[29792] in Kerberos
RE: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
daemon@ATHENA.MIT.EDU (Mukarram Syed)
Mon May  5 20:24:36 2008
From: "Mukarram Syed" <muksyed@stanford.edu>
To: <kerberos@mit.edu>
Date: Mon, 5 May 2008 17:23:10 -0700
Message-ID: <01ab01c8af0f$5dca2c00$2e1c42ab@stanford.edu>
MIME-Version: 1.0
In-Reply-To: <00b401c8aca6$adb0c190$2e1c42ab@stanford.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
Hi Again,
Any suggestion will be appreciated.
Thanks
# mukarram
-----Original Message-----
From: kerberos-bounces@mit.edu [mailto:kerberos-bounces@mit.edu] On Behalf
Of Mukarram Syed
Sent: Friday, May 02, 2008 3:49 PM
To: kerberos@mit.edu
Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
Hi Kerberos Gurus.
 
I have 2 servers, the problem is that when I ssh into the box on the
server-notworking, I get both the .k5 and .k4 tickets:
 
server-notworking > klist
Ticket cache: FILE:/tmp/krb5cc_39728_T16049
Default principal: me@stanford.edu
 
Valid starting     Expires            Service principal
05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/stanford.edu@stanford.edu
05/02/08 15:18:47  05/03/08 16:18:45  afs/ir.stanford.edu@stanford.edu
 
 
Kerberos 4 ticket cache: /tmp/tkt39728_16049
Principal: me@IR.STANFORD.EDU
 
  Issued              Expires             Principal
05/02/08 15:18:45  05/03/08 01:18:45  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking@IR.STANFORD.EDU
 
But on the server that's working, I only get the k5 tickets:
 
server-working > klist
Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
Default principal: me@stanford.edu
 
Valid starting     Expires            Service principal
05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/stanford.edu@stanford.edu
05/02/08 15:27:27  05/03/08 01:27:25  afs/ir.stanford.edu@stanford.edu
 
 
Kerberos 4 ticket cache: /tmp/tkt39728
Principal: me@IR.STANFORD.EDU
 
  Issued              Expires             Principal
04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
 
The only difference that I can see between the two klist command outputs is:
 
05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking@IR.STANFORD.EDU
 
What is this?
 
Below is a comparison of the two servers.
I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
server-notworking.  I don't think this will make a difference because I have
already tried this on another server.  I can't upgrade the kernel though to
match the server that is working.  The server that is not working is an
actively used server.
 
Also if I remove the .klogin file in my home directory on the
server-notworking, I can't login to this box.  I need both .klogin and
.k5login files otherwise I get permission denied message when ssh'ing in.
I don't have the .klogin file in the server that is working, only the
.k5login file.
Please advise.
 
Thanks for your help.
 
Regards
 
# mukarram syed
 
 
SYSTEM INFO

server-notworking                             server-working
2.4.21-27.0.2.ELsmp                           2.4.21-50.ELsmp
Red Hat Enterprise Linux AS release 3         Red Hat Enterprise Linux AS release 3
(Taroon Update 4)                             (Taroon Update 9)

STATUS

server-notworking                             server-working
Not getting the afs tokens without            Fully Functional. NO aklog -setpag option set.
the aklog -setpag option in the shell
startup scripts.  Need .klogin and .k5login
to be able to SSH.  SSH won't work without
.klogin file.

OPENAFS RPMS

server-notworking                             server-working
openafs-1.4.2-1.1                             openafs-1.4.2-1.1
openafs-client-1.4.2-1.1                      openafs-client-1.4.2-1.1
openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1   openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
openafs-kernel-source-1.4.2-1.1               openafs-kernel-source-1.4.2-1.1
openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1

KRB5 RPMS

server-notworking                             server-working
krb5-devel-1.2.7-42                           krb5-devel-1.2.7-64
krb5-libs-1.2.7-42                            krb5-libs-1.2.7-64
krb5-SU-1.4.3-12.EL3                          krb5-SU-1.4.4-4.EL3
openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1
pam_krb5-SU-3.8-1.EL3                         pam_krb5-SU-3.8-1.EL3

PAM RPMS

server-notworking                             server-working
pam-0.75-62                                   pam-0.75-72
pam-afs-session-1.5-1.EL3                     pam-afs-session-1.5-1.EL3
                                              pam_ccreds-3-3.rhel3.2
pam-devel-0.75-62                             pam-devel-0.75-72
pam_krb5-SU-3.8-1.EL3                         pam_krb5-SU-3.8-1.EL3
pam_passwdqc-0.7.5-1                          pam_passwdqc-0.7.5-1
pam_smb-1.1.7-1                               pam_smb-1.1.7-1

IMPORTANT FILES: CKSUMS/SIZES

server-notworking                             server-working
782515666 1077 /etc/pam.d/system-auth         782515666 1077 /etc/pam.d/system-auth
292550411 160 /etc/krb.conf                   292550411 160 /etc/krb.conf
2006343950 4385 /etc/krb5.conf                3826595545 4386 /etc/krb5.conf
3068285566 267416 /usr/bin/aklog              1302602016 267416 /usr/bin/aklog
1323949453 19 /usr/vice/etc/CellAlias         1323949453 19 /usr/vice/etc/CellAlias
3556331601 16 /usr/vice/etc/ThisCell          3556331601 16 /usr/vice/etc/ThisCell
1399150640 446 /usr/vice/etc/CellServDB       514410920 208 /usr/vice/etc/CellServDB
 
Also in the /etc/ssh/sshd_config file the only differences are (If I change
it to no, on the server-notworking, I can't SSH, I get
Permission denied errors):
 
server-notworking                             server-working
KerberosAuthentication yes                    KerberosAuthentication no
KerberosOrLocalPasswd yes                     KerberosOrLocalPasswd no
KerberosTicketCleanup yes                     KerberosTicketCleanup no

SSH RPMS

server-notworking                             server-working
openssh-3.6.1p2-33.30.3                       openssh-3.6.1p2-33.30.14
                                              openssh-askpass-3.6.1p2-33.30.14
                                              openssh-askpass-gnome-3.6.1p2-33.30.14
openssh-clients-3.6.1p2-33.30.3               openssh-clients-3.6.1p2-33.30.14
openssh-server-3.6.1p2-33.30.3                openssh-server-3.6.1p2-33.30.14
 
 
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
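
Added example, not part of the original message: a small parser for the two klist outputs quoted above that reports which Kerberos 4 tickets were actually valid at login on each host. It assumes the newest Kerberos 5 start time approximates the ssh login; the function names are illustrative.

```python
import re
from datetime import datetime

# klist ticket lines copied from the message above, trimmed to the rows that matter.
NOTWORKING = """\
Ticket cache: FILE:/tmp/krb5cc_39728_T16049
05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/stanford.edu@stanford.edu
05/02/08 15:18:47  05/03/08 16:18:45  afs/ir.stanford.edu@stanford.edu
Kerberos 4 ticket cache: /tmp/tkt39728_16049
05/02/08 15:18:45  05/03/08 01:18:45  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking@IR.STANFORD.EDU
"""
WORKING = """\
Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/stanford.edu@stanford.edu
05/02/08 15:27:27  05/03/08 01:27:25  afs/ir.stanford.edu@stanford.edu
Kerberos 4 ticket cache: /tmp/tkt39728
04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU@IR.STANFORD.EDU
"""

STAMP = r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)"
TICKET = re.compile(rf"^{STAMP}\s+{STAMP}\s+(\S+)$")
FMT = "%m/%d/%y %H:%M:%S"

def parse_klist(text):
    """Split klist output into {'krb5': [...], 'krb4': [...]} of (start, end, principal)."""
    caches, current = {"krb5": [], "krb4": []}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Ticket cache:"):
            current = "krb5"
        elif line.startswith("Kerberos 4 ticket cache:"):
            current = "krb4"
        match = TICKET.match(line)
        if match and current:
            start, end = (datetime.strptime(match[i], FMT) for i in (1, 2))
            caches[current].append((start, end, match[3]))
    return caches

def live_krb4(text):
    """Kerberos 4 principals still valid at login time.

    Assumption: the newest Kerberos 5 start time approximates the ssh login.
    """
    caches = parse_klist(text)
    login = max(start for start, _, _ in caches["krb5"])
    return sorted(p for start, end, p in caches["krb4"] if start <= login <= end)

if __name__ == "__main__":
    for host, text in (("server-notworking", NOTWORKING), ("server-working", WORKING)):
        print(host, live_krb4(text) or "no live Kerberos 4 tickets")
```

On this input server-notworking has two live Kerberos 4 tickets issued within seconds of the login, while the only Kerberos 4 ticket listed on server-working expired at 05/02/08 01:09:17, before the 15:27:27 login.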