[OpenAFS] aklog.exe tickling unwanted corp. AD servers
Jeff Blaine
jblaine@kickflop.net
Mon, 20 Dec 2010 15:26:12 -0500

Windows 7 64-bit (yeah, I know...)
OpenAFS 1.5.78 64-bit
KfW 3.2.2 with latest released Secure Endpoints NIM

I can't figure out why

    aklog.exe -d -c rcf.our.org -k RCF.OUR.ORG
    Authenticating to cell rcf.our.org.
    Getting v5 tickets: afs/rcf.our.org@RCF.OUR.ORG
    Getting v5 tickets: afs@RCF.OUR.ORG
    About to resolve name jblaine@RCF.OUR.ORG to id
    Id 26560
    Set username to jblaine@RCF.OUR.ORG
    Getting tokens.
    aklog.exe: ktc 7 (11862791) while obtaining tokens for
    cell rcf.our.org

...regardless of the final error, ends up generating Kerberos
packets toward our corporate AD server(s).

C:\Windows\krb5.ini is as follows:

> [libdefaults]
> default_realm = RCF.OUR.ORG
> forwardable = yes
> ticket_lifetime = 7d
> renew_lifetime = 14d
> dns_lookup_realm = no
> dns_lookup_kdc = no
>
> [appdefaults]
> forwardable = yes
>
> [domain_realm]
> .our.org = RCF.OUR.ORG
>
> [realms]
> RCF.MITRE.ORG = {
> kdc = rcf-kdc1.our.org
> kdc = rcf-kdc2.our.org
> kdc = rcf-kdc3.our.org
> admin_server = rcf-kdc1.our.org
> master_kdc = rcf-kdc1.our.org
> }

The aklog.exe Wireshark capture from above shows the following:

    DNS 'A' query for rcf-kdc1.our.org
        response
    DNS 'A' query for rcf-kdc2.our.org
        response
    DNS 'A' query for rcf-kdc3.our.org
        response
    TGS_REQ to rcf-kdc1.our.org for afs/rcf.mitre.org
        response: "principal unknown afs/rcf.our.org" as expected,
        because we use afs@RCF.OUR.ORG and it works fine.
    DNS 'A' query for rcf-kdc1.our.org
        response
    DNS 'A' query for rcf-kdc2.our.org
        response
    DNS 'A' query for rcf-kdc3.our.org
        response
    TGS_REQ to rcf-kdc1.our.org for afs/rcf.our.org
        response : "principal unknown afs/rcf.our.org" (why again?)
    DNS 'A' query for rcf-kdc1.our.org
        response
    netbios-ssn packet to 10.254.254.253 (MSLA)
    microsoft-ds packet to 10.254.254.253 (MSLA)
    query to corporate AD server port 88 (Kerberos) SYN
    [ ... some more corporate Kerberos junk that is not relevant ]
    [ to what I want to do ]

Does this make any sense?

Note that I do not see anywhere in the packets where a TGS_REQ
was made for 'afs@RCF.OUR.ORG'.
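
An added example, not part of the original message and not OpenAFS or KfW code: one way to check a capture like the one described above for Kerberos (port 88) traffic to hosts that krb5.ini does not list as KDCs. The config, DNS answers, flow list and the helper names are constructed for illustration; the stanza name RCF.OUR.ORG and the 192.0.2.x / 198.51.100.x addresses are assumptions.

```python
import re
# Constructed sample modeled on the krb5.ini in the post. The stanza name
# RCF.OUR.ORG and every address below are assumptions for illustration.
KRB5_INI = """\
[libdefaults]
default_realm = RCF.OUR.ORG

[realms]
RCF.OUR.ORG = {
  kdc = rcf-kdc1.our.org
  kdc = rcf-kdc2.our.org:88
  admin_server = rcf-kdc1.our.org
}
"""
# Constructed: name -> addresses taken from DNS answers seen in a capture.
DNS_ANSWERS = {"rcf-kdc1.our.org": ["192.0.2.11"],
               "rcf-kdc2.our.org": ["192.0.2.12"]}
# Constructed flow summaries: (destination address, destination port).
FLOWS = [("192.0.2.11", 88), ("10.254.254.253", 445), ("198.51.100.5", 88)]

def configured_kdcs(ini_text):
    """Return {realm: set of KDC hostnames} from the [realms] section."""
    kdcs, section, realm = {}, None, None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                 # new top-level section
            section, realm = m.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=", 1)[0].strip()
            kdcs[realm] = set()
        elif line == "}":
            realm = None
        elif realm and line.split("=", 1)[0].strip() == "kdc":
            host = line.split("=", 1)[1].strip()
            kdcs[realm].add(host.split(":", 1)[0].lower())  # drop :port
    return kdcs

def unexpected_kerberos(flows, kdc_hosts, dns_answers):
    """Port-88 flows whose destination is not a configured KDC address."""
    allowed = {ip for h in kdc_hosts for ip in dns_answers.get(h, ())}
    return [(dst, port) for dst, port in flows
            if port == 88 and dst not in allowed]

def check(ini=KRB5_INI, flows=FLOWS, dns=DNS_ANSWERS):
    hosts = set().union(*configured_kdcs(ini).values())
    return unexpected_kerberos(flows, hosts, dns)
```

Calling `check()` on the constructed data returns only the port-88 flow to the address that is not a configured KDC; the port-445 flow is ignored because the check looks at Kerberos traffic only.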