[OpenAFS] Re: A problem with authentication
Dr A V Le Blanc
Dr A V Le Blanc <LeBlanc@mcc.ac.uk>
Mon, 12 Mar 2007 14:58:12 +0000
I wrote:
> We have a very old AFS cell, installed with kaserver back in 1991,
> and we later migrated to use heimdal instead of kaserver. This was
> working well with Debian sarge installations, which were our standard
> setup until recently. When we started upgrading some of our clients
> to Debian etch (libpam-heimdal moves from 1.0-17 to 2.5-1), we're
> seeing problems with some people getting failed login problems
> repeatedly (in /var/log/auth.log we see 'Failed password for xxx').
> If we change the pam library from libpam-heimdal to the MIT-based
> libpam-krb5 (version 2.6-1), there are still some failures, but
> not as many.
Love Hörnquist Åstrand wrote:
> Is there any corresponding error in the KDC log?
Interesting that you should ask this. We are running Debian's
heimdal-kdc version 0.7.2.dfsg.1-10 on three servers, with the
slaves synchronised by iprop. Recently we had a problem on the
slaves, in which the (binary) log file filled up /var, becoming
over 3gb in size. The logs on the master server did not grow in
this way, but I do find a lot of errors there in the text log file.
First there are a _lot_ of errors of this type:
Server not found in database: afs/cellname@REALMNAME: No such entry in the database
where I've replaced the real cell and realm names. There are 1480
of these errors in the last 24 hours. Then there are several hundred
thousand errors in this period of the form
UNKNOWN -- user@REALMNAME: No such entry in the database
These are caused by people logging into local windows boxes, which
are apparently trying to do a kerberos login by default. There
are many lines of the following forms:
Lookup user@REALMNAME succeeded
Lookup krbtgt/REALMNAME@REALMNAME succeeded
Lookup afs@REALMNAME succeeded
There are about 30-odd lines in the day which say one of these:
Server has no support for etypes
Server (krbtgt/REALMNAME@REALMNAME) has no support for etypes
And the rest of the messages in the log file are fairly sensible.
Is it normal to have over 2 million lines per day in the log file?
There are 7769 lines about using various enctypes:
4019 Using des-cbc-crc/des-cbc-crc
2648 Using des-cbc-md5/des-cbc-md5
923 Using des3-cbc-sha1/des-cbc-crc
103 Using des3-cbc-sha1/des-cbc-md5
57 Using aes256-cts-hmac-sha1-96/des-cbc-crc
15 Using aes256-cts-hmac-sha1-96/des-cbc-md5
4 Using des3-cbc-sha1/des3-cbc-sha1
Because of the usage of the system, it's pretty hard to
locate particular failures. Here are two I think might correspond.
In the log from sshd I find:
Mar 12 09:57:04 hostname sshd[26414]: Failed password for username from ipaddress port 1084 ssh2
and at the same time in heimdal-kdc log I find:
AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
Using des-cbc-crc/des-cbc-crc
Requested flags: renewable_ok, proxiable, forwardable
sending 493 bytes to IPv4:ipaddress
AS-REQ username@REALMNAME from IPv4:ipaddress for krbtgt/REALMNAME@REALMNAME
Using des-cbc-crc/des-cbc-crc
Requested flags: renewable_ok, proxiable, forwardable
sending 493 bytes to IPv4:ipaddress
To me this looks as though the login ought to have succeeded.
Any clarification welcome.
-- Owen
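The log triage described in the message above, written out as an added example (this is not code from the thread or from Heimdal/OpenAFS): it parses KDC log lines of the shapes quoted in the message, tallies the "Using X/Y" enctype pairs and the three error classes mentioned, and lines up each sshd "Failed password" event with the AS-REQs for the same user and client address within a few seconds. The sample log lines are constructed here from the formats in the message; the ISO timestamp prefix on the KDC lines, the addresses, the extra principals, and the reading of the two enctype names as session-key/client-key enctype are assumptions, not facts taken from the page.

```python
"""Correlate Heimdal KDC log lines with sshd 'Failed password' lines.

Sample input is constructed for this example from the line formats quoted
in the mailing-list message; the leading ISO timestamp on KDC lines is an
assumption about the log format, as are addresses and extra principals.
"""
import re
from collections import Counter
from datetime import datetime

KDC_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (.*)$")
AS_REQ = re.compile(r"^AS-REQ (?P<client>\S+) from IPv4:(?P<ip>\S+) for (?P<server>\S+)$")
# Assumption: first name is the session-key enctype, second the client/reply key enctype.
USING = re.compile(r"^Using (?P<session>\S+)/(?P<client_key>\S+)$")
SENDING = re.compile(r"^sending (?P<nbytes>\d+) bytes to IPv4:(?P<ip>\S+)$")
SSHD_FAIL = re.compile(r"^(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                       r"Failed password for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$")
# The three error classes the message singles out; order matters (first match wins).
ERROR_CLASSES = {
    "afs_server_missing": re.compile(r"^Server not found in database: afs/"),
    "unknown_principal": re.compile(r"^UNKNOWN -- \S+: No such entry in the database$"),
    "no_etype_support": re.compile(r"has no support for etypes$"),
}


def parse_kdc_log(lines):
    """Return (as_requests, enctype_pair_counter, error_class_counter).

    An AS-REQ record collects the 'Using', 'Requested flags' and 'sending'
    lines that follow it until the reply is sent."""
    requests, enctypes, errors = [], Counter(), Counter()
    current = None
    for raw in lines:
        m = KDC_TS.match(raw.strip())
        if not m:
            continue  # not a timestamped KDC line; skip
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        msg = m.group(2)
        if (r := AS_REQ.match(msg)):
            current = {"time": ts, **r.groupdict(), "enctypes": None, "flags": (), "sent": None}
            requests.append(current)
        elif (u := USING.match(msg)):
            pair = f"{u['session']}/{u['client_key']}"
            enctypes[pair] += 1
            if current is not None:
                current["enctypes"] = pair
        elif msg.startswith("Requested flags: ") and current is not None:
            current["flags"] = tuple(f.strip() for f in msg[len("Requested flags: "):].split(","))
        elif (s := SENDING.match(msg)) and current is not None:
            current["sent"] = int(s["nbytes"])
            current = None  # reply went out; record complete
        else:
            for name, pat in ERROR_CLASSES.items():
                if pat.search(msg):
                    errors[name] += 1
                    break
    return requests, enctypes, errors


def parse_sshd_failures(lines, year=2007):
    """Extract (time, user, ip) from syslog-style sshd 'Failed password' lines.
    syslog lines carry no year, so the caller supplies it."""
    out = []
    for raw in lines:
        if (m := SSHD_FAIL.match(raw.strip())):
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            out.append({"time": ts, "user": m["user"], "ip": m["ip"]})
    return out


def correlate(failures, requests, window_seconds=5):
    """Pair each sshd failure with AS-REQs from the same user and address
    within the window. A failure with matching AS-REQs that all reached the
    'sending' stage is the puzzling case from the message: the KDC answered,
    yet PAM reported a failed password."""
    report = []
    for f in failures:
        hits = [r for r in requests
                if r["client"].split("@", 1)[0] == f["user"]
                and r["ip"] == f["ip"]
                and abs((r["time"] - f["time"]).total_seconds()) <= window_seconds]
        report.append((f, hits))
    return report


# Constructed sample data (formats copied from the message; values invented).
SAMPLE_KDC = """\
2007-03-12T09:57:04 AS-REQ username@REALMNAME from IPv4:192.0.2.10 for krbtgt/REALMNAME@REALMNAME
2007-03-12T09:57:04 Using des-cbc-crc/des-cbc-crc
2007-03-12T09:57:04 Requested flags: renewable_ok, proxiable, forwardable
2007-03-12T09:57:04 sending 493 bytes to IPv4:192.0.2.10
2007-03-12T09:57:04 AS-REQ username@REALMNAME from IPv4:192.0.2.10 for krbtgt/REALMNAME@REALMNAME
2007-03-12T09:57:04 Using des-cbc-crc/des-cbc-crc
2007-03-12T09:57:04 Requested flags: renewable_ok, proxiable, forwardable
2007-03-12T09:57:04 sending 493 bytes to IPv4:192.0.2.10
2007-03-12T09:57:30 UNKNOWN -- bob@REALMNAME: No such entry in the database
2007-03-12T09:58:01 Server not found in database: afs/cellname@REALMNAME: No such entry in the database
2007-03-12T09:58:20 AS-REQ alice@REALMNAME from IPv4:192.0.2.11 for krbtgt/REALMNAME@REALMNAME
2007-03-12T09:58:20 Using aes256-cts-hmac-sha1-96/des-cbc-crc
2007-03-12T09:58:20 Requested flags: renewable_ok, forwardable
2007-03-12T09:58:20 sending 500 bytes to IPv4:192.0.2.11
2007-03-12T09:59:00 Server (krbtgt/REALMNAME@REALMNAME) has no support for etypes
""".splitlines()

SAMPLE_SSHD = """\
Mar 12 09:57:04 hostname sshd[26414]: Failed password for username from 192.0.2.10 port 1084 ssh2
Mar 12 10:05:00 hostname sshd[26500]: Failed password for carol from 192.0.2.12 port 2000 ssh2
""".splitlines()

if __name__ == "__main__":
    reqs, enc, err = parse_kdc_log(SAMPLE_KDC)
    for pair, n in enc.most_common():
        print(f"{n:6d} Using {pair}")
    print(dict(err))
    for failure, hits in correlate(parse_sshd_failures(SAMPLE_SSHD), reqs):
        print(failure["user"], failure["ip"], "AS-REQs answered:", len(hits),
              [h["enctypes"] for h in hits])
```

Run it against the real files with the KDC log read from wherever Heimdal writes it and `/var/log/auth.log` for sshd; pass the correct year to `parse_sshd_failures`, since syslog lines omit it. The enctype tally reproduces the "Using" histogram from the message, and the correlation step isolates the cases where the KDC visibly sent a reply but the client still logged a failure, which narrows the search to the PAM/client side rather than the KDC.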