Hi there!
Thanks for the replies!
I got it working!!!
> In addition to the key version number you also need to know the encryption
> type used to
> encrypt the service private portion of the afs/mydomain....@ad.mydomain.com
> service
> ticket. It is that encryption type which does not need to match either the
> encryption type
> used to encrypt the client private portion of the ticket or the session key
> which needs to
> match the keys added via asetkey.
Ah! This is interesting:
# kinit adUser
Password for adu...@ad.mydomain.com:
# klist -e
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: adu...@ad.mydomain.com
Valid starting Expires Service principal
08/24/22 21:49:12 08/25/22 07:49:12 krbtgt/ad.mydomain....@ad.mydomain.com
renew until 08/25/22 21:49:10, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
# aklog
# klist -e
Ticket cache: FILE:/var/krb5/security/creds/krb5cc_0
Default principal: adu...@ad.mydomain.com
Valid starting Expires Service principal
08/24/22 21:49:12 08/25/22 07:49:12 krbtgt/ad.mydomain....@ad.mydomain.com
renew until 08/25/22 21:49:10, Etype (skey, tkt):
aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
08/24/22 21:49:26 08/25/22 07:49:12 afs/mydomain....@ad.mydomain.com
renew until 08/25/22 21:49:10, Etype (skey, tkt): arcfour-hmac,
arcfour-hmac
After running aklog I have one that is using arcfour-hmac. Didn't expect that.
I had only the AES types in my keytab, and hadn't run an asetkey for that one.
I had the original keytab pre-edits to remove all but the AES types, and I
brought that back over and removed only DES, leaving the arcfour-hmac one, and
then ran asetkey for it using the encryption type 23, bounced the server, and
it worked!!
I also did end up adding in the "mydomain.com" and ".mydomain.com" entries in
krb5.conf, and I put in a file /opt/openafs/etc/openafs/server/krb.conf with
only one line that says "AD.MYDOMAIN.COM".
I'm glad this all working now!! Thank you all so much for the help!!
-Ben
________________________________
From: Jeffrey E Altman
Sent: Wednesday, August 24, 2022 6:49 PM
To: Ben Huntsman; openafs-info@openafs.org
Subject: Re: [OpenAFS] Kerberos + Windows
On 8/24/2022 12:53 PM, Ben Huntsman
(b...@huntsmans.net<mailto:b...@huntsmans.net>) wrote:
Here's some configuration info:
Let's say my cell is going to be mydomain.com. My Active Directory is
ad.mydomain.com, and my AFS service account is srvAFS.
When installing Active Directory for a domain "mydomain.com" it is best if the
Active Directory domain is "MYDOMAIN.COM" instead of "AD.MYDOMAIN.COM". This
is because Kerberos clients will attempt to use the DNS name of the host as the
Kerberos realm name. The use of "AD.MYDOMAIN.COM" or "WIN.MYDOMAIN.COM"
naming is common only in cases where there is a pre-existing Kerberos realm for
"MYDOMAIN.COM".
Here's my krb5.conf:
[libdefaults]
default_realm = AD.MYDOMAIN.COM
default_keytab_name =
[FILE:/etc/krb5/krb5.keytab]FILE:/etc/krb5/krb5.keytab
dns_lookup_realm = true
dns_lookup_kdc = true
forwardable = true
[realms]
AD.MYDOMAIN.COM = {
kdc = ad.mydomain.com:88
admin_server = ad.mydomain.com:749
default_domain = ad.mydomain.com
}
[domain_realm]
.ad.mydomain.com = AD.MYDOMAIN.COM
ad.mydomain.com = AD.MYDOMAIN.COM
You also need to add
.mydomain.com = AD.MYDOMAIN.COM
mydomain.com = AD.MYDOMAIN.COM
since the Kerberos realm is not the same as the DNS domain name used for the
AFS service principal.
