From davidbu@cit.gu.edu.au Mon Dec 20 01:17:20 1999
Received: from MIT.EDU (PACIFIC-CARRIER-ANNEX.MIT.EDU [18.69.0.28]) by rt-11.MIT.EDU (8.7.5/8.7.3) with SMTP id BAA13093 for ; Mon, 20 Dec 1999 01:17:18 -0500
Received: from beholder.cit.gu.edu.au by MIT.EDU with SMTP id AA20701; Mon, 20 Dec 99 01:18:03 EST
Received: (from davidbu@localhost) by beholder.cit.gu.edu.au (8.9.1a/8.9.1) id QAA04725; Mon, 20 Dec 1999 16:17:09 +1000 (EST)
Message-Id: <199912200617.QAA04725@beholder.cit.gu.edu.au>
Date: Mon, 20 Dec 1999 16:17:09 +1000 (EST)
From: davidbu@cit.gu.edu.au
Reply-To: davidbu@cit.gu.edu.au
To: krb5-bugs@MIT.EDU
Subject: Terminal server won't communicate to new version.
X-Send-Pr-Version: 3.99

>Number: 794
>Category: krb5-misc
>Synopsis: Xyplex terminal server works with release 5beta 5, but not with 1.0.6 or 1.1beta1
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: krb5-unassigned
>State: open
>Class: support
>Submitter-Id: unknown
>Arrival-Date: Mon Dec 20 01:18:01 EST 1999
>Last-Modified:
>Originator: David Bussenschutt
>Organization: Griffith University
>Release: krb5-1.1-beta1
>Environment:
System: SunOS beholder 5.6 Generic_105181-16 sun4m sparc SUNW,SPARCstation-10
Architecture: sun4
>Description:
We have a terminal server (used for dial-in access) that authenticates to a kerberos server.
We are moving the kerberos server off of a SunOS 4 (solaris 2.4) to a Solaris 2.6 server due to age of server.
The terminal server will authenticate quite happily to the original kerberos server...
but authentication fails when using the newer server/kerberos install.

The install on the solaris 2.6 server is standard, i.e. like this:

./configure --with-cc=gcc --prefix=/opt/krb5
make
make install

I did not install the original SunOS 4 server, but it is also installed into /opt/krb5

old server, where kerberos links to terminal server: citadel.cit.gu.edu.au
new server where kerberos NOT linking to terminal server: beholder.cit.gu.edu.au

Here is a log of the two cases, attempting to connect to each server. I have done
a 'show unit' and a 'show server kerberos' in both cases to show you that the settings are
the same (except for the kerberos server of course).

Old (but working) server first:
------------------------------------
spawn telnet termsmod 2000
Trying 132.234.42.65...
Connected to termsmod.cit.gu.edu.au.
Escape character is '^]'.
#
Enter username> davidbu
termsmod> set pri XXXXXXX
termsmod>>
termsmod>> show unit
Hardware Type: 86
Hardware Revision: 00.00.00
Rom Revision: 470000
Software Type: Terminal Server Level 4
Software Revision: V6.0.1
Protocol Type: TELNET, SNMP, PPP
Daemon(s): FINGERD SYSLOGD(Host: 132.234.1.110 Log Facility: LOCAL0)
Enabled Feature(s): HELP, ULI, NESTED MENUS, KERBEROS 5
termsmod>> show server kerberos
MX1620 V6.0.1 Rom 470000 HW 00.00.00 Lat Protocol V5.2 Uptime: 28 04:46:37
19 Dec 1999 20:03:16
Kerberos Security: Login    Kerberos Version 5
Kerberos Realm: CIT.GU.EDU.AU
Kerberos Master: CITADEL.CIT.GU.EDU.AU    Resolved Address: 132.234.86.5
Kerberos Primary Server: CITADEL.CIT.GU.EDU.AU    Resolved Address: 132.234.86.5
Kerberos Secondary Server: NONE    Resolved Address: 0.0.0.0
739 Error Message: Please contact CIT HelpDesk (3875-3666)
Kerberos Port Number: 750    Kerberos Password Port: 749
Kerberos Query Limit: 3    Password Service: kadmin
Kerberos Ports Enabled: 1-16
Successful Logins: 730    Unsuccessful Logins: 25
Logins without Kerberos: 12    Password Change Failures: 0
Last Kerberos Error: 31    Occurred: 18 Dec 1999 17:39:24
Attempts to access:  Master  Server1  Server2
Successful:          0       755      0
Unsuccessful:        0       0        0
termsmod>>
termsmod>> kerberos
Enter user password>
termsmod>>
----------------------------------
^^^--note how I authenticate to the kerberos server here, and get no errors. (Dandy!)

