Adam Megacz wrote:
So, I run a one-machine renegade AFS cell (reconfigurable.cs.berkeley.edu) and my own krb5kdc for a corresponding (krb5) realm. It's nifty.
Looks like they let you register the principal gssklog/[EMAIL PROTECTED]
Berkeley [finally] has a campus-wide kerberos server with a principal for every student, which has inspired me to attempt to recreate some approximation of the IT nirvana I experienced as an undergrad at a certain university in pittsburgh.
Anyways, if I compile the stock gssklogd-0.11 with
./configure --with-afs=/usr/local/ \
--enable-server \
--with-gss-lib-name=gssapi_krb5 \
--with-gss-lib-dir=/usr/lib \
--enable-server \
--prefix=/usr/local \
--with-server-extra-cflags="-DUSE_KRB5_DES -DDEBUG" \
--with-server-extra-ldflags=/usr/local/lib/libdes.a
and invoke
gssklogd -E BERKELEY.EDU \
         -E RECONFIGURABLE.CS.BERKELEY.EDU \
         -k /etc/krb5.keytab \
         -a /etc/openafs/server/KeyFile \
         -s gssklog/[EMAIL PROTECTED] \
The -s option is for the GSSAPI import name, which is not the same as a krb5 principal name, as the gss is expecting <service>@<host>. If the krb5 gss is being used, you should not need the -s option, as the defaults for creating a principal will be gssklog/<host>@<realm>.
It's not gssklog/<afscell>@<realm> but gssklog/<host of gssklogd server>@<realm>. This follows normal Kerberos conventions for host-based services.
So if you have more than one gssklogd running, one on each of the AFS database servers, they will each have their own principal.
You will need a principal in the realm and the keytab for gssklog/[EMAIL PROTECTED]. I assume that the host name of the afs/gssklogd server is arachne.berkeley.edu? Or was your IP once assigned to arachne, and DNS needs to be updated? In any case the principal has the hostname.
Note: for AFS with gssklog, you don't need your own realm. But if you do have users in your realm and don't use cross-realm, you may also want to add a principal to your own realm, gssklog/[EMAIL PROTECTED], and to the keytab. (Depending on the gssapi libs, gssklogd could accept connections using either principal. I have a mode for this if needed.)
         -G /etc/openafs/gssklog-map \
         -d
I get this:
len=73, name=gssklog\/reconfigurable.cs.berkeley.edu/[EMAIL PROTECTED]
GSS-error acquiring credentials: major:000d0000 minor:025ea101
Miscellaneous failure
No principal in keytab matches desired name
I have *NO IDEA* what "arachne.berkeley.edu" is, or where it came from.
So I tried adding this line to both gssklogd.c and gssklog_gss.c and deleted the conflicting definition:
#define my_nt_service_name GSS_C_NT_USER_NAME
Now, gssklogd starts up fine with:
len=51, name=gssklog/[EMAIL PROTECTED]
Just as I wanted. So now I grab my BERKELEY.EDU tickets:
[EMAIL PROTECTED]:/usr/src/gssklog-0.11$ kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED]:/usr/src/gssklog-0.11$ klist
Ticket cache: FILE:/tmp/krb5cc_103
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
04/27/05 05:22:54 04/27/05 15:22:30 krbtgt/[EMAIL PROTECTED]
and try to gssklog myself with this command:
./gssklog -principal [EMAIL PROTECTED] \
          -cell reconfigurable.cs.berkeley.edu \
          -server reconfigurable.cs.berkeley.edu
This will expect the server to be running as: gssklog/[EMAIL PROTECTED] (assuming default realm or realm from [domain_realm] is BERKELEY.EDU.)
but I get this:
Client:
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Failed code = 2
Server:
N handle_connections: got connection, s = 5
N run_acceptor: initiated on 5
E receive_message(): Incorrect buf_size read: [0]
GSS-error accepting credentials: major_status:01090000 minor_status:00000000
A token was invalid
A required input parameter could not be read
No error
reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
Wed Apr 27 05:23:03 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] FAILED for other reasons
N handle_connections: Listening for next.
On a lark, I tried forcing the server_name by adding this to the top of gssklog_gss_init_sec_context() in gssklog_gss.c:
service_princ_name = "gssklog/[EMAIL PROTECTED]";
Yes, as long as the client and server agree on the principal name, and you have it registered in the realm and keytab, it will work.
Recompile, restart gssklogd, and everything works perfectly. I can gssklog myself, the principal gets mapped to the right local afs user, and I can get tokens and manipulate the filesystem just as I ought to be able to.
Client:
[EMAIL PROTECTED]:/usr/src/gssklog-0.11$ tokens
Tokens held by the Cache Manager:
User's (AFS ID 5) tokens for [EMAIL PROTECTED] [Expires Apr 27 15:22]
--End of list--
Server:
N handle_connections: got connection, s = 5
N run_acceptor: initiated on 5
N run_acceptor: calling gss_accept_sec_context
N run_acceptor: sending output token: [114]
N run_acceptor: security context accepted
N: client_name:[EMAIL PROTECTED]
Looking in gridmap for [EMAIL PROTECTED] : 16147012
globus_gss_assist_userok: [EMAIL PROTECTED]:16147012 from env:/etc/openafs/gssklog-map
gridmap_default_path:/etc/openafs/gssklog-map
gridmap fopen returned OK
line="[EMAIL PROTECTED]" megacz
gline->dn:[EMAIL PROTECTED] gline->userid:megacz
cname=16147012 cell=reconfigurable.cs.berkeley.edu rl=0 gl=35707
Times:startTime=1114579643,endTime=1114615350,glife=35707,rlife=35707
Wed Apr 27 05:27:23 - reconfigurable.CS.Berkeley.EDU[128.32.37.206] AFS token for 16147012 to [EMAIL PROTECTED]
N run_acceptor: security context being shutdown
N handle_connections: Listening for next.
So, the big question of the day is, why did I need to add these two hacks? Should I have configured something differently in order to not need them?
Answer: Misunderstanding of the -s option and the principals used by default.
Relevant configuration stuff follows...
Thanks for any help you guys can offer!
- a
______________________________________________________________________________ My keytab (/etc/krb5.keytab)
[EMAIL PROTECTED]:~# klist -ket
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
   3 04/20/05 01:07:35 [EMAIL PROTECTED] (DES cbc mode with CRC-32)
   3 04/24/05 22:09:35 gssklog/[EMAIL PROTECTED] (DES cbc mode with CRC-32)
______________________________________________________________________________ Debian packages I'm using:
[EMAIL PROTECTED]:~$ dpkg -l | grep '\(afs\|krb\|gss\)'
ii krb5-admin-ser 1.3.6-3 MIT Kerberos master server (kadmind)
ii krb5-clients 1.3.6-3 Secure replacements for ftp, telnet and rsh
ii krb5-config 1.6 Configuration files for Kerberos Version 5
ii krb5-kdc 1.3.6-3 MIT Kerberos key server (KDC)
ii krb5-user 1.3.6-3 Basic programs to authenticate using MIT Ker
ii libkrb5-dev 1.3.6-3 Headers and development libraries for MIT Ke
ii libkrb53 1.3.6-3 MIT Kerberos runtime libraries
ii libopenafs-dev 1.3.81-3 The AFS distributed filesystem- development
ii openafs-client 1.3.81-3 The AFS distributed filesystem- client suppo
ii openafs-dbserv 1.3.81-3 The AFS distributed filesystem- database ser
ii openafs-filese 1.3.81-3 The AFS distributed filesystem- file server
ii openafs-krb5 1.3-10 The AFS distributed filesystem- Kerberos 5 I
ii openafs-module 1.3.81-3 The AFS distributed filesystem- Module Sourc
______________________________________________________________________________ /etc/krb5.conf:
[libdefaults]
        default_realm = RECONFIGURABLE.CS.BERKELEY.EDU
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true

[realms]
        BERKELEY.EDU = {
                kdc = kerberos.berkeley.edu:88
                kdc = kerberos-1.berkeley.edu:88
                admin_server = kerberos.berkeley.edu
                default_domain = berkeley.edu
        }
        EECS.BERKELEY.EDU = {
                kdc = kerberos1.CS.Berkeley.EDU
                kdc = kerberos2.EECS.Berkeley.EDU
                admin_server = kerberos1.CS.Berkeley.EDU
                default_domain = cs.berkeley.edu
        }
        RECONFIGURABLE.CS.BERKELEY.EDU = {
                kdc = reconfigurable.cs.berkeley.edu:88
                admin_server = reconfigurable.cs.berkeley.edu
                default_domain = reconfigurable.cs.berkeley.edu
        }

[domain_realm]
        .reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
        reconfigurable.cs.berkeley.edu = RECONFIGURABLE.CS.BERKELEY.EDU
        .berkeley.edu = BERKELEY.EDU
        .net.berkeley.edu = BERKELEY.EDU
        .hip.berkeley.edu = BERKELEY.EDU
        .cs.berkeley.edu = EECS.BERKELEY.EDU
        .eecs.berkeley.edu = EECS.BERKELEY.EDU
        .bmrc.berkeley.edu = EECS.BERKELEY.EDU
        .coe.berkeley.edu = EECS.BERKELEY.EDU

[login]
        krb4_convert = true
        krb4_get_tickets = true

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[appdefaults]
        autologin = true
        forward = true
        krb5_aklog_path = /usr/bin/aklog
        login = {
                forwardable = true
                krb5_run_aklog = true
                krb5_get_tickets = true
                krb4_get_tickets = false
                krb4_convert = false
        }
        kinit = {
                forwardable = true
                krb5_run_aklog = true
        }
        sshd = {
                forwardable = true
                krb5_run_aklog = true
                krb5_get_tickets = true
        }
_______________________________________________ OpenAFS-info mailing list [email protected] https://lists.openafs.org/mailman/listinfo/openafs-info
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
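The naming mismatch that the whole thread turns on (a GSS host-based name "service@host" versus a krb5 principal "service/host@REALM", and what happens when the -s value is a cell name rather than a host) is easier to see with a small model. The script below is an added example written for this page; it is not gssklog or MIT krb5 code. It assumes the [domain_realm] section from the posted krb5.conf, assumes the gssklogd machine's own hostname is arachne.berkeley.edu (the name that showed up unexpectedly in the log), and uses a constructed stand-in for the redacted klist -ket listing. The lookup rules are a simplification of what the krb5 GSSAPI mechanism does for GSS_C_NT_HOSTBASED_SERVICE and what krb5 does for [domain_realm]; they are enough to reproduce the "No principal in keytab matches desired name" case and the working case.

```python
"""Model of how a GSS host-based service name ('service@host', the form
gssklogd's -s option takes) becomes a Kerberos principal, and a check of
that principal against a 'klist -ket' listing.  Added illustration, not
gssklog or MIT krb5 code; it mirrors the krb5 GSSAPI mechanism's behaviour
only as far as this thread needs."""
import re

# [domain_realm] entries copied from the krb5.conf posted in the thread.
DOMAIN_REALM = {
    ".reconfigurable.cs.berkeley.edu": "RECONFIGURABLE.CS.BERKELEY.EDU",
    "reconfigurable.cs.berkeley.edu": "RECONFIGURABLE.CS.BERKELEY.EDU",
    ".berkeley.edu": "BERKELEY.EDU",
    ".cs.berkeley.edu": "EECS.BERKELEY.EDU",
    ".eecs.berkeley.edu": "EECS.BERKELEY.EDU",
}
DEFAULT_REALM = "RECONFIGURABLE.CS.BERKELEY.EDU"   # default_realm in that file
# Assumption: the gssklogd host's own hostname, which the mechanism uses when
# the imported name carries no '@host' part.
LOCAL_HOSTNAME = "arachne.berkeley.edu"

# Constructed stand-in for the redacted 'klist -ket' output in the thread.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 04/20/05 01:07:35 host/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU (DES cbc mode with CRC-32)
   3 04/24/05 22:09:35 gssklog/reconfigurable.cs.berkeley.edu@RECONFIGURABLE.CS.BERKELEY.EDU (DES cbc mode with CRC-32)
"""


def host_to_realm(host, domain_realm=DOMAIN_REALM, default=DEFAULT_REALM):
    """[domain_realm] lookup: the exact hostname first, then each parent
    domain written with a leading dot, falling back to the default realm."""
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    return default


def quote_component(component):
    """Quote the characters krb5 escapes when printing a principal component."""
    return (component.replace("\\", "\\\\")
                     .replace("/", "\\/")
                     .replace("@", "\\@"))


def hostbased_to_principal(name, local_host=LOCAL_HOSTNAME):
    """GSS_C_NT_HOSTBASED_SERVICE 'service@host' -> 'service/host@REALM'.

    Everything before the '@' is the service component, so a value such as
    'gssklog/reconfigurable.cs.berkeley.edu' (a cell name, not a host) keeps
    its slash inside that component and is displayed quoted, giving the
    'gssklog\\/...' form seen in the thread.  No '@host' means the local host."""
    service, sep, host = name.partition("@")
    if not sep or not host:
        host = local_host
    host = host.lower().rstrip(".")
    return f"{quote_component(service)}/{host}@{host_to_realm(host)}"


def keytab_principals(klist_output):
    """Parse 'klist -ket' text into {principal: [(kvno, enctype), ...]}."""
    entry = re.compile(r"^\s*(\d+)\s+(\S+\s+\S+)\s+(\S+)\s+\((.+)\)\s*$")
    found = {}
    for line in klist_output.splitlines():
        m = entry.match(line)
        if m:
            kvno, _timestamp, principal, enctype = m.groups()
            found.setdefault(principal, []).append((int(kvno), enctype))
    return found


def check_service_principal(gss_name, klist_output):
    """Return (principal, present): the principal gssklogd would try to acquire
    credentials for, and whether the keytab holds it.  present=False is the
    'No principal in keytab matches desired name' case."""
    principal = hostbased_to_principal(gss_name)
    return principal, principal in keytab_principals(klist_output)


def client_target(server_host):
    """What 'gssklog -server <host>' asks for: gssklog@<host>, i.e. the
    host-based principal gssklog/<host>@<realm of host>."""
    return hostbased_to_principal("gssklog@" + server_host)


if __name__ == "__main__":
    for name in ("gssklog@reconfigurable.cs.berkeley.edu",
                 "gssklog/reconfigurable.cs.berkeley.edu",
                 "gssklog"):
        princ, ok = check_service_principal(name, SAMPLE_KLIST)
        print(f"{name!r:45} -> {princ}  {'in keytab' if ok else 'NOT in keytab'}")
    print("client expects:", client_target("reconfigurable.cs.berkeley.edu"))
```

Run it as is and the three -s style inputs show the three outcomes: "gssklog@reconfigurable.cs.berkeley.edu" lands on the principal the keytab holds; "gssklog/reconfigurable.cs.berkeley.edu" has no "@host", so the local hostname is appended and the cell name is quoted into the service part, which is the `gssklog\/...` name from the failing log; a bare "gssklog" gives the conventional gssklog/<host>@<realm>. The practical check before starting gssklogd is that `client_target(host)` for the hostname clients pass to -server equals a principal in the real `klist -ket` output of the keytab given to -k.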
