Jonathan Nilsson wrote:
Hello, I've spent a good amount of time trying to figure out how to use Windows Active Directory as my Kerberos Realm. So first off, tell me if this is not a supported scenario... although from the reading I've done, it should work. That said, I am having strange problems with my tickets/tokens and kvno mismatches.

First let me describe my environment:

- my one and only (for now) OpenAFS server (afs1.mycell.edu), version 1.4.11 on Fedora 11, kernel 2.6.30.10-105.2.16.fc11.i686.PAE, installed using RPMs from the openafs.org site (this is a VMware virtual machine, if that matters)
- two Windows servers running all the other support services: NTP, Kerberos, DNS, LDAP (for nss_ldap on my linux boxes).
- My AD domain and my AFS Cellname are identical.
- The "afs/mycell.edu" service principal was created by creating an account called "afs" in AD, checking the boxes for "Use DES encryption types for this account" and "Do not require Kerberos preauthentication", and then running "ktpass mapuser afs princ afs/[email protected]"
Was this the full ktpass command? Did you have it create a keytab? And how did you use asetkey with the keytab?

There is a problem with the W2003 SP1 ktpass. See:
http://support.microsoft.com/kb/919557

Have you looked at:
http://www.dementia.org/twiki/bin/view/AFSLore/WindowsK5AfsServicePrincipal
I can "kinit" and "aklog" to get a token. At this point I can read my AFS root.afs volume and root.cell volume, which have "system:anyuser rl" permissions. However, doing pretty much anything else fails, unless I append "-localauth":

[09:36 r...@afs1 ~]# bos listusers afs1 -localauth
SUsers are: afsadmin
[09:42 r...@afs1 ~]# bos listusers afs1
bos: failed to retrieve super-user list (security object was passed a bad ticket)
[09:52 r...@afs1 ~]# pts mem afsadmin -localauth
Groups afsadmin (id: 1) is a member of:
  system:administrators
[09:53 r...@afs1 ~]# pts mem afsadmin
pts: security object was passed a bad ticket so couldn't look up names

I'm not sure what is wrong with my ticket... Here's some additional output from klist, tokens, asetkey and kvno that might prove useful:

[09:56 r...@afs1 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: [email protected]

Valid starting     Expires            Service principal
02/26/10 09:25:50  02/26/10 19:25:07  krbtgt/[email protected]
        renew until 02/27/10 09:25:50
02/26/10 09:25:12  02/26/10 19:25:07  afs/[email protected]
        renew until 02/27/10 09:25:50

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[09:57 r...@afs1 ~]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 1) tokens for [email protected] [Expires Feb 26 19:25]
   --End of list--
[09:57 r...@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
[email protected]: kvno = 2
[09:57 r...@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
afs/[email protected]: kvno = 2
[09:57 r...@afs1 ~]# asetkey list
kvno 2: key is: <key_obscured>
All done.

Let me know if there is any other information I can supply that would be helpful.
--
Douglas E. Engert <[email protected]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
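A consistency check for the kvno question in this thread, added here as an example and not taken from either post: it parses the output formats of MIT kvno, MIT "klist -k -e" and OpenAFS "asetkey list" (the sample outputs below are constructed; the keytab path and the principal name are assumptions) and reports whether the service ticket, the keytab ktpass wrote and the AFS KeyFile agree on the key version, and whether the keytab entry is single DES, the only enctype the rxkad in OpenAFS 1.4 accepts. Matching versions only rule out version skew; they say nothing about whether the key bytes in the keytab match the key AD actually holds, which is what the ktpass questions in the reply are about.

```shell
#!/bin/sh
# Constructed sample outputs (not from the thread) in the formats of
# kvno(1), "klist -k -e" and "asetkey list". Principal and path are assumed.
KVNO_OUT='afs/mycell.edu@MYCELL.EDU: kvno = 2'
KEYTAB_OUT='Keytab name: FILE:/tmp/afs.keytab
KVNO Principal
---- ---------------------------------------------------------
   2 afs/mycell.edu@MYCELL.EDU (DES cbc mode with CRC-32)'
ASETKEY_OUT='kvno 2: key is: <key_obscured>
All done.'

# Key version the KDC placed in the service ticket.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*: kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Key version and enctype of the afs/ entry in the keytab.
keytab_kvno() {
    printf '%s\n' "$1" | awk '$2 ~ /^afs\// { print $1; exit }'
}
keytab_enctype() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]* afs\/[^ ]* (\(.*\))$/\1/p' | head -n 1
}

# Every key version present in the AFS KeyFile.
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^kvno \([0-9][0-9]*\):.*/\1/p'
}

# 0 when ticket kvno, keytab kvno and a KeyFile kvno all agree, else 1.
# Agreement does not prove the key bytes match the AD account's key.
check_kvno() {
    t=$(ticket_kvno "$1"); k=$(keytab_kvno "$2")
    [ -n "$t" ] && [ "$t" = "$k" ] || return 1
    for v in $(keyfile_kvnos "$3"); do
        [ "$v" = "$t" ] && return 0
    done
    return 1
}

# 0 when the keytab entry is single DES, which OpenAFS 1.4 rxkad requires.
check_des() {
    case "$(keytab_enctype "$1")" in
        "DES cbc mode with CRC-32"|"DES cbc mode with RSA-MD5") return 0 ;;
        *) return 1 ;;
    esac
}

check_kvno "$KVNO_OUT" "$KEYTAB_OUT" "$ASETKEY_OUT" && echo "kvno consistent" || echo "kvno skew" >&2
check_des "$KEYTAB_OUT" && echo "keytab enctype is DES" || echo "keytab enctype is not DES" >&2
```

On a live host, replace the three sample variables with `kvno -c /tmp/krb5cc_0 afs/mycell.edu`, `klist -k -e -t /path/to/keytab` and `asetkey list` output.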
