[OpenAFS] kaserver sun to linux db auth issue

John W. Sopko Jr. sopko@cs.unc.edu
Thu, 17 Feb 2005 13:52:06 -0500


We were running 2 Sun Solaris boxes and 3 Red Hat Enterprise Linux boxes,
all running OpenAFS 1.2.13 as db servers. One of the Sun boxes had the
lowest IP address and was always the sync site for the databases. We
removed both Suns as db servers (we are in the process of retiring them).
When the Linux box with the lowest IP address became the lowest IP address
overall, it became the sync site.

Most everything works fine except for one strange problem that has to do
with using kinit to get krb4-style tickets. We are running the standard
kaserver that comes with OpenAFS. The OpenAFS klog and klog.krb commands
and the PAM libraries work fine, as do the Windows clients. We have
some systems that use kinit to get k4 TGTs so they can authenticate
under Mac OS X 10, and this broke when the Linux db servers took over for
authentication. As I mentioned, the Suns and the Linux boxes were both
running OpenAFS 1.2.13.

My question is: are there any settings, options, compile flags, etc. to support
k4 authentication that I can try? I did a "configure --help" and looked
through the source files, as well as for options in the Red Hat spec file
that is used to build the binaries, and did not see any options for this.

It appears the lowest IP address always does the Kerberos authentication.
I used tcpdump on the client and server and ran kinit from a Linux client
to get a v4 ticket. The kinit request is getting answered on
kerberos/port 88 on the kaserver. The request is going through, but
from Linux and Mac OS X you get "password incorrect". Here is some info that
may help:

AFS kaserver/host quail tcpdump output:

# tcpdump host lark and \(port 7004 or port 750 or port 88\)
tcpdump: listening on eth0
13:16:03.468925 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos:  v4 le KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.482043 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354:  v4 be KDC_REPLY: sopko.@ (104) (DF)


kinit client/host lark tcpdump output:

tcpdump port 7004 or port 750 or port 88
tcpdump: listening on eth0
13:16:03.468500 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos:  v4 le KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.481773 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354:  v4 be KDC_REPLY: sopko.@ (104) (DF)


kinit client failed command output:

% kinit -4 sopko
Password for sopko@CS.UNC.EDU:
kinit(v4): Password incorrect

-- 
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
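An added example, not part of the post above and not OpenAFS code: a small Python parser for the tcpdump krb4 summary lines shown in the post. It pairs each KDC_REQUEST with the packet sent back to the same client port and reports whether the KDC answered with a KDC_REPLY, an ERR_REPLY, or nothing at all, which is the first split to make when kinit reports a bad password: a missing or error reply points at the network path or the principal lookup, while a full KDC_REPLY means the client could not decrypt what it was given. The sample capture is constructed from the two packets in the post plus an error reply and an unanswered request that I added; the exact layout of tcpdump's ERR_REPLY line is an assumption.

```python
"""Pair Kerberos v4 KDC_REQUEST/KDC_REPLY lines from tcpdump's krb4 decoder.

Added example, not from the post or from OpenAFS. It assumes the summary
format shown in the post; the ERR_REPLY sample line is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the two packets from the post (wrapped as mail wrapped
# them), plus a constructed error reply and an unanswered request. The
# ERR_REPLY line layout is an assumption, not copied from a real capture.
SAMPLE = """\
13:16:03.468925 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos:  v4 le
KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.482043 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354:  v4 be
KDC_REPLY: sopko.@ (104) (DF)
13:17:10.100000 lark.cs.unc.edu.34360 > quail.cs.unc.edu.kerberos:  v4 le
KDC_REQUEST: nobody.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:17:10.110500 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34360:  v4 be
ERR_REPLY: nobody.@CS.UNC.EDU (DF)
13:18:00.000000 lark.cs.unc.edu.34370 > quail.cs.unc.edu.kerberos:  v4 le
KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
"""

RECORD_START = re.compile(r"^\d\d:\d\d:\d\d\.\d+ ")
RECORD_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[^ :]+) > (?P<dst>[^ :]+): +v4 (?:le|be) "
    r"(?P<msg>KDC_REQUEST|KDC_REPLY|ERR_REPLY): (?P<rest>.*)$"
)
# tcpdump prints a v4 principal as name.instance@realm
REQUEST_RE = re.compile(r"^(?P<principal>[^@ ]*@\S*) (?P<life>\d+)min (?P<service>\S+)")
REPLY_RE = re.compile(r"^(?P<principal>[^@ ]*@\S*) \((?P<len>\d+)\)")


@dataclass
class Exchange:
    client: str            # host.port that sent the request
    kdc: str               # host.port that it was sent to
    principal: str         # name.instance@realm from the request
    lifetime_min: int
    service: str           # e.g. krbtgt.CS.UNC.EDU
    request_ts_us: int
    reply_kind: Optional[str] = None   # KDC_REPLY, ERR_REPLY or None
    reply_len: Optional[int] = None    # number tcpdump prints after a KDC_REPLY
    latency_ms: Optional[float] = None

    def verdict(self) -> str:
        if self.reply_kind is None:
            return "no reply seen: the request was never answered (wrong KDC host/port, or filtered)"
        if self.reply_kind == "ERR_REPLY":
            return "KDC refused the request with an error reply (principal/realm not accepted)"
        return (f"KDC issued credentials ({self.reply_len} bytes); v4 KDCs never see the "
                "password, so a client-side 'Password incorrect' means the key derived from "
                "the typed password did not decrypt this reply")


def _ts_us(ts: str) -> int:
    """Convert hh:mm:ss.frac into microseconds since midnight."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return ((h * 60 + m) * 60 + s) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def parse_capture(text: str) -> List[Exchange]:
    # Mail (and tcpdump itself) may wrap a summary; glue continuation lines
    # back onto the record that starts with a timestamp.
    records: List[str] = []
    for line in text.splitlines():
        if RECORD_START.match(line):
            records.append(line.rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()

    exchanges: List[Exchange] = []
    pending: Dict[str, Exchange] = {}   # client endpoint -> unanswered request
    for rec in records:
        m = RECORD_RE.match(rec)
        if not m:
            continue
        ts = _ts_us(m["ts"])
        if m["msg"] == "KDC_REQUEST":
            r = REQUEST_RE.match(m["rest"])
            if not r:
                continue
            ex = Exchange(client=m["src"], kdc=m["dst"], principal=r["principal"],
                          lifetime_min=int(r["life"]), service=r["service"],
                          request_ts_us=ts)
            exchanges.append(ex)
            pending[m["src"]] = ex
        else:
            ex = pending.get(m["dst"])
            if ex is None or ex.kdc != m["src"]:
                continue   # reply with no matching request in this capture
            del pending[m["dst"]]
            ex.reply_kind = m["msg"]
            ex.latency_ms = (ts - ex.request_ts_us) / 1000
            r = REPLY_RE.match(m["rest"])
            if m["msg"] == "KDC_REPLY" and r:
                ex.reply_len = int(r["len"])
    return exchanges


if __name__ == "__main__":
    for ex in parse_capture(SAMPLE):
        print(f"{ex.client} -> {ex.kdc} {ex.principal} for {ex.service}: {ex.verdict()}")
```

Run it against the output of `tcpdump -n port 88` from either side of the exchange. In v4 the password never leaves the client, so a KDC_REPLY followed by kinit's "Password incorrect" narrows the search to the key the client derives from the password versus the key the server holds for that principal, not to the network path or the port 88 listener.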