Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
Mukarram Syed
muksyed at stanford.edu
Tue May 6 12:39:36 EDT 2008
Thanks Christopher. I'll try to get on kerberos IRC on Freenode.
Here are my krb5.conf files. There are not different, that I could see.
[root at server-working etc]# cksum /etc/krb5.conf
3826595545 4386 /etc/krb5.conf
server-notworking:~> cksum /etc/krb5.conf
2006343950 4385 /etc/krb5.conf
Krb5.conf from server-working:
------------------------------
#### cat /etc/krb5.conf
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf.erb 708 2007-01-31 21:22:39Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
[appdefaults]
default_lifetime = 25hrs
krb4_get_tickets = false
krb5_get_tickets = true
krb5_get_forwardable = true
kinit = {
krb4_convert = false
}
stanford.edu = {
aklog_path = /usr/bin/aklog
krb4_get_tickets = true
krb4_convert = false
krb_run_aklog = true
}
pam = {
minimum_uid = 100
search_k5login = true
forwardable = true
}
pam-afs-session = {
minimum_uid = 100
}
[libdefaults]
default_realm = stanford.edu
dns_lookup_realm = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
ticket_lifetime = 1500m
[realms]
stanford.edu = {
kdc = krb5auth1.stanford.edu:88
kdc = krb5auth2.stanford.edu:88
kdc = krb5auth3.stanford.edu:88
master_kdc = krb5auth1.stanford.edu:88
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
kadmind_port = 749
v4_realm = IR.STANFORD.EDU
}
MS.STANFORD.EDU = {
kdc = msdc0.ms.stanford.edu:88
kdc = msdc1.ms.stanford.edu:88
kpasswd_server = msdc0.ms.stanford.edu
}
WIN.STANFORD.EDU = {
kdc = mothra.win.stanford.edu:88
kdc = rodan.win.stanford.edu:88
kpasswd_server = mothra.win.stanford.edu
}
CS.STANFORD.EDU = {
kdc = cs-kdc-1.stanford.edu:88
kdc = cs-kdc-2.stanford.edu:88
kdc = cs-kdc-3.stanford.edu:88
admin_server = cs-kdc-1.stanford.edu:749
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ISC.ORG = {
kdc = k1.isc.org:88
kdc = k2.isc.org:88
admin_server = k1.isc.org:749
default_domain = isc.org
}
OPENLDAP.ORG = {
kdc = kerberos.openldap.org
default_domain = openldap.org
}
SUCHDAMAGE.ORG = {
kdc = kerberos.suchdamage.org:88
admin_server = kerberos.suchdamage.org:749
default_domain = suckdamage.org
}
VIX.COM = {
kdc = kerberos-0.vix.com:88
kdc = kerberos-1.vix.com:88
kdc = kerberos-2.vix.com:88
admin_server = kerberos-0.vix.com:749
default_domain = vix.com
}
ZEPA.NET = {
kdc = kerberos.zepa.net
kdc = kerberos-too.zepa.net
admin_server = kerberos.zepa.net
}
[domain_realm]
stanford.edu = stanford.edu
.stanford.edu = stanford.edu
.dc.stanford.org = stanford.edu
ms.stanford.edu = MS.STANFORD.EDU
.ms.stanford.edu = MS.STANFORD.EDU
win.stanford.edu = WIN.STANFORD.EDU
.win.stanford.edu = WIN.STANFORD.EDU
windows.stanford.edu = IT.WIN.STANFORD.EDU
infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
.eyrie.org = stanford.edu
.isc.org = ISC.ORG
mit.edu = ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
openldap.org = OPENLDAP.ORG
.openldap.org = OPENLDAP.ORG
whoi.edu = ATHENA.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
.vix.com = VIX.COM
.zepa.net = ZEPA.NET
zepa.net = ZEPA.NET
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
Krb5.conf from server-notworking:
