[Netatalk-devel] Kerberos authentication

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

hello all,

so now I'm writing to the devel-list as Thomas Kaiser suggested. Hope,
Sam will read this now :)

the back story: I was trying to get kerberos authentication working on
my FreeBSD 5.2.1 box. I managed to get the port built with kerberos
support and the afpd.conf is changed to use kerberos uam. All fine.

Now, when I try to connect from a client it starts with the Kerberos
authenticator and gives me the key, but then it brings up the dialogue
saying "A connection error has occured".

the logfile says:
- client thinks user is philon
- importing name
- acquiring credentials (uid = 0, keytab = /etc/krb5.keytab)
- No principal in keytab matches desired name

what does it look for in the keytab?

I can kinit from the server-box without a problem. A tcpdump brings up
that no connection to the kdc is started/even tried.

so where's the bug?

regards,
Philon

--
log:
Oct 22 16:00:11 afpd[82953][afp_config.c:379]: I:AFPDaemon: ASIP started
on 192.168.0.9:548(7) (2.0.0)
Okt 22 16:01:26 afpd[82953][afp_config.c:434]: E:AFPDaemon:
DSIConfigInit: Error registering
afp://fileserver.bodysplit.sw:548/?NAME=Fileserver with SRVLOC
Okt 22 16:01:26 afpd[82953][auth.c:1012]: D5:AFPDaemon: uam: loading
(/usr/local/etc/netatalk/uams/uams_dhx.so)
Okt 22 16:01:26 afpd[82953][auth.c:1019]: I:AFPDaemon: uam: uams_dhx.so
loaded
Okt 22 16:01:26 afpd[82953][auth.c:1012]: D5:AFPDaemon: uam: loading
(/usr/local/etc/netatalk/uams/uams_gss.so)
Okt 22 16:01:26 afpd[82953][auth.c:1019]: I:AFPDaemon: uam: uams_gss.so
loaded
Okt 22 16:01:26 afpd[82953][auth.c:130]: I:AFPDaemon: uam: "Client Krb
v2" available
Okt 22 16:01:26 afpd[82953][auth.c:130]: I:AFPDaemon: uam: "DHCAST128"
available
Okt 22 16:01:26 afpd[82953][afp_config.c:578]: D5:AFPDaemon: Finished
parsing Config File
Okt 22 16:01:26 afpd[82953][server_child.c:365]: I:Default:
server_child[1] 82956 exited 1
Okt 22 16:01:26 afpd[82957][dsi_tcp.c:208]: I:Default: ASIP
session:548(7) from 192.168.0.5:50499(9)
Okt 22 16:01:26 afpd[82953][server_child.c:368]: I:Default:
server_child[1] 82957 done
Okt 22 16:01:27 afpd[82958][dsi_tcp.c:208]: I:Default: ASIP
session:548(7) from 192.168.0.5:50500(9)
Okt 22 16:01:28 afpd[82958][uams_gss.c:361]: I:UAMSDaemon: uams_gss.c
:LoginCont: client thinks user is philon
Okt 22 16:01:28 afpd[82958][uams_gss.c:148]: D5:UAMSDaemon: uams_gss.c
:do_gss_auth: importing name
Okt 22 16:01:28 afpd[82958][uams_gss.c:159]: D5:UAMSDaemon: uams_gss.c
:do_gss_auth: acquiring credentials (uid = 0, keytab = /etc/krb5.keytab)
Okt 22 16:01:28 afpd[82958][uams_gss.c:82]: I:UAMSDaemon: uams_gss.c
:do_gss_auth: acquire_cred Miscellaneous failure (error Bad address)
Okt 22 16:01:28 afpd[82958][uams_gss.c:93]: I:UAMSDaemon: uams_gss.c
:do_gss_auth: acquire_cred No principal in keytab matches desired name
(error Bad address)
Okt 22 16:01:28 afpd[82958][uams_gss.c:390]: I:UAMSDaemon: do_gss_auth
failed

/etc/krb5.keytab:

Vno  Type              Principal
   3  des3-cbc-sha1     host/penguin.local.domain@MYSTIC.LOCAL.DOMAIN 

   3  arcfour-hmac-md5  host/penguin.local.domain@MYSTIC.LOCAL.DOMAIN 

   3  des-cbc-crc       host/penguin.local.domain@MYSTIC.LOCAL.DOMAIN 

   3  des3-cbc-sha1 
afpserver/fileserver.local.domain@MYSTIC.LOCAL.DOMAIN
   3  arcfour-hmac-md5 
afpserver/fileserver.local.domain@MYSTIC.LOCAL.DOMAIN
   3  des-cbc-crc 
afpserver/fileserver.local.domain@MYSTIC.LOCAL.DOMAIN

MYSTIC is my OSX-server and KDC
Penguin is my unixbox
fileserver is the ipalias running netatalk

afpd.conf:
"Fileserver" -ipaddr 192.168.0.9 -uamlist uams_dhx.so,uams_gss.so 
-nosavepassword -uampath /usr/local/etc/netatalk/uams -icon 
-nosetpassword -advertise_ssh -fqdn fileserver.local.domain:548 -noddp 
-tcp -k5service afpserver -k5realm MYSTIC.LOCAL.DOMAIN -k5keytab 
/etc/krb5.keytab -setuplog "default log_maxdebug /var/log/netatalk.log"