Coda File System

Kerberos authentication for coda client

From: Andrew Wasielewski <andrew_at_wasielewski.co.uk>
Date: Tue, 11 Mar 2014 23:41:07 +0000
Hello everyone,

At the risk of re-asking an old question, can I ask for help on setting up Kerberos authentication for the coda client?

I am running Coda 6.9.5-11 as both client and server on Fedora 20 (on different hosts), installed from the standard Fedora RPM packages.  Everything works fine using auth2 authentication.

Kerberos is installed as part of FreeIPA 3.3.4-3.  The FreeIPA and Coda servers run on the same host.  Kerberised logins and NFS work fine on FreeIPA.

I have created a service principal codaauth/server.wasielewski@WASIELEWSKI and exported the keytab file to /vice/db/krb5.keytab.  In /etc/coda/server.conf I have the following Kerberos-relevant setup:

# kerberos5service contains "%s" which will be substituted with a hostname,
# for a usual DCE setup it would be "hosts/%s/self"
kerberos5servprinc=codaauth/server.wasielewski@WASIELEWSKI
kerberos5service=host/%s/self
kerberos5realm=WASIELEWSKI
kerberos5keytab=/vice/db/krb5.keytab

If I try to clog in using Kerberos I get the following error message on the client:

[Andrew@ivanka-laptop ~]$ clog -kerberos5 codauser2@server.wasielewski
username: codauser2@server.wasielewski
krb5.c: No credentials cache found while preparing AP_REQ
kinit: Client 'Andrew@WASIELEWSKI' not found in Kerberos database while getting initial credentials
krb5.c: No credentials cache found while preparing AP_REQ
Failed to get secret for server.wasielewski
Invalid login (RPC2_FAIL (F)).

...and this in the krb5kdc.log file on the server

Mar 11 23:23:58 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: CLIENT_NOT_FOUND: Andrew@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI, Client not found in Kerberos database
(client IP address obfuscated as "aaa.bbb.ccc.ddd")

codauser2 exists as both a FreeIPA and a Coda user, and I can log in fine using normal Linux login and auth2 respectively.  Whatever options I give clog, it seems to take the Linux username and apply that as the Coda user.

If I log in as codauser2, I get some different output:

-sh-4.2$ clog -kerberos5 codauser2@server.wasielewski
username: codauser2@server.wasielewski
krb5.c: Server not found in Kerberos database while preparing AP_REQ
Password for codauser2@WASIELEWSKI: 
krb5.c: Server not found in Kerberos database while preparing AP_REQ
Failed to get secret for server.wasielewski
Invalid login (RPC2_FAIL (F)).
-sh-4.2$ ctokens
Tokens held by the Cache Manager for codauser2:
    @server.wasielewski
        Not Authenticated

...and on the server:

Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: NEEDED_PREAUTH: codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI, Additional pre-authentication required
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 tkt=18 ses=18}, codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:30:39 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database

Can anyone see where I am going wrong?  I have read about a "modular clog", but I am not clear where/how I get and use it, nor whether it is already part of the Coda client.

Thanks in advance,
Andrew
Received on 2014-03-11 19:41:20
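Added example, not code from the post above or from Coda: a small Python check for the mismatch the KDC log makes visible. The TGS_REQ lines show the client asking the KDC for host/SERVER.WASIELEWSKI@WASIELEWSKI and getting "Server not found", while the principal created and exported to /vice/db/krb5.keytab is codaauth/server.wasielewski@WASIELEWSKI. The script parses krb5kdc.log for failed service lookups, parses the keytab listing from MIT `klist -kt`, and reports whether the requested principal differs from what the keytab holds only in hostname case (Kerberos principal names are case-sensitive) or in the service name itself. The KDC lines are the ones quoted in the post with the archive's "_at_" restored to "@"; the `klist -kt` output is constructed to match the exported keytab and its KVNO and timestamp values are invented.

```python
"""Compare the service principals a KDC reports as not found (krb5kdc.log
TGS_REQ lines) with the principals present in a server keytab (`klist -kt`).

Added example, not part of Coda or the original post.  Sample inputs below are
constructed; on a real host pass the contents of the live log and keytab listing.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: KDC lines quoted in the post, with "_at_" restored to "@".
KDC_LOG = """\
Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 tkt=18 ses=18}, codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0,  codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
"""

# Constructed sample: what MIT `klist -kt /vice/db/krb5.keytab` prints for a
# keytab holding the codaauth principal from the post (KVNO/timestamps invented).
KLIST_KT = """\
Keytab name: FILE:/vice/db/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 03/11/2014 22:50:01 codaauth/server.wasielewski@WASIELEWSKI
   2 03/11/2014 22:50:01 codaauth/server.wasielewski@WASIELEWSKI
"""

# MIT krb5kdc TGS_REQ line: "<status>: authtime N, <client> for <server>[, <message>]"
TGS_RE = re.compile(
    r"TGS_REQ .*?: (?P<status>[A-Z_]+): authtime \d+,\s+"
    r"(?P<client>[^\s,]+@[^\s,]+) for (?P<server>[^\s,]+@[^\s,]+)"
    r"(?:, (?P<msg>.*))?$"
)


def split_principal(principal: str) -> Tuple[str, str, str]:
    """'service/instance@REALM' -> (service, instance, realm)."""
    name, _, realm = principal.rpartition("@")
    service, _, instance = name.partition("/")
    return service, instance, realm


def keytab_principals(klist_output: str) -> Set[str]:
    """Principals listed by `klist -kt`: data rows start with a numeric KVNO
    and end with the principal name; header and ruler lines are skipped."""
    found: Set[str] = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0].isdigit():
            found.add(fields[-1])
    return found


def failed_service_lookups(kdc_log: str) -> Dict[str, int]:
    """Service principals the KDC reported as not found, with request counts."""
    counts: Dict[str, int] = {}
    for line in kdc_log.splitlines():
        m = TGS_RE.search(line)
        if m and m.group("msg") and "not found" in m.group("msg"):
            counts[m.group("server")] = counts.get(m.group("server"), 0) + 1
    return counts


def diagnose(kdc_log: str, klist_output: str) -> List[str]:
    """Explain each failed lookup in terms of what the keytab actually holds."""
    have = keytab_principals(klist_output)
    findings: List[str] = []
    for wanted, n in sorted(failed_service_lookups(kdc_log).items()):
        if wanted in have:
            findings.append(f"{wanted}: in keytab but unknown to the KDC; keytab not from this KDC?")
            continue
        w_svc, w_inst, w_realm = split_principal(wanted)
        # Same principal, different letter case: principal names are case-sensitive.
        case_only = sorted(p for p in have if p.lower() == wanted.lower())
        # Same host and realm, but the keytab was exported for another service name.
        same_host = sorted(p for p in have
                           if split_principal(p)[2] == w_realm
                           and split_principal(p)[1].lower() == w_inst.lower()
                           and p not in case_only)
        if case_only:
            findings.append(f"{wanted} (asked {n}x): keytab has {case_only[0]}; "
                            "principal names are case-sensitive, so the hostname case must match")
        if same_host:
            svcs = ", ".join(split_principal(p)[0] for p in same_host)
            findings.append(f"{wanted} (asked {n}x): client asks for service '{w_svc}' "
                            f"but the keytab for that host was exported for '{svcs}'")
            if any(split_principal(p)[1] != w_inst for p in same_host):
                findings.append(f"{wanted}: hostname case also differs from the keytab entry")
        if not case_only and not same_host:
            findings.append(f"{wanted} (asked {n}x): no keytab entry for that host in realm {w_realm}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(KDC_LOG, KLIST_KT):
        print(finding)
```

On a live system the same check is `diagnose(open("/var/log/krb5kdc.log").read(), subprocess.check_output(["klist", "-kt", "/vice/db/krb5.keytab"], text=True))`. Whatever the keytab says, the principal the client names in its TGS_REQ must also exist in the KDC, which is why the log, not the keytab alone, is the thing to read first.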