Windows 7 64-bit (yeah, I know...)
OpenAFS 1.5.78 64-bit
KfW 3.2.2 with latest released Secure Endpoints NIM

I can't figure out why

    aklog.exe -d -c rcf.our.org -k RCF.OUR.ORG
    Authenticating to cell rcf.our.org.
    Getting v5 tickets: afs/[email protected]
    Getting v5 tickets: [email protected]
    About to resolve name [email protected] to id
    Id 26560
    Set username to [email protected]
    Getting tokens.
    aklog.exe: ktc 7 (11862791) while obtaining tokens for
    cell rcf.our.org

...regardless of the final error, ends up generating Kerberos
packets toward our corporate AD server(s).

C:\Windows\krb5.ini is as follows:

[libdefaults]
    default_realm = RCF.OUR.ORG
    forwardable = yes
    ticket_lifetime = 7d
    renew_lifetime = 14d
    dns_lookup_realm = no
    dns_lookup_kdc = no

[appdefaults]
    forwardable = yes

[domain_realm]
    .our.org = RCF.OUR.ORG

[realms]
    RCF.MITRE.ORG = {
        kdc = rcf-kdc1.our.org
        kdc = rcf-kdc2.our.org
        kdc = rcf-kdc3.our.org
        admin_server = rcf-kdc1.our.org
        master_kdc = rcf-kdc1.our.org
}

The aklog.exe Wireshark capture from above shows the following:

    DNS 'A' query for rcf-kdc1.our.org
    response

    DNS 'A' query for rcf-kdc2.our.org
    response

    DNS 'A' query for rcf-kdc3.our.org
    response

    TGS_REQ to rcf-kdc1.our.org for afs/rcf.mitre.org
    response: "principal unknown afs/rcf.our.org" as expected,
              because we use [email protected] and it works fine.

    DNS 'A' query for rcf-kdc1.our.org
    response

    DNS 'A' query for rcf-kdc2.our.org
    response

    DNS 'A' query for rcf-kdc3.our.org
    response

    TGS_REQ to rcf-kdc1.our.org for afs/rcf.our.org
    response : "principal unknown afs/rcf.our.org" (why again?)

    DNS 'A' query for rcf-kdc1.our.org
    response

    netbios-ssn packet to 10.254.254.253 (MSLA)

    microsoft-ds packet to 10.254.254.253 (MSLA)

    query to corporate AD server port 88 (Kerberos) SYN


    [ ... some more corporate Kerberos junk that is not relevant ]
    [ to what I want to do                                       ]

Does this make any sense?

Note that I do not see anywhere in the packets where a TGS_REQ
was made for '[email protected]'
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
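
Added example, not part of the original post: a consistency check run over the krb5.ini as it appears above, reporting whether each realm named in default_realm and [domain_realm] has a matching [realms] stanza with kdc entries. The function names are hypothetical and the sample is the posted file cut down to the lines the check reads.

```python
import re

# Constructed sample: the krb5.ini as it appears in the post, cut down to the lines checked.
SAMPLE = """\
[libdefaults]
    default_realm = RCF.OUR.ORG
    dns_lookup_kdc = no
[domain_realm]
    .our.org = RCF.OUR.ORG
[realms]
    RCF.MITRE.ORG = {
        kdc = rcf-kdc1.our.org
        kdc = rcf-kdc2.our.org
}
"""

def parse_krb5(text):
    """Parse krb5 profile text into {section: {key: [values]}}; 'name = {' opens a nested dict."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
        elif line == "}":
            block = None
        elif section is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if val == "{":
                block = section.setdefault(key, {})
            else:
                (section if block is None else block).setdefault(key, []).append(val)
    return conf

def realm_findings(conf):
    """List realm names referenced without a KDC stanza, or defined but never referenced."""
    lib, realms = conf.get("libdefaults", {}), conf.get("realms", {})
    used = set(lib.get("default_realm", []))
    for mapped in conf.get("domain_realm", {}).values():
        used.update(mapped)
    dns_off = lib.get("dns_lookup_kdc", [""])[0].lower() in ("no", "false", "off", "0")
    out = []
    for realm in sorted(used):
        stanza = realms.get(realm)
        if not isinstance(stanza, dict) or not stanza.get("kdc"):
            note = "; dns_lookup_kdc is off, so no DNS fallback" if dns_off else ""
            out.append(f"{realm}: referenced but has no [realms] stanza with kdc entries{note}")
    out += [f"{r}: defined in [realms] but never referenced" for r in sorted(set(realms) - used)]
    return out

if __name__ == "__main__":
    print("\n".join(realm_findings(parse_krb5(SAMPLE))))
```

Realm names are compared case-sensitively, as Kerberos treats them.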
