We were running 2 Sun Solaris boxes and 3 Red Hat Enterprise Linux boxes, all running OpenAFS 1.2.13 as db servers. One of the Sun boxes had the lowest IP address and was always the sync site for the databases. We removed both Suns as db servers (we are in the process of retiring them). When the lowest IP address Linux box became the lowest IP address, it became the sync site.
Most everything works fine except for one strange problem that has to do with using kinit to get krb4 style tickets. We are running the standard kaserver that comes with OpenAFS. The OpenAFS klog and klog.krb commands and the pam libraries work fine, as well as the Windows clients. We have some systems that use kinit to get k4 TGTs so they can authenticate under MacOSX 10, and this broke when the Linux db servers took over for authentication. As I mentioned, the Suns and the Linux boxes were both running OpenAFS 1.2.13.
My question is: Are there any settings/options, compile flags, etc. to support k4 authentication that I can try? I did a "configure --help" and looked through the source files, as well as for options in the RedHat spec file that is used to build the binaries, and did not see any options for this.
It appears the lowest IP address always does the kerberos authentication. I used tcpdump on the client and server and ran kinit to get a v4 ticket from a Linux client. The kinit request is getting answered on kerberos/port 88 on the kaserver. The request is going through, but from Linux and MacOSX you get "Password incorrect". Here is some info that may help:
AFS kaserver/host quail tcpdump output:
# tcpdump host lark and \(port 7004 or port 750 or port 88\)
tcpdump: listening on eth0
13:16:03.468925 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos: v4 le KDC_REQUEST: [EMAIL PROTECTED] 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.482043 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354: v4 be KDC_REPLY: sopko.@ (104) (DF)
kinit client/host lark tcpdump output:
tcpdump port 7004 or port 750 or port 88
tcpdump: listening on eth0
13:16:03.468500 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos: v4 le KDC_REQUEST: [EMAIL PROTECTED] 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.481773 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354: v4 be KDC_REPLY: sopko.@ (104) (DF)
kinit client failed command output:
% kinit -4 sopko
Password for [EMAIL PROTECTED]:
kinit(v4): Password incorrect

--
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax: 919-962-1799               Chapel Hill, NC 27599-3175
