Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Douglas E. Engert



On 1/5/2012 2:49 PM, Jeff White wrote:

On 01/05/2012 02:27 PM, Douglas E. Engert wrote:

Another tool that could help is Wireshark to get network traces.
It does a very nice job of formatting the Kerberos packets, and can
show problems with KDC, principal, enc-type, kvno and cross realm issues.

One other long shot to look at, is the realm of the AFS server.

Jeff Altman said in 2007:
> Where you will experience great pain is if the realm derived
> from the name of the db servers does not match the authentication
> realm of the cell. The heuristic used by aklog to obtain the
> correct service ticket is to perform a domain to realm mapping
> on the hostname of the first db server. This is either derived
> from the hostname itself or by looking at the domain_realm
> section of the local machine's krb5.conf file.

So it could be looking for CSSD.PITT.EDU


On 1/5/2012 12:14 PM, Jeff White wrote:

On 01/05/2012 12:02 PM, Andrew Deason wrote:

On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White wrote:


1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ
afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto
DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
afs/adtest.dementia@ad.dementia.org

Why didn't he use the logon name afs-adtest in that ktpass command?

I don't have that presentation in front of me, but that may have just
been a mistake.


Where did 'afs/adtest.dementia@ad.dementia.org' come from,
particularly the 'afs/adtest.dementia.org' part? His logon name is
not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/adtest.dementia@ad.dementia.org to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.


$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?


Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain Controllers 
container.

Andrew Deason:
Bah, there was a DNS problem. I fixed that and I'm back to the first error. I 
made sure to use the principal afs/pitt@pitt.edu for the principal in the 
keytab which should be correct (user is afs,
cell is pitt.edu, realm is PITT.EDU). This is on RHEL 6.1 x64 and should be 
using MIT's Kerberos implementation for the client as provided by RedHat.

[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V jaw...@pitt.edu
Using default cache: /tmp/krb5cc_0
Using principal: jaw...@pitt.edu
Password for jaw...@pitt.edu:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw...@pitt.edu

Valid starting Expires Service principal
01/05/12 12:48:35 01/05/12 22:48:37 krbtgt/pitt@pitt.edu
renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328370


That is:
#define KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370L)

Look at the AD account for the afs/pitt@pitt.edu principal.

W2008 introduces the attribute msDS-supportedEncryptionTypes
 http://msdn.microsoft.com/en-us/library/cc223853(v=prot.10).aspx
to give more flexibility in setting the enc-types for a principal.

It could be that this is allowing AES and RC4 but not DES
because ktpass set this attribute, or because ktpass did not set the
ADS_UF_USE_DES_KEY_ONLY bit in the userAccountControl attribute.

 http://msdn.microsoft.com/en-us/library/windows/desktop/ms680832(v=vs.85).aspx

Try setting msDS-supportedEncryptionTypes to 2.
i.e. DES_CBC_MD5

On our 2008 DCs, the afs account does not have the
msDS-supportedEncryptionTypes set at all, but the
ADS_UF_USE_DES_KEY_ONLY is set in the userAccountControl
and may have been grandfathered in as our AFS account was created
when we had W2000 DCs (We also use msktutil to add service accounts
and create keytabs rather than ktpass.)



aklog: Cou
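
As an added example (not code from the list, from OpenAFS or from Microsoft), here is a small Python model of the two gates Douglas describes above: the per-account msDS-supportedEncryptionTypes bitmask / ADS_UF_USE_DES_KEY_ONLY flag, and the DC-level "is DES allowed at all" policy that the GPO in this thread toggles. The bit values and the flag value are the documented ones; the rule for an account with the attribute unset, and the `kdc_allows_des` switch, are simplifying assumptions chosen so that the working account (attribute unset, DES-only flag set) and the suspected failing one (AES and RC4 but no DES) come out the way the thread reports.

```python
"""Model of the encryption-type checks an Active Directory KDC applies before
issuing a service ticket, written to explain the KRB5KDC_ERR_ETYPE_NOSUPP that
aklog reported in this thread.  Added example: not OpenAFS or Microsoft code.
The defaulting rule in account_etypes() and the kdc_allows_des switch are
simplifying assumptions, not a transcript of the real KDC logic."""

# Bit values of the msDS-SupportedEncryptionTypes attribute.
MSDS_ETYPE_BITS = {
    0x01: "DES_CBC_CRC",
    0x02: "DES_CBC_MD5",
    0x04: "RC4_HMAC",
    0x08: "AES128_CTS_HMAC_SHA1_96",
    0x10: "AES256_CTS_HMAC_SHA1_96",
}
DES_ETYPES = ("DES_CBC_CRC", "DES_CBC_MD5")

# ADS_UF_USE_DES_KEY_ONLY from the ADS_USER_FLAG enumeration (userAccountControl).
ADS_UF_USE_DES_KEY_ONLY = 0x200000
# ADS_UF_NORMAL_ACCOUNT, used only to build realistic sample accounts below.
ADS_UF_NORMAL_ACCOUNT = 0x200


def decode_supported_etypes(value):
    """Expand a msDS-SupportedEncryptionTypes bitmask into etype names."""
    return [name for bit, name in sorted(MSDS_ETYPE_BITS.items()) if value & bit]


def account_etypes(ms_ds_supported_etypes, user_account_control):
    """Etypes the KDC will use for this account's service tickets.

    Simplified model (assumption): an explicit attribute value wins; when the
    attribute is unset, the DES-only flag selects the two DES etypes and
    otherwise the account gets RC4 only.
    """
    if ms_ds_supported_etypes is not None:
        return decode_supported_etypes(ms_ds_supported_etypes)
    if user_account_control & ADS_UF_USE_DES_KEY_ONLY:
        return list(DES_ETYPES)
    return ["RC4_HMAC"]


def issue_service_ticket(ms_ds_supported_etypes, user_account_control,
                         requested_etypes, kdc_allows_des):
    """Return ('OK', etype) for the first requested etype the KDC can honour,
    or ('KRB5KDC_ERR_ETYPE_NOSUPP', None) when none is usable.

    kdc_allows_des models the domain-controller DES policy: even an account
    configured for DES gets no DES ticket while that policy is off.
    """
    allowed = account_etypes(ms_ds_supported_etypes, user_account_control)
    for etype in requested_etypes:
        if etype not in allowed:
            continue
        if etype in DES_ETYPES and not kdc_allows_des:
            continue
        return ("OK", etype)
    return ("KRB5KDC_ERR_ETYPE_NOSUPP", None)


def diagnose(ms_ds_supported_etypes, user_account_control, requested_etypes,
             kdc_allows_des):
    """One-line explanation separating the 'account' and 'server' halves of
    the failure, so an admin knows which attribute or policy to look at."""
    status, etype = issue_service_ticket(ms_ds_supported_etypes,
                                         user_account_control,
                                         requested_etypes, kdc_allows_des)
    if status == "OK":
        return f"ticket would be issued with {etype}"
    allowed = account_etypes(ms_ds_supported_etypes, user_account_control)
    wants_des = any(e in DES_ETYPES for e in requested_etypes)
    if wants_des and any(e in DES_ETYPES for e in allowed) and not kdc_allows_des:
        return "account permits DES but DES is disabled on the KDC"
    return (f"account permits only {', '.join(allowed)}; set the "
            f"msDS-SupportedEncryptionTypes bits for {', '.join(requested_etypes)}")


if __name__ == "__main__":
    # Constructed sample accounts mirroring the two cases in the thread.
    working = (None, ADS_UF_NORMAL_ACCOUNT | ADS_UF_USE_DES_KEY_ONLY)
    suspect = (0x1C, ADS_UF_NORMAL_ACCOUNT)  # AES256 | AES128 | RC4, no DES
    for account in (working, suspect):
        print(diagnose(*account, ["DES_CBC_MD5"], kdc_allows_des=True))
```

Run as a script it prints one diagnosis per sample account; the functions are the reusable part, for example fed from the attribute values an LDAP query returns for the account an SPN is mapped to.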

Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeffrey Altman
On 1/5/2012 3:49 PM, Jeff White wrote:
> Valid starting       Expires             Service principal
> 01/05/12 15:28:51  01/06/12 01:28:54  krbtgt/pitt@pitt.edu
> renew until 01/12/12 15:28:51
> [root@afs-dev-03 ~]# aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt@pitt.edu
> Kerberos error code returned by get_cred : -1765328370
> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328370) while getting AFS tickets

Your error is "KDC has no support for encryption type".  Therefore,
either DES is not configured for the account the SPN
"afs/pitt@pitt.edu" is mapped to OR DES is still disabled for the
server.






Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeff White

On 01/05/2012 02:27 PM, Douglas E. Engert wrote:

Another tool that could help is Wireshark to get network traces.
It does a very nice job of formatting the Kerberos packets, and can
show problems with KDC, principal, enc-type, kvno and cross realm issues.

One other long shot to look at, is the realm of the AFS server.

Jeff Altman said in 2007:
>  Where you will experience great pain is if the realm derived
>  from the name of the db servers does not match the authentication
>  realm of the cell.   The heuristic used by aklog to obtain the
>  correct service ticket is to perform a domain to realm mapping
>  on the hostname of the first db server.  This is either derived
>  from the hostname itself or by looking at the domain_realm
>  section of the local machine's krb5.conf file.

So it could be looking for CSSD.PITT.EDU


On 1/5/2012 12:14 PM, Jeff White wrote:

On 01/05/2012 12:02 PM, Andrew Deason wrote:

On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White  wrote:


1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ
afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto
DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
afs/adtest.dementia@ad.dementia.org

Why didn't he use the logon name afs-adtest in that ktpass command?

I don't have that presentation in front of me, but that may have just
been a mistake.


Where did 'afs/adtest.dementia@ad.dementia.org' come from,
particularly the 'afs/adtest.dementia.org' part? His logon name is
not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/adtest.dementia@ad.dementia.org to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.


$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?


Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain Controllers 
container.

Andrew Deason:
Bah, there was a DNS problem. I fixed that and I'm back to the first error. I 
made sure to use the principal afs/pitt@pitt.edu for the principal in the 
keytab which should be correct (user is afs,
cell is pitt.edu, realm is PITT.EDU). This is on RHEL 6.1 x64 and should be 
using MIT's Kerberos implementation for the client as provided by RedHat.

[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V jaw...@pitt.edu
Using default cache: /tmp/krb5cc_0
Using principal: jaw...@pitt.edu
Password for jaw...@pitt.edu:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw...@pitt.edu

Valid starting Expires Service principal
01/05/12 12:48:35 01/05/12 22:48:37 krbtgt/pitt@pitt.edu
renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

Yea, I shouldn't be getting user tickets/token as root but whatever, this is 
just a test box and a test principal.

I was sent the URL http://openafs-wiki.stanford.edu/AFSLore/win2008r2adaskdc/ 
by Lars Schimmer but making the registry change it said was needed made it so I 
can no longer log into my DC at all, even
on the console. Time to wipe out the DC and start everything over again.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


aklog says it is using the realm PITT.EDU, not CSSD.PITT.EDU, so that's 
not the issue.  I tried several more times to export the key from AD and 
import it into AFS but I get the same error every time I try to aklog.


The only other thing I have found talks about creating the key 
KdcUseRequestedEtypesForTickets in 
HKLM\SYSTEM\CurrentControlSet\services\kdc and settin

Re: [OpenAFS] Strange AFS update behavior.

2012-01-05 Thread Jeffrey Altman
It's a bug.

I'm fairly sure the problem is due to the Windows page cache contents
not being updated because IIS already has the data in memory and there
are no new file extents or file handles being opened.

Jeffrey Altman

On 1/5/2012 3:02 PM, Hugh Caldwell wrote:
> The cache not updating on my Windows 2008 R2 servers is still a
> persistent problem.  
> 
> I believe the problem may be related to IIS. Some background on what
> I've been experiencing this week.
> 
> I have three servers running IIS 7.5 with the openafs 1.7.4 client. I
> have one website that is only served from one of these servers at a
> time. What I've seen in the last few days is the web developers will
> inform me that changes they have made to the website are not showing up.
> I checked the active server and the content is indeed not showing up but
> it is available on the two stand by servers. I flush the cache on the
> active server and everything is updated. The web developers then make
> more changes a few minutes later and now the changes will not show up on
> any of the three servers. Since I had just checked the two stand by
> servers this started up the application pools in IIS for the website on
> all three servers which is what leads me to believe this may be IIS
> related.
> 
> Could anyone provide me with ideas on troubleshooting and isolating this
> problem?
> 
> Hugh Caldwell
> Astor & Sanders
> EWeb Systems Administrator
> United States Geological Survey
> 703-648-6812 (Office)
> 703-598-3472 (Cellular)
> hcaldw...@usgs.gov
> Room 2C123B
> 
> - Forwarded by Hugh Caldwell/GIO/CONT/USGS/DOI on 01/05/2012 02:50
> PM -
> From: Hugh Caldwell/GIO/CONT/USGS/DOI
> To:   openafs-info@openafs.org
> Date: 12/29/2011 05:41 PM
> Subject:  RE: [OpenAFS] Strange AFS update behavior.
> 
> The problem resurfaced again on my servers running 1.7.4 today. These
> are IIS 7.5 servers and the file in question was an aspx file.
> 
> Navigating to the directory in powershell I see the file has the
> correct time stamp. Opening the file in notepad I see the old file.
> 
> Performing fs flushv on the directory allows me to open the correct file
> in notepad but IIS continues to serve the old file as if it hasn't
> received notification of the file change.
> 
> 
> Hugh Caldwell
> Astor & Sanders
> EWeb Systems Administrator
> United States Geological Survey
> 703-648-6812 (Office)
> 703-598-3472 (Cellular)
> hcaldw...@usgs.gov
> Room 2C123B
> 
> 
> 
> From: Hugh Caldwell 
> To:   Anders Hannus 
> Cc:   Lars Schimmer ,
> "openafs-info@openafs.org" ,
> openafs-info-ad...@openafs.org
> Date: 12/29/2011 09:54 AM
> Subject:  RE: [OpenAFS] Strange AFS update behavior.
> Sent by:  openafs-info-ad...@openafs.org
> 
> I've updated all three of my servers to 1.7.4 and have not heard back
> from my users about update issues. Things are very quiet around here the
> last couple weeks so I wouldn't say definitively that the problem has
> been resolved as I became aware of the issues when users reported the
> inconsistencies.
> 
> I also can't really test the issue since the updates not showing up
> happened inconsistently between the servers.
> 
> Hugh Caldwell
> Astor & Sanders
> EWeb Systems Administrator
> United States Geological Survey
> 703-648-6812 (Office)
> 703-598-3472 (Cellular)
> hcaldw...@usgs.gov
> Room 2C123B
> 
> 
> From: Anders Hannus 
> To:   Lars Schimmer , "openafs-info@openafs.org"
> 
> Date: 12/29/2011 02:23 AM
> Subject:  RE: [OpenAFS] Strange AFS update behavior.
> Sent by:  openafs-info-ad...@openafs.org
> 
> Did upgrading to 1.7.4 fix this issue?
> 
> I have had reports on similar issues on our Windows 7 lab computers
> (with 1.7.1 and maybe 1.7.2). After upgrading to 1.7.3 I have not heard
> of this but that might not mean that the issue is gone. I have never
> been able to replicate it myself though. This and the next week we will
> upgrade to 1.7.4 and hope that it will perform even better.
> 
> /Anders Hannus
> Luleå technical university
> 
> -Original Message-
> From: openafs-info-ad...@openafs.org
> [mailto:openafs-info-admin@openafs.org] On Behalf Of Lars Schimmer
> Sent: 22 December 2011 17:08
> To: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Strange AFS update behavior.
> 
> On 16.12.2011 22:55, Hugh Caldwell wrote:
>> I have three Windows 2008 R2 servers running openafs 1.7.1 and one of
>> them seems to have trouble updating the cache. Navigating to the AFS
>> directories in powershell shows the modified date and file size on the
>> files to be identical. However when I open the file in an editor on
>> the problem server it opens the old file. Flushing the volume resolves
>> the issue. 

[OpenAFS] Re: Strange AFS update behavior.

2012-01-05 Thread Andrew Deason
On Thu, 5 Jan 2012 15:02:01 -0500
Hugh Caldwell  wrote:

> Could anyone provide me with ideas on troubleshooting and isolating
> this problem?

First of all, do the IP addresses for the servers in question appear in
FileLog anywhere?

-- 
Andrew Deason
adea...@sinenomine.net



[OpenAFS] Strange AFS update behavior.

2012-01-05 Thread Hugh Caldwell
The cache not updating on my Windows 2008 R2 servers is still a persistent 
problem. 

I believe the problem may be related to IIS. Some background on what I've 
been experiencing this week.

I have three servers running IIS 7.5 with the openafs 1.7.4 client. I have 
one website that is only served from one of these servers at a time. What 
I've seen in the last few days is the web developers will inform me that 
changes they have made to the website are not showing up. I checked the 
active server and the content is indeed not showing up but it is available 
on the two stand by servers. I flush the cache on the active server and 
everything is updated. The web developers then make more changes a few 
minutes later and now the changes will not show up on any of the three 
servers. Since I had just checked the two stand by servers this started up 
the application pools in IIS for the website on all three servers which is 
what leads me to believe this may be IIS related.

Could anyone provide me with ideas on troubleshooting and isolating this 
problem?

Hugh Caldwell
Astor & Sanders
EWeb Systems Administrator
United States Geological Survey
 703-648-6812 (Office)
 703-598-3472 (Cellular)
hcaldw...@usgs.gov
Room 2C123B

- Forwarded by Hugh Caldwell/GIO/CONT/USGS/DOI on 01/05/2012 02:50 PM 
-

From: Hugh Caldwell/GIO/CONT/USGS/DOI
To: openafs-info@openafs.org
Date: 12/29/2011 05:41 PM
Subject: RE: [OpenAFS] Strange AFS update behavior.


The problem resurfaced again on my servers running 1.7.4 today. These are 
IIS 7.5 servers and the file in question was an aspx file.

Navigating to the directory in powershell I see the file has the 
correct time stamp. Opening the file in notepad I see the old file.

Performing fs flushv on the directory allows me to open the correct file 
in notepad but IIS continues to serve the old file as if it hasn't 
received notification of the file change.


Hugh Caldwell
Astor & Sanders
EWeb Systems Administrator
United States Geological Survey
 703-648-6812 (Office)
 703-598-3472 (Cellular)
hcaldw...@usgs.gov
Room 2C123B




From: Hugh Caldwell
To: Anders Hannus
Cc: Lars Schimmer, "openafs-info@openafs.org", openafs-info-ad...@openafs.org
Date: 12/29/2011 09:54 AM
Subject: RE: [OpenAFS] Strange AFS update behavior.
Sent by: openafs-info-ad...@openafs.org



I've updated all three of my servers to 1.7.4 and have not heard back from 
my users about update issues. Things are very quiet around here the last 
couple weeks so I wouldn't say definitively that the problem has been 
resolved as I became aware of the issues when users reported the 
inconsistencies. 

I also can't really test the issue since the updates not showing up 
happened inconsistently between the servers. 

Hugh Caldwell
Astor & Sanders
EWeb Systems Administrator
United States Geological Survey
703-648-6812 (Office)
703-598-3472 (Cellular)
hcaldw...@usgs.gov
Room 2C123B



From: Anders Hannus
To: Lars Schimmer, "openafs-info@openafs.org"
Date: 12/29/2011 02:23 AM
Subject: RE: [OpenAFS] Strange AFS update behavior.
Sent by: openafs-info-ad...@openafs.org




Did upgrading to 1.7.4 fix this issue?

I have had reports on similar issues on our Windows 7 lab computers (with 
1.7.1 and maybe 1.7.2). After upgrading to 1.7.3 I have not heard of this 
but that might not mean that the issue is gone. I have never been able to 
replicate it myself though. This and the next week we will upgrade to 
1.7.4 and hope that it will perform even better.

/Anders Hannus
Luleå technical university

-Original Message-
From: openafs-info-ad...@openafs.org [mailto:openafs-info-ad...@openafs.org] On Behalf Of Lars Schimmer
Sent: 22 December 2011 17:08
To: openafs-info@openafs.org
Subject: Re: [OpenAFS] Strange AFS update behavior.

On 16.12.2011 22:55, Hugh Caldwell wrote:
> I have three Windows 2008 R2 servers running openafs 1.7.1 and one of 
> them seems to have trouble updating the cache. Navigating to the AFS 
> directories in powershell shows the modified date and file size on the 
> files to be identical. However when I open the file in an editor on 
> the problem server it opens the old file. Flushing the volume resolves 
> the issue. Any ideas on what might be causing this behavior?

Try upgrading to 1.7.4.

> Thanks,
> 
> Hugh Caldwell
> Astor & Sanders
> EWeb Systems Administrator


Kind regards,
Lars Schimmer
--
TU Graz, Institut für ComputerGraphik & WissensVisualisierung
Tel: +43 316 873-5405   E-Mail: l.schim...@cgv.tugraz.at
Fax: +43 316 873-5402   PGP-Key-ID: 0x4A9B1723






Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Douglas E. Engert

Another tool that could help is Wireshark to get network traces.
It does a very nice job of formatting the Kerberos packets, and can
show problems with KDC, principal, enc-type, kvno and cross realm issues.

One other long shot to look at, is the realm of the AFS server.

Jeff Altman said in 2007:
  > Where you will experience great pain is if the realm derived
  > from the name of the db servers does not match the authentication
  > realm of the cell.   The heuristic used by aklog to obtain the
  > correct service ticket is to perform a domain to realm mapping
  > on the hostname of the first db server.  This is either derived
  > from the hostname itself or by looking at the domain_realm
  > section of the local machine's krb5.conf file.

So it could be looking for CSSD.PITT.EDU


On 1/5/2012 12:14 PM, Jeff White wrote:

On 01/05/2012 12:02 PM, Andrew Deason wrote:

On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White wrote:


1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ
afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto
DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
afs/adtest.dementia@ad.dementia.org

Why didn't he use the logon name afs-adtest in that ktpass command?

I don't have that presentation in front of me, but that may have just
been a mistake.


Where did 'afs/adtest.dementia@ad.dementia.org' come from,
particularly the 'afs/adtest.dementia.org' part? His logon name is
not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/adtest.dementia@ad.dementia.org to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.


$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?


Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain Controllers 
container.

Andrew Deason:
Bah, there was a DNS problem. I fixed that and I'm back to the first error. I 
made sure to use the principal afs/pitt@pitt.edu for the principal in the 
keytab which should be correct (user is afs,
cell is pitt.edu, realm is PITT.EDU). This is on RHEL 6.1 x64 and should be 
using MIT's Kerberos implementation for the client as provided by RedHat.

[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V jaw...@pitt.edu
Using default cache: /tmp/krb5cc_0
Using principal: jaw...@pitt.edu
Password for jaw...@pitt.edu:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw...@pitt.edu

Valid starting Expires Service principal
01/05/12 12:48:35 01/05/12 22:48:37 krbtgt/pitt@pitt.edu
renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

Yea, I shouldn't be getting user tickets/token as root but whatever, this is 
just a test box and a test principal.

I was sent the URL http://openafs-wiki.stanford.edu/AFSLore/win2008r2adaskdc/ 
by Lars Schimmer but making the registry change it said was needed made it so I 
can no longer log into my DC at all, even
on the console. Time to wipe out the DC and start everything over again.




--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


[OpenAFS] Re: OpenAFS on OpenSuse 12.1: No connection to filesystem

2012-01-05 Thread Andrew Deason
On Thu, 5 Jan 2012 09:02:27 -0800 (PST)
Starl8gazer  wrote:

> :~ > klog.krb5 -noprdb
> Password for user_name@employer_domain: 
> [the _first_ time this results in]
> klog: unknown RPC error (-1765328252) Unable to authenticate to use afs

You're sure you didn't hit CTRL-C or something during this? That error
just means "something interrupted klog.krb5 while it was prompting you
for a password".

> > However, that warning suggests that you may not be able to reach
> > your employer's servers. Can you access /afs/employer_domain at all?
> 
> :~ > cd /afs/employer_domain/
> :/afs/employer_domain > /bin/ls -a
> /bin/ls: cannot open directory .: Connection timed out

It's a little harder to guess at what's going on without knowing the
actual cell name... can you access /afs/openafs.org/ ? Do you have any
idea if you have a firewall on that could be blocking this traffic?

-- 
Andrew Deason
adea...@sinenomine.net

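
The numeric codes in these threads (-1765328370 in the aklog transcripts that Douglas Engert decoded to KRB5KDC_ERR_ETYPE_NOSUPP, -1765328164 that Andrew read as KRB5_REALM_CANT_RESOLVE, and the -1765328252 from klog.krb5 just above) are MIT com_err codes: the low 8 bits are the index of the message in its error table and the high 24 bits pack the table name, "krb5", as four 6-bit characters. The Python below is an added example, not code from the list posts, from OpenAFS or from MIT krb5. It recovers the table and index from such a number and parses them out of aklog/klog output; the index-to-name map holds only the three codes this page discusses (their names as in krb5_err.h) and is meant to be extended from your own copy of that header.

```python
"""Decode the com_err-style error numbers that kinit, klog and aklog print.

Added example (not code from the OpenAFS list, OpenAFS or MIT krb5).  A krb5
error code is a signed 32-bit com_err value: the low 8 bits are the index of
the message in its error table and the high 24 bits pack the table name as
four 6-bit characters.  Every krb5 code is therefore table_base("krb5") plus
an index, which is why the numbers in this thread differ by only a few units.
"""
import re

# Alphabet com_err uses to pack a table name; a character's 6-bit value is
# its position in this string plus one.
_COM_ERR_CHARS = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                  "abcdefghijklmnopqrstuvwxyz"
                  "0123456789_")

# Indices within the krb5 table for the codes discussed on this page
# (names as in krb5_err.h; extend from your own copy as needed).
KRB5_ERRORS = {
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",   # KDC has no support for encryption type
    132: "KRB5_LIBOS_PWDINTR",        # Password read interrupted
    220: "KRB5_REALM_CANT_RESOLVE",   # Cannot resolve network address for KDC
}


def table_base(name):
    """Signed 32-bit com_err base code for an error table name."""
    packed = 0
    for ch in name[:4]:
        packed = (packed << 6) + _COM_ERR_CHARS.index(ch) + 1
    value = (packed << 8) & 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def split_code(code):
    """Return (table_name, index) for a signed com_err error code."""
    unsigned = code & 0xFFFFFFFF
    index = unsigned & 0xFF
    packed = unsigned >> 8
    chars = []
    while packed:
        chars.append(_COM_ERR_CHARS[(packed & 0x3F) - 1])
        packed >>= 6
    return "".join(reversed(chars)), index


def describe(code):
    """Label for a code, e.g. 'krb5 error 14: KRB5KDC_ERR_ETYPE_NOSUPP'."""
    table, index = split_code(code)
    if table != "krb5":
        return f"{table} error {index}: not a krb5 code"
    return f"krb5 error {index}: {KRB5_ERRORS.get(index, 'not in local table')}"


# The two ways the tools in this thread print a code:
#   "Kerberos error code returned by get_cred : -1765328370"
#   "klog: unknown RPC error (-1765328252) Unable to authenticate to use afs"
_CODE_RE = re.compile(r"(?:get_cred\s*:\s*|RPC error \()(-?\d+)")


def decode_tool_output(text):
    """Decode every distinct error code found in aklog/klog output, in order."""
    seen = []
    for match in _CODE_RE.finditer(text):
        code = int(match.group(1))
        if code not in seen:
            seen.append(code)
    return [describe(code) for code in seen]


# Constructed sample, copied from the aklog -d transcript in this thread.
SAMPLE_AKLOG_OUTPUT = """\
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets
"""

if __name__ == "__main__":
    for line in decode_tool_output(SAMPLE_AKLOG_OUTPUT):
        print(line)
```

Because the table name is recoverable from the number itself, the same split_code() tells you when a code is not a krb5 code at all (another com_err table, or an errno passed through), which is the first thing to rule out before chasing a Kerberos explanation for it.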


Re: [OpenAFS] openafs-1.6.0 build fails on kernel-3.2.0

2012-01-05 Thread Dale Pontius

On 01/05/2012 12:29 PM, Ken Dreyer wrote:

On Thu, Jan 5, 2012 at 10:06 AM, Dale Pontius  wrote:

This morning Gentoo distributed a shiny new kernel-3.2.0, so of course I had
to build it. Next I had to rebuild all of the out-of-tree kernel modules,
including openafs-1.6.0. It failed, relevant lines:

Did you try 1.6.1pre1?
It builds OK on kernel-3.2, on x86_64.  I'm building now on x86.  I'm 
going to move over ASAP, because I feel guilty using 1.6.0 with its ping 
problems in an enterprise environment.


Thanks,
Dale Pontius

--
Dale Pontius
Senior Engineer
IBM Corporation
Phone: (802) 769-6850
Tie-Line: 446-6850
email: pont...@us.ibm.com

This e-mail and its attachments, if any, may contain confidential and 
privileged material for the sole use of the intended recipient. Any review, 
use, distribution or disclosure by others is strictly prohibited. If you are 
not the intended recipient (or authorized to receive for the recipient), please 
contact the sender by reply e-mail and delete all copies of this message from 
your system without copying it and notify sender of the misdirection by reply 
e-mail.



Re: [OpenAFS] openafs-1.6.0 build fails on kernel-3.2.0

2012-01-05 Thread Dale Pontius

On 01/05/2012 12:29 PM, Ken Dreyer wrote:

On Thu, Jan 5, 2012 at 10:06 AM, Dale Pontius  wrote:

This morning Gentoo distributed a shiny new kernel-3.2.0, so of course I had
to build it. Next I had to rebuild all of the out-of-tree kernel modules,
including openafs-1.6.0. It failed, relevant lines:

Did you try 1.6.1pre1?

Not yet.  A few weeks back I heard about 1.6.1 relative to the ping 
problem, and at the time when I looked it wasn't available.  I just 
looked, and see that it is now.  It's not in Gentoo, so I'll have to gen 
up a private ebuild to try it out.  I'll reply when I have something.


Dale

--
Dale Pontius
Senior Engineer
IBM Corporation
Phone: (802) 769-6850
Tie-Line: 446-6850
email: pont...@us.ibm.com



Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeff White

On 01/05/2012 12:02 PM, Andrew Deason wrote:

On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White  wrote:


1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ
afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto
DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
afs/adtest.dementia@ad.dementia.org

Why didn't he use the logon name afs-adtest in that ktpass command?

I don't have that presentation in front of me, but that may have just
been a mistake.


Where did 'afs/adtest.dementia@ad.dementia.org' come from,
particularly the 'afs/adtest.dementia.org' part?  His logon name is
not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/adtest.dementia@ad.dementia.org to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.


$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?


Jeffrey Altman:
A GPO was created to allow DES in Kerberos and linked to the Domain 
Controllers container.


Andrew Deason:
Bah, there was a DNS problem.  I fixed that and I'm back to the first 
error.  I made sure to use the principal afs/pitt@pitt.edu for the 
principal in the keytab which should be correct (user is afs, cell is 
pitt.edu, realm is PITT.EDU).  This is on RHEL 6.1 x64 and should be 
using MIT's Kerberos implementation for the client as provided by RedHat.


[root@afs-dev-03 ~]# rpm -qa | grep krb
krb5-devel-1.9-22.el6_2.1.x86_64
krb5-libs-1.9-22.el6_2.1.x86_64
krb5-workstation-1.9-22.el6_2.1.x86_64
openafs-krb5-1.6.0-1.el6.x86_64
pam_krb5-2.3.11-6.el6.x86_64

Douglas Engert:
Yes, I can get a ticket.

[root@afs-dev-03 ~]# kinit -V jaw...@pitt.edu
Using default cache: /tmp/krb5cc_0
Using principal: jaw...@pitt.edu
Password for jaw...@pitt.edu:
Authenticated to Kerberos v5

[root@afs-dev-03 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw...@pitt.edu

Valid starting     Expires            Service principal
01/05/12 12:48:35  01/05/12 22:48:37  krbtgt/pitt@pitt.edu
        renew until 01/12/12 12:48:35

[root@afs-dev-03 ~]# aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328370
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

Yea, I shouldn't be getting user tickets/token as root but whatever, 
this is just a test box and a test principal.


I was sent the URL 
http://openafs-wiki.stanford.edu/AFSLore/win2008r2adaskdc/ by Lars 
Schimmer but making the registry change it said was needed made it so I 
can no longer log into my DC at all, even on the console.  Time to wipe 
out the DC and start everything over again.

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] openafs-1.6.0 build fails on kernel-3.2.0

2012-01-05 Thread Ken Dreyer
On Thu, Jan 5, 2012 at 10:06 AM, Dale Pontius  wrote:
> This morning Gentoo distributed a shiny new kernel-3.2.0, so of course I had
> to build it. Next I had to rebuild all of the out-of-tree kernel modules,
> including openafs-1.6.0. It failed, relevant lines:

Did you try 1.6.1pre1?


Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Douglas E. Engert



On 1/5/2012 10:31 AM, Jeff White wrote:
> I tried removing the afs account, adding it again, checking the DES box,
> resetting the password, exporting the keytab, removing the old keytab, and
> adding the new keytab. I still can't aklog.
>
> I'm a little confused on the syntax of ktpass to export the keytab from AD. I'm
> using a presentation from Derrick Brashear but I don't understand his syntax:
>
> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ
> afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto
> DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab
> afs/adtest.dementia@ad.dementia.org
>
> Why didn't he use the logon name afs-adtest in that ktpass command? Where did
> 'afs/adtest.dementia@ad.dementia.org' come from, particularly the
> 'afs/adtest.dementia.org' part? His logon name is
> not afs and what is adtest?
>
> I did this:
>
> 1. Created an AD domain called pitt.edu.
> 2. Created the GPO to allow DES and applied it to the Domain Controllers.
> 3. Created a user with a logon name of 'afs'.
> 4. Exported the keytab with: ktpass -princ afs/pitt@pitt.edu -mapuser afs
> -pass * -crypto DES-CBC-MD5 -out afs.keytab
> 5. Imported the keytab with: asetkey add 4 /etc/afs.keytab afs/pitt@pitt.edu
>
> I still get an error but I'm not sure if I'm exporting/importing the keytab
> correctly. I've tried a variety of principals but all fail to let me aklog.
> What principal should be used?
>
> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt@pitt.edu
> Kerberos error code returned by get_cred : -1765328164

#define KRB5_REALM_CANT_RESOLVE  (-1765328164L)

Do you have a krb5.conf file with the PITT.EDU realm and the KDC= entries
added?

Before doing the aklog, try doing
kinit someu...@pitt.edu
klist

> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets
>
> Jeff White - Linux/Unix Systems Engineer
> University of Pittsburgh - CSSD
>
> On 01/05/2012 10:33 AM, Andrew Deason wrote:
>> On Thu, 05 Jan 2012 10:07:09 -0500
>> Jeff White wrote:
>>
>>> I noticed there is a box which says 'Use Kerberos DES encryption types
>>> for this account' in the settings of each account, do I need to set
>>> that?
>>
>> Yes.
>>
>>> Just on the afs principal/user or on every user of AFS in the
>>> realm?
>>
>> Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
>> for that principal if you haven't already (though that doesn't have
>> anything to do with the current error). That is, turn this on:
>> .
>>
>>> Do I need to do the export and asetkey again after the changes I made?
>>
>> Not sure on this one. I would guess "no", but I've never done this in
>> that order.
>>
>>> Also, is there a way to have all our users in AD without enabling DES?
>>> I recall hearing that it was possible by having an MIT Kerberos box to
>>> hold the AFS principal alone with DES enabled but have all the user
>>> principals in AD without DES.
>>
>> You can do this, but either way the afs/pitt.edu princ is the only one
>> that has DES enabled. But yeah, if you just want to be able to turn off
>> the "enable DES" checkbox in AD to be able to show someone that you're
>> mostly not running with DES, that's an option.






--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444


[OpenAFS] openafs-1.6.0 build fails on kernel-3.2.0

2012-01-05 Thread Dale Pontius
This morning Gentoo distributed a shiny new kernel-3.2.0, so of course I 
had to build it. Next I had to rebuild all of the out-of-tree kernel 
modules, including openafs-1.6.0. It failed, relevant lines:


CC [M] 
/var/tmp/portage/net-fs/openafs-kernel-1.6.0/work/openafs-1.6.0/src/libafs/MODLOAD-3.2.0-gentoo-MP/osi_vfsops.o
/var/tmp/portage/net-fs/openafs-kernel-1.6.0/work/openafs-1.6.0/src/libafs/MODLOAD-3.2.0-gentoo-MP/osi_vfsops.c: 
In function ‘vattr2inode’:
/var/tmp/portage/net-fs/openafs-kernel-1.6.0/work/openafs-1.6.0/src/libafs/MODLOAD-3.2.0-gentoo-MP/osi_vfsops.c:442:5: 
error: assignment of read-only member ‘i_nlink’
make[6]: *** 
[/var/tmp/portage/net-fs/openafs-kernel-1.6.0/work/openafs-1.6.0/src/libafs/MODLOAD-3.2.0-gentoo-MP/osi_vfsops.o] 
Error 1
make[5]: *** 
[_module_/var/tmp/portage/net-fs/openafs-kernel-1.6.0/work/openafs-1.6.0/src/libafs/MODLOAD-3.2.0-gentoo-MP] 
Error 2

make[5]: Leaving directory `/usr/src/linux-3.2.0-gentoo'

I presume that someone already knows about this, but I haven't seen it 
mentioned here or on openafs-devel. I also presume that it's something 
that has changed in kernel-3.2.0, etc, etc, etc.


Dale Pontius

--
Dale Pontius
Senior Engineer
IBM Corporation
Phone: (802) 769-6850
Tie-Line: 446-6850
email: pont...@us.ibm.com



[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Andrew Deason
On Thu, 05 Jan 2012 11:31:01 -0500
Jeff White  wrote:

> 1. He created an AD domain called ad.dementia.org.
> 2. He created a user with a logon name of 'afs-adtest'.
> 3. He exported the keytab with: ktpass -princ 
> afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto 
> DES-CBC-MD5 -out afs-keytab
> 4. Imported the keytab with: asetkey add 3 /etc/afs.keytab 
> afs/adtest.dementia@ad.dementia.org
> 
> Why didn't he use the logon name afs-adtest in that ktpass command?  

I don't have that presentation in front of me, but that may have just
been a mistake.

> Where did 'afs/adtest.dementia@ad.dementia.org' come from,
> particularly the 'afs/adtest.dementia.org' part?  His logon name is
> not afs and what is adtest?

I don't know the internal AD details etc, but conceptually that command
maps the principal name afs/adtest.dementia@ad.dementia.org to the
AD user "afs" (or "afs-adtest" or whatever you call it). OpenAFS by
convention uses the principal name afs/<cell>@REALM for krb5. So,
adtest.dementia.org is the AFS cell name in that example.

> $ aklog -d
> Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
> Trying to authenticate to user's realm PITT.EDU.
> Getting tickets: afs/pitt@pitt.edu
> Kerberos error code returned by get_cred : -1765328164
> aklog: Couldn't get pitt.edu AFS tickets:
> aklog: unknown RPC error (-1765328164) while getting AFS tickets

Well, you're getting a different error this time, so that's something.
What krb5 implementation are you running on that machine? I think that
error is KRB5_REALM_CANT_RESOLVE... is PITT.EDU in krb5.conf, or in dns
or what? Anything odd with that configuration?

-- 
Andrew Deason
adea...@sinenomine.net

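The two replies above (Douglas Engert's and Andrew Deason's) explain the afs/<cell>@REALM convention and point at KRB5_REALM_CANT_RESOLVE as a missing-realm problem in krb5.conf. The following is an added example, not code from OpenAFS or from any poster: it derives the service principal aklog asks for, maps the numeric error from aklog -d to its symbolic name, and checks a krb5.conf for a usable [realms] entry. The krb5.conf text and the KDC host name dc01.pitt.edu are constructed for the example.

```python
"""aklog pre-flight checks for the failure discussed in this thread.

Added example, not code from OpenAFS or from any poster. It reproduces two
things the replies above explain: the afs/<cell>@REALM service-principal
convention, and KRB5_REALM_CANT_RESOLVE, which MIT krb5 returns when it
cannot locate a KDC for the realm. The krb5.conf text below and the host
name dc01.pitt.edu are constructed for the example.
"""
import re

# MIT krb5 error codes are com_err values: a table base plus an index.
# KRB5_ERR_BASE is the code of the table's first entry, KRB5KDC_ERR_NONE.
KRB5_ERR_BASE = -1765328384
KRB5_ERROR_NAMES = {
    14: "KRB5KDC_ERR_ETYPE_NOSUPP",   # KDC has no support for encryption type
    220: "KRB5_REALM_CANT_RESOLVE",   # cannot resolve a KDC address for the realm
}

SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = PITT.EDU
    allow_weak_crypto = true
    dns_lookup_kdc = false

[realms]
    PITT.EDU = {
        kdc = dc01.pitt.edu
    }
    EXAMPLE.ORG = {
        admin_server = kadmin.example.org
    }

[domain_realm]
    .pitt.edu = PITT.EDU
"""


def afs_service_principal(cell, realm):
    """The service principal aklog requests: afs/<cell>@REALM."""
    return "afs/%s@%s" % (cell.lower(), realm)


def krb5_error_name(code):
    """Map the numeric error printed by aklog -d to its symbolic name."""
    return KRB5_ERROR_NAMES.get(code - KRB5_ERR_BASE, "unknown (%d)" % code)


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: flat 'key = value' lines per section and
    one level of 'NAME = { ... }' blocks, enough for [realms] entries."""
    sections, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = m.group(1), None
            sections.setdefault(section, {})
            continue
        if section is None:
            continue
        m = re.fullmatch(r"([\w.-]+)\s*=\s*\{", line)
        if m:
            block = m.group(1)
            sections[section][block] = {}
            continue
        if line == "}":
            block = None
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if block is None:
            sections[section][key] = value
        else:
            sections[section][block].setdefault(key, []).append(value)
    return sections


def realm_resolvable(conf, realm):
    """True when krb5 can find a KDC for realm: a kdc line in its [realms]
    block, or DNS SRV discovery (dns_lookup_kdc defaults to true when unset)."""
    if conf.get("realms", {}).get(realm, {}).get("kdc"):
        return True
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", "true").lower()
    return dns in ("true", "yes", "1")
```

With dns_lookup_kdc left unset, MIT krb5 will also try DNS SRV records, which is why a "DNS problem" can produce the same error as a missing krb5.conf entry.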


[OpenAFS] Re: OpenAFS on OpenSuse 12.1: No connection to filesystem

2012-01-05 Thread Starl8gazer
>>  :~ > klog.krb5 user_name

>>  Password for user_name@employer_domain: 
>>  [after quite a while...]
>>  klog: server or network not responding Can't get your viceid for cell  
>> employer_domain
>>  :~ > klog.krb5 -tmp
>>  Password for user_name@employer_domain: 
>>  Wrote ticket file to /tmp/krb5cc_1000
>>  klog: server or network not responding Can't get your viceid for cell  
>> employer_domain
> 
> This is not necessarily an error, but a warning. Try running 'klog.krb5 
> -noprdb' instead. Run 'tokens' afterwards to see if 
> you have authenticated and have access tokens. 

:~ > klog.krb5 -noprdb
Password for user_name@employer_domain: 
[the _first_ time this results in]
klog: unknown RPC error (-1765328252) Unable to authenticate to use afs
:~ > klog.krb5 -noprdb
Password for user_name@employer_domain: 
[no further output!]

:~ > tokens

Tokens held by the Cache Manager:

Tokens for afs@employer_domain [Expires Jan  6 17:51]
   --End of list--


> However, that warning suggests that you may not be able to reach your 
> employer's servers. Can you access /afs/employer_domain at all?

:~ > cd /afs/employer_domain/
:/afs/employer_domain > /bin/ls -a
/bin/ls: cannot open directory .: Connection timed out


Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeffrey Altman
Windows Server 2008 R2 does not support DES by default.  In order to use
DES for any principal, DES must be enabled by group policy.





[OpenAFS] Re: OpenAFS on OpenSuse 12.1: No connection to filesystem

2012-01-05 Thread Andrew Deason
On Thu, 5 Jan 2012 08:07:43 -0800 (PST)
Starl8gazer  wrote:

> :~ > klog.krb5 user_name
> Password for user_name@employer_domain: 
> [after quite a while...]
> klog: server or network not responding Can't get your viceid for cell 
> employer_domain
> :~ > klog.krb5 -tmp
> Password for user_name@employer_domain: 
> Wrote ticket file to /tmp/krb5cc_1000
> klog: server or network not responding Can't get your viceid for cell 
> employer_domain

This is not necessarily an error, but a warning. Try running
'klog.krb5 -noprdb' instead. Run 'tokens' afterwards to see if you have
authenticated and have access tokens. If you have access, it should look
like:

>> $ tokens
>> 
>> Tokens held by the Cache Manager:
>> 
>> User's (AFS ID 1) tokens for afs@localcell [Expires Jan  6 10:26]
>>--End of list--

However, that warning suggests that you may not be able to reach your
employer's servers. Can you access /afs/employer_domain at all?

-- 
Andrew Deason
adea...@sinenomine.net



Re: [OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeff White
I tried removing the afs account, adding it again, checking the DES box, 
resetting the password, exporting the keytab, removing the old keytab, 
and adding the new keytab.  I still can't aklog.


I'm a little confused on the syntax of ktpass to export the keytab from 
AD.  I'm using a presentation from Derrick Brashear but I don't 
understand his syntax:


1. He created an AD domain called ad.dementia.org.
2. He created a user with a logon name of 'afs-adtest'.
3. He exported the keytab with: ktpass -princ 
afs/adtest.dementia@ad.dementia.org -mapuser afs -pass * -crypto 
DES-CBC-MD5 -out afs-keytab
4. Imported the keytab with: asetkey add 3 /etc/afs.keytab 
afs/adtest.dementia@ad.dementia.org


Why didn't he use the logon name afs-adtest in that ktpass command?  
Where did 'afs/adtest.dementia@ad.dementia.org' come from, 
particularly the 'afs/adtest.dementia.org' part?  His logon name is not 
afs and what is adtest?


I did this:

1. Created an AD domain called pitt.edu.
2. Created the GPO to allow DES and applied it to the Domain Controllers.
3. Created a user with a logon name of 'afs'.
4. Exported the keytab with: ktpass -princ afs/pitt@pitt.edu 
-mapuser afs -pass * -crypto DES-CBC-MD5 -out afs.keytab
5. Imported the keytab with: asetkey add 4 /etc/afs.keytab 
afs/pitt@pitt.edu


I still get an error but I'm not sure if I'm exporting/importing the 
keytab correctly.  I've tried a variety of principals but all fail to 
let me aklog.  What principal should be used?


$ aklog -d
Authenticating to cell pitt.edu (server afs-dev-03.cssd.pitt.edu).
Trying to authenticate to user's realm PITT.EDU.
Getting tickets: afs/pitt@pitt.edu
Kerberos error code returned by get_cred : -1765328164
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328164) while getting AFS tickets

Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD


On 01/05/2012 10:33 AM, Andrew Deason wrote:
> On Thu, 05 Jan 2012 10:07:09 -0500
> Jeff White wrote:
>
>> I noticed there is a box which says 'Use Kerberos DES encryption types
>> for this account' in the settings of each account, do I need to set
>> that?
>
> Yes.
>
>> Just on the afs principal/user or on every user of AFS in the
>> realm?
>
> Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
> for that principal if you haven't already (though that doesn't have
> anything to do with the current error). That is, turn this on:
> .
>
>> Do I need to do the export and asetkey again after the changes I made?
>
> Not sure on this one. I would guess "no", but I've never done this in
> that order.
>
>> Also, is there a way to have all our users in AD without enabling DES?
>> I recall hearing that it was possible by having an MIT Kerberos box to
>> hold the AFS principal alone with DES enabled but have all the user
>> principals in AD without DES.
>
> You can do this, but either way the afs/pitt.edu princ is the only one
> that has DES enabled. But yeah, if you just want to be able to turn off
> the "enable DES" checkbox in AD to be able to show someone that you're
> mostly not running with DES, that's an option.




Re: [OpenAFS] OpenAFS on OpenSuse 12.1: No connection to filesystem

2012-01-05 Thread Ted Creedon
Works fine here but I compiled my own on 4 Suse 12.1 boxes.

tedc


[OpenAFS] OpenAFS on OpenSuse 12.1: No connection to filesystem

2012-01-05 Thread Starl8gazer
Hello, 

I cannot get OpenAFS to connect to my employer's filesystem and would like to 
know what is wrong and how to fix it. 

Local system information
--

Opensuse 12.1 online install, all updates included, kernel 3.1.0-1.2-desktop


OpenAFS installation
--

from http://download.opensuse.org/repositories/filesystems/openSUSE_12.1/ 
installed packages openafs, openafs-client, openafs-docs, openafs-kmp-desktop, 
openafs-krb5-mit

I believe the following packages may also be important to mention: krb5, 
krb5-32bit, krb5-client, krb5-devel, pam_krb5


OpenAFS configuration
--

put in place files /etc/krb5.conf, /etc/openafs/CellServDB, 
/etc/openafs/ThisCell; these files work for other users on Ubuntu Linux to 
connect to the desired filesystem


Observations
--

* as root after installation and reboot: 

:~ # /etc/init.d/openafs-client status
redirecting to systemctl
openafs-client.service - LSB: Start OpenAFS Client
  Loaded: loaded (/etc/init.d/openafs-client)
  Active: inactive (dead)
  CGroup: name=systemd:/system/openafs-client.service
:~ # /etc/init.d/openafs-client start
redirecting to systemctl
:~ # /etc/init.d/openafs-client status
redirecting to systemctl
openafs-client.service - LSB: Start OpenAFS Client
  Loaded: loaded (/etc/init.d/openafs-client)
  Active: active (running) since Thu, 05 Jan 2012 15:33:20 +0100; 21s 
ago
 Process: 3937 ExecStart=/etc/init.d/openafs-client start (code=exited, 
status=0/SUCCESS)
  CGroup: name=systemd:/system/openafs-client.service
  └ 3959 /usr/sbin/afsd -stat 2000 -daemons 3 -volumes 70 
-memcache -dynroot -fakestat -afsdb


* as user: 

:~ > ps -e | grep -i afs
 3948 ?    00:00:00 afs_pagecopy
 3955 ?    00:00:00 afs_callback
 3957 ?    00:00:00 afs_rxevent
 3958 ?    00:00:00 afs_rxlistener
 3959 ?    00:00:00 afsd
 3963 ?    00:00:00 afsd
 3964 ?    00:00:00 afs_checkserver
 3966 ?    00:00:00 afs_background
 3967 ?    00:00:00 afs_background
 3970 ?    00:00:00 afs_background
 3971 ?    00:00:00 afs_cachetrim
:~ > lsmod | grep -i afs
libafs    817957  2 
:~ > dir /afs
total 20
drwxr-xr-x   1 2048 Jan  1  1970 .:mount/
lrwxr-xr-x   1   12 Jan  1  1970 .openafs -> .openafs.org/
drwxr-xr-x 100 4096 Jan  1  1970 .openafs.org/
drwxr-xr-x 100 4096 Jan  1  1970 .employer_domain/
lrwxr-xr-x   1   11 Jan  1  1970 openafs -> openafs.org/
drwxr-xr-x 100 4096 Jan  1  1970 openafs.org/
drwxr-xr-x 100 4096 Jan  1  1970 employer_domain/
:~ > kinit -V
Using default cache: /tmp/krb5cc_1000
Using principal: user_name@employer_domain
Password for user_name@employer_domain: 
Authenticated to Kerberos v5
:~ > klog.krb5 user_name
Password for user_name@employer_domain: 
[after quite a while...]
klog: server or network not responding Can't get your viceid for cell 
employer_domain
:~ > klog.krb5 -tmp
Password for user_name@employer_domain: 
Wrote ticket file to /tmp/krb5cc_1000
klog: server or network not responding Can't get your viceid for cell 
employer_domain



My goal is to manually establish the connection with the filesystem as user, 
i.e., I do not need it to happen automatically when I log in to my machine (a 
laptop). 

In your replies, please be as specific as possible since I am usually rather a 
top-level user of Linux. 

Many thanks in advance.


[OpenAFS] Re: OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Andrew Deason
On Thu, 05 Jan 2012 10:07:09 -0500
Jeff White  wrote:

> I noticed there is a box which says 'Use Kerberos DES encryption types 
> for this account' in the settings of each account, do I need to set 
> that?

Yes.

> Just on the afs principal/user or on every user of AFS in the 
> realm?

Just on the afs/pitt.edu princ. It is also advisable to turn off the PAC
for that principal if you haven't already (though that doesn't have
anything to do with the current error). That is, turn this on:
.

> Do I need to do the export and asetkey again after the changes I made?

Not sure on this one. I would guess "no", but I've never done this in
that order.

> Also, is there a way to have all our users in AD without enabling DES?
> I recall hearing that it was possible by having an MIT Kerberos box to
> hold the AFS principal alone with DES enabled but have all the user
> principals in AD without DES.

You can do this, but either way the afs/pitt.edu princ is the only one
that has DES enabled. But yeah, if you just want to be able to turn off
the "enable DES" checkbox in AD to be able to show someone that you're
mostly not running with DES, that's an option.

-- 
Andrew Deason
adea...@sinenomine.net


[OpenAFS] OpenAFS 1.6.0 with Microsoft Active Directory 2008 - Questions about DES

2012-01-05 Thread Jeff White
As part of an AFS/Kerberos upgrade project I am building a test cell to 
mimic what we may eventually have in production by using Microsoft 
Active Directory as my KDC.  This test cell has one Windows Server 2008 
R2 box running Active Directory and one RHEL 6.1 box with the OpenAFS 
software running on it.


I'm following the guide, and the 'Verifying the AFS Initialization 
Script' section where aklog is run for the first time is where I am 
stuck.  I can kinit and get a ticket from AD but when I aklog I get an 
error:


$ klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jaw...@pitt.edu

Valid starting     Expires            Service principal
01/05/12 09:35:12  01/05/12 19:35:14  krbtgt/pitt@pitt.edu
        renew until 01/12/12 09:35:12

$ aklog
aklog: Couldn't get pitt.edu AFS tickets:
aklog: unknown RPC error (-1765328370) while getting AFS tickets

It seems that error means the KDC does not support DES-CBC-CRC.  I added 
'allow_weak_crypto = true' to /etc/krb5.conf, same error.  I created a 
GPO in AD which allows DES-CBC-CRC and applied this GPO to the 'Domain 
Controllers' container.  Same error with aklog.  What else do I have to 
do to make DES-CBC-CRC work in Active Directory 2008?


I noticed there is a box which says 'Use Kerberos DES encryption types 
for this account' in the settings of each account, do I need to set 
that?  Just on the afs principal/user or on every user of AFS in the 
realm?  I exported the key for the afs principal from AD using 'ktpass 
-princ afs/pitt@pitt.edu -mapuser afs -pass * -crypto DES-CBC-MD5 
-out afs.keytab'.  Do I need to do the export and asetkey again after 
the changes I made?


Also, is there a way to have all our users in AD without enabling DES?  
I recall hearing that it was possible by having an MIT Kerberos box to 
hold the AFS principal alone with DES enabled but have all the user 
principals in AD without DES.


--
Jeff White - Linux/Unix Systems Engineer
University of Pittsburgh - CSSD



Re: [OpenAFS] Administrators with a slash

2012-01-05 Thread Jonathan Billings
On Thu, Jan 05, 2012 at 12:40:32PM +, Bobb Crosbie wrote:
> Both principals are in the system:administrators group  (this was run when
> authenticated as bobb.crosbie)

Here's your problem.  Due to OpenAFS's history, krb5 principals with a
slash (such as username/admin@REALM) are converted to their krb4 form,
username.admin.  

By default, the ptserver disallows dotted principals to avoid the
confusion of equivocating the krb5 principals user.admin@REALM and
user/admin@REALM. 

If you are absolutely sure there are no such collisions in your realm,
you can run your servers with -allow-dotted-principals.

For more documentation:
http://docs.openafs.org/Reference/8/ptserver.html

-- 
Jonathan Billings 
College of Engineering - CAEN - Unix and Linux Support
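The reply above describes how a slashed krb5 principal is reduced to its dotted krb4 form before the ptserver lookup, and why that form is refused by default. The following is an added example, not OpenAFS code: it models that mapping, the refusal rule, and a collision scan a site would run before enabling -allow-dotted-principals. The refusal rule implemented here (a dot in the first component together with an instance) is an assumption modelled on the behaviour reported in this thread, where bobb.crosbie works and bobb.crosbie/admin does not; the foreign-realm form name@realm is likewise a simplification.

```python
"""krb5 principal to pts name mapping and the dotted-principal check.

Added example, not OpenAFS code. A krb5 principal name/instance@REALM is
reduced to its krb4 form name.instance before the pts lookup, so
user/admin@REALM and user.admin@REALM would share one pts entry. The
refusal rule below is an assumption modelled on the behaviour in this
thread (bobb.crosbie is accepted, bobb.crosbie/admin is refused).
"""
from collections import defaultdict


def parse_principal(principal):
    """Split 'name/instance@REALM' into ([name, instance], REALM)."""
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % principal)
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    if not realm or len(components) > 2 or not all(components):
        raise ValueError("no krb4-style form for %r" % principal)
    return components, realm


def pts_name(principal, local_realm):
    """krb4-style name used for the pts lookup: components joined by '.',
    realm dropped for the cell's own realm, otherwise kept in lower case
    (simplified model of how foreign users appear in pts)."""
    components, realm = parse_principal(principal)
    base = ".".join(components)
    if realm.upper() == local_realm.upper():
        return base
    return "%s@%s" % (base, realm.lower())


def is_dotted_with_instance(principal):
    """The ambiguous shape: a dot in the first component plus an instance."""
    components, _ = parse_principal(principal)
    return len(components) == 2 and "." in components[0]


def access_allowed(principal, allow_dotted_principals=False):
    """Modelled server-side rule: such principals are treated as
    unauthenticated unless the servers run with -allow-dotted-principals."""
    return allow_dotted_principals or not is_dotted_with_instance(principal)


def find_collisions(principals, local_realm):
    """Group distinct krb5 principals that map to the same pts name; a
    site should be free of these before enabling -allow-dotted-principals."""
    groups = defaultdict(list)
    for principal in principals:
        groups[pts_name(principal, local_realm)].append(principal)
    return {name: members for name, members in groups.items()
            if len(members) > 1}
```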


Re: [OpenAFS] Administrators with a slash

2012-01-05 Thread Coy Hile
The problem is likely related to the fact that you're using both dots
*AND* slashes.  As I recall, the principal example/admin@YOURREALM
would automatically map itself to pts user example.admin, so my WAG is
that ptserver is trying to map to 'bobb.crosbie/admin' and coming up
with 'bobb.crossbie.admin' or something like that.

Others can certainly speak with more definitive voices than I.


[OpenAFS] Administrators with a slash

2012-01-05 Thread Bobb Crosbie
Hey,

We are trying to tidy things up with our administrator principals in
Kerberos and AFS.
Rather than having our normal accounts in the AFS system:administrators
group, we thought it would be better to use the /admin principals we use in
Kerberos.
However, we are having some difficulties which seem to be caused by the
slashes in the principal names.

Both principals are in the system:administrators group  (this was run when
authenticated as bobb.crosbie)

 bobb@ophelia:~$ pts membership bobb.crosbie
 Groups bobb.crosbie (id: 5021) is a member of:
  system:administrators

 bobb@ophelia:~$ pts membership bobb.crosbie/admin
 Groups bobb.crosbie/admin (id: 4021) is a member of:
  system:administrators

Both principals are also SUsers:

 bobb@ophelia:~$ bos listusers -server afs01
 bos: running unauthenticated
 SUsers are: admin bobb.crosbie bobb.crosbie/admin []


Authenticating as bobb.crosbie works fine:

 bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie; aklog
 Password for bobb.cros...@cremelabs.com:

 bobb@ophelia:~$ klist
 Ticket cache: FILE:/tmp/krb5cc_1000
 Default principal: bobb.cros...@cremelabs.com

 Valid starting     Expires            Service principal
 01/05/12 12:24:06  01/05/12 20:24:06  krbtgt/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:03
 01/05/12 12:24:06  01/05/12 20:24:06  afs/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:03

 bobb@ophelia:~$ tokens
 Tokens held by the Cache Manager:

 User's (AFS ID 5021) tokens for a...@cremelabs.com [Expires Jan  5 20:24]
   --End of list--


I can authenticate against kerberos as bobb.crosbie/admin

 bobb@ophelia:~$ kdestroy; unlog; kinit bobb.crosbie/admin; aklog; klist; tokens
 Password for bobb.crosbie/ad...@cremelabs.com:

 bobb@ophelia:~$ klist
 Ticket cache: FILE:/tmp/krb5cc_1000
 Default principal: bobb.crosbie/ad...@cremelabs.com

 Valid starting     Expires            Service principal
 01/05/12 12:24:46  01/05/12 20:24:46  krbtgt/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:44
 01/05/12 12:24:46  01/05/12 20:24:46  afs/cremelabs@cremelabs.com
        renew until 01/06/12 12:23:44

But I don't seem to get a proper token from AFS - There's no: "(AFS ID
4021)" bit

 bobb@ophelia:~$ tokens
 Tokens held by the Cache Manager:

 Tokens for a...@cremelabs.com [Expires Jan  5 20:24]
--End of list--

And bobb.crosbie/admin doesn't have permission to look at group memberships

 bobb@ophelia:~$ pts membership bobb.crosbie/admin
 pts: Permission denied ; unable to get membership of bobb.crosbie/admin (id: 4021)


Everything seems to work fine if we create another principal in Kerberos
without the slash (bobbadmin, say), create that user in pts and add it
to the system:administrators group.  The slash seems to be the only issue.

Any ideas?
Are users/principals with slashes supported?  Or is it recommended to do
things another way?
A number of documents (like this:
http://techpubs.spinlocksolutions.com/dklar/afs.html) suggest that slashes
are used.


Many Thanks,

- bobb