Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
Mukarram Syed
muksyed at stanford.edu
Fri May 2 18:48:45 EDT 2008
Hi Kerberos Gurus.
I have 2 servers, the problem is that when I ssh into the box on the
server-notworking, I get both the .k5 and .k4 tickets:
server-notworking > klist
Ticket cache: FILE:/tmp/krb5cc_39728_T16049
Default principal: me at stanford.edu
Valid starting Expires Service principal
05/02/08 15:18:47 05/03/08 16:18:45 krbtgt/stanford.edu at stanford.edu
05/02/08 15:18:47 05/03/08 16:18:45 afs/ir.stanford.edu at stanford.edu
Kerberos 4 ticket cache: /tmp/tkt39728_16049
Principal: me at IR.STANFORD.EDU
Issued Expires Principal
05/02/08 15:18:45 05/03/08 01:18:45 krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
05/02/08 15:18:45 05/03/08 01:18:45 rcmd.server-notworking at IR.STANFORD.EDU
But on the server that's working, I only get the k5 tickets:
server-working > klist
Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
Default principal: me at stanford.edu
Valid starting Expires Service principal
05/02/08 15:27:27 05/03/08 01:27:25 krbtgt/stanford.edu at stanford.edu
05/02/08 15:27:27 05/03/08 01:27:25 afs/ir.stanford.edu at stanford.edu
Kerberos 4 ticket cache: /tmp/tkt39728
Principal: me at IR.STANFORD.EDU
Issued Expires Principal
04/30/08 23:42:56 05/02/08 01:09:17 krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
The only difference that I can see between the two klist command outputs is:
05/02/08 15:18:45 05/03/08 01:18:45 rcmd.server-notworking at IR.STANFORD.EDU
What is this?
Below is a comparison of the two servers.
I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
server-notworking. I don't think this will make a difference because I have
already tried this on another server. I can't upgrade the kernel though to
match the server that is working. The server that is not working is an
actively used server.
Also if I remove the .klogin file in my home directory on the
server-notworking, I can't login to this box. I need both .klogin and
.k5login files otherwise I get a permission denied message when ssh'ing in.
I don't have the .klogin file on the server that is working, only the
.k5login file.
Please advise.
Thanks for your help.
Regards
# mukarram syed
SYSTEM INFO
server-notworking                               server-working
2.4.21-27.0.2.ELsmp                             2.4.21-50.ELsmp
Red Hat Enterprise Linux AS release 3           Red Hat Enterprise Linux AS release 3
(Taroon Update 4)                               (Taroon Update 9)

STATUS
server-notworking                               server-working
Not getting the afs tokens without              Fully Functional. NO aklog -setpag option set.
the aklog -setpag option in the shell
startup scripts. Need .klogin and .k5login
to be able to SSH. SSH won't work without
.klogin file.

OPENAFS RPMS
server-notworking                               server-working
openafs-1.4.2-1.1                               openafs-1.4.2-1.1
openafs-client-1.4.2-1.1                        openafs-client-1.4.2-1.1
openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1     openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
openafs-kernel-source-1.4.2-1.1                 openafs-kernel-source-1.4.2-1.1
openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1

KRB5 RPMS
server-notworking                               server-working
krb5-devel-1.2.7-42                             krb5-devel-1.2.7-64
krb5-libs-1.2.7-42                              krb5-libs-1.2.7-64
krb5-SU-1.4.3-12.EL3                            krb5-SU-1.4.4-4.EL3
openafs-krb5-1.4.2-1.1                          openafs-krb5-1.4.2-1.1
pam_krb5-SU-3.8-1.EL3                           pam_krb5-SU-3.8-1.EL3

PAM RPMS
server-notworking                               server-working
pam-0.75-62                                     pam-0.75-72
pam-afs-session-1.5-1.EL3                       pam-afs-session-1.5-1.EL3
-                                               pam_ccreds-3-3.rhel3.2
pam-devel-0.75-62                               pam-devel-0.75-72
pam_krb5-SU-3.8-1.EL3                           pam_krb5-SU-3.8-1.EL3
pam_passwdqc-0.7.5-1                            pam_passwdqc-0.7.5-1
pam_smb-1.1.7-1                                 pam_smb-1.1.7-1

IMPORTANT FILES:
CKSUMS/SIZES
server-notworking                               server-working
782515666 1077 /etc/pam.d/system-auth           782515666 1077 /etc/pam.d/system-auth
292550411 160 /etc/krb.conf                     292550411 160 /etc/krb.conf
2006343950 4385 /etc/krb5.conf                  3826595545 4386 /etc/krb5.conf
3068285566 267416 /usr/bin/aklog                1302602016 267416 /usr/bin/aklog
1323949453 19 /usr/vice/etc/CellAlias           1323949453 19 /usr/vice/etc/CellAlias
3556331601 16 /usr/vice/etc/ThisCell            3556331601 16 /usr/vice/etc/ThisCell
1399150640 446 /usr/vice/etc/CellServDB         514410920 208 /usr/vice/etc/CellServDB

Also in the /etc/ssh/sshd_config file the only differences are (If I change
it to no, on the server-notworking, I can't SSH, I get
Permission denied errors):
server-notworking                               server-working
KerberosAuthentication yes                      KerberosAuthentication no
KerberosOrLocalPasswd yes                       KerberosOrLocalPasswd no
KerberosTicketCleanup yes                       KerberosTicketCleanup no

SSH RPMS
server-notworking                               server-working
openssh-3.6.1p2-33.30.3                         openssh-3.6.1p2-33.30.14
-                                               openssh-askpass-3.6.1p2-33.30.14
-                                               openssh-askpass-gnome-3.6.1p2-33.30.14
openssh-clients-3.6.1p2-33.30.3                 openssh-clients-3.6.1p2-33.30.14
openssh-server-3.6.1p2-33.30.3                  openssh-server-3.6.1p2-33.30.14