Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.

Mukarram Syed muksyed at stanford.edu
Fri May 2 18:48:45 EDT 2008 

Hi Kerberos Gurus.

 

I have 2 servers, the problem is that when I ssh into the box on the
server-notworking, I get both the .k5 and .k4 tickets:

 

server-notworking > klist

Ticket cache: FILE:/tmp/krb5cc_39728_T16049

Default principal: me at stanford.edu

 

Valid starting     Expires            Service principal

05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/stanford.edu at stanford.edu

05/02/08 15:18:47  05/03/08 16:18:45  afs/ir.stanford.edu at stanford.edu

 

 

Kerberos 4 ticket cache: /tmp/tkt39728_16049

Principal: me at IR.STANFORD.EDU

 

  Issued              Expires             Principal

05/02/08 15:18:45  05/03/08 01:18:45  krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU

05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking at IR.STANFORD.EDU

 

But on the server that's working, I only get the k5 tickets:

 

server-working > klist

Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M

Default principal: me at stanford.edu

 

Valid starting     Expires            Service principal

05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/stanford.edu at stanford.edu

05/02/08 15:27:27  05/03/08 01:27:25  afs/ir.stanford.edu at stanford.edu

 

 

Kerberos 4 ticket cache: /tmp/tkt39728

Principal: me at IR.STANFORD.EDU

 

  Issued              Expires             Principal

04/30/08 23:42:56  05/02/08 01:09:17  krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU

 

The only difference that I can see between the two klist command outputs is:

 

05/02/08 15:18:45  05/03/08 01:18:45  rcmd.server-notworking at IR.STANFORD.EDU

 

What is this?

 

Below is a comparison of the two servers.

I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
server-notworking.  I don't think this will make a difference because I have
already tried this on another server.  I can't upgrade the kernel though to
match the server that is working.  The server that is not working is an
actively used server.

 

Also if I remove the .klogin file in my home directory on the
server-notworking, I can't login to this box.  I need both .klogin and
.k5login files otherwise I get permission denied message when ssh'ing in.

I don't have the .klogin file in the server that is working.only the
.k5login file.

Please advise.

 

Thanks for you help.

 

Regards

 

# mukarram syed

 

 

                                                            SYSTEM INFO

 

server-notworking
server-working               

 

 

2.4.21-27.0.2.ELsmp
2.4.21-50.ELsmp

 

Red Hat Enterprise Linux AS release 3
Red Hat Enterprise Linux AS release 3 

(Taroon Update 4)
(Taroon Update 9)

 

                                                            STATUS

 

Not getting the afs tokens without
Fully Functional.NO aklog -setpag option set.

the aklog -setpag option in the shell 

startup scripts.  Need .klogin and .k5login

to be able to SSH.  SSH won't work without

.klogin file.

 

                                                            OPENAFS RPMS

                                                

openafs-1.4.2-1.1
openafs-1.4.2-1.1          

openafs-client-1.4.2-1.1
openafs-client-1.4.2-1.1

openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1
openafs-kernel-smp-1.4.2-2.4.21_50.EL_1

openafs-kernel-source-1.4.2-1.1
openafs-kernel-source-1.4.2-1.1

openafs-krb5-1.4.2-1.1
openafs-krb5-1.4.2-1.1

            

                                                            KRB5 RPMS

                                                

 

krb5-devel-1.2.7-42
krb5-devel-1.2.7-64

krb5-libs-1.2.7-42
krb5-libs-1.2.7-64

krb5-SU-1.4.3-12.EL3
krb5-SU-1.4.4-4.EL3

openafs-krb5-1.4.2-1.1
openafs-krb5-1.4.2-1.1

pam_krb5-SU-3.8-1.EL3
pam_krb5-SU-3.8-1.EL3

 

 

                                                            PAM RPMS

                                                

pam-0.75-62
pam-0.75-72

pam-afs-session-1.5-1.EL3
pam-afs-session-1.5-1.EL3

pam-devel-0.75-62
pam_ccreds-3-3.rhel3.2

pam_krb5-SU-3.8-1.EL3
pam-devel-0.75-72

pam_passwdqc-0.7.5-1
pam_krb5-SU-3.8-1.EL3

pam_smb-1.1.7-1
pam_passwdqc-0.7.5-1

 
pam_smb-1.1.7-1

 


                                                            

                                                IMPORTANT FILES:
CKSUMS/SIZES

                                                            

782515666 1077 /etc/pam.d/system-auth
782515666 1077 /etc/pam.d/system-auth

292550411 160 /etc/krb.conf
292550411 160 /etc/krb.conf

2006343950 4385 /etc/krb5.conf
3826595545 4386 /etc/krb5.conf

3068285566 267416 /usr/bin/aklog
1302602016 267416 /usr/bin/aklog

1323949453 19 /usr/vice/etc/CellAlias
1323949453 19 /usr/vice/etc/CellAlias

3556331601 16 /usr/vice/etc/ThisCell
3556331601 16 /usr/vice/etc/ThisCell

1399150640 446 /usr/vice/etc/CellServDB
514410920 208 /usr/vice/etc/CellServDB

 

Also in the /etc/ssh/sshd_config file the only differences are (If I change
it to no, on the server-notworking, I can't SSH, I get

Permission denied errors):

 

KerberosAuthentication yes
KerberosAuthentication no

KerberosOrLocalPasswd yes
KerberosOrLocalPasswd no

KerberosTicketCleanup yes
KerberosTicketCleanup no

 

                                                SSH RPMS

 

openssh-3.6.1p2-33.30.3
openssh-3.6.1p2-33.30.14

openssh-clients-3.6.1p2-33.30.3
openssh-askpass-3.6.1p2-33.30.14

openssh-server-3.6.1p2-33.30.3
openssh-askpass-gnome-3.6.1p2-33.30.14

 
openssh-clients-3.6.1p2-33.30.14

 
openssh-server-3.6.1p2-33.30.14

More information about the Kerberos mailing list