Re: RE: Re: Re: RE: [OpenAFS] ad+openafs

2016-05-14 Thread Benjamin Kaduk
The keytabs Brandon was referring to are host/ keytabs for the specific
hosts where users are logging in.  Upon receipt of the user's password,
the PAM stack gets a TGT using the user's password, and then makes a
TGS-REQ to get a service ticket for the host/ principal of the host in
question.  Only if that service ticket validates can the user be said to
be authenticated.  Merely receiving an AS-REP from the internet that
decodes as a TGT+session key does not indicate authentication, since
anyone on the network could send a packet that is properly formatted like
that.

Also, there is no need for DES-CBC-CRC in any new kerberos or OpenAFS
installation; please do not use it.

-Ben


Re: RE: Re: Re: RE: [OpenAFS] ad+openafs

2016-05-13 Thread zhaoxy299

hi,
 ktpass -princ afs/pc@pc.com -mapuser t...@pc.com -mapOp add -out afs.keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
I use the ktpass command to create afs.keytab on the Windows AD and then copy the
afs.keytab file to the OpenAFS server; after that, I use the command 'asetkey
add 3 afs.keytab afs/suzhou.powercore.com.cn' on the OpenAFS server, but it does
not work.

Re: Re: Re: RE: [OpenAFS] ad+openafs

2016-05-13 Thread zhaoxy299
hi,
sorry, I need to add something.
I have three servers:
 ad + kerberos                  win2008
 nis server, openafs server     linux redhat 6.7
 nis slave, openafs client      linux redhat 6.7
I can use the AD accounts to log in to the Linux server and can get tokens, but the
PAM configuration with pam_krb5 does not seem to be working. If I use
ad+winbind+openafs, the PAM configuration with pam_krb5 is working fine. Do I
miss some PAM packages?



Re: Re: RE: [OpenAFS] ad+openafs

2016-05-13 Thread zhaoxy299
hi,
I modified the /etc/pam.d/system-auth file, but it did not work. How can I debug
this error? Are there any other files that need to be modified?

[root@test-afs002 cai]# vi /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.afs.so use_first_pass ignore_root
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so cached_login
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5afs.so use_authtok
password    sufficient    pam_winbind.so cached_login use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5afs.so



> -----Original Message-----
> From: "Benjamin Kaduk" <ka...@mit.edu>
> Sent: 2016-05-06 23:17:46 (Friday)
> To: zhaoxy...@ustc.edu.cn
> Cc: 
> Subject: Re: RE: [OpenAFS] ad+openafs
> 
> You should keep the list cc'd for this thread; there are many other people
> with more experience in this regard than me.
> 
> That said, it sounds like you want pam_krb5 and pam_afs_session on the
> linux client, with some configuration knobs set accordingly.
> 
> -Ben
> 
> On Thu, 5 May 2016, zhaoxy...@ustc.edu.cn wrote:
> 
> >
> > hi,
> >  the system works now, but I want to get tokens when I log in to the Linux
> > system without entering the kinit and aklog commands. How can I achieve this
> > goal? Do I need to install some packages?
> >
> > software configuration: AD (Win 2008 server) + NIS + OpenAFS 1.6.14
> >
> > > -----Original Message-----
> > > From: "Benjamin Kaduk" <ka...@mit.edu>
> > > Sent: 2016-05-04 13:44:00 (Wednesday)
> > > To: "Brandon Allbery" <ballb...@sinenomine.net>
> > > Cc: "zhaoxy...@ustc.edu.cn" <zhaoxy...@ustc.edu.cn>, 
> > > "openafs-info@openafs.org" <openafs-info@openafs.org>
> > > Subject: RE: [OpenAFS] ad+openafs
> > >
> > > 1.6.14 doesn't need to have single-DES enabled; we shouldn't be
> > > recommending it.  The rxkad.keytab method should work fine with AES keys.
> > >
> > > -Ben
> > >
> > > On Tue, 3 May 2016, Brandon Allbery wrote:
> > >
> > > > -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that DES is 
> > > > disabled somewhere. Note that the client library *also* needs DES 
> > > > enabled; you might need to add to the [libdefaults] section of 
> > > > /etc/krb5.conf on the RH system,
> > > >
> > > > allow_weak_crypto = true
> > > >
> > > > From: openafs-info-ad...@openafs.org 
> > > > [mailto:openafs-info-ad...@openafs.org] On Behalf Of 
> > > > zhaoxy...@ustc.edu.cn
> > > > Sent: Tuesday, May 3, 2016 4:39 AM
> > > > To: openafs-info@openafs.org
> > > > Subject: [OpenAFS] ad+openafs
> > > >
> > > >
> > > > hi
> > > >
> > > > I installed openafs1.6.14 on redhat 6.7 and I want to use the AD as krb5
> > > > auth.
> > > >
> > > > Here are my steps:
> > > >
> > > > 1  install openafs1.6.14 on redhat6.7
> > > >
> > > > 2  install ad on windows 2008 r2
> > > >
> > > > 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
> > > >      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
> > > >      -ptype KRB5_NT_PRINCIPAL +DumpSalt
> > > >
> > > > 4 use kinit wang
> > > >
> > > >aklog
> > > >
> > > > [root@test-afs002 ]# klist -e -f
> > > > Ticket cache: FILE:/tmp/krb5cc_0
> > > > Default principal: w...@pc.com
> > > >
> > > > Valid starting     Expires            Service principal
> > > > 0

RE: Re: Re: RE: [OpenAFS] ad+openafs

2016-05-09 Thread Brandon Allbery
Do your systems have keytabs on them, with host instances? Using Kerberos for 
login requires a validation step; it's not enough just to get a ticket, because 
it's an opaque blob that you can't verify directly (and so might have been 
injected by an attacker). The only way to validate it is to attempt to use it 
to authenticate to a service; so pam_krb5, after getting your TGT, uses it to 
get a service ticket for the host you're logging in to and then uses the copy 
of the service key in /etc/krb5.keytab to decrypt the service ticket. If this 
fails, login is rejected.

If the host you're logging in to doesn’t have a keytab then you will need to 
make one. I can't help you with this for AD, aside from noting that this will 
usually be created from an AD machine account, that is, joining the machine to 
the AD domain using e.g. Samba. (I think it is also possible to create the 
account directly and extract the keytab, but I don't know any details.)

Winbind uses a different (and less secure: while it is encrypted, the key is 
fixed and well known) mechanism.

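Brandon's and Ben's explanations above describe the check pam_krb5 makes after the AS-REP: obtain a service ticket for the host/ principal and decrypt it with the key in /etc/krb5.keytab. The Python model below is an added illustration, not code from this thread, from pam_krb5 or from OpenAFS; its keyed-XOR-plus-HMAC "cipher", the KDC class, the principal names, passwords and host key are all constructed stand-ins so it runs offline. It shows that an answer from a rogue responder on the network decrypts fine under the password typed at the prompt and is only caught when the host/ service ticket is checked against the keytab key.

```python
import hashlib, hmac, os   # stdlib only

def key_from_password(password: str) -> bytes:
    # Stand-in for Kerberos string-to-key (a real KDC also salts with the realm).
    return hashlib.sha256(password.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Toy authenticated encryption standing in for Kerberos EncryptedData.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    # Returns None when the blob was not sealed under `key` (tag mismatch).
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KDC:
    """Whoever answers on the network: the real KDC or a rogue responder."""
    def __init__(self, keys: dict):
        self.keys = keys                 # principal -> long-term key it holds
        self.tgt_key = os.urandom(32)    # its own krbtgt key
    def as_rep(self, user: str):
        # AS-REP: session key sealed under the user's key, plus the TGT.
        sk = os.urandom(16)
        return seal(self.keys[user], sk + b"|" + user.encode()), seal(self.tgt_key, sk)
    def tgs_rep(self, tgt: bytes, service: str):
        # TGS-REP: a ticket for `service`, sealed under that service's key.
        sk = unseal(self.tgt_key, tgt)
        return None if sk is None else seal(self.keys[service], b"svc|" + sk)

def pam_login(kdc: KDC, user: str, password: str, host_princ: str, keytab):
    """The pam_krb5 flow: AS-REQ, then TGS-REQ for host/<fqdn>, then keytab check."""
    enc_part, tgt = kdc.as_rep(user)
    if unseal(key_from_password(password), enc_part) is None:
        return "bad password"            # AS-REP does not decrypt with typed password
    if keytab is None:
        return "ok (unverified)"         # no host keytab: the TGT alone is trusted
    ticket = kdc.tgs_rep(tgt, host_princ)
    if ticket is None or unseal(keytab[host_princ], ticket) is None:
        return "kdc not verified"        # service ticket fails against the keytab key
    return "ok"

def demo() -> dict:
    user, host = "alice@PC.COM", "host/afs002.pc.com@PC.COM"   # constructed names
    host_key = os.urandom(32)            # what /etc/krb5.keytab would hold
    real = KDC({user: key_from_password("correct horse"), host: host_key})
    rogue = KDC({user: key_from_password("rogue pw"), host: os.urandom(32)})
    return {
        "real_ok": pam_login(real, user, "correct horse", host, {host: host_key}),
        "real_wrong_pw": pam_login(real, user, "guess", host, {host: host_key}),
        "rogue_no_keytab": pam_login(rogue, user, "rogue pw", host, None),
        "rogue_keytab": pam_login(rogue, user, "rogue pw", host, {host: host_key}),
    }
```

The "rogue_no_keytab" case is the situation Brandon asks about: with no host keytab there is nothing to validate against, so the login stack accepts whatever decrypted under the typed password.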