[OpenAFS] aklog claims it can't contact KDC, but KDC is issuing tickets
Marcus Watts
mdw@umich.edu
Mon, 06 Mar 2006 02:28:10 -0500
Adam Megacz <megacz@cs.berkeley.edu> writes:
> To: openafs-info@openafs.org
> From: Adam Megacz <megacz@cs.berkeley.edu>
> Message-ID: <x3oe0kmb5j.fsf@nowhere.com>
> Subject: [OpenAFS] aklog claims it can't contact KDC, but KDC is issuing tickets
> Sender: openafs-info-admin@openafs.org
> Date: Mon, 06 Mar 2006 04:48:08 +0000
>
> It gets stranger and stranger. Here's what the user types on the
> console:
>
> $ kinit *****@EECS.BERKELEY.EDU && aklog -d -c research.cs.berkeley.edu
> Please enter the password for *****@EECS.BERKELEY.EDU:
> Authenticating to cell research.cs.berkeley.edu (server afs.research.CS.Berkeley.EDU).
> We've deduced that we need to authenticate to realm RESEARCH.CS.BERKELEY.EDU.
> Getting tickets: afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
> Kerberos error code returned by get_cred: -1765328228
> aklog: Couldn't get research.cs.berkeley.edu AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS tickets
>
> So you'd suspect that the RESEARCH.CS.BERKELEY.EDU KDC hasn't been
> contacted, right? But this is what I get in the KDC logs (times have
> been correlated -- this is in response to the cut-and-paste above):
>
> Mar 05 19:38:40 research.cs.berkeley.edu krb5kdc[1626](info):
> TGS_REQ (1 etypes {1}) *.*.*.*: ISSUE: authtime 1141616344,
> etypes {rep=1 tkt=1 ses=1}, *****@EECS.BERKELEY.EDU for
> afs/research.cs.berkeley.edu@RESEARCH.CS.BERKELEY.EDU
>
> Mar 05 19:38:43 research.cs.berkeley.edu krb5kdc[1626](info):
> DISPATCH: repeated (retransmitted?) request from
> *.*.*.*, resending previous response
>
> Mar 05 19:39:08 research.cs.berkeley.edu krb5kdc[1626](info):
> DISPATCH: repeated (retransmitted?) request from
> *.*.*.*, resending previous response
>
> Is there any way to get aklog to be more specific than "Cannot contact
> any KDC for requested realm"? Like, can I get it to spit out a list
> of what it believes are the KDCs for this realm? Or be more specific
> about which realm it means here (cross-realm is involved)?
>
> If it is relevant, the user is behind a NAT (which supports UDP -- he
> can kinit properly). I'm not running krb524d and krb5kdc is running
> with "-4none".
>
> - a
Looks like a nat problem. aklog doesn't contain internal logic to
go to the level you want. That's because the kerberos library hides
most of those details. Indeed, your application should not need to
know that much about what kerberos is doing.
Fortunately, you don't need to instrument your kerberos application
to figure out what's happening. For problems like this, there are
perfectly adequate system debugging tools that will suffice. In
any given environment, there are usually equivalents for the following:
trace system calls     ktrace/kdump, truss, strace,
                       bindview, stracent, depends
dump lan traffic       tcpdump, ethereal, snoop, netcap
debug application      gdb, dbx, ntsd
With these 3 tools, you can usually figure out a lot about
what's going on.
Following is an example of using these tools.
command sequence:
spam% kinit mdw@DOGS.UMICH.EDU
spam% strace -f -o /tmp/aklog.strace aklog -c dogs -k DOGS.UMICH.EDU
excerpt from strace output:
542 execve("/usr/bin/aklog", ["aklog", "-c", "dogs", "-k", "DOGS.UMICH.EDU"], [/* 51 vars */]) = 0
..................
542 open("/usr/lib/libkrb5support.so.0", O_RDONLY) = 3
..................
542 stat64("/etc/krb5.conf", {st_mode=S_IFREG|0644, st_size=2904, ...}) = 0
..................
542 open("/etc/openafs/ThisCell", O_RDONLY) = 3
..................
542 stat64("/etc/openafs/CellServDB", {st_mode=S_IFREG|0644, st_size=11685, ...}) = 0
..................
542 open("/tmp/krb5cc_25131_dU6g5t", O_RDONLY) = 3
..................
542 connect(3, {sa_family=AF_INET, sin_port=htons(88), sin_addr=inet_addr("141.213.229.82")}, 16) = 0
..................
542 sendmsg(3, {msg_name(16)={sa_family=AF_INET, sin_port=htons(7002), sin_addr=inet_addr("141.213.229.83")}, msg_iov(2)=[{"D\v\326\10\20\27\6\20\0\0\0\1\0\0\0\1\0\0\0\1\1\5\0\0\0"..., 28}, {"\0\0\1\370\0\0\0\1\0\0\0m\0\0\0d\0\0\0w\0\0\0\0\0\0\0\0"..., 264}], msg_controllen=0, msg_flags=0}, 0) = 292
..................
542 write(2, "", 0) = 0
542 open("/proc/fs/openafs/afs_ioctl", O_RDWR) = 4
542 ioctl(4, CAPI_REGISTER or SNDCTL_COPR_LOAD, 0xbffeeb60) = 0
542 close(4) = 0
542 exit_group(0) = ?
..................
Here we see what pathname aklog was loaded from, which libraries it
loaded, what kerberos 5 configuration file it read, which afs
configuration files it read, the ticket file, the conversation
with the kdc, and the conversation with ptserver (to look up the viceid.)
Knowing which machine it tried to talk to, and where it got the
notion to talk to that machine, is usually 3/4ths of the battle.
Granted, the above is abstracted from 1184 lines of strace dump,
but it's still not that hard to process. Good ways to handle this
data are to start from the back, and to compare known "it works"
type data with the equivalent "it broke" data. It also helps to
look for things you expect to find. I knew all the interesting
bits of the above were going to be happening while talking to
machines on the 141.213.229 network - and sure enough, they were.
tcpdump while running "aklog" from above:
spam:/var/cache/apt/archives# tcpdump -s 1500 -x -n -p udp port 88
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1500 bytes
01:26:16.884685 IP 141.211.1.36.39282 > 141.213.229.82.88:
0x0000: 4500 0263 921c 4000 4011 a44e 8dd3 0124
0x0010: 8dd5 e552 9972 0058 024f 0480 6c82 0243
0x0020: 3082 023f a103 0201 05a2 0302 010c a382
0x0030: 01ce 3082 01ca 3082 01c6 a103 0201 01a2
0x0040: 8201 bd04 8201 b96e 8201 b530 8201 b1a0
0x0050: 0302 0105 a103 0201 0ea2 0703 0500 0000
0x0060: 0000 a382 0105 6182 0101 3081 fea0 0302
0x0070: 0105 a110 1b0e 444f 4753 2e55 4d49 4348
0x0080: 2e45 4455 a223 3021 a003 0201 00a1 1a30
0x0090: 181b 066b 7262 7467 741b 0e44 4f47 532e
0x00a0: 554d 4943 482e 4544 55a3 81bf 3081 bca0
0x00b0: 0302 0110 a103 0201 01a2 81af 0481 ac71
0x00c0: 459d 1f9a c42d 6379 4693 b9a1 e0d3 679b
0x00d0: c7e5 4c2d c10e e8ca ec77 4ab2 fd75 6d61
0x00e0: 55ef 54ac e84e 09e6 84c3 f3bb 0f31 0284
0x00f0: df1e 59fe 9e3c 23ce ae5d 5e34 558e 33d0
0x0100: 9891 df2e ab0d 08cf 520c f1fc 3d65 8ffb
0x0110: 16e8 4c8b 3eff 2c7c 3313 2cea 57a2 c6f2
0x0120: c3fd e2d8 855d be32 2365 0b2d 7abf 4c70
0x0130: 44c6 b9ea bc15 100a a7b3 7b90 d981 8d43
0x0140: 6a9d e54e 3fee 5f29 25be 6f50 01e5 b448
0x0150: 1a65 d305 c2f0 4305 4d13 f14f 9fa1 0ab7
0x0160: 5e38 e094 9726 8dc0 b554 6fa4 8192 3081
0x0170: 8fa0 0302 0110 a281 8704 8184 b4da 7f4a
0x0180: f301 366b aed7 ab2f 374b 1855 7e18 0d1f
0x0190: 4aac 2824 8493 fb9e 3444 ad03 4653 bf73
0x01a0: 0726 e506 e764 7765 bdf8 085e 7c70 14d1
0x01b0: 15e0 a993 4ef6 a0f7 6366 4547 99c9 35e4
0x01c0: 1a01 4ef4 e728 ae5e c9c8 9a84 7dfb c86b
0x01d0: c0b2 2a3a e981 a943 a75e 79c7 0842 2be1
0x01e0: 063e ed41 df41 f7b3 c9f2 5c4d 45f3 10ca
0x01f0: fa69 7ea6 68c6 e99f 99f3 fab6 d95b 6d1d
0x0200: a461 305f a007 0305 0050 0000 00a2 101b
0x0210: 0e44 4f47 532e 554d 4943 482e 4544 55a3
0x0220: 2030 1ea0 0302 0100 a117 3015 1b03 6166
0x0230: 731b 0e64 6f67 732e 756d 6963 682e 6564
0x0240: 75a5 1118 0f32 3030 3630 3330 3730 3632
0x0250: 3631 305a a706 0204 440b d606 a805 3003
0x0260: 0201 01
01:26:16.885377 IP 141.213.229.82.88 > 141.211.1.36.39282:
0x0000: 4500 00c9 0000 4000 3e11 3a05 8dd5 e552
0x0010: 8dd3 0124 0058 9972 00b5 2e53 7e81 aa30
0x0020: 81a7 a003 0201 05a1 0302 011e a211 180f
0x0030: 3230 3036 3033 3036 3036 3236 3134 5aa4
0x0040: 1118 0f32 3030 3630 3330 3630 3632 3631
0x0050: 365a a505 0203 0d80 bba6 0302 0107 a710
0x0060: 1b0e 444f 4753 2e55 4d49 4348 2e45 4455
0x0070: a810 300e a003 0201 01a1 0730 051b 036d
0x0080: 6477 a910 1b0e 444f 4753 2e55 4d49 4348
0x0090: 2e45 4455 aa20 301e a003 0201 00a1 1730
0x00a0: 151b 0361 6673 1b0e 646f 6773 2e75 6d69
0x00b0: 6368 2e65 6475 ab11 1b0f 554e 4b4e 4f57
0x00c0: 4e5f 5345 5256 4552 00
01:26:16.904653 IP 141.211.1.36.39282 > 141.213.229.82.88:
0x0000: 4500 0253 921e 4000 4011 a45c 8dd3 0124
0x0010: 8dd5 e552 9972 0058 023f 0470 6c82 0233
0x0020: 3082 022f a103 0201 05a2 0302 010c a382
0x0030: 01ce 3082 01ca 3082 01c6 a103 0201 01a2
0x0040: 8201 bd04 8201 b96e 8201 b530 8201 b1a0
0x0050: 0302 0105 a103 0201 0ea2 0703 0500 0000
0x0060: 0000 a382 0105 6182 0101 3081 fea0 0302
0x0070: 0105 a110 1b0e 444f 4753 2e55 4d49 4348
0x0080: 2e45 4455 a223 3021 a003 0201 00a1 1a30
0x0090: 181b 066b 7262 7467 741b 0e44 4f47 532e
0x00a0: 554d 4943 482e 4544 55a3 81bf 3081 bca0
0x00b0: 0302 0110 a103 0201 01a2 81af 0481 ac71
0x00c0: 459d 1f9a c42d 6379 4693 b9a1 e0d3 679b
0x00d0: c7e5 4c2d c10e e8ca ec77 4ab2 fd75 6d61
0x00e0: 55ef 54ac e84e 09e6 84c3 f3bb 0f31 0284
0x00f0: df1e 59fe 9e3c 23ce ae5d 5e34 558e 33d0
0x0100: 9891 df2e ab0d 08cf 520c f1fc 3d65 8ffb
0x0110: 16e8 4c8b 3eff 2c7c 3313 2cea 57a2 c6f2
0x0120: c3fd e2d8 855d be32 2365 0b2d 7abf 4c70
0x0130: 44c6 b9ea bc15 100a a7b3 7b90 d981 8d43
0x0140: 6a9d e54e 3fee 5f29 25be 6f50 01e5 b448
0x0150: 1a65 d305 c2f0 4305 4d13 f14f 9fa1 0ab7
0x0160: 5e38 e094 9726 8dc0 b554 6fa4 8192 3081
0x0170: 8fa0 0302 0110 a281 8704 8184 c843 e597
0x0180: 388f 2caf b5d6 230c 975f 34c2 5506 3558
0x0190: b9cb 0702 ec81 56da 7589 7d51 7c7b 7ab0
0x01a0: e17e f1e8 df39 18d1 77b1 a9dd c0d8 238e
0x01b0: 1ccf 361b e93d ecb1 7e04 74ba a776 586b
0x01c0: 4c55 38f1 3784 92d4 1499 43cd 05f7 32de
0x01d0: 57ce d8a5 d1f7 46e9 1c70 a809 5861 085b
0x01e0: 51f1 23e1 5fa7 76ab 67c4 bc62 c342 da31
0x01f0: 4eaf 1e69 884a fc2b 8aad bd29 9d69 52cc
0x0200: a451 304f a007 0305 0050 0000 00a2 101b
0x0210: 0e44 4f47 532e 554d 4943 482e 4544 55a3
0x0220: 1030 0ea0 0302 0100 a107 3005 1b03 6166
0x0230: 73a5 1118 0f32 3030 3630 3330 3730 3632
0x0240: 3631 305a a706 0204 440b d606 a805 3003
0x0250: 0201 01
01:26:16.905454 IP 141.213.229.82.88 > 141.211.1.36.39282:
0x0000: 4500 020f 0000 4000 3e11 38bf 8dd5 e552
0x0010: 8dd3 0124 0058 9972 01fb ab41 6d82 01ef
0x0020: 3082 01eb a003 0201 05a1 0302 010d a310
0x0030: 1b0e 444f 4753 2e55 4d49 4348 2e45 4455
0x0040: a410 300e a003 0201 01a1 0730 051b 036d
0x0050: 6477 a581 e561 81e2 3081 dfa0 0302 0105
0x0060: a110 1b0e 444f 4753 2e55 4d49 4348 2e45
0x0070: 4455 a210 300e a003 0201 00a1 0730 051b
0x0080: 0361 6673 a381 b330 81b0 a003 0201 01a1
0x0090: 0302 0103 a281 a304 81a0 bc54 bc9e 4cda
0x00a0: 13c8 432b 4a95 04fe b7c5 6319 a1a0 fceb
0x00b0: 2f62 50af 2439 838d a90a 2dc6 6d4e b6b4
0x00c0: 71b2 3af8 68aa d844 cbb7 6bab 506e 0a45
0x00d0: d7a1 1bf0 9cee 0b5d aef7 d8cf e3ea 3668
0x00e0: 52bf 0aec 08f8 f072 09bc 6016 7f11 3228
0x00f0: a72d 788c 231e ec45 9877 c993 01d0 06de
0x0100: ee1b 1714 4c1e 00cd 531c a140 7f5b c4a9
0x0110: 06a2 56d2 b7c8 fa1a e780 9b24 4268 66fd
0x0120: d8bb 6eba 4827 f82e 235d 5c61 216c cc32
0x0130: fab7 4165 4c0c b0ea 1ee9 a681 d230 81cf
0x0140: a003 0201 10a2 81c7 0481 c4c0 0124 864c
0x0150: fc7b 2e5e d96f a5ca 15f5 805f a7c0 c82c
0x0160: 2c5a 3448 8cc3 8f4b 6bfb c63d 22f3 edd6
0x0170: 6c5b 1b14 5461 0769 6a99 c131 d2dd 9ba6
0x0180: c5db 1248 f598 9615 7990 9b44 914c 6ca6
0x0190: 7e2c cb8b e983 927b 38c5 d949 4fba f244
0x01a0: b42c e101 bceb 6917 c1cb 954e 5a51 5f6d
0x01b0: 820e d9f2 ac40 5265 1c87 ade0 6d5c e0ff
0x01c0: 1643 1653 0cdc e050 bd48 51e1 2dfd 785e
0x01d0: 0f46 156c 4a95 1714 088c 524e 04aa ebff
0x01e0: a468 3cb9 675d 840f cb56 a296 d80a 1a48
0x01f0: ccd0 8ea3 75ac 1769 6923 0798 7c70 f866
0x0200: b6d7 8539 e3dc 6aa3 e91b 34d6 13fb 79
4 packets captured
8 packets received by filter
0 packets dropped by kernel
Looks pretty scary, eh? And it is - that's asn.1 encoded output,
and since I used "-x" and not "-X", I don't even get the aid of
seeing the ascii on the side. But, well, that's ok, I don't have
to parse asn.1. I just have to make the computer do it for me.
The above packets have an IP header, then UDP. That's the first 28
bytes of stuff. The rest is the payload. So, in the last packet,
from 0x001c onwards is what I want. Or, the stuff that starts with
6d82 01ef.
To convert the hex to der encoded, I can use this perl script:
#!/usr/bin/perl
# tcp2pem: turn the hex lines of a "tcpdump -x" dump into raw DER
# (with -der) or, by default, base64 text for "openssl asn1parse".
use strict;
use warnings;
use MIME::Base64;

my $bin = 0;
if (@ARGV && $ARGV[0] eq "-der")
{
	$bin = 1;
	shift @ARGV;
}
my $acc = "";
while (<>)
{
	next unless (/^ /);		# only lines starting with a space carry hex
	s/[^0-9a-fA-F]//g;		# keep the hex digits only (offsets must already be gone)
	my $j = pack "H*", $_;		# hex text -> raw bytes
	if ($bin) {
		print $j;
	} else {
		$acc .= $j;
	}
}
if (!$bin) {
	print encode_base64($acc);
}
(a copy of which you can find here:)
/afs/umich.edu/user/m/d/mdw/.bin/scripts/tcp2pem.pl
One minor ugliness is I need to strip the packet offset from the start
of each line and I need to make sure the result starts with at least
one space (Hey, it was a quick hack; tcpdump's output format changed since
I wrote this.) Fortunately you can fix it to do what you like.
I then want to pass the output from this to
"openssl asn1parse -i -dump"
So, here's my not particularly clever cut & paste run of tcp2pem:
spam% perl /afs/umich.edu/user/m/d/mdw/.bin/scripts/tcp2pem.pl
6d82 01ef
3082 01eb a003 0201 05a1 0302 010d a310
1b0e 444f 4753 2e55 4d49 4348 2e45 4455
a410 300e a003 0201 01a1 0730 051b 036d
6477 a581 e561 81e2 3081 dfa0 0302 0105
a110 1b0e 444f 4753 2e55 4d49 4348 2e45
4455 a210 300e a003 0201 00a1 0730 051b
0361 6673 a381 b330 81b0 a003 0201 01a1
0302 0103 a281 a304 81a0 bc54 bc9e 4cda
13c8 432b 4a95 04fe b7c5 6319 a1a0 fceb
2f62 50af 2439 838d a90a 2dc6 6d4e b6b4
71b2 3af8 68aa d844 cbb7 6bab 506e 0a45
d7a1 1bf0 9cee 0b5d aef7 d8cf e3ea 3668
52bf 0aec 08f8 f072 09bc 6016 7f11 3228
a72d 788c 231e ec45 9877 c993 01d0 06de
ee1b 1714 4c1e 00cd 531c a140 7f5b c4a9
06a2 56d2 b7c8 fa1a e780 9b24 4268 66fd
d8bb 6eba 4827 f82e 235d 5c61 216c cc32
fab7 4165 4c0c b0ea 1ee9 a681 d230 81cf
a003 0201 10a2 81c7 0481 c4c0 0124 864c
fc7b 2e5e d96f a5ca 15f5 805f a7c0 c82c
2c5a 3448 8cc3 8f4b 6bfb c63d 22f3 edd6
6c5b 1b14 5461 0769 6a99 c131 d2dd 9ba6
c5db 1248 f598 9615 7990 9b44 914c 6ca6
7e2c cb8b e983 927b 38c5 d949 4fba f244
b42c e101 bceb 6917 c1cb 954e 5a51 5f6d
820e d9f2 ac40 5265 1c87 ade0 6d5c e0ff
1643 1653 0cdc e050 bd48 51e1 2dfd 785e
0f46 156c 4a95 1714 088c 524e 04aa ebff
a468 3cb9 675d 840f cb56 a296 d80a 1a48
ccd0 8ea3 75ac 1769 6923 0798 7c70 f866
b6d7 8539 e3dc 6aa3 e91b 34d6 13fb 79
^D
(base64 output of tcp2pem, not reproduced here)
spam%
And here's the run of asn1parse:
spam% openssl asn1parse -i -dump
(the base64 text from tcp2pem, pasted in)
^D
0:d=0 hl=4 l= 495 cons: appl [ 13 ]
4:d=1 hl=4 l= 491 cons: SEQUENCE
8:d=2 hl=2 l= 3 cons: cont [ 0 ]
10:d=3 hl=2 l= 1 prim: INTEGER :05
13:d=2 hl=2 l= 3 cons: cont [ 1 ]
15:d=3 hl=2 l= 1 prim: INTEGER :0D
18:d=2 hl=2 l= 16 cons: cont [ 3 ]
20:d=3 hl=2 l= 14 prim: GENERALSTRING
0000 - 44 4f 47 53 2e 55 4d 49-43 48 2e 45 44 55 DOGS.UMICH.EDU
36:d=2 hl=2 l= 16 cons: cont [ 4 ]
38:d=3 hl=2 l= 14 cons: SEQUENCE
40:d=4 hl=2 l= 3 cons: cont [ 0 ]
42:d=5 hl=2 l= 1 prim: INTEGER :01
45:d=4 hl=2 l= 7 cons: cont [ 1 ]
47:d=5 hl=2 l= 5 cons: SEQUENCE
49:d=6 hl=2 l= 3 prim: GENERALSTRING
0000 - 6d 64 77 mdw
54:d=2 hl=3 l= 229 cons: cont [ 5 ]
57:d=3 hl=3 l= 226 cons: appl [ 1 ]
60:d=4 hl=3 l= 223 cons: SEQUENCE
63:d=5 hl=2 l= 3 cons: cont [ 0 ]
65:d=6 hl=2 l= 1 prim: INTEGER :05
68:d=5 hl=2 l= 16 cons: cont [ 1 ]
70:d=6 hl=2 l= 14 prim: GENERALSTRING
0000 - 44 4f 47 53 2e 55 4d 49-43 48 2e 45 44 55 DOGS.UMICH.EDU
86:d=5 hl=2 l= 16 cons: cont [ 2 ]
88:d=6 hl=2 l= 14 cons: SEQUENCE
90:d=7 hl=2 l= 3 cons: cont [ 0 ]
92:d=8 hl=2 l= 1 prim: INTEGER :00
95:d=7 hl=2 l= 7 cons: cont [ 1 ]
97:d=8 hl=2 l= 5 cons: SEQUENCE
99:d=9 hl=2 l= 3 prim: GENERALSTRING
0000 - 61 66 73 afs
104:d=5 hl=3 l= 179 cons: cont [ 3 ]
107:d=6 hl=3 l= 176 cons: SEQUENCE
110:d=7 hl=2 l= 3 cons: cont [ 0 ]
112:d=8 hl=2 l= 1 prim: INTEGER :01
115:d=7 hl=2 l= 3 cons: cont [ 1 ]
117:d=8 hl=2 l= 1 prim: INTEGER :03
120:d=7 hl=3 l= 163 cons: cont [ 2 ]
123:d=8 hl=3 l= 160 prim: OCTET STRING
0000 - bc 54 bc 9e 4c da 13 c8-43 2b 4a 95 04 fe b7 c5 .T..L...C+J.....
0010 - 63 19 a1 a0 fc eb 2f 62-50 af 24 39 83 8d a9 0a c...../bP.$9....
0020 - 2d c6 6d 4e b6 b4 71 b2-3a f8 68 aa d8 44 cb b7 -.mN..q.:.h..D..
0030 - 6b ab 50 6e 0a 45 d7 a1-1b f0 9c ee 0b 5d ae f7 k.Pn.E.......]..
0040 - d8 cf e3 ea 36 68 52 bf-0a ec 08 f8 f0 72 09 bc ....6hR......r..
0050 - 60 16 7f 11 32 28 a7 2d-78 8c 23 1e ec 45 98 77 `...2(.-x.#..E.w
0060 - c9 93 01 d0 06 de ee 1b-17 14 4c 1e 00 cd 53 1c ..........L...S.
0070 - a1 40 7f 5b c4 a9 06 a2-56 d2 b7 c8 fa 1a e7 80 .@.[....V.......
0080 - 9b 24 42 68 66 fd d8 bb-6e ba 48 27 f8 2e 23 5d .$Bhf...n.H'..#]
0090 - 5c 61 21 6c cc 32 fa b7-41 65 4c 0c b0 ea 1e e9 \a!l.2..AeL.....
286:d=2 hl=3 l= 210 cons: cont [ 6 ]
289:d=3 hl=3 l= 207 cons: SEQUENCE
292:d=4 hl=2 l= 3 cons: cont [ 0 ]
294:d=5 hl=2 l= 1 prim: INTEGER :10
297:d=4 hl=3 l= 199 cons: cont [ 2 ]
300:d=5 hl=3 l= 196 prim: OCTET STRING
0000 - c0 01 24 86 4c fc 7b 2e-5e d9 6f a5 ca 15 f5 80 ..$.L.{.^.o.....
0010 - 5f a7 c0 c8 2c 2c 5a 34-48 8c c3 8f 4b 6b fb c6 _...,,Z4H...Kk..
0020 - 3d 22 f3 ed d6 6c 5b 1b-14 54 61 07 69 6a 99 c1 ="...l[..Ta.ij..
0030 - 31 d2 dd 9b a6 c5 db 12-48 f5 98 96 15 79 90 9b 1.......H....y..
0040 - 44 91 4c 6c a6 7e 2c cb-8b e9 83 92 7b 38 c5 d9 D.Ll.~,.....{8..
0050 - 49 4f ba f2 44 b4 2c e1-01 bc eb 69 17 c1 cb 95 IO..D.,....i....
0060 - 4e 5a 51 5f 6d 82 0e d9-f2 ac 40 52 65 1c 87 ad NZQ_m.....@Re...
0070 - e0 6d 5c e0 ff 16 43 16-53 0c dc e0 50 bd 48 51 .m\...C.S...P.HQ
0080 - e1 2d fd 78 5e 0f 46 15-6c 4a 95 17 14 08 8c 52 .-.x^.F.lJ.....R
0090 - 4e 04 aa eb ff a4 68 3c-b9 67 5d 84 0f cb 56 a2 N.....h<.g]...V.
00a0 - 96 d8 0a 1a 48 cc d0 8e-a3 75 ac 17 69 69 23 07 ....H....u..ii#.
00b0 - 98 7c 70 f8 66 b6 d7 85-39 e3 dc 6a a3 e9 1b 34 .|p.f...9..j...4
00c0 - d6 13 fb 79 ...y
And there we have it. Kerberos 5 decoded and dumped, using
just regular non-kerberos aware tools.
To understand the bits here, look at
http://www.ietf.org/rfc/rfc4120.txt
In this case appl 13 = tgs rep
(a mapping of application types is on pages 96-97 in rfc 4120.)
tgs_rep and as_rep are described on page 81.
So, above, the line that reads:
36:d=2 hl=2 l= 16 cons: cont [ 4 ]
matches the start of what the rfc describes as:
cname [4] PrincipalName
the rfc on page 123 says that a PrincipalName is a sequence of
name-type[0] Int32, name-string [1] SEQUENCE OF KerberosString
and sure enough, here we see:
36:d=2 hl=2 l= 16 cons: cont [ 4 ]
38:d=3 hl=2 l= 14 cons: SEQUENCE
40:d=4 hl=2 l= 3 cons: cont [ 0 ]
42:d=5 hl=2 l= 1 prim: INTEGER :01
45:d=4 hl=2 l= 7 cons: cont [ 1 ]
47:d=5 hl=2 l= 5 cons: SEQUENCE
49:d=6 hl=2 l= 3 prim: GENERALSTRING
0000 - 6d 64 77 mdw
and, sure enough, we have element [0] being a name-type of 1 (the :01 above),
which corresponds to what the rfc describes in section 6.2 as NT-PRINCIPAL.
We also have element [1] consisting of a sequence of one element, "mdw".
Generally, you won't need to know nearly this much about what's
in your kerberos traffic. For your nat problem, if you look
at the IP addresses you find with tcpdump, and your nat configuration,
you should be able to figure out what you need to do to make things
work. Depending on how badly things are broken, you might find
it easier if you run tcpdump at both, or in your case all 3, ends.
But you could probably get by with just running the network capture
on your client machine & reviewing very carefully your nat configuration
choices.
-Marcus Watts
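As an added example, not part of Marcus's post or of any OpenAFS tool: a Python equivalent of tcp2pem plus the first steps of the asn1parse reading above. It strips the 0xNNNN: offsets (the "minor ugliness" the post mentions), drops the 28-byte IP+UDP header, and walks the DER to pull out pvno, msg-type, crealm and cname of the KDC-REP, stopping at the encrypted ticket. The sample input is the first six hex lines of the fourth packet in the post, deliberately truncated; the function names are my own.

```python
import re

# Constructed sample: first six "tcpdump -x" lines of the post's 4th packet (the KDC reply); ticket and enc-part cut off.
TCPDUMP_EXCERPT = """\
01:26:16.905454 IP 141.213.229.82.88 > 141.211.1.36.39282:
0x0000: 4500 020f 0000 4000 3e11 38bf 8dd5 e552
0x0010: 8dd3 0124 0058 9972 01fb ab41 6d82 01ef
0x0020: 3082 01eb a003 0201 05a1 0302 010d a310
0x0030: 1b0e 444f 4753 2e55 4d49 4348 2e45 4455
0x0040: a410 300e a003 0201 01a1 0730 051b 036d
0x0050: 6477 a581 e561 81e2 3081 dfa0 0302 0105
"""
IP_UDP_HEADER_LEN = 28  # 20-byte IPv4 header (no options) + 8-byte UDP header

def tcpdump_hex_to_bytes(text):
    """Collect the hex of 'tcpdump -x' lines, dropping the 0xNNNN: offsets."""
    hexes = re.findall(r"^\s*0x[0-9a-f]+:\s*([0-9a-f ]+)$", text, re.I | re.M)
    return bytes.fromhex("".join(hexes).replace(" ", ""))

def tlv(buf, pos):
    """DER tag+length at pos -> (tag, value start, value end); end is clamped to the buffer."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, min(pos + length, len(buf))   # clamp: a truncated capture still parses
def der_int(buf, pos):
    _, s, e = tlv(buf, pos)
    return int.from_bytes(buf[s:e], "big", signed=True)
def der_str(buf, pos):                     # Realm / KerberosString (GeneralString)
    _, s, e = tlv(buf, pos)
    return buf[s:e].decode("ascii")

def principal_name(buf, pos):
    """PrincipalName ::= SEQUENCE { [0] name-type Int32, [1] name-string SEQUENCE OF KerberosString }"""
    _, pos, _ = tlv(buf, pos)              # SEQUENCE
    _, s, e = tlv(buf, pos)                # [0] name-type
    _, p, q = tlv(buf, tlv(buf, e)[1])     # [1] name-string -> SEQUENCE OF
    names = []
    while p < q:
        _, a, p = tlv(buf, p)              # p advances to the end of this string
        names.append(buf[a:p].decode("ascii"))
    return der_int(buf, s), names

FIELDS = {0: ("pvno", der_int), 1: ("msg-type", der_int),
          3: ("crealm", der_str), 4: ("cname", principal_name)}  # cleartext KDC-REP fields (RFC 4120 5.4.2)

def decode_kdc_rep_header(payload):
    """Decode a KDC-REP up to [5] ticket / [6] enc-part, which are encrypted."""
    tag, pos, _ = tlv(payload, 0)
    if tag not in (0x6B, 0x6D):            # [APPLICATION 11] AS-REP / [APPLICATION 13] TGS-REP
        raise ValueError("not a KDC-REP: outer tag 0x%02x" % tag)
    info = {"msg": "AS-REP" if tag == 0x6B else "TGS-REP"}
    _, pos, end = tlv(payload, pos)        # KDC-REP ::= SEQUENCE
    while pos < end and (tlv(payload, pos)[0] & 0x1F) in FIELDS:
        tag, s, pos = tlv(payload, pos)    # context tag [n] wrapping each field
        name, decode = FIELDS[tag & 0x1F]
        info[name] = decode(payload, s)
    return info
```

On the excerpt this yields TGS-REP, pvno 5, msg-type 13, crealm DOGS.UMICH.EDU and cname (1, ["mdw"]), the same values the asn1parse walk-through above reads off by hand.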