Jason Edgecombe <[EMAIL PROTECTED]> writes:

> We're planning on turning off the kaserver in our AFS server in favor of
> kerberos 5, but I need to know which users have authenticated using the
> kaserver instead of kerberos 5. I would like the IP address as well.

> I've looked in /usr/afs/logs/AuthLog on my test DB server, but user
> authentications don't seem to be logged.

> How can I enable logging of user authentications through kas similar to
> the logs generated by our Kerberos 5 server?

Unfortunately, this is really annoying.  You can run kaserver with the -debug
flag, which produces a separate text log containing the usernames.  However,
that log won't show TGT requests, and it prints IP addresses in hex, unless
you also apply the following patch to kaserver.

--- openafs-1.4.1/src/kauth/kalog.c.orig        2003-07-15 16:15:16.000000000 
-0700
+++ openafs-1.4.1/src/kauth/kalog.c     2006-06-23 08:40:58.000000000 -0700
@@ -38,6 +38,9 @@
 #include <time.h>
 #include <signal.h>
 #include <assert.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
 #include <afs/afsutil.h>
 #include "kauth.h"
 #include "kalog.h"
@@ -67,6 +70,7 @@
     char keybuf[512];          /* not random! 63 . 63 , 63 . 63 max key */
     datum key, data;
     kalog_elt rdata;
+    struct in_addr in;
 
     if (!kalog_db)
        return;
@@ -115,6 +119,9 @@
     case LOG_GETTICKET:
        strcat(keybuf, ":gtck");
        break;
+    case LOG_TGTREQUEST:
+       strcat(keybuf, ":tgtreq");
+       break;
     default:
        break;
     }
@@ -128,7 +135,8 @@
 
     dbm_store(kalog_db, key, data, DBM_REPLACE);
 
-    ViceLog(verbose_track, ("%s from %x\n", keybuf, hostaddr));
+    in.s_addr = hostaddr;
+    ViceLog(verbose_track, ("%s from %s\n", keybuf, inet_ntoa(in)));
 }
 
 
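Review bot: The new `ViceLog(verbose_track, ("%s from %s\n", keybuf, inet_ntoa(in)))` line formats the address through inet_ntoa(), which returns a pointer to a static buffer and so is not reentrant; the identical pattern appears in the second function's hunk on the `logbuf` line. If kaserver only ever formats one address at a time this is harmless, but since the patch already adds `<arpa/inet.h>`, a local buffer removes the question where inet_ntop() is available: `char addr[INET_ADDRSTRLEN]; if (!inet_ntop(AF_INET, &in, addr, sizeof addr)) strcpy(addr, "?"); ViceLog(verbose_track, ("%s from %s\n", keybuf, addr));`. It would also help to note why the conversion is correct, since the old `%x` printed the same value as a host-order integer: `/* hostaddr is a network-byte-order s_addr (see krb_udp.c), which is what inet_ntoa/inet_ntop expect */`. The enclosing function starts outside this hunk.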
@@ -141,6 +149,7 @@
        char *realm, int hostaddr, int type)
 {
     char logbuf[512];          /* not random! 63 . 63 , 63 . 63 max key */
+    struct in_addr in;
 
     if (*principal)
        strcpy(logbuf, principal);
@@ -187,9 +196,13 @@
     case LOG_GETTICKET:
        strcat(logbuf, ":gtck");
        break;
+    case LOG_TGTREQUEST:
+       strcat(logbuf, ":tgtreq");
+       break;
     default:
        break;
     }
 
-    ViceLog(verbose_track, ("%s from %x\n", logbuf, hostaddr));
+    in.s_addr = hostaddr;
+    ViceLog(verbose_track, ("%s from %s\n", logbuf, inet_ntoa(in)));
 }
--- openafs-1.4.1/src/kauth/kalog.h.orig        2000-11-04 02:04:38.000000000 
-0800
+++ openafs-1.4.1/src/kauth/kalog.h     2006-06-23 08:20:22.000000000 -0700
@@ -27,6 +27,7 @@
 #define        LOG_SETFIELDS           5
 #define        LOG_UNLOCK              6
 #define        LOG_AUTHFAILED          7
+#define LOG_TGTREQUEST          8
 
 #ifdef AUTH_DBM_LOG
 #ifdef AFS_LINUX20_ENV
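Review bot: The added `#define LOG_TGTREQUEST          8` separates the macro name from `#define` with a space, while the neighbouring lines (`#define<TAB>LOG_AUTHFAILED ...`) use a tab, so the name column no longer lines up in editors that render tabs at the file's width. Matching the neighbours' tab separation keeps the table readable; the value 8 itself is fine, as it does not collide with the existing 0–7 codes visible here.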
--- openafs-1.4.1/src/kauth/krb_udp.c.orig      2003-12-07 14:49:27.000000000 
-0800
+++ openafs-1.4.1/src/kauth/krb_udp.c   2006-06-23 08:46:14.000000000 -0700
@@ -399,6 +399,12 @@
     }
     KALOG(name, inst, sname, sinst, NULL, client->sin_addr.s_addr,
          LOG_AUTHENTICATE);
+
+    /* STANFORD: Also log tgt requests. */
+    if (cipherLen != 0) {
+       KALOG(name, inst, sname, sinst, NULL, client->sin_addr.s_addr,
+             LOG_TGTREQUEST);
+    }
     osi_audit(UDPAuthenticateEvent, 0, AUD_STR, name, AUD_STR, inst, AUD_END);
     return 0;
 
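Review bot: A TGT request now produces two KALOG records — the unconditional `KALOG(..., LOG_AUTHENTICATE)` just above and the new `KALOG(..., LOG_TGTREQUEST)` when `cipherLen != 0` — so anyone counting authentications per user from this log (the poster's stated goal) will count each TGT request twice. If the intent is to classify the request rather than add a second entry, the two calls could be folded into one: `KALOG(name, inst, sname, sinst, NULL, client->sin_addr.s_addr, cipherLen != 0 ? LOG_TGTREQUEST : LOG_AUTHENTICATE);`; if the existing `:auth` count is relied on elsewhere, a comment saying so would explain why both are emitted. The hunk does not show why a non-zero `cipherLen` identifies a TGT request, so the new comment should state that, e.g. `/* STANFORD: a non-zero cipherLen means <what it indicates here>; log TGT requests separately so they can be found in the track log. */`. The osi_audit() call that follows still reports only UDPAuthenticateEvent for both paths, which may be intended but is worth a note. The enclosing handler starts outside this hunk.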
-- 
Russ Allbery ([EMAIL PROTECTED])             <http://www.eyrie.org/~eagle/>
