[OpenAFS] Win2k problem
04 Aug 2003 17:47:09 -0400
Dean Anderson <email@example.com> writes:
> I must have missed the klog discussion. Sorry. I can certainly accept
> talking to kerberos directly. I don't have a problem with that, as least,
> not at the moment. [consistency comes to mind, but I won't battle that
> now--I just want it to work] As I said, I opened port 750/udp (in addition
> to 7000-7009). I also tried opening 750/tcp, just in case it expected to
> make a tcp connection. As I said previously, this just changed the
> behavior slightly, to delaying approximately 20 seconds before the same
> error. Previously, the error came back immediately.
I dont know.. I would run ethereal and trudge through the dump.
> > > what other ports does win2k AFS need besides 750 (udp/tcp)?
> > It needs 7000-7009 ;)
> As I said previously, these are already open. It seems to need something
> besides 750, and 7000-7009.
> So, what _other_ ports does it need? It is clearly a port access problem,
> because shutting off Ipchains makes the problem go away. Of course, this
> isn't an acceptable solution. (well, only when you are logged in as the
> win2k administrator user. It _still_ doesn't work when you are an
> unprivileged user.)
I dont know... 53?
Personally I find firewalls more of a pain than they are useful.
Close the ports you can't secure otherwise, but keep things open
and you wont run into this kind of problem. Besides, why is there
a firewall between your clients and your servers anyways? ;)
> I can probably make a packet trace, and slog through it to find out what
> is going on, but I was hoping some win2k users could shed some light on
> the issue...
> > Note that these are "server" ports, not "client" ports. The krb4
> > request will probably originate from a random UDP source port.
> What about the other Win2k problems? (having to be administrator???)
No clue... I dont do windows, generally.
> I _hope_ the win2k users aren't simply being administrator, or putting
> themselves in the adminstrator group. Might as well go back to win95 if
> they are doing that. You have no OS security protections when you have
> administrator privileges...)
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available