> cat /etc/krb5.conf
# /etc/krb5.conf -- Kerberos V5 general configuration.
# $Id: krb5.conf.erb 708 2007-01-31 21:22:39Z rra $
#
# This is the standard Kerberos v5 configuration file for all of our
# servers. It is based on the Stanford-wide configuration, the canonical
# version of which is in /usr/pubsw/etc/krb5.conf.
#
# This configuration allows any enctypes. Some systems with really old
# Kerberos software may have to limit to triple-DES and DES.
[appdefaults]
default_lifetime = 25hrs
krb4_get_tickets = false
krb5_get_tickets = true
krb5_get_forwardable = true
kinit = {
krb4_convert = false
}
stanford.edu = {
aklog_path = /usr/bin/aklog
krb4_get_tickets = true
krb4_convert = false
krb_run_aklog = true
}
pam = {
minimum_uid = 100
search_k5login = true
forwardable = true
}
pam-afs-session = {
minimum_uid = 100
}
[libdefaults]
default_realm = stanford.edu
dns_lookup_realm = false
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
ticket_lifetime = 1500m
[realms]
stanford.edu = {
kdc = krb5auth1.stanford.edu:88
kdc = krb5auth2.stanford.edu:88
kdc = krb5auth3.stanford.edu:88
master_kdc = krb5auth1.stanford.edu:88
admin_server = krb5-admin.stanford.edu
default_domain = stanford.edu
kadmind_port = 749
v4_realm = IR.STANFORD.EDU
}
MS.STANFORD.EDU = {
kdc = msdc0.ms.stanford.edu:88
kdc = msdc1.ms.stanford.edu:88
kpasswd_server = msdc0.ms.stanford.edu
}
WIN.STANFORD.EDU = {
kdc = mothra.win.stanford.edu:88
kdc = rodan.win.stanford.edu:88
kpasswd_server = mothra.win.stanford.edu
}
CS.STANFORD.EDU = {
kdc = cs-kdc-1.stanford.edu:88
kdc = cs-kdc-2.stanford.edu:88
kdc = cs-kdc-3.stanford.edu:88
admin_server = cs-kdc-1.stanford.edu:749
}
ATHENA.MIT.EDU = {
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
kdc = kerberos-2.mit.edu:88
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
}
ISC.ORG = {
kdc = k1.isc.org:88
kdc = k2.isc.org:88
admin_server = k1.isc.org:749
default_domain = isc.org
}
OPENLDAP.ORG = {
kdc = kerberos.openldap.org
default_domain = openldap.org
}
SUCHDAMAGE.ORG = {
kdc = kerberos.suchdamage.org:88
admin_server = kerberos.suchdamage.org:749
default_domain = suckdamage.org
}
VIX.COM = {
kdc = kerberos-0.vix.com:88
kdc = kerberos-1.vix.com:88
kdc = kerberos-2.vix.com:88
admin_server = kerberos-0.vix.com:749
default_domain = vix.com
}
ZEPA.NET = {
kdc = kerberos.zepa.net
kdc = kerberos-too.zepa.net
admin_server = kerberos.zepa.net
}
[domain_realm]
stanford.edu = stanford.edu
.stanford.edu = stanford.edu
.dc.stanford.org = stanford.edu
ms.stanford.edu = MS.STANFORD.EDU
.ms.stanford.edu = MS.STANFORD.EDU
win.stanford.edu = WIN.STANFORD.EDU
.win.stanford.edu = WIN.STANFORD.EDU
windows.stanford.edu = IT.WIN.STANFORD.EDU
infraappprod.stanford.edu = IT.WIN.STANFORD.EDU
.eyrie.org = stanford.edu
.isc.org = ISC.ORG
mit.edu = ATHENA.MIT.EDU
.mit.edu = ATHENA.MIT.EDU
openldap.org = OPENLDAP.ORG
.openldap.org = OPENLDAP.ORG
whoi.edu = ATHENA.MIT.EDU
.whoi.edu = ATHENA.MIT.EDU
.vix.com = VIX.COM
.zepa.net = ZEPA.NET
zepa.net = ZEPA.NET
[logging]
kdc = SYSLOG:NOTICE
admin_server = SYSLOG:NOTICE
default = SYSLOG:NOTICE
-----Original Message-----
From: Christopher D. Clausen [mailto:cclausen at acm.org]
Sent: Monday, May 05, 2008 5:32 PM
To: Mukarram Syed
Cc: kerberos at mit.edu
Subject: Re: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
Can you post and compare your krb5.conf files? Are they identical?
