[OpenAFS] Win2k problem

Derek Atkins warlord@MIT.EDU
04 Aug 2003 17:47:09 -0400


Dean Anderson <dean@av8.com> writes:

> I must have missed the klog discussion. Sorry. I can certainly accept
> talking to kerberos directly. I don't have a problem with that, at least,
> not at the moment. [consistency comes to mind, but I won't battle that
> now--I just want it to work] As I said, I opened port 750/udp (in addition
> to 7000-7009).  I also tried opening 750/tcp, just in case it expected to
> make a tcp connection.  As I said previously, this just changed the
> behavior slightly, to delaying approximately 20 seconds before the same
> error. Previously, the error came back immediately.

I don't know..  I would run ethereal and trudge through the dump.

> > >   what other ports does win2k AFS need besides 750 (udp/tcp)?
> >
> > It needs 7000-7009 ;)
> 
> As I said previously, these are already open. It seems to need something
> besides 750, and 7000-7009.
> 
> So, what _other_ ports does it need? It is clearly a port access problem,
> because shutting off Ipchains makes the problem go away. Of course, this
> isn't an acceptable solution.  (well, only when you are logged in as the
> win2k administrator user. It _still_ doesn't work when you are an
> unprivileged user.)

I don't know...  53?

Personally I find firewalls more of a pain than they are useful.
Close the ports you can't secure otherwise, but keep things open
and you won't run into this kind of problem.  Besides, why is there
a firewall between your clients and your servers anyways? ;)

> I can probably make a packet trace, and slog through it to find out what
> is going on, but I was hoping some win2k users could shed some light on
> the issue...
> 
> > Note that these are "server" ports, not "client" ports.  The krb4
> > request will probably originate from a random UDP source port.
> 
> Yup.
> 
> What about the other Win2k problems?  (having to be administrator???)

No clue... I don't do windows, generally.

> I _hope_ the win2k users aren't simply being administrator, or putting
> themselves in the administrator group. Might as well go back to win95 if
> they are doing that. You have no OS security protections when you have
> administrator privileges...)
> 
> 		--Dean

-derek

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available