[OpenAFS] Win2k problem

Dean Anderson dean@av8.com
Mon, 4 Aug 2003 16:55:58 -0400 (EDT)


On 3 Aug 2003, Derek Atkins wrote:

> Dean Anderson <dean@av8.com> writes:
>
> >   why does win2k afs use ports that are not in the 7000-7009 range?
>
> Because, as has been repeatedly said (but you seem to be repeatedly
> ignoring it), the windows "klog" does not use the KAS Rx protocol
> but instead uses KerberosIV.  Why this was done is anyone's guess --
> you'd have to ask Transarc, as I believe it was their doing.

I must have missed the klog discussion. Sorry. I can certainly accept
talking to kerberos directly. I don't have a problem with that, at least,
not at the moment. [consistency comes to mind, but I won't battle that
now--I just want it to work] As I said, I opened port 750/udp (in addition
to 7000-7009).  I also tried opening 750/tcp, just in case it expected to
make a tcp connection.  As I said previously, this just changed the
behavior slightly, to delaying approximately 20 seconds before the same
error. Previously, the error came back immediately.

> >   what other ports does win2k AFS need besides 750 (udp/tcp)?
>
> It needs 7000-7009 ;)

As I said previously, these are already open. It seems to need something
besides 750, and 7000-7009.

So, what _other_ ports does it need? It is clearly a port access problem,
because shutting off Ipchains makes the problem go away. Of course, this
isn't an acceptable solution.  (well, only when you are logged in as the
win2k administrator user. It _still_ doesn't work when you are an
unprivileged user.)

I can probably make a packet trace, and slog through it to find out what
is going on, but I was hoping some win2k users could shed some light on
the issue...

> Note that these are "server" ports, not "client" ports.  The krb4
> request will probably originate from a random UDP source port.

Yup.

What about the other Win2k problems?  (having to be administrator???)

I _hope_ the win2k users aren't simply being administrator, or putting
themselves in the administrator group. Might as well go back to win95 if
they are doing that. You have no OS security protections when you have
administrator privileges...

		--Dean