problems integrating krb5 with openafs

Wes Chow wes at woahnelly.net
Wed Aug 11 10:50:10 EDT 2004


I have a working krb5 installation going (1.3.4 for the kdc, some
clients are 1.2.4 from Debian stable), as well as a working
installation of OpenAFS (1.2.11, using the Debian "stable" packages on
the openafs.org site).  I can't get the two to interoperate nicely.

After a "telnet -axF host" command, I'd like aklog to be run
automatically. As I understand it, the kerberized telnetd program
should automatically run login.krb5, which in turn should attempt to
run aklog.  My problem is that it isn't.

After much man page reading and googling, I added to host's krb5.conf
file:

[login]
       krb5_get_tickets = true
       krb4_get_tickets = true
       krb4_run_aklog = true
       aklog_path = /usr/bin/aklog


(BTW, the man page says to use "krb_run_aklog = true", but the source
file in appl/bsd/login.c says to use "krb4_run_aklog" -- that was a
pain to discover)

When I ran login.krb5, it complained that it couldn't connect to the
KDC (forgot what the exact error message was).  I fixed that by
running krb5kdc with "-4 full", and it now connects.  However, it
fails to acquire krb4 tickets.

In appl/bsd/login.c, there's a function called try_krb4 with the
following code:


    krbval = krb_get_pw_in_tkt(username, "", realm,
			       "krbtgt", realm, 
			       DEFAULT_TKT_LIFE,
			       user_pwstring);

    switch (krbval) {
    case INTK_OK:
	kpass_ok = 1;
	krbflag = 1;
	strncpy(tkfile, tkt_string(), sizeof(tkfile));
	tkfile[sizeof(tkfile) - 1] = '\0';
	break;
	/* These errors should be silent */
	/* So the Kerberos database can't be probed */
    case KDC_NULL_KEY:
    case KDC_PR_UNKNOWN:
    case INTK_BADPW:
    case KDC_PR_N_UNIQUE:
    case -1:
	break;
#if 0 /* I want to see where INTK_W_NOTALL comes from before letting
	 kpass_ok be set in that case.  KR  */
	/* These should be printed but are not fatal */
    case INTK_W_NOTALL:
	krbflag = 1;
	kpass_ok = 1;
	fprintf(stderr, "Kerberos error: %s\n",
		krb_get_err_text(krbval));
	break;
#endif
    default:
	fprintf(stderr, "Kerberos error: %s\n",
		krb_get_err_text(krbval));
	break;
    }
    got_v4_tickets = kpass_ok;



kpass_ok is returning INTK_BADPW, so got_v4_tickets == 0.  (The
username and realm are set correctly.)

afs_login then requires got_v4_tickets and login_krb_run_aklog to be
nonzero:

    if (got_v4_tickets && login_krb_run_aklog) {
	/* KPROGDIR is $(prefix)/bin */
	char aklog_path[MAXPATHLEN];
	struct stat st;
	/* construct the name */
	/* get this from profile later */
	aklog_path[sizeof(aklog_path) - 1] = '\0';
	strncpy (aklog_path, KPROGDIR, sizeof(aklog_path) - 1);
	strncat (aklog_path, "/aklog", sizeof(aklog_path) - 1 - strlen(aklog_path));
	/* only run it if we can find it */
	if (stat (aklog_path, &st) == 0) {
	    system(aklog_path);
	}
    }


As a result, aklog doesn't get run.

I have a couple of questions.  The first is, am I possibly missing some
sort of configuration for my kdc that will allow this to work?

The second question is, why is got_v4_tickets a requirement to run
aklog?  I know that AFS was designed around a krb V4 draft, but isn't
V5->V4 ticket conversion aklog's job?  If I change the "if" statement
in afs_login to require only login_krb_run_aklog, login.krb5 works as
expected.

Thanks.

Wes

-- 
http://www.woahnelly.net/~wes/          OpenPGP key = 0xA5CA6644
fingerprint = FDE5 21D8 9D8B 386F 128F  DF52 3F52 D582 A5CA 6644
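As an added example (not part of the post above and not code from the MIT krb5 or OpenAFS sources), the following parses the [login] stanza of a krb5.conf and reports the relations that login.krb5's afs_login path depends on, including the man-page versus login.c spelling mismatch (krb_run_aklog vs krb4_run_aklog) described in the post. The sample krb5.conf is constructed; the path-existence check is injectable so it runs offline.

```python
import os
import re

# Constructed sample krb5.conf: the stanza from the post, but written
# with the man-page spelling of the aklog relation for contrast.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = EXAMPLE.COM

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }

[login]
    krb5_get_tickets = true
    krb4_get_tickets = true
    krb_run_aklog = true
    aklog_path = /usr/bin/aklog
"""

def parse_krb5_conf(text):
    """Return {section: {relation: value}} for the flat 'key = value'
    relations of a krb5.conf; nested { ... } subsections are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, 1)[0].strip()   # drop comments
        if not line:
            continue
        m = re.match(r'^\[(\w+)\]$', line)
        if m:                                          # new section
            current, depth = m.group(1), 0
            sections.setdefault(current, {})
            continue
        depth += line.count('{') - line.count('}')     # track subsections
        if current is None or depth > 0 or '=' not in line:
            continue
        key, _, value = line.partition('=')
        sections[current][key.strip()] = value.strip()
    return sections

def check_login_stanza(conf, path_exists=os.path.exists):
    """List the [login] problems that keep login.krb5 from running aklog."""
    login = conf.get('login', {})
    findings = []
    if 'krb_run_aklog' in login and 'krb4_run_aklog' not in login:
        findings.append("'krb_run_aklog' is the man-page spelling; "
                        "login.c reads 'krb4_run_aklog'")
    if login.get('krb4_get_tickets', '').lower() != 'true':
        findings.append("krb4_get_tickets is not set to true in [login]")
    aklog = login.get('aklog_path')
    if aklog and not path_exists(aklog):
        findings.append("aklog_path %s does not exist" % aklog)
    return findings
```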

