Eric Chris Garrison wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Okay, we continue to fight this.  We found that despite having an
> alternate realm name in /usr/afs/etc/krb.conf, users from that realm were
> being treated as unauthorized, anonymous users, rather than being mapped
> as they should be.
>
> We looked into enctypes as a possible culprit.  We were using des-cbc-crc,
> but when we'd do an aklog, ADS returns des-cbc-md5, and they said they can
> not restrict it to just one type, but can restrict it to just DES types.
> (The ADS admin said they set the "Use Kerberos DES encryption types" flag).
>
> So, we got a des-cbc-md5 service principal from our ADS admin.  Now the
> ticket decoding is failing in krb5_des_decrypt() in rxkad/ticket5.c on the
> server side.
>
> After aklog, this is what klist shows for afs/afstest.iu.edu:
> 07/16/09 14:43:22  07/17/09 00:43:12  afs/[email protected]
>         renew until 07/17/09 14:43:08, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
>
The enc types are OK. For example, I have:
07/16/09 08:41:05  07/16/09 18:40:53  afs/[email protected]
        renew until 07/23/09 08:40:53, Etype(skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

> In FileLog:
> Thu Jul 16 14:27:48 2009 FindClient: authenticating connection: authClass=0
>
> That 0 should be 2 for properly authenticated connections. At first it
> failed because the enctype wasn't supported.  Now that they have that DES
> flag set in the kdc, it fails because it can't decrypt the encrypted part
> of the k5 ticket.

And after you reset the desonly bit in AD, did you use ktpass with
-pass somepassword -out keytabfile
or did you use the -rndPass option?

And you put the new key in the /usr/afs/etc/KeyFile on all the servers
with the correct kvno? Not sure, but you may have to restart the servers too.

And you did a fresh kinit?

> Can anyone enlighten me on the encryption types we should be asking for
> from the ADS admin, and what other issues might be going on here, and why
> the MD5 ticket isn't being decrypted by the AFS server?
>
> Thanks again,
>
> Chris
> - --
> Eric Chris Garrison             | Principal Mass Storage Specialist
> [email protected]              | Indiana University - Research Storage
> W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.6 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQFKX3YgG2WsK8XoJWURAqeIAJ9OPHBKmZsSlFFNH+NHrezPgWJcKgCfeD1r
> pmR2Q99g+UhX9JJvl8zaBtM=
> =L3qL
> -----END PGP SIGNATURE-----
> _______________________________________________
> OpenAFS-info mailing list
> [email protected]
> https://lists.openafs.org/mailman/listinfo/openafs-info

--

 Douglas E. Engert  <[email protected]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444