Have you asked someone at Stanford? This might be a specific
configuration problem for that realm.
If you join the #kerberos IRC on Freenode, various people may be able to
help you out interactively.
<<CDC
Mukarram Syed <muksyed at stanford.edu> wrote:
> Hi Again,
>
> Any suggestion will be appreciated.
>
> Thanks
>
> # mukarram
>
> -----Original Message-----
> From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On
> Behalf Of Mukarram Syed
> Sent: Friday, May 02, 2008 3:49 PM
> To: kerberos at mit.edu
> Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5
> upgrade.
>
> Hi Kerberos Gurus.
>
>
>
> I have 2 servers, the problem is that when I ssh into the box on the
> server-notworking, I get both the .k5 and .k4 tickets:
>
>
>
> server-notworking > klist
>
> Ticket cache: FILE:/tmp/krb5cc_39728_T16049
>
> Default principal: me at stanford.edu
>
>
>
> Valid starting Expires Service principal
>
> 05/02/08 15:18:47 05/03/08 16:18:45 krbtgt/stanford.edu at stanford.edu
>
> 05/02/08 15:18:47 05/03/08 16:18:45 afs/ir.stanford.edu at stanford.edu
>
>
>
>
>
> Kerberos 4 ticket cache: /tmp/tkt39728_16049
>
> Principal: me at IR.STANFORD.EDU
>
>
>
> Issued Expires Principal
>
> 05/02/08 15:18:45 05/03/08 01:18:45
> krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
>
> 05/02/08 15:18:45 05/03/08 01:18:45
> rcmd.server-notworking at IR.STANFORD.EDU
>
>
>
> But on the server that's working, I only get the k5 tickets:
>
>
>
> server-working > klist
>
> Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
>
> Default principal: me at stanford.edu
>
>
>
> Valid starting Expires Service principal
>
> 05/02/08 15:27:27 05/03/08 01:27:25 krbtgt/stanford.edu at stanford.edu
>
> 05/02/08 15:27:27 05/03/08 01:27:25 afs/ir.stanford.edu at stanford.edu
>
>
>
>
>
> Kerberos 4 ticket cache: /tmp/tkt39728
>
> Principal: me at IR.STANFORD.EDU
>
>
>
> Issued Expires Principal
>
> 04/30/08 23:42:56 05/02/08 01:09:17
> krbtgt.IR.STANFORD.EDU at IR.STANFORD.EDU
>
>
>
> The only difference that I can see between the two klist command
> outputs is:
>
>
>
> 05/02/08 15:18:45 05/03/08 01:18:45
> rcmd.server-notworking at IR.STANFORD.EDU
>
>
>
> What is this?
>
>
>
> Below is a comparison of the two servers.
>
> I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
> server-notworking. I don't think this will make a difference because
> I have already tried this on another server. I can't upgrade the
> kernel though to match the server that is working. The server that
> is not working is an actively used server.
>
>
>
> Also if I remove the .klogin file in my home directory on the
> server-notworking, I can't login to this box. I need both .klogin and
> .k5login files otherwise I get permission denied message when ssh'ing
> in.
>
> I don't have the .klogin file in the server that is working.only the
> .k5login file.
>
> Please advise.
>
>
>
> Thanks for you help.
>
>
>
> Regards
>
>
>
> # mukarram syed
>
>
>
>
>
> SYSTEM INFO
>
>
>
> server-notworking
> server-working
>
>
>
>
>
> 2.4.21-27.0.2.ELsmp
> 2.4.21-50.ELsmp
>
>
>
> Red Hat Enterprise Linux AS release 3
> Red Hat Enterprise Linux AS release 3
>
> (Taroon Update 4)
> (Taroon Update 9)
>
>
>
> STATUS
>
>
>
> Not getting the afs tokens without
> Fully Functional.NO aklog -setpag option set.
