[OpenAFS] OpenAFS for Windows 1.5.72, Windows 7, VPN session killing

Jeffrey Altman jaltman@secure-endpoints.com
Sun, 14 Mar 2010 14:22:17 -0400

On 3/14/2010 12:14 PM, Jeff Blaine wrote:
>> the MIT klist.exe tells you.
>
>
> Yes, but it won't say anything useful when one has no creds
> because the VPN session is dying before that :)
>
> I meant, "how do I determine what it *would* try to use?"

Funny thing.  When I have no credentials and run klist.exe, it tells me
which cache it cannot find any credentials within.

[C:\src\openafs\openafs.git\repo\src\WINNT]"\Program
Files\mit\Kerberos\bin\klist.exe"
klist.exe: No credentials cache found (ticket cache
API:jaltman@YOUR-FILE-SYSTEM.COM)

>
>
> As for krb5.ini, there is no 'master_kdc' setting.  I've
> never heard of it and don't see that in the MIT Kerberos
> documentation for krb5.conf (?)
>

Another funny thing.  When I look at the docs for MIT Kerberos I find
http://web.mit.edu/kerberos/krb5-1.6/krb5-1.6/doc/krb5-admin.html#realms%20%28krb5.conf%29

[realms]

*master_kdc*
    Identifies the master KDC(s). Currently, this tag is used in only
    one case: If an attempt to get credentials fails because of an
    invalid password, the client software will attempt to contact the
    master KDC, in case the user's password has just been changed, and
    the updated database has not been propagated to the slave servers
    yet. (We don't currently check whether the KDC from which the
    initial response came is on the master KDC list. That may be fixed
    in the future.)



> Here it is:
>
> [libdefaults]
>     default_realm = RCF.OUR.ORG
>     forwardable = yes
>     ticket_lifetime = 1d
>     renew_lifetime = 2d
>     dns_lookup_realm = no
>     dns_lookup_kdc = no
>
> [appdefaults]
>     forwardable = yes
>
> [domain_realm]
>     .our.org = RCF.OUR.ORG
>
> [realms]
>     RCF.OUR.ORG = {
>         kdc = kdc1.our.org
>         kdc = kdc2.our.org
>         kdc = kdc3.our.org
>         admin_server = kdc1.our.org
> }
>
> [logging]
>         kdc = FILE:/var/adm/krb5kdc.log
>         admin_server = FILE:/var/adm/kadmin.log
>         default = FILE:/var/adm/krb5lib.log

If you add a master_kdc=kdc1.our.org you should find that the DNS SRV
queries for _master_kdc._udp.RCF.OUR.ORG are no longer being issued.
>
> I'm downloading the Windows Driver Development Kit 620MB ISO
> which is where the "Debugging Tools for Windows" now exist
> apparently.

You do not have to have the most bleeding edge version.  One of the
standalone installs would work just fine.

Jeffrey Altman
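The krb5.ini quoted in this thread, and the advice to add a master_kdc entry, lend themselves to a small configuration check. The Python script below is an added example and is not code from the thread, from OpenAFS, or from MIT Kerberos: it parses a krb5.conf/krb5.ini-style file (the quoted configuration is embedded as constructed sample input) and reports realms that list kdc hosts but no master_kdc, the condition under which the thread says the client's master-KDC lookup falls back to DNS SRV queries. The parser, the function names and the lint rule are this example's own; the parser covers the common krb5.conf shape ([section] headers, repeatable key = value lines and key = { ... } blocks), not every feature of the format.

```python
"""Check a krb5.ini / krb5.conf for realms without a master_kdc entry.

Added example for this thread; not OpenAFS or MIT Kerberos code.
"""
import re

# Constructed sample: the krb5.ini quoted in the thread.
SAMPLE_KRB5_INI = """\
[libdefaults]
    default_realm = RCF.OUR.ORG
    forwardable = yes
    ticket_lifetime = 1d
    renew_lifetime = 2d
    dns_lookup_realm = no
    dns_lookup_kdc = no

[appdefaults]
    forwardable = yes

[domain_realm]
    .our.org = RCF.OUR.ORG

[realms]
    RCF.OUR.ORG = {
        kdc = kdc1.our.org
        kdc = kdc2.our.org
        kdc = kdc3.our.org
        admin_server = kdc1.our.org
    }

[logging]
        kdc = FILE:/var/adm/krb5kdc.log
        admin_server = FILE:/var/adm/kadmin.log
        default = FILE:/var/adm/krb5lib.log
"""

# The same configuration with the master_kdc line the thread recommends.
SAMPLE_KRB5_INI_FIXED = SAMPLE_KRB5_INI.replace(
    "        admin_server = kdc1.our.org",
    "        master_kdc = kdc1.our.org\n        admin_server = kdc1.our.org",
)

_SECTION_RE = re.compile(r"^\[([^\]\s]+)\]$")


def parse_krb5_conf(text):
    """Return {section: {key: [value, ...]}}; a '{ ... }' block is a nested dict."""
    sections = {}
    current = None   # dict for the current [section]
    stack = []       # open '{ ... }' blocks, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":   # blank or comment line
            continue
        m = _SECTION_RE.match(line)
        if m and not stack:
            current = sections.setdefault(m.group(1), {})
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: '}}' without an open block")
            stack.pop()
            continue
        if current is None:
            raise ValueError(f"line {lineno}: directive before any [section]")
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"line {lineno}: expected 'key = value'")
        key, value = key.strip(), value.strip()
        target = stack[-1] if stack else current
        if value == "{":                  # start of a nested block
            block = {}
            target.setdefault(key, []).append(block)
            stack.append(block)
        else:                             # repeated keys collect into a list
            target.setdefault(key, []).append(value)
    if stack:
        raise ValueError("unterminated '{' block at end of file")
    return sections


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "on", "1")


def lint_realms(config):
    """Return (realm, message) for each realm listing kdc hosts but no master_kdc."""
    libdefaults = config.get("libdefaults", {})
    # MIT's default for dns_lookup_kdc is true; the last value given wins.
    dns_kdc = _is_true(libdefaults.get("dns_lookup_kdc", ["true"])[-1])
    findings = []
    for realm, entries in config.get("realms", {}).items():
        for block in entries:
            if isinstance(block, dict) and block.get("kdc") and not block.get("master_kdc"):
                findings.append((realm,
                    "kdc hosts listed but no master_kdc; the master-KDC lookup "
                    "after a failed password attempt is left to DNS SRV, which "
                    f"the thread observed even with dns_lookup_kdc = {'yes' if dns_kdc else 'no'}"))
    return findings


if __name__ == "__main__":
    for label, text in (("as quoted", SAMPLE_KRB5_INI), ("with master_kdc", SAMPLE_KRB5_INI_FIXED)):
        findings = lint_realms(parse_krb5_conf(text))
        print(f"--- {label}: {len(findings)} finding(s)")
        for realm, msg in findings:
            print(f"{realm}: {msg}")
```

Run against the quoted configuration the script reports one finding for RCF.OUR.ORG; with master_kdc = kdc1.our.org added it reports none. Pointing it at a real krb5.ini is a matter of replacing the sample string with the file's contents.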