[OpenAFS] Re: Mystery AFS/Kerberos packet

John Hascall john@iastate.edu
Fri, 23 Jan 2004 09:05:28 CST


> What operating system is the client running on?
> Is this a K4 request being produced from OpenAFS on Windows?

    I have seen this from three systems, none of which are
    under my group's management.  One (the first one I
    mentioned) exhibited it under both 2000 and XP and
    was using the IBM client.  The other two are PCs
    whose OS and client version I do not know.

> I have suspected that there is a threading problem in the OpenAFS for Windows
> client which is overwriting buffers being written to the network but have been unable
> to catch it reliably.   If you have a system which is consistently producing bad data
> at a known point it would be good to see if we can trace it down.

    Tell me what would need to be done, and I'll see if the
    owners are amenable...

John


> John Hascall wrote:
> 
> >>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
> >>
> >  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
> >
> >
> >>I'm not sure, but the tail bit of it looks like part of a krb4 initial
> >>ticket request by "user" for "afs@IASTATE.EDU", with lifetime 5 hours
> >>15 minutes, around 21 January 2004 (assuming little-endian).
> >>
> >
> >Yes, I've been convinced that this is a valid V4 packet whose
> >first two bytes (04 03) were somehow corrupted with 10 garbage
> >bytes (63 03 37 3b 76 6d 61 12 45 37) (and I went off on a wrong
> >tangent upon seeing the 0x6X first byte).  At this point, I'm going
> >to assume the user has either munged hardware or DLLs.
> >
> >It's really quite interesting to dump out rejected packets,
> >you see some fascinating crap, here's another:
> >
> ><04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00
> >
> >(a 53 character principal name is too long for k4)
> >(curious how both of these invalid packets used '?', 5h15m, for the lifetime).
> >
> >
> >John
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info@openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info
> >
>
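
The decoding discussed in the thread above, as an added example that is not part of the original messages or of any Kerberos/OpenAFS code: a small triage parser for a krb4 initial ticket request that reports why a packet would be rejected. The function names are hypothetical; the 40-byte field limit and the 5-minute lifetime unit are assumptions taken from the classic krb4 implementation, and the sample packets are constructed from the bytes quoted in the thread.

```python
import struct
from datetime import datetime, timezone

KRB_PROT_VERSION = 4
AUTH_MSG_KDC_REQUEST = 1 << 1   # message type lives in the upper 7 bits
FIELD_MAX = 40                  # assumed krb4 name/instance/realm size, NUL included

def _cstr(buf, pos, label):
    """Read one NUL-terminated field, enforcing the krb4 size limit."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(f"{label}: missing NUL terminator")
    if end - pos + 1 > FIELD_MAX:
        raise ValueError(f"{label}: {end - pos} chars exceeds krb4 limit")
    return buf[pos:end].decode("ascii", "replace"), end + 1

def parse_kdc_request(pkt):
    """Decode a krb4 initial ticket request or raise ValueError with the reason."""
    if len(pkt) < 2:
        raise ValueError("packet shorter than krb4 header")
    if pkt[0] != KRB_PROT_VERSION:
        raise ValueError(f"bad version byte 0x{pkt[0]:02x}")
    if pkt[1] & ~1 != AUTH_MSG_KDC_REQUEST:
        raise ValueError(f"not a KDC request (type byte 0x{pkt[1]:02x})")
    order = "<" if pkt[1] & 1 else ">"      # low bit set: sender is little-endian
    out, pos = {}, 2
    for label in ("name", "instance", "realm"):
        out[label], pos = _cstr(pkt, pos, label)
    if len(pkt) < pos + 5:
        raise ValueError("truncated before timestamp/lifetime")
    (stamp,) = struct.unpack_from(order + "I", pkt, pos)
    out["time"] = datetime.fromtimestamp(stamp, timezone.utc)
    out["lifetime_min"] = pkt[pos + 4] * 5  # lifetime counted in 5-minute units
    pos += 5
    for label in ("service", "service_instance"):
        out[label], pos = _cstr(pkt, pos, label)
    return out

def triage(pkt):  # (fields, None) for a valid request, else (None, reason)
    try:
        return parse_kdc_request(pkt), None
    except ValueError as exc:
        return None, str(exc)

# Constructed samples: the tail bytes and names quoted in the thread ("user" is redacted).
TAIL = b"\x00\x00IASTATE.EDU\x00\x67\x71\x0e\x40\x3fafs\x00\x00"
GOOD = b"\x04\x03user" + TAIL
GARBLED = bytes.fromhex("6303373b766d61124537") + b"user" + TAIL
LONG_NAME = b"\x04\x03__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!" + TAIL
```

Calling triage() on GOOD, GARBLED and LONG_NAME gives the decoded request, the bad first byte, and the over-long principal name respectively.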