Hello,
I have a RHEL5 VMware virtual machine running on a VMware ESX 3.0.2
server. It is currently the only virtual machine running on the VMware
server.
The RHEL5 server has the httpd RPM installed, together with a compiled
version of PHP 4.4.7. I'm also using a couple of compiled apache
modules, mod_auth_cookie and mod_auth_kerb. I'm using mod_auth_kerb to
Kerberos-protect an intranet.
When a user accesses a Kerberos-protected page, apache authenticates the
user against a Kerberos KDC in the same subnet as the apache server.
Apache authenticates the user for each item on the web page, and because
there are quite a few images on the web page, there are quite a few
(around 30) authentications against the Kerberos KDC for each page
access. (Actually, I have found a patch to mod_auth_kerb that caches the
authentication information and results in a very small number of actual
username/password checks against the Kerberos KDC. However, I'm thinking
that with enough users using the patched server, this problem is going
to recur...)
The problem I'm having is that the apache server (RHEL5 VM) sends back
an 'ICMP port unreachable' message to the KDC roughly every 20 packets
or so (variable). There it is, happily sending UDP packets between RHEL5
apache VM (from a high port) and RHEL3 KDC (Kerberos 5 - port 88), when
suddenly the apache server sends the 'port unreachable' packet.
FYI, here is a packet dump... 10.200.0.72 is the apache server and
10.200.0.1 is the KDC:
6.419340 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.419548 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.421944 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.424311 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.436367 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.436631 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.439016 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.441649 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.453587 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.453790 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.455863 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.458278 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.484476 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.484683 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.486920 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.489017 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.489299 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.489361 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.489494 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
6.515883 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.516059 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.518263 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.520637 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.536783 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.536847 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.539213 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.541309 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.551802 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.551860 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.554321 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.556499 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.573668 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.573730 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.573862 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable (Port unreachable)
6.594280 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.594330 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.596684 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.598720 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
Would anyone have any idea about what is causing this, or what I could
do to try to find out what is causing it? I guess I could run up an
RHEL5 physical (i.e. not a VMware virtual) server and see if the problem
persists, or go down a number of other similar paths... I'd rather not
have to do that if I can help it 8-)
Thanks,
Guy.
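
As an added example (not part of the original post), this Python script parses summary lines in the format of the dump above and, for each ICMP port-unreachable, reports which packet from the KDC immediately preceded it and by how many microseconds. The function names are hypothetical, and the sample lines are an excerpt copied from the post's dump, including its wrapped "(Port unreachable)" lines.

```python
import re

# Excerpt copied from the packet dump in the post (two fragments, wrapped lines kept).
CAPTURE = """\
6.486920 10.200.0.72 -> 10.200.0.1 KRB5 TGS-REQ
6.489017 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.489299 10.200.0.1 -> 10.200.0.72 KRB5 TGS-REP
6.489361 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.489494 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable
(Port unreachable)
6.573668 10.200.0.72 -> 10.200.0.1 KRB5 AS-REQ
6.573730 10.200.0.1 -> 10.200.0.72 KRB5 AS-REP
6.573862 10.200.0.72 -> 10.200.0.1 ICMP Destination unreachable
(Port unreachable)
"""

LINE = re.compile(r"^(\d+)\.(\d+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return packets as dicts; fold wrapped continuation lines into the previous packet."""
    packets = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE.match(line)
        if m:
            sec, frac, src, dst, proto, info = m.groups()
            # Integer microseconds avoid float rounding when subtracting timestamps.
            usec = int(sec) * 1_000_000 + int(frac.ljust(6, "0")[:6])
            packets.append({"usec": usec, "src": src, "dst": dst,
                            "proto": proto, "info": info})
        elif packets and line:
            packets[-1]["info"] += " " + line
    return packets

def unreachable_triggers(packets):
    """For each ICMP port-unreachable, find the latest earlier packet going the other way."""
    findings = []
    for i, p in enumerate(packets):
        if p["proto"] != "ICMP" or "Port unreachable" not in p["info"]:
            continue
        for q in reversed(packets[:i]):
            if q["src"] == p["dst"] and q["dst"] == p["src"]:
                findings.append((p["usec"], q["proto"], q["info"], p["usec"] - q["usec"]))
                break
    return findings

if __name__ == "__main__":
    for when, proto, info, delta in unreachable_triggers(parse(CAPTURE)):
        print(f"ICMP at {when} us follows {proto} {info} by {delta} us")
```

On this excerpt both ICMP messages follow an AS-REP from the KDC, by 133 and 132 microseconds respectively.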