[20489] in Athena Bugs
Re: Solaris Athena 9.1.11 and KNFS servers
daemon@ATHENA.MIT.EDU (Tom Cavin)
Tue Jul 16 16:49:16 2002
Message-ID: <15668.34506.258410.788897@lap1-wccf.mit.edu>
Date: Tue, 16 Jul 2002 16:49:14 -0400
From: Tom Cavin <cavin@MIT.EDU>
To: Garry Zacheiss <zacheiss@mit.edu>
Cc: Tom Cavin <cavin@mit.edu>, Athena Bugs list <bugs@mit.edu>
In-Reply-To: <200207162026.QAA14779@riff-raff.mit.edu>
Hi Garry,
I was in a bit of a rush with this server and fixed it (more or less) by
doing a "nfs.server stop" followed by an "nfs.server start".
If I recall correctly, we had a similar problem with mountd dying on start
up that was fixed with a new version of mountd.
I can let you onto the system, but I'm not sure if it would be enlightening
since the system now seems to be running. (Although you could look at the
nfs.server links and copies in the /etc/rc?.d directories...)
I've added "zacheiss/root@ATHENA.MIT.EDU" to the /.k5login file on
Yoda-WCCF, and you are welcome to look around.
The other odd thing that is happening is with a brand new Dell running
Athena Linux 9.0.28 (at least until tonight). I just ran "mkserv remote"
on it, added a new srvtab (and krb5.keytab), and rebooted. But it still
doesn't seem to work with the .k5login file. When I try to log in I get:
$ ssh -l root pasque -v
SSH Version 1.2.26 [i686-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.
lap1-wccf.mit.edu: ssh_connect: getuid 3620 geteuid 3620 anon 1
lap1-wccf.mit.edu: Connecting to pasque [18.229.2.36] port 22.
lap1-wccf.mit.edu: Connection established.
lap1-wccf.mit.edu: Remote protocol version 1.5, remote software version 1.2.26
lap1-wccf.mit.edu: Waiting for server public key.
lap1-wccf.mit.edu: Received server public key (768 bits) and host key (1024 bits).
lap1-wccf.mit.edu: Host 'pasque' is known and matches the host key.
lap1-wccf.mit.edu: Initializing random; seed file /mit/cavin/.ssh/random_seed
lap1-wccf.mit.edu: Encryption type: idea
lap1-wccf.mit.edu: Sent encrypted session key.
lap1-wccf.mit.edu: Installing crc compensation attack detector.
lap1-wccf.mit.edu: Received encrypted confirmation.
lap1-wccf.mit.edu: Trying Kerberos V5 TGT passing.
lap1-wccf.mit.edu: Kerberos V5 TGT passing was successful.
lap1-wccf.mit.edu: Trying Kerberos V5 authentication.
lap1-wccf.mit.edu: Remote: Kerberos V5 krb5_rd_req: Key version number for principal in key table is incorrect
lap1-wccf.mit.edu: Kerberos V5 authentication failed.
lap1-wccf.mit.edu: No agent.
lap1-wccf.mit.edu: Trying RSA authentication with key 'cavin@home-on-the-dome.mit.edu'
lap1-wccf.mit.edu: Server refused our key.
lap1-wccf.mit.edu: Doing password authentication.
root@pasque's password:
Received signal 2.
I can get in using either the password or ssh-agent, but I don't understand
why the "Key version number for principal in key table is incorrect".
When I look at the srvtab and krb5.keytab files, they seem ok. I don't
know (or remember) how to check the version on the key server.
bash-2.04# ktutil
ktutil: rst /etc/athena/srvtab
ktutil: l
slot KVNO Principal
---- ---- --------------------------------------------------------------------------
   1    4 host/pasque.mit.edu@ATHENA.MIT.EDU
   2    4 rvdsrv/pasque.mit.edu@ATHENA.MIT.EDU
ktutil: q
bash-2.04# ktutil
ktutil: rkt /etc/krb5.keytab
ktutil: l
slot KVNO Principal
---- ---- --------------------------------------------------------------------------
   1    4 host/pasque.mit.edu@ATHENA.MIT.EDU
   2    4 rvdsrv/pasque.mit.edu@ATHENA.MIT.EDU
ktutil: q
I'd welcome any pointers on either problem.
Thanks,
--Tom
P.S. I've also added your Athena Kerberos principal to the /root/.k5login
file on Pasque. In the best of all possible worlds we'll be using that
system as an OpenAFS server for this lab. --tec
Garry Zacheiss writes:
> Hi Tom,
>
> Sorry for the delay. In answer to your question:
>
> >> One of my systems took the update and then failed to start KNFS. It
> >> also has a peculiar combination of links and file copies for the
> >> nfs.server file in the /etc/rc?.d directories that doesn't look to be
> >> managed by chkconfig. Does chkconfig (or an equivalent) exist on
> >> Solaris?
>
> No, there's no equivalent to chkconfig on Solaris, at least one that
> we use with mkserv. Those links are created by hand.
>
> >> The server in question is Yoda-WCCF (ask me for access to look around it
> >> if you want to).
>
> I am happy to take a look if you'd like.
>
> Garry
--
Tom Cavin Phone: (617) 258 - 7806
Computer Operations Manager Email: cavin@mit.edu
MIT - Whitaker College Computer Facility or tec@ai.mit.edu