>
> the aklog -setpag option in the shell
>
> startup scripts. Need .klogin and .k5login
>
> to be able to SSH. SSH won't work without
>
> .klogin file.
>
>
>
> OPENAFS
> RPMS
>
>
>
> openafs-1.4.2-1.1
> openafs-1.4.2-1.1
>
> openafs-client-1.4.2-1.1
> openafs-client-1.4.2-1.1
>
> openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1
> openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
>
> openafs-kernel-source-1.4.2-1.1
> openafs-kernel-source-1.4.2-1.1
>
> openafs-krb5-1.4.2-1.1
> openafs-krb5-1.4.2-1.1
>
>
>
> KRB5 RPMS
>
>
>
>
>
> krb5-devel-1.2.7-42
> krb5-devel-1.2.7-64
>
> krb5-libs-1.2.7-42
> krb5-libs-1.2.7-64
>
> krb5-SU-1.4.3-12.EL3
> krb5-SU-1.4.4-4.EL3
>
> openafs-krb5-1.4.2-1.1
> openafs-krb5-1.4.2-1.1
>
> pam_krb5-SU-3.8-1.EL3
> pam_krb5-SU-3.8-1.EL3
>
>
>
>
>
> PAM RPMS
>
>
>
> pam-0.75-62
> pam-0.75-72
>
> pam-afs-session-1.5-1.EL3
> pam-afs-session-1.5-1.EL3
>
> pam-devel-0.75-62
> pam_ccreds-3-3.rhel3.2
>
> pam_krb5-SU-3.8-1.EL3
> pam-devel-0.75-72
>
> pam_passwdqc-0.7.5-1
> pam_krb5-SU-3.8-1.EL3
>
> pam_smb-1.1.7-1
> pam_passwdqc-0.7.5-1
>
>
> pam_smb-1.1.7-1
>
>
>
>
>
>
> IMPORTANT FILES:
> CKSUMS/SIZES
>
>
>
> 782515666 1077 /etc/pam.d/system-auth
> 782515666 1077 /etc/pam.d/system-auth
>
> 292550411 160 /etc/krb.conf
> 292550411 160 /etc/krb.conf
>
> 2006343950 4385 /etc/krb5.conf
> 3826595545 4386 /etc/krb5.conf
>
> 3068285566 267416 /usr/bin/aklog
> 1302602016 267416 /usr/bin/aklog
>
> 1323949453 19 /usr/vice/etc/CellAlias
> 1323949453 19 /usr/vice/etc/CellAlias
>
> 3556331601 16 /usr/vice/etc/ThisCell
> 3556331601 16 /usr/vice/etc/ThisCell
>
> 1399150640 446 /usr/vice/etc/CellServDB
> 514410920 208 /usr/vice/etc/CellServDB
>
>
>
> Also in the /etc/ssh/sshd_config file the only differences are (If I
> change it to no, on the server-notworking, I can't SSH, I get
>
> Permission denied errors):
>
>
>
> KerberosAuthentication yes
> KerberosAuthentication no
>
> KerberosOrLocalPasswd yes
> KerberosOrLocalPasswd no
>
> KerberosTicketCleanup yes
> KerberosTicketCleanup no
>
>
>
> SSH RPMS
>
>
>
> openssh-3.6.1p2-33.30.3
> openssh-3.6.1p2-33.30.14
> openssh-clients-3.6.1p2-33.30.3
> openssh-askpass-3.6.1p2-33.30.14
> openssh-server-3.6.1p2-33.30.3
> openssh-askpass-gnome-3.6.1p2-33.30.14
> openssh-clients-3.6.1p2-33.30.14
> openssh-server-3.6.1p2-33.30.14
More information about the Kerberos
mailing list