Greetings all:

Thought to check the kerberos logs, and found the following two unique
entry groupings for my correct password attempts:

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox3.host.domain_at_KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox3.host.domain_at_KERBEROS.REALM

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox2.host.domain_at_KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox2.host.domain_at_KERBEROS.REALM

NOTE1: It appears that clog appends KERBEROS.REALM to the principal if it
is not explicitly stipulated in the -servprinc option.

NOTE2: Log was meddled with in the following ways:
  stripped out leading syslog style datestamp and hostname
  stripped out krb5kdc pid in between []
  obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain, epoch_time,
  and KERBEROS.REALM

The following logs show an incorrect password attempt (even though
vice/auth2/AuthLog has no corresponding entry):

krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox2.host.domain_at_KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: PREAUTH_FAILED: kerberos_admin_user_at_KERBEROS.REALM for coda/sandbox2.host.domain_at_KERBEROS.REALM, Decrypt integrity check failed

NOTE1: I don't know that this is particularly useful in my case beyond
abstract trivia.

NOTE2: Log was meddled with in the following ways:
  stripped out leading syslog style datestamp and hostname
  stripped out krb5kdc pid in between []
  obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain, and
  KERBEROS.REALM
  did NOT touch "preauth (timestamp)" -- likely generic due to failure

Regards,
-Don
{void}

root writes:
> Greetings all:
>
> Here are some clog attempts with -servprinc defined -- whacked out for
> readability:
>
> [root_at_sandbox3 ~]# clog \
>     -method kerberos5 coda_admin_user_at_coda.realm \
>     -tokenserver sandbox2.host.domain 370 \
>     -krealm KERBEROS.REALM \
>     -kdc sandbox2.host.domain \
>     -servprinc coda/sandbox3.host.domain
>
> [root_at_sandbox3 ~]# clog \
>     -method kerberos5 coda_admin_user_at_coda.realm \
>     -tokenserver sandbox2.host.domain 370 \
>     -krealm KERBEROS.REALM \
>     -kdc sandbox2.host.domain \
>     -servprinc coda/sandbox3.host.domain_at_KERBEROS.REALM
>
> [root_at_sandbox3 ~]# clog \
>     -method kerberos5 coda_admin_user_at_coda.realm \
>     -tokenserver sandbox2.host.domain 370 \
>     -krealm KERBEROS.REALM \
>     -kdc sandbox2.host.domain \
>     -servprinc coda/sandbox2.host.domain
>
> [root_at_sandbox3 ~]# clog \
>     -method kerberos5 coda_admin_user_at_coda.realm \
>     -tokenserver sandbox2.host.domain 370 \
>     -krealm KERBEROS.REALM \
>     -kdc sandbox2.host.domain \
>     -servprinc coda/sandbox2.host.domain_at_KERBEROS.REALM
>
> I attempted the password three times for each clog command above -- twice
> with password correct, and once with password incorrect. When password
> was correct, I got the following:
>
>     Password for coda_admin_user/default_at_coda.domain:
>     Invalid login (RPC2_NOTAUTHENTICATED (F)).
>
> When password was incorrect, I got the following:
>
>     krb5secret: Password incorrect
>     clog: failed to login to Kerberos
>
> On the server host, the vice/auth2/AuthLog had the following entries
> corresponding to my tests:
>
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>     Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
>
> NOTE1: These log entries correspond to the "RPC2_NOTAUTHENTICATED" errors
> above. There are NO LOG ENTRIES corresponding to the "krb5secret:
> Password incorrect" errors.
>
> NOTE2: Meddled with logs in the following ways:
>   Stripped out leading date & time stamps
>   The following substitution was made:
>     n???0?????????????????? ???????a???0????????????KERBEROS.REALM?)
>     TOKEN?
>   Obfuscated text at "KERBEROS.REALM", "sandbox3_ipv6" and "random_port"
>
> So, we know that clog is connecting to the auth2 daemon. I don't really
> know how the auth2 daemon is connecting to kerberos, but I suspect that
> may be the segment which is failing. I simply don't know if it is failing
> because of:
>   *) clog command-line
>   *) vice/server.conf misconfig
>   *) coda user incorrect (/vice/bin/pdbtool)
>   *) kerberos principal(s) incorrect (and subsequently, the keytab)
>
> Undoubtedly it is a little of several of the above.
>
> Regards,
> -Don
> {void}
>
Received on 2010-01-19 16:49:24
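The thread's useful observation is that a wrong password never reaches the Coda auth2 AuthLog (clog gives up after "failed to login to Kerberos"), so the only record of it is the KDC's NEEDED_PREAUTH / preauth verify failure / PREAUTH_FAILED triplet, while a good password shows NEEDED_PREAUTH followed by ISSUE. The script below is an added example, not code from the post, from Coda or from MIT Kerberos: it parses krb5kdc AS_REQ lines in the stripped shape quoted above (a full syslog prefix and pid are tolerated too), counts outcomes per client principal and address, flags repeated PREAUTH_FAILED entries, and also checks the etypes in ISSUE lines (the thread's rep=18 tkt=18 ses=18 is aes256-cts; a ticket or session key in single DES or RC4 would be worth knowing about). Principals are written with "@" here since the list archive renders it as "_at_"; the authtime value, the second failed attempt and the "legacy_user" line in the sample are constructed.

```python
"""Triage MIT krb5kdc AS_REQ log lines of the shape quoted in the thread.

Added example; not from the original post, Coda or MIT Kerberos. The sample
log is constructed to match the thread's stripped format.
"""
import re
from collections import Counter, defaultdict

# "krb5kdc[](info):" is what remains once datestamp, hostname and pid are
# stripped as in the thread; an unstripped line ("krb5kdc[4321](info):") also matches.
AS_REQ_RE = re.compile(
    r"krb5kdc\[\d*\]\(info\): AS_REQ \(\d+ etypes \{(?P<offered>[^}]*)\}\) "
    r"(?P<client>\S+): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>[^\s,]+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<cprinc>[^\s,]+) for (?P<sprinc>[^\s,]+)"
    r"(?:, (?P<msg>.*))?$"
)
PREAUTH_VERIFY_RE = re.compile(
    r"krb5kdc\[\d*\]\(info\): preauth \((?P<mech>[^)]+)\) verify failure: (?P<msg>.*)$"
)

# RFC 3961 / MIT krb5 encryption type numbers from the thread's offered-etypes list.
ETYPE_NAMES = {
    1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 5: "des3-cbc-md5",
    16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac",
}
WEAK_ETYPES = {1, 2, 3, 23}  # single DES and RC4


def _parse_issued(text):
    """'rep=18 tkt=18 ses=18' -> {'rep': 18, 'tkt': 18, 'ses': 18}; None if absent."""
    if not text:
        return None
    return {k: int(v) for k, v in (item.split("=", 1) for item in text.split())}


def parse_line(line):
    """Return a dict for an AS_REQ outcome or a preauth verify failure, else None."""
    m = AS_REQ_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "AS_REQ"
        rec["offered"] = [int(e) for e in rec["offered"].split()]
        rec["issued"] = _parse_issued(rec["issued"])
        return rec
    m = PREAUTH_VERIFY_RE.search(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "PREAUTH_VERIFY_FAILURE"
        return rec
    return None


def summarize(log_text):
    """Per (client principal, client address): Counter of AS_REQ statuses.
    Second result: ISSUE lines whose reply, ticket or session etype is weak."""
    outcomes = defaultdict(Counter)
    weak_issues = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] != "AS_REQ":
            continue
        outcomes[(rec["cprinc"], rec["client"])][rec["status"]] += 1
        if rec["status"] == "ISSUE" and rec["issued"]:
            bad = {k: ETYPE_NAMES.get(v, str(v)) for k, v in rec["issued"].items()
                   if v in WEAK_ETYPES}
            if bad:
                weak_issues.append((rec["cprinc"], rec["sprinc"], bad))
    return dict(outcomes), weak_issues


def password_failures(log_text, threshold=2):
    """(principal, address) pairs with at least `threshold` PREAUTH_FAILED lines:
    the KDC-side trace of wrong passwords that never shows up in auth2's AuthLog."""
    outcomes, _ = summarize(log_text)
    return sorted(k for k, c in outcomes.items() if c["PREAUTH_FAILED"] >= threshold)


# Constructed sample: the thread's lines with "@" restored, plus an invented
# authtime, a second wrong-password attempt, and a legacy RC4 client.
SAMPLE_LOG = """\
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user@KERBEROS.REALM for coda/sandbox3.host.domain@KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime 1263919764, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user@KERBEROS.REALM for coda/sandbox3.host.domain@KERBEROS.REALM
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user@KERBEROS.REALM for coda/sandbox2.host.domain@KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: PREAUTH_FAILED: kerberos_admin_user@KERBEROS.REALM for coda/sandbox2.host.domain@KERBEROS.REALM, Decrypt integrity check failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user@KERBEROS.REALM for coda/sandbox2.host.domain@KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: PREAUTH_FAILED: kerberos_admin_user@KERBEROS.REALM for coda/sandbox2.host.domain@KERBEROS.REALM, Decrypt integrity check failed
krb5kdc[](info): AS_REQ (1 etypes {23}) legacy_ipv4: ISSUE: authtime 1263919800, etypes {rep=23 tkt=18 ses=23}, legacy_user@KERBEROS.REALM for krbtgt/KERBEROS.REALM@KERBEROS.REALM
"""

if __name__ == "__main__":
    outcomes, weak = summarize(SAMPLE_LOG)
    for (princ, addr), counts in outcomes.items():
        print(f"{princ} from {addr}: {dict(counts)}")
    print("weak etypes issued:", weak)
    print("repeated password failures:", password_failures(SAMPLE_LOG))
```

Run it against a real krb5kdc.log by passing the file contents to `summarize`; a NEEDED_PREAUTH count that is higher than ISSUE plus PREAUTH_FAILED for one principal means clients are dropping out between the two AS_REQ round trips, which is a different failure from the wrong-password case the thread shows.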