Hi there! Thanks for the replies! Removing the encryption types lines helped, and I got further. This is MIT Kerberos.
Here's some configuration info: Let's say my cell is going to be mydomain.com. My Active Directory is ad.mydomain.com, and my AFS service account is srvAFS. Here's my krb5.conf:

    [libdefaults]
        default_realm = AD.MYDOMAIN.COM
        default_keytab_name = FILE:/etc/krb5/krb5.keytab
        dns_lookup_realm = true
        dns_lookup_kdc = true
        forwardable = true

    [realms]
        AD.MYDOMAIN.COM = {
            kdc = ad.mydomain.com:88
            admin_server = ad.mydomain.com:749
            default_domain = ad.mydomain.com
        }

    [domain_realm]
        .ad.mydomain.com = AD.MYDOMAIN.COM
        ad.mydomain.com = AD.MYDOMAIN.COM

    [logging]
        kdc = FILE:/var/krb5/log/krb5kdc.log
        admin_server = FILE:/var/krb5/log/kadmin.log
        kadmin_local = FILE:/var/krb5/log/kadmin_local.log
        default = FILE:/var/krb5/log/krb5lib.log

I then created the service account srvAFS, and extracted a keytab on the Domain Controller using the following command:

    ktpass /princ afs/mydomain....@ad.mydomain.com /mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt

I verified that the account did not have the "Use only Kerberos DES encryption types for this account" box checked.

I then copied the rxkad.keytab over to the UNIX host. I built OpenAFS with a prefix of /opt/openafs, so I put the keytab in /opt/openafs/etc/openafs/server.

I used ktutil to delete the two DES entries in the keytab. ktutil indicates that the KVNO is 5.

I then added the keys to OpenAFS using the command:

    asetkey add rxkad_krb5 5 17 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com
    asetkey add rxkad_krb5 5 18 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com

Now I add an AD user to OpenAFS:

    pts createuser -name adUser -id 204 -localauth
    pts adduser adUser system:administrators -localauth

And I try to authenticate:

    kinit adUser

That gives me a password prompt, and it's accepted.
Then I run:

    aklog

Also accepted:

    # tokens
    Tokens held by the Cache Manager:

    User's (AFS ID 204) rxkad tokens for mydomain.com [Expires Aug 24 18:27]
       --End of list--

But things aren't quite working:

    # ls /afs
    afs: Tokens for user of AFS id 204 for cell mydomain.com are discarded (rxkad error=19270408, server 192.168.0.114)
    ls: /afs: The file access permissions do not allow the specified action.

    # kvno adu...@ad.mydomain.com
    kvno: Server not found in Kerberos database while getting credentials for adu...@ad.mydomain.com

    # vos listvol myserver
    Could not fetch the list of partitions from the server
    rxk: ticket contained unknown key version number
    Error in vos listvol command.
    rxk: ticket contained unknown key version number

    # kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab
    kinit: Cannot determine realm for host (principal host/myserver.mydomain.com@)

    # kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain....@ad.mydomain.com

    # kvno afs/mydomain....@ad.mydomain.com
    afs/mydomain....@ad.mydomain.com: kvno = 5

Did I miss something, or make a mistake along the way somewhere?

Thank you so much!!

-Ben

________________________________
From: Jeffrey E Altman
Sent: Wednesday, August 24, 2022 5:02 AM
To: Ben Huntsman; openafs-info@openafs.org
Subject: Re: [OpenAFS] Kerberos + Windows

On 8/23/2022 9:24 PM, Ben Huntsman (b...@huntsmans.net) wrote:

> Hi guys-
> Does anyone have a working krb5.conf that works with Windows 2012 R2 or newer? The docs do show how to set up using the new scheme but assume Kerberos, not AD. I've tried a few different things but I can't seem to get default_tkt_enctypes and default_tks_enctypes set correctly.

Ben,

A krb5.conf is configuration for an MIT or Heimdal Kerberos client but not for a Microsoft Windows Kerberos client. Please clarify which Kerberos client implementation you are configuring.

I agree with Ken that default_tkt_enctypes and default_tks_enctypes should never be configured on clients.
Jeffrey Altman
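The "ticket contained unknown key version number" and token-discard errors in the thread are what a file server reports when the key it holds (kvno and enctype) does not match the key the KDC used for the service ticket. Before running asetkey, a cell admin wants to see exactly what the keytab produced by ktpass contains: which enctypes are present for the afs/ principal, whether any DES or RC4 entries survived, and whether every entry carries the kvno that asetkey will be given. The following is an added example, not code from the thread or from OpenAFS or MIT Kerberos: a small parser for the MIT keytab file format (version 0x0502) plus an audit routine. The sample keytab is constructed in memory with dummy all-zero keys; the principal and realm names are the thread's own, and the `audit_afs_keytab` checks (weak enctypes, kvno disagreement, missing AES types) are this example's assumptions about what is worth flagging.

```python
import struct
from dataclasses import dataclass

# Enctype numbers as assigned in RFC 3961/3962 and MIT's krb5.h
ENCTYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 16, 23}   # single DES, 3DES, RC4
KRB5_NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str                  # "afs/cell@REALM"
    kvno: int
    enctype: int
    key: bytes
    timestamp: int = 0
    name_type: int = KRB5_NT_PRINCIPAL


def build_keytab(entries):
    """Serialize entries as a version-0x0502 keytab (used here only to construct a fixture)."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))      # component count excludes realm
        for s in [realm, *comps]:                            # counted octet strings
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
        body += struct.pack(">HH", e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)                     # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a version-0x0502 keytab; negative-length slots are deleted entries and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab format version")
    pos, entries = 2, []

    def octets():
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n]
        pos += n
        return s.decode()

    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # hole left by a removed entry
            pos += -size
            continue
        if size == 0:
            break
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm = octets()
        comps = [octets() for _ in range(ncomp)]
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos)
        pos += 4
        key = data[pos:pos + klen]
        pos += klen
        kvno = vno8
        if end - pos >= 4:               # 32-bit vno wins over the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, enctype, key, ts, name_type))
    return entries


def audit_afs_keytab(entries, principal, expected_kvno):
    """Findings to review before asetkey: weak enctypes, kvno mismatch, missing AES entries."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return [f"no entries for {principal}"]
    findings = []
    for e in mine:
        if e.enctype in WEAK_ENCTYPES:
            findings.append(f"weak enctype {e.enctype} ({ENCTYPE_NAMES.get(e.enctype, '?')}) at kvno {e.kvno}")
        if e.kvno != expected_kvno:
            findings.append(f"enctype {e.enctype} has kvno {e.kvno}, but asetkey would be given {expected_kvno}")
    present = {e.enctype for e in mine}
    findings += [f"missing enctype {t} ({ENCTYPE_NAMES[t]})" for t in (17, 18) if t not in present]
    return findings


# Constructed fixture: what "ktpass /crypto all" leaves behind, plus one stale aes256 key from an older kvno
AFS_PRINC = "afs/mydomain.com@AD.MYDOMAIN.COM"
SAMPLE = build_keytab([
    KeytabEntry(AFS_PRINC, 5, 3, bytes(8)),     # des-cbc-md5, should be removed
    KeytabEntry(AFS_PRINC, 5, 23, bytes(16)),   # rc4-hmac, should be removed
    KeytabEntry(AFS_PRINC, 5, 17, bytes(16)),   # aes128, matches kvno 5
    KeytabEntry(AFS_PRINC, 4, 18, bytes(32)),   # aes256 at kvno 4, a mismatch asetkey would not catch
])

if __name__ == "__main__":
    for finding in audit_afs_keytab(parse_keytab(SAMPLE), AFS_PRINC, 5):
        print(finding)
```

Run against a real keytab by replacing `SAMPLE` with the file contents; the parser also tolerates the negative-length holes that kadmin's ktremove leaves in place, which `ktutil list` silently skips. The audit deliberately reports a kvno that differs from the one passed to asetkey, because asetkey only reads the entry for the kvno and enctype it is told and will not warn that a newer or older key for the same principal sits next to it.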