[OpenAFS] Win2K port definitions

Adye, TJ (Tim) T.J.Adye@rl.ac.uk
Sun, 12 Aug 2001 01:22:15 +0100


Hi,

I recently upgraded my Win2K SP2 AFS client from IBM AFS 3.6 2.18 to OpenAFS
1.04a (using Install.exe.old, 25 June, as the newer version was corrupted at
the time - I see this has now been fixed). Although probably not necessary,
I first completely uninstalled IBM AFS and then reinstalled with OpenAFS.
After the installation, I was no longer able to obtain tokens from some
servers (2 of the 5 sites I use), although I could still access their
filesystems (at least where allowed by system:anyuser access). Even stranger
was that one site that I previously had firewall problems (I think) with
started working!

Anyway, I think I've tracked the problem down to the well-known port
definitions in \WINNT\system32\drivers\etc\services file (better known as
/etc/services on Unix). On Win2K, this seems to be set up for Kerberos V5,
with definitions:-

  kerberos           88/tcp    krb5 kerberos-sec      #Kerberos
  kerberos           88/udp    krb5 kerberos-sec      #Kerberos
  kerberos-iv       750/udp                           #Kerberos version IV

while NT4 assumed Kerberos V4:-

  kerberos          750/tcp    kdc           # Kerberos authentication--tcp
  kerberos          750/udp    kdc           # Kerberos authentication--udp

I checked the dates (Dec 99 and Aug 96, respectively), and neither of these
files has been touched by the AFS (or other) installation.

Using network monitoring, I could see the requests going out on port 88, so
I guess that the client uses service "kerberos". For the "problem" cells,
there was no response, so eventually the klog timed out. When I changed the
Win2K /etc/services file to use port 750 for service "kerberos", it started
working.

My guess as to why some cells continued to work is that they might also be
running Kerberos V5 servers (or, probably more likely, a server that could
accept either version - kaserver?), and so accept a connection on port 88.
Maybe the other sites had this too, but port 88 was blocked by their
firewalls. On my other site, perhaps port 750 but not 88 was blocked by the
firewall, which is why it started to work again. Does this sound reasonable?
(Sorry if this is garbled - I'm not that familiar with AFS Kerberos.)

Did I miss something in the documentation about this - I can't see anything?
Or is this supposed to work in a different way? If not, I don't see how I
can be the only one with this problem. Should the /etc/services be updated
as part of the OpenAFS installation, or maybe (better) the client could
check service "kerberos-iv" before trying "kerberos". What did IBM AFS do
differently?

Regards,
Tim.

PS. I don't manage any of these AFS servers, so don't have control over (or
know about) their configuration.

PPS. To get it working, I actually changed all the Kerberos definitions in
\WINNT\system32\drivers\etc\services to match those from NT4. In case it's
relevant, here's the full diff (< old, > new):-

40,41c40,41
< kerberos           88/tcp    krb5 kerberos-sec      #Kerberos
< kerberos           88/udp    krb5 kerberos-sec      #Kerberos
---
> krb5               88/tcp    kerberos-sec           #Kerberos
> krb5               88/udp    kerberos-sec           #Kerberos
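Review bot: after this hunk the name `kerberos` no longer resolves to port 88 on either protocol; only the aliases `krb5` and `kerberos-sec` keep the V5 port, and the next hunk then binds `kerberos` to 750. Any other program on the machine that looks up `kerberos` by service name will silently follow it to 750, so it would be worth stating in the message which other Kerberos-aware software is on the host, or limiting the change to the `kerberos-iv` lookup the text proposes rather than swapping the meaning of `kerberos` itself.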
104c104,110
< kerberos-iv       750/udp                           #Kerberos version IV
---
> kerberos          750/tcp    kerberos-iv kdc        # Kerberos
authentication--tcp
> kerberos          750/udp    kerberos-iv kdc        # Kerberos
authentication--udp
> kerberos_master   751/tcp                           # Kerberos
authentication
> kerberos_master   751/udp                           # Kerberos
authentication
> passwd_server     752/udp                           # Kerberos passwd
server
> userreg_server    753/udp                           # Kerberos userreg
server
> krb_prop          754/tcp                           # Kerberos slave
propagation
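Review bot: the lines `authentication--tcp`, `authentication--udp`, `authentication`, `server` and `propagation` carry no `>` prefix and no `#`, so they are almost certainly the comment field of the preceding entry wrapped by the mail client rather than lines in the file. Anyone pasting this hunk as shown would create bare entries with no port/protocol field; please re-send with the long lines unwrapped (or note that each `# Kerberos ...` comment continues on the next line). Also worth noting is that this hunk adds a `750/tcp` entry and the 751-754 services that the original Win2K file never had; only the `750/udp` mapping of `kerberos` is needed for the klog behaviour described above.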
119a126
> eklogin          2105/tcp                           # Kerberos encrypted
rlogin
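Review bot: `rlogin` on its own line is again a wrapped comment fragment, not a file line, and the `eklogin 2105/tcp` entry has nothing to do with obtaining tokens via klog; it is here only to match the NT4 file, which the surrounding text should say so readers do not assume it is part of the fix.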

==============================  cut here  ==============================
Tim Adye, BaBar Group, Particle Physics Dept.,             _   /|
          Rutherford Appleton Laboratory, UK.              \'o.O'   Oop!
e-mail:   T.J.Adye@rl.ac.uk                                =(___)=  Ack!
WWW:      http://hepwww.rl.ac.uk/Delphi/Adye/homepage.html    U  Thphft!
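To make the lookup behaviour discussed in the message concrete, here is an added Python example (not OpenAFS or IBM AFS code, and not part of the original post). It parses services-file entries in the format quoted above, resolves a service name to a port the way a getservbyname()-style call would, and implements the lookup order the message proposes: try "kerberos-iv" first, then "kerberos", then fall back to 750. The sample entries are constructed from the Win2K and NT4 lines quoted in the mail; a third constructed sample shows how a mail-wrapped comment fragment (a bare word with no port field) is skipped rather than mis-parsed. The function names are assumptions for this example.

```python
"""Added example: resolve the Kerberos V4 port from services-file entries.

Demonstrates why a Win2K client that looks up the service "kerberos"
gets port 88 while an NT4 client gets 750, and shows the "kerberos-iv
before kerberos" lookup order proposed in the message.
"""

# Constructed sample: the Win2K entries quoted in the mail.
WIN2K_SERVICES = """\
kerberos           88/tcp    krb5 kerberos-sec      #Kerberos
kerberos           88/udp    krb5 kerberos-sec      #Kerberos
kerberos-iv       750/udp                           #Kerberos version IV
"""

# Constructed sample: the NT4 entries quoted in the mail.
NT4_SERVICES = """\
kerberos          750/tcp    kdc           # Kerberos authentication--tcp
kerberos          750/udp    kdc           # Kerberos authentication--udp
"""

# Constructed sample: an entry whose comment was wrapped onto a new line
# by a mail client, leaving a bare fragment with no port/protocol field.
WRAPPED_SERVICES = """\
kerberos          750/udp    kerberos-iv kdc        # Kerberos
authentication--udp
"""


def parse_services(text):
    """Parse services-file lines into {(name_or_alias, proto): port}.

    Comments (everything after '#') are dropped.  Lines without a
    'port/proto' second field, such as wrapped comment fragments, are
    ignored.  The first mapping seen for a name wins, mirroring the
    first-match behaviour of a sequential getservbyname() scan.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue  # malformed or wrapped line: skip it
        name, port_proto = fields[0], fields[1]
        port_s, proto = port_proto.split("/", 1)
        try:
            port = int(port_s)
        except ValueError:
            continue
        for alias in [name] + fields[2:]:
            table.setdefault((alias.lower(), proto.lower()), port)
    return table


def getservbyname(table, name, proto="udp"):
    """Return the port for (name, proto) or None, like a failed lookup."""
    return table.get((name.lower(), proto.lower()))


def kerberos_v4_port(table, proto="udp", default=750):
    """Lookup order proposed in the message: kerberos-iv, then kerberos,
    then a fixed fallback.  Returns (port, name_that_matched_or_None)."""
    for name in ("kerberos-iv", "kerberos"):
        port = getservbyname(table, name, proto)
        if port is not None:
            return port, name
    return default, None


if __name__ == "__main__":
    for label, text in (("Win2K", WIN2K_SERVICES), ("NT4", NT4_SERVICES)):
        tbl = parse_services(text)
        print(label, "lookup of 'kerberos' ->", getservbyname(tbl, "kerberos"))
        print(label, "V4 port with proposed order ->", kerberos_v4_port(tbl))
```

Run as a script it shows the mismatch at the heart of the message: the plain "kerberos" lookup yields 88 on the Win2K table and 750 on the NT4 table, whereas the proposed order returns 750 on both because Win2K's "kerberos-iv" entry is consulted first.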