[OpenAFS] some simple openafs questions

Derrick Brashear shadow@dementia.org
Sat, 26 Jul 2003 02:01:12 -0400


On Friday, July 25, 2003, at 07:12 PM, Rodney M Dyer wrote:

> At 06:44 PM 7/25/2003 -0400, Jeffrey Hutzelman wrote:
>
>> OpenAFS ships with a number of authentication-related utilities for 
>> use on clients; the most notable of these is 'klog'.  ........ On 
>> Windows, these tools speak the Kerberos IV protocol; they will work 
>> with a real kaserver, or a Heimdal KDC built with krb4 support, or 
>> any MIT KDC.
>
> We have just finished testing this scenario on Windows and find 
> disagreement with you.  Using Transarc AFS...the "klog" command...
>
> c:\>klog username -servers krb5-kdc.uncc.edu
> Password:  xxxxx
> Unable to authenticate to AFS because Authentication Server was 
> unavailable.
>
> Snooping the network reveals that the "klog" sends several requests on 
> Port 750, but gets no replies.
>
> We could not test this feature on OpenAFS "klog" because the 
> "-servers" option is not available.

It's probably trivial to add, but I'm not volunteering, at least not 
right this moment.

> Is the problem (with Transarc's klog) that we are not "running" our 
> MIT KDC "on" our AFS cell servers where the kaserver normally exists?  
> If so, what exactly is the problem here?  Can we not run a separate K5 
> KDC on another box other than our AFS cell servers?  That would seem 
> to be the case with OpenAFS's "klog" since we can't specify an 
> alternate server.
>
> Is the krb protocol that Transarc's "klog" speaks..."true" Kerberos IV 
> protocol?  Why do we get zero responses from the MIT KDC?  The network 
> snoops show that it is accepting the packets from "klog" it just isn't 
> responding.
>
UNIX klog speaks Rx to the kaserver on port 7004. Windows klog speaks 
Kerberos IV on port 750. I assume the kdc isn't answering because it 
hasn't been told to. This should be easy to test. A Kerberos IV kinit 
against your same KDCs should also fall off the edge of the world. I'd 
guess MIT Kerberos for Windows could be configured to talk straight 
krb4 for a realm, but I've only used Heimdal and MIT for unices, and 
MIT Kerberos for Mac, so I have no clue how that might be.

If you "own" the KDCs or are friendly with the owners, check the logs.

I could swear someone answered this but the answer isn't in my mailbox 
now; if this is redundant, I apologize.

-D
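As an added example (not part of the thread), a minimal version of the test Derrick proposes: send one Kerberos IV KDC request to UDP port 750 and see whether the KDC answers at all, separating "silent" (what the Windows klog snoop showed) from a real krb4 reply or error. The wire layout follows the MIT krb4 client as I recall it and is an assumption; the KDC host, principal and realm are constructed placeholders.

```python
import socket
import struct
import time

KRB4_PORT = 750                 # the port Windows klog probes, per the thread
KRB_PROT_VERSION = 4
AUTH_MSG_KDC_REQUEST = 2 << 1   # krb4 message type; low bit is the byte-order flag
HOST_BYTE_ORDER = 1             # little-endian sender sets the flag (as klog on x86 does)
MSG_NAMES = {3: "KDC_REPLY", 8: "ERR_REPLY"}


def cstr(s: str) -> bytes:
    """krb4 strings are NUL-terminated ASCII."""
    return s.encode("ascii") + b"\x00"


def build_kdc_request(user, inst, realm, service="krbtgt", sinst=None, now=None, life=255):
    """Build a krb4 AUTH_MSG_KDC_REQUEST as MIT krb_get_in_tkt() lays it out:
    version, type|byte-order, name, instance, realm, 4-byte time, lifetime,
    service, service instance. Layout assumed from the MIT krb4 sources."""
    if sinst is None:
        sinst = realm
    if now is None:
        now = int(time.time())
    msg_type = AUTH_MSG_KDC_REQUEST | HOST_BYTE_ORDER
    return (bytes([KRB_PROT_VERSION, msg_type]) + cstr(user) + cstr(inst) + cstr(realm)
            + struct.pack("<IB", now, life) + cstr(service) + cstr(sinst))


def classify_reply(data):
    """Turn a raw KDC reply (or None for a timeout) into a diagnosis string."""
    if data is None:
        return "silent"      # what the thread saw: packets accepted, nothing sent back
    if len(data) < 2 or data[0] != KRB_PROT_VERSION:
        return "not-krb4"
    return MSG_NAMES.get(data[1] >> 1, "unknown")


def probe_kdc(host, user, realm, port=KRB4_PORT, timeout=3.0):
    """Send one krb4 request and report whether the KDC answers at all."""
    req = build_kdc_request(user, "", realm)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_reply(data)


if __name__ == "__main__":
    # Constructed placeholders; point at your own KDC and a principal you own.
    print(probe_kdc("krb4-kdc.example.com", "testuser", "EXAMPLE.COM"))
```

A "silent" result with packets visible on the wire points at the KDC not serving krb4 on 750 (or a filter in between), which is exactly where the KDC logs become the next step.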