[OpenAFS] ka-forwarder -> fakeka malformed (bad password)

John W. Sopko Jr. sopko@cs.unc.edu
Thu, 29 Jun 2006 15:36:05 -0400


Trying to get ka-forwarder -> fakeka working. Don't want
to run the k5 servers on the AFS db servers if I do not have to.
I am using the latest:

ka-forwarder from OpenAFS 1.4.1
fakeka       from MIT KRB 1.4.3

The KRB 1.4.3 setup seems to be working fine. I configured a cell to
use the K5 server. All the cell stuff is working.  I can do a kinit and
aklog and get a token fine. Create/delete files in afs etc.
I am using all OpenAFS 1.4.1 utilities.

Need to get fakeka to work for backward compatibility for a while.

My Kerberos REALM name and CELL name are DIFFERENT. I need to do this
since our Windows group took over the REALM name that is the same
as the AFS cell name for their Kerberos system.

I saw some info in the mail list and put our REALM name in
/usr/afs/etc/krb.conf on the db server:

$ cat /usr/afs/etc/krb.conf
CSX.UNC.EDU

The AFS cell name is cs.unc.edu.

When I try to use the OpenAFS klog command to get a token, fakeka
logs the following in the syslog:


Jun 29 14:55:23 kfive fakeka[17074]: authenticate: sopko. from 152.2.128.185
Jun 29 14:55:23 kfive fakeka[17074]: ... failed due to request was malformed (bad password)

I can do kerberos kinit and kpasswd just fine. I am entering
a correct password to klog.

The ka-forwarder logs it is contacting the fakeka over port 7004:

Jun 29 14:55:23 eagle ka-forwarder[3227]: forwarding 84 bytes from 152.2.128.185/32781 to 152.2.129.25/7004
Jun 29 14:55:23 eagle ka-forwarder[3227]: forwarding 32 bytes from 152.2.129.25/7004 to 152.2.128.185/32781
Jun 29 14:55:23 eagle ka-forwarder[3227]: forwarding 84 bytes from 152.2.128.185/32781 to 152.2.129.25/7004
Jun 29 14:55:23 eagle ka-forwarder[3227]: forwarding 32 bytes from 152.2.129.25/7004 to 152.2.128.185/32781

and if I put fakeka in debug mode in the foreground I get the following
which tells me they are talking to each other.

# ./fakeka -d -f eagle.cs.unc.edu
Handling Authenticate request
Authenticating sopko.
Handling Authenticate request
Authenticating sopko.

Must be some config item I am missing? Any help is appreciated.

Windows AFS client QUESTION: I believe normally the Windows client talks
to the kaserver over port 750. The ka-forwarder listens on port 7004 by
default for unix/klog requests. It appears you can only tell ka-forwarder
to listen on one port where it defaults to 7004 and you can use the -p
option to tell it another port. Is the proper way to handle this to run
2 ka-forwarder daemons, one for port 750 and one for port 7004?


I need for the krb5 upgrade to be transparent. I would like all
the current client configurations to continue to work without changing
them. Then move the clients off krb4 which looks like it is going away
in the MIT krb5 release sometime soon.



-- 
John W. Sopko Jr.               University of North Carolina
email: sopko AT cs.unc.edu      Computer Science Dept., CB 3175
Phone: 919-962-1844             Sitterson Hall; Room 044
Fax:   919-962-1799             Chapel Hill, NC 27599-3175