[logging]
kdc = [FILE:/var/krb5/log/krb5kdc.log]FILE:/var/krb5/log/krb5kdc.log
admin_server =
[FILE:/var/krb5/log/kadmin.log]FILE:/var/krb5/log/kadmin.log
kadmin_local =
[FILE:/var/krb5/log/kadmin_local.log]FILE:/var/krb5/log/kadmin_local.log
default = [FILE:/var/krb5/log/krb5lib.log]FILE:/var/krb5/log/krb5lib.log
I then created the service account srvAFS, and extracted a keytab on the Domain
Controller using the following command:
ktpass /princ
afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>
/mapuser srvAFS /mapop add /out rxkad.keytab +rndpass /crypto all /ptype
KRB5_NT_PRINCIPAL +dumpsalt
The use of
"afs/mydomain....@ad.mydomain.com"<mailto:afs/mydomain....@ad.mydomain.com> is
correct. The "a...@ad.mydomain.com"<mailto:a...@ad.mydomain.com> service
principal name should no longer be used and must never be used with Active
Directory.
I verified that the account did not have the "Use only Kerberos DES encryption
types for this account" box checked. I then copied the rxkad.keytab over to
the UNIX host. I built OpenAFS with a prefix of /opt/openafs, so I put the
keytab in /opt/openafs/etc/openafs/server
I used ktutil to delete the two des entries in the keytab. ktutil indicates
that the KVNO is 5.
I then added the keys to OpenAFS using the command:
asetkey add rxkad_krb5 5 17 /opt/openafs/etc/openafs/server/rxkad.keytab
afs/mydomain.com
asetkey add rxkad_krb5 5 18 /opt/openafs/etc/openafs/server/rxkad.keytab
afs/mydomain.com
For an Active Directory realm you most likely also need to add rc4-hmac,
enctype 23.
Did the above "asetkey" commands succeed? Since the cell is named
"mydomain.com" I would expect asetkey to expand "afs/mydomain.com" to
"afs/mydomain....@mydomain.com"<mailto:afs/mydomain....@mydomain.com> which is
not going to be present in the rxkad.keytab file.
What is the output of "asetkey list" after the above commands were executed?
But things aren't quite working:
# ls /afs
afs: Tokens for user of AFS id 204 for cell mydomain.com are discarded (rxkad
error=19270408, server 192.168.0.114)
ls: /afs: The file access permissions do not allow the specified action.
# kvno adu...@ad.mydomain.com<mailto:adu...@ad.mydomain.com>
kvno: Server not found in Kerberos database while getting credentials for
adu...@ad.mydomain.com<mailto:adu...@ad.mydomain.com>
This is not expected to work.
# vos listvol myserver
Could not fetch the list of partitions from the server
rxk: ticket contained unknown key version number
Error in vos listvol command.
rxk: ticket contained unknown key version number
19270408 = rxk: ticket contained unknown key version number
It means the OpenAFS servers are not finding the expected key entry. There is
not a match for the combination of enctype and key version number and name.
# kinit -kt /opt/openafs/etc/openafs/server/rxkad.keytab
afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>
The above command is using the
afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>
keytab entry to obtain a client Ticket Granting Ticket. I doubt that is what
you intended.
Instead you wanted to "kinit" using a client principal and then execute the
kvno command below.
# kvno afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>
afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>: kvno
= 5
In addition to the key version number you also need to know the encryption type
used to encrypt the service private portion of the
afs/mydomain....@ad.mydomain.com<mailto:afs/mydomain....@ad.mydomain.com>
service ticket. It is that encryption type which does not need to match either
the encryption type used to encrypt the client private portion of the ticket or
the session key which needs to match the keys added via asetkey.
After adding the keys via "asetkey" did you install KeyFileExt on every server
in the cell?
Did you restart the services or touch the server instance of the CellServDB
file to force the new keys to be loaded?
Did I miss something, or make a mistake along the way somewhere?
Ben mentions in a separate reply that the OpenAFS krb.conf file needs to be
created and specify the local authentication realm as "AD.MYDOMAIN.COM".
Failure to do so will prevent authorization from succeeding but would not
result in a key version not found error.
Jeffrey Altman
