[3165] in Kerberos-V5-bugs


krb5-misc/794: Terminal server won't communicate to new version.

daemon@ATHENA.MIT.EDU (davidbu@cit.gu.edu.au)
Mon Dec 20 01:33:10 1999

Resent-From: gnats@rt-11.MIT.EDU (GNATS Management)
Resent-To: krb5-unassigned@RT-11.MIT.EDU
Resent-Reply-To: krb5-bugs@MIT.EDU, davidbu@cit.gu.edu.au
Message-Id: <199912200617.QAA04725@beholder.cit.gu.edu.au>
Date: Mon, 20 Dec 1999 16:17:09 +1000 (EST)
From: davidbu@cit.gu.edu.au
Reply-To: davidbu@cit.gu.edu.au
To: krb5-bugs@MIT.EDU


>Number:         794
>Category:       krb5-misc
>Synopsis:       Xyplex terminal server works with release 5beta 5, but not with 1.0.6 or 1.1beta1
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    krb5-unassigned
>State:          open
>Class:          support
>Submitter-Id:   unknown
>Arrival-Date:   Mon Dec 20 01:18:01 EST 1999
>Last-Modified:
>Originator:     David Bussenschutt
>Organization:
Griffith University
>Release:        krb5-1.1-beta1
>Environment:
	
System: SunOS beholder 5.6 Generic_105181-16 sun4m sparc SUNW,SPARCstation-10
Architecture: sun4

>Description:
We have a terminal server (used for dial-in access) that authenticates to a Kerberos server.  We are moving the Kerberos server off of a SunOS 4 (Solaris 2.4) to a Solaris 2.6 server due to the age of the server. The terminal server will authenticate quite happily to the original Kerberos server... but authentication fails when using the newer server/Kerberos install.

The install on the Solaris 2.6 server is standard, i.e. like this:
	./configure --with-cc=gcc --prefix=/opt/krb5
	make 
	make install

I did not install the original SunOS 4 server, but it is also installed into /opt/krb5.

Old server, where Kerberos links to terminal server: citadel.cit.gu.edu.au
New server, where Kerberos is NOT linking to terminal server: beholder.cit.gu.edu.au

Here is a log of the two cases, attempting to connect to each server. I have done a 'show unit' and a 'show server kerberos' in both cases to show you that the settings are the same (except for the Kerberos server, of course).

Old (but working) server first:
------------------------------------
spawn telnet termsmod 2000
Trying 132.234.42.65...
Connected to termsmod.cit.gu.edu.au.
Escape character is '^]'.
 
# 
Enter username> davidbu
termsmod> set pri XXXXXXX
termsmod>>
termsmod>> show unit
 
Hardware Type:       86
Hardware Revision:   00.00.00
Rom Revision:        470000
Software Type:       Terminal Server Level 4
Software Revision:   V6.0.1
Protocol Type:       TELNET, SNMP, PPP
 
Daemon(s):           FINGERD
                     SYSLOGD(Host: 132.234.1.110 Log Facility: LOCAL0)
 
Enabled Feature(s):  HELP, ULI, NESTED MENUS, KERBEROS 5

termsmod>> show server kerberos
 
MX1620 V6.0.1 Rom 470000 HW 00.00.00 Lat Protocol V5.2 Uptime: 28 04:46:37
                                                      19 Dec 1999  20:03:16
Kerberos Security:         Login          Kerberos Version 5
Kerberos Realm:            CIT.GU.EDU.AU
Kerberos Master:           CITADEL.CIT.GU.EDU.AU
Resolved Address:          132.234.86.5
Kerberos Primary Server:   CITADEL.CIT.GU.EDU.AU
Resolved Address:          132.234.86.5
Kerberos Secondary Server: NONE
Resolved Address:          0.0.0.0               739 Error Message:
Please contact CIT HelpDesk (3875-3666)
Kerberos Port Number:      750      Kerberos Password Port:    749
Kerberos Query Limit:      3        Password Service: kadmin
Kerberos Ports Enabled:    1-16
Successful Logins:         730      Unsuccessful Logins:         25
Logins without Kerberos:   12       Password Change Failures:    0
Last Kerberos Error:       31       Occurred:       18 Dec 1999  17:39:24
 
Attempts to access:        Master            Server1              Server2
Successful:                     0                755                    0
Unsuccessful:                   0                  0                    0
 
termsmod>>    
 
termsmod>> kerberos
Enter user password>
termsmod>>           
----------------------------------
^^^--note how I authenticate to the Kerberos server here, and get no errors. (Dandy!)
OK, so let's try the other (newer) server...
----------------------------------
spawn telnet termsmod 2000
Trying 132.234.42.65...
Connected to termsmod.cit.gu.edu.au.
Escape character is '^]'.
 
