[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: heimdal on tru64 unix peculiarities

To: Love <lha@stacken.kth.se>
Subject: Re: heimdal on tru64 unix peculiarities
From: David Komanek <xdavid@lib-eth.natur.cuni.cz>
Date: Mon, 5 Apr 2004 10:25:47 +0200 (CEST)
Cc: heimdal-discuss@sics.se, ax@natur.cuni.cz, mikulic@natur.cuni.cz
In-Reply-To: <amlllgyn45.fsf@nutcracker.stacken.kth.se>
References: <20040330130702.56543.qmail@web80810.mail.yahoo.com><Pine.OSF.4.58.0403301629210.74565@lib-eth.natur.cuni.cz><amlllgyn45.fsf@nutcracker.stacken.kth.se>
Sender: owner-heimdal-discuss@sics.se


Hi,

thanks for your suggestions.

> If its the later, the code will have no chance of working and needs to put
> somewhere else. But if the case is the former, replace the
> siad_ses_release() function in heimdal/lib/auth/sia/sia.c with something
> like this (I marked the new lines with |)

First I will learn more about the sia api and then I try the code you have
suggested. Thank you very much for this.

> I'm using krb-krb4-1.3rc1'ish with heimdal-0.6.1ish with modern openssl
> (0.9.7something) on a kdc, so I'm quite sure it possible to make it work
> without going mad at the same time.. You will probably hate me for this,
> but do you really need krb4 ?

We are just switched to the heimdal and krb4 stops working in a few days
on our site. I only noticed the ticket-getting procedure takes for a few
seconds while getting krb4 ticket (1.2) worked much faster. If there could
be some clue, it would be very helpful, but I consider the "slow" heimdal
still usable and I am very glad bo be allowed to use it.

> > 3. There are some strange issues with dns - imagine I have a machine named
> > A with aliases B, C, D. For some reason, the gssapi works fine with
> > shortnames of A and B, but only with fqdn of C and with no form of D. In
> > DNS, all the aliases are made the same way as short cnames. Through kadmin
> > I can see the entry for host/fqdnA and for no aliases. In keytab on target
> > machine is the same. What else might cause this behavior ?
>
> I have not really and good solution to this, I usually look at that that
> the client requests in the kdc log (or by looking that the client and the
> server) and try to figure out what is happening that way.

Thanks, so I should figure out if the problem is on the way to KDC or
back. In the kdc log I found this answer to my problem:

2004-04-05T10:11:31 sending 617 bytes to IPv4:195.113.56.1
2004-04-05T10:11:32 TGS-REQ komanek@NATUR.CUNI.CZ from IPv4:195.113.56.251 for host/prfdec.natur.cuni.cz@NATUR.CUNI.CZ
2004-04-05T10:11:32 Server not found in database: host/prfdec.natur.cuni.cz@NATUR.CUNI.CZ: No such entry in the database

But prfdec is only alias to the real host name. Then I realized that I
have this machine in my /etc/hosts file on the client. Removing this entry
resolved the problem. So probably not a DNS issue, but heimdal issue or
operating system issue ? It is also interesting that it is not possible to
ssh-ing to IP address with heimdals' gss-api, only dns name works.

ssh -l root 195.113.56.1 -v -v -v
debug1: Next authentication method: gssapi-with-mic
debug2: we sent a gssapi-with-mic packet, wait for reply
debug1:  Miscellaneous failure (see text)
Server (krbtgt/113.56.1@NATUR.CUNI.CZ) unknown

First octet of the address is dropped. Is it a solvable with some smart setting in krb5.conf ?

Thanks again,

David

Prev by Date: Re: heimdal on tru64 unix peculiarities
Next by Date: Re: heimdal on tru64 unix peculiarities
Prev by thread: Re: heimdal on tru64 unix peculiarities
Next by thread: Re: To Forward or Not To Forward [PATCH for Telnet]
Index(es):
- Date
- Thread