[OpenAFS] Re: Mystery AFS/Kerberos packet

John Hascall john at iastate.edu
Fri Jan 23 10:05:28 EST 2004


> What operating system is the client running on?
> Is this a K4 request being produced from OpenAFS on Windows?

    I have seen this from three systems, none of which are
    under my group's management.  One (the first one I
    mentioned) exhibited it under both 2000 and XP and
    was using the IBM client.  The other two are PCs
    whose OS and client version I do not know.

> I have suspected that there is a threading problem in the OpenAFS for Windows
> client which is overwriting buffers being written to the network but have been
> unable to catch it reliably.  If you have a system which is consistently
> producing bad data at a known point it would be good to see if we can trace
> it down.

    Tell me what would need to be done, and I'll see if the
    owners are amenable...

John


> John Hascall wrote:
> 
> >>6303373b766d61124537XXXXXXXX0000494153544154452e4544550067710e403f6166730000
> >>
> >  c . 7 ; v m a . E 7 u s e r . . I A S T A T E . E D U . g q . @ ? a f s . .
> >
> >
> >>I'm not sure, but the tail bit of it looks like part of a krb4 initial
> >>ticket request by "user" for "afs at IASTATE.EDU", with lifetime 5 hours
> >>15 minutes, around 21 January 2004 (assuming little-endian).
> >>
> >
> >Yes, I've been convinced that this is a valid V4 packet whose
> >first two bytes (04 03) were somehow corrupted with 10 garbage
> >bytes (63 03 37 3b 76 6d 61 12 45 37) (and I went off on a wrong
> >tangent upon seeing the 0x6X first byte).  At this point, I'm going
> >to assume the user has either munged hardware or DLLs.
> >
> >It's really quite interesting to dump out rejected packets,
> >you see some fascinating crap, here's another:
> >
> ><04><03>__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!<00><00>IASTATE.EDU<00>^HN<0e>@?afs<00><00
> >
> >(a 53 character principal name is too long for k4)
> >(curious how both of these invalid packets used '?', 5h15m, for the lifetime).
> >
> >
> >John
> >_______________________________________________
> >OpenAFS-info mailing list
> >OpenAFS-info at openafs.org
> >https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> 
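Added example, not part of the original thread: a strict parser for the krb4 initial ticket request layout decoded above, returning the reason a packet is rejected. The function names are hypothetical, and the sample packets are constructed from the field values quoted in the thread ("user" stands in for the redacted XXXXXXXX bytes, as in the thread's own ASCII rendering).

```python
import struct
from datetime import datetime, timezone

KRB_PROT_VERSION = 4
AUTH_MSG_KDC_REQUEST = 1 << 1  # low bit of the type byte is the byte-order flag
FIELD_SZ = 40                  # krb4 ANAME_SZ/INST_SZ/REALM_SZ, NUL included

def _cstr(buf, pos, field):
    """Read one NUL-terminated string, enforcing the krb4 field size."""
    end = buf.find(b"\x00", pos)
    if end < 0:
        raise ValueError(f"{field}: no NUL terminator")
    if end - pos >= FIELD_SZ:
        raise ValueError(f"{field}: {end - pos} chars, krb4 allows {FIELD_SZ - 1}")
    return buf[pos:end].decode("latin-1"), end + 1

def parse_kdc_request(pkt):
    """Decode version, type, client principal, timestamp, lifetime, service."""
    if len(pkt) < 2:
        raise ValueError("truncated header")
    if pkt[0] != KRB_PROT_VERSION:
        raise ValueError(f"bad version byte 0x{pkt[0]:02x}")
    if pkt[1] & ~1 != AUTH_MSG_KDC_REQUEST:
        raise ValueError(f"not a KDC request: type 0x{pkt[1]:02x}")
    little = bool(pkt[1] & 1)  # 0x03 = KDC request sent by a little-endian host
    out, pos = {}, 2
    for field in ("name", "instance", "realm"):
        out[field], pos = _cstr(pkt, pos, field)
    if len(pkt) < pos + 5:
        raise ValueError("truncated before timestamp/lifetime")
    (ts,) = struct.unpack_from("<I" if little else ">I", pkt, pos)
    out["time"] = datetime.fromtimestamp(ts, tz=timezone.utc)
    out["lifetime_min"] = pkt[pos + 4] * 5  # 5-minute units, as decoded in the thread
    pos += 5
    for field in ("service", "service_instance"):
        out[field], pos = _cstr(pkt, pos, field)
    return out

def reject_reason(pkt):
    """Return None for a well-formed request, else the parser's complaint."""
    try:
        parse_kdc_request(pkt)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed samples built from the field values quoted in the thread
TAIL = b"\x00\x00IASTATE.EDU\x00"
GOOD = b"\x04\x03user" + TAIL + bytes.fromhex("67710e403f") + b"afs\x00\x00"
CORRUPT = bytes.fromhex("6303373b766d61124537") + GOOD[2:]
LONG = (b"\x04\x03__vmware_user__D2521F2GPKdgDby9P77qlo_w*glhuA3un*!sh!"
        + TAIL + bytes.fromhex("084e0e403f") + b"afs\x00\x00")
```

GOOD is the first packet with its two header bytes intact, CORRUPT is the same packet with the 10 garbage bytes in their place, and LONG is the second packet with its truncated final byte completed.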


