[OpenAFS] openssh, addressless tickets and AFS tokens
Douglas E. Engert
deengert@anl.gov
Mon, 07 Feb 2005 13:15:36 -0600
Kevin Hill wrote:
> Hi,
> This is more of a kerberos question, but thought someone here might have
> run into this before...
>
> We are using an older version of openssh with Simon Wilkinson's gssapi
> patch, and a locally maintained version of mit kerberos. We have some
> linux systems behind a load balancer, which are having problems getting
> afs tickets.
>
> The systems behind the load balancer are configured with the external ip
> address client machines think they are connected to bound to a loopback
> device. They have a host principal for this name installed. Clients can
> authenticate correctly, but if they log in with an addressless ticket
> they are ending up with a tgt with the ip they connected to in their
> cache, which seems to be preventing getting an afs token. When
> connecting with telnet they are getting an addressless tgt and can
> successfully get an afs token.
>
> Anyone seen this situation come up before or have any suggestions?
Sounds like something we had seen in 1.2.8 and fixed in 1.3.1 dealing
with addressless tickets.
http://mailman.mit.edu/pipermail/krbdev/2002/000681.html
This was the 1.2.8 version; look at later versions for a better fix.
--- ,fwd_tgt.c Fri Apr 11 13:58:14 2003
+++ fwd_tgt.c Fri Apr 11 13:58:14 2003
@@ -103,9 +103,11 @@
krb5_free_cred_contents (context, &in);
}
+ if (tgt.addresses) {
retval = krb5_os_hostaddr(context, rhost, &addrs);
if (retval)
goto errout;
+ }
if ((retval = krb5_copy_principal(context, client, &creds.client)))
goto errout;
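Review bot: on the new skip path (`tgt.addresses` is NULL) `addrs` is never assigned, so any later read or free of it, for instance when the forwarded credentials are built from `creds`, would use whatever `addrs` held before; the hunk does not show the declaration, so confirm it is initialised to NULL (`krb5_address **addrs = NULL;`) and that the `errout` cleanup tolerates a NULL pointer. Also, the `---` header names `,fwd_tgt.c` with a stray leading comma, which is worth cleaning up before the patch is circulated further.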
>
> thanks,
> -kevin
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>
>
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
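Before chasing the server-side fix, the check a practitioner wants is whether the TGT that landed in the cache after the ssh login is actually addressless. The following is an added example, not code from the thread or from OpenAFS or MIT Kerberos: a POSIX sh script that reads MIT `klist -a` output and reports the address field of the krbtgt entry. The two listings it runs on are constructed for the example (the principal, cache path and 10.0.0.5 are made up) and assume the `Addresses: ...` line that MIT klist prints under each ticket; on a real host feed it `klist -a` output instead.

```shell
#!/bin/sh
# Check whether the krbtgt entry in an MIT `klist -a` listing carries
# client addresses. An addressed TGT is the symptom from the thread: the
# forwarded ticket picked up the address the client connected to, and the
# AFS token request from behind the load balancer then does not succeed.
#
# The two listings below are constructed sample input for this example
# (principal, cache path and 10.0.0.5 are made up); they follow the
# "<tab>Addresses: ..." line format that MIT klist -a prints per ticket.

KLIST_ADDRESSLESS='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kevin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/07/05 12:00:00  02/07/05 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Addresses: (none)
02/07/05 12:00:05  02/07/05 22:00:00  afs@EXAMPLE.COM
	Addresses: (none)'

KLIST_ADDRESSED='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: kevin@EXAMPLE.COM

Valid starting     Expires            Service principal
02/07/05 12:00:00  02/07/05 22:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
	Addresses: 10.0.0.5'

# tgt_addresses LISTING
#   Prints the address field of the first krbtgt/ entry: "(none)" for an
#   addressless TGT, the address list otherwise, "unknown" if no TGT is found.
tgt_addresses() {
    printf '%s\n' "$1" | awk '
        /krbtgt\//                    { in_tgt = 1; next }
        in_tgt && /^[ \t]*Addresses:/ {
            sub(/^[ \t]*Addresses:[ \t]*/, "")
            print
            found = 1
            exit
        }
        /^[^ \t]/                     { in_tgt = 0 }
        END { if (!found) print "unknown" }'
}

# tgt_is_addressless LISTING
#   Exit status 0 when the TGT has no addresses, 1 otherwise.
tgt_is_addressless() {
    [ "$(tgt_addresses "$1")" = "(none)" ]
}

# Stand-alone usage: report on both constructed listings. If the TGT is
# addressed, request an addressless one with `kinit -A` (or set
# noaddresses = true under [libdefaults] in krb5.conf) and forward again
# before running aklog.
for name in KLIST_ADDRESSLESS KLIST_ADDRESSED; do
    eval "listing=\$$name"
    if tgt_is_addressless "$listing"; then
        echo "$name: TGT is addressless"
    else
        echo "$name: TGT bound to $(tgt_addresses "$listing"); this may keep aklog from getting a token"
    fi
done
```

The awk pass resets `in_tgt` at the next unindented line so that an `Addresses:` line belonging to a later ticket (the `afs@` entry above) is never mistaken for the TGT's own. If the client side already shows `(none)` but the cache on the balanced host shows an address, the ticket picked it up during forwarding, which is the server-side case Doug's patch addresses.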