afs-krb5 integration

Klaas Hagemann kerberos at northsailor.de
Mon Oct 21 12:28:26 EDT 2002


I'm sorry, indeed, it works perfectly with Cesar's patch....
----- Original Message -----
From: "Klaas Hagemann" <kerberos at northsailor.de>
To: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
Cc: <kerberos at mit.edu>
Sent: Monday, October 21, 2002 3:19 PM
Subject: Re: afs-krb5 integration


> Hi,
>
> even with your patch having applied successfully for the server, I get the
> following error message after having kinit'd and aklog'd:
>
> # pts listentries
> Name                         ID  Owner Creator
> pts: ticket contained unknown key version number ; unable to list entries
>
>
> Any ideas?
> Klaas
> ----- Original Message -----
> From: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
> To: "Klaas Hagemann" <kerberos at northsailor.de>
> Cc: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>; <kerberos at mit.edu>
> Sent: Friday, October 18, 2002 5:23 PM
> Subject: Re: afs-krb5 integration
>
>
> > We haven't had problems with it. We've only recently started rolling
> > out OpenAFS.
> >
> > >>>>> "Klaas" == Klaas Hagemann <kerberos at northsailor.de> writes:
> >
> > Klaas> Hi Cesar, thanks for your quick help.  I supposed, I would
> > Klaas> have searched a long time for this bug.....  But with your
> > Klaas> patch, the krb524d works well together with openafs?
> >
> > Klaas> Thanks
> > Klaas> Klaas
> > Klaas> ----- Original Message -----
> > Klaas> From: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>
> > Klaas> To: "Ken Hornstein" <kenh at cmf.nrl.navy.mil>
> > Klaas> Cc: "Cesar Garcia" <Cesar.Garcia at morganstanley.com>; <kerberos at mit.edu>
> > Klaas> Sent: Friday, October 18, 2002 6:22 AM
> > Klaas> Subject: Re: afs-krb5 integration
> >
> >
> > >> Not sure - I'm not exactly an AFS subject matter expert and I
> > >> haven't seen the AFS code that implements the key retrieval (from
> > >> KeyFile) and token validation.
> > >>
> > >> When I first started looking at MIT's krb524, this was the first
> > >> problem we saw. [the 524 client setting the lifetimes incorrectly
> > >> was the other, as apparently the resulting V4 ticket lifetimes are
> > >> not communicated back to the client over the 524 wire protocol and
> > >> the client is setting it based on 5 minute increments in the V4
> > >> ticket, not the CMU/AFS lifetime interpretation].
> > >>
> > >> I noticed the kvno returned was "0", while the actual kvno for our
> > >> afs principal was "1" (as seen via kadmin).  Given the error and
> > >> the observed behavior wrt kvno, the fix was rather
> > >> straightforward.
> > >>
> > >> Perhaps your afs server uses different criteria for key
> > >> retrieval. We're only now starting to roll out OpenAFS. Our
> > >> observations were made with Transarc AFS, versions 3.x. Sorry I
> > >> don't have a good answer for this.
> > >>
> > >> >>>>> "Ken" == Ken Hornstein <kenh at cmf.nrl.navy.mil> writes:
> > >>
> > >> >> There is also a bug in krb524d that does not set the kvno on the
> > >> >> returned V4 ticket. Here's a patch:
> > >>
> > Ken> Interesting ... so what triggers this?  I mean, it seems to work
> > Ken> in normal circumstances ...
> > >>
> > Ken> --Ken
> > >> ________________________________________________
> > >> Kerberos mailing list           Kerberos at mit.edu
> > >> http://mailman.mit.edu/mailman/listinfo/kerberos
