[OpenAFS] Re: Problem gssklog 0.9 - AFS K5

Douglas E. Engert deengert@anl.gov
Tue, 08 Jun 2004 08:08:21 -0500

Marco Mililotti wrote:
> Hi,
>   here at Caspur we are using gssklog since version 0.6. We have recently
> migrated to AFS+Kerberos 5 (Heimdal) and upgraded to gssklog 0.9.

BTW there is a version 0.11. ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar

>   The problem is that gssklogd replies with:
>         binding socket: Address already in use
>   It seems that it's trying to bind to port 750.

Kerberos V4 used only UDP. Recent versions of Kerberos V5 can use UDP or TCP.
Kerberos V4 uses port 750. Kerberos V5 uses port 88, but a dual KDC can also respond 
on port 750 for historical reasons. 

Port |    UDP     |    TCP
750  | V4         |   Not used 
 88  | V5         |     V5 

gssklog used 750 TCP as it was to run on the AFS database servers, and 
as Kerberos V5 was being added to AFS, the KDC would be on different machines.
Thus there should be no other uses of port 750 TCP on an AFS server. 

So I suspect that you have a Heimdal KDC running on the AFS server, and it 
is listening on port 750 TCP. Since V4 would never use TCP, and V5 uses 
port 88, the KDC should not need to listen on 750 TCP. 

Hopefully there is a way to tell the KDC to not use 750 TCP. Or you can start
the gssklogd before the KDC. 

> Does version 0.9 support the integration of K5 in AFS?

Yes and no. It still returns an AFS token which looks like a V4 ticket
but the gssapi is based on V5. The real integration of V5 means that there does 
not need to be a gssklogd or krb524d. Newer versions of the clients like aklog 
or afslog can parse the V5 ticket to get what is needed for the token without
having to use a remote daemon. 

There may still be a use for the daemon if you need to have principals mapped
where the AFS cell name does not match the Kerberos realm. 
I have not looked at upgrading the gssklogd to do this. If there is interest
I can do it, and would use RX instead of straight TCP. 

> This problem disappears if we try to use a different port (with -p / -port), but
> this also requires configuring the firewall for every host.

BTW there is a version 0.11. ftp://achilles.ctd.anl.gov/pub/DEE/gssklog-0.11.tar

> Thanks.
> Best Regards,
> --
> --------------------------------------------------------------------------
>   Marco Mililotti | System Group | CASPUR-Inter.Univ.Computing Consortium
>   Tel.+39 0644486408 | m.mililotti at caspur.it | www.caspur.it/~mililott
>  :: All wars are civil wars, because all men are brothers ... Each one ::
>  :: owes infinitely more to the human race than to the particular      ::
>  :: country in which he was born.  -- Francois Fenelon                 ::
> -- Fingerprint: D029 6910 4EBF 9DF7 6AE8  CF74 62E4 E3A0 F4B7 57EA --


 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444
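A small pre-flight check, added here as an illustration and not part of the original thread or of gssklog itself, that reproduces the "Address already in use" diagnosis above: it attempts a bind() on each port/protocol pair from the table in the reply and reports which ones another process already owns, distinguishing EADDRINUSE (a conflicting listener such as a KDC on 750/TCP) from EACCES (a privileged port checked without root). The function names, the KNOWN_PORTS table and the stand-in listener in the demo are constructed for this example.

```python
import errno
import socket

# Port layout as given in the thread: V4 is UDP-only on 750, V5 is 88 on
# UDP and TCP, and gssklogd takes 750/TCP because nothing in Kerberos
# legitimately uses it. (Constructed table, not read from any config.)
KNOWN_PORTS = {
    (750, "udp"): "Kerberos V4 KDC",
    (750, "tcp"): "gssklogd (no Kerberos use; a KDC here is the conflict)",
    (88, "udp"): "Kerberos V5 KDC",
    (88, "tcp"): "Kerberos V5 KDC",
}


def port_in_use(port, proto="tcp", host="0.0.0.0"):
    """Return True if bind() on host:port fails with EADDRINUSE, meaning some
    other process already owns the port, False if the bind succeeds. Any
    other error (e.g. EACCES on a port below 1024 without root) is raised so
    the caller does not mistake "not allowed to check" for "free"."""
    socktype = socket.SOCK_STREAM if proto == "tcp" else socket.SOCK_DGRAM
    s = socket.socket(socket.AF_INET, socktype)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise
    finally:
        s.close()


def preflight(ports=KNOWN_PORTS, host="0.0.0.0"):
    """Check every (port, proto) key. Values: True = in use by another
    process, False = free, None = could not check (permission denied)."""
    result = {}
    for port, proto in ports:
        try:
            result[(port, proto)] = port_in_use(port, proto, host)
        except PermissionError:
            result[(port, proto)] = None
    return result


def report(status, ports=KNOWN_PORTS):
    """Render the preflight result as lines like the table in the thread."""
    lines = []
    for key in sorted(status, reverse=True):
        state = {True: "IN USE", False: "free", None: "unknown (need root)"}[status[key]]
        lines.append("%4d/%s  %-8s  %s" % (key[0], key[1], state, ports.get(key, "")))
    return lines


if __name__ == "__main__":
    # Demo without root: an ephemeral TCP listener stands in for a KDC that
    # has taken 750/TCP, so the check on that port reports IN USE.
    stand_in_kdc = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    stand_in_kdc.bind(("127.0.0.1", 0))
    stand_in_kdc.listen(1)
    taken = stand_in_kdc.getsockname()[1]
    demo_ports = {(taken, "tcp"): "stand-in for gssklogd 750/TCP"}
    for line in report(preflight(demo_ports, "127.0.0.1"), demo_ports):
        print(line)
    stand_in_kdc.close()
    # The real check, which needs root for the privileged ports:
    for line in report(preflight()):
        print(line)
```

Run it as root on the AFS database server before starting gssklogd: a line reading `750/tcp IN USE` confirms that another daemon (the Heimdal KDC, in the case discussed) holds the port gssklogd wants, while `88/tcp` and `88/udp` in use is expected if a KDC is co-located.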