Kevin Hill wrote:

Hi,
This is more of a kerberos question, but thought someone here might have run into this before...


We are using an older version of openssh with Simon Wilkinson's gssapi patch, and a locally maintained version of mit kerberos. We have some linux systems behind a load balancer, which are having problems getting afs tickets.

The systems behind the load balancer are configured with the external ip address client machines think they are connected to bound to a loopback device. They have a host principal for this name installed. Clients can authenticate correctly, but if they log in with an addressless ticket they are ending up with a tgt with the ip they connected to in their cache, which seems to be preventing getting an afs token. When connecting with telnet they are getting an addressless tgt and can successfully get an afs token.

Anyone seen this situation come up before or have any suggestions?



Sounds like something we had seen in 1.2.8 and fixed in 1.3.1 dealing with addressless tickets.

http://mailman.mit.edu/pipermail/krbdev/2002/000681.html

This was the 1.2.8 version, look at later versions for a better fix.

--- ,fwd_tgt.c  Fri Apr 11 13:58:14 2003
+++ fwd_tgt.c   Fri Apr 11 13:58:14 2003
@@ -103,9 +103,11 @@
        krb5_free_cred_contents (context, &in);
     }

+    if (tgt.addresses) {
     retval = krb5_os_hostaddr(context, rhost, &addrs);
     if (retval)
        goto errout;
+    }

     if ((retval = krb5_copy_principal(context, client, &creds.client)))
        goto errout;

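Review bot: with the new `if (tgt.addresses)` guard, `addrs` is never assigned on the addressless path, so whatever `addrs` is used for later in the function only behaves correctly if it was initialised (e.g. to NULL) before line 103; that initialisation is outside the hunk, so it should be confirmed or the hunk extended to show it. Two smaller points: the `---` header names the old file `,fwd_tgt.c` (a stray comma, presumably from an editor backup copy) with a timestamp identical to the new file, which should be cleaned up before the patch circulates, and the three lines now inside the braces keep their old indentation, so re-indent `retval = krb5_os_hostaddr(...)`, `if (retval)` and `goto errout;` one level to match the surrounding style.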
thanks, -kevin
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info




--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
