[OpenAFS] krb_mk_req failure
Christopher Allen Wing
wingc@engin.umich.edu
Tue, 13 Jan 2004 13:43:57 -0500 (EST)
If you experienced this problem after upgrading to the latest Transarc AFS
db servers, it's due to a change which disables Kerberos 4 cross-realm
authentication. (on account of the security vulnerability disclosed last
year)
Unfortunately, this also disables all Kerberos 4 principals with instances
(i.e. imap.hostname).
The fix is to make sure that 'kaserver' runs with the '-crossrealm' flag,
e.g. your
/usr/afs/local/BosConfig
should have an entry:
bnode simple kaserver 1
parm /usr/afs/bin/kaserver -crossrealm
end
This will make those Kerberos 4 principals work again, but also open you
up to the cross-realm authentication vulnerability. I think this is okay
as long as you don't actually have cross-realm keys, but I'm not sure.
Comments from anyone?
In the long term, you should upgrade to Kerberos 5.
-Chris Wing
wingc@engin.umich.edu
On Tue, 13 Jan 2004, ERIC K. CHEU wrote:
> After upgrading to solve the latest ubik synchronization problems on our
> AFS solaris 7 servers, krb_mk_req function seems to fail no matter what I
> put in it. Upgraded kth kerberos but still the same issues, error is:
>
> 8 Principal unknown (kerberos)
>
> which doesn't make sense, of course, since when I do a kas examine, the
> principal is known (and can authenticate against). Too bad transarc
> apparently did not include solaris 7 binaries in their latest patch
> (#9). Only other recourse is to move to openafs libraries and see if that
> works (or maybe upgrade to solaris 8).
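The following script is an added example and not part of either message above: it checks a BosConfig file for the kaserver bnode and reports whether the '-crossrealm' flag from the fix described in the reply is present, so an administrator can verify the change on a server (or notice that the flag is set where cross-realm authentication was meant to stay disabled). The path /usr/afs/local/BosConfig is the one named in the reply; the sample files the script creates are constructed for demonstration only.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a BosConfig file and
# report whether the kaserver bnode runs with the -crossrealm flag.
# Usage: sh check_kaserver.sh /usr/afs/local/BosConfig
# With no argument it runs against three constructed sample files.

check_kaserver_crossrealm() {
    # Prints exactly one of: crossrealm, no-crossrealm, no-kaserver
    awk '
        # A "bnode simple kaserver N" line opens a block that ends at "end".
        /^bnode / && $3 == "kaserver" { inblock = 1; found = 1; next }
        # Inside that block, scan the parm line for the -crossrealm argument.
        inblock && /^parm / {
            for (i = 2; i <= NF; i++) if ($i == "-crossrealm") cross = 1
        }
        /^end$/ { inblock = 0 }
        END {
            if (!found)     print "no-kaserver"
            else if (cross) print "crossrealm"
            else            print "no-crossrealm"
        }
    ' "$1"
}

# Constructed sample BosConfig fragments (not real server files).
SAMPLE_CROSS=$(mktemp)
cat > "$SAMPLE_CROSS" <<'EOF'
bnode simple kaserver 1
parm /usr/afs/bin/kaserver -crossrealm
end
EOF

SAMPLE_PLAIN=$(mktemp)
cat > "$SAMPLE_PLAIN" <<'EOF'
bnode simple kaserver 1
parm /usr/afs/bin/kaserver
end
EOF

SAMPLE_NOKA=$(mktemp)
cat > "$SAMPLE_NOKA" <<'EOF'
bnode fs fs 1
parm /usr/afs/bin/fileserver
parm /usr/afs/bin/volserver
parm /usr/afs/bin/salvager
end
EOF
trap 'rm -f "$SAMPLE_CROSS" "$SAMPLE_PLAIN" "$SAMPLE_NOKA"' EXIT

# Check the file given on the command line, otherwise show the three samples.
if [ -n "${1:-}" ]; then
    check_kaserver_crossrealm "$1"
else
    for f in "$SAMPLE_CROSS" "$SAMPLE_PLAIN" "$SAMPLE_NOKA"; do
        check_kaserver_crossrealm "$f"
    done
fi
```

The awk program only looks at the parm line inside the kaserver bnode, so a '-crossrealm' string appearing in some other bnode's arguments is not mistaken for the kaserver setting.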