Hello,

I was trying to set up OpenAFS 1.4.7 working with both Microsoft Active Directory and an MIT Kerberos 5 server, but it didn't work well.

My goal is to enable both AD users and AFS users to access AFS space. The current situation is that both AD and MIT Kerberos authentication work fine, users on both sides can get tickets and tokens, but only the AFS user is able to access its AFS home directory; AD users get a "Permission denied" error. My AFS and MIT Kerberos server is running Linux CentOS 5 - kernel 2.6.18-92.1.10.el5.
The AD server is Windows 2003 Enterprise Edition SP2.

AD domain: MESH.UMDNJ.EDU
MIT Kerberos realm: MED.UMDNJ.EDU

I have two users:
MIT Kerberos user: user1
AD user: user101

Here is what I have done:

On AD side:

C:\Program Files\Support Tools>ktpass.exe -princ afs/[EMAIL PROTECTED] U -mapuser [EMAIL PROTECTED] -mapOp add -out keytab.afs +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
Targeting domain controller: rarwjmsist2.mesh.umdnj.edu
Using legacy password setting method
Successfully mapped afs/med.umdnj.edu to afsmed.
Building salt with principalname afs/med.umdnj.edu and domain MESH.UMDNJ.EDU...
Hashing password with salt "MESH.UMDNJ.EDUafsmed.umdnj.edu".
Key created.
Output keytab to keytab.afs:
Keytab version: 0x502
keysize 59 afs/[EMAIL PROTECTED] ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x1 (DES-CBC-CRC) keylength 8 (0x01255b6b83402068)
Account afsmed has been set for DES-only encryption.

ktpass.exe version is 5.2.3790.3959

Add the key
[EMAIL PROTECTED] ~]# asetkey add 4 /etc/krb5.keytab afs/[EMAIL PROTECTED]

[EMAIL PROTECTED] ~]# asetkey list
kvno    3: key is: b0c49b017ffb9440
kvno    4: key is: 61a443c4b55197cd

In /etc/krb5.keytab:

ktutil:  rkt krb5.keytab
ktutil:  l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
  1    4         afs/[EMAIL PROTECTED]
  2    3          afs/[EMAIL PROTECTED]
  3    3                        [EMAIL PROTECTED]


[EMAIL PROTECTED] ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] ~]# tokens

Tokens held by the Cache Manager:

  --End of list--

[EMAIL PROTECTED] ~]# kinit user1
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] ~]# aklog
[EMAIL PROTECTED] ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/15/08 11:41:54  10/16/08 11:41:54  krbtgt/[EMAIL PROTECTED]
Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
10/15/08 11:41:56  10/16/08 11:41:54  afs/[EMAIL PROTECTED]
   Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 10001) tokens for [EMAIL PROTECTED] [Expires Oct 16 11:41]
  --End of list--
[EMAIL PROTECTED] ~]# ls -l /afs/med.umdnj.edu/home/user1
total 8
-rw-r--r-- 1 user1  root     9 Sep  3 12:13 testfile
drwxrwxrwx 2 user1  root  2048 Sep  4 12:46 testdir
drwxrwxrwx 5 root   root  2048 Sep  5 14:35 Yesterday

From above you can see MIT kerberos user works well. Next I tested with AD user:

[EMAIL PROTECTED] ~]#
[EMAIL PROTECTED] ~]# unlog
[EMAIL PROTECTED] ~]# kdestroy
[EMAIL PROTECTED] ~]# klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_0)


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] ~]# tokens

Tokens held by the Cache Manager:

  --End of list--

[EMAIL PROTECTED] ~]# kinit [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
[EMAIL PROTECTED] ~]# aklog
[EMAIL PROTECTED] ~]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
10/15/08 11:43:07  10/15/08 21:43:06  krbtgt/[EMAIL PROTECTED]
renew until 10/16/08 11:43:07, Etype (skey, tkt): ArcFour with HMAC/md5, ArcFour with HMAC/md5
10/15/08 11:43:09  10/15/08 21:43:06  afs/[EMAIL PROTECTED]
renew until 10/16/08 11:43:07, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[EMAIL PROTECTED] ~]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 10006) tokens for [EMAIL PROTECTED] [Expires Oct 15 21:43]
  --End of list--
[EMAIL PROTECTED] ~]# ls -l /afs/med.umdnj.edu/home/user101
ls: /afs/med.umdnj.edu/home/user101: Permission denied

[EMAIL PROTECTED] ~]# touch /afs/med.umdnj.edu/home/user101/test
touch: cannot touch `/afs/med.umdnj.edu/home/user101/test': Permission denied

You see user101 has tickets and a token, but could not access its AFS home directory. The permissions under /afs/med.umdnj.edu/home/user101 are:

[EMAIL PROTECTED] user101]$ fs la .
Access list for . is
Normal rights:
 system:administrators rlidwka
 user101 rlidwk


Here is krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = MED.UMDNJ.EDU
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
forwardable = yes
noaddresses = false

[realms]
MED.UMDNJ.EDU = {
 kdc = RArwjmsIST1.umdnj.edu:88
 admin_server = RArwjmsIST1.umdnj.edu:749
 default_domain = med.umdnj.edu
}
MESH.UMDNJ.EDU = {
 kdc = RArwjmsIST2.umdnj.edu:88
 admin_server = RArwjmsIST2.umdnj.edu:749
 default_domain = mesh.umdnj.edu
}

[domain_realm]
.med.umdnj.edu = MED.UMDNJ.EDU
med.umdnj.edu = MED.UMDNJ.EDU
.mesh.umdnj.edu = MESH.UMDNJ.EDU
mesh.umdnj.edu = MESH.UMDNJ.EDU

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf


I also tried Linux ktutil to generate the keytab file:
ktutil: addent -password -p afs/[EMAIL PROTECTED] -k 5 -e des-cbc-crc

Still I got the same results.


I could not figure out why it doesn't work. Any advice would be appreciated.


Wenping Yang



_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
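An added check for the asetkey step in the post above (example code of my own, not from the post or from OpenAFS): a fileserver can only validate a token issued under the AD account's key if the KeyFile entry for that kvno holds exactly the DES key that is in the keytab, so it is worth comparing the two directly rather than trusting that `asetkey add` picked up the right entry. The script parses a version-0x502 keytab, selects the des-cbc-crc (etype 1) entries for the AFS service principal, and compares their key bytes with the `kvno N: key is: HEX` lines printed by `asetkey list`; the principal name, key bytes and asetkey output used as sample input are constructed placeholders, not values from the post.

```python
import re
import struct
def build_keytab(entries):
    """Serialize (principal, kvno, etype, key) tuples as a 0x502 keytab (sample input only)."""
    out = b"\x05\x02"
    for princ, kvno, etype, key in entries:
        name, realm = princ.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1)          # number of name components
        for s in [realm] + name.split("/"):                      # realm first, then components
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)           # name_type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out
def parse_keytab(data):
    """Yield (principal, kvno, etype, key) for every live entry of a 0x502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version")
    pos = 2
    while pos + 4 <= len(data):
        size, pos = struct.unpack(">i", data[pos:pos + 4])[0], pos + 4
        if size <= 0:                                # negative size marks a deleted slot
            pos += abs(size) or len(data)            # a zero size is corrupt: stop parsing
            continue
        end = pos + size
        ncomp, pos, strs = struct.unpack(">H", data[pos:pos + 2])[0], pos + 2, []
        for _ in range(ncomp + 1):                   # realm, then the name components
            n = struct.unpack(">H", data[pos:pos + 2])[0]
            strs.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = data[pos + 8]                         # sits after name_type and timestamp
        etype, klen = struct.unpack(">HH", data[pos + 9:pos + 13])
        key = data[pos + 13:pos + 13 + klen]
        pos += 13 + klen
        kvno = struct.unpack(">I", data[pos:pos + 4])[0] if end - pos >= 4 else vno8
        pos = end
        yield "/".join(strs[1:]) + "@" + strs[0], kvno, etype, key

def check_keyfile(keytab, asetkey_list, principal):
    """Map each des-cbc-crc kvno of `principal` to True if `asetkey list` shows the same key."""
    keyfile = {int(k): h for k, h in re.findall(r"kvno\s+(\d+): key is: ([0-9a-f]{16})", asetkey_list)}
    return {kvno: keyfile.get(kvno) == key.hex()
            for princ, kvno, etype, key in parse_keytab(keytab)
            if princ == principal and etype == 1}

SAMPLE_PRINC = "afs/cell.example@AD.EXAMPLE"   # constructed placeholder, as are the keys below
SAMPLE_KEYTAB = build_keytab([(SAMPLE_PRINC, 3, 1, bytes.fromhex("fedcba9876543210")),
                              (SAMPLE_PRINC, 4, 1, bytes.fromhex("0123456789abcdef"))])
SAMPLE_ASETKEY = "kvno    3: key is: fedcba9876543210\nkvno    4: key is: 0000000000000000\n"
```

With the sample input, `check_keyfile(SAMPLE_KEYTAB, SAMPLE_ASETKEY, SAMPLE_PRINC)` reports kvno 3 as matching and kvno 4 as not; on a real server you would read `/etc/krb5.keytab` and pipe in the output of `asetkey list`.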