[OpenAFS] WXP 1.2.9a client to 1.3 K5 KDC

Stephen Joyce stephen@physics.unc.edu
Mon, 28 Jul 2003 15:38:05 -0400 (EDT)


John,

I can verify that problem (unfortunately).  I banged my head against it ~2
years ago.

First, make sure that you can get tickets good for longer than 10 hours.
There are 2 or 3 places where you need to change this (kdc.conf,
krb5.conf, at least).

Next try setting your principals' maximum ticket life to 21:10:00.

Maximum ticket life: 0 days 21:10:00

For me, that allows Windows clients to get a token good for around 30 days
(go figure) while the Unix clients get tickets/tokens good for the actual
value of 21h 10m.

I'd be interested in hearing any other solutions.

Cheers,
Stephen
--
Stephen Joyce
Systems Administrator                                            P A N I C
Physics & Astronomy Department                         Physics & Astronomy
University of North Carolina at Chapel Hill         Network Infrastructure
voice: (919) 962-7214                                        and Computing
fax: (919) 962-0480                               http://www.panic.unc.edu

You don't pull on Superman's cape. You don't pee into the wind.
And you don't store anything in a file named "core".

On Mon, 28 Jul 2003, John W. Sopko Jr. wrote:

> I am running:
>
> - Kerberos 5 KDC version 1.3
> - fakeka and krb524 are running
> - OpenAFS 1.2.9a  test cell under Red Hat 9
> - OpenAFS Windows client version 1.2.9a on Windows XP
>
> I can kinit/aklog on Linux and Solaris without any
> problems. I can klog to the fakeka server, no problems.
>
> As we know, the Windows client talks to the K5 KDC over port 750. I can
> get a token for 10 hours 40 minutes (10:40) on the Windows client. If I
> set the principals -maxlife time in the K5 KDC to 10:41 or greater when
> getting a token from the Windows XP client I get an error:
>
> Error: 37(server and client are badly skewed)
>
> I know my clocks are within 100 milliseconds and I do not have the
> problem if I set the -maxlife below 10:41.
>
> I had a similar token lifetime problem with Kerberos 1.2.7 where if I
> set the -maxlife greater than 20 hours (20:00) I would get a token good
> until 1/1/1601.
>
> I was hoping Kerberos 1.3 would fix the problem; it just changed it.
>
> Can anyone else verify this?
>
> The KDC krb5kdc.log log file shows no difference between the error and
> non error cases when getting a token, see below. There are no events
> logged in the Windows event logs on the client.
>
>
> Error: (-maxlife 10:41)
> ------
>
> Jul 28 14:22:16 kfive.cs.unc.edu krb5kdc[16417](info):
> PROCESS_V4:Initial ticket request Host: 152.2.142.104 User: "sopkox" ""
> Jul 28 14:22:16 kfive.cs.unc.edu krb5kdc[16417](info):
> PROCESS_V4:INITIAL request from sopkox. for afs.
>
>
> No Error: (-maxlife 10:40)
> ---------
>
> Jul 28 14:23:37 kfive.cs.unc.edu krb5kdc[16417](info):
> PROCESS_V4:Initial ticket request Host: 152.2.142.104 User: "sopkox" ""
> Jul 28 14:23:37 kfive.cs.unc.edu krb5kdc[16417](info):
> PROCESS_V4:INITIAL request from sopkox. for afs.
>
> --
> John W. Sopko Jr.               University of North Carolina
> email: sopko@cs.unc.edu         Computer Science Dept., CB 3175
> Phone: 919-962-1844             Sitterson Hall; Room 044
> Fax:   919-962-1799             Chapel Hill, NC 27599-3175