[krbdev.mit.edu #1201] Possible Kerberos Server Bug?
rmdyer@uncc.edu via RT
rt-comment at krbdev.mit.edu
Mon Sep 30 15:45:13 EDT 2002
Hi,
This email is another request for help on the issue discussed below. In
the past I sent this mail, got a reply, then turned down help based on the
fact that we thought we had the problem solved. The problem has now
resurfaced with MIT K5 v1.2.6. I would very much appreciate any help you
can offer.
Original problem...
We are experiencing an interoperability issue with Microsoft Windows XP Pro
and a MIT Kerberos 1.2.2 (and 1.2.6, possibly 1.2.4) KDC server. We have
set up a cross-realm trust between two kerberos realms. This works
fine. We are able to authenticate to XP/Active Directory domain and the
MIT kerberos realm just fine. The problem we are having is that the XP
machine isn't always allowing us access to the AD domain shares.
I have been in contact with Microsoft support on this issue for quite some
time. Microsoft's support rep put me in contact with their Kerberos
developer group in Redmond. The Redmond support has checked and rechecked
the kerberos code on their side. They've made some changes to their
"kerberos.dll" that have been worse, or better, but the problem still persists.
We did some network traffic sniffs from both the client and the server
sides. We've found something curious that we think may point the problem
to MIT's developer group. In the network capture, we found return packets
from the MIT server with the phrase "Request is a replay.". It seems that
the MIT server is responding to the client, suggesting that it sent
redundant packets. We know from the captures that we didn't send two
redundant packets, and the MIT server never received two.
We also see messages in the kerberos logs such as...
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): PROCESS_TGS: authtime 0, <unknown client> for krbtgt/TEST.UNCC.EDU@UNCC.EDU, Request is a replay
... Why is the client unknown in this log message? Why is the authtime zero?
Here is a bit more of the log...
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): AS_REQ 152.15.11.60(88): NEEDED_PREAUTH: trng07@UNCC.EDU for krbtgt/UNCC.EDU@UNCC.EDU, Additional pre-authentication required
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): AS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/UNCC.EDU@UNCC.EDU
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/TEST.UNCC.EDU@UNCC.EDU
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): UNKNOWN_SERVER: authtime 1030637982, trng07@UNCC.EDU for cifs/adcsm2.test.uncc.edu@UNCC.EDU, Server not found in Kerberos database
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): PROCESS_TGS: authtime 0, <unknown client> for krbtgt/TEST.UNCC.EDU@UNCC.EDU, Request is a replay
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): UNKNOWN_SERVER: authtime 1030637982, trng07@UNCC.EDU for cifs/adcsm2.test.uncc.edu@UNCC.EDU, Server not found in Kerberos database
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/TEST.UNCC.EDU@UNCC.EDU
The only thing sitting between the client and the server are a couple of
switched hubs. Microsoft seems to indicate that this replay packet is the
problem. I'm not sure I agree, but I would like some second
opinions. This appears to be some strange time issue because it doesn't
always fail. Most of the time we get access to the Microsoft AD shares
correctly. But, it does fail often enough that it can't be used in a
production capacity. Every time it fails we see a "replay" packet message.
We built a couple of MIT Kerberos test servers. One server was 1.2.4, the
other was 1.2.2. We put them on the same switched hub as the XP client and
AD server. We didn't see any problems then. What is going on?
Current situation...
With Microsoft's latest private test "kerberos.dll" that they have been
working on for me, I have not been able to reproduce the problem with MIT
KDC v1.2.4, but I have been able to produce the problem with v1.2.6. Both
of the MIT test servers are in the same room, and on the same switched hub
as the XP client.
I am including the Solaris snoop capture binary from the 1.2.6 kdc that
shows the "replay packet" that seems to be the cause of the problem.
Is this a kerberos bug?
MIT Kerberos server is a Sun workstation running Solaris 8, MIT Kerberos 5
v1.2.2, v1.2.6
Microsoft Windows XP Pro. on a Gateway PIII
Help is appreciated. Thanks,
Rodney
Rodney M. Dyer
PC Systems Programmer
College of Engineering Computing Services
University of North Carolina at Charlotte
Email rmdyer at uncc.edu
Phone (704)687-3518
Help Desk Line (704)687-3150
FAX (704)687-2352
Office 267 Smith Building
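As an added example (not part of this bug report, and not MIT's code), a small Python parser for krb5kdc log records like those quoted above. It pulls out each "Request is a replay" event together with the requests the same client address made in the same second, so the "<unknown client>" / "authtime 0" pattern and the UNKNOWN_SERVER lookup that precedes it can be checked across a whole log instead of by eye. The sample log is constructed from the excerpt in the report, with principal names written with "@" as a real krb5kdc log prints them.

```python
import re

# Constructed sample, modeled on the krb5kdc log excerpt in the report above.
SAMPLE_LOG = """\
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): AS_REQ 152.15.11.60(88): NEEDED_PREAUTH: trng07@UNCC.EDU for krbtgt/UNCC.EDU@UNCC.EDU, Additional pre-authentication required
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): AS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/UNCC.EDU@UNCC.EDU
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/TEST.UNCC.EDU@UNCC.EDU
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): UNKNOWN_SERVER: authtime 1030637982, trng07@UNCC.EDU for cifs/adcsm2.test.uncc.edu@UNCC.EDU, Server not found in Kerberos database
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): PROCESS_TGS: authtime 0, <unknown client> for krbtgt/TEST.UNCC.EDU@UNCC.EDU, Request is a replay
Aug 29 12:19:42 kdc-sm2 krb5kdc[8093](info): TGS_REQ 152.15.11.60(88): ISSUE: authtime 1030637982, trng07@UNCC.EDU for krbtgt/TEST.UNCC.EDU@UNCC.EDU
"""

# One krb5kdc record: syslog timestamp, host, process, request type, client
# address, processing stage, optional authtime, client principal, server
# principal and an optional trailing message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) (?P<addr>[^(]+)\(\d+\): (?P<stage>\w+): "
    r"(?:authtime (?P<authtime>\d+), )?(?P<client>.+?) for (?P<server>[^,\s]+)"
    r"(?:, (?P<msg>.*))?$"
)


def parse_kdc_line(line):
    """Return the record's fields as a dict, or None if the line is not a KDC record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] is not None else None
    return rec


def find_replays(log_text):
    """Return every replay event with the earlier requests from the same
    address in the same second, which is the context needed to judge it."""
    records = [r for r in map(parse_kdc_line, log_text.splitlines()) if r]
    findings = []
    for i, rec in enumerate(records):
        if rec["msg"] != "Request is a replay":
            continue
        context = [p for p in records[:i]
                   if p["addr"] == rec["addr"] and p["ts"] == rec["ts"]]
        findings.append({
            "ts": rec["ts"], "addr": rec["addr"], "server": rec["server"],
            "unknown_client": rec["client"] == "<unknown client>",
            "authtime_zero": rec["authtime"] == 0,
            "prior_stages": [p["stage"] for p in context],
            "prior_unknown_servers": sorted({p["server"] for p in context
                                             if p["stage"] == "UNKNOWN_SERVER"}),
        })
    return findings
```

Run over the real log, each finding lists which service lookup failed just before the KDC flagged the replay, which is the correlation the report is trying to establish from packet captures.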