[OpenAFS] kaserver sun to linux db auth issue
John W. Sopko Jr.
sopko@cs.unc.edu
Mon, 21 Feb 2005 14:48:51 -0500
Here are 2 tests, the -vv option does not seem to give any more info.
I used the -X option to get both hex and ascii info.
The 1st test is to the Red Hat Enterprise 3 OpenAFS server that broke
when we migrated to it. The second test is to our campus server that
runs heimdal and works. I used the same "kinit" client which is the
latest that comes with Red Hat Enterprise and works, that is the "kinit -4"
command works and issues a k4 tgt.
The one difference I see is the first, non-working, KDC_REPLY does not have
the domain name "CS.UNC.EDU" in the response from toucan.cs.unc.edu where
the response from db0.isis.unc.edu does have the domain, ISIS.UNC.EDU,
name in it. I thought there may be some config file or setting that
could easily fix the issue, think this may be the problem?
Don't know if the kaserver uses /etc/krb.conf or krb.realms but I included
them below, krb.realms is unchanged and krb.conf has the new linux db
servers in it. The "kinit -4" command uses the /etc/krb.conf file to find
its kdc servers.
The latest version of kinit the RedHat distributes is 1.2.7, :-(. The
user that had the problem was on a Mac and I do need to get more info
on their kinit client, but the point is this worked on OpenAFS 1.2.13
Solaris and then broke when we went to the Red Hat linux servers.
The klog for the Mac works but they had integrated login working where
kinit got a v4 tgt and then did an aklog to get a token.
Thanks for any ideas you may have!
sopko@lark:1% kinit -4 sopko@CS.UNC.EDU
Password for sopko@CS.UNC.EDU:
kinit(v4): Password incorrect
sopko@lark:2% kinit -4 sopko@ISIS.UNC.EDU
Password for sopko@ISIS.UNC.EDU:
sopko@lark:3% klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_3903)
Kerberos 4 ticket cache: /tmp/tktp1092227119
Principal: sopko@ISIS.UNC.EDU
Issued Expires Principal
02/21/05 14:25:34 02/22/05 00:25:34 krbtgt.ISIS.UNC.EDU@ISIS.UNC.EDU
OUTPUT FROM REDHAT LINUX OPENAFS 1.2.13
---------------------------------------
tcpdump -X -s 1500 -vv port 750 or port 88
tcpdump: listening on eth0
13:40:02.238307 lark.cs.unc.edu.32807 > toucan.cs.unc.edu.kerberos-iv: [udp
sum ok] v4 le KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
(ttl 64, id 0, len 71)
0x0000 4500 0047 0000 4000 4011 0990 9802 810d E..G..@.@.......
0x0010 9802 8004 8027 02ee 0033 4c22 0403 736f .....'...3L"..so
0x0020 706b 6f00 0043 532e 554e 432e 4544 5500 pko..CS.UNC.EDU.
0x0030 022b 1a42 786b 7262 7467 7400 4353 2e55 .+.Bxkrbtgt.CS.U
0x0040 4e43 2e45 4455 00 NC.EDU.
13:40:02.238623 toucan.cs.unc.edu.kerberos-iv > lark.cs.unc.edu.32807: [udp
sum ok] v4 be KDC_REPLY: sopko.@ (104) (DF) (ttl 64, id 11, len 154)
0x0000 4500 009a 000b 4000 4011 0932 9802 8004 E.....@.@..2....
0x0010 9802 810d 02ee 8027 0086 26f3 0404 736f .......'..&...so
0x0020 706b 6f00 0000 421a 2b02 0142 1ab7 a230 pko...B.+..B...0
0x0030 0068 d91f 12eb 9756 6b50 b2ad ace8 17e4 .h.....VkP......
0x0040 7f20 64ce 87f1 b5bf 4bb1 c9f5 0ebf e1f2 ..d.....K.......
0x0050 7078 3cdb 3538 0ba7 4238 af2e f9b2 7e2a px<.58..B8....~*
0x0060 90ba 425a bb02 6396 d673 e9a8 0519 aa02 ..BZ..c..s......
0x0070 aee8 dc20 71b7 ed5e 95af 7d80 7156 c140 ....q..^..}.qV.@
0x0080 5798 c7bf 64cc ba99 7d75 2057 c388 6b7a W...d...}u.W..kz
0x0090 42bd 6bbc 6db3 919f 7170 B.k.m...qp
OUTPUT FROM HEIMDAL CAMPUS SERVER
---------------------------------
13:41:09.727346 lark.cs.unc.edu.32809 > db0.isis.unc.edu.kerberos-iv: [udp
sum ok] v4 le KDC_REQUEST: sopko.@ISIS.UNC.EDU 600min krbtgt.ISIS.UNC.EDU
(DF) (ttl 64, id 0, len 75)
0x0000 4500 004b 0000 4000 4011 888b 9802 810d E..K..@.@.......
0x0010 9802 0105 8029 02ee 0037 e574 0403 736f .....)...7.t..so
0x0020 706b 6f00 0049 5349 532e 554e 432e 4544 pko..ISIS.UNC.ED
0x0030 5500 452b 1a42 786b 7262 7467 7400 4953 U.E+.Bxkrbtgt.IS
0x0040 4953 2e55 4e43 2e45 4455 00 IS.UNC.EDU.
13:41:09.731849 db0.isis.unc.edu.kerberos-iv > lark.cs.unc.edu.32809: [udp
sum ok] v4 be KDC_REPLY: sopko.@ISIS.UNC.EDU (112) (ttl 28, id 23908, len 174)
0x0000 4500 00ae 5d64 0000 1c11 8ec4 9802 0105 E...]d..........
0x0010 9802 810d 02ee 8029 009a abbd 0404 736f .......)......so
0x0020 706b 6f00 0049 5349 532e 554e 432e 4544 pko..ISIS.UNC.ED
0x0030 5500 421a 2b45 0042 8201 6a19 0070 551c U.B.+E.B..j..pU.
0x0040 dd62 1a2e f4f2 dbfb a46b efa4 f0af 89ce .b.......k......
0x0050 eee1 9719 a1fa 5b12 e474 ddce 2d55 02c5 ......[..t..-U..
0x0060 1f87 80f0 d5d7 664e 3eca e479 a71c bfb9 ......fN>..y....
0x0070 1b07 8ccc 30de 4535 0aed 4140 d4b8 6525 ....0.E5..A@..e%
0x0080 3e43 be7b aae5 1b65 0217 51b3 b49d c190 >C.{...e..Q.....
0x0090 0493 8232 065a 0c53 654b f66b 18db d86c ...2.Z.SeK.k...l
0x00a0 aaad 79de b73c dfbf 146e f481 af16 ..y..<...n....
This is on the kaserver:
sopko@toucan:2% cat krb.realms
cs.unc.edu CS.UNC.EDU
.cs.unc.edu CS.UNC.EDU
sopko@toucan:3% cat krb.conf
CS.UNC.EDU
CS.UNC.EDU quail.cs.unc.edu admin server
CS.UNC.EDU toucan.cs.unc.edu admin server
CS.UNC.EDU cvs.cs.unc.edu admin server
On the client I did the "kinit -4" command from, the krb.conf just
has:
lark/root [/etc] # cat krb.conf
CS.UNC.EDU
CS.UNC.EDU toucan.cs.unc.edu:750
ISIS.UNC.EDU db0.isis.unc.edu:750
To force the client to use kdc toucan and port 750.
Jeffrey Hutzelman wrote:
>
>
> On Monday, February 21, 2005 08:20:49 AM -0500 "John W. Sopko Jr."
> <sopko@cs.unc.edu> wrote:
>
>> This posting got delayed for a few days, some email issue, thought you
>> may not have seen it, I have run out of things to try to get
>> kinit to get k4 tgt's to work. That is why I was asking for the Red Hat
>> Source the other day to see if there may be some issue with our
>> source. I have tried kinit to port 750 and 88 with no luck. Probably
>> not related but when the kas server starts on our Red Hat linux,
>> it reports this in the /usr/afs/logs/AuthLog:
>>
>> kerberos4/udp port=60930
>> kerberos5/udp port=22528
>
>
>> kerberos4/udp port=750
>> kerberos5/udp port=88
>
>
> Looks like a byte-order problem. It's been a very long time (say, AFS
> 3.3a or so) since I've had a kaserver running on a little-endian system,
> but I'm pretty sure it was listening on the right ports back then. It's
> possible it's listening on the correct ports, but reporting the wrong
> ones in the log. If you run 'lsof -i -p XXX' where XXX is the
> kaserver's pid, it should be pretty obvious which ports it's actually
> listening on. Either way, you should file an appropriate bug if you've
> not already done so.
It is listening on the proper ports:
kaserver 31519 root cwd DIR 8,13 4096 63873 /usr/afs/logs
kaserver 31519 root rtd DIR 8,1 4096 2 /
kaserver 31519 root txt REG 8,13 265592 31954 /usr/afs/bin/kaserver
kaserver 31519 root mem REG 8,1 76540 14676 /lib/libresolv-2.3.2.so
kaserver 31519 root mem REG 8,1 1571692 63016 /lib/tls/libc-2.3.2.so
kaserver 31519 root mem REG 8,1 106912 14631 /lib/ld-2.3.2.so
kaserver 31519 root mem REG 8,1 51936 14664 /lib/libnss_files-2.3.2.so
kaserver 31519 root 0u CHR 5,1 29415 /dev/console
kaserver 31519 root 1w REG 8,13 326 63887 /usr/afs/logs/AuthLog
kaserver 31519 root 2w REG 8,13 326 63887 /usr/afs/logs/AuthLog
kaserver 31519 root 3u IPv4 499749 UDP *:afs3-kaserver
kaserver 31519 root 4u REG 8,13 64 47910 /usr/afs/db/kaserver.DBSYS1
kaserver 31519 root 5u REG 8,13 249920 47911 /usr/afs/db/kaserver.DB0
kaserver 31519 root 6u REG 8,13 8656 15974 /usr/afs/local/kaserverauxdb
kaserver 31519 root 7u IPv4 499756 UDP *:kerberos-iv
kaserver 31519 root 8u IPv4 499757 UDP *:kerberos
>
>
>> I cranked up debugging on the kaserver with "kill -TSTP" it shows the
>> following if I give it a good passwd or a bad passwd:
>>
>> Fri Feb 18 10:43:22 2005 sopko,krbtgt.CS.UNC.EDU:auth from d810298
>>
>> Also I get the same response as shown below from tcpdump if I
>> type in the good passwd or a bad passwd.
>
>
> This makes it seem likely that the kaserver is indeed listening on the
> correct port, and you actually have some other problem. Unfortunately,
> your tcpdump output is fairly useless because with no switches, tcpdump
> shows very limited information. You should try more switches, like:
>
> # tcpdump -s 1500 -vv port 7004 or port 750 or port 88
>
> That will increase the packet length that tcpdump captures, and increase
> the verbosity of its output. You can also add -x if you want to see the
> raw packets.
>
>
> At the moment, I'm not sure what the problem is here. It would probably
> help to know where your kinit came from, what version it is, etc.
>
>
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
>
--
John W. Sopko Jr.
email: sopko AT cs.unc.edu
Phone: 919-962-1844
Fax: 919-962-1799
University of North Carolina
Computer Science Dept., CB 3175
Sitterson Hall; Room 044
Chapel Hill, NC 27599-3175
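To see the difference described in the message in the packets themselves, here is an added Python example (not from the mail, OpenAFS or kinit) that decodes the cleartext header of the four Kerberos v4 packets transcribed from the tcpdump hex above, honouring the byte-order bit in the type field, and relates the ports printed in AuthLog (60930, 22528) to the real ones (750, 88) with a 16-bit byte swap. The header layout assumed is the standard Kerberos 4 KDC_REQUEST/KDC_REPLY wire format; the byte strings are the UDP payloads copied from the dumps, with the reply ciphertext omitted.

```python
import struct

KDC_REQUEST, KDC_REPLY = 2, 4  # krb4 message codes (type << 1; low bit = byte-order flag)

def _cstr(buf, off):
    """Read a NUL-terminated ASCII string; return (text, offset past the NUL)."""
    end = buf.index(b"\x00", off)
    return buf[off:end].decode("ascii"), end + 1

def parse_krb4(pkt: bytes) -> dict:
    """Decode the cleartext header of a Kerberos v4 KDC_REQUEST or KDC_REPLY."""
    if pkt[0] != 4:
        raise ValueError("not a Kerberos v4 packet")
    msg_type, le = pkt[1] & 0xFE, bool(pkt[1] & 1)
    fmt = "<" if le else ">"   # multi-byte integers use the sender's byte order
    m = {"type": msg_type, "little_endian": le}
    m["name"], off = _cstr(pkt, 2)
    m["instance"], off = _cstr(pkt, off)
    m["realm"], off = _cstr(pkt, off)
    m["timestamp"] = struct.unpack_from(fmt + "I", pkt, off)[0]; off += 4
    if msg_type == KDC_REQUEST:
        m["lifetime_min"] = pkt[off] * 5; off += 1   # 5-minute units (<128 only)
        m["service"], off = _cstr(pkt, off)
        m["service_instance"], off = _cstr(pkt, off)
    elif msg_type == KDC_REPLY:
        m["n_tickets"] = pkt[off]; off += 1
        m["exp_date"] = struct.unpack_from(fmt + "I", pkt, off)[0]; off += 4
        m["kvno"] = pkt[off]; off += 1
        m["cipher_len"] = struct.unpack_from(fmt + "H", pkt, off)[0]
    return m

def reply_realm_matches(req: bytes, rep: bytes) -> bool:
    """The difference the mail points at: does the KDC echo the requested realm?"""
    return parse_krb4(req)["realm"] == parse_krb4(rep)["realm"]

def swapped_port(port: int) -> int:
    """What a 16-bit port number looks like if logged in the wrong byte order."""
    return ((port & 0xFF) << 8) | (port >> 8)

# UDP payloads transcribed from the tcpdump hex above; reply ciphertext omitted
TOUCAN_REQ = bytes.fromhex("0403736f706b6f000043532e554e432e45445500022b1a4278"
                           "6b72627467740043532e554e432e45445500")
TOUCAN_REP = bytes.fromhex("0404736f706b6f000000421a2b0201421ab7a2300068")
DB0_REQ = bytes.fromhex("0403736f706b6f0000495349532e554e432e45445500452b1a4278"
                        "6b726274677400495349532e554e432e45445500")
DB0_REP = bytes.fromhex("0404736f706b6f0000495349532e554e432e45445500421a2b45004282016a190070")
```

Running `reply_realm_matches` on each pair shows the toucan reply carrying an empty realm while the db0 reply echoes ISIS.UNC.EDU; both replies decode with the request's timestamp, so the byte-order bit is being handled consistently on the wire.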