Hi Again,

Any suggestion will be appreciated.

Thanks
# mukarram

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mukarram Syed
Sent: Friday, May 02, 2008 3:49 PM
To: [email protected]
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

Hi Kerberos Gurus.

I have 2 servers, the problem is that when I ssh into the box on the server-notworking, I get both the .k5 and .k4 tickets:

server-notworking > klist
Ticket cache: FILE:/tmp/krb5cc_39728_T16049
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/[EMAIL PROTECTED]
05/02/08 15:18:47  05/03/08 16:18:45  afs/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt39728_16049
Principal: [EMAIL PROTECTED]

Issued             Expires            Principal
05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]
05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]

But on the server that's working, I only get the k5 tickets:

server-working > klist
Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/[EMAIL PROTECTED]
05/02/08 15:27:27  05/03/08 01:27:25  afs/[EMAIL PROTECTED]

Kerberos 4 ticket cache: /tmp/tkt39728
Principal: [EMAIL PROTECTED]

Issued             Expires            Principal
04/30/08 23:42:56  05/02/08 01:09:17  [EMAIL PROTECTED]

The only difference that I can see between the two klist command outputs is:

05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]

What is this?

Below is a comparison of the two servers. I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the server-notworking. I don't think this will make a difference because I have already tried this on another server. I can't upgrade the kernel though to match the server that is working. The server that is not working is an actively used server.

Also if I remove the .klogin file in my home directory on the server-notworking, I can't login to this box.
I need both .klogin and .k5login files, otherwise I get a permission denied message when ssh'ing in. I don't have the .klogin file on the server that is working, only the .k5login file.

Please advise. Thanks for your help.

Regards
# mukarram syed

SYSTEM INFO
server-notworking                             server-working
2.4.21-27.0.2.ELsmp                           2.4.21-50.ELsmp
Red Hat Enterprise Linux AS release 3         Red Hat Enterprise Linux AS release 3
(Taroon Update 4)                             (Taroon Update 9)

STATUS
Not getting the afs tokens without            Fully Functional. NO aklog -setpag
the aklog -setpag option in the               option set.
shell startup scripts.
Need .klogin and .k5login to be able
to SSH. SSH won't work without
.klogin file.

OPENAFS RPMS
openafs-1.4.2-1.1                             openafs-1.4.2-1.1
openafs-client-1.4.2-1.1                      openafs-client-1.4.2-1.1
openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1   openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
openafs-kernel-source-1.4.2-1.1               openafs-kernel-source-1.4.2-1.1
openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1

KRB5 RPMS
krb5-devel-1.2.7-42                           krb5-devel-1.2.7-64
krb5-libs-1.2.7-42                            krb5-libs-1.2.7-64
krb5-SU-1.4.3-12.EL3                          krb5-SU-1.4.4-4.EL3
openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1
pam_krb5-SU-3.8-1.EL3                         pam_krb5-SU-3.8-1.EL3

PAM RPMS
pam-0.75-62                                   pam-0.75-72
pam-afs-session-1.5-1.EL3                     pam-afs-session-1.5-1.EL3
pam-devel-0.75-62                             pam_ccreds-3-3.rhel3.2
pam_krb5-SU-3.8-1.EL3                         pam-devel-0.75-72
pam_passwdqc-0.7.5-1                          pam_krb5-SU-3.8-1.EL3
pam_smb-1.1.7-1                               pam_passwdqc-0.7.5-1
                                              pam_smb-1.1.7-1

IMPORTANT FILES: CKSUMS/SIZES
782515666 1077 /etc/pam.d/system-auth         782515666 1077 /etc/pam.d/system-auth
292550411 160 /etc/krb.conf                   292550411 160 /etc/krb.conf
2006343950 4385 /etc/krb5.conf                3826595545 4386 /etc/krb5.conf
3068285566 267416 /usr/bin/aklog              1302602016 267416 /usr/bin/aklog
1323949453 19 /usr/vice/etc/CellAlias         1323949453 19 /usr/vice/etc/CellAlias
3556331601 16 /usr/vice/etc/ThisCell          3556331601 16 /usr/vice/etc/ThisCell
1399150640 446 /usr/vice/etc/CellServDB       514410920 208 /usr/vice/etc/CellServDB

Also in the /etc/ssh/sshd_config file the only differences are (if I change it to no on the server-notworking, I can't SSH, I get Permission denied errors):

KerberosAuthentication yes                    KerberosAuthentication no
KerberosOrLocalPasswd yes                     KerberosOrLocalPasswd no
KerberosTicketCleanup yes                     KerberosTicketCleanup no

SSH RPMS
openssh-3.6.1p2-33.30.3                       openssh-3.6.1p2-33.30.14
openssh-clients-3.6.1p2-33.30.3               openssh-askpass-3.6.1p2-33.30.14
openssh-server-3.6.1p2-33.30.3                openssh-askpass-gnome-3.6.1p2-33.30.14
                                              openssh-clients-3.6.1p2-33.30.14
                                              openssh-server-3.6.1p2-33.30.14

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
