Ticket forwarding and IP addresses

Cesar Garcia Cesar.Garcia at morganstanley.com
Tue Feb 12 21:41:34 EST 2002 

This is not exactly a Kerberos specific issue, but perhaps
the folks on this mailing list might have some insight.

I decided for now to go with Ken's suggestion that I simply
remove the IP addresses from my V5 tickets, and do ticket
forwarding sans IP addresses.

It appears that the one dependency we have on IP addresses
is k524. Our client code is modern and works fine. It's an
old krb524d which we currently run on a CyberSafe KDC that
requires IP addresses in the requesting ticket.

So thanks to Doug Engert, we have a -k option that allows
one to run the MIT krb524d with a keytab, which handles
null IP addresses just fine - and I don't immediately, or
perhaps ever, have to solve the problem of writing the glue
to get it to work the CyberSafe KDB. Simply extracting all
the necessary keys to a keytab file suffices.

I then add the following keys to a keytab file:
1 - krbtgt/k5realm at k5realm
2 - afs at k5realm (*)

(*) An aside - this predates me, so I'm not sure what all
the reasons were) Since all of our AFS cells use the same
server principal, we don't have afs/afscellname at k5realm
for each of our cells, just one principal afs at k5realm
(one k5realm) for all cells. Not sure how/if this is
relevant, but it is different.

The basic algorithm for obtaining tokens for all cells follows:
1 - using V5 TGS, obtain a ticket V5 ticket for afs at k5realm
    (this ticket get's cached)
2 - using k524 and V5 ticket for afs at k5realm, obtain a V4 ticket
    for afs at k5realm
3 - foreach cell, invoke ktc_SetToken, passing in the V4 cred
    obtained in step 2.

This code is implemented in a lib/app we call ak5log and works
with the cybersafe based krb524d, with either the cybersafe
based k524 client or the MIT based k524 client.

When we try to run either the cybersafe or MIT based client
against the MIT krb524d (using -k), the ak5log code completes,
but I get the following messages in syslog:
----
Feb 12 21:05:09 imus afs: [ID 255639 kern.notice] afs: Tokens for user of AFS id 4843 for cell w.ny.ms.com are discarded (rxkad error=19270408)
----
with a similar error going to my console.

krb524init itself seems to work fine against the same MIT
krb524d with the keytab. That is the I can V4 tgt and run
my v4 apps with no problem.

The error apparently corresponds to "Unknown key". I've verified
the key and kvno for afs at k5realm that was extracted to the
keytab file, and it appears to be correct. I assume I would
have failed earlier had that not been the case.

When I list my tokens, the listing looks normal.t The
tokens themselves, however, are worthless.

We're running various versions of transarc afs (3.5, 3.6)
on our solaris machines, openafs 1.2.2 on our linux boxes.
AFS servers are solaris.

Before I go digging into this problem some more, I was wondering
if anyone might have some insight on this one.

Thanks in advance.

>>>>> "Cesar" == Cesar Garcia <Cesar.Garcia at morganstanley.com> writes:

Cesar> I've been working with 1.2.2 for a some months now, and only
Cesar> recently have attempted to get the rcmds working, mainly in
Cesar> an effort to better understand how ticket forwarding works,
Cesar> since we have a need to do this in a homegrown application.

Cesar> The behavior that I see is that when I invoke ticket
Cesar> forwarding, the "forwarded" tickets contain only a single
Cesar> IP address.

Cesar> After walking through some of the code, it appears that
Cesar> the client, via krb5_fwd_tgt_creds, determines the target's
Cesar> IP address via a host lookup using gethostbyname(), as
Cesar> implemented in krb5_os_hostaddr().

Cesar> Since we use NIS as the primary source for hostname
Cesar> resolution, all host lookups render a single IP address,
Cesar> even for multihomed machines. Moving to DNS is not an
Cesar> option at the moment. Additionally, we use Veritas VCS
Cesar> and other similar clustering facilities. These hosts
Cesar> will have additional IP addresses that are not associated
Cesar> with the real hostname, but with service names for a
Cesar> particular cluster/application. So even if were to switch
Cesar> to DNS, the client would not be able to determine all the
Cesar> IP addresses for a given target host via the hostname
Cesar> lookup that it uses today.

Cesar> That said (barring hacks to application protocols that
Cesar> would allow target hosts to send IP addresses back to
Cesar> the source host, then having the client embed the full set
Cesar> of tickets), the way to address this would be to have
Cesar> the target host obtain new tickets will a full set of
Cesar> IP addresses.

Cesar> 1 - is this possible?
Cesar> 2 - is it within the limits of the specification?

Cesar> If so, has anyone has implemented this for 1.2.2 or any
Cesar> releases of MIT krb5.

More information about the Kerberos mailing list