[21070] in Athena Bugs
Login puzzle
daemon@ATHENA.MIT.EDU (Tom Cavin)
Thu Nov 14 13:38:13 2002
Message-ID: <15827.60819.86320.334283@lap1-wccf.mit.edu>
Date: Thu, 14 Nov 2002 13:38:11 -0500
From: Tom Cavin <cavin@MIT.EDU>
To: SIPB Linux Help <linux-help@MIT.EDU>
CC: Athena Bugs list <bugs@MIT.EDU>
Hi All,
I just had a problem on a private Linux Athena system that I don't
understand. The system is going to be reinstalled, so this isn't a
critical issue, but I'd like to have some idea what happened.
The Symptoms:
The only way to log in to the system is by using the root password, or
to boot single user. (This is a recent install, using grub.)
Attempting to log in at the console generates one of two errors:
If your password is correct, you get the pop-up message:
    Login Failed
    Unable to authenticate you, kerberos failure
    31: Can't decode authenticator (krb_rd_req)
If your password is not correct, you get:
    Incorrect password
Attempting to log in using SSH fails with a simple disconnect.
The Configuration:
The theoretical configuration for this system is a private workstation
running sshd to allow some remote logins using /etc/athena/access, and
with an area for private data. Remote access is enabled by running
"mkserv remote", and installing the srvtab file according to the standard
instructions.
The actual configuration is known to differ from this due to some
operator mistakes, but all the mistakes are not known at this time, and
that is what I'm curious about.
The Known Mistake:
There was some confusion with the original /etc/athena/srvtab file for
this system and there is now version skew between the existing srvtab
file and the KDC.
Other Information:
The /etc/athena/srvtab file was reconstructed from the /etc/krb5.keytab
file after the existing srvtab file had been removed. Confusion regarding
the nature of srvtab files resulted in the removal and it is very likely
that the old krb5.keytab file is out of sync with the KDC.
An "sshd -d" and "ssh -v" test indicated in the sshd debug output that
the ssh system thinks there is a version skew problem somewhere.
Even though login is not possible as a normal user, you can use "kinit"
to get proper, useful tickets.
Hesiod (or at least hesinfo) seems to work properly.
The /etc/athena/access list contains the single line "USER rl" for my
Athena username. The same symptoms persist with no access file at all,
and with my hesiod entry in the /etc/passwd and /etc/passwd.local files.
My Questions:
1. What tools can I use to get the srvtab/keytab versions so I can
compare local files with the corresponding versions on the KDC?
2. What happens in the normal login process for a normal user that isn't
happening here?
3. What does the error message from krb_rd_req mean? And more
generally, where can I find documentation on these errors?
4. Is there a way to get the system to tell me what's different or
missing?
Thanks,
--Tom
P.S. The expected recovery procedure is to get a new srvtab from accounts
and then reinstall the system. I would like to know what happened so I can
either repair it or recognize it and tell people not to do it. --tec
--
Tom Cavin Phone: (617) 258 - 7806
Computer Operations Manager Email: cavin@mit.edu
MIT - Whitaker College Computer Facility or tec@ai.mit.edu