w...@pc.com:
> > > > > > > [root@test-afs002 ]# aklog
> > > > > > > aklog: Couldn't get pc.com AFS tickets:
> > > > > > > aklog: unknown RPC error (-1765328370) while getting AFS tickets
> > > > > > > [root@test-afs002 ]#
> > > > > > >
> > > > > > > i configure the ad follow the web https://wiki.openafs.org/win2008r2adaskdc/, but i can't find what is wrong with me? can you tell me?
> > > > > > >
> > > > > > > thanks
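The validation step Ben and Brandon describe, as an added model that is not code from this thread, OpenAFS or pam_krb5: a toy KDC, a toy login host, and an on-the-wire impostor answering AS-REQs, to show why accepting the AS-REP alone is unsafe and why only the host/ service ticket decrypted with the keytab key actually authenticates the user. The HMAC "seal" stands in for Kerberos ticket encryption, and every principal, key and the host name login.example.com is constructed for the example.

```python
import hashlib, hmac, json, os

def user_key(password):  # toy string-to-key; real Kerberos derives it with a salted KDF
    return hashlib.sha256(password.encode()).digest()

def seal(key, payload):  # stands in for ticket encryption: only a key holder can mint a valid blob
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):  # raises unless blob was sealed under exactly this key
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("does not decrypt under this key")
    return json.loads(body)

class KDC:  # the genuine KDC (AD in the thread): knows every principal's long-term key
    def __init__(self, keys):
        self.keys = keys
    def as_rep(self, user):  # AS-REP: session key under the user's key, TGT under the krbtgt key
        skey = os.urandom(16).hex()
        return {"enc_part": seal(self.keys[user], {"skey": skey}),
                "tgt": seal(self.keys["krbtgt"], {"cname": user, "skey": skey})}
    def tgs_rep(self, tgt, service):  # TGS-REP: service ticket sealed under the service's key
        t = unseal(self.keys["krbtgt"], tgt)
        return seal(self.keys[service], {"cname": t["cname"], "skey": t["skey"]})

class SpoofingKDC(KDC):  # "anyone on the network" answering AS-REQs without any real key
    def __init__(self, typed_password):
        self.typed = typed_password
    def as_rep(self, user):  # forged AS-REP that opens with whatever password was typed at login
        return {"enc_part": seal(user_key(self.typed), {"skey": "x"}), "tgt": b"junk"}
    def tgs_rep(self, tgt, service):  # cannot mint a ticket under the host key it does not have
        return seal(b"not-the-host-key", {"cname": "anyone", "skey": "x"})

def pam_krb5_login(kdc, user, password, host_keytab_key, verify=True):
    """Model of pam_krb5: AS exchange with the password, then the verify step via host/."""
    rep = kdc.as_rep(user)
    try:
        unseal(user_key(password), rep["enc_part"])  # does the AS-REP open with the typed password?
    except ValueError:
        return False
    if not verify:
        return True  # trusting the AS-REP alone: the spoofable shortcut the thread warns about
    svc = kdc.tgs_rep(rep["tgt"], "host/login.example.com")  # TGS-REQ for this host's own principal
    try:  # decrypt with the copy of the host key from /etc/krb5.keytab; wrong key -> reject login
        return unseal(host_keytab_key, svc)["cname"] == user
    except ValueError:
        return False

HOST_KEY = os.urandom(32)  # constructed sample keys: one user, one login host, one realm
KEYS = {"alice": user_key("correct horse"), "host/login.example.com": HOST_KEY, "krbtgt": os.urandom(32)}
```

With verify=False the impostor's AS-REP is accepted for any typed password; with the verify step it is rejected because the forged service ticket does not decrypt under HOST_KEY.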