Odd afs token behavior with Heimdal and OpenAFS
Hi,
I am bootstrapping a test cell using openafs 1.2.10, heimdal 0.6 on a
Sunblade 1000 running Solaris9
The following is my krb5.conf --
[ktutil]
dns_lookup_realm = false
dns_lookup_kdc = false
[libdefaults]
dns_lookup_realm = false
default_realm = GWTEST.NJIT.EDU
clockskew = 300
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
GWTEST.NJIT.EDU = {
kdc = richter.njit.edu
admin_server = richter.njit.edu
}
[domain_realm]
.njit.edu = GWTEST.NJIT.EDU
njit.edu = GWTEST.NJIT.EDU
[kdc]
enable-524 = true
v4-realm = GWTEST.NJIT.EDU
[logging]
kdc = FILE:/var/heimdal/kdc.log
kdc = SYSLOG:INFO
default = SYSLOG:INFO:USER
[kadmin]
default_keys = v4 v5 des:afs3-salt:gwtest.njit.edu
afs-cell = gwtest.njit.edu
v4-realm = GWTEST.NJIT.EDU
I then did the following --
kadmin> add admin
gwolosh/admin@GWTEST.NJIT.EDU's Password:
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
admin@GWTEST.NJIT.EDU's Password:
Verifying password - admin@GWTEST.NJIT.EDU's Password
kadmin> add admin/admin
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
admin/admin@GWTEST.NJIT.EDU's Password:
Verifying password - admin/admin@GWTEST.NJIT.EDU's Password:
kadmin> add --random-key afs
Max ticket life [1 day]:
Max renewable life [1 week]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:
kadmin> del_enctype afs des3-cbc-sha1
kadmin> get afs
kadmin> ext --keytab=/etc/afskeyfile.krb5 afs
# ktutil -k /etc/afskeyfile.krb5 list
/etc/afskeyfile.krb5:
Vno  Type         Principal
  2  des-cbc-crc  afs@GWTEST.NJIT.EDU
  2  des-cbc-md4  afs@GWTEST.NJIT.EDU
  2  des-cbc-md5  afs@GWTEST.NJIT.EDU
ktutil copy FILE:/etc/afskeyfile.krb5 AFSKEYFILE:/usr/afs/etc/KeyFile
# chmod 0600 /usr/afs/etc/KeyFile
# ls -l /usr/afs/etc/KeyFile
-rw------- 1 root other 16 Sep 25 09:53 /usr/afs/etc/KeyFile
kadmin> add admin
kadmin> list *
gwolosh/admin@GWTEST.NJIT.EDU
gwolosh@GWTEST.NJIT.EDU
kadmin/hprop@GWTEST.NJIT.EDU
admin/admin@GWTEST.NJIT.EDU
default@GWTEST.NJIT.EDU
admin@GWTEST.NJIT.EDU
kadmin/admin@GWTEST.NJIT.EDU
changepw/kerberos@GWTEST.NJIT.EDU
kadmin/changepw@GWTEST.NJIT.EDU
krbtgt/GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
afs@GWTEST.NJIT.EDU
pts createuser admin 1 gwtest.njit.edu -noauth
pts addu admin system:administrators
# pts mem system:administrators -noauth
Members of system:administrators (id: -204) are:
admin
___________________________________________________
Ok, here we go --
> kinit admin
admin@GWTEST.NJIT.EDU's Password:
> klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: admin@GWTEST.NJIT.EDU
Issued Expires Principal
Sep 25 12:30:09 Sep 25 22:30:09 krbtgt/GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
Sep 25 12:30:09 Sep 25 22:30:09 krbtgt/GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
Sep 25 12:30:49 Sep 25 22:30:09 afs@GWTEST.NJIT.EDU
V4-ticket file: /tmp/tkt1001
Principal: admin@GWTEST.NJIT.EDU
Issued Expires Principal
Sep 25 12:30:09 Sep 25 22:30:09 krbtgt.GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
> tokens
Tokens held by the Cache Manager:
User's (AFS ID 1001) tokens for afs@gwtest.njit.edu [Expires Sep 25 22:30]
--End of list--
Here is the question --
Why does the AFS ID show 1001 when I run tokens? Interestingly, the
permissions are correct.
For example --
> bos listkeys -server richter.njit.edu
key 2 has cksum 877072873
Keys last changed on Thu Sep 25 09:53:01 2003.
All done.
If I unlog and kinit as another user without administrative privileges --
> kdestroy
> unlog
> kinit moshe
moshe@GWTEST.NJIT.EDU's Password:
> klist
Credentials cache: FILE:/tmp/krb5cc_1001
Principal: moshe@GWTEST.NJIT.EDU
Issued Expires Principal
Sep 25 12:41:49 Sep 25 22:41:49 krbtgt/GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
Sep 25 12:41:49 Sep 25 22:41:49 krbtgt/GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
Sep 25 12:42:29 Sep 25 22:41:49 afs@GWTEST.NJIT.EDU
V4-ticket file: /tmp/tkt1001
Principal: moshe@GWTEST.NJIT.EDU
Issued Expires Principal
Sep 25 12:41:49 Sep 25 22:41:49 krbtgt.GWTEST.NJIT.EDU@GWTEST.NJIT.EDU
> tokens
Tokens held by the Cache Manager:
User's (AFS ID 1001) tokens for afs@gwtest.njit.edu [Expires Sep 25 22:42]
--End of list--
> bos listkeys -server richter.njit.edu
bos: you are not authorized for this operation error encountered while listing keys
The AFS ID is the same, 1001, while the permissions are correct.
What am I doing wrong??
_________________________________________________________________
Gedaliah Wolosh, Ph.D.
Manager Computing Resources - CCS
New Jersey Institute of Technology Office 973 596-5437
323 King Blvd GITC 2203 Fax 973 642-4761
Newark, NJ 07102 Email gwolosh@njit.edu
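As an added example (not part of the original post, and not OpenAFS or Heimdal code), a small Python parser for the on-disk OpenAFS KeyFile that `ktutil copy ... AFSKEYFILE:/usr/afs/etc/KeyFile` writes: a 4-byte big-endian key count followed by one record of 4-byte big-endian kvno plus 8-byte DES key per key, which is why the file listed above is exactly 16 bytes and `bos listkeys` reports a single key 2. The sample key bytes are constructed; the parity check is a generic sanity check on DES key bytes (every byte must have odd parity), not an OpenAFS command.

```python
import struct

KEY_LEN = 8  # single-DES key, as used by the des-cbc-* keytab entries

def parse_keyfile(data: bytes) -> list[tuple[int, bytes]]:
    """Parse an OpenAFS KeyFile: '!i' key count, then ('!i' kvno, 8-byte key) records.
    Raises ValueError when the byte count does not match the declared key count."""
    if len(data) < 4:
        raise ValueError("KeyFile too short to hold a key count")
    (nkeys,) = struct.unpack("!i", data[:4])
    expected = 4 + nkeys * (4 + KEY_LEN)
    if nkeys < 0 or len(data) != expected:
        raise ValueError(
            f"KeyFile is {len(data)} bytes, expected {expected} for {nkeys} key(s)")
    keys = []
    off = 4
    for _ in range(nkeys):
        (kvno,) = struct.unpack("!i", data[off:off + 4])
        keys.append((kvno, data[off + 4:off + 4 + KEY_LEN]))
        off += 4 + KEY_LEN
    return keys

def build_keyfile(keys: list[tuple[int, bytes]]) -> bytes:
    """Inverse of parse_keyfile; handy for checking a converted file byte for byte."""
    body = b"".join(struct.pack("!i", kvno) + key for kvno, key in keys)
    return struct.pack("!i", len(keys)) + body

def has_odd_parity(key: bytes) -> bool:
    """DES keys carry odd parity in every byte; a failure here usually means the
    key bytes were truncated or re-encoded somewhere in the keytab conversion."""
    return len(key) == KEY_LEN and all(bin(b).count("1") % 2 == 1 for b in key)

def audit_keyfile(data: bytes) -> list[str]:
    """Return a list of problems; an empty list means the file parses and
    every key has valid DES parity."""
    try:
        keys = parse_keyfile(data)
    except ValueError as exc:
        return [str(exc)]
    problems = [] if keys else ["KeyFile contains no keys"]
    for kvno, key in keys:
        if not has_odd_parity(key):
            problems.append(f"key {kvno} fails the DES odd-parity check")
    return problems

# Constructed 16-byte sample: one key, kvno 2, with a well-known DES test key.
SAMPLE_KEY = bytes.fromhex("133457799bbcdff1")
SAMPLE_KEYFILE = build_keyfile([(2, SAMPLE_KEY)])

if __name__ == "__main__":
    print(len(SAMPLE_KEYFILE), parse_keyfile(SAMPLE_KEYFILE), audit_keyfile(SAMPLE_KEYFILE))
```

Reading the real file is `audit_keyfile(open("/usr/afs/etc/KeyFile", "rb").read())`; the kvno it reports should match the Vno column of `ktutil list` and the key number in `bos listkeys`.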