Coda File System

Re: modular clog + kerberos

From: root <coda_at_voidembraced.net>
Date: Tue, 19 Jan 2010 13:48:34 -0800
Greetings all: 

Thought to check the kerberos logs, and found the following two unique entry 
groupings for my correct password attempts: 

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox3.host.domain_at_KERBEROS.REALM, Additional pre-authentication 
required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, 
kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox3.host.domain_at_KERBEROS.REALM 

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox2.host.domain_at_KERBEROS.REALM, Additional pre-authentication 
required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, 
kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox2.host.domain_at_KERBEROS.REALM 

NOTE1:  It appears that clog appends KERBEROS.REALM to the principal if it 
is not explicitly stipulated in the -servprinc option. 

NOTE2:  Log was meddled with in the following ways:
  stripped out leading syslog style datestamp and hostname
  stripped out krb5kdc pid in between []
  obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain, epoch_time,
     and KERBEROS.REALM 


The following logs show an incorrect password attempt (even though 
vice/auth2/AuthLog has no corresponding entry): 

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox2.host.domain_at_KERBEROS.REALM, Additional pre-authentication 
required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check 
failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: 
PREAUTH_FAILED: kerberos_admin_user_at_KERBEROS.REALM for 
coda/sandbox2.host.domain_at_KERBEROS.REALM, Decrypt integrity check failed 

NOTE1:  I don't know that this is particularly useful in my case beyond 
abstract trivia 

NOTE2:  Log was meddled with in the following ways:
  stripped out leading syslog style datestamp and hostname
  stripped out krb5kdc pid in between []
  obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain,
     and KERBEROS.REALM
  did NOT touch "preauth (timestamp)" -- likely generic due to failure 


Regards,
 -Don
{void} 


root writes: 

> Greetings all:  
> 
> Here are some clog attempts with -servprinc defined -- whacked out for 
> readability:  
> 
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/sandbox3.host.domain  
> 
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/sandbox3.host.domain_at_KERBEROS.REALM  
> 
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/sandbox2.host.domain  
> 
> [root_at_sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user_at_coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/sandbox2.host.domain_at_KERBEROS.REALM  
> 
> I attempted the password three times for each clog command above -- twice 
> with password correct, and once with password incorrect.  When password 
> was correct, I got the following:  
> 
> Password for coda_admin_user/default_at_coda.domain:
> Invalid login (RPC2_NOTAUTHENTICATED (F)).  
> 
> 
> When password was incorrect, I got the following:  
> 
> krb5secret: Password incorrect
> clog: failed to login to Kerberos  
> 
> 
> On the server host, the vice/auth2/AuthLog had the following entries 
> corresponding to my tests:  
> 
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
> Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port  
> 
> NOTE1:  These log entries correspond to the "RPC2_NOTAUTHENTICATED" errors 
> above.  There are NO LOG ENTRIES corresponding to the "krb5secret: 
> Password incorrect" errors.  
> 
> NOTE2:  Meddled with logs in the following ways:
>  Stripped out leading date & time stamps
>  The following substitution was made:
>     n???0?????????????????? ???????a???0????????????KERBEROS.REALM?)
>     TOKEN?
>  Obfuscated text at "KERBEROS.REALM", "sandbox3_ipv6" and "random_port"  
> 
> 
> So, we know that clog is connecting to the auth2 daemon.  I don't really 
> know how the auth2 daemon is connecting to kerberos, but I suspect that 
> may be the segment which is failing.  I simply don't know if it is failing 
> because of:
> *) clog command-line
> *) vice/server.conf misconfig
> *) coda user incorrect (/vice/bin/pdbtool)
> *) kerberos principal(s) incorrect (and subsequently, the keytab)  
> 
> Undoubtedly it is a little of several of the above.  
> 
> Regards,
> -Don
> {void}  
> 
> 
 
Received on 2010-01-19 16:49:24