[OpenAFS] Re: Problem gssklog 0.9 - AFS K5
Jeffrey Hutzelman
jhutz@cmu.edu
Tue, 08 Jun 2004 11:00:55 -0400
On Tuesday, June 08, 2004 08:08:21 -0500 "Douglas E. Engert"
<deengert@anl.gov> wrote:
> gssklog used 750 TCP as it was to run on the AFS database servers, and
> as Kerberos V5 was being added to AFS, the KDC would be on different
> machines. Thus there should be no other uses of port 750 TCP on an AFS
> server.
Eww. Hm; I feel the need to repeat that. EWWW.
> So I suspect that you have a Heimdal KDC running on the AFS server, and
> it is listening on port 750 TCP. Since the V4 would never use TCP, and V5
> uses port 88 the KDC should not need to listen on 750 TCP.
>
> Hopefully there is a way to tell the KDC to not use 750 TCP. Or you can
> start the gssklogd before the KDC.
Indeed there is. Simply include a "ports" setting in the [kdc] section of
krb5.conf or kdc.conf, with a complete list of ports you _do_ want the KDC
to listen on. The standard settings listen on:
  88       always
  80/tcp   if Kerberos-over-HTTP is enabled
  750      if V4 support is enabled
  4444     if 524 service is enabled
  7004     if kaserver emulation is enabled
So to get all of these, but not 750/tcp, you'd say something like
  [kdc]
      ports = 88 80/tcp 750/udp 4444 7004
Note that including any ports directive disables the defaults. If you
merely want to _add_ ports, you can include a "+" in the list of ports,
which stands for the complete set of default bindings. But in this case
you want to _subtract_ from the default set, so the "+" must not be listed.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
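The ports-directive semantics described in the reply above, as an added example that is not part of the original thread or of Heimdal: it expands a `ports = ...` value against the default set (88 always, 80/tcp with Kerberos-over-HTTP, 750 with V4, 4444 with the 524 service, 7004 with kaserver emulation), treats "+" as the whole default set, and checks the result against the 750/tcp port gssklogd needs. It assumes a bare port number binds both UDP and TCP, as the thread's "750" versus "750/udp" distinction implies; the function and argument names are invented for this example.

```python
import re
from typing import FrozenSet, Iterable, Tuple

Binding = Tuple[int, str]  # (port, protocol)

# Port gssklogd binds on an AFS server, per the thread (constructed reserved list).
GSSKLOGD_PORTS = frozenset({(750, "tcp")})


def default_bindings(v4: bool = False, http: bool = False,
                     svc524: bool = False, kaserver: bool = False) -> FrozenSet[Binding]:
    """Default KDC listen set as listed in the reply, keyed on enabled features.
    Assumption: a port given without a protocol binds both UDP and TCP."""
    ports = [(88, "udp"), (88, "tcp")]
    if http:
        ports.append((80, "tcp"))
    if v4:
        ports += [(750, "udp"), (750, "tcp")]
    if svc524:
        ports += [(4444, "udp"), (4444, "tcp")]
    if kaserver:
        ports += [(7004, "udp"), (7004, "tcp")]
    return frozenset(ports)


def resolve_ports(directive: str, defaults: FrozenSet[Binding]) -> FrozenSet[Binding]:
    """Expand a [kdc] 'ports =' value. Tokens are N, N/tcp, N/udp, or '+',
    where '+' stands for the complete default set and N alone means both protocols."""
    result = set()
    for tok in directive.split():
        if tok == "+":
            result |= defaults
            continue
        m = re.fullmatch(r"(\d+)(?:/(tcp|udp))?", tok)
        if not m:
            raise ValueError(f"unrecognised ports token: {tok!r}")
        port, proto = int(m.group(1)), m.group(2)
        if not 0 < port < 65536:
            raise ValueError(f"port out of range: {port}")
        for p in ([proto] if proto else ["udp", "tcp"]):
            result.add((port, p))
    return frozenset(result)


def conflicts(bindings: FrozenSet[Binding], reserved: Iterable[Binding]) -> FrozenSet[Binding]:
    """Bindings the KDC would take that another daemon on the host also needs."""
    return bindings & frozenset(reserved)
```

Running `conflicts(resolve_ports("+", d), GSSKLOGD_PORTS)` with all features enabled reports the 750/tcp collision; the directive from the reply reports none.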