From kreymer@fnal.gov Wed Jul 7 17:31:00 1999 -0500
Received: from fnal.fnal.gov by ea831.fnal.gov; (5.65v3.2/1.1.8.2/03Feb96-0240PM) id AA04068; Wed, 7 Jul 1999 17:31:00 -0500
Received: from cuervo ("port 1195"@d-cd-182.fnal.gov) by FNAL.FNAL.GOV (PMDF V5.1-12 #3998) with SMTP id <01JDAHPLXLK0000E0A@FNAL.FNAL.GOV> for kreymer@ea831.fnal.gov; Wed, 7 Jul 1999 17:30:58 -0500 CDT
Date: Wed, 07 Jul 1999 17:30:58 -0500
From: "Mark O. Kaletka"
Subject: Strong Authentication Web Site
To: kerberos-pilot@fnal.gov
Cc: Krzysztof Genser, Art Kreymer
Message-Id: <000001bec8c8$6282b460$4e57e183@cuervo.fnal.gov>
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Importance: Normal
X-Msmail-Priority: Normal
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
X-Priority: 3 (Normal)
Status: RO
X-Status:
X-Keywords:
X-UID: 1

Please feel free to check out the strong authentication project web site,
recently (five minutes ago) organized.

Also, notice a series of talks are scheduled...

-- Mark K.

From kreymer@fnal.gov Wed Jul 7 17:38:11 1999 -0500
Received: from fnal.fnal.gov by ea831.fnal.gov; (5.65v3.2/1.1.8.2/03Feb96-0240PM) id AA04051; Wed, 7 Jul 1999 17:38:10 -0500
Received: from cuervo ("port 1220"@d-cd-182.fnal.gov) by FNAL.FNAL.GOV (PMDF V5.1-12 #3998) with SMTP id <01JDAHYH1YG4000DMV@FNAL.FNAL.GOV> for kreymer@ea831.fnal.gov; Wed, 7 Jul 1999 17:38:08 -0500 CDT
Date: Wed, 07 Jul 1999 17:38:06 -0500
From: "Mark O. Kaletka"
Subject: RE: Strong Authentication Web Site
In-Reply-To: <000001bec8c8$6282b460$4e57e183@cuervo.fnal.gov>
To: "Mark O. Kaletka", kerberos-pilot@fnal.gov
Cc: Krzysztof Genser, Art Kreymer
Message-Id: <000301bec8c9$61e609c0$4e57e183@cuervo.fnal.gov>
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Importance: Normal
X-Msmail-Priority: Normal
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
X-Priority: 3 (Normal)
Status: RO
X-Status:
X-Keywords:
X-UID: 2

Doh!!! Forgot to include the url! Sorry...

http://www-dcd.fnal.gov/computersecurity/strongauth/default.htm

-- Mark K.

> -----Original Message-----
> From: Mark O. Kaletka [mailto:kaletka@fnal.gov]
> Sent: Wednesday, July 07, 1999 5:31 PM
> To: kerberos-pilot@fnal.gov
> Cc: Krzysztof Genser; Art Kreymer
> Subject: Strong Authentication Web Site
>
>
> Please feel free to check out the strong authentication project web site,
> recently (five minutes ago) organized.
>
> Also, notice a series of talks are scheduled...
>
> -- Mark K.
>

From kreymer@fnal.gov Thu Jul 8 07:06:16 1999 -0500
Received: from fnal.fnal.gov by ea831.fnal.gov; (5.65v3.2/1.1.8.2/03Feb96-0240PM) id AA04038; Thu, 8 Jul 1999 07:06:15 -0500
Received: from gungnir.fnal.gov ("port 47937"@gungnir.fnal.gov) by FNAL.FNAL.GOV (PMDF V5.1-12 #3998) with ESMTP id <01JDBA7DIFLG000F6X@FNAL.FNAL.GOV> for kreymer@ea831.fnal.gov; Thu, 8 Jul 1999 07:06:14 -0500 CDT
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id HAA19227; Thu, 08 Jul 1999 07:06:14 -0500 (CDT)
Date: Thu, 08 Jul 1999 07:06:14 -0500
From: Matt Crawford
Subject: Re: Strong Authentication Web Site
In-Reply-To: "07 Jul 1999 22:52:55 CDT." <"Pine.OSF.4.05.9907072249160.4954-100000"@ea831.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: Art Kreymer
Cc: "Mark O. Kaletka"
Message-Id: <199907081206.HAA19227@gungnir.fnal.gov>
Mime-Version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-Type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 3

That was my one foray into the microsoft html composing tools.
Believe it or not, the pebbles are what MS calls the "professional"
look. I'll get around to fixing it in the next release, as they
say.

From kreymer@fnal.gov Thu Jul 8 09:54:10 1999 -0500
Received: from fnal.fnal.gov by ea831.fnal.gov; (5.65v3.2/1.1.8.2/03Feb96-0240PM) id AA32736; Thu, 8 Jul 1999 09:54:09 -0500
Received: from cuervo ("port 1153"@d-cd-182.fnal.gov) by FNAL.FNAL.GOV (PMDF V5.1-12 #3998) with SMTP id <01JDBG2HFX6G000GA9@FNAL.FNAL.GOV> for kreymer@ea831.fnal.gov; Thu, 8 Jul 1999 09:54:06 -0500 CDT
Date: Thu, 08 Jul 1999 09:54:13 -0500
From: "Mark O. Kaletka"
Subject: RE: Strong Authentication Web Site
In-Reply-To: <199907081206.HAA19227@gungnir.fnal.gov>
To: Matt Crawford, Art Kreymer
Message-Id: <000501bec951$bdff1f20$4e57e183@cuervo.fnal.gov>
Mime-Version: 1.0
X-Mailer: Microsoft Outlook 8.5, Build 4.71.2173.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Importance: Normal
X-Msmail-Priority: Normal
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3110.3
X-Priority: 3 (Normal)
Status: RO
X-Status:
X-Keywords:
X-UID: 4

Removed on Matt's behalf... and I took such pains to preserve the
background yesterday ...

-- Mark K.

> -----Original Message-----
> From: crawdad@gungnir.fnal.gov [mailto:crawdad@gungnir.fnal.gov]On
> Behalf Of Matt Crawford
> Sent: Thursday, July 08, 1999 7:06 AM
> To: Art Kreymer
> Cc: Mark O. Kaletka
> Subject: Re: Strong Authentication Web Site
>
>
> That was my one foray into the microsoft html composing tools.
> Believe it or not, the pebbles are what MS calls the "professional"
> look. I'll get around to fixing it in the next release, as they
> say.
>
>
>

From kreymer@fnal.gov Thu Oct 14 14:43:30 1999 -0500
Received: from fnal.fnal.gov by ea831.fnal.gov; (5.65v3.2/1.1.8.2/03Feb96-0240PM) id AA11668; Thu, 14 Oct 1999 14:43:29 -0500
Received: from purpc09.fnal.gov ([131.225.103.61]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JH4MPQAKUO000ERY@FNAL.FNAL.GOV> (original mail from greenc@fnal.gov) for kreymer@ea831.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 14 Oct 1999 14:43:29 -0500 CDT
Received: from purpc09.fnal.gov ([131.225.103.61]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JH4MPO75W2000EU8@FNAL.FNAL.GOV>; Thu, 14 Oct 1999 14:43:07 -0500
Received: from localhost (greenc@localhost) by purpc09.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA17237; Thu, 14 Oct 1999 14:43:06 -0500
Date: Thu, 14 Oct 1999 14:43:06 -0500 (CDT)
From: Chris Green
Subject: RE: kerberos, ssh, cvs repositories, and what are people supposed to do?
In-Reply-To:
To: "Mark O. Kaletka"
Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov, ssh-users@fnal.gov
Errors-To: ssh-users-owner@fnal.gov
Message-Id:
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-Warning: purpc09.fnal.gov: greenc owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 5

Putting in my twopenn'orth, I think if the use of ssh is impacted by the
kerberos-pilot scheme then it is a valid subject for discussion on both
groups until the problem is resolved. Or what is the pilot scheme supposed
to achieve anyway? A rubber stamp, perhaps?

Cheers,

Chris.

On Thu, 14 Oct 1999, Mark O. Kaletka wrote:

> No, this discussion belongs on ssh-users, created just for this purpose.
> Anybody on kerberos-pilot who'd like to engage in the discussion, and isn't
> already on ssh-users, please send a "subscribe ssh-users" to
> mailserv@fnal.gov. Thanks.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: lauri@ossbud.fnal.gov [mailto:lauri@ossbud.fnal.gov]On Behalf Of
> > Laurelin of Middle Earth, 630-840-2214
> > Sent: Wednesday, October 13, 1999 10:38 AM
> > To: kerberos-pilot@fnal.gov
> > Cc: lauri@fnal.gov
> > Subject: kerberos, ssh, cvs repositories, and what are people supposed
> > to do?
> >
> >
> > I know that Matt asked that we NOT discuss ssh in the kerberos-pilot
> > mailing list, but I don't see a separate "strong-authentication"
> > list -- AND, the very same people are involved, so I think it's
> > fair to use this group. Sorry, Matt.
> >
>...snip...<
>
>
--
Chris Green. HEP, Purdue University. CDF SVXII project. Based at Fermilab.
MAIL greenc@fnal.gov; PHONE (630) 840-2308

From kreymer@fnal.gov Wed Nov 3 14:35:32 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (SYSTEM@fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA06822 for ; Wed, 3 Nov 1999 14:35:30 -0600
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JHWK535T8G0000H0@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 3 Nov 1999 14:34:35 -0600 CDT
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JHWK1BC4F80000KN@FNAL.FNAL.GOV>; Wed, 03 Nov 1999 14:28:26 -0600
Date: Wed, 03 Nov 1999 14:28:19 -0600
From: "Mark O. Kaletka"
Subject: RE: Strong Authentication Pilot
In-reply-to: <199911031919.NAA26300@hamshack.fnal.gov>
To: Kerberos Pilot
Cc: oss-dept@fnal.gov, bld-cluster-announce@fnal.gov
Errors-to: bld-cluster-announce-owner@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 6

The pitfalls of assumed knowledge...

The strong authentication pilot project does indeed have a web site, which
includes some introductory documentation, which is located at:

http://www-dcd.fnal.gov/computersecurity/StrongAuth/

with the basic user documentation (from MIT) at:

http://www-dcd.fnal.gov/computersecurity/StrongAuth/UserDocs/user-guide_toc.html

Sorry for not including these to begin with!

The easiest way to proceed, assuming you don't have Kerberos clients
installed on your desktop, is to first ssh to ossbud. Issue "setup kerberos"
on ossbud and use the kpasswd command to change your Kerberos password
(those with new principals need to do this). You can then use the kinit
command to obtain tickets (and klist to view them), and telnet, ftp, rsh,
etc. from ossbud for access to the other build cluster systems with Kerberos
authentication.

On a related note, the power outages, visit of the DOE yesterday, and other
things have put us somewhat behind schedule for today's cutover, although
we're still hoping for a cutover before the end of the day. The final builds
are being done now and software installs will begin either later today or
tomorrow. More news as events progress!

Thanks again!

-- Mark K.
> -----Original Message-----
> From: Ken Schumacher [mailto:kschu@fnal.gov]
> Sent: Wednesday, November 03, 1999 1:20 PM
> To: Mark Kaletka
> Subject: Strong Authentication Pilot
>
>
> Mark,
>
> Is there a web page or some other document which describes the SA
> Project? I had talked to Matt and gotten set-up with a kerberos
> login. I
> have not been able to access it to reset the password. From reading on
> the kerberos-pilot mailing list, I'm guessing that I need to access a
> machine that's part of the pilot and use a 'kinit' command to access that
> authentication. Is there some sort of document that describes how the SA
> works so that a new person in the test can get up to speed?
>
> More later,
> Ken S. --
>
> --
> ===========================================================================
> Ken Schumacher (o) 630-840-4579 (f) 630-840-6345
> Fermilab CD/OSS CSS Group Loc:FCC-252g http://home.fnal.gov/~kschu/
> ===========================================================================
>
>
>

From kreymer@fnal.gov Thu Nov 4 11:07:48 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA14764 for ; Thu, 4 Nov 1999 11:07:48 -0600
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JHXRAN8M0W0000WT@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 4 Nov 1999 11:07:44 -0600 CDT
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JHXRALQ6WQ0000YX@FNAL.FNAL.GOV>; Thu, 04 Nov 1999 11:07:30 -0600
Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id LAA13001; Thu, 04 Nov 1999 11:07:29 -0600 (CST)
Date: Thu, 04 Nov 1999 11:07:28 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: reconfiguring ssh: does it need to be restarted?
Sender: lauri@bldsunos26.fnal.gov
To: Ken Schumacher
Cc: kerberos-pilot@fnal.gov, ssh-users@fnal.gov
Errors-to: ssh-users-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911041707.LAA13001@bldsunos26.fnal.gov>
X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 7

When I look on ossbud, I see only one inetd process (which makes it easy
to find). When I look on ossbud, I see many, many /usr/local/sbin/sshd
processes. I'm guessing that this means:

- inetd is started ONCE when the system boots
- sshd is started once FOR EACH PERSON COMING IN VIA ssh.

Can/should root send HUP to other people's sshd processes? Should I be
re-hupping all of them?

And, what happens when:

- process comes in via ssh, reads existing sshd_config file to see that
  "xxxAuthentication yes" allows xxx form of authentication (and maybe
  then process uses that xxx form of authentication)
- I modify sshd_config so that "xxxAuthentication no" now disallows this
  form of authentication
- I send HUP to existing sshd daemons

So the process that has already authenticated is now told "you can't use
the form of authentication any more". What does this mean?

-- lauri

On Wednesday 3 November 1999, our friend Ken Schumacher spaketh thusly:
> Lauri,
>
> According to the man page for 'sshd', if you send the daemon process a
> SIGHUP, it will re-read its configuration file. You'll want to find the
> PID of the 'sshd' and then 'kill -HUP ' (replacing '' with the
> process number.
>
> You can also restart the 'sshd' in order to have it pick up the new
> 'sshd_config' parameters. The best way to do this is to use the startup
> script that is run when the system boots. On my Linux desktop system
> (FRHL 5.2) that is '/etc/rc.d/init.d/sshd.init'. Run the script once with
> the parameter stop and then again with the parameter start. A reboot of
> the system is much more dramatic, but an effective way to accomplish the
> goal.
>
> More later,
> Ken S.
>
>
> --
> ===========================================================================
> Ken Schumacher (o) 630-840-4579 (f) 630-840-6345
> Fermilab CD/OSS CSS Group Loc:FCC-252g http://home.fnal.gov/~kschu/
> ===========================================================================
>
>

From kreymer@fnal.gov Fri Nov 12 10:30:35 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA28968 for ; Fri, 12 Nov 1999 10:30:34 -0600
Received: from mailserv-daemon by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JI8WCG98VK0004KL@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 12 Nov 1999 10:30:30 -0600 CDT
Date: Fri, 12 Nov 1999 10:30:30 -0600
From: "PMDF Mailserv V5.2"
Subject: Welcome to kerberos-pilot
To: kreymer@fnal.gov
Message-id: <01JI8WCHF0BC0004KL@FNAL.FNAL.GOV>
MIME-version: 1.0
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 8

This list is for the use of the sysadmins and users participating in
the Kerberos pilot project. This will be the main channel for news,
questions and problem reports.

Please contact the list owner, crawdad@fnal.gov, for more information

Do not reply to this message.

From kreymer@fnal.gov Fri Nov 12 10:30:35 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA28969 for ; Fri, 12 Nov 1999 10:30:34 -0600
Received: from mailserv-daemon by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JI8WCG98VK0004KL@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 12 Nov 1999 10:30:29 -0600 CDT
Date: Fri, 12 Nov 1999 10:30:29 -0600
From: "PMDF Mailserv V5.2"
Subject: Re: subscribe kerberos-pilot kreymer@fnal.gov
To: "Mark O. Kaletka", kreymer@fnal.gov
Message-id: <01JI8WCGLKHE0004KL@FNAL.FNAL.GOV>
MIME-version: 1.0
Status: RO
X-Status:
X-Keywords:
X-UID: 9

The address:
kreymer@fnal.gov
has been added to the kerberos-pilot mailing list by "Mark O. Kaletka".

From kreymer@fnal.gov Fri Nov 12 10:30:35 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA28970 for ; Fri, 12 Nov 1999 10:30:35 -0600
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JI8WCF5Y8G0003NZ@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 12 Nov 1999 10:30:28 -0600 CDT
Date: Fri, 12 Nov 1999 10:29:18 -0600
From: "Mark O. Kaletka"
Subject: RE: principal for kreymer@fnal.gov
In-reply-to:
To: Art Kreymer, crawdad@fnal.gov
Cc: Mark Kaletka
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status: A
X-Keywords:
X-UID: 10

Done... Call me for your password, x2965. The initial password will expire
in 30 days. After you change it once, it will expire (i.e., must be changed
again) in 400 days.

New Kerberos commands you'll need to know are:

kpasswd   change your kerberos password.
klist     list Kerberos tickets already obtained.
kinit     get initial ticket (if, for example, you logged in through some
          non-Kerberos means, or if your TGT has expired).

-- Mark K.

> -----Original Message-----
> From: Art Kreymer [mailto:kreymer@fnal.gov]
> Sent: Thursday, November 11, 1999 9:35 AM
> To: crawdad@fnal.gov; kaletka@fnal.gov
> Subject: principal for kreymer@fnal.gov
>
>
> Time has come for me to start working on SAPilot.
>
> I don't see any instructions on the S.A. web,
> but an old bld-cluster email states that one of you needs to call
> me with an initial password for kreymer@fnal.gov (x4261)
>
>
>

From kreymer@fnal.gov Fri Nov 12 15:21:27 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29588 for ; Fri, 12 Nov 1999 15:21:27 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JI96HY7IUO0003ZQ@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 12 Nov 1999 15:21:24 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JI96HXA5280004VM@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 12 Nov 1999 15:21:13 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id PAA02599; Fri, 12 Nov 1999 15:21:11 -0600
Date: Fri, 12 Nov 1999 15:21:10 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: aren't the afs tokens supposed to be long-lived?
Sender: lauri@ossbud.fnal.gov
To: crawdad@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911122121.PAA02599@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 11

I thought that one of the "features" added to kerberos v0_3 was a longer
default lifetime for afs tokens obtained when you kinit.
But this doesn't seem to be happening:

bldsunos26> date
Fri Nov 12 15:15:59 CST 1999
bldsunos26> klist
klist: No credentials cache file found (ticket cache /tmp/krb5cc_0)
bldsunos26> kinit
Password for lauri@PILOT.FNAL.GOV:
bldsunos26> klist -f
Ticket cache: /tmp/krb5cc_0
Default principal: lauri@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/12/99 15:16:08  11/13/99 01:16:08  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        Flags: FIA
11/12/99 15:16:09  11/13/99 01:16:08  afs/fnal.gov@PILOT.FNAL.GOV
        Flags: FA

???

This was on node bldsunos26; a copy of the /etc/krb5.conf is below.

-- lauri

# krb5conf v0_3 with afs on node ossbud initial installation 04Nov1999
[libdefaults]
        ticket_lifetime = 780
        default_realm = PILOT.FNAL.GOV
        checksum_type = 1
        ccache_type = 2
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc
[realms]
        PILOT.FNAL.GOV = {
                kdc = krb-pilot-1.fnal.gov:88
                kdc = krb-pilot-2.fnal.gov:88
                admin_server = krb-pilot-admin.fnal.gov
                default_domain = fnal.gov
        }
[domain_realm]
        .fnal.gov = PILOT.FNAL.GOV
# DO NOT EDIT ABOVE THIS LINE
# Furthermore, if you edit below the line in the early days of the
# pilot project, you may be required to merge later updates in by hand.
[logging]
        default = SYSLOG:ERR:AUTH
[appdefaults]
        default_lifetime = 7d
        retain_ccache = false
        autologin = true
        forward = true
        forwardable = true
        encrypt = true
        krb5_aklog_path = /usr/krb5/bin/aklog
        rcp = {
                forward = false
                encrypt = false
                allow_fallback = true
        }
        rsh = {
                allow_fallback = true
        }
        rlogin = {
                allow_fallback = false
        }
        kinit = {
                forwardable = true
                krb5_run_aklog = true
        }
        login = {
                krb5_get_tickets = true
                forwardable = true
                krb4_get_tickets = false
                krb4_convert = false
                krb5_run_aklog = true
        }
        ftpd = {
                default_lifetime = 4h
        }

From kreymer@fnal.gov Sat Nov 13 10:41:06 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA28608 for ; Sat, 13 Nov 1999 10:41:06 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIAAZSUFPC0004G7@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Sat, 13 Nov 1999 10:41:03 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIAAZSCA320004SI@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Sat, 13 Nov 1999 10:40:56 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA08844; Sat, 13 Nov 1999 10:40:34 -0600 (CST)
Date: Sat, 13 Nov 1999 10:40:33 -0600
From: Matt Crawford
Subject: Re: aren't the afs tokens supposed to be long-lived?
In-reply-to: "12 Nov 1999 15:21:10 CST." <"199911122121.PAA02599"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911131640.KAA08844@gungnir.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 12

The new feature is that if your Kerberos ticket is renewable, your AFS
token gets the full renewable life rather than the "per-renewal" life.
Typically, that means 7 days rather than 10 (or was it 13?) hours.

However, when you typed kinit, you didn't specify "-r 7d" to get a renewable
ticket, I *think* we do have things set up so that if you do a local login
through the Kerberos login program, you get a renewable ticket.

From kreymer@fnal.gov Mon Nov 15 09:23:16 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA16603 for ; Mon, 15 Nov 1999 09:23:15 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JID0T4842800058W@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 09:22:31 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JID0T12FVA0004X3@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 09:21:33 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id JAA08340; Mon, 15 Nov 1999 09:21:30 -0600
Date: Mon, 15 Nov 1999 09:21:30 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: aren't the afs tokens supposed to be long-lived?
Sender: lauri@ossbud.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911151521.JAA08340@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 13

On Saturday 13 November 1999 thou didst say:
>
> However, when you typed kinit, you didn't specify "-r 7d" to get a renewable
> ticket, I *think* we do have things set up so that if you do a local login
> through the Kerberos login program, you get a renewable ticket.
>

1) Can the "-r 7d" be part of the default settings for kinit? If so,
   why might we NOT want to have this be the default?

2) How do you do a local login through the kerberos login program, if
   you don't already have tickets? Is this something that I just can't
   do because I'm starting from a NT box? (In other words, if Reflections
   *did* forward my tickets, would I be getting a default 7 day AFS token
   when I got there?)

-- lauri

From kreymer@fnal.gov Mon Nov 15 11:17:08 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA16675 for ; Mon, 15 Nov 1999 11:17:08 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JID4LPRUOG00058W@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 11:11:28 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JID4KPEBUW0005BQ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 11:09:22 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA19876 for ; Mon, 15 Nov 1999 11:08:56 -0600 (CST)
Date: Mon, 15 Nov 1999 11:08:55 -0600
From: Matt Crawford
Subject: Re: aren't the afs tokens supposed to be long-lived?
In-reply-to: "15 Nov 1999 09:21:30 CST." <"199911151521.JAA08340"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911151708.LAA19876@gungnir.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 14

> > However, when you typed kinit, you didn't specify "-r 7d" to get
> > a renewable ticket, I *think* we do have things set up so that if
> > you do a local login through the Kerberos login program, you get
> > a renewable ticket.
>
> 1) Can the "-r 7d" be part of the default settings for kinit? If
> so, why might we NOT want to have this be the default?
>
> 2) How do you do a local login through the kerberos login program,
> if you don't already have tickets? Is this something that I just
> can't do because I'm starting from a NT box? (In other words, if
> Reflections *did* forward my tickets, would I be getting a default 7
> day AFS token when I got there?)

Let me answer this backwards, and also beginning way back, to make
the answer more coherent. Lauri and many others on the list already
know most of this; they'll have to be patient.

The tickets have limited lifetimes to reduce the exposure to theft
and cryptographic cracking. Tickets can be renewable because it's a
dang nuisance to type your password often, especially if you're
running a long job unattended. After a lot of discussion we settled
on a maximum ticket lifetime of 13 hours, renewable for up to 7 days.

*=> All security choices are compromises. <=*

When you do "kinit" without explicitly asking for a renewable ticket,
you get a non-renewable ticket with a lifetime equal to the minimum
of the values from:

        the command line flags, if any
        the local system's /etc/krb5.conf, if any
        the KDC's configured limit
        a limit set for your principal, if any

(When getting a ticket for a service, the lifetime of that ticket may
also be reduced to a special value set for that service.)

Kinit won't give you a renewable ticket unless you ask for such with
the command-line flags. Since kinit is only invoked from the command
line, this does not seem to be a great nuisance. The login program,
on the other hand, is not generally invoked by a command line, so its
actions must be customized solely through krb5.conf. For example,
that's where "forwardable = true" will cause the login program to
obtain a forwardable initial ticket. The v0_3 change I made to login
is to have it check for a "renewable = [true|false]" appdefault in
krb5.conf. If set to true, it sets the "RENEWABLE_OK" option in the
initial ticket request which instructs the KDC, "If the lifetime I'm
asking for is longer than allowed, give me a renewable ticket."
Coupling that with a default lifetime above 13 hours (also determined
by krb5.conf) will get a renewable ticket with an initial lifetime of
13 hours and a renewable life as specified.

The v0_3 change to aklog and the Kerberos V5-to-V4 translator daemon
is that now, when getting an AFS token based on a renewable Kerberos
V5 ticket, the token will be valid for the entire renewable lifetime
of the ticket. I justify this security-weakening to myself on the
grounds that Kerberos V4 and AFS have no concept of renewing, so I'm
just providing a V5-like feature, albeit in a slightly less secure
way than Kerberos V5 provides it.

*=> All security choices are compromises. <=*

In our strengthened-realm environment, the ticket lifetime choices of
login's appdefaults affect only local console logins, which are
usually made by a single person or a small set of people. Where
kinit is used, it may be used by a larger set of people and so it
seems less appropriate to kick it with a system-wide configuration
file.

And yes, if your Reflection software got you a 7-day renewable ticket
and *forwarded* it when you logged into an AFS machine, you'd have a
7-day AFS token.

Matt

From kreymer@fnal.gov Mon Nov 15 11:36:41 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA16693 for ; Mon, 15 Nov 1999 11:36:35 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JID5E92S4W00058W@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 11:34:07 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JID5DXRC7S0005BY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 11:32:57 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id LAA10332; Mon, 15 Nov 1999 11:32:54 -0600
Date: Mon, 15 Nov 1999 11:32:54 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: aren't the afs tokens supposed to be long-lived?
Sender: lauri@ossbud.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911151732.LAA10332@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 15

Good explanation. Is the following summary correct (to the 95%
accuracy for most users), then?

a) At the console of a kerberized machine, log in. You'll get
   renewable tickets, and (if the machine is running AFS) a
   7 day AFS token.
b) If you're using a kerberized node as a portal,
        kinit -r7d
   to get the renewable tickets with 7 day AFS token.

c) Then, within each 13 hour segment, issue the
        kinit -R
   command to renew your kerberos tickets

-- lauri

On Monday 15 November 1999 thou didst say:
> > > However, when you typed kinit, you didn't specify "-r 7d" to get
> > > a renewable ticket, I *think* we do have things set up so that if
> > > you do a local login through the Kerberos login program, you get
> > > a renewable ticket.
> >
> > 1) Can the "-r 7d" be part of the default settings for kinit?  If
> > so, why might we NOT want to have this be the default?
> >
> > 2) How do you do a local login through the kerberos login program,
> > if you don't already have tickets?  Is this something that I just
> > can't do because I'm starting from a NT box?  (In other words, if
> > Reflections *did* forward my tickets, would I be getting a default 7
> > day AFS token when I got there?)
>
> Let me answer this backwards, and also beginning way back, to make
> the answer more coherent.  Lauri and many others on the list already
> know most of this; they'll have to be patient.
>
> The tickets have limited lifetimes to reduce the exposure to theft
> and cryptographic cracking.  Tickets can be renewable because it's a
> dang nuisance to type your password often, especially if you're
> running a long job unattended.  After a lot of discussion we settled
> on a maximum ticket lifetime of 13 hours, renewable for up to 7 days.
>
> *=> All security choices are compromises. <=*
>
> When you do "kinit" without explicitly asking for a renewable ticket,
> you get a non-renewable ticket with a lifetime equal to the minimum
> of the values from:
>
>         the command line flags, if any
>         the local system's /etc/krb5.conf, if any
>         the KDC's configured limit
>         a limit set for your principal, if any
>
> (When getting a ticket for a service, the lifetime of that ticket may
> also be reduced to a special value set for that service.)
>
> Kinit won't give you a renewable ticket unless you ask for such with
> the command-line flags.  Since kinit is only invoked from the command
> line, this does not seem to be a great nuisance.  The login program,
> on the other hand, is not generally invoked by a command line, so its
> actions must be customized solely through krb5.conf.  For example,
> that's where "forwardable = true" will cause the login program to
> obtain a forwardable initial ticket.  The v0_3 change I made to login
> is to have it check for a "renewable = [true|false]" appdefault in
> krb5.conf.  If set to true, it sets the "RENEWABLE_OK" option in the
> initial ticket request which instructs the KDC, "If the lifetime I'm
> asking for is longer than allowed, give me a renewable ticket."
> Coupling that with a default lifetime above 13 hours (also determined
> by krb5.conf) will get a renewable ticket with an initial lifetime of
> 13 hours and a renewable life as specified.
>
> The v0_3 change to aklog and the Kerberos V5-to-V4 translator daemon
> is that now, when getting an AFS token based on a renewable Kerberos
> V5 ticket, the token will be valid for the entire renewable lifetime
> of the ticket.  I justify this security-weakening to myself on the
> grounds that Kerberos V4 and AFS have no concept of renewing, so I'm
> just providing a V5-like feature, albeit in a slightly less secure
> way than Kerberos V5 provides it.
>
> *=> All security choices are compromises. <=*
>
> In our strengthened-realm environment, the ticket lifetime choices of
> login's appdefaults affect only local console logins, which are
> usually made by a single person or a small set of people.  Where
> kinit is used, it may be used by a larger set of people and so it
> seems less appropriate to kick it with a system-wide configuration
> file.
>
> And yes, if your Reflection software got you a 7-day renewable ticket
> and *forwarded* it when you logged into an AFS machine, you'd have a
> 7-day AFS token.
> Matt
>

From kreymer@fnal.gov Mon Nov 15 12:01:30 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA16712 for ; Mon, 15 Nov 1999 12:01:28 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JID6AL6I8W0005AD@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 11:59:22 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JID6AI6BZ80005CO@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 11:58:25 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA20151 for ; Mon, 15 Nov 1999 11:57:58 -0600 (CST)
Date: Mon, 15 Nov 1999 11:57:58 -0600
From: Matt Crawford
Subject: Re: aren't the afs tokens supposed to be long-lived?
In-reply-to: "15 Nov 1999 11:32:54 CST." <"199911151732.LAA10332"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911151757.LAA20151@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 16

> Good explanation.  Is the following summary correct (to the 95%
> accuracy for most users), then?
>
> a) At the console of a kerberized machine, log in.  You'll get
>    renewable tickets, and (if the machine is running AFS) a
>    7 day AFS token.

Correction here: *if* the system's krb5.conf file has been altered to
put "renewable = true" under the "login = { ... }" of [appdefaults].
We didn't make this the default, although we did make the 7-day time
a default.

> b) If you're using a kerberized node as a portal,
>         kinit -r7d
>    to get the renewable tickets with 7 day AFS token.
>
> c) Then, within each 13 hour segment, issue the
>         kinit -R
>    command to renew your kerberos tickets

Right.  It might be worth noting, for belt-and-suspenders clarity,
that you don't need "kinit -R" in such a case if all you care about
is your AFS token.

From kreymer@fnal.gov Mon Nov 15 13:17:41 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA16759 for ; Mon, 15 Nov 1999 13:17:40 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JID8X3WJTS00058W@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 13:14:49 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JID8WZR9JO0005CK@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 13:13:49 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id NAA11473; Mon, 15 Nov 1999 13:13:46 -0600
Date: Mon, 15 Nov 1999 13:13:46 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: aren't the afs tokens supposed to be long-lived?
Sender: lauri@ossbud.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911151913.NAA11473@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 17

On Monday 15 November 1999, our friend Matt Crawford spaketh thusly:
> > Good explanation.  Is the following summary correct (to the 95%
> > accuracy for most users), then?
> >
> > a) At the console of a kerberized machine, log in.  You'll get
> >    renewable tickets, and (if the machine is running AFS) a
> >    7 day AFS token.
>
> Correction here: *if* the system's krb5.conf file has been altered to
> put "renewable = true" under the "login = { ... }" of [appdefaults].
> We didn't make this the default, although we did make the 7-day time
> a default.

How does one go about finding out about all the things that can be
configured in the krb5.conf file?  We don't have *anything* in the
file that looks like "renewable" to me, so unless somebody does some
serious homework, they wouldn't even know that they can set this
feature.

-- lauri

From kreymer@fnal.gov Mon Nov 15 14:04:04 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA16994 for ; Mon, 15 Nov 1999 14:04:04 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIDAKKCFF40005AD@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 15 Nov 1999 14:01:58 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIDAKHBBD20005CS@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 15 Nov 1999 14:00:59 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA21164 for ; Mon, 15 Nov 1999 14:00:33 -0600 (CST)
Date: Mon, 15 Nov 1999 14:00:32 -0600
From: Matt Crawford
Subject: Re: aren't the afs tokens supposed to be long-lived?
In-reply-to: "15 Nov 1999 13:13:46 CST." <"199911151913.NAA11473"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911152000.OAA21164@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 18

> How does one go about finding out about all the things that can be
> configured in the krb5.conf file?

Most of it is in "man krb5.conf", but this particular item, added to
the login code just two days before deployment, did not, alas, make
it into the man page in time.  But it's in the source tree now for
the next release.
From kreymer@fnal.gov Wed Nov 24 14:28:56 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA13737 for ; Wed, 24 Nov 1999 14:28:55 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIPW5LE7SG0008RN@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 24 Nov 1999 14:28:50 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JIPW5DY0QC0008UW@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 24 Nov 1999 14:28:15 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id OAA17301; Wed, 24 Nov 1999 14:28:12 -0600
Date: Wed, 24 Nov 1999 14:28:12 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: observations after a few weeks
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911242028.OAA17301@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 19

For the most part, kerberos has had very little impact on our ability
to do business.  The one very annoying "feature" is that you need to
reauthenticate yourself every day, on each node where you're logged
in.  I'm entering my password more now than I ever needed to in the
past -- once per day per (on average) 6-8 nodes.

My typical way of working (and I suspect this is similar to many other
folks) is: on Monday I log in, open windows onto each of my "primary
systems" (places where I do lots of work -- a node for editing, a node
for email, a node for net news, a node for my calendar, and often a
node of each build flavor).  Why don't I use the same node for all of
this?  I try to switch it around so that I use/test software from lots
of different platforms (i.e., I use exmh from a Sun one week, an SGI
the next, etc.; I run through the login scripts, etc., on all flavors,
etc.).

In the kerberized environment, I need to kinit first thing when I log
on to any of the build cluster nodes.  And the tickets are only good
for 12 hours.  So even if I "kinit -R" before I go home at night, it's
doubtful that I'll be back to work in the morning before the tickets
expire.  I need to "kinit" (with password) in every window where I
might want to do rsh or telnet things to other nodes.

I understand the compromises going into the decision to make people
"kinit" frequently, but 12 hours seems excessive.  It seems to me that
if you "kinit -R" before you go home at night, (and you lock your
terminal before you leave) you should be able to "kinit -R" when you
return in the morning, without having to enter a password.

Let's say that you leave around 5:00pm, and return around 9:00am.
That would be 16 hours.  Be a little generous, say 20 hours, as a
reasonable compromise.

(Of course, I'd prefer to be authenticated once per week, but I won't
push it... ;-)

-- lauri

From kreymer@fnal.gov Wed Nov 24 16:20:38 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA13838 for ; Wed, 24 Nov 1999 16:20:38 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIQ02KSQ400008DD@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 24 Nov 1999 16:20:37 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIQ02KDQGC000991@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 24 Nov 1999 16:20:30 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA18868 for ; Wed, 24 Nov 1999 16:19:48 -0600 (CST)
Date: Wed, 24 Nov 1999 16:19:47 -0600
From: Matt Crawford
Subject: Re: observations after a few weeks
In-reply-to: "24 Nov 1999 14:28:12 CST." <"199911242028.OAA17301"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911242219.QAA18868@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 20

Lauri, your situation is more painful than it need be because your
desktop is Windows and your software ("MY software?" you object; OK,
we foisted it on you) doesn't forward tickets.  If you make all your
subsequent logins through ossbud you can maybe minimize the pain.
Try this

        % setenv EDITOR (your favorite)
        % crontab -e
        (insert a line that says ...)
        0 1,7,13,19 * * * kinit -R
        (and save)

(Also, check again.  Aren't your tickets actually good for 13 hours,
not 12?)
Matt

From kreymer@fnal.gov Mon Nov 29 09:28:24 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA00748 for ; Mon, 29 Nov 1999 09:28:23 -0600
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIWL3O463K0009X6@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 29 Nov 1999 09:28:12 -0600 CDT
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIWL3I4WRC000AC3@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 29 Nov 1999 09:27:43 -0600
Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id JAA28463; Mon, 29 Nov 1999 09:27:42 -0600 (CST)
Date: Mon, 29 Nov 1999 09:27:41 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: observations after a few weeks
Sender: lauri@bldsunos26.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199911291527.JAA28463@bldsunos26.fnal.gov>
X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 21

Yes, you're right, 13 hours (not 12).

Question: if the Windows software did forward the tickets, how would
that make the situation easier?  If I renew my tickets on the
'originator' node, will they be automatically renewed on the other
nodes as well?

-- lauri

On Wednesday 24 November 1999, our friend Matt Crawford spaketh thusly:
> Lauri, your situation is more painful than it need be because your
> desktop is Windows and your software ("MY software?" you object; OK,
> we foisted it on you) doesn't forward tickets.  If you make all your
> subsequent logins through ossbud you can maybe minimize the pain.
> Try this
>
>         % setenv EDITOR (your favorite)
>         % crontab -e
>         (insert a line that says ...)
>         0 1,7,13,19 * * * kinit -R
>         (and save)
>
> (Also, check again.  Aren't your tickets actually good for 13 hours,
> not 12?)
> Matt

From kreymer@fnal.gov Mon Nov 29 09:38:31 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA00760 for ; Mon, 29 Nov 1999 09:38:29 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIWLFM0N9C000B9I@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 29 Nov 1999 09:38:16 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIWLFBUQEK00094S@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 29 Nov 1999 09:37:15 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA12987 for ; Mon, 29 Nov 1999 09:36:24 -0600 (CST)
Date: Mon, 29 Nov 1999 09:36:24 -0600
From: Matt Crawford
Subject: Re: observations after a few weeks
In-reply-to: "29 Nov 1999 09:27:41 CST." <"199911291527.JAA28463"@bldsunos26.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199911291536.JAA12987@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 22

> Question: if the Windows software did forward the tickets, how would
> that make the situation easier?  If I renew my tickets on the
> 'originator' node, will they be automatically renewed on the other
> nodes as well?

No, but you could then "kinit -R" on all those nodes, with no
password, to renew the tickets.
In principle, if you let your ticket expire on a remote node, you
could send along a new (or renewed) ticket from elsewhere for use in
that session, without logging out and in again.  In practice, it would
take a tiny little clever shell script because each new network
connection to the remote host gets a new ticket cache, so you have to
copy the newer tickets to the older cache, or reset the old session's
KRB5CCNAME to point to the new tickets.  Not hard.

Matt

From kreymer@fnal.gov Mon Nov 29 09:49:54 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA00776 for ; Mon, 29 Nov 1999 09:49:53 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIWLUM2YK00009X6@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 29 Nov 1999 09:49:46 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIWLUKC49O000ABL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov); Mon, 29 Nov 1999 09:49:31 -0600
Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA14210; Mon, 29 Nov 1999 09:49:30 -0600
Date: Mon, 29 Nov 1999 09:49:30 -0600 (EST)
From: Dane Skow
Subject: Re: Strong security and fnalu
In-reply-to: <01bf3618$b89c4fb0$d96ae183@stephenhome.fnal.gov>
To: ruth
Cc: votava@fnal.gov, terekhov@fnal.gov, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 23

Igor's FNALU tickets should currently be valid for 6 days.  (If he
issues a "tokens" command shortly after login, he can see the timeout.
If it's less than 6 days something is wrong and he should submit a
problem report.)  It is unlikely that we will make tickets valid for
longer than this.

I'm copying Mark, et al. on this as handling of tickets and their
renewal/recreation is one of the areas currently under
debate/investigations.  It seems to be one of the areas where the
various clients pay varying degrees of attention.  I believe this is
going to be one of the areas where people get annoyed (like Igor) and
worthy of effort to minimize.

The current plan is to allow tickets to be renewed (something that
requires user intervention) up to a maximum of something like 1 week.
The current renewal interval is 13 hours.  This is arbitrary and a
compromise between desire to flush stale tickets (there is no easy way
to "kill" specific tickets) and minimal user intervention.

At a minimum, I think the current behaviour of a "weird error message"
coming back when one tries to do something with an expired ticket is a
bad place to be.  It is not clear what is necessary to make that a
more "friendly" failure.

One possibility under investigation is the use of screenlockers that
automatically refresh one's tickets when the screen is unlocked.  This
has its own drawbacks and will not be able to exceed some maximum
ticket lifetime (likely to be something like 1 week).

It would be useful to have some method of determining/estimating
threshold of acceptable pain.  Particularly in areas like this it's
all over the map from user feedback.  Personally, I don't think it's
unreasonable to force a relogin after 6 days and as Igor points out,
if we DID force it, rather than just expire the authorization, people
might like it better.  Not sure how this would be implemented in
practice though.

dane

On Tue, 23 Nov 1999, ruth wrote:

> Dane
>
> we are trying to move people off of fndaub.  Can Igor/people get a longer
> ticket?  I believe the plan is for the kerberos tickets from strong
> authentication to last longer than 24 hours...
>
> Ruth
>
>
>
> -----Original Message-----
> From: Igor_Terekhov
> To: Margaret Votava
> Cc: ruth
> Date: Tuesday, November 23, 1999 3:46 PM
> Subject: Strong security and fnalu
>
>
> >Today Margaret asked me apropos why I don't like fnalu too much.
> >The short answer is, if you're logged on too long, you lose access to your
> >own files.
> >
> >This creates a gripe when e.g. you write a long e-mail to someone and
> >when sending it, you discover that you can't save a copy to sent-mail
> >folder or something.  In fact, if you've been working on a file long enough
> >you won't be able to save it.  I complained about this "feature" but the
> >complaint was ignored (Ruth might remember), apparently because the
> >feature is deemed beneficial.
> >
> >I much prefer that the system logs out interactive dormant sessions.  I
> >think a better security is achieved that way.
> >
> >I would be horrified if our future strong authentication would legalize
> >the above nuisance.  IMHO this is wrong, wrong, wrong.
> >
> >Meanwhile I want to read my e-mail on U cluster.  Once again, I don't need
> >to open any attachments or use Netscape.  I need fast, efficient text-only
> >means of communicating with the management and the colleagues.
> >
> >Igor
> >
> >-+-+-+-+-+-+-+-+-+-
> >Igor Terekhov, Ph.D.
> >Computing Division, ODS MS 120
> >Fermi National Accelerator Laboratory
> >Phone: 630-840-8884  Fax: x2783
> >E-mail: terekhov@fnal.gov
> >
> >
> >
> >
>

From kreymer@fnal.gov Wed Dec 1 09:14:02 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA00673 for ; Wed, 1 Dec 1999 09:14:02 -0600
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZD70HAFK000AQR@FNAL.FNAL.GOV> (original mail from baisley@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 09:13:58 -0600 CDT
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JIZD6ZJR04000B3J@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 09:13:49 -0600
Received: by doofus.fnal.gov id AA08830; Wed, 01 Dec 1999 09:13:48 -0600
Date: Wed, 01 Dec 1999 09:13:42 -0600
From: "I'm not a real doofus, but I play one at a national laboratory"
Subject: Re: observations after a few weeks
Sender: baisley@doofus.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <38453B26.27542B73@fnal.gov>
Organization: Fermilab Unix Application Support Group
MIME-version: 1.0
X-Mailer: Mozilla 4.5 [en] (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <199911242219.QAA18868@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 24

I have been successful at renewing my tickets via cron on ossbud, but
not on bldosf1v40d.  My crontab file has the entry:

        0 1,7,13,19 * * * /usr/krb5/bin/kinit -R

My tickets right now on bldosf1v40d are:

        Ticket cache: /tmp/krb5cc_p24742
        Default principal: baisley@PILOT.FNAL.GOV

        Valid starting      Expires             Service principal
        12/01/99 08:22:02   12/01/99 15:20:46   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
                renew until 12/08/99 08:17:38, Flags: FRIA
        12/01/99 08:22:32   12/01/99 15:20:46   afs/fnal.gov@PILOT.FNAL.GOV
                renew until 12/08/99 08:17:38, Flags: FRA

If I issue the '/usr/krb5/bin/kinit -R' command interactively, it
works fine.  The output I get from the cron job is:

        kinit: No credentials cache file found renewing tgt

Am I doing something wrong?

Cheers,
Wayne

From kreymer@fnal.gov Wed Dec 1 09:20:36 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA06041 for ; Wed, 1 Dec 1999 09:20:35 -0600
Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZDF34U9C000AQR@FNAL.FNAL.GOV> (original mail from stan@nascar.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 09:20:33 -0600 CDT
Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZDEWVBSS000BWQ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 09:20:13 -0600
Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id JAA13392 for ; Wed, 01 Dec 1999 09:20:11 -0600 (CST)
Date: Wed, 01 Dec 1999 09:20:10 -0600
From: Stanley Naymola
Subject: ticket life
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912011520.JAA13392@nascar.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 25

It strikes me as odd that we set ticket life short but go to serious
lengths to find ways to keep it renewed.  What's the point of short
tickets?  Just make them long and quit making kludge workarounds to
the rules.

Just my opinion.

Stan.

From kreymer@fnal.gov Wed Dec 1 09:26:55 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA11599 for ; Wed, 1 Dec 1999 09:26:54 -0600
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZDN0LA28000AQR@FNAL.FNAL.GOV> (original mail from baisley@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 09:26:52 -0600 CDT
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JIZDMZVQU2000APN@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 09:26:43 -0600
Received: by doofus.fnal.gov id AA08923; Wed, 01 Dec 1999 09:25:39 -0600
Date: Wed, 01 Dec 1999 09:25:28 -0600
From: "I'm not a real doofus, but I play one at a national laboratory"
Subject: Re: ticket life
Sender: baisley@doofus.fnal.gov
To: Stanley Naymola
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <38453DE8.AAF9FE89@fnal.gov>
Organization: Fermilab Unix Application Support Group
MIME-version: 1.0
X-Mailer: Mozilla 4.5 [en] (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <199912011520.JAA13392@nascar.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 26

As I understand it, it has the advantage of narrowing the window of
vulnerability should someone attempt to crack your ticket's encryption
key.  That should take hours, not days.  The encryption key changes
upon renewal, so the bad guy has to know what he's doing and work
really quickly.
Cheers,
Wayne

From kreymer@fnal.gov Wed Dec 1 10:20:53 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA06564 for ; Wed, 1 Dec 1999 10:20:53 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZFJ01WSG000AQR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 10:20:52 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZFIZDZ0G000BI9@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 10:20:45 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA27147 for ; Wed, 01 Dec 1999 10:19:52 -0600 (CST)
Date: Wed, 01 Dec 1999 10:19:52 -0600
From: Matt Crawford
Subject: Re: observations after a few weeks
In-reply-to: "01 Dec 1999 09:13:42 CST." <"38453B26.27542B73"@fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912011619.KAA27147@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 27

The whole approach may be dubious, but for those who want to pursue
it, here's the problem with my first stab at renewing tickets via
cron.

The default credential cache name is generally FILE:/tmp/krb5cc_UID,
where UID is your numeric user-id.  When you log in via Kerberos, it
gives you a cache with a non-default name based on your terminal name
or PID.  This is sort of important so that different login (or rsh)
sessions don't step on each other's tickets.  A Kerberos command
executed from a cron job has no choice but to look for the default
ticket cache unless you tell it otherwise.

You can insert something like the following into your .login file
(csh family) or .profile (sh family)

        if ( $?KRB5CCNAME ) then
                echo $KRB5CCNAME > $HOME/.krb5ccname
        endif

and then run "kinit -R -c `cat $HOME/.krb5ccname`" from cron, or
create a fancier script like this called "renew" and run it from cron:

        #!/bin/sh
        if [ -r $HOME/.krb5ccname ]; then
                cc=`cat $HOME/.krb5ccname`
        else
                uid=`id | sed -e 's/(.*//' -e 's/.*=//'`
                if [ -r /tmp/krb5cc_$uid ]; then
                        cc="FILE:/tmp/krb5cc_$uid"
                else
                        cc="FILE:/tmp/krb5cc_console"
                fi
        fi
        klist -s $cc && kinit -R -c $cc

(For the picky reader: I know about "id -u", but some OSes don't
support that in the default "id" command.)

Matt

From kreymer@fnal.gov Wed Dec 1 10:45:28 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA07230 for ; Wed, 1 Dec 1999 10:45:27 -0600
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZGEERD0W000AQR@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 10:45:25 -0600 CDT
Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZGECLY8C000B5F@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 10:45:16 -0600
Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id KAA07033; Wed, 01 Dec 1999 10:45:15 -0600 (CST)
Date: Wed, 01 Dec 1999 10:45:15 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: observations after a few weeks
Sender: lauri@bldsunos26.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912011645.KAA07033@bldsunos26.fnal.gov>
X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 28

On Wednesday 1 December 1999, our friend Matt Crawford spaketh thusly:
> [snippage]
> You can insert something like the following into your .login file
> (csh family) or .profile (sh family)
>
>         if ( $?KRB5CCNAME ) then
>                 echo $KRB5CCNAME > $HOME/.krb5ccname
>         endif

Of course, this won't work in a multi-node cluster where you have
different KRB5CCNAMEs on each node.  The solution is left as an
exercise for the reader.

-- lauri

From kreymer@fnal.gov Wed Dec 1 11:23:37 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA08425 for ; Wed, 1 Dec 1999 11:23:36 -0600
Received: from ibyte.fnal.gov ([131.225.81.8]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZHPN2OY8000AQR@FNAL.FNAL.GOV> (original mail from lisa@ibyte.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 11:23:33 -0600 CDT
Received: from ibyte.fnal.gov ([131.225.81.8]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZHPM7EM0000BJX@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 11:23:22 -0600
Received: from localhost (lisa@localhost) by ibyte.fnal.gov (980427.SGI.8.8.8/970903.SGI.AUTOCF) via SMTP id LAA26508 for ; Wed, 01 Dec 1999 11:23:20 -0600 (CST)
Date: Wed, 01 Dec 1999 11:23:19 -0600 (CST)
From: Lisa Giacchetti
Subject: Re: observations after a few weeks
In-reply-to: "Your message of Wed, 01 Dec 1999 10:19:52 CST." <199912011619.KAA27147@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912011723.LAA26508@ibyte.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 29

First - thank you to all of you who have been putting in a lot of
effort on these little configuration/usability issues.
My concern however is that this info is not going to be packaged up in a "samples" type area for general users to use. For example the fact that Matt provided this little script and then lauri followed up with mail about it not working on a multinode cluster and leaving it for the reader to figure out. No - no - no - the script should be built for all users to use and then point them at it.

This issue of renewing tickets is going to be a major one. There will be other user configuration issues. And speaking as someone who has experience with getting users to use new environments - the transition will be much smoother if this sort of script is provided. One of the reasons it took so long for AFS to catch on was because we were not given sufficient time to build tools like this for users. We have a couple of people dedicated to this task now who can work on these tools so let's get them done and documented the right way.

lisa

> The whole approach may be dubious, but for those who want to pursue
> it, here's the problem with my first stab at renewing tickets via
> cron.
>
> The default credential cache name is generally FILE:/tmp/krb5cc_UID,
> where UID is your numeric user-id. When you log in via Kerberos, it
> gives you a cache with a non-default name based on your terminal name
> or PID. This is sort of important so that different login (or rsh)
> sessions don't step on each other's tickets. A Kerberos command
> executed from a cron job has no choice but to look for the default
> ticket cache unless you tell it otherwise.
>
> You can insert something like the following into your .login file
> (csh family) or .profile (sh family)
>
>     if ( $?KRB5CCNAME ) then
>         echo $KRB5CCNAME > $HOME/.krb5ccname
>     endif
>
> and then run "kinit -R -c `cat $HOME/.krb5ccname`" from cron, or
> create a fancier script like this called "renew" and run it from cron:
>
>     #!/bin/sh
>     if [ -r $HOME/.krb5ccname ]; then
>         cc=`cat $HOME/.krb5ccname`
>     else
>         uid=`id | sed -e 's/(.*//' -e 's/.*=//'`
>         if [ -r /tmp/krb5cc_$uid ]; then
>             cc="FILE:/tmp/krb5cc_$uid"
>         else
>             cc="FILE:/tmp/krb5cc_console"
>         fi
>     fi
>     klist -s $cc && kinit -R -c $cc
>
> (For the picky reader: I know about "id -u", but some OSes don't
> support that in the default "id" command.)
>
> Matt

From kreymer@fnal.gov Wed Dec 1 12:09:07 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA26383 for ; Wed, 1 Dec 1999 12:09:05 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZJB4ONE8000AQR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 12:09:03 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZJB42EXK000CCY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 12:08:56 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA29147 for ; Wed, 01 Dec 1999 12:08:03 -0600 (CST) Date: Wed, 01 Dec 1999 12:08:03 -0600 From: Matt Crawford Subject: Re: observations after a few weeks In-reply-to: "01 Dec 1999 11:23:19 CST."
<"199912011723.LAA26508"@ibyte.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912011808.MAA29147@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 30

Lisa's point is good, but I think it would be premature to select one, two or any number of convenient hacks and endorse them. Automatically renewing tickets does increase the risk of their exposure. Not renewing tickets increases the risk of the password's exposure. Every security decision is a compromise.

The right thing to offer might be a "keep my tickets fresh" script which can be explicitly run after login, or put into the login/profile/cshrc. This has the advantage of having KRB5CCNAME available in the environment. Such a script might look like this:

    #!/bin/sh
    # Name: hot-tix
    # This script will put itself into the background and renew Kerberos
    # tickets every six hours until the tickets are invalid or have been
    # kdestroy'd.
    exec 2>&1 >/dev/null

Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA26644 for ; Wed, 1 Dec 1999 12:19:38 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZJO5EKKW000AQR@FNAL.FNAL.GOV> (original mail from kreymer@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 12:19:34 -0600 CDT Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZJO4UVDQ000AD2@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 12:19:26 -0600 Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA26640 for ; Wed, 01 Dec 1999 12:18:48 -0600 Date: Wed, 01 Dec 1999 12:18:47 -0600 (EST) From: Art Kreymer Subject: Re: observations after a few weeks In-reply-to: <199912011808.MAA29147@gungnir.fnal.gov> To:
kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 31

Am I missing something here ? It is starting to sound like the basic premise is that we have tokens which can be cracked in days, but not in hours or minutes. This must surely be a false premise. Either the tokens take millennia to crack, or they are insecure.

From kreymer@fnal.gov Wed Dec 1 12:27:44 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA26651 for ; Wed, 1 Dec 1999 12:27:44 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZJY757Y8000AQR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 12:27:42 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZJY6KMQE0009L4@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 12:27:32 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA29371 for ; Wed, 01 Dec 1999 12:26:40 -0600 (CST) Date: Wed, 01 Dec 1999 12:26:39 -0600 From: Matt Crawford Subject: Re: observations after a few weeks In-reply-to: "01 Dec 1999 12:18:47 CST." <"Pine.LNX.4.10.9912011215080.7528-100000"@patnt2.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912011826.MAA29371@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 32

> It is starting to sound like the basic premise is that we have tokens
> which can be cracked in days, but not in hours or minutes.
>
> This must surely be a false premise.
> Either the tokens take millennia to crack,
> or they are insecure.
You can thank your choice of NIST, the NSA, IBM, or the phenomenal advance in computing power. The tickets use DES encryption, which has been demonstrated to be crackable by the well-resourced private citizen in about 60 hours. Kerberos is moving to triple-DES encryption. A first MIT release with triple DES is out now, but its interaction with previous versions is a little buggy, so I'm waiting for the next. But note also that crypto-attacks aren't the only way to steal a ticket. Conventional penetration of OS security would let an attacker steal tickets which are on that system at the time. Keeping lifetimes short reduces the utility of stolen tickets. Making them renewable is a balancing act between ticket exposure and password exposure. Matt From kreymer@fnal.gov Wed Dec 1 14:31:58 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA31627 for ; Wed, 1 Dec 1999 14:31:58 -0600 Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZOB0C3W0000AQR@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 14:31:52 -0600 CDT Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZOAZC1AK000BLV@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 14:31:37 -0600 Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA09289; Wed, 01 Dec 1999 14:31:36 -0600 (CST) Date: Wed, 01 Dec 1999 14:31:36 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: my experience with the cron job ticket renewal Sender: lauri@bldsunos26.fnal.gov To: kerberos-pilot@fnal.gov Cc: lauri@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: 
<199912012031.OAA09289@bldsunos26.fnal.gov> X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 33

I created a little script, kinit-R, which contains:

    nodename=`uname -n`
    echo "now renewing kerberos tickets on node $nodename"
    # Per-node record of this login session's cache, written from .profile
    if [ -r $HOME/.krb5ccname.$nodename ]; then
        cc=`cat $HOME/.krb5ccname.$nodename`
    else
        uid=`id | sed -e 's/(.*//' -e 's/.*=//'`
        if [ -r /tmp/krb5cc_$uid ]; then
            cc="FILE:/tmp/krb5cc_$uid"
        else
            cc="FILE:/tmp/krb5cc_console"
        fi
    fi
    /usr/krb5/bin/klist -s $cc && /usr/krb5/bin/kinit -R -c $cc
    echo "final ticket status:"
    /usr/krb5/bin/klist -f $cc

I modified my .profile so that it creates the .krb5ccname.$nodename file (based on the suggestion from Matt).

Interactively, I run the kinit-R script and it works just fine:

    ossbud:~/Cron> kinit-R
    now renewing kerberos tickets on node ossbud
    final ticket status:
    Ticket cache: /tmp/krb5cc_9
    Default principal: lauri@PILOT.FNAL.GOV

    Valid starting      Expires             Service principal
    12/01/99 14:28:21   12/02/99 03:28:21   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
            renew until 12/08/99 13:58:59, Flags: FRIA
    12/01/99 14:28:21   12/02/99 03:28:21   afs/fnal.gov@PILOT.FNAL.GOV
            renew until 12/08/99 13:58:59, Flags: FRA

But when it is called from the cron job, it FAILS to obtain AFS tokens (see output below).

Is this expected? I'm using regular old cron, not any fancy kerberized cron (yet).
-- lauri

------- Forwarded Message

Date: Wed, 01 Dec 1999 14:26:01 -0600
From: lauri (Lauri Loebel Carpenter)
To: lauri
Subject: Output from "cron" command

Your "cron" job /home/dcdsv0/lauri/Cron/kinit-R produced the following output:

    now renewing kerberos tickets on node ossbud
    aklog: Couldn't get fnal.gov AFS tickets:
    aklog: Invalid argument while getting AFS tickets
    final ticket status:
    Ticket cache: /tmp/krb5cc_9
    Default principal: lauri@PILOT.FNAL.GOV

    Valid starting      Expires             Service principal
    12/01/99 14:26:01   12/02/99 03:26:01   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
            renew until 12/08/99 13:58:59, Flags: FRIA

------- End of Forwarded Message

From kreymer@fnal.gov Wed Dec 1 14:43:57 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA31636 for ; Wed, 1 Dec 1999 14:43:57 -0600 Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZOQ3OGEO000AQR@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 14:43:56 -0600 CDT Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZOQ2YW54000BLT@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 14:43:47 -0600 Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA09365; Wed, 01 Dec 1999 14:43:47 -0600 (CST) Date: Wed, 01 Dec 1999 14:43:46 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: observations after a few weeks Sender: lauri@bldsunos26.fnal.gov To: lisa@fnal.gov, Matt Crawford Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912012043.OAA09365@bldsunos26.fnal.gov> X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO X-Status: X-Keywords: X-UID: 34

I agree with Lisa that, before this thing goes "public" we need to have the tools and documentation in place, INCLUDING any "ease-of-use" scripts for automatic token renewal, etc.

I agree with Matt that it is premature to begin to work on this level of detail at the present -- we're only beginning to play with this stuff, and don't know how/if it works yet. This is still a PILOT program, after all.

I agree with Stan that it seems more sensible to just start with longer ticket lifetimes, rather than promoting/propagating the use of "renewal" scripts. (If you steal my ticket, and you know how to renew it, what's the diff?)

-- lauri

From kreymer@fnal.gov Wed Dec 1 15:01:22 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA31649 for ; Wed, 1 Dec 1999 15:01:22 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZPBEWTU8000AQR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 15:01:20 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZPBCHKPI000CEQ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 15:00:56 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA01013 for ; Wed, 01 Dec 1999 15:00:55 -0600 (CST) Date: Wed, 01 Dec 1999 15:00:55 -0600 From: Matt Crawford Subject: Re: my experience with the cron job ticket renewal In-reply-to: "01 Dec 1999 14:31:36 CST." <"199912012031.OAA09289"@bldsunos26.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912012100.PAA01013@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 35

> [...]
> But when it is called from the cron job, it FAILS to obtain AFS > tokens (see output below). > > Is this expected? I'm using regular old cron, not any fancy > kerberized cron (yet). I found the problem with some experimentation and examination of source code. The "-c cachename" flag doesn't pass from kinit down to aklog. (That's a bug, IMHO.) So a simple workaround is to set KRB5CCNAME when you decide on the ticket cache name. Either replace the variable cc with KRB5CCNAME throughout (and then export it before "klist -s $cc && kinit -R -c $cc") or set the latter from the former (and, of course, export it). From kreymer@fnal.gov Wed Dec 1 15:21:46 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA31918 for ; Wed, 1 Dec 1999 15:21:45 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZQ1GJZ28000AQR@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 15:21:35 -0600 CDT Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZQ1EB4ME000B7G@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 15:21:09 -0600 Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA15617; Wed, 01 Dec 1999 15:21:09 -0600 Date: Wed, 01 Dec 1999 15:21:08 -0600 (EST) From: Dane Skow Subject: re: observations after a few weeks In-reply-to: <199912012043.OAA09365@bldsunos26.fnal.gov> To: "Laurelin of Middle Earth, 630-840-2214" Cc: lisa@fnal.gov, Matt Crawford , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 36 Does the idea of a 
screenlock that renews tickets (or gets new ones) solve this problem more elegantly than cron, even with short ticket lives ?

I certainly agree that a good portion of preproduction effort needs to go into solving these "real life" use cases. The pilot to date has had a charge only of identifying these and determining if they are addressable or not. Part of the current planning work should be to determine when/how/who will create and document workable solutions and what are the usage cases that must be accommodated.

dane

On Wed, 1 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:

> I agree with Lisa that, before this thing goes "public" we need to
> have the tools and documentation in place, INCLUDING any
> "ease-of-use" scripts for automatic token renewal, etc.
>
> I agree with Matt that it is premature to begin to work on this
> level of detail at the present -- we're only beginning to play with
> this stuff, and don't know how/if it works yet. This is still a
> PILOT program, after all.
>
> I agree with Stan that it seems more sensible to just start with
> longer ticket lifetimes, rather than promoting/propagating the use
> of "renewal" scripts. (If you steal my ticket, and you know how to
> renew it, what's the diff?)
>
> -- lauri
>

From kreymer@fnal.gov Wed Dec 1 15:39:41 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA32182 for ; Wed, 1 Dec 1999 15:39:41 -0600 Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JIZQO645VK000AQR@FNAL.FNAL.GOV> (original mail from lauri@bldsunos26.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Dec 1999 15:39:39 -0600 CDT Received: from bldsunos26.fnal.gov ([131.225.80.100]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JIZQO5CAPW000BLT@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Dec 1999 15:39:30 -0600 Received: from localhost (lauri@localhost) by bldsunos26.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id PAA09602; Wed, 01 Dec 1999 15:39:29 -0600 (CST) Date: Wed, 01 Dec 1999 15:39:29 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: observations after a few weeks Sender: lauri@bldsunos26.fnal.gov To: Dane Skow Cc: "Laurelin of Middle Earth, 630-840-2214" , lisa@fnal.gov, Matt Crawford , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912012139.PAA09602@bldsunos26.fnal.gov> X-Authentication-warning: bldsunos26.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 37

On Wednesday 1 December 1999, our friend Dane Skow spaketh thusly:
>
> Does the idea of a screenlock that renews tickets (or gets new ones)
> solve this problem more elegantly than cron, even with short ticket
> lives ?

In my case, not at all. Even if we find a way to have my desktop machine forward tickets -- that doesn't solve my problem. For people who work primarily ON THEIR DESKTOP machine, it would help.
But for people who work on OTHER machines, and their desktop is an Xterminal into other machines (as with the build cluster), you need to renew the tickets individually on EACH NODE where you are logged in. (So I now have cron jobs running on each of the build cluster nodes). -- lauri From kreymer@fnal.gov Thu Dec 2 14:28:34 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA08407 for ; Thu, 2 Dec 1999 14:28:34 -0600 Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ12GW2GDS000CET@FNAL.FNAL.GOV> (original mail from baisley@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 2 Dec 1999 14:28:27 -0600 CDT Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ12GQOSS6000C1C@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 02 Dec 1999 14:27:55 -0600 Received: by doofus.fnal.gov id AA17158; Thu, 02 Dec 1999 14:27:54 -0600 Date: Thu, 02 Dec 1999 14:27:52 -0600 From: "I'm not a real doofus, but I play one at a national laboratory" Subject: Installing kerberos on my workstation, sort of Sender: baisley@doofus.fnal.gov To: kerberos-pilot Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <3846D648.17FEAE99@fnal.gov> Organization: Fermilab Unix Application Support Group MIME-version: 1.0 X-Mailer: Mozilla 4.5 [en] (X11; I; OSF1 V4.0 alpha) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 38 It was grumpy from the beginning, but I got halfway? through before it got really unhappy. # ups install kerberos v0_3 Beginning installation of kerberos v0_3 into /usr/krb5. tar: bin/krb524init : unable to preserve mode tar: bin/kpasswd : unable to preserve mode tar: bin/v5passwd : unable to preserve mode ... ... many more of these ... ... 
    tar: sbin/telnetd : unable to preserve mode
    tar: share/gnats/mit : unable to preserve mode

    This is the installation script for the kerberos product.

    Usage: This script should be called indirectly via one (or more) of the
    following ups commands, which will set additional required environmental
    variables before execution:

        ups install kerberos             # perform all of the following:
        ups install-krb5conf kerberos    # install the krb5 configuration
        ups install-services kerberos    # install the /etc/services configuration
        ups install-hostkeys kerberos    # install the host keys configuration
        ups install-inetd kerberos       # install the inetd configuration
        ups install-sshd kerberos        # install the sshd configuration

    You must be logged in as root in order to run this procedure.
    Kerberos must be installed on each node individually!

    ABORT: You didn't call this procedure from a UPS environment.

    doofus> kinit -f
    kinit: Can't open/find Kerberos configuration file while initializing krb5

So, the important configuration work didn't get done. What do I (un)do now?

Cheers,
Wayne

From kreymer@fnal.gov Fri Dec 3 11:34:46 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA27527 for ; Fri, 3 Dec 1999 11:34:45 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2AP8BAG0000CON@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 11:34:44 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ2AP6FE9Y000D4B@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 11:34:34 -0600 Date: Fri, 03 Dec 1999 11:34:33 -0600 (CST) From: Stephan Lammel Subject: kerberos installation comments/problems/issues/...
To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991203113433.2020cba5@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 39

Dear All,

Glenn and I just installed kerberos v0_3 on my workstation, a Sun Solaris 2.6 box. I still have the problem fetching the tar file via upd (that I reported a while back):

    154:b0sun01 % upd install kerberos v0_3
    informational: beginning install of kerberos.
    error: ftp transfer failed: kerberos_v0_3_SunOS+5.tar: Permission denied.

    error: can't transfer /ftp/products/kerberos/v0_3/SunOS+5/kerberos_v0_3_SunOS+5
    from fnkits.fnal.gov to
    /cdf/user/products/kerberos/v0_3
    informational: Starting remove of /cdf/user/products/kerberos/v0_3 in
    background
    upd install failed.
    155:b0sun01 %

We took the tar file manually, and ran ups install as root afterwards. We had expected questions about how strongly to secure my workstation but were never asked. The install bombed out at the YP part (the WS is not running any YP):

    Preparing to configure service/byname on this node...
    Reading template file
    /cdf/user/products/kerberos/v0_3/ups/services.template...
    Saving backup copy of /etc/services...
    Updating /etc/services file...
    ypwhich: the domainname hasn't been set on this machine.
    ypcat: the domainname hasn't been set on this machine.
    ABORT: couldn't close input file ;
    # ypwhich
    ypwhich: the domainname hasn't been set on this machine.
    #

After commenting out the YP subroutine call in the install script, it ran until the end (at least it looked successful). The /etc/inetd.conf file was very badly messed up afterwards. We took the extra 8 lines and added them to the original one plus commented out the two ftp/telnet lines. (Double commenting out comment lines adds little security or?)

It looks like we have a very tight telnet/ftp setup but all r* programs are still the non-kerberized versions.

What do I do next?, what went wrong?, should I have done differently? (I have requested keys from Matt.)
cheers, Stephan

From kreymer@fnal.gov Fri Dec 3 11:57:17 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov ([131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA27545 for ; Fri, 3 Dec 1999 11:55:56 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2BES7TG0000CON@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 11:55:20 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ2BERTDGE000CBY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 11:55:12 -0600 Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id LAA10670; Fri, 03 Dec 1999 11:55:01 -0600 Date: Fri, 03 Dec 1999 11:55:01 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kerberos installation comments/problems/issues/... Sender: lauri@ossbud.fnal.gov To: Stephan Lammel Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912031755.LAA10670@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 40

Thanks for providing this feedback.

None of the machines (till now) were running YP, so this is the first feedback I've had on the YP part of the code. I will repair this in the next release.

Do you still have a copy of the /etc/inetd.conf file that was so badly mangled? I'd like to see it. (If you have a saved copy of what it looked like before, that would be very useful too).

You should now have r* files in /usr/krb5. These rsh* files will supersede the other versions on your system, and should be the ones your users use. (You need to make sure you're using recent enough versions of setpath, etc.; please read the README.FUE file where this is documented).
The README.INSTALL file should tell you all of what you need to know; please take a look and then get back to me with further questions.

-- lauri

On Friday 3 December 1999, our friend Stephan Lammel spaketh thusly:

> Dear All,
> Glenn and I just installed kerberos v0_3 on my workstation, a Sun Solaris
> 2.6 box. I still have the problem fetching the tar file via upd (that I
> reported a while back):
>
> 154:b0sun01 % upd install kerberos v0_3
> informational: beginning install of kerberos.
> error: ftp transfer failed: kerberos_v0_3_SunOS+5.tar: Permission denied.
>
> error: can't transfer /ftp/products/kerberos/v0_3/SunOS+5/kerberos_v0_3_SunOS+5
> from fnkits.fnal.gov to
> /cdf/user/products/kerberos/v0_3
> informational: Starting remove of /cdf/user/products/kerberos/v0_3 in
> background
> upd install failed.
> 155:b0sun01 %
>
>
> We took the tar file manually, and ran ups install as root afterwards.
> We had expected questions about how strongly to secure my workstation but
> were never asked. The install bombed out at the YP part (the WS is not
> running any YP):
>
> Preparing to configure service/byname on this node...
> Reading template file
> /cdf/user/products/kerberos/v0_3/ups/services.template...
> Saving backup copy of /etc/services...
> Updating /etc/services file...
> ypwhich: the domainname hasn't been set on this machine.
> ypcat: the domainname hasn't been set on this machine.
> ABORT: couldn't close input file ;
> # ypwhich
> ypwhich: the domainname hasn't been set on this machine.
> #
>
>
> After commenting out the YP subroutine call in the install script, it
> ran until the end (at least it looked successful). The /etc/inetd.conf
> file was very badly messed up afterwards. We took the extra 8 lines
> and added them to the original one plus commented out the two ftp/telnet
> lines. (Double commenting out comment lines adds little security or?)
>
> It looks like we have a very tight telnet/ftp setup but all r* programs
> are still the non-kerberized versions.
>
> What do I do next?, what went wrong?, should I have done differently?
> (I have requested keys from Matt.)
> cheers, Stephan

From kreymer@fnal.gov Fri Dec 3 13:35:08 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA27641 for ; Fri, 3 Dec 1999 13:35:08 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2EWEWLO0000CON@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 13:35:06 -0600 CDT Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ2EWE42BE000BJ7@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 13:34:55 -0600 Date: Fri, 03 Dec 1999 13:34:54 -0600 (EST) From: "Marc W. Mengel" Subject: Re: kerberos installation comments/problems/issues/... In-reply-to: <991203113433.2020cba5@FNALD.FNAL.GOV> To: Stephan Lammel Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 41

On Fri, 3 Dec 1999, Stephan Lammel wrote:

> Date: Fri, 03 Dec 1999 11:34:33 -0600 (CST)
> From: Stephan Lammel
> To: kerberos-pilot@fnal.gov
> Subject: kerberos installation comments/problems/issues/...
>
> Dear All,
> Glenn and I just installed kerberos v0_3 on my workstation, a Sun Solaris
> 2.6 box. I still have the problem fetching the tar file via upd (that I
> reported a while back):

Upgrade to the latest upd, please.
Marc From kreymer@fnal.gov Fri Dec 3 14:46:03 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA27673 for ; Fri, 3 Dec 1999 14:46:03 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2HDDW56O000CON@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 14:46:01 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ2HDD9YEW000B5I@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 14:45:52 -0600 Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id OAA12616; Fri, 03 Dec 1999 14:45:49 -0600 Date: Fri, 03 Dec 1999 14:45:48 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kerberos installation comments/problems/issues/... Sender: lauri@ossbud.fnal.gov To: Stephan Lammel Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912032045.OAA12616@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 42 I have modified the kerberos v0_3 product in fnkits (the ups directory and the table file). I think I've fixed the YP problem, but I have no non-YP nodes on which to test. 
If you would, it would be greatly appreciated if you would:
- restore your ORIGINAL /etc/inetd.conf file (before any kerberos changes)
- restore your ORIGINAL /etc/sshd_config file (before any kerberos changes)
- remove the kerberos files that you installed already
- install the latest version of upd
- re-install kerberos via

    upd install upd -G -c        # make the new version of upd current
    setup upd                    # set it up
    upd install kerberos v0_3
    ups install kerberos v0_3

NOTE, due to a bug in ups, please do NOT try to do

    upd install kerberos v0_3 -G -c

(that is, don't go 'current' when you do the upd install -- it will core dump). Then let me know if this installation goes more smoothly. Thanks so much, lauri From kreymer@fnal.gov Fri Dec 3 20:12:58 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id UAA27953 for ; Fri, 3 Dec 1999 20:12:58 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2SSQXEG0000CON@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 20:12:56 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ2SSQDQ6Q000CE5@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 20:12:50 -0600 Date: Fri, 03 Dec 1999 20:12:49 -0600 (CST) From: Stephan Lammel Subject: re: kerberos installation comments/problems/issues/... To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov, LAMMEL@fnald.fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991203201249.2020cba5@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 43 Hallo Lauri, scratched everything, updated upd, re-installed all the kerberos stuff, ..., and not only did it work, it even added the inetd.conf entries nicely! Wau, i am impressed!
Thanks, cheers, Stephan (from the Earth's surface) From kreymer@fnal.gov Fri Dec 3 20:19:50 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id UAA27958 for ; Fri, 3 Dec 1999 20:19:50 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ2T1AAPTS000CON@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Dec 1999 20:19:49 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ2T19UPFI000CDN@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 03 Dec 1999 20:19:43 -0600 Date: Fri, 03 Dec 1999 20:19:42 -0600 (CST) From: Stephan Lammel Subject: nuisance To: "FNAL::CRAWDAD"@fnald.fnal.gov Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991203201942.2020cba5@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 44 Hallo Matt, could you please age my password so i can change it. I thought we had all agreed that this provides more nuisance to users than it ever does good for security. Don't we/you keep a history of last used passwords so they cannot be re-used? Correct me if i am wrong but wasn't password re-use the main reason for the wait time in the first place? Could we please please change this in general and allow users to change their password without wait period as default. Thanks, cheers, Stephan

kpasswd: Password cannot be changed because it was changed too recently. Please wait until Sun Dec 5 12:07:49 1999 before you change it. If you need to change your password before then, contact the Helpdesk.
187:b0sun01 % From kreymer@fnal.gov Sun Dec 5 15:06:41 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA20067 for ; Sun, 5 Dec 1999 15:06:40 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ5AOOT4I8000CFR@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Sun, 5 Dec 1999 15:06:39 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ5AOOAOI8000D6J@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Sun, 05 Dec 1999 15:06:32 -0600 Date: Sun, 05 Dec 1999 15:06:31 -0600 (CST) From: Stephan Lammel Subject: cannot ftp into my machine To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991205150631.2020dd0f@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 45 Dear All, how do i enable ftp to fall back to password in case it comes from a non-kerberized node? I only have a default_lifetime entry under ftp in my krb5.conf file. 
Thanks, cheers, Stephan From kreymer@fnal.gov Sun Dec 5 19:29:29 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA20126 for ; Sun, 5 Dec 1999 19:29:29 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ5JUJC1NK000CFR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Sun, 5 Dec 1999 19:29:28 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ5JUILIFM000CH3@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Sun, 05 Dec 1999 19:29:20 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id TAA10497; Sun, 05 Dec 1999 19:29:18 -0600 (CST) Date: Sun, 05 Dec 1999 19:29:18 -0600 From: Matt Crawford Subject: Re: cannot ftp into my machine In-reply-to: "05 Dec 1999 15:06:31 CST." <"991205150631.2020dd0f"@FNALD.FNAL.GOV> Sender: crawdad@gungnir.fnal.gov To: Stephan Lammel Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912060129.TAA10497@gungnir.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 46 > how do i enable ftp to fall back to password in case it comes from a > non-kerberized node? I only have a default_lifetime entry under ftp in > my krb5.conf file. Thanks, First the warning, then the answer: At a future stage (a NEAR future stage) of the pilot project, we will commence scanning all machines in the "Strengthened Realm" for compliance with our configuration requirements. This includes making sure that telnetd and ftpd will not accept a non-Kerberos-authenticated connection, except for anonymous ftp.
We'll take the list of hosts to be scanned from the KDC log files. It's the "-a" flag on ftpd in inetd.conf that sets ftpd to Kerberos-only mode. From kreymer@fnal.gov Mon Dec 6 14:30:21 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA20326 for ; Mon, 6 Dec 1999 14:30:21 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ6NOV7Y3K000CB5@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 6 Dec 1999 14:30:18 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ6NOTVB4Q000DN4@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 06 Dec 1999 14:30:05 -0600 Date: Mon, 06 Dec 1999 14:30:04 -0600 (CST) From: Stephan Lammel Subject: telnet To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991206143004.20614207@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 47 Dear All, the kerberized version of telnet behaves dangerously differently from the standard telnet: it skips ahead to the password without asking for the username. Quick and blindly typing people like me now display their passwords openly:
  the username prompt is bypassed so on the password prompt Stephan types his username
  the machine checks and naps due to the wrong password at which time Stephan types his password well visible onto the screen
  the machine comes back with a prompt for the username which now takes the password
  the machine asks for the password while Stephan types his first command
  Stephan naps waiting for the output of the command, Stephan' gets Stephan's free brain and triggers an interrupt, Stephan gets back the brain, panics, and attempts to clear the screen...
Is there a way to configure ktelnet to query the username as default or could we change ktelnet that way? Thanks, cheers, Stephan From kreymer@fnal.gov Mon Dec 6 15:02:53 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA26784 for ; Mon, 6 Dec 1999 15:02:52 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ6OU1IF0G000CRP@FNAL.FNAL.GOV> (original mail from kreymer@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 6 Dec 1999 15:02:48 -0600 CDT Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ6OTWMPJM000CV1@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 06 Dec 1999 15:02:25 -0600 Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA26633; Mon, 06 Dec 1999 15:02:22 -0600 Date: Mon, 06 Dec 1999 15:02:20 -0600 (EST) From: Art Kreymer Subject: Re: telnet In-reply-to: <991206143004.20614207@FNALD.FNAL.GOV> To: Stephan Lammel Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 48 An additional major problem is the use of the name 'telnet'. If I telnet to a node which happens at the moment not to be using kerberos, my password goes in the clear over the net. It seems to be a very bad idea to use 'telnet' and 'ftp' as the user commands for these kerberized utilities.
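Matt's answer to the ftp question above names the ftpd flag ("-a") and, later in this thread, the telnetd flag ("-a valid") that the pilot's compliance scan will look for; Art's worry is the host that is missing them. What follows is an added example written for this page, not code from the pilot project or from anyone on the list, of how a host can check its own inetd.conf before the scan does: it parses the file, reports telnetd entries without "-a valid" and ftpd entries without "-a", and (an addition of mine, not a requirement stated in the thread) flags still-enabled r-services for review. The two inetd.conf texts are constructed samples, not any real host's file; the daemon names, paths and option spellings in them are assumptions.

```python
"""
Audit an inetd.conf for telnetd/ftpd entries that would still accept a
non-Kerberos (cleartext-password) login.

Added example.  The flags checked ("-a valid" on telnetd, "-a" on ftpd)
are the ones named in the thread; the sample files below are constructed
and the r-service note is this example's own assumption.
"""
import sys
from dataclasses import dataclass

# Constructed "before" file: Kerberized daemons installed but not forced
# into Kerberos-only mode, stock r-services still enabled.
WEAK_INETD_CONF = """\
# constructed example, not copied from any real host
ftp     stream  tcp  nowait  root   /usr/krb5/sbin/ftpd     ftpd -l
telnet  stream  tcp  nowait  root   /usr/krb5/sbin/telnetd  telnetd
shell   stream  tcp  nowait  root   /usr/sbin/in.rshd       in.rshd
login   stream  tcp  nowait  root   /usr/sbin/in.rlogind    in.rlogind
#finger stream  tcp  nowait  nobody /usr/sbin/in.fingerd    in.fingerd
"""

# Constructed "after" file: Kerberos-only telnetd/ftpd, r-services disabled.
STRONG_INETD_CONF = """\
ftp     stream  tcp  nowait  root   /usr/krb5/sbin/ftpd     ftpd -a -l
telnet  stream  tcp  nowait  root   /usr/krb5/sbin/telnetd  telnetd -a valid
#shell  stream  tcp  nowait  root   /usr/sbin/in.rshd       in.rshd
#login  stream  tcp  nowait  root   /usr/sbin/in.rlogind    in.rlogind
"""


@dataclass
class Finding:
    lineno: int
    service: str
    problem: str


def parse_inetd(text):
    """Yield (lineno, service, program, argv) for each active entry.

    inetd.conf fields: service socket proto wait user program [args...].
    argv[0] is the daemon's own name, exactly as inetd hands it over.
    Blank lines, commented-out (disabled) entries and lines too short to
    be an entry are skipped.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) < 6:
            continue
        yield lineno, fields[0], fields[5], fields[6:]


def has_option(argv, letter, value=None):
    """True if a getopt-style argv carries -<letter>.

    With value given, the option's argument must equal value, written as
    either "-a valid" or "-avalid".  Without value, a bundled "-la" also
    counts (assumption: no option that takes an argument is bundled in
    front of it).
    """
    args = argv[1:]
    for i, tok in enumerate(args):
        if len(tok) < 2 or tok[0] != "-":
            continue
        letters = tok[1:]
        if value is None:
            if letter in letters:
                return True
        elif letters == letter:
            if i + 1 < len(args) and args[i + 1] == value:
                return True
        elif letters == letter + value:
            return True
    return False


def audit_inetd(text):
    """Return the Findings for one inetd.conf; an empty list means compliant."""
    findings = []
    for lineno, service, program, argv in parse_inetd(text):
        daemon = program.rsplit("/", 1)[-1]
        if daemon in ("telnetd", "in.telnetd"):
            if not has_option(argv, "a", "valid"):
                findings.append(Finding(lineno, service,
                    'telnetd lacks "-a valid": a password login is still possible'))
        elif daemon in ("ftpd", "in.ftpd"):
            if not has_option(argv, "a"):
                findings.append(Finding(lineno, service,
                    'ftpd lacks "-a": non-Kerberos (password) logins are still possible'))
        elif service in ("shell", "login", "exec"):
            # Assumption of this example: r-services deserve a review note,
            # since the thread mentions hosts where they were still the stock ones.
            findings.append(Finding(lineno, service,
                f"r-service {daemon} is still enabled; check it is the Kerberized daemon"))
    return findings


if __name__ == "__main__":
    # Audit a real file if one is given, otherwise the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_INETD_CONF
    for f in audit_inetd(text):
        print(f"line {f.lineno}: {f.service}: {f.problem}")
```

Run as `python audit_inetd.py /etc/inetd.conf` on the host; with no argument it audits the weak sample and reports its ftp, telnet, shell and login lines, while the corrected sample produces no findings. The check is deliberately literal about the flags, so a daemon started with a wrapper script or through a different mechanism still needs a manual look.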
From kreymer@fnal.gov Mon Dec 6 15:40:58 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29099 for ; Mon, 6 Dec 1999 15:40:57 -0600 Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ6Q6KG60W000D9C@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 6 Dec 1999 15:40:53 -0600 CDT Date: Mon, 06 Dec 1999 15:40:39 -0600 From: "Mark O. Kaletka" Subject: RE: telnet In-reply-to: To: Art Kreymer , Stephan Lammel Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: multipart/mixed; boundary="----=_NextPart_000_0025_01BF4000.3EF6C2C0" Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 49 When going from a Kerberized system to a non-Kerberized system it's up to the non-Kerberized system to enforce whatever level of security it wants. I.e. it's up to the non-Kerberized system to decide whether or not it will accept a password in clear text. I frankly don't understand what Art's driving at ... If you're telnetting to a non-Kerberized system that permits a login with a clear text password, I don't see what difference it makes if you start on a Kerberos system or a non-Kerberos system. Or whether telnet and ftp should be called something other than telnet and ftp, just because they can do more than one kind of authentication. In Stephan's case, I actually can't reproduce the behavior. Starting from OSSBUD with forwardable tickets and an AFS token, if I telnet to another Kerberized system, I get logged in without being prompted for either username or password, as expected. If I telnet to a non-Kerberized system, I get prompted for username and password just as I always do, even to an AFS system (FSUI02). Where to/from are you going? Hmmmm, are you possibly starting from a Kerberos system on which you don't have any tickets, i.e. you never did a kinit? Actually, if I kdestroy my tickets I can't reproduce that behavior, either, at least not in the build cluster. Mayhaps other experts will chime in ... And, btw, this is exactly why we recommend that your Kerberos password be the same as your password on any non-Kerberos system! -- Mark K.

[attachments omitted: a copy of Art Kreymer's "Re: telnet" message of Mon, 6 Dec 1999 15:02:20 -0600, quoted above, and a vCard for Mark Kaletka carrying his PGP public key]

From kreymer@fnal.gov Mon Dec 6 15:46:23 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29309 for ; Mon, 6 Dec 1999 15:46:21 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ6QCVKTYO000CB5@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 6 Dec 1999 15:46:10 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ6QCT8Z2Y000CV1@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 06 Dec 1999 15:45:54 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA15648 for ; Mon, 06 Dec 1999 15:45:53 -0600 (CST) Date: Mon, 06 Dec 1999 15:45:53 -0600 From: Matt Crawford Subject: Re: telnet In-reply-to: "06 Dec 1999 14:30:04 CST." <"991206143004.20614207"@FNALD.FNAL.GOV> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912062145.PAA15648@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 50 Stephan, > the kerberized version of telnet behaves dangerously different than the > standard telnet: it skips ahead to the password without asking for the > username. Can you tell me the circumstances in which this has happened? The only way I can make telnet act this way is when I connect to a Kerberos system such as b0sun01 on which I have no account. Also, what flags do you have on telnetd in the inetd.conf of b0sun01? In the "strong" mode you'd have "-a valid" and an incoming telnet user would NEVER see a prompt for username OR password.
Art, > An additional major problem is the use of the name 'telnet'. > If I telnet to a node which happens at the moment not to be using kerberos, > my password goes in the clear over the net. If you telnet to a node which *is* using Kerberos, you don't type a password. So the general rule is password=danger. This is part of the reasoning behind the requirement of "-a valid" on telnetd and "-a" on ftpd. Matt From kreymer@fnal.gov Mon Dec 6 17:53:20 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA03213 for ; Mon, 6 Dec 1999 17:53:19 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ6USRLDH8000DJH@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 6 Dec 1999 17:53:18 -0600 CDT Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id RAA27350; Mon, 06 Dec 1999 17:53:16 -0600 Date: Mon, 06 Dec 1999 17:53:16 -0600 From: Glenn Cooper Subject: RE: telnet In-reply-to: To: "Mark O. Kaletka" Cc: Art Kreymer , Stephan Lammel , kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 51 For what it's worth, I see the same behavior Stephan reports, at least on many machines. Going from garnet, a Linux box with kerberos v0_3, I see the following on various nodes:
* cdfsga (IRIX 6.2, no kerberos) - password prompt, no login: prompt. Same on various other IRIX nodes.
* fsui02 (Solaris, no kerberos) - password: AND login: prompts (same as Mark)
* kpasa (Digital UNIX, no kerberos, no gcooper account) - Fills in "login: gcooper" and then gives a password: prompt
I also see the same as above from b0rv11, an IRIX 6.2 box with kerberos v0_1. Glenn On Mon, 6 Dec 1999, Mark O.
Kaletka wrote: [I added a bunch of line breaks, since Mark's mail didn't seem to have any...] > In Stephan's case, I actually can't reproduce the behavior. Starting from > OSSBUD with forwardable tickets and an AFS token, if I telnet to another > Kerberized system, I get logged in without being prompted for either > username or password, as expected. If I telnet to a non-Kerberized system, > I get prompted for username and password just as I always do, even to an > AFS system (FSUI02). Where to/from are you going? Hmmmm, are you possibly > starting from a Kerberos system on which you don't have any tickets, i.e. > you never did a kinit? Actually, if I kdestroy my tickets I can't reproduce > that behavior, either, at least not in the build cluster. From kreymer@fnal.gov Tue Dec 7 08:52:08 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA01810 for ; Tue, 7 Dec 1999 08:52:08 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ7Q6ZH928000CRP@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 7 Dec 1999 08:52:06 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ7Q6YQ49S000COB@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 07 Dec 1999 08:51:58 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA19802 for ; Tue, 07 Dec 1999 08:51:58 -0600 (CST) Date: Tue, 07 Dec 1999 08:51:58 -0600 From: Matt Crawford Subject: Re: telnet In-reply-to: "06 Dec 1999 15:45:53 CST." 
<"199912062145.PAA15648"@gungnir.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912071451.IAA19802@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 52 I bumped (almost literally) into Stephan and got more information about his report. > > the kerberized version of telnet behaves dangerously different than the > > standard telnet: it skips ahead to the password without asking for the > > username. He was connecting to cdfsga, which has not had Kerberos installed. And, in fact, the phenomenon has nothing to do with Kerberos itself. The standard Solaris telnet will act this way in some circumstances. Turning on options processing display before connecting shows this exchange when connecting to cdfsga with the kerberos v0_3 telnet (I have deleted many unrelated options in both directions):

SENT WILL AUTHENTICATION
SENT WILL NEW-ENVIRON
RCVD DO OLD-ENVIRON
SENT WILL OLD-ENVIRON
RCVD DONT AUTHENTICATION
RCVD DONT NEW-ENVIRON
RCVD IAC SB OLD-ENVIRON SEND
SENT IAC SB OLD-ENVIRON IS VAR "USER" VALUE "crawdad" VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"

This is the client side printing SENT and RCVD, and an option goes into effect if there is a WILL from one side and a DO from the other. Some options, such as all the above, have a sub-negotiation marked by SB. (IAC stands for Interpret As Command.) Cdfsga rejected the proposed AUTHENTICATION and NEW-ENVIRON exchanges, but requested OLD-ENVIRON. The telnet client agreed to do it and sent back two environment variables, one of which is $USER. That's what caused bypass of the "login:" prompt. Solaris 2 telnet with no flags did this:

SENT WILL NEW-ENVIRON
RCVD DO OLD-ENVIRON
SENT WILL OLD-ENVIRON
RCVD DONT NEW-ENVIRON
RCVD IAC SB OLD-ENVIRON SEND
SENT IAC SB OLD-ENVIRON IS VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"

No $USER. Solaris telnet with "-l crawdad" causes the $USER variable to be sent as well, just as in the first example, and the "login:" prompt is skipped. Using the Kerberos telnet client, with autologin *and encryption* turned off:

SENT WILL NEW-ENVIRON
RCVD DO OLD-ENVIRON
SENT WILL OLD-ENVIRON
RCVD DONT NEW-ENVIRON
RCVD IAC SB OLD-ENVIRON SEND
SENT IAC SB OLD-ENVIRON IS VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"

And there is a "login:" prompt. Now that the phenomenon is understood, the question is whether the behavior really is undesirable, and if so, to set a priority on changing it. My feeling is that by the time this rose to the top of the work-stack, everyone would be used to the current behavior. Matt From kreymer@fnal.gov Tue Dec 7 09:05:35 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA01820 for ; Tue, 7 Dec 1999 09:05:35 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ7QNLJQE8000DWE@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 7 Dec 1999 09:05:33 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ7QNKU2GS000COH@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 07 Dec 1999 09:05:22 -0600 Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id JAA01070; Tue, 07 Dec 1999 09:05:21 -0600 Date: Tue, 07 Dec 1999 09:05:20 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: telnet Sender: lauri@ossbud.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912071505.JAA01070@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 53 Just to add to the fray: this is not new.
I've seen this for a very long time, and I've gotten used to it. It has nothing to do with kerberos. It has to do with going from one platform to another. If you get in the habit of always using 'telnet -l whoyouare' then you'll never be asked for the username -- and if you're asked for anything, it will be a password.

-- lauri

On Tuesday 7 December 1999, our friend Matt Crawford spaketh thusly:
> I bumped (almost literally) into Stephan and got more information
> about his report.
>
> > > the kerberized version of telnet behaves dangerously different than the
> > > standard telnet: it skips ahead to the password without asking for the
> > > username.
>
> He was connecting to cdfsga, which has not had Kerberos installed.
> And, in fact, the phenomenon has nothing to do with Kerberos itself.
> The standard Solaris telnet will act this way in some circumstances.
>
> Turning on options processing display before connecting shows this
> exchange when connecting to cdfsga with the kerberos v0_3 telnet (I
> have deleted many unrelated options in both directions):
>
> SENT WILL AUTHENTICATION
> SENT WILL NEW-ENVIRON
> RCVD DO OLD-ENVIRON
> SENT WILL OLD-ENVIRON
> RCVD DONT AUTHENTICATION
> RCVD DONT NEW-ENVIRON
> RCVD IAC SB OLD-ENVIRON SEND
> SENT IAC SB OLD-ENVIRON IS VAR "USER" VALUE "crawdad" VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"
>
> This is the client side printing SENT and RCVD, and an option goes
> into effect if there is a WILL from one side and a DO from the
> other. Some options, such as all the above, have a sub-negotiation
> marked by SB. (IAC stands for Interpret As Command.)
>
> Cdfsga rejected the proposed AUTHENTICATION and NEW-ENVIRON
> exchanges, but requested OLD-ENVIRON. The telnet client agreed to do
> it and sent back two environment variables, one of which is $USER.
> That's what caused bypass of the "login:" prompt.
>
> Solaris 2 telnet with no flags did this:
>
> SENT WILL NEW-ENVIRON
> RCVD DO OLD-ENVIRON
> SENT WILL OLD-ENVIRON
> RCVD DONT NEW-ENVIRON
> RCVD IAC SB OLD-ENVIRON SEND
> SENT IAC SB OLD-ENVIRON IS VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"
>
> No $USER. Solaris telnet with "-l crawdad" causes the $USER variable
> to be sent as well, just as in the first example, and the "login:"
> prompt is skipped.
>
> Using the Kerberos telnet client, with autologin *and encryption*
> turned off:
>
> SENT WILL NEW-ENVIRON
> RCVD DO OLD-ENVIRON
> SENT WILL OLD-ENVIRON
> RCVD DONT NEW-ENVIRON
> RCVD IAC SB OLD-ENVIRON SEND
> SENT IAC SB OLD-ENVIRON IS VAR "DISPLAY" VALUE "gungnir.fnal.gov:0.0"
>
> And there is a "login:" prompt.
>
>
> Now that the phenomenon is understood, the question is whether the
> behavior really is undesirable, and if so, to set a priority on
> changing it. My feeling is that by the time this rose to the top of
> the work-stack, everyone would be used to the current behavior.
>
> Matt
From kreymer@fnal.gov Tue Dec 7 12:11:16 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA07088 for ; Tue, 7 Dec 1999 12:11:16 -0600 Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ7X4W7WM8000DWE@FNAL.FNAL.GOV> (original mail from garren@fnpspb.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 7 Dec 1999 12:11:14 -0600 CDT Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ7X4VLTPC000DXP@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 07 Dec 1999 12:11:07 -0600 Received: from localhost by fnpspb.fnal.gov (5.65v4.0/1.1.8.2/25Apr95-0324PM) id AA00758; Tue, 07 Dec 1999 12:11:06 -0600 Date: Tue, 07 Dec 1999 12:11:06 -0600 From: garren@fnpspb.fnal.gov Subject: Re: telnet In-reply-to: "Your message of Tue, 07 Dec 1999 09:05:20 CST." <199912071505.JAA01070@ossbud.fnal.gov> To: kerberos-pilot@fnal.gov Cc: garren@fnpspb.fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912071811.AA00758@fnpspb.fnal.gov> X-MTS: smtp Status: RO X-Status: X-Keywords: X-UID: 54 Well, you get the same behaviour with ssh : "ssh some_machine" does not prompt for username but just assumes the one from the local machine, so I don't see a problem. I still type username instead of password half the time, but I figure that eventually new habits will take over. So, I guess that it's better to leave things as they are. I'm in favor of keeping things simple wherever possible. We've caused a lot of unnecessary complications in the past by trying to make things backwards compatible while adding "improvements".
Lynn (ducking and running for cover now)

From kreymer@fnal.gov Tue Dec 7 17:50:34 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA07495 for ; Tue, 7 Dec 1999 17:50:33 -0600
Received: from purpc09.fnal.gov ([131.225.103.61]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ88ZIOIHS000DWE@FNAL.FNAL.GOV> (original mail from greenc@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 7 Dec 1999 17:50:30 -0600 CDT
Received: from purpc09.fnal.gov ([131.225.103.61]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ88ZHZ310000D7H@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 07 Dec 1999 17:50:23 -0600
Received: from localhost (greenc@localhost) by purpc09.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA13935; Tue, 07 Dec 1999 17:50:15 -0600
Date: Tue, 07 Dec 1999 17:50:15 -0600 (EST)
From: Chris Green
Subject: Request for kerberos principal
To: kerberos-pilot@fnal.gov
Cc: Liz Buckley-Geer , markl@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: purpc09.fnal.gov: greenc owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 55

Hi,

I'd like to request a kerberos principal for myself, greenc, uid 8483.
Could someone please send me the necessary details on how to obtain one,
and how to use it once I have it?

Thanks,

Chris.

--
Chris Green.  HEP, Purdue University.  CDF SVXII project.  Based at Fermilab.
MAIL greenc@fnal.gov; PHONE (630) 840-2308

From kreymer@fnal.gov Wed Dec 8 09:48:33 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA15016 for ; Wed, 8 Dec 1999 09:48:33 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ96FVT5TS000F2B@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 09:48:28 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ96FT5L3G000EQ4@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 09:48:02 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id JAA14774; Wed, 08 Dec 1999 09:48:00 -0600
Date: Wed, 08 Dec 1999 09:47:59 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: 13 hour ticket lifetime: a stronger statement AGAINST it
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912081548.JAA14774@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 56

After several days of playing around with various configurations of cron
jobs to renew my kerberos tickets in the background, NONE of them have
worked satisfactorily for me so far.  (And I'm certainly getting quite
tired of receiving cron email from each of 10 build nodes every 13 hours).

I believe that cron-renewal of kerberos tickets is NOT something that we
want to promote.  I think that a 13 hour lifetime is NOT long enough, and
the resulting kludges and machinations to automatically renew tickets
will present a much larger security risk than just lengthening the
lifetime to begin with.
If we do not provide the tools, users WILL cobble together their own ways
of preventing tickets from expiring.  And if we provide the tools, it
seems rather hypocritical.  "We set your ticket to 13 hours for security.
Here's how you can make it last longer."  Not very sensible, IMHO.

-- lauri

From kreymer@fnal.gov Wed Dec 8 10:59:53 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA15086 for ; Wed, 8 Dec 1999 10:59:53 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ98XNQP5C000EQE@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 10:59:51 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ98XMYRXY000DJ4@FNAL.FNAL.GOV>; Wed, 08 Dec 1999 10:59:40 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA27538; Wed, 08 Dec 1999 10:59:39 -0600 (CST)
Date: Wed, 08 Dec 1999 10:59:39 -0600
From: Matt Crawford
Subject: Re: Discussion with kaletka about kerberos
In-reply-to: "08 Dec 1999 06:48:45 CST." <"199912081248.GAA29663"@dcdrjh.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: "Randolph J. Herber"
Cc: cdfsys@fnal.gov, Mark Leininger , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912081659.KAA27538@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 57

(Moved from computer_security to kerberos-pilot list.)

> OK, then, where do I avail the necessary clients for MSDOS, Windows/NT4 SP4
> and for Linux?

DOS would be a problem.  We'd probably have to treat it like an
X-Terminal or other "dumb telnet" box.  For Windows (95/98/NT4), just
get a license for WRQ "Reflection Suite for X" + "Reflection Signature".
I think we still have a few to give out.
(It's pretty equivalent to Hummingbird Exceed with Kerberos thrown in.
You can get a 30-day trial copy at
http://www.wrq.com/products/download_index.html)  For Linux, just
upd-install the Fermi "kerberos" product.

> I will miss the ssh suite.  And, can I use the Kerberized versions of
> ssh suite?

Eventually, but not at first.  We haven't built & tested the Kerberized
ssh clients and servers, but we intend to.

From kreymer@fnal.gov Wed Dec 8 11:30:55 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA15107 for ; Wed, 8 Dec 1999 11:30:55 -0600
Received: from dcdrjh.fnal.gov ([131.225.232.66]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9A14YUZ4000EQE@FNAL.FNAL.GOV> (original mail from herber@dcdrjh.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 11:30:54 -0600 CDT
Received: from dcdrjh.fnal.gov ([131.225.232.66]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ9A12KQEQ000EDI@FNAL.FNAL.GOV>; Wed, 08 Dec 1999 11:30:41 -0600
Received: (from herber@localhost) by dcdrjh.fnal.gov (8.9.3/8.9.3) id LAA00872; Wed, 08 Dec 1999 11:30:36 -0600 (CST)
Date: Wed, 08 Dec 1999 11:30:36 -0600 (CST)
From: "Randolph J. Herber"
Subject: Re: Discussion with kaletka about kerberos
To: "Randolph J. Herber" , Matt Crawford
Cc: kerberos-pilot@fnal.gov, Mark Leininger , cdfsys@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: "Randolph J. Herber"
Message-id: <199912081730.LAA00872@dcdrjh.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 58

Re For Linux, just upd-install the Fermi "kerberos" product.

Apparently you missed the demand for an rpm and not a upd distribution.

I will not install upd on any machine I own and will object strongly about
installing upd on any machine that is assigned effectively to my sole use.

If necessary, I will build the software myself (on my time, if necessary)
rather than use upd.

Randolph J. Herber, herber@dcdrjh.fnal.gov, +1 630 840 2966, CD/CDFTF PK-149F,
Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia, IL 60510-0500,
USA. (Speaking for myself and not for US, US DOE, FNAL nor URA.) (Product,
trade, or service marks herein belong to their respective owners.)

From kreymer@fnal.gov Wed Dec 8 13:45:52 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov ([131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA15179 for ; Wed, 8 Dec 1999 13:44:36 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9EO36BOG000EQE@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 13:43:54 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9EO2DZR6000ERH@FNAL.FNAL.GOV>; Wed, 08 Dec 1999 13:43:45 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id NAA16880; Wed, 08 Dec 1999 13:43:43 -0600
Date: Wed, 08 Dec 1999 13:43:43 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Discussion with kaletka about kerberos
Sender: lauri@ossbud.fnal.gov
To: "Randolph J. Herber"
Cc: Matt Crawford , kerberos-pilot@fnal.gov, Mark Leininger , cdfsys@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912081943.NAA16880@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 59

You don't have to install upd, but if you don't install upd then we won't
assist you.  The OSS department policy is that, if we have any sort of
support load on the machine at all, then it WILL be a FUE environment and
it WILL have ups/upd.  Period.  If you want to rebuild the software
yourself, that's fine.  Just don't come to us for help or assistance.
We already built it, and spent a lot of time designing an installation
script that would automate the difficult portions, and make sure that
your kerberos configuration is up-to-date.  We did this in the
CD-standard FUE way.  You can choose to:

- use FUE
- learn how to pull things from FNKITS and bypass FUE (but the kerberos
  installation assumes that FUE exists, and will fail without it)
- do it yourself.

The OSS department does NOT provide Linux utilities in RPM format, except
when they come that way from RedHat.  Until they provide kerberos, you're
stuck with ours.

-- lauri

On Wednesday 8 December 1999, our friend "Randolph J. Herber" spaketh thusly:
> Re For Linux, just upd-install the Fermi "kerberos" product.
>
> Apparently you missed the demand for an rpm and not a upd distribution.
>
> I will not install upd on any machine I own and will object strongly about
> installing upd on any machine that is assigned effectively to my sole use.
>
> If necessary, I will build the software myself (on my time, if necessary)
> rather than use upd.
>
> Randolph J. Herber, herber@dcdrjh.fnal.gov, +1 630 840 2966, CD/CDFTF PK-149F,
> Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia, IL 60510-0500,
> USA. (Speaking for myself and not for US, US DOE, FNAL nor URA.) (Product,
> trade, or service marks herein belong to their respective owners.)
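Returning to the telnet environment-option exchange Matt traced earlier in this archive (the SENT/RCVD OLD-ENVIRON lines, and the observation that "-l crawdad" makes the client send $USER so that the "login:" prompt is skipped): the following Python is an added example, not code from any message in this archive nor from the Fermi kerberos product. It encodes and decodes the IAC SB ENVIRON ... IAC SE subnegotiation using the code assignments of RFC 1572 (option 36 for OLD-ENVIRON and 39 for NEW-ENVIRON; IS/SEND/INFO; VAR/VALUE/ESC/USERVAR) and reports which identity-bearing variables a client disclosed, which with the unencrypted client in the trace means disclosed in the clear on the wire. The sample frames are constructed to mirror that trace, with the variable names and the username taken from Matt's message. One caveat the decoder does not handle: RFC 1571 records that some OLD-ENVIRON implementations swapped the VAR and VALUE codes, which is the interoperability problem NEW-ENVIRON was defined to fix.

```python
"""Telnet ENVIRON subnegotiation codec (RFC 1408 OLD-ENVIRON / RFC 1572 NEW-ENVIRON).
Added example; the frames at the bottom are constructed to mirror the traced exchange."""

IAC, SB, SE = 255, 250, 240                 # RFC 854 command bytes
OPT_OLD_ENVIRON, OPT_NEW_ENVIRON = 36, 39   # telnet option numbers
IS, SEND, INFO = 0, 1, 2                    # ENVIRON subcommands
VAR, VALUE, ESC, USERVAR = 0, 1, 2, 3       # ENVIRON field markers (RFC 1572 assignment)

OPTION_NAMES = {OPT_OLD_ENVIRON: "OLD-ENVIRON", OPT_NEW_ENVIRON: "NEW-ENVIRON"}
COMMAND_NAMES = {IS: "IS", SEND: "SEND", INFO: "INFO"}
# RFC 1572 well-known variables; each one says something about who is connecting.
IDENTITY_VARS = {"USER", "JOB", "ACCT", "PRINTER", "SYSTEMTYPE", "DISPLAY"}


def _escape(data):
    """Prefix bytes that collide with a field marker (0..3) with ESC."""
    raw = data if isinstance(data, bytes) else data.encode("latin-1")
    out = bytearray()
    for b in raw:
        if b in (VAR, VALUE, ESC, USERVAR):
            out.append(ESC)
        out.append(b)
    return bytes(out)


def encode_environ_sb(option, command, entries):
    """Build IAC SB <option> <command> {VAR|USERVAR name [VALUE value]} IAC SE."""
    body = bytearray([command])
    for kind, name, value in entries:
        body.append(VAR if kind == "VAR" else USERVAR)
        body += _escape(name)
        if value is not None:
            body.append(VALUE)
            body += _escape(value)
    body = body.replace(bytes([IAC]), bytes([IAC, IAC]))  # RFC 854: IAC in data is doubled
    return bytes([IAC, SB, option]) + bytes(body) + bytes([IAC, SE])


def decode_environ_sb(frame):
    """Parse one complete frame into (option, command, [(kind, name, value), ...]);
    value is None when only a name was sent (as in a SEND request)."""
    if frame[:2] != bytes([IAC, SB]) or frame[-2:] != bytes([IAC, SE]):
        raise ValueError("not a complete IAC SB ... IAC SE frame")
    option = frame[2]
    if option not in OPTION_NAMES:
        raise ValueError(f"option {option} is not an ENVIRON option")
    body = frame[3:-2]
    if not body or body[0] not in COMMAND_NAMES:
        raise ValueError("missing or unknown ENVIRON subcommand")
    command = body[0]
    body = body[1:].replace(bytes([IAC, IAC]), bytes([IAC]))   # undo IAC doubling

    def finish(c):
        kind, name, value = c
        return (kind, bytes(name).decode("latin-1"),
                None if value is None else bytes(value).decode("latin-1"))

    entries, cur, in_value, i = [], None, False, 0   # cur = [kind, name, value]
    while i < len(body):
        b = body[i]
        if b in (VAR, USERVAR):                # start of a new variable
            if cur is not None:
                entries.append(finish(cur))
            cur, in_value = ["VAR" if b == VAR else "USERVAR", bytearray(), None], False
        elif cur is None:
            raise ValueError("data before the first VAR/USERVAR marker")
        elif b == VALUE:                       # switch from the name field to the value
            cur[2], in_value = bytearray(), True
        else:
            if b == ESC:                       # next byte is literal data
                i += 1
                if i >= len(body):
                    raise ValueError("dangling ESC at end of subnegotiation")
                b = body[i]
            (cur[2] if in_value else cur[1]).append(b)
        i += 1
    if cur is not None:
        entries.append(finish(cur))
    return OPTION_NAMES[option], COMMAND_NAMES[command], entries


def identity_sent_in_clear(frames):
    """{name: value} for identity variables a client disclosed in IS/INFO replies."""
    disclosed = {}
    for frame in frames:
        _, command, entries = decode_environ_sb(frame)
        if command in ("IS", "INFO"):
            for _kind, name, value in entries:
                if name in IDENTITY_VARS and value is not None:
                    disclosed[name] = value
    return disclosed


# Constructed frames: the server asks (SEND) and the client answers (IS).  Without
# "-l" only DISPLAY goes out; with "-l crawdad" USER is sent too, which is what
# lets the server skip the "login:" prompt.
SERVER_SEND = encode_environ_sb(OPT_OLD_ENVIRON, SEND, [])
CLIENT_PLAIN = encode_environ_sb(OPT_OLD_ENVIRON, IS, [("VAR", "DISPLAY", "gungnir.fnal.gov:0.0")])
CLIENT_AUTOLOGIN = encode_environ_sb(OPT_OLD_ENVIRON, IS, [("VAR", "USER", "crawdad"),
                                                          ("VAR", "DISPLAY", "gungnir.fnal.gov:0.0")])

if __name__ == "__main__":
    print("no -l:     ", identity_sent_in_clear([SERVER_SEND, CLIENT_PLAIN]))
    print("-l crawdad:", identity_sent_in_clear([SERVER_SEND, CLIENT_AUTOLOGIN]))
```

Run stand-alone it prints the variables each constructed exchange discloses; a telnetd-side logging hook would call identity_sent_in_clear() on each IS/INFO frame it receives and record which variables arrived before deciding whether to honour autologin. The latin-1 round trip and the ESC handling are there because a value may legitimately contain the marker bytes 0 to 3 or an IAC, and a decoder that mishandles them misattributes the rest of the frame.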
From kreymer@fnal.gov Wed Dec 8 14:17:19 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov ([131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA15201 for ; Wed, 8 Dec 1999 14:17:19 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9FSN2LF4000EQE@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 14:16:35 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9FSLHEGM000ERH@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 14:16:26 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id OAA17203; Wed, 08 Dec 1999 14:16:24 -0600
Date: Wed, 08 Dec 1999 14:16:23 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: tcpwrappers and kerberos: what should we do?
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912082016.OAA17203@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 60

Glenn Cooper points out that kerberos v0_3 wipes out any previous
tcp-wrapping of the kerberized services.

Questions:

a) Are all tcp-wrapped services listed in inetd.conf?
   Or may things be wrapped by other means?  (The
   tcp_wrapper product INSTALL_NOTE on fnalu would
   indicate that everything is in inetd.conf, I'm
   just confirming this suspicion).

b) Does tcp_wrappers work with kerberized services?

c) Do we want to preserve tcp-wrapping of any
   previously wrapped services?

d) If so, in the INSTALL_NOTE it talks about OS
   systems areas, and how to wrap services.  Question:
   does the "tcpd" image live in /usr/etc (as is
   shown in the examples) or in the OS system area
   (which varies from platform to platform, and is
   /usr/etc only on IRIX+6)?
What does tcp_wrappers buy you in a kerberized environment?

-- lauri

From kreymer@fnal.gov Wed Dec 8 14:40:35 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA15209 for ; Wed, 8 Dec 1999 14:40:34 -0600
Received: from hamshack ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9GNBCDSG000EQE@FNAL.FNAL.GOV> (original mail from kschu@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 14:40:32 -0600 CDT
Received: from hamshack ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9GNAI43E000DM5@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 14:40:23 -0600
Date: Wed, 08 Dec 1999 14:31:16 -0600
From: Ken Schumacher
Subject: Re: tcpwrappers and kerberos: what should we do?
To: lauri@fnal.gov, lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214), kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <99120814402304.00491@hamshack>
Organization: Fermilab CD/OSS Central Systems Support group
MIME-version: 1.0
X-Mailer: KMail [version 1.0.21]
Content-type: text/plain
Content-transfer-encoding: 8bit
References: <199912082016.OAA17203@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 61

On Wed, 08 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> Glenn Cooper points out that kerberos v0_3 wipes out any previous
> tcp-wrapping of the kerberized services.
>
> Questions:
>
> a) Are all tcp-wrapped services listed in inetd.conf?
>    Or may things be wrapped by other means?  (The
>    tcp_wrapper product INSTALL_NOTE on fnalu would
>    indicate that everything is in inetd.conf, I'm
>    just confirming this suspicion).

SSH is compiled with an option enabled which looks at the /etc/hosts.deny
and /etc/hosts.allow files.  These files are also used and very important
to tcp_wrappers.
I don't know if installation of kerberos v0_3 affects these files or not.

> b) Does tcp_wrappers work with kerberized services?

I expect that tcp_wrappers would work with anything which follows its
expectation that connections to ports are made via the 'INETD' daemon.
That's a "best guess", not a "statement of fact".

> c) Do we want to preserve tcp-wrapping of any
>    previously wrapped services?

I believe it would be a bad precedent to change the configuration put in
place by another product, such as tcp_wrappers.  However, replacing the
binaries that 'inetd' (and therefore tcp_wrapper) would otherwise point
you to in order to secure a system is another matter.

> d) If so, in the INSTALL_NOTE it talks about OS
>    systems areas, and how to wrap services.  Question:
>    does the "tcpd" image live in /usr/etc (as is
>    shown in the examples) or in the OS system area
>    (which varies from platform to platform, and is
>    /usr/etc only on IRIX+6)?

It resides in '/usr/sbin' on OSF1 v4.0d.  I expect it is system dependent
for all platforms/flavors.

> What does tcp_wrappers buy you in a kerberized environment?

Audit Trail and specific messages which can be returned when rejecting a
particular service.  We also use it to ensure presentation of banners
before one connects to a host.

More later,
Ken S.
--
===========================================================================
Ken Schumacher          (o) 630-840-4579        (f) 630-840-6345
Fermilab CD/OSS CSS Group    Loc:FCC-252g    http://home.fnal.gov/~kschu/
===========================================================================

From kreymer@fnal.gov Wed Dec 8 16:06:10 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15263 for ; Wed, 8 Dec 1999 16:06:08 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9JM5HZM8000EQE@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:05:59 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9JM4I84S000DM9@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 16:05:44 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA19516; Wed, 08 Dec 1999 16:05:42 -0600
Date: Wed, 08 Dec 1999 16:05:42 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: tcpwrappers and kerberos: what should we do?
Sender: lauri@ossbud.fnal.gov
To: Ken Schumacher
Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912082205.QAA19516@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 62

On Wednesday 8 December 1999, our friend Ken Schumacher spaketh thusly:
> I believe it would be a bad precedent to change the
> configuration put in place by another product, such as
> tcp_wrappers.  However, replacing the binaries that 'inetd'
> (and therefore tcp_wrapper) would otherwise point you to in order
> to secure a system is another matter.
>

By its very nature, kerberos DOES change the configuration put in place
by other products -- it modifies several system configuration files so
that the kerberized services are presented instead of the system
defaults.  We do not overwrite the existing files on the system -- for
many many reasons, not the least of which is maintenance headaches.  But
we change inetd.conf so that the *new* kerberized files are used instead
of the old system ones.

-- lauri

From kreymer@fnal.gov Wed Dec 8 16:06:16 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15267 for ; Wed, 8 Dec 1999 16:06:16 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9JMDB14G000F2B@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:06:13 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ9JMA5AYA000D7V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 16:05:52 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA29317 for ; Wed, 08 Dec 1999 16:05:51 -0600 (CST)
Date: Wed, 08 Dec 1999 16:05:51 -0600
From: Matt Crawford
Subject: Re: tcpwrappers and kerberos: what should we do?
In-reply-to: "08 Dec 1999 15:26:45 CST." <"199912082126.PAA71869"@frosty.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912082205.QAA29317@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 63

So, I think everything's been addressed by Lauri, Ken and Ray except the
bottom line (which actually appears at the top): what should we do?
I propose this:  In the next version, be it called v0_4 or v1_0, the
install procedure should note and preserve the presence of tcp wrappers
control on ftpd and telnetd, whether the existing ftpd and telnetd were
Kerberos or not.  It should also note and preserve existing tcp wrappers
on Kerberized r-commands, if this is a Kerberos upgrade.

If it's a new Kerberos installation and wrappers are in effect on the
Berkeley r-commands, the installer should be notified to update the tcp
wrappers configuration files to include the kerberos r-commands (which
use different ports and server binary names!), then insert tcpd into the
resulting inetd.conf by hand.

An alternative to consider is whether the installation procedure can be
made smart enough to update hosts.{allow,deny} (if needed) to give the
Kerberos r-commands the same access control as the Berkeley ones had.
However, they may not be what the installer wants, so it would still
have to be flagged.

Matt

From kreymer@fnal.gov Wed Dec 8 16:21:36 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15274 for ; Wed, 8 Dec 1999 16:21:34 -0600
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9K602CK0000F2B@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:21:30 -0600 CDT
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9K5VH2V0000EEO@FNAL.FNAL.GOV>; Wed, 08 Dec 1999 16:20:55 -0600
Date: Wed, 08 Dec 1999 16:20:51 -0600
From: "Mark O. Kaletka"
Subject: RE: Discussion with kaletka about kerberos
In-reply-to: <199912081659.KAA27538@gungnir.fnal.gov>
To: Matt Crawford , "Randolph J. Herber"
Cc: cdfsys@fnal.gov, Mark Leininger , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: multipart/mixed; boundary="Boundary_(ID_OQ8ruKZX/scPIAFA2K+j/A)"
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 64

This is a multi-part message in MIME format.

--Boundary_(ID_OQ8ruKZX/scPIAFA2K+j/A)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit

Don't bother with the demo download of WRQ -- just let me know if you
want an installation.

-- Mark K.

> -----Original Message-----
> From: crawdad@gungnir.fnal.gov [mailto:crawdad@gungnir.fnal.gov]On
> Behalf Of Matt Crawford
> Sent: Wednesday, December 08, 1999 11:00 AM
> To: Randolph J. Herber
> Cc: cdfsys@fnal.gov; Mark Leininger; kerberos-pilot@fnal.gov
> Subject: Re: Discussion with kaletka about kerberos
>
>
> (Moved from computer_security to kerberos-pilot list.)
>
> > OK, then, where do I avail the necessary clients for MSDOS, Windows/NT4 SP4
> > and for Linux?
>
> DOS would be a problem.  We'd probably have to treat it like an
> X-Terminal or other "dumb telnet" box.  For Windows (95/98/NT4), just
> get a license for WRQ "Reflection Suite for X" + "Reflection
> Signature".  I think we still have a few to give out.  (It's pretty
> equivalent to Hummingbird Exceed with Kerberos thrown in.  You can
> get a 30-day trial copy at
> http://www.wrq.com/products/download_index.html)  For Linux, just
> upd-install the Fermi "kerberos" product.
>
> > I will miss the ssh suite.  And, can I use the Kerberized versions of
> > ssh suite?
>
> Eventually, but not at first.  We haven't built & tested the
> Kerberized ssh clients and servers, but we intend to.
> > --Boundary_(ID_OQ8ruKZX/scPIAFA2K+j/A) Content-type: text/x-vcard; name="Mark Kaletka.vcf" Content-disposition: attachment; filename="Mark Kaletka.vcf" Content-transfer-encoding: quoted-printable BEGIN:VCARD VERSION:2.1 N:Kaletka;Mark FN:Mark Kaletka ORG:Fermi National Accelerator Laboratory TITLE:Associate Head, Distributed Computing NOTE;ENCODING=3DQUOTED-PRINTABLE:-----BEGIN PGP PUBLIC KEY = BLOCK-----=3D0D=3D0AVersion: PGP Personal Privacy 6.0.=3D 2=3D0D=3D0A=3D0D=3D0AmQBtAzFwKkIAAAEDAMruMgtjb4AFWh9Fakw1gvuA5Yy7Of2B2YX0= oSikYJN5HlO=3D g=3D0D=3D0AEvvah/+5k7fojhsb5lvkvqzrXT7RGFhqEjvnAZ8p+8mztXLS3FwF7NP/lXenas= zS=3D0D=3D =3D0ArwsXq/MKkEIU20zX6QAFEbQiTWFyayBPLiBLYWxldGthIDxrYWxldGthQGZuYWwu=3D0= D=3D0AZ29=3D 2PokAdQMFEDGKdKoKkEIU20zX6QEBe5oC/i5FUpvqphC89h2Nvs//gzTDdWon=3D0D=3D0ANT= 4ewv19Q=3D vQG7f27AiXjUubWH8meR1XTy1IdgGIYr1HHTLSs3t1zZMfvLQwuNLtw=3D0D=3D0ABmRnl7mt= fLVxd8s=3D gaSHD8SkwTAY0GwuM08NERokAdQMFEDLmRjkADvWCVm9jxQEB=3D0D=3D0APLgDAMWxqduliP= 63Au+8n=3D bEgqvnPJ0XshiISmxgv/J+45nov4BNey4OJY0FMn88F=3D0D=3D0AKVnMy1kl4fQVxNreXAHK= FLRCem6=3D FNlEwtAKHPSsfrqHWUmWnySOy4M0UAN/1FP9b=3D0D=3D0AI+r8qIkAlQIFEDK4G83BvA0Ss1= w9dQEBg=3D bwEAKVDrwLo1zwXqfvLHcTUbF6hp+63=3D0D=3D0AjKtEWKGUoLDRY+oe8EPa5FL9FmKO6YGQ= cDraiDz=3D CL/a2MnAUuTKY4brS7k8YggKM=3D0D=3D0AyJzmbgbzOusUV2QIrjdAUCbS02D/e0PUG4lvK3= SfriSPU=3D 2ZVpkSN3zf+z6h9KHtU=3D0D=3D0AxjsxlXM45I3L1FseiQCVAwUQMevo4P9eObdUvIBNAQGI= pQP/UTB=3D lXoAy3kCVIMkD=3D0D=3D0Auk+JNcN+iQHMG1w6+1kCpTUKABTritOFr1OU3obtJmdF5uQIFa= dGXrP7N=3D MmYKCvy=3D0D=3D0A6XpyaEAFEB+a6cZ8WF/JuKHJNpMRcffAFwqHZk/n7hoHv8Q/ug/HwpIC= xNaj30b=3D 0=3D0D=3D0AQOVMp0pl3Le517z0Tmm1Sh4PPueJAHUDBRAxoLzgG0UcLhL3B0EBAeIpAvwNC1= MI=3D0D=3D =3D0AxzUJp3FrUciY/x54RwNOMNlAYmpcng7z7qO5Br6bEAeu8VzTqWp2CalNH6Er8qI/=3D0= D=3D0Anwe=3D hgvqWIkK+gdYVTmGS//HQzB2+byvh676SHIYoa8eaPkxcw3tDtK/vDC6JAJUD=3D0D=3D0ABR= AxmoZP+=3D TQP17o6+40BAbfQBACAoEaIW4BBa0Oc6RfPMmXqPhYSGk4Q/QngXDO5=3D0D=3D0AAR9MxDyU= f2B1QtQ=3D 
mvh5BJMNLzGo5N08U2hkbCy/S3gb3LZz+gEULCubF/RHmyqC5=3D0D=3D0AZM+V49yiYslcjJ= Tf5ATGX=3D jyNlvj6raF3LS+ic3vvlZLUmE6Tpbzc/vFv7Vkyypf+=3D0D=3D0AYKJcZYkAlQMFEDGZE+hW= 04RGFOU=3D GqQEBLdAEAMLu4ovw5JkQDueYZs6JzcOJLbcd=3D0D=3D0A8mhSr2d6TvvaJWyjcNpRYvIITe= v7ynoXb=3D m4TXJ7THlU3+DxnBBcF0AWNi4WncOgO=3D0D=3D0AmK42AGGLdla7hy4CDqKhfoU2P4egYpML= m7Qp16m=3D hU7/ZnEKPsS2Q5EsajwF0Frdw=3D0D=3D0A4aO3Xo/0nLZt+zeviQCVAwUQMZDc/W1BGsl3GS= GhAQHBk=3D QP9GM/4iOOtL5Rf2M0S=3D0D=3D0Ai5VHsI/rl7SCfaNZ9wOC2wkQ2vNm43E7thTiVQVtj5qy= xS6K5Mu=3D bg8/ug8dhqpTz=3D0D=3D0ASpsz/48r7hzQPu/YF76Hf79xAKfTv7PtJETsSre020vHWepG6w= 6IWE0OF=3D XBnAN0i=3D0D=3D0AG6xRLyEvhlxdcNB1B603g83UfpGJAD8DBRA08gOPx4mzXMF1scMRAtkq= AKDEi24=3D L=3D0D=3D0AcHItynHq4gRRaf/wiu/p6ACcCP6Lo1WCmIITN4H44rl+2mLYdluJAEYEEBECAA= YF=3D0D=3D =3D0AAjV+z48ACgkQIAiiW3E7KJ+XCACgqtiEV+Y8i5h4YjAwSV7nxCkJBJ4AoOnshi9a=3D0= D=3D0Ah47=3D pyHPbAzJB5rDv0ptliQCVAwUQNYUWCQBA97MJhXBxAQF2dwQAtQ6JAgmXc6d5=3D0D=3D0Awl= L7rWBlQ=3D l4YAPeq6QNvKjyYlzXdq1l4VfQk+cYkpUOMEFoxUfWa/T3wu3nZafWT=3D0D=3D0AGy4zK0Ho= LQ3ykiY=3D Da8aEIkEsycBsEzU3/Ng4gdb8wfOMkadVnwcAXBI/XsaHD13E=3D0D=3D0Aq+xiyVfYNVqJRJ= 3g4ykpP=3D 2ojYENOeviJAD8DBRA08foSCyAmjthzIwcRAsqlAKDI=3D0D=3D0AY87cds3hNoR69Bw3TuDG= OsuULwC=3D g0VnMyqkBMCQT0+V5Qtwhn4zHGD6JARUDBRA1=3D0D=3D0AiTpVFGN6RSh/tv0BAUKXB/4xSD= 91zoPjY=3D 9QnpIUQSIQ65Kq2cnjwX0Mh3/eUwbkA=3D0D=3D0Ayo7wYNCzQfssIyxrXSB+2cU7KUeE48Pt= caoOve2=3D WoDorHASlB/kl8ujZSq2rahX7=3D0D=3D0AbB/Rj4dnDOu+oR4sv0JCaVvYhTwAumfW/h/Hk0= NnFfjk9=3D fGeX5geI9SYtVBwpOBa=3D0D=3D0AHaYA27AMD8AulsDalOhKHpZsiOGkGSiN94fcE54vlRBE= UMi0Hi/=3D HGuUVxV6zp2pI=3D0D=3D0ARf5ZNMW081gQIBGWO7ODOKu8Xuk0Ahix2YyfMTf9R/h1hMKjKE= um0Kuvi=3D K/w9/L2=3D0D=3D0AU+WNkodE5SpTpVO3WEjB04iAvWoq4PwvqXZmi/HD8k5riQCVAwUQNYBI= DhXbgx0=3D t=3D0D=3D0A2v9JAQHEmQP7B/Erh3QjKJPf8Z6ZIvR7dyeNYjCNghbozoOfMZnY55YzV4/kPz= WP=3D0D=3D =3D0A9U3N850DlgLJroFFW3cweSrZd1W5uA+/BLVSOPF6vduskK8bMr1w7PkyREPGlbUU=3D0= D=3D0AhuT=3D SC1C6NB4EbSDe+WROysgzygOJrAF2f3C3lFPTH8QE/flAp3u30KCJARUDBRA1=3D0D=3D0AiT= m3IVnPs=3D 
A6KBgEBAZdMB/4mlUWMTM/i6qTHYgpIcvODpPLw+b6KCOJRzLY0n78H=3D0D=3D0AKV2nnrXi= bhwixvC=3D YGkDxs5RkrrBh6XfgAUCRJD9IR57dLe3Up9m3Rs9zdcGdcwvG=3D0D=3D0AKsgLtTDl3Lidpx= JmnOhDn=3D WTvbS33jk/2s+r40YsPQjJF0rY3WNG0xwmIqX4/OmuY=3D0D=3D0AlSIC3ceTPU5xoycFzy7M= DS3ZTJR=3D HeCFbAiAWnqiQgDYO+jAlre2/GtID/mCIiDtC=3D0D=3D0AS7gA8nQAJDm/zvWWu6dg8kNZrT= gZow68k=3D 9ZU6Opcl4Z44qkYfHRLKE6FgqKU3kWe=3D0D=3D0AwpygQImGQ9YRumVPqQzffllxEdZMuiI6= POFg8k1=3D DyvN3iQBGBBARAgAGBQI13O1X=3D0D=3D0AAAoJEGU5iQSM6LaTMGwAn2K/UWQLCpAPUl9ZCT= rzM2WZj=3D FRrAJ0bSN5CjxJ9W/3P=3D0D=3D0AGTP7cNijlFTwHokARgQQEQIABgUCNdzt1wAKCRCLomuA= xTllVwG=3D /AKC6P1cXO/7S=3D0D=3D0AprphH5zP//WPJgUe+QCcCZmZOB3kIgcTATy9vOTBPRwFDS2JAE= YEEBECA=3D AYFAjUJ=3D0D=3D0AnUoACgkQnbmAIRU6jisG2wCgp5bR1QwdzQnSNvtbqCwyDsKszU4AoOIx= At+Xtqk=3D h=3D0D=3D0A4HSFUZmTaKCLDPT8iQBGBBARAgAGBQI13O5TAAoJEKPC0RK2POhRwG0An20z3/= g6=3D0D=3D =3D0A3f9s7VrvQzmzOeCMFYd+AJ9tOKzI1uOS8N3pqkc8MBB9D5yTVYkARgQQEQIABgUC=3D0= D=3D0ANdz=3D umQAKCRCs2MAZgvJsEx9iAJ9Iy7S3DmerrWlztH/NkvuI1iXmfgCeORLvzVDf=3D0D=3D0ANy= ZX+kV1q=3D 7MPcQfKDks=3D3D=3D0D=3D0A=3D3DmxgW=3D0D=3D0A-----END PGP PUBLIC KEY = BLOCK----- TEL;WORK;VOICE:(630) 840-2965 TEL;CELL;VOICE:(630) 726-7221 TEL;PAGER;VOICE:(630) 722-9742 TEL;WORK;FAX:(630) 840-8208 ADR;WORK:;;P.O. Box 500, MS-368;Batavia;Il;60510-0500 LABEL;WORK;ENCODING=3DQUOTED-PRINTABLE:P.O. 
Box 500, =
MS-368=3D0D=3D0ABatavia, Il 60510-0500
EMAIL;PREF;INTERNET:kaletka@fnal.gov
REV:19991203T200139Z
END:VCARD

--Boundary_(ID_OQ8ruKZX/scPIAFA2K+j/A)--

From kreymer@fnal.gov Wed Dec 8 16:21:44 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15278 for ; Wed, 8 Dec 1999 16:21:43 -0600
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9K6642JK000EQE@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:21:35 -0600 CDT
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9K5VH2V0000EEO@FNAL.FNAL.GOV>; Wed, 08 Dec 1999 16:20:58 -0600
Date: Wed, 08 Dec 1999 16:20:55 -0600
From: "Mark O. Kaletka"
Subject: RE: Discussion with kaletka about kerberos
In-reply-to: <199912081730.LAA00872@dcdrjh.fnal.gov>
To: "Randolph J. Herber" , Matt Crawford
Cc: kerberos-pilot@fnal.gov, Mark Leininger , cdfsys@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: multipart/mixed; boundary="Boundary_(ID_nx9FF9tFpKsT14mwqEi8pg)"
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 65

This is a multi-part message in MIME format.

--Boundary_(ID_nx9FF9tFpKsT14mwqEi8pg)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit

Sorry, we support upd and not rpm install.

-- Mark K.

> -----Original Message-----
> From: Randolph J. Herber [mailto:herber@dcdrjh.fnal.gov]
> Sent: Wednesday, December 08, 1999 11:31 AM
> To: Randolph J. Herber; Matt Crawford
> Cc: kerberos-pilot@fnal.gov; Mark Leininger; cdfsys@fnal.gov
> Subject: Re: Discussion with kaletka about kerberos
>
>
> Re For Linux, just upd-install the Fermi "kerberos" product.
>
> Apparently you missed the demand for an rpm and not a upd distribution.
>
> I will not install upd on any machine I own and will object strongly about
> installing upd on any machine that is assigned effectively to my sole use.
>
> If necessary, I will build the software myself (on my time, if necessary)
> rather than use upd.
>
> Randolph J. Herber, herber@dcdrjh.fnal.gov, +1 630 840 2966,
> CD/CDFTF PK-149F,
> Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia,
> IL 60510-0500,
> USA. (Speaking for myself and not for US, US DOE, FNAL nor URA.)
> (Product,
> trade, or service marks herein belong to their respective owners.)
>
>
w9dQEBg=3D bwEAKVDrwLo1zwXqfvLHcTUbF6hp+63=3D0D=3D0AjKtEWKGUoLDRY+oe8EPa5FL9FmKO6YGQ= cDraiDz=3D CL/a2MnAUuTKY4brS7k8YggKM=3D0D=3D0AyJzmbgbzOusUV2QIrjdAUCbS02D/e0PUG4lvK3= SfriSPU=3D 2ZVpkSN3zf+z6h9KHtU=3D0D=3D0AxjsxlXM45I3L1FseiQCVAwUQMevo4P9eObdUvIBNAQGI= pQP/UTB=3D lXoAy3kCVIMkD=3D0D=3D0Auk+JNcN+iQHMG1w6+1kCpTUKABTritOFr1OU3obtJmdF5uQIFa= dGXrP7N=3D MmYKCvy=3D0D=3D0A6XpyaEAFEB+a6cZ8WF/JuKHJNpMRcffAFwqHZk/n7hoHv8Q/ug/HwpIC= xNaj30b=3D 0=3D0D=3D0AQOVMp0pl3Le517z0Tmm1Sh4PPueJAHUDBRAxoLzgG0UcLhL3B0EBAeIpAvwNC1= MI=3D0D=3D =3D0AxzUJp3FrUciY/x54RwNOMNlAYmpcng7z7qO5Br6bEAeu8VzTqWp2CalNH6Er8qI/=3D0= D=3D0Anwe=3D hgvqWIkK+gdYVTmGS//HQzB2+byvh676SHIYoa8eaPkxcw3tDtK/vDC6JAJUD=3D0D=3D0ABR= AxmoZP+=3D TQP17o6+40BAbfQBACAoEaIW4BBa0Oc6RfPMmXqPhYSGk4Q/QngXDO5=3D0D=3D0AAR9MxDyU= f2B1QtQ=3D mvh5BJMNLzGo5N08U2hkbCy/S3gb3LZz+gEULCubF/RHmyqC5=3D0D=3D0AZM+V49yiYslcjJ= Tf5ATGX=3D jyNlvj6raF3LS+ic3vvlZLUmE6Tpbzc/vFv7Vkyypf+=3D0D=3D0AYKJcZYkAlQMFEDGZE+hW= 04RGFOU=3D GqQEBLdAEAMLu4ovw5JkQDueYZs6JzcOJLbcd=3D0D=3D0A8mhSr2d6TvvaJWyjcNpRYvIITe= v7ynoXb=3D m4TXJ7THlU3+DxnBBcF0AWNi4WncOgO=3D0D=3D0AmK42AGGLdla7hy4CDqKhfoU2P4egYpML= m7Qp16m=3D hU7/ZnEKPsS2Q5EsajwF0Frdw=3D0D=3D0A4aO3Xo/0nLZt+zeviQCVAwUQMZDc/W1BGsl3GS= GhAQHBk=3D QP9GM/4iOOtL5Rf2M0S=3D0D=3D0Ai5VHsI/rl7SCfaNZ9wOC2wkQ2vNm43E7thTiVQVtj5qy= xS6K5Mu=3D bg8/ug8dhqpTz=3D0D=3D0ASpsz/48r7hzQPu/YF76Hf79xAKfTv7PtJETsSre020vHWepG6w= 6IWE0OF=3D XBnAN0i=3D0D=3D0AG6xRLyEvhlxdcNB1B603g83UfpGJAD8DBRA08gOPx4mzXMF1scMRAtkq= AKDEi24=3D L=3D0D=3D0AcHItynHq4gRRaf/wiu/p6ACcCP6Lo1WCmIITN4H44rl+2mLYdluJAEYEEBECAA= YF=3D0D=3D =3D0AAjV+z48ACgkQIAiiW3E7KJ+XCACgqtiEV+Y8i5h4YjAwSV7nxCkJBJ4AoOnshi9a=3D0= D=3D0Ah47=3D pyHPbAzJB5rDv0ptliQCVAwUQNYUWCQBA97MJhXBxAQF2dwQAtQ6JAgmXc6d5=3D0D=3D0Awl= L7rWBlQ=3D l4YAPeq6QNvKjyYlzXdq1l4VfQk+cYkpUOMEFoxUfWa/T3wu3nZafWT=3D0D=3D0AGy4zK0Ho= LQ3ykiY=3D Da8aEIkEsycBsEzU3/Ng4gdb8wfOMkadVnwcAXBI/XsaHD13E=3D0D=3D0Aq+xiyVfYNVqJRJ= 3g4ykpP=3D 2ojYENOeviJAD8DBRA08foSCyAmjthzIwcRAsqlAKDI=3D0D=3D0AY87cds3hNoR69Bw3TuDG= OsuULwC=3D 
g0VnMyqkBMCQT0+V5Qtwhn4zHGD6JARUDBRA1=3D0D=3D0AiTpVFGN6RSh/tv0BAUKXB/4xSD= 91zoPjY=3D 9QnpIUQSIQ65Kq2cnjwX0Mh3/eUwbkA=3D0D=3D0Ayo7wYNCzQfssIyxrXSB+2cU7KUeE48Pt= caoOve2=3D WoDorHASlB/kl8ujZSq2rahX7=3D0D=3D0AbB/Rj4dnDOu+oR4sv0JCaVvYhTwAumfW/h/Hk0= NnFfjk9=3D fGeX5geI9SYtVBwpOBa=3D0D=3D0AHaYA27AMD8AulsDalOhKHpZsiOGkGSiN94fcE54vlRBE= UMi0Hi/=3D HGuUVxV6zp2pI=3D0D=3D0ARf5ZNMW081gQIBGWO7ODOKu8Xuk0Ahix2YyfMTf9R/h1hMKjKE= um0Kuvi=3D K/w9/L2=3D0D=3D0AU+WNkodE5SpTpVO3WEjB04iAvWoq4PwvqXZmi/HD8k5riQCVAwUQNYBI= DhXbgx0=3D t=3D0D=3D0A2v9JAQHEmQP7B/Erh3QjKJPf8Z6ZIvR7dyeNYjCNghbozoOfMZnY55YzV4/kPz= WP=3D0D=3D =3D0A9U3N850DlgLJroFFW3cweSrZd1W5uA+/BLVSOPF6vduskK8bMr1w7PkyREPGlbUU=3D0= D=3D0AhuT=3D SC1C6NB4EbSDe+WROysgzygOJrAF2f3C3lFPTH8QE/flAp3u30KCJARUDBRA1=3D0D=3D0AiT= m3IVnPs=3D A6KBgEBAZdMB/4mlUWMTM/i6qTHYgpIcvODpPLw+b6KCOJRzLY0n78H=3D0D=3D0AKV2nnrXi= bhwixvC=3D YGkDxs5RkrrBh6XfgAUCRJD9IR57dLe3Up9m3Rs9zdcGdcwvG=3D0D=3D0AKsgLtTDl3Lidpx= JmnOhDn=3D WTvbS33jk/2s+r40YsPQjJF0rY3WNG0xwmIqX4/OmuY=3D0D=3D0AlSIC3ceTPU5xoycFzy7M= DS3ZTJR=3D HeCFbAiAWnqiQgDYO+jAlre2/GtID/mCIiDtC=3D0D=3D0AS7gA8nQAJDm/zvWWu6dg8kNZrT= gZow68k=3D 9ZU6Opcl4Z44qkYfHRLKE6FgqKU3kWe=3D0D=3D0AwpygQImGQ9YRumVPqQzffllxEdZMuiI6= POFg8k1=3D DyvN3iQBGBBARAgAGBQI13O1X=3D0D=3D0AAAoJEGU5iQSM6LaTMGwAn2K/UWQLCpAPUl9ZCT= rzM2WZj=3D FRrAJ0bSN5CjxJ9W/3P=3D0D=3D0AGTP7cNijlFTwHokARgQQEQIABgUCNdzt1wAKCRCLomuA= xTllVwG=3D /AKC6P1cXO/7S=3D0D=3D0AprphH5zP//WPJgUe+QCcCZmZOB3kIgcTATy9vOTBPRwFDS2JAE= YEEBECA=3D AYFAjUJ=3D0D=3D0AnUoACgkQnbmAIRU6jisG2wCgp5bR1QwdzQnSNvtbqCwyDsKszU4AoOIx= At+Xtqk=3D h=3D0D=3D0A4HSFUZmTaKCLDPT8iQBGBBARAgAGBQI13O5TAAoJEKPC0RK2POhRwG0An20z3/= g6=3D0D=3D =3D0A3f9s7VrvQzmzOeCMFYd+AJ9tOKzI1uOS8N3pqkc8MBB9D5yTVYkARgQQEQIABgUC=3D0= D=3D0ANdz=3D umQAKCRCs2MAZgvJsEx9iAJ9Iy7S3DmerrWlztH/NkvuI1iXmfgCeORLvzVDf=3D0D=3D0ANy= ZX+kV1q=3D 7MPcQfKDks=3D3D=3D0D=3D0A=3D3DmxgW=3D0D=3D0A-----END PGP PUBLIC KEY = BLOCK----- TEL;WORK;VOICE:(630) 840-2965 TEL;CELL;VOICE:(630) 726-7221 TEL;PAGER;VOICE:(630) 722-9742 
TEL;WORK;FAX:(630) 840-8208 ADR;WORK:;;P.O. Box 500, MS-368;Batavia;Il;60510-0500 LABEL;WORK;ENCODING=3DQUOTED-PRINTABLE:P.O. Box 500, = MS-368=3D0D=3D0ABatavia, Il 60510-0500 EMAIL;PREF;INTERNET:kaletka@fnal.gov REV:19991203T200139Z END:VCARD --Boundary_(ID_nx9FF9tFpKsT14mwqEi8pg)-- From kreymer@fnal.gov Wed Dec 8 16:32:54 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15283 for ; Wed, 8 Dec 1999 16:32:53 -0600 Received: from frosty.fnal.gov ([131.225.81.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9KKIR6E8000EQE@FNAL.FNAL.GOV> (original mail from rayp@frosty.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:32:51 -0600 CDT Received: from frosty.fnal.gov ([131.225.81.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ9KKI7DIU000DM5@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 16:32:41 -0600 Received: from localhost (rayp@localhost) by frosty.fnal.gov (980427.SGI.8.8.8/980728.SGI.AUTOCF) via SMTP id QAA19960; Wed, 08 Dec 1999 16:33:21 -0600 (CST) Date: Wed, 08 Dec 1999 16:33:20 -0600 (CST) From: Ramon Pasetes Subject: Re: tcpwrappers and kerberos: what should we do? In-reply-to: "Your message of Wed, 08 Dec 1999 16:05:51 CST." <199912082205.QAA29317@gungnir.fnal.gov> To: Matt Crawford Cc: kerberos-pilot@fnal.gov, rayp@frosty.fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912082233.QAA19960@frosty.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 66 > stuff snipped that sound like good ideas > An alternative to consider is whether the installation procedure can > be made smart enough to update hosts.{allow,deny} (if needed) to give > the Kerberos r-commands to get the same access control as the > Berkeley ones had. 
> However, they may not be what the installer
> wants, so it would still have to be flagged.

Since one knows what the kerberos r-commands are, the install could look
for the existence of the Berkeley r-command in the /etc/hosts.{allow,deny}
file and just change it to the kerberos names. This could be done
in sed, ed, perl whatever. It probably should save off the old file also.

-Ray

From kreymer@fnal.gov Wed Dec 8 16:51:38 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15295 for ; Wed, 8 Dec 1999 16:51:38 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9L7R5P3K000EQE@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 16:51:36 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJ9L7OY036000EEO@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 16:51:22 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA19883; Wed, 08 Dec 1999 16:51:21 -0600
Date: Wed, 08 Dec 1999 16:51:20 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: tcpwrappers and kerberos: what should we do?
Sender: lauri@ossbud.fnal.gov
To: Ramon Pasetes
Cc: Matt Crawford , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912082251.QAA19883@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 67

What does the hosts.{allow,deny} file look like? Does it use the
service name, or the path to the service binary? (i.e., am I
looking for "rsh" or am I looking for "/usr/krb5/bin/rsh"?)

If it goes by service name, and the kerberos service name is the
same as the Berkeley service name that it's replacing, then the
hosts.{allow,deny} probably don't need to be modified at all.

== lauri

On Wednesday 8 December 1999,
our friend Ramon Pasetes spaketh thusly:
>
> > stuff snipped that sound like good ideas
>
> > An alternative to consider is whether the installation procedure can
> > be made smart enough to update hosts.{allow,deny} (if needed) to give
> > the Kerberos r-commands to get the same access control as the
> > Berkeley ones had. However, they may not be what the installer
> > wants, so it would still have to be flagged.
>
> Since one knows what the kerberos r-commands are, the install could look
> for the existence of the Berkeley r-command in the /etc/hosts.{allow,deny}
> file and just change it to the kerberos names. This could be done
> in sed, ed, perl whatever. It probably should save off the old file also.
>
> -Ray
>

From kreymer@fnal.gov Wed Dec 8 17:29:47 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA15314 for ; Wed, 8 Dec 1999 17:29:47 -0600
Received: from frosty.fnal.gov ([131.225.81.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJ9MK4IZ4W000EQE@FNAL.FNAL.GOV> (original mail from rayp@frosty.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 8 Dec 1999 17:29:46 -0600 CDT
Received: from frosty.fnal.gov ([131.225.81.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJ9MK3SU56000EFZ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 08 Dec 1999 17:29:37 -0600
Received: from localhost (rayp@localhost) by frosty.fnal.gov (980427.SGI.8.8.8/980728.SGI.AUTOCF) via SMTP id RAA70261; Wed, 08 Dec 1999 17:30:17 -0600 (CST)
Date: Wed, 08 Dec 1999 17:30:16 -0600 (CST)
From: Ramon Pasetes
Subject: Re: tcpwrappers and kerberos: what should we do?
In-reply-to: "Your message of Wed, 08 Dec 1999 16:51:20 CST." <199912082251.QAA19883@ossbud.fnal.gov>
To: lauri@fnal.gov
Cc: rayp@frosty.fnal.gov, Matt Crawford , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912082330.RAA70261@frosty.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 68

The file looks like:

    : :

So, it would be something like

    rshd: .fnal.gov : banners /etc/banners

or

    in.rshd: .fnal.gov : banners /etc/banners

depending on the OS flavor.

-Ray

> What does the hosts.{allow,deny} file look like? Does it use the
> service name, or the path to the service binary? (i.e., am I
> looking for "rsh" or am I looking for "/usr/krb5/bin/rsh"?)
>
> If it goes by service name, and the kerberos service name is the
> same as the Berkeley service name that it's replacing, then the
> hosts.{allow,deny} probably don't need to be modified at all.
>
> == lauri
>
>
> On Wednesday 8 December 1999,
> our friend Ramon Pasetes spaketh thusly:
> >
> > > stuff snipped that sound like good ideas
> >
> > > An alternative to consider is whether the installation procedure can
> > > be made smart enough to update hosts.{allow,deny} (if needed) to give
> > > the Kerberos r-commands to get the same access control as the
> > > Berkeley ones had. However, they may not be what the installer
> > > wants, so it would still have to be flagged.
> >
> > Since one knows what the kerberos r-commands are, the install could look
> > for the existence of the Berkeley r-command in the /etc/hosts.{allow,deny}
> > file and just change it to the kerberos names. This could be done
> > in sed, ed, perl whatever. It probably should save off the old file also.
> >
> > -Ray
> >

From kreymer@fnal.gov Thu Dec 9 08:15:37 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA22240 for ; Thu, 9 Dec 1999 08:15:36 -0600
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJAHHDGKR4000EQE@FNAL.FNAL.GOV> (original mail from baisley@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 9 Dec 1999 08:15:33 -0600 CDT
Received: from doofus.fnal.gov ([131.225.80.35]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJAHHCV2KA000ERX@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 09 Dec 1999 08:15:25 -0600
Received: by doofus.fnal.gov id AA16566; Thu, 09 Dec 1999 08:15:22 -0600
Date: Thu, 09 Dec 1999 08:15:20 -0600
From: "I'm not a real doofus, but I play one at a national laboratory"
Subject: Re: tcpwrappers and kerberos: what should we do?
Sender: baisley@doofus.fnal.gov
To: Ramon Pasetes
Cc: lauri@fnal.gov, Matt Crawford , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <384FB978.E90AD118@fnal.gov>
Organization: Fermilab Unix Application Support Group
MIME-version: 1.0
X-Mailer: Mozilla 4.5 [en] (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <199912082330.RAA70261@frosty.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 69

> The file looks like:
>
> : :

Of course, and are not necessarily simple strings:

    # cat /etc/hosts.allow
    ALL except fingerd: ALL : banners /etc/banners
    fingerd : .fnal.gov : banners /etc/banners
    # cat /etc/hosts.deny
    fingerd: ALL except .fnal.gov : banners /etc/banners

I don't know that anybody's doing such things with r-commands, but you
should at least be aware that they could.
Cheers,
Wayne

From kreymer@fnal.gov Thu Dec 9 11:34:10 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (SYSTEM@fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA22353 for ; Thu, 9 Dec 1999 11:34:10 -0600
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJAOEWOP8G0000HH@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 9 Dec 1999 11:34:07 -0600 CDT
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJAOEQAADM0000FG@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 09 Dec 1999 11:33:21 -0600
Date: Thu, 09 Dec 1999 11:33:19 -0600 (EST)
From: "Marc W. Mengel"
Subject: Ticket renewal revisited...
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 70

Okay, so here's what I'm doing for the moment. In my .profile I've
added the following, which initially gets me a kerberos ticket
when I first log in if I don't have one, and then, if I have a
ticket, kicks off a shell for loop in background to refresh it
twice a day for the next week. This way when I rsh somewhere,
I get my token forwarded, and the job to refresh it starts
automatically when I log in.

- - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - -
#
# first, get a kerberos ticket if you don't have one
#
if klist -s
then
    :
else
    echo "Getting kerberos ticket"
    kinit -r 7d
fi

if klist -s
then
    for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14
    do
        sleep 43200; kinit -R
    done &
fi
- - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - -

From kreymer@fnal.gov Thu Dec 9 14:26:57 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (SYSTEM@fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA22599 for ; Thu, 9 Dec 1999 14:26:57 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJAUGPSI280000HH@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 9 Dec 1999 14:26:54 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJAUGP48ZE0000JL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 09 Dec 1999 14:26:44 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id OAA27945; Thu, 09 Dec 1999 14:26:43 -0600
Date: Thu, 09 Dec 1999 14:26:42 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Ticket renewal revisited...
Sender: lauri@ossbud.fnal.gov
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912092026.OAA27945@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 71

I just tried inserting this into my .profile, but it doesn't work:

    Sun Microsystems Inc.   SunOS 5.5.1       Generic May 1996
    >>> klist: No ticket file (tf_util)
    Getting kerberized...
    Password for lauri@PILOT.FNAL.GOV:
    >>> klist: No ticket file (tf_util)
    Terminal type is vt220
    There are no available articles.
    ossbud:~>

For *each* of the klist commands, I get an error "No ticket file (tf_util)".
The first one makes sense, sort of, because I don't have tickets yet
(I'm coming from my NT box, which doesn't forward the tickets). The
second one doesn't make sense to me -- it's as if the cache file hasn't
been written yet or something. But since the klist fails, it doesn't
start the background job to renew tickets.

What are we doing differently?

-- lauri

On Thursday 9 December 1999,
our friend "Marc W. Mengel" spaketh thusly:
>
> Okay, so here's what I'm doing for the moment. In my .profile I've
> added the following, which initially gets me a kerberos ticket
> when I first log in if I don't have one, and then, if I have a
> ticket, kicks off a shell for loop in background to refresh it
> twice a day for the next week. This way when I rsh somewhere,
> I get my token forwarded, and the job to refresh it starts
> automatically when I log in.
>
> - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - -
> #
> # first, get a kerberos ticket if you don't have one
> #
> if klist -s
> then
>     :
> else
>     echo "Getting kerberos ticket"
>     kinit -r 7d
> fi
>
> if klist -s
> then
>     for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14
>     do
>         sleep 43200; kinit -R
>     done &
> fi
> - - - - - - - - - - - - - cut here - - - - - - - - - - - - - - - - -
>

From kreymer@fnal.gov Thu Dec 9 14:35:12 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (SYSTEM@fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA22603 for ; Thu, 9 Dec 1999 14:35:12 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJAUQXTBLS0000HH@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 9 Dec 1999 14:35:10 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJAUQWX47E0000J0@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 09 Dec 1999 14:34:58 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id OAA29124; Thu, 09 Dec 1999 14:34:56 -0600
Date: Thu, 09 Dec 1999 14:34:56 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Ticket renewal revisited...
Sender: lauri@ossbud.fnal.gov
To: lauri@fnal.gov
Cc: "Marc W. Mengel" , kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912092034.OAA29124@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 72

On Thursday 9 December 1999,
our friend Laurelin of Middle Earth, 630-840-2214 spaketh thusly:
> What are we doing differently?
>

I found the problem: mine was too early in the .profile to be able to
call "klist" or "kinit" -- I need to specify the path (because I put it
at the top of the .profile). With "/usr/krb5/bin/klist" and
"/usr/krb5/bin/kinit" it works fine.

-- lauri

From kreymer@fnal.gov Thu Dec 9 15:00:58 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (SYSTEM@fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA22621 for ; Thu, 9 Dec 1999 15:00:58 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJAVMX1SNK0000HH@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 9 Dec 1999 15:00:56 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJAVMVW55E0000JB@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 09 Dec 1999 15:00:45 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA05936 for ; Thu, 09 Dec 1999 15:00:44 -0600 (CST)
Date: Thu, 09 Dec 1999 15:00:44 -0600
From: Matt Crawford
Subject: Re: Ticket renewal revisited...
In-reply-to: "09 Dec 1999 11:33:19 CST." <"Pine.LNX.4.05.9912091125110.10735-100000"@bel-kwinth.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912092100.PAA05936@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 73

> if klist -s
> then
>     for i in 1 2 3 4 5 6 7 8 9 10 11 12 13 14
>     do
>         sleep 43200; kinit -R
>     done &
> fi

I suggest a small change to add a "klist -s" loop test, so that if you
choose to kdestroy, or you forward a ticket which has a shorter time yet
to run, the background job exits sooner. Perhaps

    i=1
    while klist -s && test $i -lt 15; do
        sleep 43200
        kinit -R
        i=`expr $i + 1`
    done

To the nay-sayers who disapprove of automatically renewing a short-lived
ticket for a long time, I agree with you as much as I can manage, but at
least renewing does buy you a brand-new random session key with the KDC
*and* it incidentally discards your existing tickets for other services
-- you get new ones transparently as needed.

From kreymer@fnal.gov Fri Dec 10 15:02:08 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA31955 for ; Fri, 10 Dec 1999 15:02:08 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJC9YMO4E80000XL@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 15:02:05 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJC9YL54AI0000UJ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 15:01:50 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id PAA14142; Fri, 10 Dec 1999 15:01:49 -0600
Date: Fri, 10 Dec 1999 15:01:48 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: bldirix62 can't get to bldsunos26?!?!?
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912102101.PAA14142@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 74

I have discovered that node bldirix62 cannot speak kerberos to node
bldsunos26. I have no idea why.

I have been checking all of the build cluster nodes' connectivity to the
other nodes, using something like

    thisnode=`uname -n`        # the node this loop is running on
    for node in ossbud bldsunos26 bldsunos27 bldlinux52 \
                bldlinux61 bldirix62 bldirix65 bldosf1v40d
    do
        if [ "$thisnode" != "$node" ]
        then
            rsh $node ls .profile
        fi
    done

on each node. It works everywhere, EXCEPT going from bldirix62 to
bldsunos26. In that case, I get an error message:

    bldirix62:~> rsh bldsunos26 ls .profile
    rsh: kcmd to host bldsunos26 failed - Server not found in Kerberos database
    trying normal rsh (/usr/bsd/rsh)
    WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused

I suspect that the underlying problem may be name resolution, but beyond
that point I'm out of my league. Any ideas?

-- lauri

From kreymer@fnal.gov Fri Dec 10 15:57:31 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA31986 for ; Fri, 10 Dec 1999 15:57:30 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCBW9GBU80000XL@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 15:57:27 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJCBW6MJC80001A7@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 15:57:10 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA13948; Fri, 10 Dec 1999 15:57:09 -0600 (CST)
Date: Fri, 10 Dec 1999 15:57:09 -0600
From: Matt Crawford
Subject: Re: bldirix62 can't get to bldsunos26?!?!?
In-reply-to: "10 Dec 1999 15:01:48 CST." <"199912102101.PAA14142"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912102157.PAA13948@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 75

bldsunos26 is at 131.225.80.100. When bldirix62 tries to check whether
this name is a nickname for something else, it is somehow finding the
entry in /etc/hosts which says that the official name for that is
fnsolar. So it tries to get a ticket for the host/fnsolar.fnal.gov
service and the KDC logs:

    Dec 10 00:01:18 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944805632, lauri/cron@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
    [...several times...]
    Dec 10 14:25:32 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944855470, lauri@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
    [...several times...]

Solution: purge that line from /etc/hosts.

Unknown factor: why is it even looking at /etc/hosts?

From kreymer@fnal.gov Fri Dec 10 16:09:39 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32028 for ; Fri, 10 Dec 1999 16:09:38 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCCC8D9680000XL@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 16:09:31 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJCCC699M600019Z@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 16:09:17 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA14845; Fri, 10 Dec 1999 16:09:15 -0600
Date: Fri, 10 Dec 1999 16:09:15 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: bldirix62 can't get to bldsunos26?!?!?
Sender: lauri@ossbud.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912102209.QAA14845@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 76

> Solution: purge that line from /etc/hosts.
>

That's a nice theory, and may even be right. It sure looks reasonable.

But node ossbud *also* has an entry in /etc/hosts listing fnsolar at
the bldsunos26 address, and it is *not* failing.

> Unknown factor: why is it even looking at /etc/hosts?

Is this yet another case of "unix is unix (except when it isn't)"?
I don't know how/why/when nodes look at /etc/hosts.
Would one of our expert sysadmins (multi-flavored variety) care to comment?

-- lauri

On Friday 10 December 1999,
our friend Matt Crawford spaketh thusly:
> bldsunos26 is at 131.225.80.100. When bldirix62 tries to check whether
> this name is a nickname for something else, it is somehow finding the
> entry in /etc/hosts which says that the official name for that is
> fnsolar. So it tries to get a ticket for the host/fnsolar.fnal.gov
> service and the KDC logs:
>
> Dec 10 00:01:18 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944805632, lauri/cron@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> [...several times...]
> Dec 10 14:25:32 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944855470, lauri@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> [...several times...]
>

From kreymer@fnal.gov Fri Dec 10 16:14:28 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32047 for ; Fri, 10 Dec 1999 16:14:28 -0600
Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCCICBZJ40000XL@FNAL.FNAL.GOV> (original mail from stan@nascar.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 16:14:25 -0600 CDT
Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJCCIAQ3C40000VC@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 16:14:13 -0600
Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id QAA10796; Fri, 10 Dec 1999 16:14:09 -0600 (CST)
Date: Fri, 10 Dec 1999 16:14:08 -0600
From: Stanley Naymola
Subject: Re: bldirix62 can't get to bldsunos26?!?!?
In-reply-to: "Your message of Fri, 10 Dec 1999 16:09:15 CST." <199912102209.QAA14845@ossbud.fnal.gov>
To: lauri@fnal.gov
Cc: Matt Crawford , kerberos-pilot@fnal.gov, stan@nascar.fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <199912102214.QAA10796@nascar.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 77

Depending on the library that the application is running, it will look
at /etc/hosts first and then dns or just dns or just hosts. It is up to
the code writer. I look at it as flexibility and not just UNIX. ;->

Stan.

> > Solution: purge that line from /etc/hosts.
> >
>
> That's a nice theory, and may even be right. It sure looks
> reasonable.
>
> But node ossbud *also* has an entry in /etc/hosts listing fnsolar at
> the bldsunos26 address, and it is *not* failing.
>
> > Unknown factor: why is it even looking at /etc/hosts?
>
> Is this yet another case of "unix is unix (except when it isn't)"?
> I don't know how/why/when nodes look at /etc/hosts. Would one of
> our expert sysadmins (multi-flavored variety) care to comment?
>
> -- lauri
>
> On Friday 10 December 1999,
> our friend Matt Crawford spaketh thusly:
>
> > bldsunos26 is at 131.225.80.100. When bldirix62 tries to check whether
> > this name is a nickname for something else, it is somehow finding the
> > entry in /etc/hosts which says that the official name for that is
> > fnsolar. So it tries to get a ticket for the host/fnsolar.fnal.gov
> > service and the KDC logs:
> >
> > Dec 10 00:01:18 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944805632, lauri/cron@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> > [...several times...]
> > Dec 10 14:25:32 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944855470, lauri@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> > [...several times...]
> >

From kreymer@fnal.gov Fri Dec 10 16:22:49 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32067 for ; Fri, 10 Dec 1999 16:22:49 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCCSO358G0000XL@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 16:22:45 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJCCSM7A4400019V@FNAL.FNAL.GOV>; Fri, 10 Dec 1999 16:22:32 -0600
Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA14929; Fri, 10 Dec 1999 16:22:30 -0600
Date: Fri, 10 Dec 1999 16:22:30 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: /etc/hosts files on the build nodes
Sender: lauri@ossbud.fnal.gov
To: stolz@fnal.gov
Cc: kerberos-pilot@fnal.gov, oss-mgmt@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912102222.QAA14929@ossbud.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 78

I spoke with Connie Sieh about the /etc/hosts configuration on the
kerberos pilot cluster (aka build cluster). We believe that we should
clean up the /etc/hosts files so that they list ONLY THE MINIMUM NUMBER
OF ENTRIES, and be 'consistent' across all nodes of the cluster.

[Note, Linux doesn't even use this file, but it doesn't hurt to have
it, so we'll clean up on the Linux nodes too.]
ACTION ITEM:
------------
Mike, on Monday of next week, please modify the /etc/hosts file on the build cluster so that it contains:

    # this entry must be present
    127.0.0.1
    #
    # this is the node itself
    >> 131.225.81.165 bldirix62.fnal.gov bldirix62
    #
    # this is the NIS server, just in case we need it
    131.225.81.78 dcdsv0.fnal.gov dcdsv0

where, of course, the line marked >> is different on each node (the file above would be accurate for node bldirix62; change the address and nodename for each of the other build nodes). We are keeping dcdsv0 just in case; it really shouldn't be necessary, but better safe than sorry.

Please add this to your list of things to be properly configured when a new node is installed. (Of course, the definition of "properly configured" will not necessarily be the same in other situations, but for a build cluster node the /etc/hosts file should look like the above).

-- lauri

From kreymer@fnal.gov Fri Dec 10 16:31:35 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32079 for ; Fri, 10 Dec 1999 16:31:34 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCD3HIM5C0000XL@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 16:31:30 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJCD3G7G0E00019V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 16:31:16 -0600 Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA15054; Fri, 10 Dec 1999 16:31:14 -0600 Date: Fri, 10 Dec 1999 16:31:14 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: preliminary cron results Sender: lauri@ossbud.fnal.gov To: kerberos-pilot@fnal.gov Cc: lauri@fnal.gov Errors-to: 
kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912102231.QAA15054@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 79

I have been able to use kerberized cron jobs, and to copy files between kerberized nodes. I have only scratched the surface, doing "rcp" from one kerberized node to another, using my account in both places. It works as expected. I have tested this from each of the build nodes to each of the other build nodes: ossbud, bldsunos26, bldsunos27, bldlinux52, bldlinux61, bldirix62, bldirix65, bldosf1v40d. [It failed from bldirix62 to bldsunos26, but this was due to system misconfiguration and not due to a problem with the kerberized cron job concept].

Next week I will begin other testing:
- test writing files into AFS space
- test ksu to another account in a cron job
- test copying files to another account

I need to make sure that things work as expected, but I also need to make sure that things FAIL as expected, so I will need to be creative and come up with things that should NOT work.

In order to speed up the testing, I will most likely NOT try all permutations on all flavors/platforms. I will assume that if it works between two different-flavor nodes, it will work in the general case. [There is a lot of overhead to modifying crontab entries on multiple nodes; this is not something that buildmanager can help with, so I have to do it manually. Given that we are under time pressure, I will go for a wider variety of tests on a smaller suite of platforms].
-- lauri

From kreymer@fnal.gov Fri Dec 10 16:35:58 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32087 for ; Fri, 10 Dec 1999 16:35:58 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCD8YJ6K00000UW@FNAL.FNAL.GOV> (original mail from stolz@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 16:35:55 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJCD8V9XWW0000VP@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 16:35:38 -0600 Received: from localhost by ossbud.fnal.gov (SMI-8.6/SMI-SVR4) id QAA15244; Fri, 10 Dec 1999 16:35:36 -0600 Date: Fri, 10 Dec 1999 16:35:36 -0600 (CST) From: Michael Stolz Subject: Re: bldirix62 can't get to bldsunos26?!?!? In-reply-to: <199912102157.PAA13948@gungnir.fnal.gov> To: Matt Crawford Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 80

fixed on bldirix62 (also found on ossbud and trocious).

Mike Stolz (stolz@fnal.gov)
---------------------------------------------------

On Fri, 10 Dec 1999, Matt Crawford wrote:
> Date: Fri, 10 Dec 1999 15:57:09 -0600
> From: Matt Crawford
> To: lauri@fnal.gov
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: bldirix62 can't get to bldsunos26?!?!?
>
> bldsunos26 is at 131.225.80.100. When bldirix62 tries to check whether this name is a nickname for something else, it is somehow finding the entry in /etc/hosts which says that the official name for that is fnsolar. So it tries to get a ticket for the host/fnsolar.fnal.gov service and the KDC logs:
>
> Dec 10 00:01:18 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944805632, lauri/cron@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> [...several times...]
> Dec 10 14:25:32 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944855470, lauri@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
> [...several times...]
>
> Solution: purge that line from /etc/hosts.
>
> Unknown factor: why is it even looking at /etc/hosts?

From kreymer@fnal.gov Fri Dec 10 21:21:52 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id VAA32175 for ; Fri, 10 Dec 1999 21:21:52 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJCN8KEMF40000XL@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 10 Dec 1999 21:21:50 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJCN8JWVUW0001CY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 10 Dec 1999 21:21:42 -0600 Date: Fri, 10 Dec 1999 21:21:42 -0600 (CST) From: Stephan Lammel Subject: kerberized ftp To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <991210212142.2020f69a@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 81

Dear All,

the standard ftp versions provide file transfer information that is very useful, i.e. ASCII versus binary transfer, number of Bytes transferred, average rate. Is there an easy way to make the same information available, printed, with the kerberized version?
Thanks, Stephan From kreymer@fnal.gov Wed Dec 15 08:45:39 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA15919 for ; Wed, 15 Dec 1999 08:45:39 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJIWACIWMO0002EI@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 15 Dec 1999 08:45:35 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJIWA9T6YS0002IC@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 15 Dec 1999 08:45:10 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA11247; Wed, 15 Dec 1999 08:45:09 -0600 (CST) Date: Wed, 15 Dec 1999 08:45:09 -0600 From: Matt Crawford Subject: Re: bldirix62 can't get to bldsunos26?!?!? In-reply-to: "10 Dec 1999 16:09:15 CST." <"199912102209.QAA14845"@ossbud.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912151445.IAA11247@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 82 > > Solution: purge that line from /etc/hosts. > > > That's a nice theory, and may even be right. It sure looks > reasonable. > > But node ossbud *also* has an entry in /etc/hosts listing fnsolar at > the bldsunos26 address, and it is *not* failing. Different OS, different get*by*() functions in different libraries. > > Unknown factor: why is it even looking at /etc/hosts? > > Is this yet another case of "unix is unix (except when it isn't)"? > I don't know how/why/when nodes look at /etc/hosts. On Solaris, it's controlled by /etc/nsswitch.conf. IRIX has that file, but obviously that file is not the whole story. 
I'm guessing it's a function of which alternative libraries you link with. From kreymer@fnal.gov Sun Dec 19 19:33:50 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA11755 for ; Sun, 19 Dec 1999 19:33:50 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJP43FAT4G0004TC@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Sun, 19 Dec 1999 19:33:40 -0600 CDT Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJP43ESAAW00058Z@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov); Sun, 19 Dec 1999 19:33:26 -0600 Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA01418 for ; Sun, 19 Dec 1999 19:33:26 -0600 Date: Sun, 19 Dec 1999 19:33:25 -0600 (EST) From: Dane Skow Subject: is the KDC up ? To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 83 I'm having troubles with dane@unferth "preauthentication failed..." Power outage trouble ? 
dane From kreymer@fnal.gov Mon Dec 20 08:29:04 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA21816 for ; Mon, 20 Dec 1999 08:29:04 -0600 Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJPV5GHG9C0004TC@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 20 Dec 1999 08:28:46 -0600 CDT Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JJPV5EXVPO0004X2@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 20 Dec 1999 08:28:33 -0600 Date: Mon, 20 Dec 1999 08:28:32 -0600 From: "Mark O. Kaletka" Subject: RE: is the KDC up ? In-reply-to: To: Dane Skow , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="iso-8859-1" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 84 It's certainly up this morning. Your clock on unferth may be out of synch with the kdc. -- Mark K. > -----Original Message----- > From: Dane Skow [mailto:dane@fnal.gov] > Sent: Sunday, December 19, 1999 7:33 PM > To: kerberos-pilot@fnal.gov > Subject: is the KDC up ? > > > > I'm having troubles with dane@unferth "preauthentication failed..." > Power outage trouble ? 
> > dane > > > > From kreymer@fnal.gov Tue Dec 21 10:33:31 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA00239 for ; Tue, 21 Dec 1999 10:33:31 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJRDSA9KFK0005ON@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 21 Dec 1999 10:33:22 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJRDS8F29S000591@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 21 Dec 1999 10:33:08 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA10718; Tue, 21 Dec 1999 10:33:07 -0600 (CST) Date: Tue, 21 Dec 1999 10:33:07 -0600 From: Matt Crawford Subject: Re: is the KDC up ? In-reply-to: "19 Dec 1999 19:33:25 CST." <"Pine.LNX.4.10.9912191932340.1416-100000"@unferth.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912211633.KAA10718@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 85 As Mark said, this error is almost certainly due to clock skew. Host and KDC must be within 5 minutes of each other. The KDC runs NTP. Note, though, that you can get the same error by giving the wrong password. 
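The bldirix62/bldsunos26 failure discussed earlier in this thread (the Dec 10 and Dec 15 messages) comes down to name canonicalisation: a stale /etc/hosts line makes the resolver report fnsolar as the official name of the bldsunos26 address, so the client asks the KDC for host/fnsolar instead of host/bldsunos26.fnal.gov, and the KDC answers UNKNOWN_SERVER. The script below is an added example, not code from the kerberos-pilot list or from MIT Kerberos. It parses KDC log lines of the format quoted in the thread, counts the rejected service principals per client, and then models the client-side lookup to show which hosts line is responsible and what the request becomes once that line is purged. Everything it consumes is constructed: the log lines, the hosts file, the DNS answers (a dict standing in for the resolver) and KDC_DB (a set standing in for the KDC principal database). The files-before-dns lookup order assumed for the IRIX client is an assumption; the thread only establishes that the order differs between the OSes involved.

```python
"""Triage of krb5kdc UNKNOWN_SERVER errors against a client's /etc/hosts.

Added example (not from the kerberos-pilot list or MIT Kerberos).  All data
below is constructed: the log lines follow the format quoted on the list, the
hosts file models bldirix62, and DNS and KDC_DB are stand-ins for real
resolver answers and for the KDC principal database.
"""
import re
from collections import Counter

REALM = "PILOT.FNAL.GOV"

# Constructed log lines in the krb5kdc format quoted on the list.
KDC_LOG = """\
Dec 10 00:01:18 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944805632, lauri/cron@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
Dec 10 14:25:32 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): UNKNOWN_SERVER: authtime 944855470, lauri@PILOT.FNAL.GOV for host/fnsolar@PILOT.FNAL.GOV, Server not found in Kerberos database
Dec 10 14:26:02 i-krb-2.fnal.gov krb5kdc[19896]: TGS_REQ 131.225.81.165(88): ISSUE: authtime 944855470, lauri@PILOT.FNAL.GOV for host/bldlinux52.fnal.gov@PILOT.FNAL.GOV
"""

# Constructed /etc/hosts for the IRIX client: the bldsunos26 address carries a
# stale official name (fnsolar), which is the bug the thread tracked down.
BLDIRIX62_HOSTS = """\
127.0.0.1       localhost
131.225.81.165  bldirix62.fnal.gov bldirix62
131.225.80.100  fnsolar bldsunos26        # stale: wrong official name
131.225.81.78   dcdsv0.fnal.gov dcdsv0
"""

# Stand-ins for DNS answers and for the KDC's principal database (assumed).
DNS = {"bldsunos26": "bldsunos26.fnal.gov",
       "bldsunos26.fnal.gov": "bldsunos26.fnal.gov"}
KDC_DB = {"host/bldsunos26.fnal.gov@" + REALM, "host/bldirix62.fnal.gov@" + REALM}

KDC_LINE = re.compile(
    r"krb5kdc\[\d+\]: (?P<req>AS_REQ|TGS_REQ) "
    r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})\(\d+\)\s*: "
    r"(?P<status>[A-Z_]+): authtime \d+, "
    r"(?P<client>\S+) for (?P<server>[^,\s]+)")


def parse_kdc_log(text):
    """One dict per AS_REQ/TGS_REQ line; lines that do not match are ignored."""
    return [m.groupdict() for m in map(KDC_LINE.search, text.splitlines()) if m]


def unknown_servers(records):
    """Count (client IP, service principal) pairs the KDC rejected as unknown."""
    return Counter((r["client_ip"], r["server"]) for r in records
                   if r["status"] == "UNKNOWN_SERVER")


def parse_hosts(text):
    """[(ip, official_name, [aliases])] from /etc/hosts text, comments stripped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1], fields[2:]))
    return entries


def canonical_name(name, hosts, dns, order=("files", "dns")):
    """Model gethostbyname() canonicalisation under an nsswitch-style order.

    The first source that knows the name answers, and what it returns is the
    entry's *official* name, not the alias that was asked about.  That is how
    a stale hosts line turns a request for bldsunos26 into one for fnsolar.
    """
    for source in order:
        if source == "files":
            for _ip, official, aliases in hosts:
                if name == official or name in aliases:
                    return official
        elif source == "dns" and name in dns:
            return dns[name]
    return None


def service_principal(host, hosts, dns, order=("files", "dns")):
    """host/<canonical>@REALM, as a Kerberos client would request it."""
    official = canonical_name(host, hosts, dns, order)
    if official is None:
        raise LookupError("cannot resolve " + host)
    return "host/%s@%s" % (official, REALM)


def hosts_lines_behind(principal, hosts):
    """/etc/hosts entries whose official name is the one in a rejected principal."""
    name = principal.split("/", 1)[1].split("@", 1)[0]
    return [e for e in hosts if e[1] == name]


def diagnose(hosts_text, target="bldsunos26"):
    """(principal asked for, offending hosts lines, principal after purging them)."""
    hosts = parse_hosts(hosts_text)
    before = service_principal(target, hosts, DNS)
    culprits = [] if before in KDC_DB else hosts_lines_behind(before, hosts)
    purged = [e for e in hosts if e not in culprits]   # the fix proposed on the list
    after = service_principal(target, purged, DNS)
    return before, culprits, after


if __name__ == "__main__":
    for (ip, server), n in unknown_servers(parse_kdc_log(KDC_LOG)).items():
        print("%s asked %d times for unknown %s" % (ip, n, server))
    before, culprits, after = diagnose(BLDIRIX62_HOSTS)
    print("client would request:", before, "(in KDC)" if before in KDC_DB else "(NOT in KDC)")
    for ip, official, aliases in culprits:
        print("  caused by hosts line:", ip, official, " ".join(aliases))
    print("after purging that line:", after, "(in KDC)" if after in KDC_DB else "(NOT in KDC)")
    # Same stale line, but dns consulted before files (as another OS's switch might):
    print("dns-first order gives:", service_principal(
        "bldsunos26", parse_hosts(BLDIRIX62_HOSTS), DNS, ("dns", "files")))
```

The last line of the main block is why ossbud, carrying the same fnsolar entry, kept working: with dns consulted first the stale hosts line is never reached, so the same misconfiguration is silent on one OS and fatal on another, which is the point Matt made about different get*by*() functions in different libraries.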
From kreymer@fnal.gov Wed Dec 22 10:42:42 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA27458 for ; Wed, 22 Dec 1999 10:42:41 -0600 Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJSSF4ZW4W000600@FNAL.FNAL.GOV> (original mail from kschu@hamshack.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 10:42:38 -0600 CDT Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJSSF498AQ0006RA@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 10:42:27 -0600 Received: (from kschu@localhost) by hamshack.fnal.gov (8.9.3/8.9.3) id KAA01336; Wed, 22 Dec 1999 10:42:26 -0600 Date: Wed, 22 Dec 1999 10:42:26 -0600 (CST) From: Ken Schumacher Subject: Backup of OSSBUD in kerberized realm To: kerberos-pilot@fnal.gov Cc: uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <14432.62780.938823.618707@hamshack.fnal.gov> MIME-version: 1.0 X-Mailer: VM 6.43 under 20.4 "Emerald" XEmacs Lucid Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Status: RO X-Status: X-Keywords: X-UID: 86

Greetings,

We've run into a problem backing up 'ossbud'. Before the beginning of this test, I believe that the OSSBUD node was being backed up as part of the daily 'dcdsv0' backup. Stan noticed yesterday that this node is not being backed up presently. Since standard 'rsh' is no longer valid on 'ossbud', I can't simply add the "ossbud:/" file system to the FMB backup of host 'dcdsv0'.

Can anyone offer any suggestions as to the best way to add 'ossbud' to the backups being done on 'dcdsv0'? I was going to just initiate a backup of ossbud locally, but sending the output to the 8mm drive on host 'outland'. Since 'dcdsv0' is also a member of the kerberized group, that option is not going to work either.
I may have to take the tape drive off 'outland' (with its shoe-box case) and move it to 'ossbud'.

I believe there is a kerberized 'rsh' type function but I don't know if it comes into play for FMB automatically or not. By chance is there a new kerberos compatible version of FMB available (I doubt this) or is that one of the reasons that we are looking at Amanda?

Thanks for your help.

Ken S.

From kreymer@fnal.gov Wed Dec 22 13:46:19 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA27893 for ; Wed, 22 Dec 1999 13:46:19 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJSYT6WUWW000600@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 13:46:05 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJSYT57P6C000616@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 13:45:34 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA21107; Wed, 22 Dec 1999 13:45:33 -0600 (CST) Date: Wed, 22 Dec 1999 13:45:33 -0600 From: Matt Crawford Subject: Re: Backup of OSSBUD in kerberized realm In-reply-to: "22 Dec 1999 10:42:26 CST." <"14432.62780.938823.618707"@hamshack.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Ken Schumacher Cc: kerberos-pilot@fnal.gov, uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <199912221945.NAA21107@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 87

I'm not very familiar with the way backups are done, so let me give my (mis)understanding of the process before exploring possibilities. Is it the case that the host (call it T) with the tape drive controls the process, opening an rsh to each system B to be backed up?
And it connects with root access and runs some file-oriented command (as opposed to raw disk access like "dump") to get the data?

It would be simpler from the security viewpoint if the "client" B could initiate the backup, since it only needs to access one resource, T's tape drive(s). T, on the other hand, needs to access essentially all of B's data. But once you admit the possibility of active attacks, the problem is to authenticate T, no matter which side initiates the process.

If you grant that T is a Kerberos host and that its host key can be kept as secure as any host's key ought to be, this is a normal task for Kerberos. The simplest solution is to give T's "host" principal access to B by listing it in /.k5login on B. Other, slicker solutions can be devised.

Do you have the capability to exclude certain individual files from the backup? It would be essential to exclude B's "keytab" file from the backup or the keys contained there will be exposed on the network (unless the data is encrypted, which may or may not be computationally costly) and control of the tapes becomes critical to the security plan.

We can discuss this further after the "shutdown".

Matt

From kreymer@fnal.gov Wed Dec 22 15:08:14 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA27932 for ; Wed, 22 Dec 1999 15:08:13 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJT1O4SSOW000600@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 15:08:03 -0600 CDT Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJT1O32E44000616@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 15:07:46 -0600 Date: Wed, 22 Dec 1999 15:07:44 -0600 (EST) From: "Marc W. 
Mengel" Subject: Re: Backup of OSSBUD in kerberized realm In-reply-to: <199912221945.NAA21107@gungnir.fnal.gov> To: Matt Crawford Cc: Ken Schumacher , kerberos-pilot@fnal.gov, uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: multipart/mixed; boundary="Boundary_(ID_Ks4s7cq6LXG2TIXzi4ZU7A)" Status: RO X-Status: X-Keywords: X-UID: 88

Matt,

In the not-too-distant future we'll be putting up amanda with kerberos support for backups. (which reminds me, I'll need to get some amanda backup principals from you early next year). It has provisions not only to use kerberos to authenticate the backup requests, but also to use kerberos to encrypt the backup data channel for "sensitive" partitions.

Anyhow, I'm attaching the amanda/kerberos doc which has gory details.

Marc

[attachment amkrb (text/plain), decoded from base64:]

Amanda 2.4.0 - KERBEROS v4 SUPPORT NOTES

Note that kerberos 5 isn't supported.  [yet]

NOTE:  encrypted dumps are rumored not to work in the 2.4.0b4 beta
	release of amanda.  Hopefully they'll be fixed by the 2.4.0
	full release.

0. GETTING THE SOURCE FILES

The Kerberos-related Amanda source code is available in a separate,
export restricted, package.  US sites can follow the instructions in
KERBEROS.HOW-TO-GET on ftp.amanda.org in the /pub/amanda directory.

1. CONFIGURATION

The configure script defaults to:

#  define SERVER_HOST_PRINCIPLE "amanda"
#  define SERVER_HOST_INSTANCE  ""
#  define SERVER_HOST_KEY_FILE  "/.amanda"

#  define CLIENT_HOST_PRINCIPLE "rcmd"
#  define CLIENT_HOST_INSTANCE  HOSTNAME_INSTANCE
#  define CLIENT_HOST_KEY_FILE  KEYFILE

#  define TICKET_LIFETIME       128

you can override these with configure options if you so desire, with:

    --with-server-principal=ARG    server host principal  [amanda]
    --with-server-instance=ARG     server host instance   []
    --with-server-keyfile=ARG      server host key file   [/.amanda]
    --with-client-principal=ARG    client host principal  [rcmd]
    --with-client-instance=ARG     client host instance   [HOSTNAME_INSTANCE]
    --with-client-keyfile=ARG      client host key file   [KEYFILE]
    --with-ticket-lifetime=ARG     ticket lifetime        [128]

The configure script will automatically include kerberos if you
followed the directions in step 0.  It'll search under /usr/kerberos/lib,
/usr/cygnus/lib, /usr/lib, and /opt/kerberos/lib for libkrb.a.
(in that order) for the kerberos bits.  If it finds them, kerberos
support will be added in, if it doesn't, it won't.  If the kerberos
bits are found under some other hierarchy, you can specify this
via the --with-krb4=DIR, where DIR is where the kerberos bits live.
It'll look under the 'lib' directory under this hierarchy for
libkrb.a.

2. INSTALLATION

The kerberized Amanda service uses a different port on the client hosts.
The /etc/services line is:

    kamanda      10081/udp

And the /etc/inetd.conf line is:

    kamanda dgram udp wait root /usr/local/libexec/amanda/amandad amandad -krb4

Note that you're running this as root, rather than as your dump user.
Amanda will set its uid down to the dump user at times it doesn't need
to read the srvtab file, and give up root permissions entirely before
it goes off and runs dump.  Alternately you can change your srvtab files
to be readable by user amanda.

3. CONF FILE

With KRB4_SECURITY defined, there are two new dumptype options:

	krb4-auth	use krb4 auth for this host
			(you can mingle krb hosts & bsd .rhosts in one conf)
	kencrypt	encrypt this filesystem over the net using the krb4
			session key.  About 2x slower.  Good for those root
			partitions containing your keyfiles.  Don't want to
			give away the keys to an ethernet sniffer!

From kreymer@fnal.gov Wed Dec 22 15:25:23 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA27937 for ; Wed, 22 Dec 1999 15:25:23 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJT2AIRG2O000600@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 15:25:19 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJT2AHKA1Y00060V@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 15:25:03 -0600 Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id PAA08342; Wed, 22 Dec 1999 15:25:01 -0600 (CST) Date: Wed, 22 Dec 1999 15:25:01 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: Backup of OSSBUD in kerberized realm Sender: lauri@ossbud.fnal.gov To: Ken Schumacher Cc: kerberos-pilot@fnal.gov, uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912222125.PAA08342@ossbud.fnal.gov> X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 89

So, was there a resolution to the problem of backing up ossbud? What is it? Are other build nodes affected by this?

-- lauri

On Wednesday 22 December 1999, our friend Ken Schumacher spaketh thusly:
> Greetings,
>
> We've run into a problem backing up 'ossbud'. Before the beginning of this test, I believe that the OSSBUD node was being backed up as part of the daily 'dcdsv0' backup.
> Stan noticed yesterday that this node is not being backed up presently. Since standard 'rsh' is no longer valid on 'ossbud', I can't simply add the "ossbud:/" file system to the FMB backup of host 'dcdsv0'.
>
> Can anyone offer any suggestions as to the best way to add 'ossbud' to the backups being done on 'dcdsv0'? I was going to just initiate a backup of ossbud locally, but sending the output to the 8mm drive on host 'outland'. Since 'dcdsv0' is also a member of the kerberized group, that option is not going to work either. I may have to take the tape drive off 'outland' (with its shoe-box case) and move it to 'ossbud'.
>
> I believe there is a kerberized 'rsh' type function but I don't know if it comes into play for FMB automatically or not. By chance is there a new kerberos compatible version of FMB available (I doubt this) or is that one of the reasons that we are looking at Amanda?
>
> Thanks for your help.
>
> Ken S.

From kreymer@fnal.gov Wed Dec 22 15:58:51 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA27946 for ; Wed, 22 Dec 1999 15:58:49 -0600 Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJT3G2RWKW000600@FNAL.FNAL.GOV> (original mail from kschu@hamshack.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 15:58:45 -0600 CDT Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJT3G27XZ20005OW@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 15:58:34 -0600 Received: (from kschu@localhost) by hamshack.fnal.gov (8.9.3/8.9.3) id PAA01774; Wed, 22 Dec 1999 15:58:34 -0600 Date: Wed, 22 Dec 1999 15:58:33 -0600 (CST) From: Ken Schumacher Subject: re: Backup of OSSBUD in kerberized realm In-reply-to: <199912222125.PAA08342@ossbud.fnal.gov> To: kerberos-pilot@fnal.gov, uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov 
Message-id: <14433.18825.924049.101717@hamshack.fnal.gov> MIME-version: 1.0 X-Mailer: VM 6.71 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit References: <199912222125.PAA08342@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 90

Greetings,

Marc Mengel pointed me to a feature of the 6.8 release of FMB. By setting the 'fmb_rsh' environment variable, we are able to tell FMB to use a method other than 'rsh' for connecting to a remote host for access to a partition that needs backing up or access to a remote tape device. To do this, we have done the following:

- We modified the crontab to call a shell script (found in /usr/local/admin/dcdsv0_backup.sh) instead of performing the backup as a single line crontab task.

- In the shell script file (dcdsv0_backup.sh) we set the value of 'fmb_rsh' to "ssh -c blowfish -x". The "-c blowfish" option chooses the 'blowfish' encryption method which has one of the lower CPU overheads of the various methods available. My understanding is that the 'none' selection for encryption is not available under our implementation of SSH. The "-x" option disables X/11 forwarding, which is unneeded for an fmb_backup pipe to work.

- We created the file '/.shosts' on 'ossbud' which allows the user root of the node 'dcdsv0.fnal.gov' 'ssh' access without a password.

- Marc had to install v6_8 of FMB onto 'dcdsv0'. It had been running v6.7 for its backups to date.

Since the kerberos-pilot is simply a test, we felt that creating a '.shosts' file was a legitimate solution. If 'dcdsv0' were configured as a member of the Strong Authentication Realm, it would have a kerberos aware 'rsh' which would be better than the '.shosts' file. Since 'ossbud' is the gateway into the kerberized realm, I don't see this as a breakdown of the secure realm.
We did run a command line test of this v6_8 implementation of FMB using the 'fmb_rsh' environment variable to run a fast backup of the 'ossbud:/' file system. We were able to get that to work. Tonight's FMB backup of 'dcdsv0' should include the 'ossbud' root file system in addition to its regular workload.

I don't know if the other build nodes would have been affected by this. I believe this was an issue because 'ossbud' has been secured to be the gateway into the test authentication realm. A normal 'rsh' connection was not allowed. Since the host 'dcdsv0' is not configured with Kerberos v5 (there is no /etc/krb5.conf file), we could not simply use a kerberos aware 'rsh' function.

More later,

Ken S.

From kreymer@fnal.gov Wed Dec 22 16:00:19 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA27950 for ; Wed, 22 Dec 1999 16:00:18 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJT3HND0F4000600@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 16:00:12 -0600 CDT Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJT3HM7JLI00063F@FNAL.FNAL.GOV>; Wed, 22 Dec 1999 15:59:49 -0600 Date: Wed, 22 Dec 1999 15:59:47 -0600 (EST) From: "Marc W. Mengel" Subject: re: Backup of OSSBUD in kerberized realm In-reply-to: <199912222125.PAA08342@ossbud.fnal.gov> To: "Laurelin of Middle Earth, 630-840-2214" Cc: Ken Schumacher , kerberos-pilot@fnal.gov, uas-group@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 91

On Wed, 22 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
>
> So, was there a resolution to the problem of backing up ossbud? What is it? Are other build nodes affected by this?
I talked with Ken at lunchtime, we're backing it up via ssh for the moment. A little slower than we might have liked, but it should work okay.

Marc

From kreymer@fnal.gov Wed Dec 22 16:51:04 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA27970 for ; Wed, 22 Dec 1999 16:51:04 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JJT59WEF8G000600@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 22 Dec 1999 16:51:02 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JJT59VA1Z60006HD@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 22 Dec 1999 16:50:50 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id QAA11266; Wed, 22 Dec 1999 16:50:50 -0600 (CST)
Date: Wed, 22 Dec 1999 16:50:49 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: tcpwrappedness now maintained by kerberos installation
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov, gcooper@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912222250.QAA11266@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 92

I have modified the installation script for kerberos v0_3 so that, if your inetd.conf has already wrapped various services by /some/path/to/tcpd, those services will remain wrapped after the kerberos installation. In other words, the corresponding kerberos service will be wrapped by /some/path/to/tcpd.
-- lauri

From kreymer@fnal.gov Wed Dec 29 11:19:57 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA32672 for ; Wed, 29 Dec 1999 11:19:57 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2LQTQ2Y80008Q4@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 11:19:53 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2LQTC7YQ000833@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov); Wed, 29 Dec 1999 11:19:45 -0600
Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA19645 for ; Wed, 29 Dec 1999 11:19:45 -0600
Date: Wed, 29 Dec 1999 11:19:45 -0600 (EST)
From: Dane Skow
Subject: Returned mail: User unknown (fwd)
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
Content-id:
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_CKbUfmKbWKWIwZU4+degcg)"; REPORT-TYPE=delivery-status
X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 93

This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.
--Boundary_(ID_CKbUfmKbWKWIwZU4+degcg)
Content-id:
Content-type: TEXT/PLAIN; CHARSET=US-ASCII

--Boundary_(ID_CKbUfmKbWKWIwZU4+degcg)
Content-id:
Content-type: MESSAGE/DELIVERY-STATUS; CHARSET=US-ASCII
Content-description:

Reporting-MTA: dns; unferth.fnal.gov
Arrival-Date: Wed, 29 Dec 1999 10:58:12 -0600

Final-Recipient: RFC822; kerberos_pilot@fnal.fnal.gov
Action: failed
Status: 5.1.1
Remote-MTA: DNS; fnal.fnal.gov
Diagnostic-Code: SMTP; 550 5.1.1 unknown or illegal user: kerberos_pilot@fnal.fnal.gov
Last-Attempt-Date: Wed, 29 Dec 1999 10:58:12 -0600

--Boundary_(ID_CKbUfmKbWKWIwZU4+degcg)
Content-id:
Content-type: message/rfc822; CHARSET=US-ASCII
Content-description:

Return-path:
Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA19634 for ; Wed, 29 Dec 1999 10:58:12 -0600
Date: Wed, 29 Dec 1999 10:58:12 -0600 (EST)
From: Dane Skow
Subject: installing Kerberos v0_3 on unferth
To: kerberos_pilot@fnal.fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs

I seem to be having troubles too. At the risk of swamping the list, I'm appending the full contents of my attempted upgrade:

**First I did the upd install per the SA web pages instructions**

[root@unferth dane]# upd install kerberos -G -c
informational: beginning install of krb5conf.
informational: transferred /ftp/products/krb5conf/v0_3/NULL/krb5conf_v0_3_NULL from fnkits.fnal.gov to /local/ups/prd/krb5conf/v0_3
informational: transferred /ftp/products/krb5conf/v0_3/NULL/krb5conf_v0_3_NULL/ups/. from fnkits.fnal.gov to /local/ups/prd/krb5conf/v0_3/ups
informational: transferred /ftp/products/krb5conf/v0_3/NULL/krb5conf_v0_3_NULL.table from fnkits.fnal.gov:/ to /local/ups/prd/krb5conf/v0_3/ups/krb5conf.table.new
informational: ups declare succeeded
informational: ups declare succeeded
Beginning installation of krb5conf v0_3 on unferth.fnal.gov.
Previous /etc/krb5.conf saved as /etc/krb5.conf.29Dec1999...
Merge new configuration information...
Logging the installation in /local/ups/prd/krb5conf/v0_3/ups/unferth.fnal.gov.log...

Reminder!!!! You must perform this installation on each node that shares this copy of krb5conf.

Installation of krb5conf v0_3 with afs on unferth.fnal.gov complete.
informational: beginning install of kerberos.
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.2/kerberos_v0_3_Linux+2.2 from fnkits.fnal.gov:9021 to /local/ups/prd/kerberos/v0_3
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.2/kerberos_v0_3_Linux+2.2/ups/. from fnkits.fnal.gov:9021 to /local/ups/prd/kerberos/v0_3/ups
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.2/kerberos_v0_3_Linux+2.2.table from fnkits.fnal.gov:9021:/ to /local/ups/prd/kerberos/v0_3/ups/kerberos.table.new
informational: ups declare succeeded
***********************************************************************
You should login as root and execute the command
    ups install kerberos v0_3
on each node using this copy of kerberos to complete the installation.
(See the README.INSTALL file for other installation options).
***********************************************************************
informational: ups declare succeeded
***********************************************************************
You should login as root and execute the command
    ups install kerberos v0_3
on each node using this copy of kerberos to complete the installation.
(See the README.INSTALL file for other installation options).
***********************************************************************
informational: product krb5conf has an INSTALL_NOTE; you should read /local/ups/prd/krb5conf/v0_3/ups/INSTALL_NOTE.
informational: product kerberos has an INSTALL_NOTE; you should read /local/ups/prd/kerberos/v0_3/ups/INSTALL_NOTE.
** That seemed to go well so then I tried to do the UPS install as instructed **

[root@unferth dane]# ups install kerberos v0_3
Beginning installation of kerberos v0_3
into /usr/krb5.
ABORT: cannot close HOSTKEYSCONF stream.

The INSTALL_NOTEs seem to point to READMEs for troubleshooting so I will try there as well, but does this ring a bell Lauri ?

dane

--Boundary_(ID_CKbUfmKbWKWIwZU4+degcg)--

From kreymer@fnal.gov Wed Dec 29 11:37:21 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA32677 for ; Wed, 29 Dec 1999 11:37:20 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2MDDUD1S0008Q4@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 11:37:18 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2MDCR7SG0006WJ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 11:37:09 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id LAA09846; Wed, 29 Dec 1999 11:37:07 -0600 (CST)
Date: Wed, 29 Dec 1999 11:37:05 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Returned mail: User unknown (fwd)
Sender: lauri@ossbud.fnal.gov
To: Dane Skow
Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912291737.LAA09846@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 94

On Wednesday 29 December 1999 Dane didst say:
> I seem to be having troubles too.
> At the risk of swamping the list, I'm appending the full contents
> of my attempted upgrade:
> 
> **First I did the upd install per the SA web pages instructions**

That looks fine.

> ** That seemed to go well so then I tried to do the UPS install
> as instructed **
> 
> [root@unferth dane]# ups install kerberos v0_3
> Beginning installation of kerberos v0_3
> into /usr/krb5.
> ABORT: cannot close HOSTKEYSCONF stream.
> 
> The INSTALL_NOTEs seem to point to READMEs for troubleshooting
> so I will try there as well, but does this ring a bell Lauri ?

No, that doesn't ring a bell. Do you have an /etc/krb5.keytab file on your system already? If not, this would be (I think) the first time somebody has run through that section of code.

-- lauri

From kreymer@fnal.gov Wed Dec 29 11:53:30 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA32684 for ; Wed, 29 Dec 1999 11:53:30 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2MXG8TR40008Q4@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 11:53:28 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2MXFLE5U00083K@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 11:53:20 -0600
Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA31983; Wed, 29 Dec 1999 11:53:20 -0600
Date: Wed, 29 Dec 1999 11:53:20 -0600 (EST)
From: Dane Skow
Subject: re: Returned mail: User unknown (fwd)
In-reply-to: <199912291737.LAA09846@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 95

On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> On Wednesday 29 December 1999 Dane didst say:
> 
> > I seem to be having troubles too.
> > At the risk of swamping the list, I'm appending the full contents
> > of my attempted upgrade:
> > 
> > **First I did the upd install per the SA web pages instructions**
> 
> That looks fine.
> 
> > ** That seemed to go well so then I tried to do the UPS install
> > as instructed **
> > 
> > [root@unferth dane]# ups install kerberos v0_3
> > Beginning installation of kerberos v0_3
> > into /usr/krb5.
> > ABORT: cannot close HOSTKEYSCONF stream.
> > 
> > The INSTALL_NOTEs seem to point to READMEs for troubleshooting
> > so I will try there as well, but does this ring a bell Lauri ?
> 
> No, that doesn't ring a bell. Do you have an /etc/krb5.keytab file
> on your system already? If not, this would be (I think) the first
> time somebody has run through that section of code.

Yup.
Here's the listing

ls -l !$
ls -l /etc/k*
-rw-r--r--   1 root     root           59 Sep 14 19:08 /etc/krb.conf
-rw-r--r--   1 root     root         1129 Dec 29 10:49 /etc/krb5.conf
-rw-r--r--   1 root     root         1054 Dec 29 10:49 /etc/krb5.conf.29Dec1999
-rw-------   1 root     root          135 Sep 15 20:24 /etc/krb5.keytab

> -- lauri
> 
> 

From kreymer@fnal.gov Wed Dec 29 13:02:55 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA00046 for ; Wed, 29 Dec 1999 13:02:55 -0600
Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2PCH9DBK0008Q4@FNAL.FNAL.GOV> (original mail from kschu@hamshack.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 13:02:52 -0600 CDT
Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2PCGR13O0008QM@FNAL.FNAL.GOV>; Wed, 29 Dec 1999 13:02:43 -0600
Received: (from kschu@localhost) by hamshack.fnal.gov (8.9.3/8.9.3) id NAA30353; Wed, 29 Dec 1999 13:02:43 -0600
Date: Wed, 29 Dec 1999 13:02:43 -0600 (CST)
From: Ken Schumacher
Subject: forwarded message from root
To: uas-group@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <14442.23251.269373.566940@hamshack.fnal.gov>
MIME-version: 1.0
X-Mailer: VM 6.71 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid
Content-type: multipart/mixed; boundary="Boundary_(ID_PSuASVjKpBQiea2XP6lcaQ)"
Status: RO
X-Status:
X-Keywords:
X-UID: 96

--Boundary_(ID_PSuASVjKpBQiea2XP6lcaQ)
Content-type: text/plain; charset=us-ascii
Content-description: message body text
Content-transfer-encoding: 7bit

Mike,

I'm not sure what we have to do to get past this. Perhaps you've done more work with the 'kerberos' stuff than I have.

My guess is that the problem was the way that we launched this task.
I think it might work fine if we ran the 'fmb_backup' from a login shell, or if we started it from an authenticated/kerberos aware cron daemon. Since we simply did a batch command, it does not appear to have gotten any carry-over authentication from the login shell.

Let me know how you want to proceed from here. One suggestion, let's move the local (bldlinux52) filesystems to the beginning of the backup set. That would mean a simple resequence of lines in the one file ('buildclstr.A').

More later,
Ken S.

--Boundary_(ID_PSuASVjKpBQiea2XP6lcaQ)
Content-type: message/rfc822
Content-description: forwarded message

Return-path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by hamshack.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA29321 for ; Wed, 29 Dec 1999 12:00:36 -0600
Received: from bldlinux52.fnal.gov ([131.225.81.82]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2N6FLKHM0007PB@FNAL.FNAL.GOV> for kschu@hamshack.fnal.gov (ORCPT rfc822;kschu@fnal.gov); Wed, 29 Dec 1999 12:00:36 -0600 CDT
Received: (from root@localhost) by bldlinux52.fnal.gov (8.8.7/8.8.7) id MAA13177; Wed, 29 Dec 1999 12:00:35 -0600
Date: Wed, 29 Dec 1999 12:00:35 -0600
From: root
Subject: Build Cluster Backup Report
To: stolz@fnal.gov
Cc: kschu@fnal.gov
Message-id: <199912291800.MAA13177@bldlinux52.fnal.gov>

Wed Dec 29 11:15:21 CST 1999: /usr/products/UNIX/fmb/v6_8/fmb_backup -L buildclstr.Spc.A -m quiet -u -t /dev/rmt/tps2d2n -f buildclstr.A
Checking tape label
Writing label buildclstr.Spc.A, Try 1

Archive Size Information
    Full Backup
    Estimate
  Low   High   Actual  Type  Name
  ---   ----   ------  ----  ----
    -      -        -  full  bldsunos26:/ [1]
   0k     0k       0k  full  bldsunos26:/ [1]
    -      -        -  full  bldsunos26:/usr [2]
   0k     0k       0k  full  bldsunos26:/usr [2]
    -      -        -  full  bldsunos26:/opt [3]
   0k     0k       0k  full  bldsunos26:/opt [3]
    -      -        -  full  bldsunos27:/ [4]
   0k     0k       0k  full  bldsunos27:/ [4]
    -      -        -  full  bldsunos27:/usr [5]
   0k     0k       0k  full  bldsunos27:/usr [5]
    -      -        -  full  bldlinux52:/ [6]
   0k     0k       0k  full  bldlinux52:/ [6]
    -      -        -  full  bldlinux61:/ [7]
   0k     0k       0k  full  bldlinux61:/ [7]
    -      -        -  full  bldlinux61:/usr/src [8]
   0k     0k       0k  full  bldlinux61:/usr/src [8]
    -      -        -  full  bldosf1v40d:/ [9]
   0k     0k       0k  full  bldosf1v40d:/ [9]
    -      -        -  full  bldosf1v40d:/usr [10]
   0k     0k       0k  full  bldosf1v40d:/usr [10]
    -      -        -  full  bldirix62:/ [11]
    -      -        -  full  bldirix62:/usr [12]
    -      -        -  full  bldirix65:/ [13]
  -------------  --------------  --------------
   0k     0k       0k  TOTAL

Executive Summary:
------------------
Wed Dec 29 12:00:35 CST 1999
The backup failed because one or more archives failed.

A total of 0 write retries were made.

========================================================================

Detailed error reports:
--------------
[1]
fmb: error during fmb_backup on Wed Dec 29 11:19:06 CST 1999
ncpio archive of bldsunos26:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
Unable to rsh to bldsunos26
Exit code 1
This archive may be incomplete.
--------
[2]
fmb: error during fmb_backup on Wed Dec 29 11:23:28 CST 1999
ncpio archive of bldsunos26:/usr try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
Unable to rsh to bldsunos26
Exit code 1
This archive may be incomplete.
--------
[3]
fmb: error during fmb_backup on Wed Dec 29 11:27:49 CST 1999
ncpio archive of bldsunos26:/opt try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
rsh: kcmd to host bldsunos26 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos26.fnal.gov: Connection refused
Unable to rsh to bldsunos26
Exit code 1
This archive may be incomplete.
--------
[4]
fmb: error during fmb_backup on Wed Dec 29 11:32:10 CST 1999
ncpio archive of bldsunos27:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldsunos27 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos27.fnal.gov: Connection refused
rsh: kcmd to host bldsunos27 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos27.fnal.gov: Connection refused
Unable to rsh to bldsunos27
Exit code 1
This archive may be incomplete.
--------
[5]
fmb: error during fmb_backup on Wed Dec 29 11:36:30 CST 1999
ncpio archive of bldsunos27:/usr try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldsunos27 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos27.fnal.gov: Connection refused
rsh: kcmd to host bldsunos27 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldsunos27.fnal.gov: Connection refused
Unable to rsh to bldsunos27
Exit code 1
This archive may be incomplete.
--------
[6]
fmb: error during fmb_backup on Wed Dec 29 11:40:50 CST 1999
ncpio archive of bldlinux52:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldlinux52 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux52.fnal.gov: Connection refused
rsh: kcmd to host bldlinux52 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux52.fnal.gov: Connection refused
Unable to rsh to bldlinux52
Exit code 1
This archive may be incomplete.
--------
[7]
fmb: error during fmb_backup on Wed Dec 29 11:45:11 CST 1999
ncpio archive of bldlinux61:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldlinux61 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux61.fnal.gov: Connection refused
rsh: kcmd to host bldlinux61 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux61.fnal.gov: Connection refused
Unable to rsh to bldlinux61
Exit code 1
This archive may be incomplete.
--------
[8]
fmb: error during fmb_backup on Wed Dec 29 11:49:31 CST 1999
ncpio archive of bldlinux61:/usr/src try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldlinux61 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux61.fnal.gov: Connection refused
rsh: kcmd to host bldlinux61 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux61.fnal.gov: Connection refused
Unable to rsh to bldlinux61
Exit code 1
This archive may be incomplete.
--------
[9]
fmb: error during fmb_backup on Wed Dec 29 11:53:52 CST 1999
ncpio archive of bldosf1v40d:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldosf1v40d.fnal.gov: Connection refused
rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldosf1v40d.fnal.gov: Connection refused
Unable to rsh to bldosf1v40d
Exit code 1
This archive may be incomplete.
--------
[10]
fmb: error during fmb_backup on Wed Dec 29 11:58:15 CST 1999
ncpio archive of bldosf1v40d:/usr try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldosf1v40d.fnal.gov: Connection refused
rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldosf1v40d.fnal.gov: Connection refused
Unable to rsh to bldosf1v40d
Exit code 1
This archive may be incomplete.
--------
[11]
fmb: error during fmb_backup on Wed Dec 29 11:59:34 CST 1999
ncpio archive of bldirix62:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldirix62 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
rsh: kcmd to host bldirix62 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
Unable to rsh to bldirix62
Exit code 1
This archive may be incomplete.
--------
[12]
fmb: error during fmb_backup on Wed Dec 29 11:59:51 CST 1999
ncpio archive of bldirix62:/usr try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldirix62 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
rsh: kcmd to host bldirix62 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
Unable to rsh to bldirix62
Exit code 1
This archive may be incomplete.
--------
[13]
fmb: error during fmb_backup on Wed Dec 29 12:00:11 CST 1999
ncpio archive of bldirix65:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldirix65 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
rsh: kcmd to host bldirix65 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
Unable to rsh to bldirix65
Exit code 1
This archive may be incomplete.
--------

--Boundary_(ID_PSuASVjKpBQiea2XP6lcaQ)--

From kreymer@fnal.gov Wed Dec 29 13:22:22 1999 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA00053 for ; Wed, 29 Dec 1999 13:22:22 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2Q1G8R000008Q4@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 13:22:20 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2Q1FGFXG0007YH@FNAL.FNAL.GOV>; Wed, 29 Dec 1999 13:22:04 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id NAA10915; Wed, 29 Dec 1999 13:22:03 -0600 (CST)
Date: Wed, 29 Dec 1999 13:22:03 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: forwarded message from root
Sender: lauri@ossbud.fnal.gov
To: Ken Schumacher
Cc: uas-group@fnal.gov, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <199912291922.NAA10915@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 97

Ken,

I've forwarded you some instructions on how to set up an authenticating cron job. You're right, batch/cron jobs do NOT automatically get authenticated. Call me for more information if you need it.

I'm not sure what all you've tried with Mike, or what remains to be done, but at this point dcdsv0 is NOT running kerberos. If that's the node you're using, we'll need to install kerberos on it (without turning off the other services). Please advise.
-- lauri

On Wednesday 29 December 1999, our friend Ken Schumacher spaketh thusly:
> 
> Mike,
> 
> I'm not sure what we have to do to get past this. Perhaps you've
> done more work with the 'kerberos' stuff than I have.
> 
> My guess is that the problem was the way that we launched this
> task. I think it might work fine if we ran the 'fmb_backup' from a
> login shell, or if we started it from an authenticated/kerberos aware
> cron daemon. Since we simply did a batch command, it does not appear
> to have gotten any carry-over authentication from the login shell.
> 
> Let me know how you want to proceed from here. One suggestion,
> let's move the local (bldlinux52) filesystems to the beginning of the
> backup set. That would mean a simple resequence of lines in the one
> file ('buildclstr.A').
> 
> More later,
> Ken S.
> -------- > From kreymer@fnal.gov Wed Dec 29 14:36:44 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA00074 for ; Wed, 29 Dec 1999 14:36:44 -0600 Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2SMRPJCW0008Q4@FNAL.FNAL.GOV> (original mail from kschu@hamshack.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 14:36:42 -0600 CDT Received: from hamshack.fnal.gov ([131.225.84.179]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2SMQXBOE0007K4@FNAL.FNAL.GOV>; Wed, 29 Dec 1999 14:36:31 -0600 Received: (from kschu@localhost) by hamshack.fnal.gov (8.9.3/8.9.3) id OAA32682; Wed, 29 Dec 1999 14:36:31 -0600 Date: Wed, 29 Dec 1999 14:36:31 -0600 (CST) From: Ken Schumacher Subject: re: forwarded message from root In-reply-to: <199912291922.NAA10915@ossbud.fnal.gov> To: lauri@fnal.gov Cc: uas-group@fnal.gov, kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <14442.28879.132728.67420@hamshack.fnal.gov> MIME-version: 1.0 X-Mailer: VM 6.71 under 21.1 (patch 8) "Bryce Canyon" XEmacs Lucid Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit References: <199912291922.NAA10915@ossbud.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 98 Lauri, There are two different backups that have been discussed. The mail that you were replying to was about the backup that I am helping Mike with. That backup is running on 'bldlinux52' to backup the nodes of the build cluster. It is intended to use the kerberized rsh function. Mike is working to test that based on the instructions that he asked you for. I helped him put together the backup script this morning and he's working out the authentication issue to get it to work. The backup that I sent mail on this morning is one that runs on 'dcdsv0' to back up 'dcdsv0' (several filesystems) and 'ossbud:/'. 
That backup is using FMB v6_8 and an environment variable that Mark
showed me. That environment variable tells FMB to use SSH (instead of
RSH) for its connection between 'dcdsv0' and 'ossbud'. The problems
that I documented in my e-mail this morning are not related to
authentication, but are problems with mounting tapes via JUKE and in
the summary report returned by FMB. It seems to mess up the order of
magnitude of units (Kb or bytes instead of Mb). This second problem is
almost cosmetic and no real concern. Neither of those problems would be
helped by adding kerberos to 'dcdsv0'.

Laurelin of Middle Earth, 630-840-2214 writes:
> Ken, I've forwarded you some instructions on how to set up an
> authenticating cron job. You're right, batch/cron jobs do NOT
> automatically get authenticated. Call me for more information if
> you need it.
>
> I'm not sure what all you've tried with Mike, or what remains to be
> done, but at this point dcdsv0 is NOT running kerberos. If that's
> the node you're using, we'll need to install kerberos on it (without
> turning off the other services).

I'd recommend that we not make any changes to 'dcdsv0' while everyone
is out of the office. I'll get the backups working, one way or another.
Next week, when everyone is back in, we can remove my "band-aids" and
correct the problems right and proper.

Thanks for offering to add Kerberos. If I thought it would add "if it
ain't broke, don't fix it" approach and leave access to that system
alone. I've tested 'ssh' between the two systems and that is working.
Access is not the problem here.

>
> Please advise. -- lauri

Consider yourself advised. :-)

More later,
Ken S.
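The fmb_backup errors quoted above and Ken's exchange with Lauri describe one failure chain: the cron job has no credentials cache, kcmd fails, FMB retries over plain /usr/bin/rsh with no encryption, and that retry is then refused or denied. The following Python script is an added example (not code from the thread, FMB or Fermilab) that parses a report in that format and tells an operator, per host, whether the job ran without a ticket and whether the cleartext fallback actually reached a live rshd; the sample report is constructed in the shape of the quoted one, reusing its host names and message texts.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape of the fmb_backup errors quoted in the
# thread (same host names and message texts; entry numbers are arbitrary).
SAMPLE_REPORT = """\
[6]
fmb: error during fmb_backup on Wed Dec 29 11:40:50 CST 1999
ncpio archive of bldlinux52:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldlinux52 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
bldlinux52.fnal.gov: Connection refused
Unable to rsh to bldlinux52
Exit code 1
This archive may be incomplete.
--------
[11]
fmb: error during fmb_backup on Wed Dec 29 11:59:34 CST 1999
ncpio archive of bldirix62:/ try 1 exited with Exit code 1
stderr output was:
rsh: kcmd to host bldirix62 failed - No credentials cache file found
trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
Permission denied.
Unable to rsh to bldirix62
Exit code 1
This archive may be incomplete.
--------
"""

@dataclass
class ArchiveFailure:
    number: int
    timestamp: str
    host: str
    filesystem: str
    krb_no_ccache: bool       # kcmd (kerberized rsh) found no ticket cache
    plaintext_fallback: bool  # FMB retried over /usr/bin/rsh, unencrypted
    fallback_result: str      # "refused", "denied" or "unknown"

ENTRY_RE = re.compile(r"^\[(\d+)\]$", re.M)
TIME_RE = re.compile(r"^fmb: error during fmb_backup on (.+)$", re.M)
ARCHIVE_RE = re.compile(
    r"^ncpio archive of (\S+?):(\S+) try \d+ exited with Exit code \d+$", re.M)

def parse_report(text: str) -> List[ArchiveFailure]:
    """Split the report on its '--------' separators and parse each entry."""
    failures = []
    for chunk in text.split("--------"):
        entry, when, archive = (ENTRY_RE.search(chunk), TIME_RE.search(chunk),
                                ARCHIVE_RE.search(chunk))
        if not (entry and when and archive):
            continue  # separator residue or a malformed entry
        if "Permission denied" in chunk:
            result = "denied"    # an rshd answered and rejected the login
        elif "Connection refused" in chunk:
            result = "refused"   # nothing listened on the rsh port
        else:
            result = "unknown"
        failures.append(ArchiveFailure(
            number=int(entry.group(1)), timestamp=when.group(1).strip(),
            host=archive.group(1), filesystem=archive.group(2),
            krb_no_ccache="No credentials cache file found" in chunk,
            plaintext_fallback="NO ENCRYPTION" in chunk,
            fallback_result=result))
    return failures

def diagnose(failures: List[ArchiveFailure]) -> Dict[str, List[str]]:
    """Per-host tags in first-seen order: 'no-ticket' means the batch job ran
    with no Kerberos credentials (cron jobs are not authenticated automatically,
    so the job needs a ticket before it runs); 'plaintext-fallback-<why>'
    means FMB retried in the clear and records why that retry failed."""
    findings: Dict[str, List[str]] = {}
    for f in failures:
        tags = findings.setdefault(f.host, [])
        if f.krb_no_ccache and "no-ticket" not in tags:
            tags.append("no-ticket")
        if f.plaintext_fallback:
            tag = "plaintext-fallback-" + f.fallback_result
            if tag not in tags:
                tags.append(tag)
    return findings

def hosts_with_plain_rshd(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts where the unencrypted fallback reached a live rshd: 'Connection
    refused' means no rsh service, so no cleartext session was possible;
    'Permission denied' means rshd accepted the TCP connection and only the
    .rhosts/hosts.equiv check stopped it, so a cleartext path exists."""
    return sorted(h for h, t in findings.items() if "plaintext-fallback-denied" in t)

if __name__ == "__main__":
    found = diagnose(parse_report(SAMPLE_REPORT))
    for host, tags in found.items():
        print(f"{host}: {', '.join(tags)}")
    print("plain rshd reachable on:", hosts_with_plain_rshd(found))
```

In the quoted report every fallback failed, so no data left the build cluster in the clear; the hosts that answered "Permission denied" are the ones still offering the unencrypted service.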
From kreymer@fnal.gov Wed Dec 29 14:37:42 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA00078 for ; Wed, 29 Dec 1999 14:37:42 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2SNZCTCG0008Q4@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 14:37:40 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2SNY6CB60007Y0@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 14:37:29 -0600 Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA12468; Wed, 29 Dec 1999 14:37:28 -0600 (CST) Date: Wed, 29 Dec 1999 14:37:28 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: v0_3 troubles Sender: lauri@ossbud.fnal.gov To: Dane Skow Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912292037.OAA12468@ossbud.fnal.gov> X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 99 On Wednesday 29 December 1999 Dane didst say: > [root@unferth dane]# . /local/ups/etc/setups.sh > [root@unferth dane]# setup kerberos > [root@unferth dane]# $KERBEROS_DIR/sbin/ktutil > Segmentation fault This explains why the installation script is bombing out -- it is trying to run an executable that is core dumping. What kernel version are you running? We had (have!) similar problems with ups v4_5 on Linux -- it core dumps for some people, not for others. Seems that Linux 6.x (and maybe 5.2 as well) is very sensitive to kernel version, at least for some stuff). > > (I discovered that the "setups.sh" script had not run on my > login/su. 
This doesn't seem to have affected the ups install > any: I get the same errors.) Safer to get yourself into the UPS environment, but mostly, if ups is in your path, you'll be ok. -- lauri > > > > > ? (That's what the code is trying to do for you at this point). > > > > -- lauri > > > > On Wednesday 29 December 1999 thou didst say: > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > Please set the environmental variable KRB_INSTALL_DEBUG (to any > > > > value at all), and then do the ups install again. Send me the > > > > output. > > > > > > Here you go: > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > Beginning installation of kerberos v0_3 > > > into /usr/krb5. > > > main: nodename = >unferth.fnal.gov< > > > main: datestamp = >29Dec1999< > > > main: Now into all for UPS_PROD_NAME = kerberos > > > main: args: all > > > isInUPSEnv: checking >UPS_DIR< = >/local/ups/prd/ups/v4_4a< > > > isInUPSEnv: checking >UPS_PROD_NAME< = >kerberos< > > > isInUPSEnv: checking >UPS_PROD_VERSION< = >v0_3< > > > isInUPSEnv: checking >UPS_PROD_DIR< = >/local/ups/prd/kerberos/v0_3< > > > isInUPSEnv: checking >UPS_UPS_DIR< = >/local/ups/prd/kerberos/v0_3/ups< > > > isInUPSEnv: checking >KERBEROS_DIR< = >/local/ups/prd/kerberos/v0_3< > > > isInUPSEnv: checking >KRB_ABS_TGT< = >/usr/krb5< > > > isInUPSEnv: checking >KRB_REL_SRC< = >.< > > > isInUPSEnv: checking >KRB_SERVICES_TEMPLATE< = > > > >/local/ups/prd/kerberos/v0_3/u > > > ps/services.template< > > > isInUPSEnv: checking >KRB_SERVICES_CONF< = >/etc/services< > > > isInUPSEnv: checking >KRB_HOSTKEY_CONF< = >/etc/krb5.keytab< > > > isInUPSEnv: checking >KRB_INETD_TEMPLATE< = > > > >/local/ups/prd/kerberos/v0_3/ups/ > > > inetd.conf.template< > > > isInUPSEnv: checking >KRB_INETD_CONF< = >/etc/inetd.conf< > > > isInUPSEnv: checking >KRB_SSHD_TEMPLATE< = > > > >/local/ups/prd/kerberos/v0_3/ups/s > > > shd_config.template< > > > isInUPSEnv: checking >KRB_SSHD_CONF< = 
>/etc/sshd_config< > > > get_input: getting required user input. > > > get_input: HOSTKEYSCOMMAND = > ( echo "rkt > > > /etc/krb5.keytab" > > > echo "list" > > > echo "exit" ) | > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > < > > > get_input: command successfully issued: ( echo "rkt > > > /etc/krb5.keyt > > > ab" > > > echo "list" > > > echo "exit" ) | > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > . > > > ABORT: cannot close HOSTKEYSCONF stream. > > > > > > ****************************** > > > > > > FYI: in the current installation (v0_2) the kinds of > > > errors I get all refer to some preauthentication failure. > > > Sometimes it's to a "preauthentication cache" sometimes just > > > a failure like below. > > > > > > Here's a copy in case it might be related. > > > > > > bash$ kinit > > > Password for dane@PILOT.FNAL.GOV: > > > kinit: Preauthentication failed while getting initial credentials > > > > > > dane > > > > > > > > > > > Thanks, lauri > > > > > > > > On Wednesday 29 December 1999, > > > > our friend Dane Skow spaketh thusly: > > > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > > > > > On Wednesday 29 December 1999 Dane didst say: > > > > > > > > > > > > > I seem to be having troubles too. > > > > > > > At the risk of swamping the list, I'm appending the full contents > > > > > > > of my attempted upgrade: > > > > > > > > > > > > > > **First I did the upd install per the SA web pages instructions** > > > > > > > > > > > > That looks fine. > > > > > > > > > > > > > ** That seemed to go well so then I tried to do the UPS install > > > > > > > as instructed ** > > > > > > > > > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > > > > > Beginning installation of kerberos v0_3 > > > > > > > into /usr/krb5. > > > > > > > ABORT: cannot close HOSTKEYSCONF stream. 
> > > > > > > > > > > > > > The INSTALL_NOTEs seem to point to READMEs for troubleshooting > > > > > > > so I will try there as well, but does this ring a bell Lauri ? > > > > > > > > > > > > No, that doesn't ring a bell. Do you have an /etc/krb5.keytab file > > > > > > on your system already? If not, this would be (I think) the first > > > > > > time somebody has run through that section of code. > > > > > > > > > > Yup. Here's the listing > > > > > > > > > > ls -l !$ > > > > > ls -l /etc/k* > > > > > -rw-r--r-- 1 root root 59 Sep 14 19:08 /etc/krb.conf > > > > > -rw-r--r-- 1 root root 1129 Dec 29 10:49 /etc/krb5.conf > > > > > -rw-r--r-- 1 root root 1054 Dec 29 10:49 > > > > > /etc/krb5.conf.29Dec1999 > > > > > -rw------- 1 root root 135 Sep 15 20:24 /etc/krb5.keytab > > > > > > > > > > > > > > The krb5.keytab file is not human readable. > > > > > > > > > > dane > > > > > > > > > > > > > > > > > -- lauri > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From kreymer@fnal.gov Wed Dec 29 14:49:19 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA00086 for ; Wed, 29 Dec 1999 14:49:19 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2T2G2KWG0008Q4@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 14:49:18 -0600 CDT Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2T2FE0VQ00094V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 14:49:10 -0600 Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA11820; Wed, 29 Dec 1999 14:49:09 -0600 Date: Wed, 29 Dec 1999 14:49:09 -0600 (EST) From: Dane Skow Subject: re: v0_3 troubles In-reply-to: <199912292037.OAA12468@ossbud.fnal.gov> 
To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 100 On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > On Wednesday 29 December 1999 Dane didst say: > > > [root@unferth dane]# . /local/ups/etc/setups.sh > > [root@unferth dane]# setup kerberos > > [root@unferth dane]# $KERBEROS_DIR/sbin/ktutil > > Segmentation fault > > This explains why the installation script is bombing out -- it is > trying to run an executable that is core dumping. > > What kernel version are you running? > > We had (have!) similar problems with ups v4_5 on Linux -- it core > dumps for some people, not for others. Seems that Linux 6.x (and > maybe 5.2 as well) is very sensitive to kernel version, at least for > some stuff). I'm running the standard 5.2.1 installation with the 2.2.12 kernel upgrade (so, I guess that's an unstandard installation by definition). Kernel version sensitivity is unusual (more usually the libraries). On most of my machines, I'm playing with the new 6.1 installation. I'm prepared to take my main desktop up, but would rather not until I've gotten a couple weeks on my home and 2ndary machine here. Where shall we go from here ? The 6.1 installs remind me to ask the question of how will Strong Authentication handle DHCP machines ? Will we have to have the fixed name function working in DHCP first ? dane > > > > > (I discovered that the "setups.sh" script had not run on my > > login/su. This doesn't seem to have affected the ups install > > any: I get the same errors.) > > Safer to get yourself into the UPS environment, but mostly, if ups > is in your path, you'll be ok. > > -- lauri > > > > > > > > > ? (That's what the code is trying to do for you at this point). 
> > > > > > -- lauri > > > > > > On Wednesday 29 December 1999 thou didst say: > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > > > Please set the environmental variable KRB_INSTALL_DEBUG (to any > > > > > value at all), and then do the ups install again. Send me the > > > > > output. > > > > > > > > Here you go: > > > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > > Beginning installation of kerberos v0_3 > > > > into /usr/krb5. > > > > main: nodename = >unferth.fnal.gov< > > > > main: datestamp = >29Dec1999< > > > > main: Now into all for UPS_PROD_NAME = kerberos > > > > main: args: all > > > > isInUPSEnv: checking >UPS_DIR< = >/local/ups/prd/ups/v4_4a< > > > > isInUPSEnv: checking >UPS_PROD_NAME< = >kerberos< > > > > isInUPSEnv: checking >UPS_PROD_VERSION< = >v0_3< > > > > isInUPSEnv: checking >UPS_PROD_DIR< = >/local/ups/prd/kerberos/v0_3< > > > > isInUPSEnv: checking >UPS_UPS_DIR< = >/local/ups/prd/kerberos/v0_3/ups< > > > > isInUPSEnv: checking >KERBEROS_DIR< = >/local/ups/prd/kerberos/v0_3< > > > > isInUPSEnv: checking >KRB_ABS_TGT< = >/usr/krb5< > > > > isInUPSEnv: checking >KRB_REL_SRC< = >.< > > > > isInUPSEnv: checking >KRB_SERVICES_TEMPLATE< = > > > > >/local/ups/prd/kerberos/v0_3/u > > > > ps/services.template< > > > > isInUPSEnv: checking >KRB_SERVICES_CONF< = >/etc/services< > > > > isInUPSEnv: checking >KRB_HOSTKEY_CONF< = >/etc/krb5.keytab< > > > > isInUPSEnv: checking >KRB_INETD_TEMPLATE< = > > > > >/local/ups/prd/kerberos/v0_3/ups/ > > > > inetd.conf.template< > > > > isInUPSEnv: checking >KRB_INETD_CONF< = >/etc/inetd.conf< > > > > isInUPSEnv: checking >KRB_SSHD_TEMPLATE< = > > > > >/local/ups/prd/kerberos/v0_3/ups/s > > > > shd_config.template< > > > > isInUPSEnv: checking >KRB_SSHD_CONF< = >/etc/sshd_config< > > > > get_input: getting required user input. 
> > > > get_input: HOSTKEYSCOMMAND = > ( echo "rkt > > > > /etc/krb5.keytab" > > > > echo "list" > > > > echo "exit" ) | > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > > < > > > > get_input: command successfully issued: ( echo "rkt > > > > /etc/krb5.keyt > > > > ab" > > > > echo "list" > > > > echo "exit" ) | > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > > . > > > > ABORT: cannot close HOSTKEYSCONF stream. > > > > > > > > ****************************** > > > > > > > > FYI: in the current installation (v0_2) the kinds of > > > > errors I get all refer to some preauthentication failure. > > > > Sometimes it's to a "preauthentication cache" sometimes just > > > > a failure like below. > > > > > > > > Here's a copy in case it might be related. > > > > > > > > bash$ kinit > > > > Password for dane@PILOT.FNAL.GOV: > > > > kinit: Preauthentication failed while getting initial credentials > > > > > > > > dane > > > > > > > > > > > > > > Thanks, lauri > > > > > > > > > > On Wednesday 29 December 1999, > > > > > our friend Dane Skow spaketh thusly: > > > > > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > > > > > > > On Wednesday 29 December 1999 Dane didst say: > > > > > > > > > > > > > > > I seem to be having troubles too. > > > > > > > > At the risk of swamping the list, I'm appending the full contents > > > > > > > > of my attempted upgrade: > > > > > > > > > > > > > > > > **First I did the upd install per the SA web pages instructions** > > > > > > > > > > > > > > That looks fine. > > > > > > > > > > > > > > > ** That seemed to go well so then I tried to do the UPS install > > > > > > > > as instructed ** > > > > > > > > > > > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > > > > > > Beginning installation of kerberos v0_3 > > > > > > > > into /usr/krb5. > > > > > > > > ABORT: cannot close HOSTKEYSCONF stream. 
> > > > > > > > > > > > > > > > The INSTALL_NOTEs seem to point to READMEs for troubleshooting > > > > > > > > so I will try there as well, but does this ring a bell Lauri ? > > > > > > > > > > > > > > No, that doesn't ring a bell. Do you have an /etc/krb5.keytab file > > > > > > > on your system already? If not, this would be (I think) the first > > > > > > > time somebody has run through that section of code. > > > > > > > > > > > > Yup. Here's the listing > > > > > > > > > > > > ls -l !$ > > > > > > ls -l /etc/k* > > > > > > -rw-r--r-- 1 root root 59 Sep 14 19:08 /etc/krb.conf > > > > > > -rw-r--r-- 1 root root 1129 Dec 29 10:49 /etc/krb5.conf > > > > > > -rw-r--r-- 1 root root 1054 Dec 29 10:49 > > > > > > /etc/krb5.conf.29Dec1999 > > > > > > -rw------- 1 root root 135 Sep 15 20:24 /etc/krb5.keytab > > > > > > > > > > > > > > > > > The krb5.keytab file is not human readable. > > > > > > > > > > > > dane > > > > > > > > > > > > > > > > > > > > -- lauri > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From kreymer@fnal.gov Wed Dec 29 14:57:50 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA00161 for ; Wed, 29 Dec 1999 14:57:49 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2TCZP3IO0008Q4@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 14:57:48 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2TCYZX7Q0008CQ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 14:57:40 -0600 Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA12803; Wed, 29 Dec 1999 14:57:39 -0600 (CST) Date: Wed, 29 Dec 1999 14:57:38 -0600 From: 
lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: v0_3 troubles Sender: lauri@ossbud.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov, lauri@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <199912292057.OAA12803@ossbud.fnal.gov> X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 101 You ask "where shall we go from here?" At this point, it's beyond my capabilities. I don't think Matt is around this week (or if he is, he's very quietly working on the portal to move it ahead). Marc isn't here, Wayne isn't here, and there are other pressing issues (backups of the build cluster, for example). I think we need to wait until next week to look any further into this from the kerberos end of things. You might choose to change your OS to a more "standard" Linux and then try again. By the way, the "pre-authentication failure" message is usually one of two things: - you typed your password wrong - the clock on your system is off by >5 min -- lauri On Wednesday 29 December 1999 thou didst say: > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > On Wednesday 29 December 1999 Dane didst say: > > > > > [root@unferth dane]# . /local/ups/etc/setups.sh > > > [root@unferth dane]# setup kerberos > > > [root@unferth dane]# $KERBEROS_DIR/sbin/ktutil > > > Segmentation fault > > > > This explains why the installation script is bombing out -- it is > > trying to run an executable that is core dumping. > > > > What kernel version are you running? > > > > We had (have!) similar problems with ups v4_5 on Linux -- it core > > dumps for some people, not for others. Seems that Linux 6.x (and > > maybe 5.2 as well) is very sensitive to kernel version, at least for > > some stuff). > > I'm running the standard 5.2.1 installation with the 2.2.12 kernel upgrade > (so, I guess that's an unstandard installation by definition). 
Kernel > version sensitivity is unusual (more usually the libraries). On most of my > machines, I'm playing with the new 6.1 installation. I'm prepared to take > my main desktop up, but would rather not until I've gotten a couple weeks > on my home and 2ndary machine here. > > Where shall we go from here ? > > The 6.1 installs remind me to ask the question of how will > Strong Authentication handle DHCP machines ? Will we have to have > the fixed name function working in DHCP first ? > > dane > > > > > > > > (I discovered that the "setups.sh" script had not run on my > > > login/su. This doesn't seem to have affected the ups install > > > any: I get the same errors.) > > > > Safer to get yourself into the UPS environment, but mostly, if ups > > is in your path, you'll be ok. > > > > -- lauri > > > > > > > > > > > > > ? (That's what the code is trying to do for you at this point). > > > > > > > > -- lauri > > > > > > > > On Wednesday 29 December 1999 thou didst say: > > > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > > > > > Please set the environmental variable KRB_INSTALL_DEBUG (to any > > > > > > value at all), and then do the ups install again. Send me the > > > > > > output. > > > > > > > > > > Here you go: > > > > > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > > > Beginning installation of kerberos v0_3 > > > > > into /usr/krb5. 
> > > > > main: nodename = >unferth.fnal.gov< > > > > > main: datestamp = >29Dec1999< > > > > > main: Now into all for UPS_PROD_NAME = kerberos > > > > > main: args: all > > > > > isInUPSEnv: checking >UPS_DIR< = >/local/ups/prd/ups/v4_4a< > > > > > isInUPSEnv: checking >UPS_PROD_NAME< = >kerberos< > > > > > isInUPSEnv: checking >UPS_PROD_VERSION< = >v0_3< > > > > > isInUPSEnv: checking >UPS_PROD_DIR< = >/local/ups/prd/kerberos/v0_3< > > > > > isInUPSEnv: checking >UPS_UPS_DIR< = >/local/ups/prd/kerberos/v0_3/ups< > > > > > isInUPSEnv: checking >KERBEROS_DIR< = >/local/ups/prd/kerberos/v0_3< > > > > > isInUPSEnv: checking >KRB_ABS_TGT< = >/usr/krb5< > > > > > isInUPSEnv: checking >KRB_REL_SRC< = >.< > > > > > isInUPSEnv: checking >KRB_SERVICES_TEMPLATE< = > > > > > >/local/ups/prd/kerberos/v0_3/u > > > > > ps/services.template< > > > > > isInUPSEnv: checking >KRB_SERVICES_CONF< = >/etc/services< > > > > > isInUPSEnv: checking >KRB_HOSTKEY_CONF< = >/etc/krb5.keytab< > > > > > isInUPSEnv: checking >KRB_INETD_TEMPLATE< = > > > > > >/local/ups/prd/kerberos/v0_3/ups/ > > > > > inetd.conf.template< > > > > > isInUPSEnv: checking >KRB_INETD_CONF< = >/etc/inetd.conf< > > > > > isInUPSEnv: checking >KRB_SSHD_TEMPLATE< = > > > > > >/local/ups/prd/kerberos/v0_3/ups/s > > > > > shd_config.template< > > > > > isInUPSEnv: checking >KRB_SSHD_CONF< = >/etc/sshd_config< > > > > > get_input: getting required user input. > > > > > get_input: HOSTKEYSCOMMAND = > ( echo "rkt > > > > > /etc/krb5.keytab" > > > > > echo "list" > > > > > echo "exit" ) | > > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > > > < > > > > > get_input: command successfully issued: ( echo "rkt > > > > > /etc/krb5.keyt > > > > > ab" > > > > > echo "list" > > > > > echo "exit" ) | > > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil > > > > > . > > > > > ABORT: cannot close HOSTKEYSCONF stream. 
> > > > > > > > > > ****************************** > > > > > > > > > > FYI: in the current installation (v0_2) the kinds of > > > > > errors I get all refer to some preauthentication failure. > > > > > Sometimes it's to a "preauthentication cache" sometimes just > > > > > a failure like below. > > > > > > > > > > Here's a copy in case it might be related. > > > > > > > > > > bash$ kinit > > > > > Password for dane@PILOT.FNAL.GOV: > > > > > kinit: Preauthentication failed while getting initial credentials > > > > > > > > > > dane > > > > > > > > > > > > > > > > > Thanks, lauri > > > > > > > > > > > > On Wednesday 29 December 1999, > > > > > > our friend Dane Skow spaketh thusly: > > > > > > > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote: > > > > > > > > > > > > > > > On Wednesday 29 December 1999 Dane didst say: > > > > > > > > > > > > > > > > > I seem to be having troubles too. > > > > > > > > > At the risk of swamping the list, I'm appending the full contents > > > > > > > > > of my attempted upgrade: > > > > > > > > > > > > > > > > > > **First I did the upd install per the SA web pages instructions** > > > > > > > > > > > > > > > > That looks fine. > > > > > > > > > > > > > > > > > ** That seemed to go well so then I tried to do the UPS install > > > > > > > > > as instructed ** > > > > > > > > > > > > > > > > > > [root@unferth dane]# ups install kerberos v0_3 > > > > > > > > > Beginning installation of kerberos v0_3 > > > > > > > > > into /usr/krb5. > > > > > > > > > ABORT: cannot close HOSTKEYSCONF stream. > > > > > > > > > > > > > > > > > > The INSTALL_NOTEs seem to point to READMEs for troubleshooting > > > > > > > > > so I will try there as well, but does this ring a bell Lauri ? > > > > > > > > > > > > > > > > No, that doesn't ring a bell. Do you have an /etc/krb5.keytab file > > > > > > > > on your system already? If not, this would be (I think) the first > > > > > > > > time somebody has run through that section of code. 
> > > > > > > > > > > > > > Yup. Here's the listing > > > > > > > > > > > > > > ls -l !$ > > > > > > > ls -l /etc/k* > > > > > > > -rw-r--r-- 1 root root 59 Sep 14 19:08 /etc/krb.conf > > > > > > > -rw-r--r-- 1 root root 1129 Dec 29 10:49 /etc/krb5.conf > > > > > > > -rw-r--r-- 1 root root 1054 Dec 29 10:49 > > > > > > > /etc/krb5.conf.29Dec1999 > > > > > > > -rw------- 1 root root 135 Sep 15 20:24 /etc/krb5.keytab > > > > > > > > > > > > > > > > > > > > The krb5.keytab file is not human readable. > > > > > > > > > > > > > > dane > > > > > > > > > > > > > > > > > > > > > > > -- lauri > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > From kreymer@fnal.gov Wed Dec 29 15:06:10 1999 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA00167 for ; Wed, 29 Dec 1999 15:06:09 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK2TN9AIZ40008Q4@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 29 Dec 1999 15:06:07 -0600 CDT Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2TN8QIIS00094V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 29 Dec 1999 15:05:57 -0600 Received: from localhost (dane@localhost) by unferth.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA13244; Wed, 29 Dec 1999 15:05:56 -0600 Date: Wed, 29 Dec 1999 15:05:56 -0600 (EST) From: Dane Skow Subject: re: v0_3 troubles In-reply-to: <199912292057.OAA12803@ossbud.fnal.gov> To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: unferth.fnal.gov: dane owned process doing -bs Status: RO X-Status: 
X-Keywords:
X-UID: 102

On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> You ask "where shall we go from here?" At this point, it's beyond
> my capabilities. I don't think Matt is around this week (or if he
> is, he's very quietly working on the portal to move it ahead). Marc
> isn't here, Wayne isn't here, and there are other pressing issues
> (backups of the build cluster, for example).

Matt is squirrelled away working on the portal and I've been trying not
to bother him. So, putting it on hold sounds fine.

>
> I think we need to wait until next week to look any further into
> this from the kerberos end of things. You might choose to change
> your OS to a more "standard" Linux and then try again.
>

smile.

> By the way, the "pre-authentication failure" message is usually one
> of two things:
> - you typed your password wrong
> - the clock on your system is off by >5 min

If my password is wrong, then I'm typing it consistently wrong and
forgotten the truth. The clock on my system looks reasonable to me. How
can I tell it that jives with the KDC's (definitive) view of the world ?

dane

>
> -- lauri
>
> On Wednesday 29 December 1999 thou didst say:
> > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> >
> > > On Wednesday 29 December 1999 Dane didst say:
> > >
> > > > [root@unferth dane]# . /local/ups/etc/setups.sh
> > > > [root@unferth dane]# setup kerberos
> > > > [root@unferth dane]# $KERBEROS_DIR/sbin/ktutil
> > > > Segmentation fault
> > >
> > > This explains why the installation script is bombing out -- it is
> > > trying to run an executable that is core dumping.
> > >
> > > What kernel version are you running?
> > >
> > > We had (have!) similar problems with ups v4_5 on Linux -- it core
> > > dumps for some people, not for others. Seems that Linux 6.x (and
> > > maybe 5.2 as well) is very sensitive to kernel version, at least for
> > > some stuff).
> >
> > I'm running the standard 5.2.1 installation with the 2.2.12 kernel upgrade
> > (so, I guess that's an unstandard installation by definition).  Kernel
> > version sensitivity is unusual (more usually the libraries).  On most of my
> > machines, I'm playing with the new 6.1 installation.  I'm prepared to take
> > my main desktop up, but would rather not until I've gotten a couple weeks
> > on my home and 2ndary machine here.
> >
> > Where shall we go from here ?
> >
> > The 6.1 installs remind me to ask the question of how will
> > Strong Authentication handle DHCP machines ?  Will we have to have
> > the fixed name function working in DHCP first ?
> >
> > dane
> >
> > > > (I discovered that the "setups.sh" script had not run on my
> > > > login/su.  This doesn't seem to have affected the ups install
> > > > any: I get the same errors.)
> > >
> > > Safer to get yourself into the UPS environment, but mostly, if ups
> > > is in your path, you'll be ok.
> > >
> > > -- lauri
> > >
> > > > > ? (That's what the code is trying to do for you at this point).
> > > > >
> > > > > -- lauri
> > > > >
> > > > > On Wednesday 29 December 1999 thou didst say:
> > > > >
> > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> > > > > >
> > > > > > > Please set the environmental variable KRB_INSTALL_DEBUG (to any
> > > > > > > value at all), and then do the ups install again.  Send me the
> > > > > > > output.
> > > > > >
> > > > > > Here you go:
> > > > > >
> > > > > > [root@unferth dane]# ups install kerberos v0_3
> > > > > > Beginning installation of kerberos v0_3
> > > > > > into /usr/krb5.
> > > > > > main: nodename = >unferth.fnal.gov<
> > > > > > main: datestamp = >29Dec1999<
> > > > > > main: Now into all for UPS_PROD_NAME = kerberos
> > > > > > main: args: all
> > > > > > isInUPSEnv: checking >UPS_DIR< = >/local/ups/prd/ups/v4_4a<
> > > > > > isInUPSEnv: checking >UPS_PROD_NAME< = >kerberos<
> > > > > > isInUPSEnv: checking >UPS_PROD_VERSION< = >v0_3<
> > > > > > isInUPSEnv: checking >UPS_PROD_DIR< = >/local/ups/prd/kerberos/v0_3<
> > > > > > isInUPSEnv: checking >UPS_UPS_DIR< = >/local/ups/prd/kerberos/v0_3/ups<
> > > > > > isInUPSEnv: checking >KERBEROS_DIR< = >/local/ups/prd/kerberos/v0_3<
> > > > > > isInUPSEnv: checking >KRB_ABS_TGT< = >/usr/krb5<
> > > > > > isInUPSEnv: checking >KRB_REL_SRC< = >.<
> > > > > > isInUPSEnv: checking >KRB_SERVICES_TEMPLATE< = >/local/ups/prd/kerberos/v0_3/ups/services.template<
> > > > > > isInUPSEnv: checking >KRB_SERVICES_CONF< = >/etc/services<
> > > > > > isInUPSEnv: checking >KRB_HOSTKEY_CONF< = >/etc/krb5.keytab<
> > > > > > isInUPSEnv: checking >KRB_INETD_TEMPLATE< = >/local/ups/prd/kerberos/v0_3/ups/inetd.conf.template<
> > > > > > isInUPSEnv: checking >KRB_INETD_CONF< = >/etc/inetd.conf<
> > > > > > isInUPSEnv: checking >KRB_SSHD_TEMPLATE< = >/local/ups/prd/kerberos/v0_3/ups/sshd_config.template<
> > > > > > isInUPSEnv: checking >KRB_SSHD_CONF< = >/etc/sshd_config<
> > > > > > get_input: getting required user input.
> > > > > > get_input: HOSTKEYSCOMMAND = > ( echo "rkt /etc/krb5.keytab"
> > > > > >       echo "list"
> > > > > >       echo "exit" ) |
> > > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil
> > > > > > <
> > > > > > get_input: command successfully issued: ( echo "rkt /etc/krb5.keytab"
> > > > > >       echo "list"
> > > > > >       echo "exit" ) |
> > > > > > /local/ups/prd/kerberos/v0_3/./sbin/ktutil
> > > > > > .
> > > > > > ABORT: cannot close HOSTKEYSCONF stream.
> > > > > >
> > > > > > ******************************
> > > > > >
> > > > > > FYI: in the current installation (v0_2) the kinds of
> > > > > > errors I get all refer to some preauthentication failure.
> > > > > > Sometimes it's to a "preauthentication cache" sometimes just
> > > > > > a failure like below.
> > > > > >
> > > > > > Here's a copy in case it might be related.
> > > > > >
> > > > > > bash$ kinit
> > > > > > Password for dane@PILOT.FNAL.GOV:
> > > > > > kinit: Preauthentication failed while getting initial credentials
> > > > > >
> > > > > > dane
> > > > > >
> > > > > > > Thanks, lauri
> > > > > > >
> > > > > > > On Wednesday 29 December 1999,
> > > > > > > our friend Dane Skow spaketh thusly:
> > > > > > >
> > > > > > > > On Wed, 29 Dec 1999, Laurelin of Middle Earth, 630-840-2214 wrote:
> > > > > > > >
> > > > > > > > > On Wednesday 29 December 1999 Dane didst say:
> > > > > > > > >
> > > > > > > > > > I seem to be having troubles too.
> > > > > > > > > > At the risk of swamping the list, I'm appending the full contents
> > > > > > > > > > of my attempted upgrade:
> > > > > > > > > >
> > > > > > > > > > **First I did the upd install per the SA web pages instructions**
> > > > > > > > >
> > > > > > > > > That looks fine.
> > > > > > > > >
> > > > > > > > > > ** That seemed to go well so then I tried to do the UPS install
> > > > > > > > > > as instructed **
> > > > > > > > > >
> > > > > > > > > > [root@unferth dane]# ups install kerberos v0_3
> > > > > > > > > > Beginning installation of kerberos v0_3
> > > > > > > > > > into /usr/krb5.
> > > > > > > > > > ABORT: cannot close HOSTKEYSCONF stream.
> > > > > > > > > >
> > > > > > > > > > The INSTALL_NOTEs seem to point to READMEs for troubleshooting
> > > > > > > > > > so I will try there as well, but does this ring a bell Lauri ?
> > > > > > > > >
> > > > > > > > > No, that doesn't ring a bell.  Do you have an /etc/krb5.keytab file
> > > > > > > > > on your system already?
> > > > > > > > > If not, this would be (I think) the first
> > > > > > > > > time somebody has run through that section of code.
> > > > > > > >
> > > > > > > > Yup.  Here's the listing
> > > > > > > >
> > > > > > > > ls -l !$
> > > > > > > > ls -l /etc/k*
> > > > > > > > -rw-r--r--   1 root     root           59 Sep 14 19:08 /etc/krb.conf
> > > > > > > > -rw-r--r--   1 root     root         1129 Dec 29 10:49 /etc/krb5.conf
> > > > > > > > -rw-r--r--   1 root     root         1054 Dec 29 10:49 /etc/krb5.conf.29Dec1999
> > > > > > > > -rw-------   1 root     root          135 Sep 15 20:24 /etc/krb5.keytab
> > > > > > > >
> > > > > > > > The krb5.keytab file is not human readable.
> > > > > > > >
> > > > > > > > dane
> > > > > > >
> > > > > > > -- lauri

From kreymer@fnal.gov Mon Jan 3 11:29:42 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA17169 for ; Mon, 3 Jan 2000 11:29:42 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9LJJGM6O0009HP@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 11:29:39 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9LJJ0ZT0000APU@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Mon, 03 Jan 2000 11:29:26 -0600
Date: Mon, 03 Jan 2000 11:29:25 -0600 (EST)
From: Dane Skow
Subject: password changes
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII

I've just run into again our old friend password change minimum time.
Here's the scenario: I've been having trouble kinit'ing and in
order to rule out forgetting my password, I asked to have my
password changed.  It was.  Now on logging in the first thing I
want to do is change the password to something I can remember.

Here's what I get:

kinit
Password for dane@PILOT.FNAL.GOV:
kpasswd
kpasswd: Changing password for dane@PILOT.FNAL.GOV.
Old password:
kpasswd: dane@PILOT.FNAL.GOV's password is controlled by the policy default, which
requires a minimum of 10 characters from at least 2 classes (the five classes
are lowercase, uppercase, numbers, punctuation, and all other characters).
New password:
New password (again):
kpasswd: Password cannot be changed because it was changed too recently.
Please wait until Wed Jan 5 10:44:40 2000 before you change it.
If you need to change your password before then, contact the Helpdesk.

I think this will be a relatively common occurrence (people forgetting
their passwords) and folks won't want to live with the random password
for two days.  What are options ?  Was there an error in the way
my password was reset ?  I recall Matt saying something about the
intent being that the initial password change wouldn't have this
time delay.
dane

From kreymer@fnal.gov Mon Jan 3 12:46:04 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA17247 for ; Mon, 3 Jan 2000 12:46:04 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9O89OQJK0009HP@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 12:46:00 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9O88RHYK0009Z7@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 12:45:51 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id MAA03244; Mon, 03 Jan 2000 12:45:49 -0600 (CST)
Date: Mon, 03 Jan 2000 12:45:47 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: password changes
Sender: lauri@ossbud.fnal.gov
To: Dane Skow
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001031845.MAA03244@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol

In case it matters: I was the person who changed the password for
Dane.  The commands I used were:

    kadmin> [enter my kadmin password]
    kadmin> cpw dane@PILOT.FNAL.GOV
    new password: [enter the new password]
    again: [enter it again]

Was there some other switch I should have used?  (The online
documentation for this command is pretty minimal...)

-- lauri

On Monday 3 January 2000, our friend Dane Skow spaketh thusly:
>
> I've just run into again our old friend password change minimum time.
>
> Here's the scenario: I've been having trouble kinit'ing and in
> order to rule out forgetting my password, I asked to have my
> password changed.  It was.
> Now on logging in the first thing I
> want to do is change the password to something I can remember.
>
> Here's what I get:
>
> kinit
> Password for dane@PILOT.FNAL.GOV:
> kpasswd
> kpasswd: Changing password for dane@PILOT.FNAL.GOV.
> Old password:
> kpasswd: dane@PILOT.FNAL.GOV's password is controlled by the policy
> default, which
> requires a minimum of 10 characters from at least 2 classes (the five
> classes
> are lowercase, uppercase, numbers, punctuation, and all other characters).
> New password:
> New password (again):
> kpasswd: Password cannot be changed because it was changed too recently.
> Please wait until Wed Jan 5 10:44:40 2000 before you change it.
> If you need to change your password before then, contact the Helpdesk.
>
>
> I think this will be a relatively common occurrence (people forgetting
> their passwords) and folks won't want to live with the random password
> for two days.  What are options ?  Was there an error in the way
> my password was reset ?  I recall Matt saying something about the
> intent being that the initial password change wouldn't have this
> time delay.
>
> dane
>

From kreymer@fnal.gov Mon Jan 3 13:40:38 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA17275 for ; Mon, 3 Jan 2000 13:40:38 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9Q4SNTN40009HP@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 13:40:33 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9Q4Q7ZC200098G@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 13:40:17 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA29066 for ; Mon, 03 Jan 2000 13:40:16 -0600 (CST)
Date: Mon, 03 Jan 2000 13:40:15 -0600
From: Matt Crawford
Subject: Re: password changes
In-reply-to: "03 Jan 2000 11:29:25 CST." <"Pine.LNX.4.10.10001031124460.27052-100000"@unferth.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001031940.NAA29066@gungnir.fnal.gov>

> I think this will be a relatively common occurrence (people forgetting
> their passwords) and folks won't want to live with the random password
> for two days.  What are options ?

I have just changed policy "default" to impose no minimum interval
between password changes.  It was causing more trouble than it was
worth.  I also increased the number of old keys remembered in the
history list, to retain some deterrence against rapid cycling back to
the previous password.

> Was there an error in the way my password was reset ?  I recall Matt
> saying something about the intent being that the initial password
> change wouldn't have this time delay.
The initial password establishment is not a *change*, so it doesn't
trigger the minlife mechanism.

An alternative solution to the annoyance would have been to have the
administrator who changes the user's password also "back-date" the
password change (which kadmin allows).

From kreymer@fnal.gov Mon Jan 3 14:35:42 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA17397 for ; Mon, 3 Jan 2000 14:35:42 -0600
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9S28SL9C0009HP@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 14:35:40 -0600 CDT
Received: from cuervo ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JK9S27VYS2000AGE@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 14:35:31 -0600
Date: Mon, 03 Jan 2000 14:35:25 -0600
From: "Mark O. Kaletka"
Subject: RE: v0_3 troubles
In-reply-to:
To: Dane Skow, "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal

> -----Original Message-----
> From: Dane Skow [mailto:dane@fnal.gov]
> Sent: Wednesday, December 29, 1999 3:06 PM
> To: Laurelin of Middle Earth, 630-840-2214
> Cc: kerberos-pilot@fnal.gov
> Subject: re: v0_3 troubles
>
> >...snip...<
>
> > By the way, the "pre-authentication failure" message is usually one
> > of two things:
> > - you typed your password wrong
> > - the clock on your system is off by >5 min
>
> If my password is wrong, then I'm typing it consistently wrong and
> forgotten the truth.  The clock on my system looks reasonable to me.
> How can I tell it that jives with the KDC's (definitive) view of
> the world ?
>
> dane

You can check your ntp log to be sure you're getting a good time synch,
since the kdc is synched to ntp as well.
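Following on Mark's suggestion, here is an added example (editor's code, not from the thread or from the Fermilab kerberos product) that turns "check your ntp log" into a mechanical check. MIT krb5 rejects a request whose timestamp is more than the configured clockskew (300 seconds by default, settable as `clockskew` under `[libdefaults]` in krb5.conf) away from the KDC's clock, and the client reports that as a preauthentication failure, so a drifted clock and a mistyped password look the same to the user. The script parses the peer table that `ntpq -p` prints, takes the offset of the peer ntpd has selected (the line tagged `*`) and compares it with that limit. The peer table and host names in it are constructed; no real host was queried.

```python
"""Check the local clock against NTP before blaming a Kerberos password.

Added example for the exchange above (editor's code, not from the thread or
from the Fermilab kerberos product).  MIT krb5 rejects requests whose
timestamp differs from the KDC's clock by more than the configured clockskew,
300 seconds by default, and reports that as a preauthentication failure.
The check below parses `ntpq -p` output, takes the offset of the selected
system peer (tagged '*') and compares it with that limit.  The peer table is
constructed; no real host was queried.
"""
import re

KRB5_DEFAULT_CLOCKSKEW_S = 300.0  # MIT krb5 default clockskew: five minutes

# Constructed `ntpq -p` output.  'offset' is in milliseconds; the '*' tally
# marks the peer the local ntpd is currently synchronised to.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.gov .GPS.            1 u   43   64  377    1.203   -2.514   0.412
+ntp2.example.gov 192.0.2.10       2 u   12   64  377    1.870    0.733   0.298
 ntp3.example.gov 192.0.2.10       2 u   60   64  377    2.101  400250.0  12.000
"""

PEER_RE = re.compile(
    r"^(?P<tally>[ *+#o.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$"
)


def parse_ntpq_peers(text):
    """Return one dict per peer line; offset_ms is numeric, reach is decoded."""
    peers = []
    for line in text.splitlines():
        m = PEER_RE.match(line)
        if m is None:
            continue  # header, separator or an unexpected line
        peer = m.groupdict()
        peer["offset_ms"] = float(peer["offset"])
        peer["reach"] = int(peer["reach"], 8)  # ntpq prints reach in octal
        peers.append(peer)
    return peers


def system_peer_offset_s(text):
    """Offset in seconds to the selected system peer, or None if unsynced."""
    for peer in parse_ntpq_peers(text):
        if peer["tally"] == "*":
            return peer["offset_ms"] / 1000.0
    return None


def clock_ok_for_kerberos(text, max_skew_s=KRB5_DEFAULT_CLOCKSKEW_S):
    """True only when ntpd has a system peer and |offset| is within the skew.

    No '*' peer means ntpd has not selected a source, so the local clock may
    be anywhere; treat that as not ok rather than silently passing.
    """
    offset = system_peer_offset_s(text)
    return offset is not None and abs(offset) <= max_skew_s


if __name__ == "__main__":
    print("system peer offset: %r s" % system_peer_offset_s(SAMPLE_NTPQ))
    print("clock ok for kerberos:", clock_ok_for_kerberos(SAMPLE_NTPQ))
```

On a real host the text to feed in is the output of `ntpq -p`; a result of `None` (no selected peer) is the case to chase first, since an unsynchronised ntpd gives no bound on the drift at all.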
> >...snip...<

From kreymer@fnal.gov Mon Jan 3 14:40:26 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA17406 for ; Mon, 3 Jan 2000 14:40:26 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9S7TRZI80009HP@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 14:40:21 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9S7QXPAQ000ATP@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 14:39:59 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA29629; Mon, 03 Jan 2000 14:39:58 -0600 (CST)
Date: Mon, 03 Jan 2000 14:39:58 -0600
From: Matt Crawford
Subject: Re: password changes
In-reply-to: "03 Jan 2000 12:45:47 CST." <"200001031845.MAA03244"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001032039.OAA29629@gungnir.fnal.gov>

> In case it matters: I was the person who changed the password for
> Dane.  The commands I used were:
>
>     kadmin> [enter my kadmin password]
>     kadmin> cpw dane@PILOT.FNAL.GOV
>     new password: [enter the new password]
>     again: [enter it again]
>
> Was there some other switch I should have used?

Nope, aside from the option of spelling out change_password or putting
the password on the command line with "cpw -pw PASSWORD principal",
that's the only way to do it.
> (The online documentation for this command is pretty minimal...)

The command itself is pretty minimal.  What you can't easily deduce from
the manual, though, is that if you set the REQUIRES_PWCHANGE attribute
with

    kadmin> modprinc +needchange princname

the needchange flag trumps the password minimum lifetime and allows a
password change.  However, at the same time it *prevents* a login!  So
the user would have to do a non-Kerberos login first to get at the
kpasswd command.  Today, that's generally possible.  But in the future,
most users won't have local passwords recorded so they might be stuck
for a way in.

The other option, as I mentioned, is to

    kadmin> modprinc -lastpwchange "3 days ago" dane

It's easy to lie to computers.  If it weren't, we wouldn't be doing this
project!

From kreymer@fnal.gov Mon Jan 3 15:31:01 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA17442 for ; Mon, 3 Jan 2000 15:31:01 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9TYRA9RK0009HP@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 15:30:58 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9TYQ981400099M@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 15:30:45 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id PAA06476; Mon, 03 Jan 2000 15:30:43 -0600 (CST)
Date: Mon, 03 Jan 2000 15:30:42 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: kerberos v0_3: we think we know the problem
Sender: lauri@ossbud.fnal.gov
To: dane@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001032130.PAA06476@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol

After talking with Wayne and Marc, we think we understand the
problem with kerberos v0_3 on Dane's Linux machine (and we believe
this is the same problem that is affecting other people with the new
build of ups v4_5).

The problem is that you are running a different kernel, but the old
libraries.  In other words, when we built kerberos, we built:

    Linux+2   - built on bldlinux52, using the old libraries
    Linux+2.2 - built on bldlinux61, using the new libraries

As discussed several months ago at FUE, we are not officially
supporting the old-libraries/new-kernel combination.

The solution would be to manually force upd to select the Linux+2
flavor (it chose the Linux+2.2 flavor for you, because it was a
"better" flavor match to your kernel, whence it calculates flavor).

To fix this:

- remove the existing kerberos installation:
      ups undeclare -Y kerberos v0_3 -f Linux+2.2

- re-install, forcing upd to select the Linux+2 instance:
      upd install -f Linux+2 -z kerberos v0_3
      ups install -f Linux+2 kerberos v0_3

Then things are likely to work for you.
-- lauri

From kreymer@fnal.gov Mon Jan 3 15:53:11 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA17457 for ; Mon, 3 Jan 2000 15:53:10 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9UR92XQ80009HP@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 15:53:08 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9UR7A14K000AUG@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 15:52:56 -0600
Date: Mon, 03 Jan 2000 15:52:55 -0600 (EST)
From: Dane Skow
Subject: Re: kerberos v0_3: we think we know the problem
In-reply-to: <200001032130.PAA06476@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII

On Mon, 3 Jan 2000, Laurelin of Middle Earth, 630-840-2214 wrote:

> After talking with Wayne and Marc, we think we understand the
> problem with kerberos v0_3 on Dane's Linux machine (and we believe
> this is the same problem that is affecting other people with the new
> build of ups v4_5).
>
> The problem is that you are running a different kernel, but the old
> libraries.  In other words, when we built kerberos, we built:
>
>     Linux+2   - built on bldlinux52, using the old libraries
>     Linux+2.2 - built on bldlinux61, using the new libraries
>
> As discussed several months ago at FUE, we are not officially
> supporting the old-libraries/new-kernel combination.

Understood.  Hopefully with the imminent certification we can get beyond
this soon.
>
> The solution would be to manually force upd to select the Linux+2
> flavor (it chose the Linux+2.2 flavor for you, because it was a
> "better" flavor match to your kernel, whence it calculates flavor).
>
> To fix this:
>
> - remove the existing kerberos installation:
>       ups undeclare -Y kerberos v0_3 -f Linux+2.2

done okay

>
> - re-install, forcing upd to select the Linux+2 instance:
>
>       upd install -f Linux+2 -z kerberos v0_3

[root@unferth dane]# upd install -f Linux+2.0 -z /local/ups/db kerberos v0_3
informational: krb5conf v0_3 already exists on local node, skipping.
informational: beginning install of kerberos.
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.0/kerberos_v0_3_Linux+2.0 from fnkits.fnal.gov:9021 to /local/ups/prd/kerberos/v0_3
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.0/kerberos_v0_3_Linux+2.0/ups/. from fnkits.fnal.gov:9021 to /local/ups/prd/kerberos/v0_3/ups
informational: transferred /ftp/products/kerberos/v0_3/Linux+2.0/kerberos_v0_3_Linux+2.0.table from fnkits.fnal.gov:9021:/ to /local/ups/prd/kerberos/v0_3/ups/kerberos.table.new
informational: ups declare succeeded

***********************************************************************
You should login as root and execute the command

    ups install kerberos v0_3

on each node using this copy of kerberos to complete the installation.
(See the README.INSTALL file for other installation options).
***********************************************************************

informational: product kerberos has an INSTALL_NOTE; you should read /local/ups/prd/kerberos/v0_3/ups/INSTALL_NOTE.

>       ups install -f Linux+2 kerberos v0_3

[root@unferth dane]# ups install -f Linux+2.0 kerberos v0_3
Beginning installation of kerberos v0_3
into /usr/krb5.
Host/ftp services keys have already been enabled for this node.
Preparing to configure krb5conf on this node...
Beginning installation of krb5conf v0_3 on unferth.fnal.gov.
Previous /etc/krb5.conf saved as /etc/krb5.conf.03Jan2000...
Merge new configuration information...
Logging the installation in /local/ups/prd/krb5conf/v0_3/ups/unferth.fnal.gov.log...

Reminder!!!!  You must perform this installation on each node that
shares this copy of krb5conf.

Installation of krb5conf v0_3 with afs on unferth.fnal.gov complete.
krb5conf configuration complete.
Preparing to configure service/byname on this node...
Reading template file /local/ups/prd/kerberos/v0_3/ups/services.template...
Saving backup copy of /etc/services...
Updating /etc/services file...
service/byname configuration complete.
Preparing to configure inetd on this node...
Reading template file /local/ups/prd/kerberos/v0_3/ups/inetd.conf.template...
Saving backup copy of /etc/inetd.conf...
Updating /etc/inetd.conf file...
Sending HUP to inetd...
Sorry, I can't find the inetd process.  You'll have to restart it by hand.
inetd configuration complete.
Preparing to reconfigure sshd on this node...
Reading template file /local/ups/prd/kerberos/v0_3/ups/sshd_config.template...
Saving backup copy of /etc/sshd_config...
Updating /etc/sshd_config file...
Sending HUP to sshd...
Sorry, I can't find the sshd process.  You'll have to restart it by hand.
sshd configuration complete.
Automated installation of kerberos complete.

IMPORTANT:
  1) inetd daemon restart was not completed successfully.
  2) sshd daemon restart was not completed successfully.

These steps must be completed before the kerberos installation is
complete.

[root@unferth dane]# ps aux | grep inetd
root       250  0.0  0.0   772  396  ?  S   Dec 19   0:00 inetd
root     28167  0.0  0.0   840  352  p4 S   15:51    0:00 grep inetd
[root@unferth dane]# ps aux | grep sshd
root       263  0.0  0.1  1324  568  ?  S   Dec 19   0:01 /usr/local/sbin/sshd
root     28169  0.0  0.0   840  352  p4 S   15:51    0:00 grep sshd

Now I will reboot, just to make sure everything restarts cleanly.
More when I know the results (I appended the ps output for inetd and
sshd as possible debugging info for the install script.  It complained)

Thanks,
dane

> Then things are likely to work for you.
>
> -- lauri
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Jan 3 16:05:49 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA17472 for ; Mon, 3 Jan 2000 16:05:47 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9V5ZWQJ40008RT@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 16:05:35 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9V3ZC71C0009N4@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 16:03:15 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id QAA07481; Mon, 03 Jan 2000 16:03:11 -0600 (CST)
Date: Mon, 03 Jan 2000 16:03:11 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos v0_3: we think we know the problem
Sender: lauri@ossbud.fnal.gov
To: Dane Skow
Cc: "Laurelin of Middle Earth, 630-840-2214", kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001032203.QAA07481@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol

Everything went smoothly in the new installation, with the [very minor]
exception of:

>
> IMPORTANT:
>   1) inetd daemon restart was not completed successfully.
>   2) sshd daemon restart was not completed successfully.
>
> These steps must be completed before the kerberos installation is
> complete.
>

The problem is that we have not yet been able to determine a way to
find a unique process that works on all of our systems.  What we're
using now works everywhere *except* Linux+2.0 (at least, it works when
it's possible to determine a unique inetd or sshd at all).  I don't want
to start introducing flavor-specific calculations into the installation
code unless we absolutely have to, because that makes it very very
difficult to maintain and keep up-to-date.  If Linux+2 is the only
place where we can't figure out which process to restart, and we hope
to move [universally] to Linux+2.2 (with the correct libraries!), I
think it's a small thing to manually restart these two daemons.

-- lauri

From kreymer@fnal.gov Mon Jan 3 16:08:18 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA17476 for ; Mon, 3 Jan 2000 16:08:18 -0600
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9V9WO1OW0009HP@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 16:08:15 -0600 CDT
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9V9VUJEE00098G@FNAL.FNAL.GOV>; Mon, 03 Jan 2000 16:07:59 -0600
Date: Mon, 03 Jan 2000 16:07:58 -0600 (EST)
From: "Marc W. Mengel"
Subject: Re: forwarded message from root
In-reply-to: <14442.23251.269373.566940@hamshack.fnal.gov>
To: Ken Schumacher
Cc: uas-group@fnal.gov, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
Content-id:
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_mRwoQGGATJs0nbWdqc/L/g)"

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.
  Send mail to mime@docserver.cac.washington.edu for more info.
--Boundary_(ID_mRwoQGGATJs0nbWdqc/L/g)
Content-id:
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Content-description: message body text

On Wed, 29 Dec 1999, Ken Schumacher wrote:

>
> I'm not sure what we have to do to get past this.  Perhaps you've
> done more work with the 'kerberos' stuff than I have.
>
> My guess is that the problem was the way that we launched this
> task.  I think it might work fine if we ran the 'fmb_backup' from a
> login shell, or if we started it from an authenticated/kerberos aware
> cron daemon.  Since we simply did a batch command, it does not appear
> to have gotten any carry-over authentication from the login shell.

Actually, we only need (I think) the host key, (assuming we put it in
the .k5login on the various systems.  We might need to do a kinit -k
to actually pull in the host key from the keytab file before running
the backup script.  So we can have a script like:

    #!/bin/sh
    . /fnal/ups/etc/setups.sh
    setup kerberos
    setup fmb
    # obtain credentials from the host keytab, so kcmd has a credentials cache
    kinit -k
    fmb_rsh=$KERBEROS_DIR/bin/rsh
    export fmb_rsh
    fmb_backup -f optionfile -f optionfile ...
Marc

--Boundary_(ID_mRwoQGGATJs0nbWdqc/L/g)
Content-id:
Content-type: message/rfc822; CHARSET=US-ASCII
Content-description: forwarded message

Return-path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by hamshack.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA29321 for ; Wed, 29 Dec 1999 12:00:36 -0600
Received: from bldlinux52.fnal.gov ([131.225.81.82]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK2N6FLKHM0007PB@FNAL.FNAL.GOV> for kschu@hamshack.fnal.gov (ORCPT rfc822;kschu@fnal.gov); Wed, 29 Dec 1999 12:00:36 -0600 CDT
Received: (from root@localhost) by bldlinux52.fnal.gov (8.8.7/8.8.7) id MAA13177; Wed, 29 Dec 1999 12:00:35 -0600
Date: Wed, 29 Dec 1999 12:00:35 -0600
From: root
Subject: Build Cluster Backup Report
To: stolz@fnal.gov
Cc: kschu@fnal.gov
Message-id: <199912291800.MAA13177@bldlinux52.fnal.gov>

Wed Dec 29 11:15:21 CST 1999: /usr/products/UNIX/fmb/v6_8/fmb_backup -L buildclstr.Spc.A -m quiet -u -t /dev/rmt/tps2d2n -f buildclstr.A
Checking tape label
Writing label buildclstr.Spc.A, Try 1

Archive Size Information

            Full Backup Estimate
            Low      High     Actual    Type   Name
            ---      ----     ------    ----   ----
            -        -        -         full   bldsunos26:/ [1]
            0k       0k       0k        full   bldsunos26:/ [1]
            -        -        -         full   bldsunos26:/usr [2]
            0k       0k       0k        full   bldsunos26:/usr [2]
            -        -        -         full   bldsunos26:/opt [3]
            0k       0k       0k        full   bldsunos26:/opt [3]
            -        -        -         full   bldsunos27:/ [4]
            0k       0k       0k        full   bldsunos27:/ [4]
            -        -        -         full   bldsunos27:/usr [5]
            0k       0k       0k        full   bldsunos27:/usr [5]
            -        -        -         full   bldlinux52:/ [6]
            0k       0k       0k        full   bldlinux52:/ [6]
            -        -        -         full   bldlinux61:/ [7]
            0k       0k       0k        full   bldlinux61:/ [7]
            -        -        -         full   bldlinux61:/usr/src [8]
            0k       0k       0k        full   bldlinux61:/usr/src [8]
            -        -        -         full   bldosf1v40d:/ [9]
            0k       0k       0k        full   bldosf1v40d:/ [9]
            -        -        -         full   bldosf1v40d:/usr [10]
            0k       0k       0k        full   bldosf1v40d:/usr [10]
            -        -        -         full   bldirix62:/ [11]
            -        -        -         full   bldirix62:/usr [12]
            -        -        -         full   bldirix65:/ [13]
            -------------    --------------    --------------
            0k       0k       0k        TOTAL

Executive Summary:
------------------
Wed Dec 29 12:00:35 CST 1999
The backup failed because one or more archives failed.
A total of 0 write retries were made.

========================================================================
Detailed error reports:
--------------
[1] fmb: error during fmb_backup on Wed Dec 29 11:19:06 CST 1999
    ncpio archive of bldsunos26:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    Unable to rsh to bldsunos26
    Exit code 1
    This archive may be incomplete.
--------
[2] fmb: error during fmb_backup on Wed Dec 29 11:23:28 CST 1999
    ncpio archive of bldsunos26:/usr try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    Unable to rsh to bldsunos26
    Exit code 1
    This archive may be incomplete.
--------
[3] fmb: error during fmb_backup on Wed Dec 29 11:27:49 CST 1999
    ncpio archive of bldsunos26:/opt try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    rsh: kcmd to host bldsunos26 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos26.fnal.gov: Connection refused
    Unable to rsh to bldsunos26
    Exit code 1
    This archive may be incomplete.
--------
[4] fmb: error during fmb_backup on Wed Dec 29 11:32:10 CST 1999
    ncpio archive of bldsunos27:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldsunos27 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos27.fnal.gov: Connection refused
    rsh: kcmd to host bldsunos27 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos27.fnal.gov: Connection refused
    Unable to rsh to bldsunos27
    Exit code 1
    This archive may be incomplete.
--------
[5] fmb: error during fmb_backup on Wed Dec 29 11:36:30 CST 1999
    ncpio archive of bldsunos27:/usr try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldsunos27 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos27.fnal.gov: Connection refused
    rsh: kcmd to host bldsunos27 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldsunos27.fnal.gov: Connection refused
    Unable to rsh to bldsunos27
    Exit code 1
    This archive may be incomplete.
--------
[6] fmb: error during fmb_backup on Wed Dec 29 11:40:50 CST 1999
    ncpio archive of bldlinux52:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldlinux52 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux52.fnal.gov: Connection refused
    rsh: kcmd to host bldlinux52 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux52.fnal.gov: Connection refused
    Unable to rsh to bldlinux52
    Exit code 1
    This archive may be incomplete.
--------
[7] fmb: error during fmb_backup on Wed Dec 29 11:45:11 CST 1999
    ncpio archive of bldlinux61:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldlinux61 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux61.fnal.gov: Connection refused
    rsh: kcmd to host bldlinux61 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux61.fnal.gov: Connection refused
    Unable to rsh to bldlinux61
    Exit code 1
    This archive may be incomplete.
--------
[8] fmb: error during fmb_backup on Wed Dec 29 11:49:31 CST 1999
    ncpio archive of bldlinux61:/usr/src try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldlinux61 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux61.fnal.gov: Connection refused
    rsh: kcmd to host bldlinux61 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldlinux61.fnal.gov: Connection refused
    Unable to rsh to bldlinux61
    Exit code 1
    This archive may be incomplete.
--------
[9] fmb: error during fmb_backup on Wed Dec 29 11:53:52 CST 1999
    ncpio archive of bldosf1v40d:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldosf1v40d.fnal.gov: Connection refused
    rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldosf1v40d.fnal.gov: Connection refused
    Unable to rsh to bldosf1v40d
    Exit code 1
    This archive may be incomplete.
--------
[10] fmb: error during fmb_backup on Wed Dec 29 11:58:15 CST 1999
    ncpio archive of bldosf1v40d:/usr try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldosf1v40d.fnal.gov: Connection refused
    rsh: kcmd to host bldosf1v40d failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    bldosf1v40d.fnal.gov: Connection refused
    Unable to rsh to bldosf1v40d
    Exit code 1
    This archive may be incomplete.
--------
[11] fmb: error during fmb_backup on Wed Dec 29 11:59:34 CST 1999
    ncpio archive of bldirix62:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldirix62 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    rsh: kcmd to host bldirix62 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    Unable to rsh to bldirix62
    Exit code 1
    This archive may be incomplete.
--------
[12] fmb: error during fmb_backup on Wed Dec 29 11:59:51 CST 1999
    ncpio archive of bldirix62:/usr try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldirix62 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    rsh: kcmd to host bldirix62 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    Unable to rsh to bldirix62
    Exit code 1
    This archive may be incomplete.
--------
[13] fmb: error during fmb_backup on Wed Dec 29 12:00:11 CST 1999
    ncpio archive of bldirix65:/ try 1 exited with Exit code 1
    stderr output was:
    rsh: kcmd to host bldirix65 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    rsh: kcmd to host bldirix65 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    Permission denied.
    Unable to rsh to bldirix65
    Exit code 1
    This archive may be incomplete.
--------

--Boundary_(ID_mRwoQGGATJs0nbWdqc/L/g)--

From kreymer@fnal.gov Mon Jan 3 16:10:31 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA17481 for ; Mon, 3 Jan 2000 16:10:30 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9VCTMZEO0009HP@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 16:10:29 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9VCSM1MQ0009N6@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 16:10:20 -0600
Date: Mon, 03 Jan 2000 16:10:20 -0600 (EST)
From: Dane Skow
Subject: re: kerberos v0_3: we think we know the problem
In-reply-to: <200001032203.QAA07481@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 112

On Mon, 3 Jan 2000, Laurelin of Middle Earth, 630-840-2214 wrote:
> Everything went smoothly in the new installation, with the [very
> minor] exception of:

Yes, I am able now to kinit and kpasswd to change my password. Interestingly, it permitted me to change it to what I believed my previous password to be. Is it possible that the password change that Lauri did somehow obliterated that current password?

Just as proof I'm not imagining things (and that I'm typing correctly), here's my current kinit session:

    bash$ kinit
    Password for dane@PILOT.FNAL.GOV:
    bash$ klist
    Ticket cache: /tmp/krb5cc_tty1
    Default principal: dane@PILOT.FNAL.GOV

    Valid starting      Expires             Service principal
    01/03/00 16:08:15   01/04/00 05:08:15   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV

Yes, I agree, the daemon restarts are a minor problem.
Sounds like the right compromise.

dane

> >
> > IMPORTANT:
> > 1) inetd daemon restart was not completed successfully.
> > 2) sshd daemon restart was not completed successfully.
> >
> > These steps must be completed before the kerberos installation is
> > complete.
> >
>
> The problem is that we have not yet been able to determine a way to
> find a unique process that works on all of our systems. What we're
> using now works everywhere *except* Linux+2.0 (at least, it works
> when it's possible to determine a unique inetd or sshd at all).
>
> I don't want to start introducing flavor-specific calculations into
> the installation code unless we absolutely have to, because that
> makes it very very difficult to maintain and keep up-to-date. If
> Linux+2 is the only place where we can't figure out which process to
> restart, and we hope to move [universally] to Linux+2.2 (with the
> correct libraries!), I think it's a small thing to manually restart
> these two daemons.
>
> -- lauri
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Jan 3 16:26:43 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA17490 for ; Mon, 3 Jan 2000 16:26:43 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9VWJ0E2O0009HP@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 16:26:37 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9VWF43K20009ON@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 16:26:10 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id QAA07708; Mon, 03 Jan 2000 16:26:09 -0600 (CST)
Date: Mon, 03 Jan 2000 16:26:08 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos v0_3: we think we know the problem
Sender: lauri@ossbud.fnal.gov
To: Dane Skow
Cc: "Laurelin of Middle Earth, 630-840-2214", kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001032226.QAA07708@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 113

On Monday 3 January 2000, our friend Dane Skow spaketh thusly:
> Yes, I am able now to kinit and kpasswd to change my password.
> Interestingly, it permitted me to change it to what I believed
> my previous password to be. Is it possible that the password
> change that Lauri did somehow obliterated that current password ?

More likely, and consistent with the fact that you *couldn't* use that password successfully before, I think you just had remembered the wrong password.

-- lauri

From kreymer@fnal.gov Mon Jan 3 16:34:17 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA17503 for ; Mon, 3 Jan 2000 16:34:17 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JK9W78WUCG0009HP@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 3 Jan 2000 16:34:15 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JK9W77HQUE000A1B@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 03 Jan 2000 16:34:04 -0600
Date: Mon, 03 Jan 2000 16:34:04 -0600 (EST)
From: Dane Skow
Subject: re: kerberos v0_3: we think we know the problem
In-reply-to: <200001032226.QAA07708@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 114

On Mon, 3 Jan 2000, Laurelin of Middle Earth, 630-840-2214 wrote:
> On Monday 3 January 2000,
> our friend Dane Skow spaketh thusly:
>
> > Yes, I am able now to kinit and kpasswd to change my password.
> > Interestingly, it permitted me to change it to what I believed
> > my previous password to be. Is it possible that the password
> > change that Lauri did somehow obliterated that current password ?
>
> More likely, and consistent with the fact that you *couldn't* use
> that password successfully before, I think you just had remembered
> the wrong password.

Hmm. I really don't think so. My claim is that the password I'm using now *WAS* a valid KRB5 password and that I more likely changed it and forgot to write the new one down.

Hmm. Guess that would destroy my previous theory. Also, when I run the test and change it now and try to change it back, kpasswd won't let me.

Oh, okay, when led kicking and screaming to the inevitable conclusion, I guess I can admit to being mistaken :-))

Thanks,
dane

>
> -- lauri
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Tue Jan 4 14:46:40 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA28682 for ; Tue, 4 Jan 2000 14:46:40 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKB6Q4XWNK000A2X@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 4 Jan 2000 14:46:38 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKB6Q3APU2000B46@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 04 Jan 2000 14:46:25 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA15322; Tue, 04 Jan 2000 14:46:24 -0600 (CST)
Date: Tue, 04 Jan 2000 14:46:24 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: fwd: -n32 libraries for AFS on SGI
Sender: lauri@ossbud.fnal.gov
To: crawdad@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001042046.OAA15322@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 115

------- Forwarded Message

Date: Tue, 04 Jan 2000 14:42:25 -0600
From: Ramon Pasetes
To: lauri@fnal.gov
cc: stan@fnal.gov
Subject: N32 libraries for SGI

Hi Lauri,

Transarc's sgi_62 is still O32. However, their sgi_65 code, /afs/fnal.gov/afs35/sgi_65/usr/afsws/lib, is N32. It's supposed to work for IRIX 6.5 or IRIX 6.4. If you want to try and compile kerberos under IRIX 6.2 against it, you can.

FYI: ssh compiles with o32, but it doesn't work.
-Ray

------- End of Forwarded Message

From kreymer@fnal.gov Tue Jan 4 16:03:15 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA28764 for ; Tue, 4 Jan 2000 16:03:15 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKB9E4TOYO000A2X@FNAL.FNAL.GOV> (original mail from stolz@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 4 Jan 2000 16:03:12 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKB9E41EXI0009XW@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 04 Jan 2000 16:03:03 -0600
Received: from localhost (stolz@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with ESMTP id QAA16242 for ; Tue, 04 Jan 2000 16:03:02 -0600 (CST)
Date: Tue, 04 Jan 2000 16:03:02 -0600 (CST)
From: Michael Stolz
Subject: ksu fails *only* on bldlinux52
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: ossbud.fnal.gov: stolz owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 116

I think this is for Matt? I needed ksu in order to do root-level backups last week. Lauri got ksu to work everywhere BUT on the bldlinux52 machine. Could someone please figure out what the problem is?
thanx
Mike Stolz (stolz@fnal.gov)
---------------------------------------------------

From kreymer@fnal.gov Wed Jan 5 09:38:22 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA07150 for ; Wed, 5 Jan 2000 09:38:21 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKCA97BN3K000A2X@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 5 Jan 2000 09:38:18 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKCA95WU200009WV@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 05 Jan 2000 09:38:06 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA06150; Wed, 05 Jan 2000 09:38:05 -0600 (CST)
Date: Wed, 05 Jan 2000 09:38:05 -0600
From: Matt Crawford
Subject: Re: ksu fails *only* on bldlinux52
In-reply-to: "04 Jan 2000 16:03:02 CST." <"Pine.GS4.4.05.10001041600490.16233-100000"@ossbud.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: Michael Stolz
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001051538.JAA06150@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 117

> I think this is for Matt? I needed ksu in order to do root-level backups
> last week. Lauri got ksu to work everywhere BUT on the bldlinux52
> machine. Could someone please figure out what the problem is?

Based on the "ksu -D" output provided by another pilot user experiencing the same problem on another Linux machine just 9 minutes before you, here's my shoot-from-the-hip guess: Perhaps you put your principal in /.k5login, but / is not root's home directory? Try moving the file to /root/.k5login on Linux.
M

From kreymer@fnal.gov Wed Jan 5 09:51:01 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA07157 for ; Wed, 5 Jan 2000 09:51:00 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKCAOXUKB4000A2X@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 5 Jan 2000 09:50:58 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKCAOWZ75I0009WL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 05 Jan 2000 09:50:48 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id JAA20990; Wed, 05 Jan 2000 09:50:46 -0600 (CST)
Date: Wed, 05 Jan 2000 09:50:45 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: ksu fails *only* on bldlinux52
Sender: lauri@ossbud.fnal.gov
To: Matt Crawford
Cc: Michael Stolz, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001051550.JAA20990@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 118

Yes, this works. (Mike is out sick today, so I checked for him).

Mike, what I did was to make a symbolic link from /root/.k5login to /.k5login on bldlinux52, so that you can still use /.k5login as The File Of Interest on *all* buildcluster nodes.

-- lauri

On Wednesday 5 January 2000, our friend Matt Crawford spaketh thusly:
> > I think this is for Matt? I needed ksu in order to do root-level backups
> > last week. Lauri got ksu to work everywhere BUT on the bldlinux52
> > machine. Could someone please figure out what the problem is?
>
> Based on the "ksu -D" output provided by another pilot user
> experiencing the same problem on another Linux machine just 9 minutes
> before you, here's my shoot-from-the-hip guess: Perhaps you put your
> principal in /.k5login, but / is not root's home directory? Try
> moving the file to /root/.k5login on Linux.
>
> M
>

From kreymer@fnal.gov Wed Jan 5 14:41:48 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA07363 for ; Wed, 5 Jan 2000 14:41:48 -0600
Received: from dcdsv0.fnal.gov ([131.225.81.78]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKCKUF7JWW000954@FNAL.FNAL.GOV> (original mail from stolz@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 5 Jan 2000 14:41:46 -0600 CDT
Received: from dcdsv0.fnal.gov ([131.225.81.78]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JKCKUCALWK0009YC@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 05 Jan 2000 14:41:30 -0600
Received: from localhost by dcdsv0.fnal.gov (SMI-8.6/SMI-SVR4) id OAA27744; Wed, 05 Jan 2000 14:41:28 -0600
Date: Wed, 05 Jan 2000 14:41:28 -0600 (CST)
From: Michael Stolz
Subject: re: ksu fails *only* on bldlinux52
In-reply-to: <200001051550.JAA20990@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: Matt Crawford, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 119

thanx Lauri
Mike Stolz (stolz@fnal.gov)
---------------------------------------------------

On Wed, 5 Jan 2000, Laurelin of Middle Earth, 630-840-2214 wrote:
> Date: Wed, 05 Jan 2000 09:50:45 -0600
> From: "Laurelin of Middle Earth, 630-840-2214"
> To: Matt Crawford
> Cc: Michael Stolz, kerberos-pilot@fnal.gov
> Subject: re: ksu fails *only* on bldlinux52
>
> Yes, this works. (Mike is out sick today, so I checked for him).
>
> Mike, what I did was to make a symbolic link from /root/.k5login to
> /.k5login on bldlinux52, so that you can still use /.k5login as The
> File Of Interest on *all* buildcluster nodes.
>
> -- lauri
>
> On Wednesday 5 January 2000,
> our friend Matt Crawford spaketh thusly:
>
> > > I think this is for Matt? I needed ksu in order to do root-level backups
> > > last week. Lauri got ksu to work everywhere BUT on the bldlinux52
> > > machine. Could someone please figure out what the problem is?
> >
> > Based on the "ksu -D" output provided by another pilot user
> > experiencing the same problem on another Linux machine just 9 minutes
> > before you, here's my shoot-from-the-hip guess: Perhaps you put your
> > principal in /.k5login, but / is not root's home directory? Try
> > moving the file to /root/.k5login on Linux.
> >
> > M
> >
>

From kreymer@fnal.gov Thu Jan 6 15:08:48 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA18662 for ; Thu, 6 Jan 2000 15:08:48 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKE037ABXC000BKZ@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 6 Jan 2000 15:08:43 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKE036JA28000BLR@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 06 Jan 2000 15:08:32 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA11527 for ; Thu, 06 Jan 2000 15:08:31 -0600 (CST)
Date: Thu, 06 Jan 2000 15:08:31 -0600
From: Matt Crawford
Subject: network outage will affect KDC
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001062108.PAA11527@gungnir.fnal.gov>
Content-id: <11518.947192881.0@gungnir.fnal.gov>
MIME-version: 1.0
Content-type: multipart/mixed; boundary="Boundary_(ID_Dh18ae47DB009p6OFJhy+g)"
Status: RO
X-Status:
X-Keywords:
X-UID: 120

--Boundary_(ID_Dh18ae47DB009p6OFJhy+g)
Content-id: <11518.947192881.1@gungnir.fnal.gov>
Content-type: text/plain; charset="us-ascii"

The outage described in the attached message will affect the primary KDC. The slave KDC on subnet 80 will be available. Anyone using Kerberos during this interruption is requested to report their perception of the failover delay.

--Boundary_(ID_Dh18ae47DB009p6OFJhy+g)
MIME-version: 1.0
Content-type: message/rfc822

Return-path: netdown-error@fnal.gov
Date: Thu, 06 Jan 2000 14:56:41 -0600
From: Phil DeMar
Subject: Network out on Thursday (1/13) morning at 6:30am affecting subnet 110
To: netdown@fnal.gov
Errors-to: netdown-error@fnal.gov
Message-id: <000701bf5888$882e8590$0750e183@blackbird.fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit

Notice of Scheduled Network Outage
---------------------------------------------------

## Date/time: Thursday, January 13, 6:30 am

## Duration: Approximately 10 minutes

## Description of Network Maintenance:
The FCC General Computing Resources LAN (subnet 131.225.110.x systems...) is being disconnected from the general site backbone, and directly connected to its own router port. This change will provide router isolation for subnet 110 systems.

## Affected Areas of the Network:
Systems in subnet 110 will be cut off from the rest of the site network during the cutover period. ARP tables of subnet 110 systems may temporarily contain some erroneous entries after the cutover is completed.

## Unaffected Areas of the Network:
The rest of the network should not be affected by this work, other than losing access to subnet 110 systems during the outage period.
## Contact: Phil Demar x3678

--Boundary_(ID_Dh18ae47DB009p6OFJhy+g)--

From kreymer@fnal.gov Mon Jan 10 08:17:18 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA27723 for ; Mon, 10 Jan 2000 08:17:18 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKJ6VK0QY8000CBU@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 10 Jan 2000 08:17:16 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKJ6VJAHCU000B8R@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Mon, 10 Jan 2000 08:17:09 -0600
Date: Mon, 10 Jan 2000 08:17:08 -0600 (EST)
From: Dane Skow
Subject: kinit
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 121

I notice this morning the following odd behaviour:

When I tried to kinit to get a new ticket (after the weekend) I mistyped my password and aborted by hitting the return (since it doesn't seem to like backspace for me to correct typos). It then proceeded to ask me for the CH/MAC, to which, just for fun, I gave the response. This doesn't seem to have worked (and yes, I typed the letters in upper case).

It would seem that either a) the CH/MAC query should not be a fallback for invalid passwords on a kinit, or b) there may be a problem with this path through the CH/MAC code.

In trying to document my configuration for this debugging note, I note that I seem to be using the v0_2 Kerberos. This is odd given that I installed the upgrade to v0_3 (and I thought made it current) (all this is on unferth). Guess I'll have to poke around more later.
    bash$ kinit
    Password for dane@PILOT.FNAL.GOV:
    Press CH/MAC and enter this on the keypad: [57480484]
    Enter the displayed response:
    kinit: Password incorrect
    bash$ env | grep -i kerb
    KERBEROS_DIR=/local/ups/prd/kerberos/v0_2
    PATH=/local/ups/prd/kerberos/v0_2/usr/local/bin:/local/ups/prd/ups/v4_4a/bin:/usr/bin:/usr/X11R6/bin:/afs/fnal/files/home/room1/dane/bin:/bin:/usr/bin:/usr/sbin:/etc:/usr/etc:/usr/afsws/bin:/usr/bin/X11:/usr/X11R6/bin:/usr/local/bin:.:/usr/local/sbin
    SETUP_KERBEROS=kerberos v0_2 -f Linux+2 -z /local/ups/db
    bash$ which kinit
    /local/ups/prd/kerberos/v0_2/usr/local/bin/kinit
    bash$ ls -l /local/ups/prd/kerberos/v0_2/usr/local/bin/kinit
    -rwxr-xr-x   1 crawdad  g150  11088 Aug 26 13:40 /local/ups/prd/kerberos/v0_2/usr/local/bin/kinit
    bash$ setup ups
    bash$ ups list kerberos
    DATABASE=/local/ups/db
            Product=kerberos        Version=v0_2    Flavor=Linux+2
                    Qualifiers=""   Chain=current
    DATABASE=/afs/fnal.gov/ups/db

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Jan 10 08:21:05 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA27728 for ; Mon, 10 Jan 2000 08:21:05 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKJ701OF8W000CBU@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 10 Jan 2000 08:21:00 -0600 CDT
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKJ6ZZSTJA000D7X@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Mon, 10 Jan 2000 08:20:44 -0600
Date: Mon, 10 Jan 2000 08:20:44 -0600 (EST)
From: Dane Skow
Subject: the plot thickens
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 122

Here's what I get with kinit after I enter my password properly:

    bash$ kinit
    Password for dane@PILOT.FNAL.GOV:
    Press ENTER and compare this challenge to the one on your display: [02042800]
    Enter the displayed response:
    kinit: Preauthentication failed while getting initial credentials

(I botched the displayed response because while that was indeed the challenge displayed, I did not recall Matt's instructions on how to get the response - CH/MAC key did not work).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Jan 10 09:51:02 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA27889 for ; Mon, 10 Jan 2000 09:51:01 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JKJA54ZL80000CTG@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 10 Jan 2000 09:50:54 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JKJA502SVK000BV1@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 10 Jan 2000 09:50:17 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id JAA20707; Mon, 10 Jan 2000 09:50:16 -0600 (CST)
Date: Mon, 10 Jan 2000 09:50:16 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: cryptocard works, I guess
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001101550.JAA20707@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 123

I seem to be using my cryptocard successfully, but I don't quite understand the mechanism it uses to decide whether or not to ask
me for cryptocard information. My questions (for those who aren't interested in reading the details below): a) WHY am I being asked for cryptocard information, when I'm not logging into the portal itself? Shouldn't my kerberos password be enough, if I'm on a node running kerberos? a') Am I going to need to carry my cryptocard with me all the time in the future? b') Why was I asked for the cryptocard info on ossbud, but NOT when I was getting my initial tickets on my NT workstation? b) Observation: After the first successful cryptocard challenge, the wording of the subsequent requests seems a bit confusing: Press ENTER and compare this challenge to the one on your display: [71551789] (and then, *after* you press ENTER) Enter the displayed response: The sequence is somewhat different than the above would indicate. It's more like Compare this challenge to the one on your display. If they match, press ENTER. [xxxxxxxx] (then followed by Enter the displayed response: ) b') What to do if they don't match? Details of what I did and what I saw are below. -- lauri This morning I logged in to my NT workstation. I used WRQ to open an encrypted kerberized telnet session onto ossbud. I was prompted by WRQ for my kerberos password, which was accepted. I was now logged in on ossbud, but without tickets. I used WRQ to open a second kerberized telnet session onto ossbud. This time I was not prompted for a password, and was successfully logged in to ossbud (again without tickets). (This is all normal). Then in one of the telnet windows I entered the command "kinit -r7d" on ossbud, in order to obtain tickets. 
After I entered my kerberos password, I was then prompted for cryptocard information (this is the first time I've been prompted for anything related to cryptocard): ossbud> kinit -r7d Password for lauri@PILOT.FNAL.GOV: Press CH/MAC and enter this on the keypad: [46561468] Enter the displayed response: I did as instructed and was then successfully logged in, with tickets: ossbud:~/UAS> klist -f Ticket cache: /tmp/krb5cc_20 Default principal: lauri@PILOT.FNAL.GOV Valid starting Expires Service principal 01/10/00 09:33:08 01/10/00 22:33:08 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV renew until 01/17/00 09:32:01, Flags: FRIHA 01/10/00 09:33:09 01/10/00 22:33:08 afs/fnal.gov@PILOT.FNAL.GOV renew until 01/17/00 09:32:01, Flags: FRHA Then I went to the second telnet window to get tickets. Again, I was prompted for cryptocard information: ossbud:~> kinit -r7d Password for lauri@PILOT.FNAL.GOV: Press ENTER and compare this challenge to the one on your display: [71551789] Enter the displayed response: Again it worked. 
-- lauri

From kreymer@fnal.gov Mon Jan 10 15:20:22 2000 -0600
From: Matt Crawford
Date: Mon, 10 Jan 2000 15:20:07 -0600
Subject: Solaris 8 will have Kerberos V5
To: kerberos-pilot@fnal.gov

> Here are just a few of the many new features in the Solaris
> 8 Operating Environment Early Access version:
> [...]
> - Security Enhancements: Role-Based Access Control (RBAC), IPsec for
>   IPv4, Kerberos v5

From kreymer@fnal.gov Wed Jan 12 16:44:24 2000 -0600
From: Ken Schumacher
Date: Wed, 12 Jan 2000 16:44:14 -0600 (CST)
Subject: Problem with v0_3 'ksu' command
To: kerberos-pilot@fnal.gov

Greetings,

I've been having problems trying to figure out why I could not get 'ksu' to work for me. I was getting strange errors like:

kschu@ossbud$ ksu
ksu: Not owner while selecting the best principal
kschu@ossbud$ klist
Ticket cache: /tmp/krb5cc_7885
Default principal: kschu@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
01/12/00 16:10:56  01/13/00 05:10:56  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
01/12/00 16:10:56  01/13/00 05:10:56  afs/fnal.gov@PILOT.FNAL.GOV
01/12/00 16:11:15  01/13/00 05:10:56  host/bldlinux52.fnal.gov@PILOT.FNAL.GOV
kschu@ossbud$ telnet bldlinux52

[ clip ]

kschu@bldlinux52$ klist
Ticket cache: /tmp/krb5cc_p15936
Default principal: kschu@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
01/12/00 16:33:33  01/13/00 05:10:56  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
kschu@bldlinux52$ ksu
ksu: Operation not permitted while selecting the best principal

And then Marc Mengel happened by my office. He suggested a couple of things to look at. We found the following:

kschu@bldlinux52$ which ksu
/fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu

kschu@bldlinux52$ ls -lAF /fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu
-rwsr-xr-x   1 crawdad  g150   42900 Nov  4 11:50 /fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu*

We don't think this file should be SUID for 'crawdad'. We checked the executable in /usr/krb5/bin and we see:

kschu@bldlinux52$ ls -lAF /usr/krb5/bin/ksu
-rwsr-xr-x   1 root     root   42900 Dec 29 16:23 /usr/krb5/bin/ksu*

When I spell out the path and use this version of 'ksu' I am able to get in just fine.

Who is it that needs to fix v0_3 of the kerberos product? What will it take to roll this fix out to the various systems where it is installed?

Sorry if this message is less than readable, but I wanted to include all the details of our debugging efforts.

More later,
Ken S.
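Two local prerequisites for ksu come up in this thread: the ksu that PATH selects must be setuid root (Ken's v0_3 copy above is setuid 'crawdad', so it runs with crawdad's privilege rather than root's and cannot switch uid), and, as Matt Crawford spells out further down the thread, the caller's principal must be listed in root's .k5login, which sits in / on some systems and /root on Linux. The following pre-flight check is an added example, not code from the thread or from the Fermi kerberos product; its helper names are its own, and the principals and paths used in it are constructed samples.

```python
# Added example (not from the kerberos-pilot thread or the kerberos product):
# check the two things ksu needs before it can grant root.
#   1. The ksu that PATH resolves to must be setuid *root*.  A setuid bit on a
#      file owned by an ordinary user hands ksu that user's uid, not root's.
#   2. The caller's principal must appear in the target account's .k5login;
#      root's home is / on some systems and /root on Linux, so check both.
# Helper names are this example's own; sample principals/paths are constructed.
import os
import pwd
import stat


def resolve_on_path(name, path_env):
    """First executable called `name` along a PATH string, like `which`; None if absent."""
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d or ".", name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def owner_name(path):
    """Owner of `path` as a login name, falling back to the numeric uid."""
    uid = os.stat(path).st_uid
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def classify_setuid(path):
    """'not-setuid', 'setuid-root' or 'setuid-nonroot' for the file at `path`."""
    st = os.stat(path)
    if not st.st_mode & stat.S_ISUID:
        return "not-setuid"
    return "setuid-root" if st.st_uid == 0 else "setuid-nonroot"


def audit_ksu(path_env, name="ksu"):
    """Locate the ksu PATH would run and say whether its setuid setup can work."""
    exe = resolve_on_path(name, path_env)
    if exe is None:
        return {"path": None, "ok": False, "reason": "%s not found on PATH" % name}
    kind = classify_setuid(exe)
    if kind == "setuid-root":
        return {"path": exe, "ok": True, "reason": "setuid root"}
    if kind == "setuid-nonroot":
        return {"path": exe, "ok": False,
                "reason": "setuid but owned by %s, not root" % owner_name(exe)}
    return {"path": exe, "ok": False, "reason": "setuid bit not set"}


def parse_k5login(text):
    """Principals in a .k5login body: one per line, blank lines and '#' lines ignored."""
    principals = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            principals.append(line)
    return principals


def k5login_authorizes(principal, home_dirs=("/root", "/")):
    """True if a .k5login in any of `home_dirs` lists `principal`.

    Both /root and / are tried by default because, as the thread notes, a
    .k5login dropped in / is ignored on Linux, where root's home is /root.
    """
    for home in home_dirs:
        try:
            with open(os.path.join(home, ".k5login")) as f:
                if principal in parse_k5login(f.read()):
                    return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    report = audit_ksu(os.environ.get("PATH", ""))
    print("ksu:", report["path"], "-", report["reason"])
    me = "yocum@PILOT.FNAL.GOV"  # constructed sample principal
    print(".k5login for root lists", me, ":", k5login_authorizes(me))
```

Run on the machine in question, the first line of output reproduces Ken's finding (the ups-product ksu wins the PATH race but is not setuid root) without having to read `ls -l` by eye; the second line tells a sysadmin whether the .k5login step has actually been done in the directory root's login uses.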
From kreymer@fnal.gov Thu Jan 13 09:56:33 2000 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Date: Thu, 13 Jan 2000 09:55:59 -0600
Subject: re: Problem with v0_3 'ksu' command
To: Ken Schumacher
Cc: kerberos-pilot@fnal.gov

This is a known problem, and I am working on it. The fix will be included in the next release of kerberos.

-- lauri

On Wednesday 12 January 2000, our friend Ken Schumacher spaketh thusly:
> Greetings,
>
> I've been having problems trying to figure out why I could not get
> 'ksu' to work for me. I was getting strange errors like:
>
> kschu@ossbud$ ksu
> ksu: Not owner while selecting the best principal
> kschu@ossbud$ klist
> Ticket cache: /tmp/krb5cc_7885
> Default principal: kschu@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 01/12/00 16:10:56  01/13/00 05:10:56  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> 01/12/00 16:10:56  01/13/00 05:10:56  afs/fnal.gov@PILOT.FNAL.GOV
> 01/12/00 16:11:15  01/13/00 05:10:56  host/bldlinux52.fnal.gov@PILOT.FNAL.GOV
> kschu@ossbud$ telnet bldlinux52
>
> [ clip ]
>
> kschu@bldlinux52$ klist
> Ticket cache: /tmp/krb5cc_p15936
> Default principal: kschu@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 01/12/00 16:33:33  01/13/00 05:10:56  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> kschu@bldlinux52$ ksu
> ksu: Operation not permitted while selecting the best principal
>
>
> And then Marc Mengel happened by my office. He suggested a couple
> of things to look at. We found the following:
>
> kschu@bldlinux52$ which ksu
> /fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu
>
> kschu@bldlinux52$ ls -lAF /fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu
> -rwsr-xr-x   1 crawdad  g150   42900 Nov  4 11:50 /fnal/ups/kerberos/v0_3/Linux+2.0/./bin/ksu*
>
> We don't think this file should be SUID for 'crawdad'. We checked
> the executable in /usr/krb5/bin and we see:
>
> kschu@bldlinux52$ ls -lAF /usr/krb5/bin/ksu
> -rwsr-xr-x   1 root     root   42900 Dec 29 16:23 /usr/krb5/bin/ksu*
>
> When I spell out the path and use this version of 'ksu' I am able
> to get in just fine.
>
> Who is it that needs to fix v0_3 of the kerberos product? What
> will it take to roll this fix out to the various systems where it is
> installed?
>
> Sorry if this message is less than readable, but I wanted to
> include all the details of our debugging efforts.
>
> More later,
> Ken S.
>

From kreymer@fnal.gov Tue Jan 18 15:43:41 2000 -0600
From: Paul Hubbard
Date: Tue, 18 Jan 2000 15:43:31 -0600
Subject: Principle request
To: kerberos-pilot@fnal.gov

Sir/madam -

I'm working with Mark Leininger to get Kerberos working on my box/person, and I need to get a principal.

Please let me know what I need to do,
Paul

ps x8408
--
Paul Hubbard phubbard@fnal.gov

From kreymer@fnal.gov Tue Jan 18 15:50:08 2000 -0600
From: aheavey@fnal.gov
Date: Tue, 18 Jan 2000 15:49:55 -0600
Subject: doc URL change
To: kerberos-pilot@fnal.gov

The URL for the in-progress "strong authentication" documentation was just inadvertently changed to:

http://wwwserver1.fnal.gov/www/docs/StrongAuth/html/strong_auth.html

-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Tue Jan 18 15:50:53 2000 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Date: Tue, 18 Jan 2000 15:50:37 -0600
Subject: re: Principle request
To: Paul Hubbard
Cc: kerberos-pilot@fnal.gov

I need to know the nodename of the box, so that I can register it. Presumably, you will also need a kerberos principal. Please let me know the nodename.

-- lauri

On Tuesday 18 January 2000, our friend Paul Hubbard spaketh thusly:
> Sir/madam -
>
> I'm working with Mark Leininger to get Kerberos working on my
> box/person, and I need to get a principal.
>
> Please let me know what I need to do,
> Paul
>
> ps x8408
> --
> Paul Hubbard phubbard@fnal.gov

From kreymer@fnal.gov Tue Jan 18 15:53:08 2000 -0600
From: John Marraffino
Date: Tue, 18 Jan 2000 15:54:41 -0600 (CST)
Subject: Re: doc URL change
To: aheavey@fnal.gov
Cc: kerberos-pilot@fnal.gov, marafino@fnpat1.fnal.gov

Now that it has been changed, is it going to stay that way?
Cheers
John

> The URL for the in-progress "strong authentication" documentation was
> just inadvertently changed to:
>
> http://wwwserver1.fnal.gov/www/docs/StrongAuth/html/strong_auth.html
>
> -- Anne
>
> Anne Heavey
> Fermilab Computing Division
> Phone: 630-840-8039
> Location: Wilson Hall 8.18 (NE corner)
> MS: 120

=======================================================================
John Marraffino                              marafino@fnal.gov
Fermi National Accelerator Lab               PHONE: (630)840-4483
Computing Division/Physics Analysis Tools    FAX: (630)840-2783
=======================================================================
"The surest sign that intelligent life exists elsewhere in the universe is that it has never tried to contact us." Calvin and Hobbes (Bill Watterson)

From kreymer@fnal.gov Tue Jan 18 15:58:04 2000 -0600
From: Anne Heavey
Date: Tue, 18 Jan 2000 15:57:49 -0600
Subject: Re: doc URL change
To: John Marraffino
Cc: aheavey@fnal.gov, kerberos-pilot@fnal.gov

> Now that it has been changed, is it going to stay that way?
>
> Cheers
> John
>
> > The URL for the in-progress "strong authentication" documentation was
> > just inadvertently changed to:
> >
> > http://wwwserver1.fnal.gov/www/docs/StrongAuth/html/strong_auth.html
> >
> > -- Anne

No -- this is its pre-release location. Once I release it, I will copy it to a permanent location. I will send around that URL when it's time. I'm planning to have it ready around the end of this month. (I also plan to produce a postscript version.)

-- Anne

From kreymer@fnal.gov Sun Jan 23 14:49:06 2000 -0600
From: Stephan Lammel
Date: Sun, 23 Jan 2000 14:48:58 -0600 (CST)
Subject: second network interface...
To: kerberos-pilot@fnal.gov

Dear All,

it looks like kerberos is sensitive to the network interface of a machine. We configured the Gigabit Ethernet interface on fcdfsgi2 last week. Kerberos rejects all connections coming in through that interface. I don't see the network address/name in any configuration file. Is this something on the key server? Is there a way to do the aliasing on the machine itself?

cheers, Stephan

80:b0sun01 % /usr/krb5/bin/rsh 131.225.240.130 -l lammel 'hostname'
131.225.240.130: Connection refused
trying normal rsh (/bin/rsh)
WARNING: NO ENCRYPTION!
Permission denied.
81:b0sun01 % /usr/krb5/bin/rsh 131.225.108.5 -l lammel 'hostname'
This rsh session is using DES encryption for all data transmissions.
fcdfsgi2
82:b0sun01 %

From kreymer@fnal.gov Mon Jan 24 10:24:53 2000 -0600
From: Matt Crawford
Date: Mon, 24 Jan 2000 10:23:54 -0600
Subject: Re: second network interface...
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov

    80:b0sun01 % /usr/krb5/bin/rsh 131.225.240.130 -l lammel 'hostname'
    131.225.240.130: Connection refused
    trying normal rsh (/bin/rsh)
    WARNING: NO ENCRYPTION!
    Permission denied.

When I do "ifconfig -a" or "netstat -in" on fcdfsgi2, it tells me that it has an address of 131.225.240.129, not ...130. That address seems to be attached to a "b0sgi02", *but is not in the nameserver and may be in use without proper DCG registration!*. B0sgi2 has no Kerberos installed, which explains the "connection refused" error.

That is not to say that using the right address would have worked, though:

    gungnir 852% rsh 131.225.240.129 date
    rsh: kcmd to host 131.225.240.129 failed - Server not found in Kerberos database

Kerberos has to figure out which "host" principal to get a ticket for (in this case it needs to discover host/fcdfsgi2.fna.gov@PILOT.FNAL.GOV), and the only way it can do that when you give an address is to consult the (DNS or /etc/hosts or NIS) address->name mapping. This address happens to also be unlisted (naughty CDF!) and so that fails.

Solution: use the hostname or the correct address, AND make sure all addresses are associated with *the official* hostname in DNS! (If you want to have a "convenience name" which maps to a single interface's IP address, that's fine, but you can't use that name in a Kerberos command, and the reverse mapping had better point to the official name.)
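The lookup chain Matt describes, as an added example that is not code from the thread or from MIT Kerberos: a model of how the client turns the name or address on its command line into host/<official name>@REALM before asking the KDC for a ticket. The forward and reverse tables stand in for DNS (or /etc/hosts or NIS), the principal set for the KDC's database, and all records are constructed samples built around the hosts in the thread. The three reverse-map states show the unregistered Gigabit address, a reverse record pointing at a per-interface convenience name, and the fix Matt asks for (reverse record pointing at the official name).

```python
# Added example, not from the thread or MIT Kerberos: how a Kerberized rsh/telnet
# client derives the service principal.  An address can only become a name via
# the reverse (address->name) map; a name is looked up forward and its first
# address mapped back (MIT's 'rdns' behaviour).  Every record below is
# constructed sample data; kcmd_lookup() is a model, not MIT's kcmd().

REALM = "PILOT.FNAL.GOV"
OFFICIAL = "fcdfsgi2.fnal.gov"        # the registered host name
ALIAS = "fcdfsgi2-ge.fnal.gov"        # constructed per-interface "convenience name"
ADDR_MAIN = "131.225.108.5"           # interface that works in the thread
ADDR_GIGE = "131.225.240.129"         # the Gigabit Ethernet interface

# name -> addresses (forward records)
FORWARD = {OFFICIAL: [ADDR_MAIN, ADDR_GIGE], ALIAS: [ADDR_GIGE]}

# address -> name (reverse records), in three states
REVERSE_UNLISTED = {ADDR_MAIN: OFFICIAL}                      # GigE address unregistered
REVERSE_ALIASED = {ADDR_MAIN: OFFICIAL, ADDR_GIGE: ALIAS}     # reverse points at the alias
REVERSE_OFFICIAL = {ADDR_MAIN: OFFICIAL, ADDR_GIGE: OFFICIAL}  # reverse points at official name

# what the KDC knows: only the official name has a host key
KDC_PRINCIPALS = {"host/%s@%s" % (OFFICIAL, REALM)}


def is_ipv4(target):
    """True for a dotted-quad address, False for anything that looks like a name."""
    parts = target.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def canonical_hostname(target, reverse, forward=FORWARD):
    """Name the client will put in the host principal, or None if it cannot get one."""
    if is_ipv4(target):
        return reverse.get(target)          # only the reverse map can name an address
    addrs = forward.get(target)
    if not addrs:
        return None                         # name does not resolve at all
    return reverse.get(addrs[0], target)    # canonicalise via the first address


def host_principal(target, reverse):
    """host/<canonical name>@REALM, or None when no name could be derived."""
    name = canonical_hostname(target, reverse)
    return None if name is None else "host/%s@%s" % (name, REALM)


def kcmd_lookup(target, reverse, kdc=KDC_PRINCIPALS):
    """Outcome of the client's service-ticket request as a short status string."""
    princ = host_principal(target, reverse)
    if princ is None:
        return "Server not found in Kerberos database (no name for %s)" % target
    if princ not in kdc:
        return "Server not found in Kerberos database (%s)" % princ
    return "ok: " + princ


if __name__ == "__main__":
    states = (("unlisted", REVERSE_UNLISTED), ("aliased", REVERSE_ALIASED),
              ("official", REVERSE_OFFICIAL))
    for label, rev in states:
        for target in (OFFICIAL, ADDR_MAIN, ADDR_GIGE, ALIAS):
            print("%-9s %-22s %s" % (label, target, kcmd_lookup(target, rev)))
```

Running it prints one line per (reverse-map state, target) pair: with the Gigabit address unlisted it fails exactly as Matt's `rsh 131.225.240.129 date` did; with the reverse record aimed at the convenience name the client dutifully asks for host/fcdfsgi2-ge.fnal.gov, which the KDC has never heard of; only when every address maps back to the official name do the address and the alias both work.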
From kreymer@fnal.gov Mon Jan 24 14:48:02 2000 -0600
From: Dan Yocum
Date: Mon, 24 Jan 2000 14:47:49 -0600
Subject: Upgrading bldlinux61
To: kerberos-pilot@fnal.gov
Cc: yocum@fnal.gov

I need to upgrade bldlinux61 to the latest kernel so people can test building products on it, for completeness sake. I'll need root access and a time that's good for everyone for it to be down for half an hour.

Who do I need to arrange this with?

Dan

___________________________________________________________________________
Dan Yocum                        | Phone: (630) 840-8525
Linux Research and Development   | Fax: (630) 840-6345
Computing Division, OSS Dept.    | email: yocum@fnal.gov
Fermi National Accelerator Lab   | WWW: www-oss.fnal.gov/~yocum/
P.O. Box 500                     |
Batavia, IL 60510                | "TANSTAAFL"
_________________________________|_________________________________

From kreymer@fnal.gov Mon Jan 24 15:02:15 2000 -0600
From: Matt Crawford
Date: Mon, 24 Jan 2000 15:01:38 -0600
Subject: Re: Upgrading bldlinux61
To: Dan Yocum
Cc: kerberos-pilot@fnal.gov

> I need to upgrade bldlinux61 to the latest kernel so people can
> test building products on it, for completeness sake.

I can't control access, but I logged out of my buildmanager session just now.

By the way, Kerberos users, v0_4 is in kits as "test" at the moment (except for the pesky IRIX+6 flavor, which should be there in a couple of hours). File ups/RELEASE-NOTES.v0_4 describes the portal access support, which is conceptually quite improved and simplified compared to the original design.
From kreymer@fnal.gov Mon Jan 24 15:18:02 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29563 for ; Mon, 24 Jan 2000 15:18:02 -0600 Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL35MXEY28000HTB@FNAL.FNAL.GOV> (original mail from csieh@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 24 Jan 2000 15:17:58 -0600 CDT Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL35MWQRT0000IOR@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 24 Jan 2000 15:17:47 -0600 Received: from localhost (csieh@localhost) by fsgi02.fnal.gov (980427.SGI.8.8.8/970903.SGI.AUTOCF) via ESMTP id PAA01054; Mon, 24 Jan 2000 15:17:47 -0600 (CST) Date: Mon, 24 Jan 2000 15:17:46 -0600 From: Connie Sieh Subject: Re: Upgrading bldlinux61 In-reply-to: <200001242101.PAA14503@gungnir.fnal.gov> To: Matt Crawford Cc: Dan Yocum , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 136 Matt, I asked Dan to send mail to kerberos-pilot so as to find the "right" answer to the question "How do sysadmins get "root" access to "kerberized in the strenghten realm machines". So is your answer described below right for the above question? -connie On Mon, 24 Jan 2000, Matt Crawford wrote: > > I need to upgrade bldlinux61 to the latest kernel so people can > > test building products on it, for completeness sake. > > I can't control access, but I logged out of my buildmanager session > just now. > > By the way, Kerberos users, v0_4 is in kits as "test" at the moment > (except for the pesky IRIX+6 flavor, which should be there in a > couple of hours). 
File ups/RELEASE-NOTES.v0_4 describes the portal > access support, which is conceptually quite improved and simplified > simpler compared to the original design. > From kreymer@fnal.gov Mon Jan 24 15:31:27 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29576 for ; Mon, 24 Jan 2000 15:31:26 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL364GBY7K000HTB@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 24 Jan 2000 15:31:22 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL364EXJDK000IOL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 24 Jan 2000 15:31:07 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA14717; Mon, 24 Jan 2000 15:31:07 -0600 (CST) Date: Mon, 24 Jan 2000 15:31:07 -0600 From: Matt Crawford Subject: Re: Upgrading bldlinux61 In-reply-to: "24 Jan 2000 15:17:46 CST." <"Pine.SGI.4.05.10001241515150.26356-100000"@fsgi02.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Connie Sieh Cc: Dan Yocum , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200001242131.PAA14717@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 137 > I asked Dan to send mail to kerberos-pilot so as to find the > "right" answer to the question "How do sysadmins get "root" access > to "kerberized in the strenghten realm machines". So is your answer > described below right for the above question? No, Kerberos v0_4 is irrelevant to that. For any version of Kerberos, the right answer is: Get your kerberos principal (eg, yocum@PILOT.FNAL.GOV) listed in the .k5login in root's home directory, be that / or /root. 
(That bit of variety has led to some confusion, with people putting a .k5login in / and it not working for Linux.)

Log in to the machine with Kerberos, forwarding your ticket-granting-ticket. (It will be forwarded automatically unless you override that or monkey with your /etc/krb5.conf.)

Use "ksu" instead of "su".

Matt

From kreymer@fnal.gov Mon Jan 24 15:46:14 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA29585 for ; Mon, 24 Jan 2000 15:46:14 -0600
Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL36MUA1HC000HTB@FNAL.FNAL.GOV> (original mail from csieh@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 24 Jan 2000 15:46:12 -0600 CDT
Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL36MSPZYU000IOQ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 24 Jan 2000 15:45:57 -0600
Received: from localhost (csieh@localhost) by fsgi02.fnal.gov (980427.SGI.8.8.8/970903.SGI.AUTOCF) via ESMTP id PAA02704; Mon, 24 Jan 2000 15:45:56 -0600 (CST)
Date: Mon, 24 Jan 2000 15:45:56 -0600
From: Connie Sieh
Subject: Re: Upgrading bldlinux61
In-reply-to: <200001242131.PAA14717@gungnir.fnal.gov>
To: Matt Crawford
Cc: Dan Yocum, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 138

Matt, thanks.

-connie

On Mon, 24 Jan 2000, Matt Crawford wrote:

> > I asked Dan to send mail to kerberos-pilot so as to find the
> > "right" answer to the question "How do sysadmins get "root" access
> > to "kerberized in the strengthened realm machines". So is your answer
> > described below right for the above question?
>
> No, Kerberos v0_4 is irrelevant to that.
> For any version of
> Kerberos, the right answer is:
>
> Get your kerberos principal (eg, yocum@PILOT.FNAL.GOV) listed
> in the .k5login in root's home directory, be that / or /root.
> (That bit of variety has led to some confusion, with people
> putting a .k5login in / and it not working for Linux.)
>
> Log in to the machine with Kerberos, forwarding your ticket-
> granting-ticket. (It will be forwarded automatically unless
> you override that or monkey with your /etc/krb5.conf.)
>
> Use "ksu" instead of "su".
>
>
> Matt
>

From kreymer@fnal.gov Mon Jan 24 16:33:34 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA30393 for ; Mon, 24 Jan 2000 16:33:34 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL38ANATU8000HTB@FNAL.FNAL.GOV> (original mail from stolz@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 24 Jan 2000 16:33:32 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL38AM8QJ2000J2W@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 24 Jan 2000 16:33:23 -0600
Received: from localhost (stolz@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with ESMTP id QAA01782; Mon, 24 Jan 2000 16:33:21 -0600 (CST)
Date: Mon, 24 Jan 2000 16:33:20 -0600 (CST)
From: Michael Stolz
Subject: Re: Upgrading bldlinux61
In-reply-to:
To: Connie Sieh
Cc: Matt Crawford, Dan Yocum, kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: ossbud.fnal.gov: stolz owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 139

I guess I'm the designated sysadmin for most build machine issues.
Our current rule-of-thumb is: send e-mail about a downtime to oss-dept@fnal.gov (give folks at least 1/2 an hour), and also see who is on the machine.

The password hasn't changed for a while, so you may know it (it starts with 'h'). If not, you can get it from Lisa, Ken or myself. You will need to log in as yourself, and then 'ksu' to become root. If you don't have Kerberos validation on PILOT.FNAL.GOV, you will need to get one from Matt C. or Lauri C. before you can get onto that machine (and use ksu too). I've already added you to the kerberos access list on bldlinux61. You may not need the root password...

Mike Stolz (stolz@fnal.gov)
---------------------------------------------------

On Mon, 24 Jan 2000, Connie Sieh wrote:

> Date: Mon, 24 Jan 2000 15:17:46 -0600
> From: Connie Sieh
> To: Matt Crawford
> Cc: Dan Yocum, kerberos-pilot@fnal.gov
> Subject: Re: Upgrading bldlinux61
>
> Matt,
>
> I asked Dan to send mail to kerberos-pilot so as to find the
> "right" answer to the question "How do sysadmins get "root" access
> to "kerberized in the strengthened realm machines". So is your answer
> described below right for the above question?
>
> -connie

From kreymer@fnal.gov Thu Jan 27 11:40:36 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA04823 for ; Thu, 27 Jan 2000 11:40:35 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL74XDW7Y8000IMQ@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 11:40:32 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL74XDCU94000KRR@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 11:40:22 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA27190 for ; Thu, 27 Jan 2000 11:40:22 -0600 (CST)
Date: Thu, 27 Jan 2000 11:40:21 -0600
From: Matt Crawford
Subject: Kerberos v0_4
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001271740.LAA27190@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 140

Kerberos v0_4 is in kits as "test". This version includes the new "portal" function. The design of that function is improved relative to the original plan as well. See the RELEASE-NOTES.v0_4 for details.

This version involves a KDC update, so I will be stopping the Kerberos servers on the primary KDC at 1:30 PM today for 5 to 10 minutes. The secondary (which has been running the new code for ten days) will be available. But as always, password changes and other principal modifications, creations or deletions require the master KDC to be up.
Matt

From kreymer@fnal.gov Thu Jan 27 16:49:25 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA04958 for ; Thu, 27 Jan 2000 16:49:24 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL7FPC3QTS000IMQ@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 16:49:22 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL7FPAR7TI000KNO@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 16:49:13 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id QAA22854; Thu, 27 Jan 2000 16:49:12 -0600 (CST)
Date: Thu, 27 Jan 2000 16:49:12 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: upgrading to kerberos v0_4 has some unforseen problems
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001272249.QAA22854@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 141

Heads up: there are some curious problems ahead (not solved yet) if you try to UPGRADE a kerberized system from v0_3 to v0_4.

The problems seem to stem from file overwrite conflicts, and appear to be WORST on Linux boxes.

What I think is happening is: in order to log in as 'root' to finish the kerberos installation on a node which is already running kerberos, you need to:
- first log in, using some kerberized services
- then ksu, using another kerberized service

So various /usr/krb5/bin (and other library) files are in use.
Now, as part of the upgrade, you issue a tar command:

    tar cf - $instdirs | ( cd $target; tar xop${v}f - )

(essentially, take the stuff under $KERBEROS_DIR/ and copy it over to the /usr/krb5 tree).

You are trying to replace files that you are using. Linux, in particular, gives up and dies, logging you out completely.

Matt and I (with help from others, probably) will be investigating this in the next few days. Until then, I suggest that people running v0_3 sit tight and not try to upgrade to v0_4 just yet (especially if they're on a Linux box).

-- lauri

From kreymer@fnal.gov Thu Jan 27 17:00:27 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA04963 for ; Thu, 27 Jan 2000 17:00:27 -0600
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL7G3LDOCW000IMQ@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 17:00:23 -0600 CDT
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL7G3ICSIY000KNY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 16:59:54 -0600
Date: Thu, 27 Jan 2000 16:59:53 -0600 (EST)
From: "Marc W. Mengel"
Subject: Re: upgrading to kerberos v0_4 has some unforseen problems
In-reply-to: <200001272249.QAA22854@ossbud.fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 142

On Thu, 27 Jan 2000, Laurelin of Middle Earth, 630-840-2214 wrote:

> The problems seem to stem from file overwrite conflicts, and appear
> to be WORST on Linux boxes.
>
> What I think is happening is: in order to log in as 'root' to
> finish the kerberos installation on a node which is already running
> kerberos, you need to:
> - first log in, using some kerberized services
> - then ksu, using another kerberized service
>
> So various /usr/krb5/bin (and other library) files are in use. Now,
> as part of the upgrade, you issue a tar command:
>
> tar cf - $instdirs | ( cd $target; tar xop${v}f - )
>
> (essentially, take the stuff under $KERBEROS_DIR/ and copy it over
> to the /usr/krb5 tree).
>
> You are trying to replace files that you are using. Linux, in
> particular, gives up and dies, logging you out completely.

setup gtools, use gtar, and do

    gtar cf - $instdirs | ( cd $target; gtar Uxop${v}f - )

The U will unlink files before extracting overtop them, and this will safely dodge your overwrite errors.

Marc

From kreymer@fnal.gov Thu Jan 27 17:44:41 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA04987 for ; Thu, 27 Jan 2000 17:44:41 -0600
Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL7HMQ3Z28000IMQ@FNAL.FNAL.GOV> (original mail from garren@fnpspb.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 17:44:37 -0600 CDT
Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL7HM7NHRK000JVJ@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 17:44:00 -0600
Received: from localhost (garren@localhost) by fnpspb.fnal.gov (8.9.3/8.9.3) with SMTP id RAA07439 for ; Thu, 27 Jan 2000 17:43:59 -0600 (CST)
Date: Thu, 27 Jan 2000 17:43:59 -0600
From: Lynn Garren
Subject: can't login to ossbud
Sender: garren@fnal.gov
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: garren@fnal.gov
Message-id:
<200001272343.RAA07439@fnpspb.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: fnpspb.fnal.gov: garren@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 143

Earlier today I was able to login to ossbud with no problem. However, right now I am unable to connect:

    fnpspb> ssh ossbud
    Permission denied.

Help!
Lynn

From kreymer@fnal.gov Thu Jan 27 17:46:38 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA05000 for ; Thu, 27 Jan 2000 17:46:38 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL7HP0X9GW000JSS@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 17:46:34 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL7HOT41FK000K9V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 17:46:07 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA29870; Thu, 27 Jan 2000 17:46:04 -0600 (CST)
Date: Thu, 27 Jan 2000 17:46:04 -0600
From: Matt Crawford
Subject: Re: upgrading to kerberos v0_4 has some unforseen problems
In-reply-to: "27 Jan 2000 16:59:53 CST." <"Pine.LNX.4.05.10001271657030.15031-100000"@bel-kwinth.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: "Marc W. Mengel"
Cc: "Laurelin of Middle Earth, 630-840-2214", kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001272346.RAA29870@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 145

> setup gtools, use gtar, and do
> gtar cf - $instdirs | ( cd $target; gtar Uxop${v}f - )
> The U will unlink files before extracting overtop them, and this will
> safely dodge your overwrite errors.

Sounds like a winner to me.
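An added shell demonstration (not part of the thread and not Fermilab's install script) of the mechanism Lauri describes and Marc's gtar -U fix addresses: overwriting a file in place while a process is executing it, versus unlinking it first so the new copy gets a fresh inode while the running process keeps the old one. It stands in for the in-use /usr/krb5/bin binaries with a copy of the system sleep command; the helper names, the temporary directory and the summary line format are my own. It does not need GNU tar: replace_unlink_first models what -U / --unlink-first does with rm and cp.

```shell
#!/bin/sh
# Added example (not from the kerberos-pilot thread): in-place overwrite of a
# file that a running process is executing, versus unlink-then-recreate,
# which is what GNU tar's -U / --unlink-first does.  A copy of the system
# `sleep` plays the role of an in-use /usr/krb5/bin binary.  All names and
# paths below are constructed for the demo.

# inode_of FILE : print the inode number (ls -i is POSIX, stat -c is not)
inode_of() {
    ls -i "$1" | awk '{ print $1 }'
}

# replace_in_place DST SRC : what a plain `tar x` over an existing file does:
# open(DST, O_WRONLY|O_TRUNC) and write.  On Linux this fails with ETXTBSY
# ("Text file busy") while DST is being executed; on systems that allow it,
# the write mutates the program text of the running process.
replace_in_place() {
    cp "$2" "$1"
}

# replace_unlink_first DST SRC : what `gtar -U` does.  The running process keeps
# the old (now unlinked) inode; the new file gets a fresh one.
replace_unlink_first() {
    rm -f "$1" && cp "$2" "$1"
}

# demo_replace_running_binary : run both strategies against a copied `sleep`
# that is executing, and print one summary line, e.g. on Linux:
#   inplace=busy inode_changed=yes process_alive=yes
demo_replace_running_binary() {
    sleep_bin=$(command -v sleep) || return 1
    # prefer a directory under the cwd in case /tmp is mounted noexec
    dir=$(mktemp -d ./replace-demo.XXXXXX 2>/dev/null) || dir=$(mktemp -d) || return 1
    cp "$sleep_bin" "$dir/sleep"
    "$dir/sleep" 60 &
    pid=$!
    sleep 1                                   # let the child finish execve

    before=$(inode_of "$dir/sleep")
    if replace_in_place "$dir/sleep" "$sleep_bin" 2>/dev/null; then
        inplace=ok
    else
        inplace=busy                          # ETXTBSY on Linux
    fi
    replace_unlink_first "$dir/sleep" "$sleep_bin"
    after=$(inode_of "$dir/sleep")

    if kill -0 "$pid" 2>/dev/null; then alive=yes; else alive=no; fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"

    if [ "$before" != "$after" ]; then changed=yes; else changed=no; fi
    echo "inplace=$inplace inode_changed=$changed process_alive=$alive"
}

demo_replace_running_binary
```

The point for an upgrade done from a ksu session: the shell, ksu and the kerberized login daemon are all executing files under the tree being replaced, so the in-place path either fails outright (Linux) or rewrites the text of live processes. Unlink-first leaves those processes on the old inodes until they exit, which is why the session survives the extraction.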
From kreymer@fnal.gov Thu Jan 27 19:22:02 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA05029 for ; Thu, 27 Jan 2000 19:22:02 -0600
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL7L1KW6SW000IMQ@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 27 Jan 2000 19:22:00 -0600 CDT
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JL7L1KGIMW000KAX@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Jan 2000 19:21:53 -0600
Date: Thu, 27 Jan 2000 19:21:52 -0600 (CST)
From: Stephan Lammel
Subject: kerberized rcp daemon/client is broken
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <000127192152.20603c6c@FNALD.FNAL.GOV>
Status: RO
X-Status:
X-Keywords:
X-UID: 146

Dear All,

it looks like the kerberized rcp client and/or daemon is broken. I consistently get the following error message when pulling files from fcdfsgi2 while on either fcdfsgi1 or fcdfsun1:

    rcp: protocol screwup: expected control record

the status code of the rc is 1. I don't see the problem with the original bsd rcp from another host (pulling files off fcdfsgi2).

Please contact Glenn Cooper to get information about kerberos versions on the machines, etc.
cheers, Stephan

From kreymer@fnal.gov Fri Jan 28 07:15:42 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id HAA14034 for ; Fri, 28 Jan 2000 07:15:41 -0600
Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL89YE7QTC000IMQ@FNAL.FNAL.GOV> (original mail from gcooper@b0rv11.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 07:15:40 -0600 CDT
Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JL89YDNIS4000I88@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 07:15:32 -0600
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id HAA08864; Fri, 28 Jan 2000 07:15:29 -0600
Date: Fri, 28 Jan 2000 07:15:29 -0600
From: Glenn Cooper
Subject: Re: kerberized rcp daemon/client is broken
In-reply-to: <000127192152.20603c6c@FNALD.FNAL.GOV>
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 147

fcdfsgi1 and fcdfsgi2 both use kerberos v0_3. fcdfsun1 is still at v0_1, though I'll probably go to v0_3 today or early next week.

Glenn

On Thu, 27 Jan 2000, Stephan Lammel wrote:

> Dear All,
> it looks like the kerberized rcp client and/or daemon is broken. I
> consistently get the following error message when pulling files from
> fcdfsgi2 while on either fcdfsgi1 or fcdfsun1:
>
> rcp: protocol screwup: expected control record
>
> the status code of the rc is 1. I don't see the problem with the original
> bsd rcp from another host (pulling files off fcdfsgi2).
>
> Please contact Glenn Cooper to get information about kerberos versions
> on the machines, etc.
> cheers, Stephan
>

From kreymer@fnal.gov Fri Jan 28 09:06:01 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA14077 for ; Fri, 28 Jan 2000 09:06:01 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8DSTL7B4000IMQ@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 09:05:57 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8DSO5V8U000JRH@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 09:05:28 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA01951; Fri, 28 Jan 2000 09:05:26 -0600 (CST)
Date: Fri, 28 Jan 2000 09:05:25 -0600
From: Matt Crawford
Subject: Re: kerberized rcp daemon/client is broken
In-reply-to: "27 Jan 2000 19:21:52 CST." <"000127192152.20603c6c"@FNALD.FNAL.GOV>
Sender: crawdad@gungnir.fnal.gov
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001281505.JAA01951@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 148

> it looks like the kerberized rcp client and/or daemon is broken. I
> consistently get the following error message when pulling files from
> fcdfsgi2 while on either fcdfsgi1 or fcdfsun1:
>
> rcp: protocol screwup: expected control record
>
> the status code of the rc is 1.

It works for me -- logged into fcdfsun1 or fcdfsgi1 I can pull from fcdfsgi2 with /usr/krb5/bin/rcp. Suspecting the age-old "noise from your .cshrc confuses rcp" problem, I even tried it with a copy of your .cshrc in place in my account. No difference.

Looking at the code to see where that error message is generated makes me ask exactly what command you typed.
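The "noise from your .cshrc confuses rcp" problem Matt suspects above is worth a mechanical check, since rcp, rsh and scp all start the remote login shell non-interactively and treat whatever it prints as protocol data. The following is an added example, not from the thread or from the Fermilab Kerberos kit: a static lint, run with awk from a POSIX shell, that flags lines in a csh rc file which print to the terminal or turn on csh's `time` reporting unless they sit inside an `if ( $?prompt ) then ... endif` guard (the fix Matt recommends later in this thread). The list of "noisy" commands and the two sample rc files are my own constructions; the lint does not run csh and so cannot catch noise from commands outside that list.

```shell
#!/bin/sh
# Added example (not from the kerberos-pilot thread): static check for rc-file
# output that corrupts an rcp/rsh data channel.  Lines that set csh's `time`
# or `prompt`, or that write to the tty, are reported unless they are inside
# `if ( $?prompt ) then ... endif`.  The command list and the sample files
# are constructed for this demo.

# rc_noise_lint FILE : print "LINE: text" for each unguarded noisy line;
# exit status 0 when the file is quiet for non-interactive shells, else 1.
rc_noise_lint() {
    awk '
    BEGIN { depth = 0; bad = 0 }
    {
        line = $0
        sub(/#.*/, "", line)         # csh comment; "### set time = 10" is silenced
        # opening the interactive-only guard
        if (line ~ /^[ \t]*if[ \t]*\(.*[$][?]prompt.*\)[ \t]*then[ \t]*$/) { depth++; next }
        if (depth > 0) {
            # track nested if/endif so the guard closes at the matching endif
            if (line ~ /^[ \t]*if[ \t]*\(.*\)[ \t]*then[ \t]*$/) { depth++ } else if (line ~ /^[ \t]*endif[ \t]*$/) { depth-- }
            next
        }
        # unguarded lines that change timing/prompt state or write to the tty
        if (line ~ /^[ \t]*set[ \t]+(time|prompt)([ \t=]|$)/ ||
            line ~ /^[ \t]*(echo|cat|stty|tset|mesg|fortune|uptime)([ \t]|$)/) {
            printf "%d: %s\n", NR, $0
            bad = 1
        }
    }
    END { exit bad }' "$1"
}

# rc_noise_count FILE : number of offending lines, for scripting
rc_noise_count() {
    rc_noise_lint "$1" | wc -l | tr -d ' '
}

# write_sample_rcs DIR : DIR/noisy.cshrc has the `set time = 10` and prompt
# lines at top level; DIR/clean.cshrc has the same settings inside the guard.
write_sample_rcs() {
    cat > "$1/noisy.cshrc" <<'EOF'
# constructed sample .cshrc
set path = ( /usr/krb5/bin $path )
set time = 10
set prompt = "`hostname` %! % "
echo "Welcome back"
if ( $?prompt ) then
    alias ll 'ls -l'
endif
EOF
    cat > "$1/clean.cshrc" <<'EOF'
# constructed sample .cshrc, interactive-only settings guarded
set path = ( /usr/krb5/bin $path )
if ( $?prompt ) then
    set time = 10
    set prompt = "`hostname` %! % "
    echo "Welcome back"
    alias ll 'ls -l'
endif
EOF
}

# demo: lint both samples
demo_dir=$(mktemp -d)
write_sample_rcs "$demo_dir"
for f in noisy clean; do
    if rc_noise_lint "$demo_dir/$f.cshrc"; then
        echo "$f.cshrc: quiet for non-interactive shells"
    else
        echo "$f.cshrc: would corrupt an rcp/rsh session"
    fi
done
rm -rf "$demo_dir"
```

For the noisy sample the lint reports lines 3, 4 and 5; the clean sample passes. Commenting a line out, as the transcript later in this thread does with `g/time/s/^/### /`, also silences it, because the comment is stripped before matching.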
From kreymer@fnal.gov Fri Jan 28 09:14:09 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA14111 for ; Fri, 28 Jan 2000 09:14:08 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8E3TBT80000IMQ@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 09:13:58 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8E3QWSVC000L1V@FNAL.FNAL.GOV> for bld-cluster-announce-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;bld-cluster-announce@fnal.gov); Fri, 28 Jan 2000 09:13:37 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id JAA28460; Fri, 28 Jan 2000 09:13:36 -0600 (CST)
Date: Fri, 28 Jan 2000 09:13:35 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: ossbud
Sender: lauri@ossbud.fnal.gov
To: Ken Schumacher
Cc: Etta Burns, bld-cluster-announce@fnal.gov
Errors-to: bld-cluster-announce-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001281513.JAA28460@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 149

There were indeed problems on ossbud this morning, and they were due to the kerberos installation attempts. They have been corrected now.

The problem was entirely my fault, and I apologize. (I inadvertently did the full install of kerberos on ossbud instead of the 'install-keep-ssh' option, so kerberized access worked, but [temporarily] ssh access did not). The ssh access has been restored.

Sorry. Mea culpa. You may beat me with a wet noodle at your convenience.
On Friday 28 January 2000, our friend Ken Schumacher spaketh thusly:

> Good Morning all,
>
> Etta Burns writes:
> > I just had to give a HUP to inetd on ossbud because
> > I could not get logged in.
> >
> > Anyone else have any problems?
> >
> > Etta
> >
> > --
> > Etta Burns          Phone: (630) 840-8300
> > Fermilab            E-mail: ettab@fnal.gov
> > CD/OSS/CSS          Fax: (630) 840-6345
>
> I was logged in and my session disappeared, probably when you did
> the HUP. I think I saw e-mail this AM from Lynn Garren saying that
> she was unable to get in using SSH. I know that Laurie is doing an
> upgrade of Kerberos (from v0.3 to v0.4) on one of the systems in the
> pilot test, but I don't know if that was OSSBUD or not. They were
> having some problems with the upgrade.
>
> Ken S.

From kreymer@fnal.gov Fri Jan 28 09:17:24 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA14119 for ; Fri, 28 Jan 2000 09:17:23 -0600
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8E77CAB4000IMQ@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 09:17:11 -0600 CDT
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JL8E73TAJS000JV2@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 09:16:19 -0600
Date: Fri, 28 Jan 2000 09:16:18 -0600 (CST)
From: Stephan Lammel
Subject: Re: kerberized rcp daemon/client is broken
To: crawdad@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <000128091618.20206c78@FNALD.FNAL.GOV>
Status: RO
X-Status:
X-Keywords:
X-UID: 150

Hallo Matt,

thanks for looking into it.
I am typing (on fcdfsgi1):

    /usr/krb5/bin/rcp lammel@fcdfsgi2:/cdf/test3/lammel/test001.tmp /cdf/data02a/upgrade/lammel/junk

and get:

    rcp: protocol screwup: expected control record

after the file was copied.

Stephan

From kreymer@fnal.gov Fri Jan 28 11:09:16 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA15249 for ; Fri, 28 Jan 2000 11:09:14 -0600
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8I4TJRHS000IMQ@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 11:09:10 -0600 CDT
Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8I4SPYY6000KA2@FNAL.FNAL.GOV>; Fri, 28 Jan 2000 11:08:59 -0600
Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id LAA02959; Fri, 28 Jan 2000 11:08:57 -0600 (CST)
Date: Fri, 28 Jan 2000 11:08:57 -0600
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: kerberos v0_4 now available
Sender: lauri@ossbud.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: lauri@fnal.gov, bld-cluster-announce@fnal.gov
Errors-to: bld-cluster-announce-owner@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200001281708.LAA02959@ossbud.fnal.gov>
X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 151

The installation script for kerberos v0_4 is fixed. You can now upgrade from v0_3 without ripping the rug out from underneath you.
If you did an 'upd install kerberos v0_4' earlier, you should update the UPS directory and table file on your system via:

    upd update ups_dir:table_file kerberos v0_4 -f

-- lauri

From kreymer@fnal.gov Fri Jan 28 13:59:30 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA15326 for ; Fri, 28 Jan 2000 13:59:30 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8O2VQEQ8000JWK@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 13:59:26 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8O2V81H4000JIR@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 13:59:14 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA03286; Fri, 28 Jan 2000 13:59:12 -0600 (CST)
Date: Fri, 28 Jan 2000 13:59:11 -0600
From: Matt Crawford
Subject: Re: kerberized rcp daemon/client is broken
In-reply-to: "28 Jan 2000 09:16:18 CST." <"000128091618.20206c78"@FNALD.FNAL.GOV>
Sender: crawdad@gungnir.fnal.gov
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001281959.NAA03286@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 152

> /usr/krb5/bin/rcp lammel@fcdfsgi2:/cdf/test3/lammel/test001.tmp /cdf/data02a/upgrade/lammel/junk
> and get:
> rcp: protocol screwup: expected control record

OK, I can get errors something like that, but it's always related to exceeding my disk quota. The copied file appears to be the right size, but instead of 2^30 bytes of 'x' as the source file is, it's a lot of 'x' followed by a lot of '\0'. Could you have been copying it to a place where your quota was insufficient also?
I don't have a way to do "rcp classic" to fcdfsgi2 for comparison. But I'll have another look at the Kerberos rcp code to see why running out of disk quota might confuse the network input reader.

From kreymer@fnal.gov Fri Jan 28 14:20:29 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA15342 for ; Fri, 28 Jan 2000 14:20:29 -0600
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8OSUDO2O000JWK@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 14:20:23 -0600 CDT
Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JL8OSSZ79O000JX6@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 14:20:09 -0600
Date: Fri, 28 Jan 2000 14:20:08 -0600 (CST)
From: Stephan Lammel
Subject: Re: kerberized rcp daemon/client is broken
To: crawdad@fnal.gov
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <000128142008.20206c78@FNALD.FNAL.GOV>
Status: RO
X-Status:
X-Keywords:
X-UID: 153

Hallo Matt,

thanks for your message. The rcp is data disk to data disk, i.e. neither disk has quota enabled. I'll check the file size limit on the two machines just to make sure, but they should be at 2 GB (the file is exactly 1 GB)...
cheers, Stephan

From kreymer@fnal.gov Fri Jan 28 15:26:51 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA15407 for ; Fri, 28 Jan 2000 15:26:50 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8R3IFI28000JWK@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 15:26:33 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8R3FGYWA000KCL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 15:25:59 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA03740; Fri, 28 Jan 2000 15:25:56 -0600 (CST)
Date: Fri, 28 Jan 2000 15:25:56 -0600
From: Matt Crawford
Subject: Re: yes, filesize is unlimited
In-reply-to: "28 Jan 2000 14:41:26 CST." <"000128144126.20206c78"@FNALD.FNAL.GOV>
Sender: crawdad@gungnir.fnal.gov
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200001282125.PAA03740@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 154

Stephan,

I'm afraid the finger of guilt does point toward your .cshrc. Here are five rcp's of your gigabyte of 'x'. The first trial has my .cshrc in place on the remote end, which is whatever was set up for me when my account was created. The third has no .cshrc at all, and the second and fourth have a copy of your .cshrc in my home directory. The second and fourth show the error you saw.

Finally, the fifth trial has a copy of your .cshrc in place, with the line "set time = 10" commented out. Since that gave no error, I suggest you wrap both that line and all the prompt-setting lines inside a

    if ( $?prompt ) then
    ...
    endif

test so they aren't in effect in non-interactive shells.
fcdfsgi1 240% pwd
/usr/var/tmp
fcdfsgi1 241% ls -l junk
Cannot access junk: No such file or directory
fcdfsgi1 242% time rcp fcdfsgi2:/cdf/test3/lammel/test001.tmp junk
1.7u 39.4s 1:32 44% 0+0k 13+0io 5pf+0w
fcdfsgi1 243% ls -ls junk
2097152 -rw-r--r-- 1 crawdad g150 1073741824 Jan 28 15:04 junk
fcdfsgi1 244% od -x junk
0000000 7878 7878 7878 7878 7878 7878 7878 7878
*
0000000
47.0u 9.3s 1:09 80% 0+0k 16385+0io 0pf+0w
fcdfsgi1 245% tr -d x junk|wc
Usage: tr [-cs] [string1 [string2]]
Usage: tr [-c] -d string1
Usage: tr [-c] -s string1
Usage: tr [-c] -ds string1 string2
0 0 0
fcdfsgi1 246% tr -d x < junk | wc
0 0 0
44.1u 9.1s 1:09 76% 0+0k 16384+0io 0pf+0w
fcdfsgi1 247% rsh fcdfsgi2 cp \~lammel/.cshrc .cshrc
This rsh session is using DES encryption for all data transmissions.
fcdfsgi1 248% rm junk
fcdfsgi1 249% time rcp fcdfsgi2:/cdf/test3/lammel/test001.tmp junk
rcp: protocol screwup: expected control record
1.8u 39.2s 1:31 44% 0+0k 2+0io 0pf+0w
fcdfsgi1 250% ls -ls junk
2097152 -rw-r--r-- 1 crawdad g150 1073741824 Jan 28 15:09 junk
fcdfsgi1 251% od -x junk
0000000 7878 7878 7878 7878 7878 7878 7878 7878
*
0000000
47.1u 9.3s 1:09 80% 0+0k 16385+0io 0pf+0w
fcdfsgi1 252% rsh fcdfsgi2 rm .cshrc
This rsh session is using DES encryption for all data transmissions.
fcdfsgi1 253% rm junk
fcdfsgi1 254% time rcp fcdfsgi2:/cdf/test3/lammel/test001.tmp junk
1.7u 40.1s 1:31 46% 0+0k 2+0io 0pf+0w
fcdfsgi1 255% rsh fcdfsgi2 cp \~lammel/.cshrc .cshrc
This rsh session is using DES encryption for all data transmissions.
fcdfsgi1 256% rm junk
fcdfsgi1 257% time rcp fcdfsgi2:/cdf/test3/lammel/test001.tmp junk
rcp: protocol screwup: expected control record
1.7u 40.0s 1:32 45% 0+0k 0+0io 0pf+0w
fcdfsgi1 258% rm junk
fcdfsgi1 259% rsh fcdfsgi2 ex - .cshrc << EOF
g/time/s/^/### /
wq
EOF
This rsh session is using DES encryption for all data transmissions.
fcdfsgi1 260% time rcp fcdfsgi2:/cdf/test3/lammel/test001.tmp junk
1.7u 39.9s 1:31 45% 0+0k 7+0io 1pf+0w

From kreymer@fnal.gov Fri Jan 28 16:52:40 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA15447 for ; Fri, 28 Jan 2000 16:52:40 -0600 Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8U4P5X4W000JWK@FNAL.FNAL.GOV> (original mail from LAMMEL@fnald.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 16:52:38 -0600 CDT Received: from FNALH.FNAL.GOV ([131.225.109.28]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JL8U4O9QO6000L5T@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Jan 2000 16:52:29 -0600 Date: Fri, 28 Jan 2000 16:52:29 -0600 (CST) From: Stephan Lammel Subject: Re: yes, filesize is unlimited To: crawdad@fnal.gov Cc: kerberos-pilot@fnal.gov, LAMMEL@fnald.fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <000128165229.20206c78@FNALD.FNAL.GOV> Status: RO X-Status: X-Keywords: X-UID: 155

Hello Matt,

thanks for your message, debugging, and help. My apologies for causing this. The BSD rcp I tried from a machine that has a Gigabit Ethernet interface. It looks like that takes quite a bit less CPU (probably less I/O wait on fcdfsgi2), so that it falls below the 10 sec report threshold.
Sorry and thanks, cheers, Stephan From kreymer@fnal.gov Fri Jan 28 17:53:17 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA15469 for ; Fri, 28 Jan 2000 17:53:17 -0600 Received: from fnal.gov ([131.225.106.190]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8W8VI09S000JWK@FNAL.FNAL.GOV> (original mail from ruth@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 17:53:15 -0600 CDT Received: from fnal.gov ([131.225.106.190]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8W8UKLNC000KCH@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Fri, 28 Jan 2000 17:53:08 -0600 Date: Fri, 28 Jan 2000 17:53:21 -0600 From: Ruth Pordes Subject: Re: CryptoCards at Fermilab? Sender: ruthhome@fnal.gov To: Torre Wenaus , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: ruth@fnal.gov Message-id: <38922BF1.EF5D3AE7@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3891B088.C42151E4@bnl.gov> Status: RO X-Status: X-Keywords: X-UID: 156 Hi Torre I am forwarding this to the kerberos-pilot@fnal mail list - I hope you don't mind. As you might imagine this implies we are serious about kerberos. The following Chep abstract speaks to the Fermilab plans: http://chep2000.pd.infn.it/abs/abs_306.htm I don't know if the following url is viewable from outside Fermilab: http://www.fnal.gov/cd/security/StrongAuth/ Mark Kaletka and Matt Crawford are the Project Leaders and can give you more information. See you in 10 days or so.. 
Ruth Torre Wenaus wrote: > > Hi Ruth, > Computer security has recently become a very noisy topic at BNL since the > computing division put out a proposal many regard as over-zealous in the > extent to which it proposes to lock down the lab. In discussions on this > someone has said that Fermilab is going to introduce CryptoCards -- > challenge/response authentication based on a credit card sized calculator > everyone has to carry around -- for all its users as the computing division > is proposing here. Is there any truth to this? > See you at CHEP, Torre > > -- Torre Wenaus, BNL wenaus@bnl.gov 631-344-4755 Fax 631-344-4206 -- > -- STAR/RHIC and ATLAS/LHC -- > -- B. 510A Room 1-175 http://www.wenaus.com/torre.html -- From kreymer@fnal.gov Fri Jan 28 18:49:51 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id SAA15484 for ; Fri, 28 Jan 2000 18:49:50 -0600 Received: from fnal.gov ([131.225.106.190]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JL8Y7YR5N4000JWK@FNAL.FNAL.GOV> (original mail from ruth@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 28 Jan 2000 18:49:47 -0600 CDT Received: from fnal.gov ([131.225.106.190]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JL8Y7XZAOS000LJO@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Fri, 28 Jan 2000 18:49:39 -0600 Date: Fri, 28 Jan 2000 18:49:54 -0600 From: Ruth Pordes Subject: oops Sender: ruthhome@fnal.gov To: Torre Wenaus Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: ruth@fnal.gov Message-id: <38923932.D2FCCC33@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.61 [en] (X11; I; Linux 2.0.36 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 157 Torre I apologise. It was probably not very politic of me to include your mail in my reply! 
The kerberos pilot people are a friendly bunch and I am sure will be discreet.

Ruth

From kreymer@fnal.gov Thu Feb 3 13:02:14 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA26145 for ; Thu, 3 Feb 2000 13:02:14 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLGZSZGNDC000MA0@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 3 Feb 2000 13:02:11 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLGZSXPODC000N4Y@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 03 Feb 2000 13:01:57 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA23418 for ; Thu, 03 Feb 2000 13:01:56 -0600 (CST) Date: Thu, 03 Feb 2000 13:01:56 -0600 From: Matt Crawford Subject: Kerberos v0_4 is now "current" Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200002031901.NAA23418@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 158

After a good test period on the build cluster and my own desktop, version v0_4 is now "current" on fnkits. There were some installation "gotchas" that have been resolved. I have turned off sshd on my own machine and have been using only my CryptoCard for access from home for a bit over a week now and it works like a charm.

Release notes are in $KERBEROS_DIR/ups/RELEASE-NOTES.v0_4.
From kreymer@fnal.gov Thu Feb 3 19:13:48 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA26380 for ; Thu, 3 Feb 2000 19:13:48 -0600 Received: from thwk23.lbl.gov ([131.243.112.65]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLHCSRFKY8000LW3@FNAL.FNAL.GOV> (original mail from anderson@thsrv.lbl.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 3 Feb 2000 19:13:46 -0600 CDT Received: from thwk23.lbl.gov ([131.243.112.65]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLHCSQSPSA000MXY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 03 Feb 2000 19:13:38 -0600 Received: (from anderson@localhost) by thwk23.lbl.gov (8.9.3/8.9.3) id RAA22970; Thu, 03 Feb 2000 17:13:41 -0800 Date: Thu, 03 Feb 2000 17:13:40 -0800 (PST) From: Jeffrey D Anderson Subject: core dump To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: JDAnderson@lbl.gov Message-id: <14490.10180.646346.595384@thwk23.lbl.gov> MIME-version: 1.0 X-Mailer: VM 6.71 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Status: RO X-Status: X-Keywords: X-UID: 159

I've installed kerberos v0_4 on a box running Redhat Linux 5.2 with the 2.2.12 kernel and glibc 2.0.7, but every time I attempt to run any of the binaries (e.g., telnet) I get an immediate core dump.

Apparently I've chosen the wrong flavor for my system. I was told that the Linux+2.2 flavor was supposed to work with Redhat 5.2 + 2.2 kernels (although I'm not really sure I believe that the kernel version is relevant to a userspace program like telnet).

In any case, am I using the wrong flavor?
-- -------------------------------------------------------------- Jeffrey Anderson | JDAnderson@lbl.gov Lawrence Berkeley National Laboratory | Mailstop 50a-5101 Phone: 510 486-4208 | Fax: 510 486-6808 From kreymer@fnal.gov Fri Feb 4 08:47:50 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA06929 for ; Fri, 4 Feb 2000 08:47:49 -0600 Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLI57YFQ9C000LW3@FNAL.FNAL.GOV> (original mail from lauri@ossbud.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 4 Feb 2000 08:47:46 -0600 CDT Received: from ossbud.fnal.gov ([131.225.110.42]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLI57XV8SO000N47@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 04 Feb 2000 08:47:36 -0600 Received: from localhost (lauri@localhost) by ossbud.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id IAA23604; Fri, 04 Feb 2000 08:47:34 -0600 (CST) Date: Fri, 04 Feb 2000 08:47:34 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: core dump Sender: lauri@ossbud.fnal.gov To: JDAnderson@lbl.gov Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200002041447.IAA23604@ossbud.fnal.gov> X-Authentication-warning: ossbud.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 160 I think you're using the wrong flavor. The Linux+2.2 flavor works with RedHat 6.1, the Linux+2.0 flavor works with the RedHat 5.2. The specific kernel version is not the important point in determining "compatibility", so in the case of Linux the 2.2 flavor indicates the 6.1 libraries (which are the important part for flavor compatibility). 
To correct your problem:

    ups undeclare -f Linux+2.2 kerberos v0_4 -y   # remove the old one (and its files)
    upd install -f Linux+2.0 kerberos v0_4        # bring over the correct one (by forcing the flavor to the one you need)
    # log in as 'root'
    ups install -f Linux+2.0 kerberos v0_4        # perform the configs necessary for kerberos to function

In general, for *any* product that has both a Linux+2.0 and a Linux+2.2 version, you will want to install the Linux+2.0 flavor until you upgrade to the newer kernel. Please see http://www.fnal.gov/docs/Recommendations/dr0013.html for a clarification on the flavor policies with respect to Linux.

-- lauri

On Thursday 3 February 2000, our friend Jeffrey D Anderson spaketh thusly:
> I've installed kerberos v0_4 on a box running Redhat Linux 5.2 with
> the 2.2.12 kernel and glibc 2.0.7, but every time I attempt to run any
> of the binaries (e.g., telnet) I get an immediate core dump.
>
> Apparently I've chosen the wrong flavor for my system. I was told
> that the Linux+2.2 flavor was supposed to work with Redhat 5.2 + 2.2
> kernels (although I'm not really sure I believe that the kernel
> version is relevant to a userspace program like telnet).
>
> In any case, am I using the wrong flavor?
> > -- > -------------------------------------------------------------- > Jeffrey Anderson | JDAnderson@lbl.gov > Lawrence Berkeley National Laboratory | Mailstop 50a-5101 > Phone: 510 486-4208 | Fax: 510 486-6808 From kreymer@fnal.gov Fri Feb 4 08:54:35 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA06943 for ; Fri, 4 Feb 2000 08:54:35 -0600 Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLI5G6U840000LW3@FNAL.FNAL.GOV> (original mail from garren@fnpspb.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 4 Feb 2000 08:54:29 -0600 CDT Received: from fnpspb.fnal.gov ([131.225.81.79]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLI5G5Y1K4000NXK@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 04 Feb 2000 08:54:14 -0600 Received: from localhost (garren@localhost) by fnpspb.fnal.gov (8.9.3/8.9.3) with SMTP id IAA16756; Fri, 04 Feb 2000 08:54:14 -0600 (CST) Date: Fri, 04 Feb 2000 08:54:13 -0600 From: Lynn Garren Subject: Re: core dump In-reply-to: "Your message of Fri, 04 Feb 2000 08:47:34 CST." 
<200002041447.IAA23604@ossbud.fnal.gov> To: lauri@fnal.gov Cc: JDAnderson@lbl.gov, kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200002041454.IAA16756@fnpspb.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii X-Authentication-warning: fnpspb.fnal.gov: garren@localhost didn't use HELO protocol Status: RO X-Status: A X-Keywords: X-UID: 161

> To correct your problem:
>
>     ups undeclare -f Linux+2.2 kerberos v0_4 -y   # remove the old one (and its files)
>     upd install -f Linux+2.0 kerberos v0_4        # bring over the correct one (by forcing the flavor to the one you need)
>     # log in as 'root'
>     ups install -f Linux+2.0 kerberos v0_4        # perform the configs necessary for kerberos to function

I should point out that ups will not recognize Linux+2.0 on a 5.2 machine with the 2.2 kernel, so you'll need:

    ups install -f Linux+2.0 kerberos v0_4 -G"-fLinux+2"

Lynn

From kreymer@fnal.gov Fri Feb 4 10:43:02 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA07004 for ; Fri, 4 Feb 2000 10:43:02 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLI98RRQ34000LW3@FNAL.FNAL.GOV> (original mail from mengel@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 4 Feb 2000 10:42:58 -0600 CDT Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLI98QS494000OBV@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 04 Feb 2000 10:42:47 -0600 Date: Fri, 04 Feb 2000 10:42:47 -0600 (EST) From: "Marc W.
Mengel" Subject: Re: core dump In-reply-to: <14490.10180.646346.595384@thwk23.lbl.gov> To: Jeffrey D Anderson Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 162 On Thu, 3 Feb 2000, Jeffrey D Anderson wrote: > Apparently I've chosen the wrong flavor for my system. I was told > that the Linux+2.2 flavor supposed to work with Redhat 5.2 + 2.2 > kernels (although I'm not really sure I believe that the kernel > version is relevant to a userspace program like telnet). Actually, you want Linux+2.0 stuff on RedHat 5.2; the 2.2 kernel there is what confuses things. It's really libc that makes things break. The Linux+2.2 flavors are RedHat 6.1 -> newer libc. Marc From kreymer@fnal.gov Mon Feb 14 12:30:24 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA32094 for ; Mon, 14 Feb 2000 12:30:23 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JLWBW6E71S000R1Y@FNAL.FNAL.GOV> (original mail from kreymer@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 14 Feb 2000 12:30:20 -0600 CDT Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLWBW5ZEWW000PVD@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 14 Feb 2000 12:30:01 -0600 Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA32090 for ; Mon, 14 Feb 2000 12:30:01 -0600 Date: Mon, 14 Feb 2000 12:30:01 -0600 (EST) From: Art Kreymer Subject: No rlogin access today ? 
In-reply-to: <200002041454.IAA16756@fnpspb.fnal.gov> To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 163

rlogin via kerberos seems to be failing today ( 20000214 12:25 )

I cannot get from
    ossbud to bldlinux61
    fcdfsgi2 to fcdfsgi2
    ossbud to ossbud

For example, on ossbud,

$ kinit
Password for kreymer@PILOT.FNAL.GOV:

$ klist
Ticket cache: /tmp/krb5cc_1060
Default principal: kreymer@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
02/14/00 12:27:22  02/15/00 01:27:22  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
02/14/00 12:27:22  02/15/00 01:27:22  afs/fnal.gov@PILOT.FNAL.GOV

$ rlogin ossbud.fnal.gov
rlogin: kcmd to host ossbud.fnal.gov failed - Generic error (see e-text)
trying normal rlogin (/bin/rlogin) WARNING: NO ENCRYPTION!

From kreymer@fnal.gov Mon Feb 14 12:37:01 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA32098 for ; Mon, 14 Feb 2000 12:37:01 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JLWC5QFBDM000PGR@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 14 Feb 2000 12:36:58 -0600 CDT Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id MAA07167 for ; Mon, 14 Feb 2000 12:36:56 -0600 Date: Mon, 14 Feb 2000 12:36:56 -0600 From: Glenn Cooper Subject: Re: No rlogin access today ? In-reply-to: To: Art Kreymer Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 164

Hi Art,

Works for me to/from fcdf____ machines. I can't get to ossbud, but I get a different error:

    rlogin ossbud
    klogind: User gcooper@PILOT.FNAL.GOV is not authorized to login to account gcooper.
I do have an ossbud account, and have used (kerberized) rlogin to get there many times before. Maybe it's a problem with the build cluster? Glenn On Mon, 14 Feb 2000, Art Kreymer wrote: > rlogin via kerberos seems to be failing today ( 20000214 12:25 ) > > I cannot get from > ossbud to bldlinux61 > fcdfsgi2 to fcdfsgi2 > ossbud to ossbud > > For example, on ossbud, > > $ kinit > Password for kreymer@PILOT.FNAL.GOV: > > $ klist > Ticket cache: /tmp/krb5cc_1060 > Default principal: kreymer@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 02/14/00 12:27:22 02/15/00 01:27:22 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > 02/14/00 12:27:22 02/15/00 01:27:22 afs/fnal.gov@PILOT.FNAL.GOV > > $ rlogin ossbud.fnal.gov > rlogin: kcmd to host ossbud.fnal.gov failed - Generic error (see e-text) > trying normal rlogin (/bin/rlogin) WARNING: NO ENCRYPTION! > From kreymer@fnal.gov Mon Feb 14 15:56:30 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA32268 for ; Mon, 14 Feb 2000 15:56:30 -0600 Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLWJ43Q1MW000RV8@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 14 Feb 2000 15:56:28 -0600 CDT Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA04244; Mon, 14 Feb 2000 15:56:27 -0600 (CST) Date: Mon, 14 Feb 2000 15:56:27 -0600 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: No rlogin access today ? 
Sender: lauri@fnal.gov To: Art Kreymer Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200002142156.PAA04244@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 165

I don't see the same behaviour:

ossbud:~> kinit
Password for lauri@PILOT.FNAL.GOV:
ossbud:~> klist -f
Ticket cache: /tmp/krb5cc_3
Default principal: lauri@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
02/14/00 15:53:53  02/15/00 04:53:53  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        Flags: FIA
02/14/00 15:53:54  02/15/00 04:53:53  afs/fnal.gov@PILOT.FNAL.GOV
        Flags: FA
ossbud:~> telnet bldlinux61
Trying 131.225.81.163...
Connected to bldlinux61.fnal.gov (131.225.81.163).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``lauri@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
...

and

ossbud:~> rlogin bldlinux61
This rlogin session is using DES encryption for all data transmissions.
Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14-1.2.0f1smp on a 2-processor i686

I can also go from ossbud to ossbud. (I don't have an account on fcdfsgi2 to check there...)

-- lauri

On Monday 14 February 2000, our friend Art Kreymer spaketh thusly:
> rlogin via kerberos seems to be failing today ( 20000214 12:25 )
>
> I cannot get from
>     ossbud to bldlinux61
>     fcdfsgi2 to fcdfsgi2
>     ossbud to ossbud
>
> For example, on ossbud,
>
> $ kinit
> Password for kreymer@PILOT.FNAL.GOV:
>
> $ klist
> Ticket cache: /tmp/krb5cc_1060
> Default principal: kreymer@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 02/14/00 12:27:22  02/15/00 01:27:22  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> 02/14/00 12:27:22  02/15/00 01:27:22  afs/fnal.gov@PILOT.FNAL.GOV
>
> $ rlogin ossbud.fnal.gov
> rlogin: kcmd to host ossbud.fnal.gov failed - Generic error (see e-text)
> trying normal rlogin (/bin/rlogin) WARNING: NO ENCRYPTION!
> From kreymer@fnal.gov Mon Feb 14 16:12:20 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32285 for ; Mon, 14 Feb 2000 16:12:20 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLWJNPK35A000QH9@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 14 Feb 2000 16:12:18 -0600 CDT Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA21818; Mon, 14 Feb 2000 16:12:16 -0600 (CST) Date: Mon, 14 Feb 2000 16:12:16 -0600 From: Matt Crawford Subject: Re: No rlogin access today ? In-reply-to: "14 Feb 2000 15:56:27 CST." <"200002142156.PAA04244"@fsui03.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: lauri@fnal.gov Cc: Art Kreymer , kerberos-pilot@fnal.gov Message-id: <200002142212.QAA21818@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 166 I figured it out: This is what happens when a user who doesn't have the REQUIRES_PRE_AUTH flag tries to access a service which *does* have it set. I'll list all the user principals and set the flag for any that lack it. Should take about 10 minutes. From kreymer@fnal.gov Mon Feb 14 16:21:17 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32305 for ; Mon, 14 Feb 2000 16:21:16 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JLWJYP9XBA000PVM@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 14 Feb 2000 16:21:10 -0600 CDT Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA21861; Mon, 14 Feb 2000 16:21:08 -0600 (CST) Date: Mon, 14 Feb 2000 16:21:07 -0600 From: Matt Crawford Subject: Re: No rlogin access today ? In-reply-to: "14 Feb 2000 16:12:16 CST." 
<"200002142212.QAA21818"@gungnir.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: lauri@fnal.gov, Art Kreymer , kerberos-pilot@fnal.gov Message-id: <200002142221.QAA21861@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 167

> ... I'll list all the user principals and set the flag for
> any that lack it.

Done. The following principals were modified to set +requires_preauth:

    dawson@PILOT.FNAL.GOV
    greenc@PILOT.FNAL.GOV
    kastner@PILOT.FNAL.GOV
    kreymer@PILOT.FNAL.GOV
    marafino@PILOT.FNAL.GOV
    marrafino@PILOT.FNAL.GOV
    merina@PILOT.FNAL.GOV
    mgreaney@PILOT.FNAL.GOV
    mmihalek@PILOT.FNAL.GOV
    phubbard@PILOT.FNAL.GOV
    schmidt@PILOT.FNAL.GOV
    shepelak@PILOT.FNAL.GOV
    yocum@PILOT.FNAL.GOV

Can we eliminate one of the marafino/marrafino pair?

From kreymer@fnal.gov Tue Feb 22 09:45:48 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA09746 for ; Tue, 22 Feb 2000 09:45:48 -0600 Received: from fnal.gov ([131.225.233.126]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JM7CHZGLS0000U1Z@FNAL.FNAL.GOV> (original mail from markl@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 22 Feb 2000 09:45:47 -0600 CDT Received: from fnal.gov ([131.225.233.126]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JM7CHYUJT0000RG3@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 22 Feb 2000 09:45:32 -0600 Date: Tue, 22 Feb 2000 09:45:14 -0600 From: Mark Leininger Subject: Crypto card guinea pigs Sender: markl@fnal.gov To: kerberos-pilot@fnal.gov Cc: gcooper@fnal.gov, rjetton@fnal.gov, colombo@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <38B2AF0A.48ED2987@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.3.0f2 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 168

Lauri
asked me for volunteers to test crypto cards. They are:

    gcooper@fnal.gov
    rjetton@fnal.gov
    colombo@fnal.gov

-- Mark Leininger, Fermilab Computing Division markl@fnal.gov CDF Portacamps, Office 149-O 630.840.4776 FAX 630.840.6315

From kreymer@fnal.gov Tue Feb 22 11:30:47 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA09986 for ; Tue, 22 Feb 2000 11:30:46 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JM7G5R7CXC000TQ5@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 22 Feb 2000 11:30:44 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JM7G5LSQS4000TPV@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 22 Feb 2000 11:30:06 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA27714; Tue, 22 Feb 2000 11:30:00 -0600 (CST) Date: Tue, 22 Feb 2000 11:30:00 -0600 From: Matt Crawford Subject: Re: Crypto card guinea pigs In-reply-to: "22 Feb 2000 09:45:14 CST." <"38B2AF0A.48ED2987"@fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Mark Leininger Cc: kerberos-pilot@fnal.gov, gcooper@fnal.gov, rjetton@fnal.gov, colombo@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200002221730.LAA27714@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 169

> Lauri asked me for volunteers to test crypto cards. They are:
>
> gcooper@fnal.gov
> rjetton@fnal.gov
> colombo@fnal.gov

Cooper and Colombo can come find me in FCC 351 to pick up their cards. rjetton doesn't have a Kerberos principal yet, or at least not by that name. Could he or she go through the established registration process first?
Matt

From kreymer@fnal.gov Wed Feb 23 12:47:05 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA16679 for ; Wed, 23 Feb 2000 12:47:05 -0600 Received: from othello.physics.gla.ac.uk ([130.209.204.200]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JM8X433BS0000TAC@FNAL.FNAL.GOV> (original mail from r.stdenis@physics.gla.ac.uk) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 23 Feb 2000 12:47:02 -0600 CDT Received: from othello.physics.gla.ac.uk ([130.209.204.200]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JM8X41HIBI000LI6@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 23 Feb 2000 12:46:48 -0600 Received: from a5.ph.gla.ac.uk ([130.209.45.103]) by othello.physics.gla.ac.uk with esmtp (Exim 3.03 #1) id 12NgoB-0000gf-00 for kerberos-pilot@fnal.gov; Wed, 23 Feb 2000 18:46:47 +0000 Received: from localhost (stdenis@localhost) by a5.ph.gla.ac.uk (8.8.8/8.8.8) with ESMTP id SAA06731 for ; Wed, 23 Feb 2000 18:46:46 +0000 (GMT) Date: Wed, 23 Feb 2000 18:46:46 +0000 (GMT) From: "Rick St. Denis" Subject: kerberized things Sender: stdenis@a5.ph.gla.ac.uk To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Reply-to: r.stdenis@physics.gla.ac.uk Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: a5.ph.gla.ac.uk: stdenis owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 170

Hi,

I asked our local (i.e. in Glasgow) system guru about the status of kerberized things. Can someone answer his questions:

> For Windows users, Exceed has a telnet tool that supports Kerberos v4.
> I've never actually tried it, I must admit.
>
> Is this enough? Or do they want us to use v5? The dialogue has a
> button for v5, but that is greyed-out: perhaps it's an optional extra.
> I assume there is some RPM for linux...?

He also added...
>I don't know why kerberized telnet is supposed to be better than >ssh, though. cheers, Rick ***************************** Dr. Richard St. Denis,Dept. of Phys.& Astr., Glasgow University Glasgow G12 8QQ; United Kingdom; UK Phone: [44] (141) 330 5887 UK Fax : [44] (141) 330 5881 ====================================== FermiLab PO Box 500; MS 318 Batavia, Illinois 60510 USA FNAL Phone: [00] 1-630-840-2943 FNAL Fax: [00] 1-630-840-2968 Sidet: [00] 1-630-840-8630 FCC: [00] 1-630-840-3707 From kreymer@fnal.gov Wed Feb 23 13:25:29 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA16686 for ; Wed, 23 Feb 2000 13:25:28 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JM8YGRC3A8000V0J@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 23 Feb 2000 13:25:26 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JM8YGQGCTS000TSN@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 23 Feb 2000 13:25:16 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA06940; Wed, 23 Feb 2000 13:25:05 -0600 (CST) Date: Wed, 23 Feb 2000 13:25:04 -0600 From: Matt Crawford Subject: Re: kerberized things In-reply-to: "23 Feb 2000 18:46:46 GMT." <"Pine.OSF.4.21.0002231844150.31662-100000"@a5.ph.gla.ac.uk> Sender: crawdad@gungnir.fnal.gov To: r.stdenis@physics.gla.ac.uk Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200002231925.NAA06940@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 171 > >For Windows users, Exceed has a telnet tool that supports Kerberos v4. > >I've never actually tried it, I must admit. > > > >Is this enough? Or do they want us to use v5? 
The dialogue has a > >button for v5, but that is greyed-out: perhaps it's an optional extra. It has to be Kerberos v5. WRQ's product "Reflection Signature" supports Kerberos v5 telnet, ftp and r-commands. The price is about the same as Exceed. We'd be happy to learn of Exceed support for v5 if it comes out, although many users demand FTP support and we found that many Windows products fell down on that point. > >I assume there is some RPM for linux...? Yes, a Google search turned up several. I didn't investigate export-control issues on them. Fermilab collaborators may find it most convenient to use the Fermi Kerberos product (supported for Lunix, Solaris, IRIX, Compaq Unix) *if* we can solve the export issues ourselves. The outlook for that is fair-to-good. > He also added... > > I don't know why kerberized telnet is supposed to be better than > > ssh, though. Suppose someone's SSH RSA key has been compromised. It's quite a daunting task to revoke it! Users who don't use the RSA mode still face the regular vulnerabilities of the Rhosts and RhostsRSA mechanisms (reduced perhaps 10% by the necessity of exploiting them from the real authorized host) and crackable password files on the server end. 
Matt Crawford

From kreymer@fnal.gov Wed Feb 23 14:17:08 2000 -0600
Date: Wed, 23 Feb 2000 20:16:43 +0000
From: Armin Reichold
Subject: RE: kerberized things
To: "'Matt Crawford'", r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, Ian McArthur, Todd Huffman, Peter Renton

Hi Matt,

I think you are wrong about the Exceed v4/v5. We logged into fcdfsgi2 using exceed v4-kerberised telnet and Ian McArthur (see above email) can tell you what he has been able to do with this. I guess it is quite frightening.

All of this avoids the one big question of how to get x-output/input to the kerberised machine.

Cheers Armin

*************************************************
Dr. Armin Reichold             | private:
Research Officer               | 17 Frys Hill
University of Oxford           | Oxford
Particle & Nuclear Phys. Lab.  | OX4 5GW
1 Keble Road                   | UK
Oxford OX1 3RH
UK
Room 612

Tel.  : +44-(0)1865-273358 (office)
Tel.  : +44-(0)1865-434856 (private)
Mobile: +44-(0)7930-431102 (emergency only)
Fax.  : +44-(0)1865-273418 (office)
E-Mail: a.reichold1@physics.ox.ac.uk
Netmeeting: ppnt67.physics.ox.ac.uk (business)
---//--- Dir. Server: webnt.physics.ox.ac.uk
*************************************************

-----Original Message-----
From: Matt Crawford [mailto:crawdad@fnal.gov]
Sent: Wednesday, February 23, 2000 7:25 PM
To: r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov
Subject: Re: kerberized things

> >For Windows users, Exceed has a telnet tool that supports Kerberos v4.
> >I've never actually tried it, I must admit.
> >
> >Is this enough? Or do they want us to use v5? The dialogue has a
> >button for v5, but that is greyed-out: perhaps it's an optional extra.

It has to be Kerberos v5. WRQ's product "Reflection Signature" supports Kerberos v5 telnet, ftp and r-commands. The price is about the same as Exceed. We'd be happy to learn of Exceed support for v5 if it comes out, although many users demand FTP support and we found that many Windows products fell down on that point.

> >I assume there is some RPM for linux...?

Yes, a Google search turned up several. I didn't investigate export-control issues on them. Fermilab collaborators may find it most convenient to use the Fermi Kerberos product (supported for Linux, Solaris, IRIX, Compaq Unix) *if* we can solve the export issues ourselves. The outlook for that is fair-to-good.

> He also added...
> > I don't know why kerberized telnet is supposed to be better than
> > ssh, though.

Suppose someone's SSH RSA key has been compromised. It's quite a daunting task to revoke it! