All,

After some more digging I narrowed down the problem to aklog. The
problem is that apparently "aklog" does some translation on the
Kerberos principal name.
In particular, if the Kerberos principal contains a "/"  -- like e.g.
"florian/admin", aklog actually tries to resolve "florian.admin"
instead (which doesn't exist in the cell) thus resolves it as ID 32766
(i.e. "anonymous").

kdc-hostname:~# kauth florian/admin
florian/[EMAIL PROTECTED]'s Password:
kauth: NOTICE: ticket renewable lifetime is 1 week

kdc-hostname:~# aklog -d -force
Authenticating to cell domain.com (server kdc-hostname.domain.com).
We've deduced that we need to authenticate to realm DOMAIN.COM.
Getting tickets: afs/[EMAIL PROTECTED]
About to resolve name florian.admin to id in cell domain.com.
Id 32766
Set username to florian.admin
Setting tokens. florian.admin /  @ DOMAIN.COM
kdc-hostname:~# tokens

Tokens held by the Cache Manager:

Tokens for [EMAIL PROTECTED] [Expires Nov  9 07:09]
   --End of list--

The only question remaining is: "Is this a feature or a bug?" i.e. is
this intentional, and/or is there anything I can do to fix this and still have
AFS usernames containing "/" characters?

TIA,

Florian

On 11/8/05, Florian Daniel Otel <[EMAIL PROTECTED]> wrote:
> All,
>
>
> Disclaimer: Since this is my first posting to this list (hello all!) I
> might be missing smth obvious. Thanks in advance for the patience
> and/or pointers to appropriate resources (even though I google quite a
> bit before posting...)
>
>
> My problem: I am trying to set up a Heimdal Kerberos5 / OpenAFS setup
> and apparently I am not able to get right the mapping between AFS
> users and Kerberos principals: While I can get tickets from the KDC,
> "bos" and "ptserver" are not able to authenticate the user based on
> those certificates i.e. translate btw. Kerberos tickets and AFS tokens
> (??). I am also a bit confused about the output of "aklog" and
> "afslog" and when do I need which and for what (TIA for any
> explanation):
>
> Two examples (see detailed command output below):
>
> 1)  The principal for administering "bos" is "florian/admin". Even
> though this principal exists, can get tickets and is listed as such in
> "bos listusers" (i.e. "/etc/openafs/UserList",
> "/etc/openafs/server/UserList"), any "bos restart" or commands
> requiring administrative privileges fail. Some other times when
> performing "bos status" or similar, the "bos" returns "bos: no such
> entry (getting tickets)" (?!?!?!).
>
> 2) Ditto for the same principal with "ptserver" and ACLs. While that
> principal is "pts create"d, is added to "system:administrators" group,
> it is not allowed to do anything, e.g. getting/setting ACLs. The only
> thing that worked was creating a Kerberos principal called "admin" (is
> this a built-in administrator in "pts" ??) and using that one to issue
> "pts" commands and getting/setting ACLs commands
>
>
> My questions:
>
> 1) Are there any special settings needed in "/etc/krb5.conf" and/or
> "/var/lib/heimdal/kdc.conf" to get this mapping working ?
>
> 2) When and how does one use "aklog" and "afslog" and how can one
> check the mapping btw. Kerberos tickets and AFS tokens ?
>
>
> Thanks in advance for any help in clearing up the confusion
>
>
> Florian
>
>
> P.S. In both examples below the system is Debian/Sarge 3.1r0a,
> running stock Heimdal 0.6.3, openafs 1.3.81 and openafs-krb5 1.3.10-1
>
> "DOMAIN.COM" (my Kerberos realm)  and "domain.com" (my DNS domain) are
> identical.
>
>
> Example 1) bos commands
>
> kdc-hostname:~# kinit florian/admin
> florian/[EMAIL PROTECTED]'s Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> kdc-hostname:~# klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: florian/[EMAIL PROTECTED]
>
>   Issued           Expires          Principal
> Nov  8 17:58:33  Nov  9 03:58:33  krbtgt/[EMAIL PROTECTED]
> Nov  8 17:58:33  Nov  9 03:58:33  krbtgt/[EMAIL PROTECTED]
> Nov  8 17:58:33  Nov  9 03:58:33  [EMAIL PROTECTED]
>
>    V4-ticket file: /tmp/tkt0
>         Principal: [EMAIL PROTECTED]
>
>   Issued           Expires          Principal
> Nov  8 17:58:33  Nov  9 03:58:33  [EMAIL PROTECTED]
>
>
>
> kdc-hostname:~# aklog -d
> Authenticating to cell domain.com (server kdc-hostname.domain.com).
> We've deduced that we need to authenticate to realm DOMAIN.COM.
> Getting tickets: afs/[EMAIL PROTECTED]
> Identical tokens already exist; skipping.
>
>
> kdc-hostname:~# tokens
>
> Tokens held by the Cache Manager:
>
> Tokens for [EMAIL PROTECTED] [Expires Nov  8 08:46]
>    --End of list--
>
>
> kdc-hostname:~# bos listusers localhost -localauth
> SUsers are: florian/admin
>
> kdc-hostname:~# bos restart localhost vlserver
> bos: failed to restart instance vlserver (you are not authorized for
> this operation)
>
> Relevant parts of "strace"ing the above command:
>
>
> The only "suspicious" entry in the logs per se is from "fileserver" process:
>
> kdc-hostname:/var/log/openafs# cat FileLog
> Mon Nov  7 22:45:25 2005 File server starting
> Mon Nov  7 22:45:25 2005 afs_krb_get_lrealm failed, using domain.com.
> Mon Nov  7 22:45:25 2005 VL_RegisterAddrs rpc failed; will retry
> periodically (code=5376, err=2)
> Mon Nov  7 22:45:26 2005 Set thread id 14 for FSYNC_sync
> ....
>
>
> Example 2) ptserver problem
>
> As above, even though "florian/[EMAIL PROTECTED]" was the intended
> principal to be member of the "system:administrators" group, the only
> one that works (of a fashion) is the "[EMAIL PROTECTED]" principal that
> I added only afterwards.
>
>
> - With "[EMAIL PROTECTED]":
>
> [...]
> [EMAIL PROTECTED]:~$ kinit admin
> [EMAIL PROTECTED]'s Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> [EMAIL PROTECTED]:~$ aklog -d
> Authenticating to cell domain.com (server kdc-hostname.domain.com).
> We've deduced that we need to authenticate to realm DOMAIN.COM.
> Getting tickets: afs/[EMAIL PROTECTED]
> Identical tokens already exist; skipping.
> [EMAIL PROTECTED]:~$ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 1000) tokens for [EMAIL PROTECTED] [Expires Nov  8 09:00]
>    --End of list--
>
> [EMAIL PROTECTED]:~$ pts membership system:administrators
> Members of system:administrators (id: -204) are:
>   florian/admin
>   admin
>
> [EMAIL PROTECTED]:~$ pts examine florian/admin
> Name: florian/admin, id: 1, owner: system:administrators, creator: anonymous,
>   membership: 1, flags: S----, group quota: unlimited.
>
>
> [EMAIL PROTECTED]:~$ pts examine admin
> Name: admin, id: 3, owner: system:administrators, creator: anonymous,
>   membership: 1, flags: S----, group quota: unlimited.
>
> [EMAIL PROTECTED]:~$ pts listentries -users
> Name                          ID  Owner Creator
> anonymous                  32766   -204    -204
> florian/admin                  1   -204   32766
> florian                        2   -204   32766
> admin                          3   -204   32766
>
>
> [EMAIL PROTECTED]:~$ fs listacl /afs/domain.com/
> Access list for /afs/domain.com/ is
> Normal rights:
>   system:administrators rlidwka
>   system:anyuser rl
> [...]
>
>
> However, trying to use "florian/admin" instead doesn't work. Note
> also that the output of the "tokens" command does not output any "AFS
> ID" as the one for "admin" above (!?!?!).
>
> [...]
> kdc-hostname:~# kinit florian/admin
> florian/[EMAIL PROTECTED]'s Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> kdc-hostname:~# tokens
>
> Tokens held by the Cache Manager:
>
> Tokens for [EMAIL PROTECTED] [Expires Nov  8 09:04]
>    --End of list--
>
> kdc-hostname:~# pts membership "system:administrators"
> pts: Permission denied ; unable to get membership of
> system:administrators (id: -204)
>
> kdc-hostname:~# pts examine florian/admin
> pts: Permission denied ; unable to find entry for (id: 1)
>
>
> kdc-hostname:~# fs setacl /afs/domain.com/ system:anyuser rl
> fs: You don't have the required access rights on '/afs/domain.com/'
> [...]
>
>
>
> ========== /etc/krb5.conf ==========
> [libdefaults]
>         default_realm = DOMAIN.COM
> # The following krb5.conf variables are only for MIT Kerberos.
>         krb4_config = /etc/krb.conf
>         krb4_realms = /etc/krb.realms
>         kdc_timesync = 1
>         ccache_type = 4
>         forwardable = true
>         proxiable = true
> # Get Kerberos 4 tickets
>         krb4_get_tickets = true
>
>         v4_instance_resolve = true
>         v4_name_convert = {
>                 host = {
>                         rcmd = host
>                         ftp = ftp
>                 }
>         }
>
> [realms]
> DOMAIN.COM = {
>          kdc = kdc-hostname.domain.com.
>          admin_server = kdc-hostname.domain.com.
> }
>
> [kdc]
>         use_2b={
>                 [EMAIL PROTECTED] = true
>                 afs/[EMAIL PROTECTED] = true
>         }
>
> [domain_realm]
>         .domain.com = DOMAIN.COM
>
> # This below is for kerberos-enabled login.
> [login]
>         krb4_convert = true
>         krb4_get_tickets = true
>
>
> ========= /var/lib/heimdal-kdc/kdc.conf ============
>
> [kdc]
> logging = FILE:/var/log/heimdal-kdc.log
>
> # respond to Kerberos 4 requests
> enable-kerberos4 = true
>
> # respond to 524 requests
> enable-524 = true
>
> v4-realm = DOMAIN.COM
>
> # Enable kaserver emulation (in case it's compiled in).
> enable-kaserver = true
>
>
> # [kadmin]
> # default_keys = list of strings
> # Maybe this will help ?
>   default_keys = v4 v5 afs3-salt:domain.com
>
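The name translation described at the top of this thread, modelled as an added example (not code from the thread or from OpenAFS/aklog): a simplified model of how aklog turns a Kerberos 5 principal into an AFS user name (the "/" between name and instance becomes "."), run against a constructed copy of the pts entries shown above. The translation rule, the `ANONYMOUS_ID` constant and the `diagnose` helper are assumptions for illustration.

```python
# Added example: model of aklog's Kerberos 5 -> AFS name translation and the
# resulting pts lookup. Not the thread's or OpenAFS's own code.

ANONYMOUS_ID = 32766  # id pts resolves unknown names to, as seen in the thread

# Constructed from the "pts listentries -users" output quoted in the thread.
PTS_USERS = {
    "anonymous": 32766,
    "florian/admin": 1,
    "florian": 2,
    "admin": 3,
}


def parse_principal(principal):
    """Split 'name/instance@REALM' into (name, instance, realm); realm may be ''."""
    if "@" in principal:
        body, realm = principal.rsplit("@", 1)
    else:
        body, realm = principal, ""
    name, _, instance = body.partition("/")
    return name, instance, realm


def krb5_to_afs_name(principal, local_realm):
    """Assumed model of aklog's K5 -> K4-style translation: 'name/instance'
    becomes 'name.instance'; a realm other than the cell's is kept as '@realm'."""
    name, instance, realm = parse_principal(principal)
    afs_name = f"{name}.{instance}" if instance else name
    if realm and realm.upper() != local_realm.upper():
        afs_name += "@" + realm.lower()
    return afs_name


def resolve_afs_id(afs_name, pts_users=PTS_USERS):
    """pts maps names it does not know to the anonymous id."""
    return pts_users.get(afs_name, ANONYMOUS_ID)


def diagnose(principal, local_realm, pts_users=PTS_USERS):
    """Return (translated_name, id, note) explaining why a token can end up
    anonymous even though a pts entry for the raw principal string exists."""
    afs_name = krb5_to_afs_name(principal, local_realm)
    afs_id = resolve_afs_id(afs_name, pts_users)
    raw_name = principal.split("@", 1)[0]
    if afs_id == ANONYMOUS_ID and raw_name in pts_users:
        note = f"pts has '{raw_name}' but aklog looks up '{afs_name}'"
    elif afs_id == ANONYMOUS_ID:
        note = "no pts entry; token will be anonymous"
    else:
        note = "ok"
    return afs_name, afs_id, note


if __name__ == "__main__":
    for p in ("florian/admin@DOMAIN.COM", "admin@DOMAIN.COM"):
        print(p, "->", diagnose(p, "DOMAIN.COM"))
```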
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info