[OpenAFS] Re: Problem gssklog 0.9 - AFS K5

Jeffrey Hutzelman jhutz@cmu.edu
Tue, 08 Jun 2004 11:00:55 -0400

On Tuesday, June 08, 2004 08:08:21 -0500 "Douglas E. Engert" 
<deengert@anl.gov> wrote:

> gssklog used 750 TCP as it was to run on the AFS database servers, and
> as Kerberos V5 was being added to AFS, the KDC would be on different
> machines. Thus there should be no other uses of port 750 TCP on an AFS
> server.

Eww.  Hm; I feel the need to repeat that.  EWWW.

> So I suspect that you have a Heimdal KDC running on the AFS server, and
> it  is listing on port 750 TCP. Since the V4 would never use TCP, and V5
> uses  port 88 the KDC should not need to listen on 750 TCP.
> Hopfully these is a way to tell the KDC to not use 750 TCP. Or you can
> start the gssklogd before the KDC.

Indeed there is.  Simply include a "ports" setting in the [kdc] section of 
krb5.conf or kdc.conf, with a complete list of ports you _do_ want the KDC 
to listen on.  The standard settings listen on:

88      always
80/tcp  if Kerberos-over-HTTP is enabled
750     if V4 support is enabled
4444    if 524 service is enabled
7004    if kaserver emulation is enabled

So to get all of these, but not 750/tcp, you'd say something like

ports = 88 80/tcp 750/udp 4444 7004

Note that including any ports directive disables the defaults.  If you 
merely want to _add_ ports, you can include a "+" in the list of ports, 
which stands for the complete set of default bindings.  But in this case 
you want to _subtract_ from the default set, so the "+" must not be listed.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA