hi,
 ktpass -princ afs/[email protected] -mapuser [email protected] -mapOp add -out afs.keytab +rndPass -crypto DES-CBC-CRC +DesOnly -ptype KRB5_NT_PRINCIPAL +DumpSalt
I use the ktpass command to create afs.keytab on the Windows AD and then copy the 
afs.keytab file to the OpenAFS server. After that, I use the command 'asetkey 
add 3 afs.keytab afs/suzhou.powercore.com.cn' on the OpenAFS server, but it does 
not work.
> -----Original Message-----
> From: "Brandon Allbery" <[email protected]>
> Sent: 2016-05-10 03:16:51 (Tuesday)
> To: "[email protected]" <[email protected]>, "Benjamin Kaduk" 
> <[email protected]>
> Cc: "[email protected]" <[email protected]>
> Subject: RE: Re: Re: RE: [OpenAFS] ad+openafs
> 
> Do your systems have keytabs on them, with host instances? Using Kerberos for 
> login requires a validation step; it's not enough just to get a ticket, 
> because it's an opaque blob that you can't verify directly (and so might have 
> been injected by an attacker). The only way to validate it is to attempt to 
> use it to authenticate to a service; so pam_krb5, after getting your TGT, 
> uses it to get a service ticket for the host you're logging in to and then 
> uses the copy of the service key in /etc/krb5.keytab to decrypt the service 
> ticket. If this fails, login is rejected.
> 
> If the host you're logging in to doesn’t have a keytab then you will need to 
> make one. I can't help you with this for AD, aside from noting that this will 
> usually be created from an AD machine account, that is, joining the machine 
> to the AD domain using e.g. Samba. (I think it is also possible to create the 
> account directly and extract the keytab, but I don't know any details.)
> 
> Winbind uses a different (and less secure: while it is encrypted, the key is 
> fixed and well known) mechanism.
> 
> -----Original Message-----
> From: [email protected] [mailto:[email protected]] 
> Sent: Sunday, May 8, 2016 10:31 PM
> To: Benjamin Kaduk <[email protected]>
> Cc: [email protected]; Brandon Allbery <[email protected]>
> Subject: Re: Re: Re: RE: [OpenAFS] ad+openafs
> 
> hi,
> sorry, I need to add something.
> I have three servers:
>  AD + Kerberos: Windows 2008
>  NIS server + OpenAFS server: Linux Red Hat 6.7
>  NIS slave + OpenAFS client: Linux Red Hat 6.7
> I can use the AD accounts to log in to the Linux server and can get tokens, but 
> the PAM configuration with pam_krb5 seems not to be working. If I use 
> AD + winbind + OpenAFS, the PAM configuration with pam_krb5 is working fine. Do I 
> miss some PAM packages?
> 
> 
> > 
> > hi,
> > I modified the /etc/pam.d/system-auth file, but it did not work. How can I 
> > debug this error? Are there any other files that need to be modified?
> > 
> > [root@test-afs002 cai]# vi /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_krb5.afs.so use_first_pass ignore_root
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account     [default=bad success=ok user_unknown=ignore] pam_winbind.so 
> > cached_login
> > account     required      pam_permit.so
> > 
> > password    requisite     pam_cracklib.so try_first_pass retry=3 type=
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass 
> > use_authtok
> > password    sufficient    pam_krb5afs.so use_authtok
> > password    sufficient    pam_winbind.so cached_login use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     optional      pam_oddjob_mkhomedir.so umask=0077
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond 
> > quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_krb5afs.so
> > 
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: "Benjamin Kaduk" <[email protected]>
> > > Sent: 2016-05-06 23:17:46 (Friday)
> > > To: [email protected]
> > > Cc: 
> > > Subject: Re: RE: [OpenAFS] ad+openafs
> > > 
> > > You should keep the list cc'd for this thread; there are many other 
> > > people with more experience in this regard than me.
> > > 
> > > That said, it sounds like you want pam_krb5 and pam_afs_session on 
> > > the linux client, with some configuration knobs set accordingly.
> > > 
> > > -Ben
> > > 
> > > On Thu, 5 May 2016, [email protected] wrote:
> > > 
> > > >
> > > > hi,
> > > >  The system works now, but I want to get tokens when I log in to the Linux 
> > > > system without entering the kinit and aklog commands. How can I achieve this 
> > > > goal? Do I need to install some packages?
> > > >
> > > > software configuration: AD (Windows 2008 server) + NIS + OpenAFS 
> > > > 1.6.14
> > > >
> > > > > -----Original Message-----
> > > > > From: "Benjamin Kaduk" <[email protected]>
> > > > > Sent: 2016-05-04 13:44:00 (Wednesday)
> > > > > To: "Brandon Allbery" <[email protected]>
> > > > > Cc: "[email protected]" <[email protected]>, 
> > > > > "[email protected]" <[email protected]>
> > > > > Subject: RE: [OpenAFS] ad+openafs
> > > > >
> > > > > 1.6.14 doesn't need to have single-DES enabled; we shouldn't be 
> > > > > recommending it.  The rxkad.keytab method should work fine with AES 
> > > > > keys.
> > > > >
> > > > > -Ben
> > > > >
> > > > > On Tue, 3 May 2016, Brandon Allbery wrote:
> > > > >
> > > > > > -1765328370 is KRB5KDC_ERR_ETYPE_NOSUPP. This often means that 
> > > > > > DES is disabled somewhere. Note that the client library *also* 
> > > > > > needs DES enabled; you might need to add to the [libdefaults] 
> > > > > > section of /etc/krb5.conf on the RH system,
> > > > > >
> > > > > >     allow_weak_crypto = true
> > > > > >
> > > > > > From: [email protected] 
> > > > > > [mailto:[email protected]] On Behalf Of 
> > > > > > [email protected]
> > > > > > Sent: Tuesday, May 3, 2016 4:39 AM
> > > > > > To: [email protected]
> > > > > > Subject: [OpenAFS] ad+openafs
> > > > > >
> > > > > >
> > > > > > hi
> > > > > >
> > > > > > I installed OpenAFS 1.6.14 on Red Hat 6.7 and I want to use the AD as 
> > > > > > the krb5 auth.
> > > > > >
> > > > > > Here are my steps:
> > > > > >
> > > > > > 1  install openafs 1.6.14 on redhat 6.7
> > > > > >
> > > > > > 2  install AD on Windows 2008 R2
> > > > > >
> > > > > > 3  ktpass -princ afs/cellname@ADDOMAINNAME -mapuser afscell@ADDOMAINNAME \
> > > > > >      -mapOp add -out afs-keytab +rndPass -crypto DES-CBC-CRC +DesOnly \
> > > > > >      -ptype KRB5_NT_PRINCIPAL +DumpSalt
> > > > > >
> > > > > > 4 use kinit wang
> > > > > >
> > > > > >    aklog
> > > > > >
> > > > > > [root@test-afs002 ]# klist -e -f
> > > > > > Ticket cache: FILE:/tmp/krb5cc_0
> > > > > > Default principal: [email protected]
> > > > > >
> > > > > > Valid starting     Expires            Service principal
> > > > > > 05/03/16 16:26:46  05/04/16 02:26:33  krbtgt/[email protected]
> > > > > >         renew until 05/10/16 16:26:46, Flags: FRIA
> > > > > >         Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
> > > > > > 05/03/16 16:27:04  05/04/16 02:26:33  afs/[email protected]
> > > > > >         renew until 05/10/16 16:26:46, Flags: FRA
> > > > > >         Etype (skey, tkt): arcfour-hmac, arcfour-hmac
> > > > > > [root@test-afs002 ]# ls /afs/pc.com/
> > > > > > ls: cannot open directory /afs/pc.com/: Permission denied
> > > > > > [root@test-afs002 ]#
> > > > > >
> > > > > > If I create an afs user in the AD as a normal user with the login 
> > > > > > afs, set "user cannot change password" and "password never expires", 
> > > > > > and try to set "Use Kerberos DES encryption types for this 
> > > > > > account" on the Account tab, then when I use the command
> > > > > >
> > > > > > [root@test-afs002 ]# kinit wang
> > > > > > Password for [email protected]:
> > > > > > [root@test-afs002 ]# aklog
> > > > > > aklog: Couldn't get pc.com AFS tickets:
> > > > > > aklog: unknown RPC error (-1765328370) while getting AFS tickets
> > > > > > [root@test-afs002 ]#
> > > > > >
> > > > > > I configured the AD following the web page 
> > > > > > https://wiki.openafs.org/win2008r2adaskdc/, but I can't find what is 
> > > > > > wrong. Can you tell me?
> > > > > >
> > > > > > thanks
> > > > > >
> > > > > >
> > > > > >
> > > >
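The thread turns on what the ktpass-generated keytab actually contains (which principal, kvno and enctype) before it is handed to asetkey, and on the single-DES choice (+DesOnly, -crypto DES-CBC-CRC) that ends in KRB5KDC_ERR_ETYPE_NOSUPP (-1765328370) once DES is disabled on either side. The following is an added example, not code from the thread or from OpenAFS: a small parser for the MIT keytab file format that lists entries and flags single-DES keys, so a keytab can be inspected offline before the asetkey step. The realm AD.EXAMPLE and the sample entry are constructed for the demonstration.

```python
import struct
ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
SINGLE_DES = {1, 2, 3}        # RFC 3961 single-DES enctype numbers

def _cstr(buf, off):          # counted_octet_string: uint16 length + bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n], off + 2 + n

def build_entry(principal, kvno, etype, key):  # encode one MIT keytab (0x0502) entry; sample input only
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    # name_type, timestamp, 8-bit kvno, enctype, key length, key, then the 32-bit kvno trailer
    body += struct.pack(">IIBHH", 1, 0, kvno & 0xFF, etype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Decode a keytab into (principal, kvno, enctype number) tuples, skipping deleted slots."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT version 2 keytab")
    off, out = 2, []
    while off + 4 <= len(data):
        size = struct.unpack_from(">i", data, off)[0]; off += 4
        if size < 0:              # a negative size marks a deleted slot
            off -= size; continue
        end = off + size
        ncomp = struct.unpack_from(">H", data, off)[0]; off += 2
        realm, off = _cstr(data, off); comps = []
        for _ in range(ncomp):
            c, off = _cstr(data, off); comps.append(c.decode())
        _, _, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off); off += 13 + klen
        vno = struct.unpack_from(">I", data, off)[0] if end - off >= 4 else vno8
        out.append(("/".join(comps) + "@" + realm.decode(), vno, etype)); off = end
    return out

def check_afs_keytab(data, cell_principal):
    """Problems an asetkey-style import would hit: no key for the cell principal, or single-DES keys."""
    keys = [e for e in parse_keytab(data) if e[0] == cell_principal]
    problems = [] if keys else ["no key for " + cell_principal]
    for _, vno, etype in keys:
        if etype in SINGLE_DES:   # only usable with allow_weak_crypto and a DES-enabled AD account
            problems.append("kvno %d uses %s (single DES)" % (vno, ENCTYPES.get(etype, str(etype))))
    return problems

# constructed sample: what +DesOnly -crypto DES-CBC-CRC yields for the cell principal; realm AD.EXAMPLE is assumed
AFS_PRINC = "afs/suzhou.powercore.com.cn@AD.EXAMPLE"
SAMPLE_DES = b"\x05\x02" + build_entry(AFS_PRINC, 3, 1, bytes(8))
```

Running parse_keytab over a real file (open(path, "rb").read()) lists the entries the same way; asetkey needs the kvno it prints to match the one you pass on its command line.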