[OpenAFS] Re: Mystery AFS/Kerberos packet

Kevin Coffman kwc@citi.umich.edu
Fri, 23 Jan 2004 10:26:23 -0500


It's a bit fuzzy now, but I recall a problem with the IBM Windows client a
couple (or more) years ago that required swapping out the authentication DLL
if you were not talking to a kaserver.  If you are only seeing this on IBM
clients, that may be your problem.  I _do_ remember that it manifested
itself with this kind of error (what looks like a mangled K4 packet).  If
you think this may be the case, I'll look back through my mail to find the
specifics.


-----Original Message-----
From: openafs-info-admin@openafs.org [mailto:openafs-info-admin@openafs.org]
On Behalf Of John Hascall
Sent: Friday, January 23, 2004 10:05 AM
To: Jeffrey Altman
Cc: openafs-info@openafs.org; kerberos@mit.edu
Subject: Re: [OpenAFS] Re: Mystery AFS/Kerberos packet


> What operating system is the client running on?
> Is this a K4 request being produced from OpenAFS on Windows?

    I have seen this from three systems, none of which are
    under my group's management.  One (the first one I
    mentioned) exhibited it under both 2000 and XP and
    was using the IBM client.  The other two are PCs
    whose OS and client version I do not know.

> I have suspected that there is a threading problem in the OpenAFS for
> Windows client which is overwriting buffers being written to the network
> but have been unable to catch it reliably.   If you have a system which is
> consistently producing bad data at a known point it would be good to see
> if we can trace it down.

    Tell me what would need to be done, and I'll see if the
    owners are amenable...

John


> John Hascall wrote:
>
> >>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
> >>
> >  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
> >
> >
> >>I'm not sure, but the tail bit of it looks like part of a krb4 initial
> >>ticket request by "user" for "afs@IASTATE.EDU", with lifetime 5 hours
> >>15 minutes, around 21 January 2004 (assuming little-endian).
> >>
> >
> >Yes, I've been convinced that this is a valid V4 packet whose
> >first two bytes (04 03) were somehow corrupted with 10 garbage
> >bytes (63 03 37 3b 76 6d 61 12 45 37) and I went off on a wrong
> >tangent upon seeing the 0x6X first byte).  At this point, I'm going
> >to assume the user has either munged hardware or DLLs.
> >
> >It's really quite interesting to dump out rejected packets,
> >you see some fascinating crap, here's another:
> >
> ><04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00
> >
> >(a 53 character principal name is too long for k4)
> >(curious how both of these invalid packets used '?', 5h15m, for the lifetime).
> >
> >
> >John
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info@openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info
> >

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
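
Added example, not part of the original thread and not OpenAFS or MIT Kerberos code: a strict parser for the krb4 initial ticket request layout discussed above, useful when triaging rejected packets on a KDC. It assumes the classic krb4 field size of 40 bytes including the NUL terminator, fills the redacted XXXXXXXX with the hex for "user" as the ASCII rendering in the thread shows, and uses names of its own (`parse_kdc_request`, `DUMP`, `REPAIRED`).

```python
import struct
from datetime import datetime, timezone

KRB4_VERSION = 4
AUTH_MSG_KDC_REQUEST = 1 << 1   # low bit of the type byte is the byte-order flag
FIELD_SZ = 40                   # assumed krb4 name/instance/realm size, NUL included


def parse_kdc_request(pkt: bytes) -> dict:
    """Parse a krb4 initial ticket request; raise ValueError if malformed."""
    if len(pkt) < 2:
        raise ValueError("packet too short for a krb4 header")
    if pkt[0] != KRB4_VERSION:
        raise ValueError(f"bad version byte 0x{pkt[0]:02x}")
    if pkt[1] & ~1 != AUTH_MSG_KDC_REQUEST:
        raise ValueError(f"not a KDC request: type 0x{pkt[1]:02x}")
    little, pos = bool(pkt[1] & 1), 2

    def cstr(field: str) -> str:
        nonlocal pos
        end = pkt.find(b"\0", pos)
        if end < 0:
            raise ValueError(f"{field}: missing NUL terminator")
        if end - pos >= FIELD_SZ:
            raise ValueError(f"{field}: {end - pos} characters, limit {FIELD_SZ - 1}")
        value, pos = pkt[pos:end].decode("latin-1"), end + 1
        return value

    out = {"name": cstr("name"), "instance": cstr("instance"),
           "realm": cstr("realm")}
    if len(pkt) < pos + 5:
        raise ValueError("truncated before time/lifetime")
    (stamp,) = struct.unpack_from("<I" if little else ">I", pkt, pos)
    out["time"] = datetime.fromtimestamp(stamp, timezone.utc)
    out["lifetime_minutes"] = pkt[pos + 4] * 5   # 5-minute units; '?' is 0x3f = 63
    pos += 5
    out["service"] = cstr("service")
    out["service_instance"] = cstr("service instance")
    return out


# Dump from the thread; the redacted XXXXXXXX is filled with hex for "user",
# following the ASCII rendering (an assumption made for this example).
DUMP = bytes.fromhex("6303373b766d6112453775736572"
                     "0000494153544154452e4544550067710e403f6166730000")
# Hypothesis from the thread: 10 garbage bytes sit where 04 03 belongs.
REPAIRED = b"\x04\x03" + DUMP[10:]
```

Parsing `DUMP` as captured is rejected on the version byte, while `REPAIRED` decodes to a request by "user" for "afs" in IASTATE.EDU with a 315-minute lifetime, matching the reading given in the thread.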