On 8/24/2022 12:53 PM, Ben Huntsman (b...@huntsmans.net) wrote:
Here's some configuration info:Let's say my cell is going to be mydomain.com. My Active Directory is ad.mydomain.com, and my AFS service account is srvAFS.
When installing Active Directory for a domain "mydomain.com" it is best if the Active Directory domain is "MYDOMAIN.COM" instead of "AD.MYDOMAIN.COM". This is because Kerberos clients will attempt to use the DNS name of the host as the Kerberos realm name. The use of "AD.MYDOMAIN.COM" or "WIN.MYDOMAIN.COM" naming is common only in cases where there is a pre-existing Kerberos realm for "MYDOMAIN.COM".
Here's my krb5.conf: [libdefaults] default_realm = AD.MYDOMAIN.COM default_keytab_name = FILE:/etc/krb5/krb5.keytab dns_lookup_realm = true dns_lookup_kdc = true forwardable = true [realms] AD.MYDOMAIN.COM = { kdc = ad.mydomain.com:88 admin_server = ad.mydomain.com:749 default_domain = ad.mydomain.com } [domain_realm] .ad.mydomain.com = AD.MYDOMAIN.COM ad.mydomain.com = AD.MYDOMAIN.COM
You also need to add .mydomain.com = AD.MYDOMAIN.COM mydomain.com = AD.MYDOMAIN.COMsince the Kerberos realm is not the same as the DNS domain name used for the AFS service principal.
[logging] kdc = FILE:/var/krb5/log/krb5kdc.log admin_server = FILE:/var/krb5/log/kadmin.log kadmin_local = FILE:/var/krb5/log/kadmin_local.log default = FILE:/var/krb5/log/krb5lib.logI then created the service account srvAFS, and extracted a keytab on the Domain Controller using the following command:ktpass /princ afs/mydomain....@ad.mydomain.com /mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype KRB5_NT_PRINCIPAL +dumpsalt
The use of "afs/mydomain....@ad.mydomain.com" is correct. The "a...@ad.mydomain.com" service principal name should no longer be used and must never be used with Active Directory.
I verified that the account did not have the "Use only Kerberos DES encryption types for this account" box checked. I then copied the rxkad.keytab over to the UNIX host. I built OpenAFS with a prefix of /opt/openafs, so I put the keytab in /opt/openafs/etc/openafs/serverI used ktutil to delete the two des entries in the keytab. ktutil indicates that the KVNO is 5.I then added the keys to OpenAFS using the command:asetkey add rxkad_krb5 5 17 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com asetkey add rxkad_krb5 5 18 /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain.com
For an Active Directory realm you most likely also need to add rc4-hmac, enctype 23.
Did the above "asetkey" commands succeed? Since the cell is named "mydomain.com" I would expect asetkey to expand "afs/mydomain.com" to "afs/mydomain....@mydomain.com" which is not going to be present in the rxkad.keytab file.
What is the output of "asetkey list" after the above commands were executed?
But things aren't quite working: # ls /afsafs: Tokens for user of AFS id 204 for cell mydomain.com are discarded (rxkad error=19270408, server 192.168.0.114)ls: /afs: The file access permissions do not allow the specified action. # kvno adu...@ad.mydomain.comkvno: Server not found in Kerberos database while getting credentials for adu...@ad.mydomain.com
This is not expected to work.
# vos listvol myserver Could not fetch the list of partitions from the server rxk: ticket contained unknown key version number Error in vos listvol command. rxk: ticket contained unknown key version number
19270408 = rxk: ticket contained unknown key version numberIt means the OpenAFS servers are not finding the expected key entry. There is not a match for the combination of enctype and key version number and name.
# kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab afs/mydomain....@ad.mydomain.comThe above command is using the afs/mydomain....@ad.mydomain.com keytab entry to obtain a client Ticket Granting Ticket. I doubt that is what you intended.
Instead you wanted to "kinit" using a client principal and then execute the kvno command below.
# kvno afs/mydomain....@ad.mydomain.com afs/mydomain....@ad.mydomain.com: kvno = 5
In addition to the key version number you also need to know the encryption type used to encrypt the service private portion of the afs/mydomain....@ad.mydomain.com service ticket. It is that encryption type which does not need to match either the encryption type used to encrypt the client private portion of the ticket or the session key which needs to match the keys added via asetkey.
After adding the keys via "asetkey" did you install KeyFileExt on every server in the cell?
Did you restart the services or touch the server instance of the CellServDB file to force the new keys to be loaded?
Did I miss something, or make a mistake along the way somewhere?
Ben mentions in a separate reply that the OpenAFS krb.conf file needs to be created and specify the local authentication realm as "AD.MYDOMAIN.COM". Failure to do so will prevent authorization from succeeding but would not result in a key version not found error.
Jeffrey Altman
smime.p7s
Description: S/MIME Cryptographic Signature