[5884] in Kerberos
Intercell Authentication Problem
daemon@ATHENA.MIT.EDU (Venke.Murughappan)
Tue Sep 19 00:23:53 1995
To: kerberos@MIT.EDU
Date: Sun, 17 Sep 1995 21:18:14 GMT
From: venke@caseyColumbiaSC.NCR.COM (Venke.Murughappan)
This bug is about authenticated intercell lookup between two
DCE realms. OSF-DCE 1.0.3 running on AT&T's SVR4-based MP-RAS
platforms, using krb5/DNS entries to do the intercell lookup,
fails. Any info/insights to solve this problem will be
greatly appreciated.
HW & SW Data:
-------------
OSF-DCE Version 1.0.3 running on MP-RAS 3:00.00 and 2.03.00 Operating Systems (SVR4 UNIX).
Machines : mozart (158.78.108.21) & bach (153.78.108.24)
Problem:
--------
After cross registration, users of the local cell could log in to the foreign cell. The problem starts when the CDS is involved, as shown below:
cdscp show cell /.../foreign.cell.name, in our case it is
cdscp show cell /.../bach2g.columbiasc.attgis.com
This call returns the cell info if we do not have a valid ticket. If we log into DCE and run the same command again, it generates the following error message:
/>cdscp show cell /.../bach2g.columbiasc.attgis.com
SHOW
CELL /.../bach2g.columbiasc.attgis.com
AT 1995-09-10-22:43:51
status 282111999
Error on entity: /.../bach2g.columbiasc.attgis.com
Registry server unavailable (dce / sec)
Function: dnsReadAttrValue
Again, the same command works fine if we run kdestroy and re-execute the command.
rgy_edit
--------
While doing cross registration using the rgy_edit cell command, the following messages appear on the XConsole:
Sep 10 20:17:07 secd.dce.1.0.2[4161]: TGS_REQ: can't find key for 'krbtgt/bach2g.columbiasc.attgis.com@opera3a.columbiasc.attgis.com'
Sep 10 20:17:07 secd.dce.1.0.2[4161]: TGS_REQ: host 02cbef80-a015-11ce-8467-0000c0ef2e1c@ncacn_ip_tcp:153.78.108.21[2223]: Server not found in Kerberos database (dce / krb) while processing request
The first error message is generated by the kdc_get_server_key function. The second message is generated by the prepare_tgs_err
function. The message originates from the ek_cell_add function
in rgy_edit. When rgy_edit makes an RPC call to get the server key, this message is returned from the runtime.
CDS aspect of the problem:
--------------------------
The call is successful till the last leg of the intercell
lookup. The local CDS server parses the name in the local CDS, does
not find it, so gives the job to the GDA; the gdad daemon does a DNS
lookup and finds the foreign CDS server address, then the local
cdsclerk tries to communicate with the foreign CDS server, and at
this juncture the authentication failure occurs.
rpc_binding_set_auth_info call fails, with the message registry_server_not_found.
The actual failure occurs during the dns_send thread condition
OPQCDN0, this condition changes state and gives a broadcast
which releases the mutex (dns_send_int), which finishes the
DNS_WAIT.
The failure is camouflaged by thread conditions. The actual failure,
OPQCND0, occurs in cdsclerk when it tries to talk to the foreign CDS
server, which is the last leg of the call.
--
Venke Murughappan at X6547/6545
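The secd line quoted above names the principal the local TGS could not find: krbtgt/bach2g...@opera3a..., the cross-realm TGT service for the foreign cell as registered in the local cell. In Kerberos cross-realm, a client holding a TGT for realm A asks A's TGS for krbtgt/B@A; A's registry must hold that principal's key to issue the ticket, and B's registry must hold the same key to validate it, and the same holds in the other direction with krbtgt/A@B. The following is an added example, not code from the original post or from OSF DCE, that parses such secd "can't find key" lines and checks a constructed, hypothetical registry snapshot (a plain dict standing in for each cell's security registry, with placeholder keys) for both directions of the trust:

```python
import re

# Constructed sample: the two secd lines from the report, with the
# "can't find key" line in its repaired form.
SECD_LOG = """\
Sep 10 20:17:07 secd.dce.1.0.2[4161]: TGS_REQ: can't find key for 'krbtgt/bach2g.columbiasc.attgis.com@opera3a.columbiasc.attgis.com'
Sep 10 20:17:07 secd.dce.1.0.2[4161]: TGS_REQ: host 02cbef80-a015-11ce-8467-0000c0ef2e1c@ncacn_ip_tcp:153.78.108.21[2223]: Server not found in Kerberos database (dce / krb) while processing request
"""

# A cross-realm TGT service principal is krbtgt/<remote realm>@<local realm>.
KEY_RE = re.compile(
    r"TGS_REQ: can't find key for 'krbtgt/(?P<remote>[^@']+)@(?P<local>[^']+)'"
)


def parse_missing_krbtgt(log_text):
    """Return (remote_realm, local_realm) for every "can't find key" line.

    The KDC that logged the line is the TGS of local_realm: a client holding
    a local TGT asked it for a cross-realm TGT to remote_realm, and it has no
    key under which to encrypt one.
    """
    found = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if m:
            found.append((m.group("remote"), m.group("local")))
    return found


def cross_realm_principal(remote, local):
    return f"krbtgt/{remote}@{local}"


def check_cross_realm(registry, realm_a, realm_b):
    """Check that A and B can issue and accept cross-realm TGTs both ways.

    registry (hypothetical model) maps a realm name to {principal: key}.
    For A -> B to work, krbtgt/B@A must exist in A's registry (A's TGS
    encrypts the cross-realm TGT under it) and in B's registry with the
    same key (B's TGS decrypts it). Returns a list of problems; an empty
    list means both directions are consistent.
    """
    problems = []
    for src, dst in ((realm_a, realm_b), (realm_b, realm_a)):
        princ = cross_realm_principal(dst, src)
        src_key = registry.get(src, {}).get(princ)
        dst_key = registry.get(dst, {}).get(princ)
        if src_key is None:
            problems.append(f"{src}: missing {princ} (its TGS cannot issue tickets for {dst})")
        if dst_key is None:
            problems.append(f"{dst}: missing {princ} (its TGS cannot validate tickets from {src})")
        if src_key is not None and dst_key is not None and src_key != dst_key:
            problems.append(f"{princ}: key differs between {src} and {dst}")
    return problems


def diagnose(log_text, registry):
    """Tie each secd "can't find key" line back to the registry check."""
    report = []
    for remote, local in parse_missing_krbtgt(log_text):
        report.append(f"{local} TGS has no key for {cross_realm_principal(remote, local)}")
        report.extend(check_cross_realm(registry, local, remote))
    return report


# Constructed registry snapshot (assumption, not the real cells' state):
# both cells hold krbtgt/local@foreign, so foreign-cell clients can reach
# the local cell, but krbtgt/foreign@local was never created anywhere.
# Keys are placeholders.
LOCAL = "opera3a.columbiasc.attgis.com"
FOREIGN = "bach2g.columbiasc.attgis.com"
REGISTRY = {
    LOCAL: {cross_realm_principal(LOCAL, FOREIGN): "k1"},
    FOREIGN: {cross_realm_principal(LOCAL, FOREIGN): "k1"},
}

if __name__ == "__main__":
    for line in diagnose(SECD_LOG, REGISTRY):
        print(line)
```

Run against the constructed snapshot, the report names the missing krbtgt/bach2g...@opera3a... entry on both sides, while the reverse direction is clean; with both principals present under matching keys in both registries the check returns nothing.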