[OpenAFS] Win2K port definitions
Adye, TJ (Tim)
T.J.Adye@rl.ac.uk
Sun, 12 Aug 2001 01:22:15 +0100
Hi,
I recently upgraded my Win2K SP2 AFS client from IBM AFS 3.6 2.18 to OpenAFS
1.04a (using Install.exe.old, 25 June, as the newer version was corrupted at
the time - I see this has now been fixed). Although probably not necessary,
I first completely uninstalled IBM AFS and then reinstalled with OpenAFS.
After the installation, I was no longer able to obtain tokens from some
servers (2 of the 5 sites I use), although I could still access their
filesystems (at least where allowed by system:anyuser access). Even stranger
was that one site that I previously had firewall problems (I think) with
started working!
Anyway, I think I've tracked the problem down to the well-known port
definitions in \WINNT\system32\drivers\etc\services file (better known as
/etc/services on Unix). On Win2K, this seems to be set up for Kerberos V5,
with definitions:-
kerberos 88/tcp krb5 kerberos-sec #Kerberos
kerberos 88/udp krb5 kerberos-sec #Kerberos
kerberos-iv 750/udp #Kerberos version IV
while NT4 assumed Kerberos V4:-
kerberos 750/tcp kdc # Kerberos authentication--tcp
kerberos 750/udp kdc # Kerberos authentication--udp
I checked the dates (Dec 99 and Aug 96, respectively), and neither of these
files has been touched by the AFS (or other) installation.
Using network monitoring, I could see the requests going out on port 88, so
I guess that the client uses service "kerberos". For the "problem" cells,
there was no response, so eventually the klog timed out. When I changed the
Win2K /etc/services file to use port 750 for service "kerberos", it started
working.
My guess as to why some cells continued to work is that they might also be
running Kerberos V5 servers (or, probably more likely, a server that could
accept either version - kaserver?), and so accept a connection on port 88.
Maybe the other sites had this too, but port 88 was blocked by their
firewalls. On my other site, perhaps port 750 but not 88 was blocked by the
firewall, which is why it started to work again. Does this sound reasonable?
(Sorry if this is garbled - I'm not that familiar with AFS Kerberos.)
Did I miss something in the documentation about this - I can't see anything?
Or is this supposed to work in a different way? If not, I don't see how I
can be the only one with this problem. Should the /etc/services be updated
as part of the OpenAFS installation, or maybe (better) the client could
check service "kerberos-iv" before trying "kerberos". What did IBM AFS do
differently?
Regards,
Tim.
PS. I don't manage any of these AFS servers, so don't have control over (or
know about) their configuration.
PPS. To get it working, I actually changed all the Kerberos definitions in
\WINNT\system32\drivers\etc\services to match those from NT4. In case it's
relevant, here's the full diff (< old, > new):-
40,41c40,41
< kerberos 88/tcp krb5 kerberos-sec #Kerberos
< kerberos 88/udp krb5 kerberos-sec #Kerberos
---
> krb5 88/tcp kerberos-sec #Kerberos
> krb5 88/udp kerberos-sec #Kerberos
104c104,110
< kerberos-iv 750/udp #Kerberos version IV
---
> kerberos 750/tcp kerberos-iv kdc # Kerberos
authentication--tcp
> kerberos 750/udp kerberos-iv kdc # Kerberos
authentication--udp
> kerberos_master 751/tcp # Kerberos
authentication
> kerberos_master 751/udp # Kerberos
authentication
> passwd_server 752/udp # Kerberos passwd
server
> userreg_server 753/udp # Kerberos userreg
server
> krb_prop 754/tcp # Kerberos slave
propagation
119a126
> eklogin 2105/tcp # Kerberos encrypted
rlogin
============================== cut here ==============================
Tim Adye, BaBar Group, Particle Physics Dept., _ /|
Rutherford Appleton Laboratory, UK. \'o.O' Oop!
e-mail: T.J.Adye@rl.ac.uk =(___)= Ack!
WWW: http://hepwww.rl.ac.uk/Delphi/Adye/homepage.html U Thphft!