[OpenAFS] kaserver sun to linux db auth issue

John W. Sopko Jr. sopko@cs.unc.edu
Mon, 21 Feb 2005 08:20:49 -0500


This posting got delayed for a few days because of some email issue, so I
thought you may not have seen it. I have run out of things to try to get
kinit to get k4 TGTs to work. That is why I was asking for the Red Hat
source the other day, to see if there may be some issue with our
source. I have tried kinit to port 750 and 88 with no luck. Probably
not related, but when the kas server starts on our Red Hat Linux box,
it reports this in the /usr/afs/logs/AuthLog:

kerberos4/udp port=60930
kerberos5/udp port=22528
.unc.edu cell database.
Fri Feb 18 12:10:08 2005 Using level crypt for Ubik connections.
Fri Feb 18 12:10:09 2005 Using 152.2.128.4 as my primary address
Fri Feb 18 12:10:09 2005 Starting to process AuthServer requests
Starting to listen for UDP packets
start 5 min check lwp

The Suns that used to work reported this:

kerberos4/udp port=750
kerberos5/udp port=88
om cs.unc.edu cell database.
Tue Feb  8 08:11:14 2005 Using level crypt for Ubik connections.
Tue Feb  8 08:11:14 2005 Using 152.2.128.8 as my primary address
Tue Feb  8 08:11:15 2005 Starting to process AuthServer requests
Starting to listen for UDP packets
start 5 min check lwp

The auth requests are getting through to both port 88 and 750.

I cranked up debugging on the kaserver with "kill -TSTP"; it shows the
following if I give it a good passwd or a bad passwd:

Fri Feb 18 10:43:22 2005 sopko,krbtgt.CS.UNC.EDU:auth from d810298

Also I get the same response as shown below from tcpdump if I
type in the good passwd or a bad passwd.


-------- Original Message --------
Subject: [OpenAFS] kaserver sun to linux db auth issue
Date: Thu, 17 Feb 2005 13:52:06 -0500
From: John W. Sopko Jr. <sopko@cs.unc.edu>
To: openafs-info@openafs.org

We were running 2 Sun Solaris boxes and 3 Red Hat Enterprise Linux boxes,
all running OpenAFS 1.2.13, as db servers. One of the Sun boxes had the
lowest IP address and was always the sync site for the databases. We
removed both Suns as db servers (we are in the process of retiring them).
When one of the Linux boxes became the lowest IP address, it
became the sync site.

Most everything works fine except for one strange problem that has to do
with using kinit to get krb4 style tickets. We are running the standard
kaserver that comes with OpenAFS. The OpenAFS klog and klog.krb commands
and the pam libraries work fine, as do the Windows clients. We have
some systems that use kinit to get k4 TGTs so they can authenticate
under MacOSX 10, and this broke when the Linux db servers took over for
authentication. As I mentioned, the Suns and the Linux boxes were both
running OpenAFS 1.2.13.

My question is: are there any settings, options, compile flags, etc. to support
k4 authentication that I can try? I did a "configure --help" and looked
through the source files, as well as for options in the Red Hat spec file
that is used to build the binaries, and did not see any options for this.

It appears the lowest IP address always does the Kerberos authentication.
I used tcpdump on the client and server and ran kinit from a Linux client
to get a v4 ticket. The kinit request is getting answered
on kerberos/port 88 on the kaserver. The request is going through, but
from Linux and MacOSX you get password incorrect. Here is some info that
may help:

AFS kaserver/host quail tcpdump output:

# tcpdump host lark and \(port 7004 or port 750 or port 88\)
tcpdump: listening on eth0
13:16:03.468925 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos:  v4 le
KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.482043 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354:  v4 be
KDC_REPLY: sopko.@ (104) (DF)


kinit client/host lark tcpdump output:

tcpdump port 7004 or port 750 or port 88
tcpdump: listening on eth0
13:16:03.468500 lark.cs.unc.edu.34354 > quail.cs.unc.edu.kerberos:  v4 le
KDC_REQUEST: sopko.@CS.UNC.EDU 600min krbtgt.CS.UNC.EDU (DF)
13:16:03.481773 quail.cs.unc.edu.kerberos > lark.cs.unc.edu.34354:  v4 be
KDC_REPLY: sopko.@ (104) (DF)


kinit client failed command output:

% kinit -4 sopko
Password for sopko@CS.UNC.EDU:
kinit(v4): Password incorrect

-- 
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

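The two AuthLog excerpts above announce different UDP ports for the same kerberos4/kerberos5 services (750 and 88 on the Suns, 60930 and 22528 on Linux). As an added diagnostic check, not part of the original post or of OpenAFS, this script parses such lines and reports whether each announced port equals the well-known port or its byte-swapped (host versus network byte order) form; the log text it runs on is reconstructed from the post.

```python
import re

# Reconstructed from the post: the port lines the two kaservers wrote at startup.
LINUX_AUTHLOG = """kerberos4/udp port=60930
kerberos5/udp port=22528
"""
SUN_AUTHLOG = """kerberos4/udp port=750
kerberos5/udp port=88
"""

# Well-known UDP ports for the services the kaserver announces.
EXPECTED_PORTS = {"kerberos4": 750, "kerberos5": 88}

PORT_LINE = re.compile(r"^(kerberos[45])/udp port=(\d+)\s*$", re.M)


def parse_ports(log_text):
    """Return {service: port} from 'service/udp port=N' AuthLog lines."""
    return {svc: int(port) for svc, port in PORT_LINE.findall(log_text)}


def byteswap16(port):
    """Swap the two bytes of a 16-bit port (750 -> 60930, 88 -> 22528)."""
    return ((port & 0xFF) << 8) | ((port >> 8) & 0xFF)


def classify_port(service, port):
    """'ok' if the port matches, 'byte-swapped' if only its byte order differs."""
    want = EXPECTED_PORTS[service]
    if port == want:
        return "ok"
    if port == byteswap16(want):
        return "byte-swapped"
    return "unexpected"


def check_authlog(log_text):
    """Classify every announced port in an AuthLog excerpt."""
    return {svc: classify_port(svc, p) for svc, p in parse_ports(log_text).items()}


if __name__ == "__main__":
    for name, text in (("sun", SUN_AUTHLOG), ("linux", LINUX_AUTHLOG)):
        print(name, check_authlog(text))
```

Run against the Linux excerpt it flags both ports as byte-swapped, which points at where to look (how the port values are converted before the socket is bound) rather than at the password path.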