may not have seen it, I have run out of things to try to get
kinit to get k4 tgt's to work. That is why I was asking for the Red Hat Source the other day to see if there may be some issue with our
source. I have tried kinit to port 750 and 88 with no luck. Probably
not related but when the kas server starts on our Red Hat Linux,
it reports this in the /usr/afs/logs/AuthLog:
kerberos4/udp port=60930
kerberos5/udp port=22528
.unc.edu cell database.
Fri Feb 18 12:10:08 2005 Using level crypt for Ubik connections.
Fri Feb 18 12:10:09 2005 Using 152.2.128.4 as my primary address
Fri Feb 18 12:10:09 2005 Starting to process AuthServer requests
Starting to listen for UDP packets
start 5 min check lwp
The Suns that used to work reported this:
kerberos4/udp port=750
kerberos5/udp port=88
om cs.unc.edu cell database.
Tue Feb 8 08:11:14 2005 Using level crypt for Ubik connections.
Tue Feb 8 08:11:14 2005 Using 152.2.128.8 as my primary address
Tue Feb 8 08:11:15 2005 Starting to process AuthServer requests
Starting to listen for UDP packets
start 5 min check lwp
The auth requests are getting through to both port 88 and 750.
I cranked up debugging on the kaserver with "kill -TSTP", and it shows the following whether I give it a good passwd or a bad passwd:
Fri Feb 18 10:43:22 2005 sopko,krbtgt.CS.UNC.EDU:auth from d810298
Also I get the same response as shown below from tcpdump if I type in the good passwd or a bad passwd.
-------- Original Message --------
Subject: [OpenAFS] kaserver sun to linux db auth issue
Date: Thu, 17 Feb 2005 13:52:06 -0500
From: John W. Sopko Jr. <[EMAIL PROTECTED]>
To: [email protected]

We were running 2 Sun Solaris boxes and 3 Red Hat Enterprise Linux boxes all running OpenAFS 1.2.13 as db servers. One of the Sun boxes was the lowest IP address and was always the sync site for the databases. We removed both Suns as db servers (we are in the process of retiring them). When the lowest IP address Linux box became the lowest IP address it became the sync site.

Most everything works fine except for one strange problem that has to do with using kinit to get krb4 style tickets. We are running the standard kaserver that comes with OpenAFS. The OpenAFS klog and klog.krb commands and the pam libraries work fine as well as the Windows clients. We have some systems that use kinit to get k4 tgt's so they can authenticate under MacOSX 10 and this broke when the Linux db servers took over for authentication. As I mentioned the Suns and the Linux boxes were both running OpenAFS 1.2.13.

My question is: Are there any settings/options, compile flags, etc. to support k4 authentication that I can try? I did a "configure --help" and looked through the source files as well as for options in the Red Hat spec file that is used to build the binaries and did not see any options for this.

It appears the lowest IP address always does the kerberos authentication. I used tcpdump on the client and server and ran kinit to get a v4 ticket from a Linux client. The kinit request is getting answered on kerberos/port 88 on the kaserver. The request is going through but from Linux and MacOSX you get password incorrect. Here is some info that may help:
AFS kaserver/host quail tcpdump output:
# tcpdump host lark and \(port 7004 or port 750 or port 88\)
tcpdump: listening on eth0
13:16:03.468925 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos: v4 le KDC_REQUEST: [EMAIL PROTECTED] 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.482043 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354: v4 be KDC_REPLY: sopko.@ (104) (DF)
kinit client/host lark tcpdump output:
tcpdump port 7004 or port 750 or port 88
tcpdump: listening on eth0
13:16:03.468500 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos: v4 le KDC_REQUEST: [EMAIL PROTECTED] 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.481773 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354: v4 be KDC_REPLY: sopko.@ (104) (DF)
kinit client failed command output:
% kinit -4 sopko
Password for [EMAIL PROTECTED]:
kinit(v4): Password incorrect

--
John W. Sopko Jr.
University of North Carolina
email: sopko AT cs.unc.edu
Computer Science Dept., CB 3175
Phone: 919-962-1844
Sitterson Hall; Room 044
Fax: 919-962-1799
Chapel Hill, NC 27599-3175
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
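Added example, not part of the original messages: the two AuthLog startup lines quoted in the thread differ in their port numbers, and 60930 and 22528 are 750 and 88 with their two bytes reversed. The Python sketch below (function names are this example's own; the sample lines are copied from the post) checks logged ports against the Kerberos ports the post tried, 750 and 88. Reading a swapped value as a network-byte-order number printed on a little-endian host is an assumption, not something the thread confirms.

```python
import re
import struct

# Kerberos ports named in the post: kinit was tried against 750 and 88.
WELL_KNOWN = {"kerberos4/udp": 750, "kerberos5/udp": 88}

PORT_RE = re.compile(r"(kerberos[45]/udp) port=(\d+)")

# Port lines copied from the two AuthLog excerpts in the post.
LINUX_LOG = "kerberos4/udp port=60930 kerberos5/udp port=22528"
SUN_LOG = "kerberos4/udp port=750 kerberos5/udp port=88"


def swap16(value):
    """Reverse the two bytes of a 16-bit port number."""
    return struct.unpack("<H", struct.pack(">H", value))[0]


def classify_ports(log_text):
    """Map each service to (logged value, verdict, port after correction)."""
    results = {}
    for service, raw in PORT_RE.findall(log_text):
        logged = int(raw)
        expected = WELL_KNOWN[service]
        if logged == expected:
            results[service] = (logged, "host-order", logged)
        elif logged <= 0xFFFF and swap16(logged) == expected:
            # Assumption: the log printed the network-order value unconverted,
            # so the number is a display artifact, not the listening port.
            results[service] = (logged, "byte-swapped", swap16(logged))
        else:
            results[service] = (logged, "unexpected", None)
    return results


if __name__ == "__main__":
    for name, text in (("linux", LINUX_LOG), ("sun", SUN_LOG)):
        for service, (logged, verdict, port) in classify_ports(text).items():
            print(f"{name:5} {service}: logged={logged} {verdict} -> {port}")
```

A "byte-swapped" verdict for both services matches the post's observation that requests still reach ports 88 and 750 on the Linux server.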
