[OpenAFS] very strange authenticaion problems

David Bear David.Bear@asu.edu
Thu, 05 Sep 2002 16:08:33 -0700 (MST) 

We have something so strange that if it hadn't happened to three different
principals on three different machines I'd pass it off is windows
weirdness.  Heres the scoop.

We have kerberos and windows AD authentication on campus.  AFS uses
kerberos.  Don't know the details of the implementation but the point is
that we have both systems AND they are disjoint  -- ie my AD password can
be different than my kerberos password.

I have deployed both transarc afs code and openafs code on windows nt and
2000.  here's the symptom

using the openafs gui to obtain tokens user Rex is rejected with a message
"invalid password" on machine A.  Now, goto machine B running linux and
openafs.  klog  authenticates fine.  Go back to machine A, using gui to
obtain tokens for Rex and use an OLD password -- (one that was changed a
while ago) and you get authenticated!!!

Go to machine C, windows running openafs 1.2.2b.  Attempt to get tokens as
user Anne.  rejected.  (of course, I am using correct id/password combos
becuase we can shell into unix machines with these identities and it
works fine)  Attempt to get tokens on machine C as user David -- works!!!

Go to machine D, windows running transarc AFS 3.6.2.18. Attempt to logon
as user Anne.  OKAY!!!  User David works as well.

So far, these symptoms have been seen with 3 different prinicpals.  The
'fix' seems to be using Transarc AFS.  But what is intriguing as that 1)
kerberos seems to be sending old as well as new password creditials, else
why would openafs authenticate Rex with the old password -- ergo, assume
server side problems.  2) whatever the real problem is, it only affect
selected principals and the symptoms ONLY appear on OpenAFS clients.

I'd be too terrified to post this to this list becuase its so weird --
except that I have another support analyst that reproduced this as well.
So, I don't think its just me.  Any ideas?

-- 
David Bear
College of Public Programs/ASU
480-965-8257
...the way is like water, going where nobody wants it to go