#
Enter username> davidbu
termsmod> set pri XXXXXXX
termsmod>>
termsmod>> show unit
 
Hardware Type:       86
Hardware Revision:   00.00.00
Rom Revision:        470000
Software Type:       Terminal Server Level 4
Software Revision:   V6.0.1
Protocol Type:       TELNET, SNMP, PPP
 
Daemon(s):           FINGERD
                     SYSLOGD(Host: 132.234.34.1 Log Facility: LOCAL0)
 
Enabled Feature(s):  HELP, ULI, NESTED MENUS, KERBEROS 5
 
 
termsmod>> show server kerberos
 
MX1620 V6.0.1 Rom 470000 HW 00.00.00 Lat Protocol V5.2 Uptime: 0 01:09:57
                                                      19 Dec 1999  19:58:51
Kerberos Security:         Login          Kerberos Version 5
Kerberos Realm:            CIT.GU.EDU.AU
Kerberos Master:           BEHOLDER.CIT.GU.EDU.AU
Resolved Address:          132.234.86.5
Kerberos Primary Server:   BEHOLDER.CIT.GU.EDU.AU
Resolved Address:          132.234.86.5
Kerberos Secondary Server: NONE
Resolved Address:          0.0.0.0               739 Error Message:
Please contact CIT HelpDesk (3875-3666)
Kerberos Port Number:      750      Kerberos Password Port:    749
Kerberos Query Limit:      3        Password Service: kadmin
Kerberos Ports Enabled:    1-16
Successful Logins:         730      Unsuccessful Logins:         25
Logins without Kerberos:   12       Password Change Failures:    0
Last Kerberos Error:       31       Occurred:       18 Dec 1999  17:39:24
 
Attempts to access:        Master            Server1              Server2
Successful:                     0                755                    0
Unsuccessful:                   0                  0                    0
 
termsmod>>  kerberos
Enter user password>
Enter user password>
Enter user password>
Xyplex -739- Please contact CIT HelpDesk (3875-3666)
 
 
Xyplex -020- Logged out port 0 on server TERMSMOD at 19    
------------------------------------
^^^^--- and now note that I get logged out. It won't accept my passwd.  HOWEVER: I know that I have contacted the Kerberos server successfully because the logs on the server tell me I have, even though the terminal server failed to let me pass (using tail -f /opt/krb5/var/krb5kdc/kdc.log)
.....and got:
Dec 20 16:10:15 beholder krb5kdc[233](info): AS_REQ 132.234.86.81(88): ISSUE: authtime 945670215, davidbu@CIT.GU.EDU.AU for krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU  
------------------------------------
The problem is NOT that the KDC isn't working, as the following shows (I can kinit both my common and admin instances):
------------------------------------
davidbu@beholder>~> kinit davidbu
Password for davidbu@CIT.GU.EDU.AU:
davidbu@beholder>~> klist
Ticket cache: /tmp/krb5cc_101
Default principal: davidbu@CIT.GU.EDU.AU
 
Valid starting     Expires            Service principal
12/20/99 16:06:14  12/21/99 02:06:14  krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU
davidbu@beholder>~> kinit davidbu/admin
Password for davidbu/admin@CIT.GU.EDU.AU:
davidbu@beholder>~> klist
Ticket cache: /tmp/krb5cc_101
Default principal: davidbu/admin@CIT.GU.EDU.AU
 
Valid starting     Expires            Service principal
12/20/99 16:06:28  12/21/99 02:06:28  krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU
davidbu@beholder>~>   
-----------------------------------

Now, from here on I'm stuck.

>How-To-Repeat:
	see above.
>Fix:
	No fix known here, that's what I'm after myself.  I really don't know.
>Audit-Trail:
>Unformatted: