[OpenAFS] Re: A problem with authentication

Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Mon, 12 Mar 2007 14:58:12 +0000


I wrote:
> We have a very old AFS cell, installed with kaserver back in 1991,
> and we later migrated to use heimdal instead of kaserver.  This was
> working well with Debian sarge installations, which were our standard
> setup until recently.  When we started upgrading some of our clients
> to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
> seeing problems with some people getting failed login problems
> repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
> If we change the pam library from libpam-heimdal to the MIT-based
> libpam-krb5 (version 2.6-1), there are still some failures, but
> not as many.

Love Hörnquist Åstrand wrote:
> Is it any corresponding error in the KDC log ?

Interesting that you should ask this.  We are running Debian's
heimdal-kdc version 0.7.2.dfsg.1-10 on three servers, with the
slaves synchronised by iprop.  Recently we had a problem on the
slaves, in which the (binary) log file filled up /var, becoming
over 3gb in size.  The logs on the master server did not grow in
this way, but I do find a lot of errors there in the text log file.
First there are a _lot_ of errors of this type:

     Server not found in database: afs/cellname@REALMNAME: No such entry in the database

where I've replaced the real cell and realm names.  There are 1480
of these errors in the last 24 hours.  Then there are several hundred
thousand errors in this period of the form

     UNKNOWN -- user@REALMNAME: No such entry in the database

These are caused by people logging into local windows boxes, which
are apparently trying to do a kerberos login by default.  There
are many lines of the following forms:

     Lookup user@REALMNAME succeeded
     Lookup krbtgt/REALMNAME@REALMNAME succeeded
     Lookup afs@REALMNAME succeeded

There are about 30-odd lines in the day which say one of these:

     Server has no support for etypes
     Server (krbtgt/REALMNAME@REALMNAME) has no support for etypes

And the rest of the messages in the log file are fairly sensible.
Is it normal to have over 2 million lines per day in the log file?

There are 7769 lines about using various enctypes:

     4019     Using des-cbc-crc/des-cbc-crc
     2648     Using des-cbc-md5/des-cbc-md5
      923     Using des3-cbc-sha1/des-cbc-crc
      103     Using des3-cbc-sha1/des-cbc-md5
       57     Using aes256-cts-hmac-sha1-96/des-cbc-crc
       15     Using aes256-cts-hmac-sha1-96/des-cbc-md5
        4     Using des3-cbc-sha1/des3-cbc-sha1

Because of the usage of the system, it's pretty hard to
locate particular failures.  Here are two I think might correspond.
In the log from sshd I find:

     Mar 12 09:57:04 hostname sshd[26414]: Failed password for username from ipaddress port 1084 ssh2

and at the same time in heimdal-kdc log I find:

     AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
     Using des-cbc-crc/des-cbc-crc
     Requested flags: renewable_ok, proxiable, forwardable
     sending 493 bytes to IPv4:ipaddress
     AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
     Using des-cbc-crc/des-cbc-crc
     Requested flags: renewable_ok, proxiable, forwardable
     sending 493 bytes to IPv4:ipaddress

To me this looks as though the login ought to have succeeded.
Any clarification welcome.

     -- Owen
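An added example, not part of the mail thread: a small Python triage script that tallies the heimdal-kdc log line types quoted above (AS-REQ, Using, "Server not found in database", "UNKNOWN --", "no support for etypes") and flags enctype pairs that still involve single DES, which is what the counts in the mail are doing by hand. The sample log lines are constructed, with placeholder principals, realm and addresses; the mail does not say which side of a "Using a/b" line is the client and which the server, so the check flags single DES on either side.

```python
import re
from collections import Counter

# Constructed sample in the heimdal-kdc log formats quoted in the mail;
# principals, realm and addresses are placeholders, not values from the thread.
SAMPLE_LOG = """\
AS-REQ alice@EXAMPLE.ORG from IPv4:192.0.2.10 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Using des-cbc-crc/des-cbc-crc
Requested flags: renewable_ok, proxiable, forwardable
sending 493 bytes to IPv4:192.0.2.10
AS-REQ bob@EXAMPLE.ORG from IPv4:192.0.2.11 for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Using aes256-cts-hmac-sha1-96/des-cbc-crc
Requested flags: renewable_ok, proxiable, forwardable
sending 501 bytes to IPv4:192.0.2.11
Server not found in database: afs/example.org@EXAMPLE.ORG: No such entry in the database
UNKNOWN -- carol@EXAMPLE.ORG: No such entry in the database
Server (krbtgt/EXAMPLE.ORG@EXAMPLE.ORG) has no support for etypes
Using des3-cbc-sha1/des3-cbc-sha1
"""

AS_REQ = re.compile(r"AS-REQ (\S+) from (\S+) for (\S+)")
USING = re.compile(r"Using (\S+)/(\S+)")
STRONG_PREFIXES = ("aes", "des3")   # anything else is treated as single DES


def summarize(log_text):
    """Count the line types discussed in the mail and tally 'Using a/b' pairs.
    Returns (categories, enctype_pairs, as_reqs); as_reqs holds one
    (client principal, source address, requested service) tuple per AS-REQ."""
    categories, pairs, as_reqs = Counter(), Counter(), []
    for line in log_text.splitlines():
        line = line.strip()
        if m := AS_REQ.match(line):
            categories["as_req"] += 1
            as_reqs.append(m.groups())
        elif m := USING.match(line):
            categories["using"] += 1
            pairs[m.groups()] += 1
        elif line.startswith("Server not found in database:"):
            categories["server_not_found"] += 1
        elif line.startswith("UNKNOWN --"):
            categories["unknown_client"] += 1
        elif "has no support for etypes" in line:
            categories["no_etype_support"] += 1
    return categories, pairs, as_reqs


def weak_enctype_pairs(pairs):
    """Pairs where either enctype is single DES (neither AES nor 3DES)."""
    return {p: n for p, n in pairs.items()
            if not all(e.startswith(STRONG_PREFIXES) for e in p)}
```

Run it over a day's heimdal-kdc log instead of SAMPLE_LOG to reproduce the per-category and per-enctype counts from the mail and to see how much of the cell still depends on single-DES keys.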