[30562] in Kerberos
disabling krb524d attempts - causes login hangs
daemon@ATHENA.MIT.EDU (Fletcher Cocquyt)
Fri Dec 19 09:43:05 2008
To: kerberos@mit.edu
From: Fletcher Cocquyt <fcocquyt@stanford.edu>
Date: Fri, 19 Dec 2008 14:41:54 +0000 (UTC)
Message-ID: <loom.20081219T143531-401@post.gmane.org>
Mime-Version: 1.0
X-Complaints-To: usenet@ger.gmane.org
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi, a recent campus firewall change has caused user's kerberos logins to hang on
this system. The problem has been isolated to a krb524 attempt (which used to
swiftly fail - but now tries for 60-90 seconds before failing).
How can we explicitly disable the krb524 communication attempt (campus does not
run that service)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: no external
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: flag: warn
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ticket lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: renewable lifetime: 0
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: minimum uid: 100
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: banner: Kerberos 5
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: ccache dir: /tmp
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: keytab: FILE:/etc
/krb5.keytab
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: called to authenticate
'fcocquyt', realm 'stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating
'fcocquyt@stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: trying
previously-entered
password for 'fcocquyt', allowing libkrb5 to prompt for more
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: authenticating
'fcocquyt@stanford.edu' to 'krbtgt/stanford.edu@stanford.edu'
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]:
krb5_get_init_creds_password(krbtgt/stanford.edu@stanford.edu) returned 0
(Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: got result 0 (Success)
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtaining v4-compatible
key
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: obtained des-cbc-crc v5
creds
Dec 19 06:32:30 admsys-local sshd[801]: pam_krb5[801]: converting v5 creds to
v4
creds (etype = 1)
...
...<hang > 60 seconds >
...
...
many thanks
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
