[OpenAFS] Re: gssklog-0.10 - better support for SEAM and SSPI with cross realm

Chris McClimans openafs-info@mcclimans.net
Wed, 10 Sep 2003 08:54:20 -0500


oak:~# /usr/sbin/gssklogd -a /etc/openafs/server/KeyFile -k /etc/krb5.keytab -G /etc/openafs/server/principal-pts-mapfile -E TTU.EDU -E CS.TTU.EDU -d
E receive_message(): Incorrect buf_size read: [0]
GSS-error accepting credentials: major_status:01090000 minor_status:00000000

A token was invalid

A required input parameter could not be read

No error

olive.cs.ttu.edu[129.118.29.56] FAILED for other reasons

oak:~# klist -ke
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
    5 host/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
    5 host/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
   10 afs/cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)
    2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (Triple DES cbc mode with HMAC/sha1)
    2 gssklog/oak.cs.ttu.edu@CS.TTU.EDU (DES cbc mode with CRC-32)

(asetkey list and klist -ketK match up)

# ./gssklog -server oak.cs.ttu.edu
methods found: 6a838 0
found cell=cs.ttu.edu
smethod=0 try-maj-min (0 0 0) (-1 -1 0)
N connect_to_server_sockaddr attempting connection to 129.118.18.57.
N connect_to_server_sockaddr connected socket
N doit: Connected to acceptor
N gssklog_gss_init_sec_context(): calling gss_init_sec_context
mech_use 6a820
N gssklog_gss_init_sec_context(): Returned from init_sec_ctx w/token [0]
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Unspecified GSS failure.  Minor code may provide more information
No error
Failed code = 2

# klist -e
Ticket cache: /tmp/krb5cc_0
Default principal: mccliman@CS.TTU.EDU

Valid starting                       Expires                        Service principal
Wed Sep 10 08:39:04 2003  Wed Sep 10 18:39:04 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16
Wed Sep 10 08:40:11 2003  Wed Sep 10 18:39:04 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
         renew until Wed Sep 17 08:39:04 2003, Etype (skey, tkt): DES-CBC-CRC, etype 16

On Tuesday, September 9, 2003, at 04:24  PM, Douglas E. Engert wrote:

> Please try compiling with the -DDEBUG added to the MYCFLAGS = in the
> Makefile.
>
> You can then run the server with: -d -p <portnumber>
> and the client with a -port <portnumber> and maybe a -server <servername>
> and see what happens.
>
> I had some problems with using SEAM with the server. The MIT works fine.
>
> Also do a klist -e to see the enc_types. There may be some mismatch between the
> KDC and the client or server Kerberos implementation.
>
>
>
> Chris McClimans wrote:
>>
>> We are further along, now we at least get the gssklog/fqdn@REALM
>> service tickets.
>> init_sec_contexts fails, but with a major code of 'Unspecified GSS failure'
>> The minor code is zero, so I'm not sure if that is going to provide any
>> more information.
>>
>> bash-2.03# uname -a
>> SunOS olive 5.8 Generic_108528-13 sun4u sparc SUNW,Sun-Blade-100
>> bash-2.03# kinit mccliman@CS.TTU.EDU
>> Password for mccliman@CS.TTU.EDU:
>> bash-2.03# klist
>> Ticket cache: /tmp/krb5cc_0
>> Default principal: mccliman@CS.TTU.EDU
>>
>> Valid starting                       Expires                        Service principal
>> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
>>          renew until Tue Sep 16 16:10:03 2003
>> bash-2.03# cat /etc/gss/mech
>> # Mechanism Name        Object Identifier       Shared Library  Kernel Module
>> #
>> diffie_hellman_640_0    1.3.6.4.1.42.2.26.2.4   dh640-0.so.1
>> diffie_hellman_1024_0   1.3.6.4.1.42.2.26.2.5   dh1024-0.so.1
>> kerberos_v5             1.2.840.113554.1.2.2    gl/mech_krb5.so gl_kmech_krb5
>> bash-2.03# ./gssklog
>> GSS-error init_sec_context failed: major:000d0000 minor:00000000
>> Unspecified GSS failure.  Minor code may provide more information
>> No error
>> Problem 2 with server elm.cs.ttu.edu, trying next
>> GSS-error init_sec_context failed: major:000d0000 minor:00000000
>> Unspecified GSS failure.  Minor code may provide more information
>> No error
>> Problem 2 with server oak.cs.ttu.edu
>> Failed code = 2
>> bash-2.03# klist
>> Ticket cache: /tmp/krb5cc_0
>> Default principal: mccliman@CS.TTU.EDU
>>
>> Valid starting                       Expires                        Service principal
>> Tue Sep 09 16:10:03 2003  Wed Sep 10 02:10:03 2003  krbtgt/CS.TTU.EDU@CS.TTU.EDU
>>          renew until Tue Sep 16 16:10:03 2003
>> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>>          renew until Tue Sep 16 16:10:03 2003
>> Tue Sep 09 16:10:14 2003  Wed Sep 10 02:10:03 2003  gssklog/oak.cs.ttu.edu@CS.TTU.EDU
>>          renew until Tue Sep 16 16:10:03 2003
>
> -- 
>
>  Douglas E. Engert  <DEEngert@anl.gov>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
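
Added example, not part of the original messages and not gssklog code: a small decoder for the GSS-API major status words printed in the debug output above, splitting each into its calling-error, routine-error and supplementary fields as laid out in RFC 2744. The sample lines are constructed from the two status lines in this thread; the function names are hypothetical.

```python
import re

# Constructed sample: the two status lines reported in the messages above.
SAMPLE = """\
GSS-error accepting credentials: major_status:01090000 minor_status:00000000
GSS-error init_sec_context failed: major:000d0000 minor:00000000
"""

# Names from the GSS-API C bindings (RFC 2744), indexed by field value.
CALLING = {1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
           3: "GSS_S_CALL_BAD_STRUCTURE"}
ROUTINE = {1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
           4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_SIG",
           7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
           10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
           12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
           15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
           17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN"}
SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                 "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]

# Matches both spellings seen in the output: "major_status:" and "major:".
STATUS_RE = re.compile(
    r"major(?:_status)?:([0-9a-fA-F]{8})\s+minor(?:_status)?:([0-9a-fA-F]{8})")


def decode_major(major):
    """Split a 32-bit major status into calling, routine and supplementary parts."""
    calling = (major >> 24) & 0xFF   # bits 24-31
    routine = (major >> 16) & 0xFF   # bits 16-23
    supp = major & 0xFFFF            # bits 0-15, one flag per bit
    return {
        "calling": CALLING.get(calling, f"unknown({calling})") if calling else None,
        "routine": ROUTINE.get(routine, f"unknown({routine})") if routine else None,
        "supplementary": [n for i, n in enumerate(SUPPLEMENTARY) if supp & (1 << i)],
    }


def decode_log(text):
    """Decode every major/minor pair found in the given debug output."""
    results = []
    for m in STATUS_RE.finditer(text):
        entry = decode_major(int(m.group(1), 16))
        entry["minor"] = int(m.group(2), 16)  # mechanism-specific; 0 adds no detail
        results.append(entry)
    return results


if __name__ == "__main__":
    for entry in decode_log(SAMPLE):
        print(entry)
```
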