[OpenAFS-devel] KAA_AuthenticateV2
Christof Hanke
hanke@rzg.mpg.de
Thu, 14 Apr 2005 18:02:16 +0200
Hi,
at RZG, there is a strange behaviour of klog. Whenever one of the afs
db-servers is down, you have to wait a full timeout before you get a
token. This shouldn't happen, because klog chooses one server at random,
so in my case (3 servers), 66% should not timeout. In fact, 100% wait
for a timeout.
Here are the version details:
Distribution: SLES9
klog from openafs 1.3.80 (doesn't really matter)
kaserver : heimdal 0.6.3 - kdc
The problem is that heimdal 0.6.3 does not support the rx-call
KAA_AuthenticateV2, but only KAA_Authenticate. "klog", however, tries
first KAA_AuthenticateV2 on all known servers (in random order), then
switches back to KAA_Authenticate.
Thus, you always have to wait one timeout.
Looking at the source, the solution turned out to be trivial:
KAA_Authenticate is exactly KAA_AuthenticateV2 except the op-field in
the header is different.
The easiest solution is then to patch heimdal to treat
KAA_AuthenticateV2 in the same way as
KA_Authenticate:
hanke@senf:src>diff -u heimdal-0.6.3/kdc/kaserver.c
heimdal-0.6.3/kdc/kaserver.c.
--- heimdal-0.6.3/kdc/kaserver.c 2003-10-06 23:02:35.324554230 +0200
+++ heimdal-0.6.3/kdc/kaserver.c. 2005-04-14 17:47:40.415265408 +0200
@@ -828,6 +828,8 @@
case GETPASSWORD :
case GETRANDOMKEY :
case AUTHENTICATE_V2 :
+ do_authenticate(&hdr, sp, addr, reply);
+ break;
default :
make_error_reply (&hdr, RXGEN_OPCODE, reply);
break;
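Review bot: The two added lines land under `case AUTHENTICATE_V2 :`, but `case GETPASSWORD :` and `case GETRANDOMKEY :` directly above it have no statements of their own and fall through to the same point, so after this change those opcodes are also dispatched to `do_authenticate` instead of reaching `default :` and the `RXGEN_OPCODE` error reply. Any case labels above the visible context that share this fall-through group are affected in the same way. Give `case AUTHENTICATE_V2 :` its own position in the switch, after a `break;`, so that only that opcode reaches `do_authenticate`, and leave the unsupported opcodes falling through to `default :`.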
(Hopefully a heimdal-developer reads this, otherwise I can report it
there as well)
The question is, why are there two versions of KAA_Authenticate?
A look in our afs-src trees revealed this situation hasn't changed since
1998 (afs 3.4).
Shouldn't we just dump KAA_AuthenticateV2 altogether, or is it used
somewhere else?
I don't have a clue what's going on with the krb5-integration, so I
don't know how much work I/we should put into fixing this stuff.
Christof
--
There is always an easy solution to every human problem --
neat, plausible and wrong. H. L. Mencken
-----------------------------------------------------------------
Christof Hanke e-mail hanke@rzg.mpg.de
RZG (Rechenzentrum Garching) phone +49-89-3299-1788
Computing Center of the Max-Planck-Gesellschaft (MPG) and the
Institut für Plasmaphysik (IPP)