OK, so let's try the other (newer) server...
----------------------------------
spawn telnet termsmod 2000
Trying 132.234.42.65...
Connected to termsmod.cit.gu.edu.au.
Escape character is '^]'.
#
Enter username> davidbu
termsmod> set pri XXXXXXX
termsmod>>
termsmod>> show unit
Hardware Type: 86
Hardware Revision: 00.00.00
Rom Revision: 470000
Software Type: Terminal Server Level 4
Software Revision: V6.0.1
Protocol Type: TELNET, SNMP, PPP
Daemon(s): FINGERD SYSLOGD(Host: 132.234.34.1 Log Facility: LOCAL0)
Enabled Feature(s): HELP, ULI, NESTED MENUS, KERBEROS 5
termsmod>> show server kerberos
MX1620 V6.0.1 Rom 470000 HW 00.00.00 Lat Protocol V5.2 Uptime: 0 01:09:57
19 Dec 1999 19:58:51
Kerberos Security: Login    Kerberos Version 5
Kerberos Realm: CIT.GU.EDU.AU
Kerberos Master: BEHOLDER.CIT.GU.EDU.AU    Resolved Address: 132.234.86.5
Kerberos Primary Server: BEHOLDER.CIT.GU.EDU.AU    Resolved Address: 132.234.86.5
Kerberos Secondary Server: NONE    Resolved Address: 0.0.0.0
739 Error Message: Please contact CIT HelpDesk (3875-3666)
Kerberos Port Number: 750    Kerberos Password Port: 749
Kerberos Query Limit: 3    Password Service: kadmin
Kerberos Ports Enabled: 1-16
Successful Logins: 730    Unsuccessful Logins: 25
Logins without Kerberos: 12    Password Change Failures: 0
Last Kerberos Error: 31    Occurred: 18 Dec 1999 17:39:24
Attempts to access:  Master  Server1  Server2
Successful:          0       755      0
Unsuccessful:        0       0        0
termsmod>> kerberos
Enter user password>
Enter user password>
Enter user password>
Xyplex -739- Please contact CIT HelpDesk (3875-3666)
Xyplex -020- Logged out port 0 on server TERMSMOD at 19
------------------------------------
^^^^--- and now note that I get logged out. It won't accept my passwd.

HOWEVER: I know that I have contacted the kerberos server successfully because the logs on
the server tell me I have, even though the terminal server failed to let me pass
(using tail -f /opt/krb5/var/krb5kdc/kdc.log) .....and got:

Dec 20 16:10:15 beholder krb5kdc[233](info): AS_REQ 132.234.86.81(88): ISSUE: authtime 945670215, davidbu@CIT.GU.EDU.AU for krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU
------------------------------------
The problem is NOT that the KDC isn't working, as the following shows:
(I can kinit both my common and admin instances)
------------------------------------
davidbu@beholder>~> kinit davidbu
Password for davidbu@CIT.GU.EDU.AU:
davidbu@beholder>~> klist
Ticket cache: /tmp/krb5cc_101
Default principal: davidbu@CIT.GU.EDU.AU

Valid starting     Expires            Service principal
12/20/99 16:06:14  12/21/99 02:06:14  krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU
davidbu@beholder>~> kinit davidbu/admin
Password for davidbu/admin@CIT.GU.EDU.AU:
davidbu@beholder>~> klist
Ticket cache: /tmp/krb5cc_101
Default principal: davidbu/admin@CIT.GU.EDU.AU

Valid starting     Expires            Service principal
12/20/99 16:06:28  12/21/99 02:06:28  krbtgt/CIT.GU.EDU.AU@CIT.GU.EDU.AU
davidbu@beholder>~>
-----------------------------------
Now, from here on I'm stuck.
>How-To-Repeat:
see above.
>Fix:
No fix known here, that's what I'm after myself. I really don't know.
>Audit-Trail:
>Unformatted: