[OpenAFS] aklog.exe tickling unwanted corp. AD servers
Jeffrey Altman
jaltman@secure-endpoints.com
Tue, 21 Dec 2010 09:38:07 -0500
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig6853C87637C70E01C2E1CCEA
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
What is the default cell for the machine?
What is the role that rcf.mitre.org plays on this machine?
What realm is the user principal from?
What credential cache type is in use?
On 12/20/2010 3:26 PM, Jeff Blaine wrote:
> Windows 7 64-bit (yeah, I know...)
> OpenAFS 1.5.78 64-bit
> KfW 3.2.2 with latest released Secure Endpoints NIM
>=20
> I can't figure out why
>=20
> aklog.exe -d -c rcf.our.org -k RCF.OUR.ORG
> Authenticating to cell rcf.our.org.
> Getting v5 tickets: afs/rcf.our.org@RCF.OUR.ORG
> Getting v5 tickets: afs@RCF.OUR.ORG
> About to resolve name jblaine@RCF.OUR.ORG to id
> Id 26560
> Set username to jblaine@RCF.OUR.ORG
> Getting tokens.
> aklog.exe: ktc 7 (11862791) while obtaining tokens for
> cell rcf.our.org
>=20
> ...regardless of the final error, ends up generating Kerberos
> packets toward our corporate AD server(s).
>=20
> C:\Windows\krb5.ini is as follows:
>=20
>> [libdefaults]
>> default_realm =3D RCF.OUR.ORG
>> forwardable =3D yes
>> ticket_lifetime =3D 7d
>> renew_lifetime =3D 14d
>> dns_lookup_realm =3D no
>> dns_lookup_kdc =3D no
>>
>> [appdefaults]
>> forwardable =3D yes
>>
>> [domain_realm]
>> .our.org =3D RCF.OUR.ORG
>>
>> [realms]
>> RCF.MITRE.ORG =3D {
>> kdc =3D rcf-kdc1.our.org
>> kdc =3D rcf-kdc2.our.org
>> kdc =3D rcf-kdc3.our.org
>> admin_server =3D rcf-kdc1.our.org
>> master_kdc =3D rcf-kdc1.our.org
>> }
>=20
> The aklog.exe Wireshark capture from above shows the following:
>=20
> DNS 'A' query for rcf-kdc1.our.org
> response
>=20
> DNS 'A' query for rcf-kdc2.our.org
> response
>=20
> DNS 'A' query for rcf-kdc3.our.org
> response
>=20
> TGS_REQ to rcf-kdc1.our.org for afs/rcf.mitre.org
> response: "principal unknown afs/rcf.our.org" as expected,
> because we use afs@RCF.OUR.ORG and it works fine.
>=20
> DNS 'A' query for rcf-kdc1.our.org
> response
>=20
> DNS 'A' query for rcf-kdc2.our.org
> response
>=20
> DNS 'A' query for rcf-kdc3.our.org
> response
>=20
> TGS_REQ to rcf-kdc1.our.org for afs/rcf.our.org
> response : "principal unknown afs/rcf.our.org" (why again?)
>=20
> DNS 'A' query for rcf-kdc1.our.org
> response
>=20
> netbios-ssn packet to 10.254.254.253 (MSLA)
>=20
> microsoft-ds packet to 10.254.254.253 (MSLA)
>=20
> query to corporate AD server port 88 (Kerberos) SYN
>=20
>=20
> [ ... some more corporate Kerberos junk that is not relevant ]
> [ to what I want to do ]
>=20
> Does this make any sense?
>=20
> Note that I do not see anywhere in the packets where a TGS_REQ
> was made for 'afs@RCF.OUR.ORG'
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
>=20
--------------enig6853C87637C70E01C2E1CCEA
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
iQEcBAEBAgAGBQJNELvPAAoJENxm1CNJffh4qEMH/3+rFdDiWG+vE8q+cPaT11jV
r63ptFgrZfryN+1MJ77x1gnUhBgg9k7ZQ5DSl24msLC839wL1Tkb0CQWfztJecsg
XvvaWFEgHh8ZwodT2ksyTHjLtBThke/fx4uXwvkV5V1c5m8CzyGTXbk6DyOIXcDs
qd9AtkBFgcRELHBIksQFgXulJoFEEHDd6AC66XOi0BcLJbU0J3ZAeylQrWy5ZFq0
vRNlUTfgpdhtIFZh7sCLxueb7W2xa7rfnS8gc8xxedCum//PIXSNdO0KMuqghVju
ZaW42/R8zoXKH2afVb5cGHy27W+dKj9jKYvJwIkL/6D2VSOBYeToBQmxPq/r054=
=3v48
-----END PGP SIGNATURE-----
--------------enig6853C87637C70E01C2E1CCEA--