
Hi George,

I think the problem here is that the principal name cannot be mapped to a 
local account (i.e. what's in your passwd file or equivalent). So, the 
ticket is validated, the client's Kerberos name is OK but there is no 
corresponding account on that machine.

Andy

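An added illustration, not part of Andy's or George's messages: a small Python emulation of how MIT krb5 evaluates auth_to_local entries (configured per realm in the [realms] section of krb5.conf), which is the mapping krb5_aname_to_localname performs before it reports "No translation available". The principal cta-adm/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK and the RULE in FIX_RULES are constructed, since the thread masks the real principal.

```python
import re

# Constructed values: the thread masks the real principal, so this is an
# illustrative two-component service principal in the realm the thread names.
DEFAULT_REALM = "FED.CCLRC.AC.UK"
PRINCIPAL = "cta-adm/cta-adm.scd.rl.ac.uk@FED.CCLRC.AC.UK"

def apply_rule(rule, princ, default_realm=DEFAULT_REALM):
    """One auth_to_local entry (DEFAULT or RULE:[n:string](regexp)s/a/b/g) -> name or None."""
    name, _, realm = princ.rpartition("@")
    comps = name.split("/")
    if rule == "DEFAULT":
        # Only a single-component principal in the default realm maps to itself.
        return comps[0] if realm == default_realm and len(comps) == 1 else None
    close = rule.index("]")
    ncomp, fmt = rule[len("RULE:["):close].split(":", 1)
    if int(ncomp) != len(comps):
        return None                                  # component count mismatch
    candidate = fmt.replace("$0", realm)             # $0 = realm, $1.. = components
    for i, comp in enumerate(comps, 1):
        candidate = candidate.replace(f"${i}", comp)
    rest = rule[close + 1:]
    if rest.startswith("("):                         # optional selector regexp
        depth = 0
        for j, ch in enumerate(rest):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                break
        if not re.fullmatch(rest[1:j], candidate):   # MIT needs a whole-string match
            return None
        rest = rest[j + 1:]
    # Optional sed-style substitutions, applied in order; trailing g = replace all
    for pat, repl, flag in re.findall(r"s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)", rest):
        candidate = re.sub(pat, repl, candidate, count=0 if flag else 1)
    return candidate

def aname_to_localname(princ, rules=None, default_realm=DEFAULT_REALM):
    """First applicable entry wins, as MIT walks the realm's auth_to_local list;
    None is KRB5_LNAME_NOTRANS, logged as 'No translation available for requested principal'."""
    for rule in rules or ["DEFAULT"]:
        local = apply_rule(rule, princ, default_realm)
        if local is not None:
            return local
    return None

# With no rules the two-component principal gets no translation (the thread's error);
# a RULE that strips the instance and realm maps it to a local account named cta-adm.
FIX_RULES = [r"RULE:[2:$1/$2@$0](cta-adm/.*@FED\.CCLRC\.AC\.UK)s/\/.*//", "DEFAULT"]
print(aname_to_localname(PRINCIPAL), aname_to_localname(PRINCIPAL, FIX_RULES))  # prints: None cta-adm
```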

On Fri, 14 May 2021, George Patargias - STFC UKRI wrote:

> Hello Andy,
>
> Thanks for the suggestion. I do have translation entries in the
> [domain_realm] section of /etc/krb5.conf for all the hosts.  Even after
> adding the exact hostname (cta-front01.scd.rl.ac.uk = FED.CCLRC.AC.UK)
> I still get the same error.
>
> I was wondering whether the code I mentioned (from
> XrdSeckrb5/XrdSecProtocolkrb5.cc) expects something other than a
> hostname to parse.
>
> George
> ________________________________
> From: Andrew Hanushevsky <[log in to unmask]>
> Sent: 13 May 2021 20:08
> To: Patargias, George (STFC,RAL,SC) <[log in to unmask]>
> Cc: xrootd-l <[log in to unmask]>
> Subject: Re: XrootdXeq: User authentication failed, Seckrb5: Unable to extract client name
>
> Hi George,
>
> This seems to be a krb5 config issue as described in the MIT
> documentation:
>
> https://web.mit.edu/kerberos/krb5-1.12/doc/admin/conf_files/krb5_conf.html
>
> That is, it cannot map the host name to the Kerberos realm. They provide
> some guidance in that document. Search for "no translation".
>
> Andy
>
> On Thu, 13 May 2021, George Patargias - STFC UKRI wrote:
>
>> Hello,
>>
>> I have problems setting krb5 auth with an xrootd service. The following user principal
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>   3 01/01/70 01:00:00 [log in to unmask]
>>
>> obtains the ticket-granting ticket (krbtgt) by doing: kinit -kt ./cta-adm-HOST.keytab [log in to unmask]
>>
>> and then issues admin commands on a host called cta-adm.scd.rl.ac.uk and these commands need to be authorised by an
>> XRootD service (the XRootD instance name is cta  and the systemd name is cta-frontend.service) running on another host
>> called cta-front01.scd.rl.ac.uk. The krb5 auth for this service is configured as
>>
>> sec.protocol krb5 /etc/cta/cta-frontend.krb5.keytab [log in to unmask]
>> sec.protbind * only sss krb5
>>
>> where the contents of /etc/cta/cta-frontend.krb5.keytab are
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>   3 01/01/70 01:00:00 [log in to unmask]
>>
>> However, any attempt to issue admin commands results in the following error in the xrootd log of this cta service
>>
>> 210513 13:58:45 32387 XrootdXeq: User authentication failed; Seckrb5: Unable to extract client name;; No translation available for requested principal ([log in to unmask])
>>
>> This is thrown by this part of the code in XrdSeckrb5/XrdSecProtocolkrb5.cc
>>
>> // Decode the credentials and extract client's name
>> //
>>   if (!rc)
>>      {if ((rc = krb5_rd_req(krb_context, &AuthContext, &inbuf,
>>                            (krb5_const_principal)krb_principal,
>>                             krb_keytab, NULL, &Ticket)))
>>           iferror = (char *)"Unable to authenticate credentials;";
>>       else if ((rc = krb5_aname_to_localname(krb_context,
>>                                  Ticket->enc_part2->client,
>>                                  sizeof(CName)-1, CName)))
>>             iferror = (char *)"Unable to extract client name;";
>>      }
>>
>> Do you know what the problem is?
>>
>> Many thanks.
>>
>> George
>>
>>
>>
>> ########################################################################
>> Use REPLY-ALL to reply to list
>>
>> To unsubscribe from the XROOTD-L list, click the following link:
>> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>>
>
