[OpenAFS] Win2K port definitions

Jeffrey Hutzelman jhutz@cmu.edu
Mon, 13 Aug 2001 02:05:55 -0400 (EDT)


On Sun, 12 Aug 2001, Adye, TJ (Tim) wrote:

> Using network monitoring, I could see the requests going out on port 88, so
> I guess that the client uses service "kerberos". For the "problem" cells,
> there was no response, so eventually the klog timed out. When I changed the
> Win2K /etc/services file to use port 750 for service "kerberos", it started
> working.
>
> My guess as to why some cells continued to work is that they might also be
> running Kerberos V5 servers (or, probably more likely, a server that could
> accept either version - kaserver?), and so accept a connection on port 88.
> Maybe the other sites had this too, but port 88 was blocked by their
> firewalls. On my other site, perhaps port 750 but not 88 was blocked by the
> firewall, which is why it started to work again. Does this sound reasonable?
> (Sorry if this is garbled - I'm not that familiar with AFS Kerberos.)

First, it is worth noting that there is no Kerberos V5 code in OpenAFS.
The kaserver and its associated utilities have always used AFS-specific
protocols for authentication, password-changing, and administration.
However, for compatibility, the kaserver also handles authentication
requests made via the Kerberos V4 protocol.  On Windows NT, the 'klog'
command uses this protocol instead of the traditional AFS-specific
authentication protocol, presumably because when the port was originally
done, getting a program like that to speak the Rx-based protocol was
Too Hard(tm).


Now, it is worth noting that Kerberos commonly uses two ports for its
basic authentication protocol.  Port 750 was the port chosen by the folks
at MIT who originally developed Kerberos, and is still commonly used for
the Kerberos V4 protocol today.  Port 88 was assigned to the 'kerberos'
service by IANA, and is generally used by the Kerberos V5 protocol as
defined in RFC1510.


Unfortunately, some Kerberos V4 programs were designed to look up and use
the port for the 'kerberos' service in /etc/services (or your platform's
equivalent).  This was fine when people added an entry for port 750 to
/etc/services as part of installing Kerberos, but started to backfire when
vendors started shipping /etc/services files with 'kerberos' on port 88.
Since most Kerberos V4 servers don't listen on that port, sending requests
there doesn't work, and will simply time out.

Now, as it turns out, the kaserver will normally listen to both ports, if
they are not already in use when it starts up.  So, if you are talking to
a machine running a kaserver, either will work.

The two major free Kerberos V5 implementations (MIT and Heimdal) will both
handle V4 or V5 requests on any port they listen to.  Since both of these
implementations listen to port 88 by default, they will also work.


To complicate things further, some cells (like cs.cmu.edu) don't run
Kerberos servers on the same machines as their AFS database servers.  This
works fine for most platforms, but to make Windows NT happy, we have to
add our Kerberos KDCs to the server list.

> Did I miss something in the documentation about this - I can't see anything?
> Or is this supposed to work in a different way? If not, I don't see how I
> can be the only one with this problem. Should the /etc/services be updated
> as part of the OpenAFS installation, or maybe (better) the client could
> check service "kerberos-iv" before trying "kerberos". What did IBM AFS do
> differently?

It would seem reasonable for the Windows NT 'klog' to look for a service
named 'kerberos-iv' before looking for 'kerberos', which has become the de
facto standard behaviour for other V4 implementations still in use today.
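The port-selection problem discussed in this thread, as an added example that is not part of the original messages or of OpenAFS itself. It parses constructed /etc/services-style text (the sample files, the `parse_services`, `krb4_port_naive` and `krb4_port_preferred` helpers are all illustrative and not the Windows 'klog' code) and contrasts the lookup order the thread describes (use whatever 'kerberos' resolves to) with the one suggested at the end (try 'kerberos-iv' first, then 'kerberos'); the fallback to 750 when neither name is present is an assumption, since the thread does not say what 'klog' does in that case.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample /etc/services files; these are not copied from any real system.
VENDOR_SERVICES = """\
# vendor-shipped file: 'kerberos' already points at the V5 port
kerberos        88/udp      kerberos5 krb5
kerberos        88/tcp      kerberos5 krb5
kerberos-iv     750/udp     kerberos4 kerberos-sec
kerberos-iv     750/tcp     kerberos4 kerberos-sec
"""

LEGACY_SERVICES = """\
# site-maintained file from an old Kerberos V4 install: only 'kerberos' on 750
kerberos        750/udp     kdc
kerberos        750/tcp     kdc
"""

NO_KRB_SERVICES = """\
# neither name present at all
domain          53/udp
"""


def parse_services(text: str) -> Dict[Tuple[str, str], int]:
    """Parse /etc/services-style lines into {(name, proto): port}.

    Comments and blank lines are skipped; aliases listed after the
    port/proto column are registered under the same port.  The first
    definition of a (name, proto) pair wins, as getservbyname() would.
    """
    table: Dict[Tuple[str, str], int] = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        name, portproto = fields[0], fields[1]
        m = re.fullmatch(r'(\d+)/(\w+)', portproto)
        if not m:
            continue
        port, proto = int(m.group(1)), m.group(2).lower()
        for alias in [name] + fields[2:]:
            table.setdefault((alias, proto), port)
    return table


def lookup(table: Dict[Tuple[str, str], int], name: str, proto: str = 'udp') -> Optional[int]:
    """Equivalent of getservbyname(name, proto) against a parsed table."""
    return table.get((name, proto))


def krb4_port_naive(table: Dict[Tuple[str, str], int]) -> int:
    """The behaviour the thread describes: send V4 traffic to whatever
    'kerberos' resolves to.  Falling back to 750 when the name is absent
    is an assumption made for this example."""
    port = lookup(table, 'kerberos')
    return port if port is not None else 750


def krb4_port_preferred(table: Dict[Tuple[str, str], int]) -> int:
    """The order suggested at the end of the thread: 'kerberos-iv' first,
    then 'kerberos', then the traditional V4 port 750 (assumed default)."""
    for name in ('kerberos-iv', 'kerberos'):
        port = lookup(table, name)
        if port is not None:
            return port
    return 750


if __name__ == '__main__':
    for label, text in (('vendor', VENDOR_SERVICES),
                        ('legacy', LEGACY_SERVICES),
                        ('none', NO_KRB_SERVICES)):
        table = parse_services(text)
        print(f"{label:7s} naive={krb4_port_naive(table)} preferred={krb4_port_preferred(table)}")
```

With the vendor-style file the naive lookup sends V4 requests to port 88, which is exactly the timeout Tim saw against cells whose kaserver or KDC was not listening there, while the 'kerberos-iv'-first order lands on 750 for both file styles. A site wanting to verify what its own client will do can compare the output of `getservbyname("kerberos", "udp")` and `getservbyname("kerberos-iv", "udp")` on the affected Windows machine.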