Jeffrey Altman wrote:
> Eric Chris Garrison wrote:
>> Anything else that we might be missing? I keep thinking it must be
>> something simple.
>
> It has to be key related. An authenticated/encrypted connection is
> possible provided that the key works. Even if the user name is not
> found in the protection database.
>
> I would verify once again using kvno that the key in fact works and that
> you are in fact obtaining des based enctypes.
So, here's the kvno test:

[r...@rufus2 x86_64]# kvno afs/[email protected]
afs/[email protected]: kvno = 8
[r...@rufus2 x86_64]# asetkey list
kvno 5: key is: XXXXXXXXXXXXXXXX
kvno 8: key is: XXXXXXXXXXXXXXXX
All done.

Here's a look at the keytab they sent me:

[r...@rufus2 etc]# ktutil
ktutil: rkt afstest-md5.keytab
ktutil: list
slot KVNO Principal
---------------------------------------------------------------------
   1    8 afs/[email protected]

Also, I can kinit with the keytab they gave me for the service principal:

[r...@rufus2 etc]# kinit -k -t afstest-md5.keytab afs/[email protected]
[r...@rufus2 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afs/[email protected]

Valid starting     Expires            Service principal
07/17/09 14:34:44  07/18/09 00:34:44  krbtgt/[email protected]
        renew until 07/18/09 14:34:44, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC

Kerberos 4 ticket cache: /tmp/tkt0

Here's a test with a principal (ecgarris) that is in ADS.IU.EDU, AFSTEST.IU.EDU and also in the pts database as a user:

[r...@rufus2 etc]# kinit [email protected]
Password for [email protected]:
[r...@rufus2 etc]# klist -e
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
07/17/09 14:38:51  07/18/09 00:38:55  krbtgt/[email protected]
        renew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/17/09 14:38:58  07/18/09 00:38:55  afs/[email protected]
        renew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[r...@rufus2 etc]# aklog -d
Authenticating to cell afstest.iu.edu (server rufus2.uits.iupui.edu).
Trying to authenticate to user's realm ADS.IU.EDU.
Getting tickets: afs/[email protected]
Using Kerberos V5 ticket natively
About to resolve name ecgarris to id in cell afstest.iu.edu.
Id 37302
Set username to AFS ID 37302
Setting tokens. AFS ID 37302 / @ ADS.IU.EDU

So here's the real problem: I've set ecgarris's homedir with the proper ACLs, which work from [email protected] but not [email protected]:

[r...@rufus2 etc]# ls /afs/iu.edu/home/ecgarris
ls: /afs/iu.edu/home/ecgarris: No such file or directory
[r...@rufus2 etc]# ls /afs/afstest.iu.edu/home/ecgarris
ls: /afs/afstest.iu.edu/home/ecgarris: Permission denied

The following message appears in dmesg:

afs: Tokens for user of AFS id 37302 for cell afstest.iu.edu are discarded (rxkad error=19270407)

[r...@rufus2 x86_64]# translate_et 19270407
19270407 (rxk).7 = security object was passed a bad ticket

I'm still waiting to hear back from my ADS admin on the other questions that Douglas Engert asked about that side of things, since that's something we don't control. We have our own test KDC, but it's a MIT Kerberos server. The service principal from AFSTEST.IU.EDU works fine, just not the ADS side of things.

Just for fun, I updated the openafs server/client on the test machine to 1.4.11 today; it was 1.4.10 before. I also made sure the machine is as up2date as it can be for RHEL4. It didn't make a difference, though I didn't really think it would.

Hopefully, something will shake loose for the ADS admin, because I'm really running out of ideas on my end. Any other suggestions/ideas are very welcome. Thanks for all your help so far.
Chris

--
Eric Chris Garrison | Principal Mass Storage Specialist
[email protected] | Indiana University - Research Storage
W: 317-278-1207 M: 317-250-8649 | Jabber IM: [email protected]
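Two checks that follow from the exchange above, written here as an added example and not code from the original post or from OpenAFS: decoding a com_err code the way translate_et does (19270407 splits into table "rxk", index 7) and confirming from `klist -e` output that the afs/<cell> service ticket the client hands to rxkad carries a DES enctype, which is the "des based enctypes" question in Jeffrey's reply. The table-name character set is an assumption checked against the value the post shows, and the sample `klist` text is constructed (the post's principal names were redacted).

```python
import re

# Character set assumed for how OpenAFS com_err packs an error-table name into the
# bits above the low byte of a code (lowercase first); it reproduces the post's
# translate_et output "(rxk).7" for 19270407.
_CHARSET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_"

# Only the rxkad message quoted in the post; rxkad defines more codes than this.
RXKAD_MESSAGES = {7: "security object was passed a bad ticket"}


def decode_com_err(code):
    """Split a com_err code into (table name, index within the table), like translate_et."""
    table_bits = code >> 8
    name = ""
    for shift in (18, 12, 6, 0):          # up to four 6-bit characters, high bits first
        ch = (table_bits >> shift) & 0x3F
        if ch:                            # 0 means "no character" (short table name)
            name += _CHARSET[ch - 1]
    return name, code & 0xFF


# A ticket in "klist -e" output is a line ending in the service principal followed by
# an indented line carrying the session-key (skey) and ticket (tkt) enctypes.
_TICKET_RE = re.compile(
    r"(?P<svc>\S+)\n[ \t]*(?:renew until [^,\n]+, )?Etype \(skey, tkt\): "
    r"(?P<skey>[^,\n]+), (?P<tkt>[^\n]+)")


def ticket_enctypes(klist_output):
    """Map each service principal in klist -e output to its (skey, tkt) enctype names."""
    return {m["svc"]: (m["skey"], m["tkt"].strip()) for m in _TICKET_RE.finditer(klist_output)}


def afs_ticket_is_des(klist_output, cell):
    """True if an afs/<cell> ticket is cached and its ticket enctype is DES-based
    (what the 1.4-era rxkad can decrypt), False if it is not, None if no such ticket."""
    for svc, (_skey, tkt) in ticket_enctypes(klist_output).items():
        if svc.startswith("afs/" + cell + "@"):
            return tkt.startswith("DES ")
    return None


# Constructed sample in the shape of the post's second "klist -e" run.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ecgarris@ADS.IU.EDU

Valid starting     Expires            Service principal
07/17/09 14:38:51  07/18/09 00:38:55  krbtgt/ADS.IU.EDU@ADS.IU.EDU
\trenew until 07/18/09 14:38:51, Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
07/17/09 14:38:58  07/18/09 00:38:55  afs/afstest.iu.edu@ADS.IU.EDU
\trenew until 07/18/09 14:38:51, Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with RSA-MD5
"""
```

On the post's own output this check passes (both enctype fields are DES), which is why the thread's remaining suspect is the key material behind kvno 8 rather than the enctype negotiated with the ADS KDC.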
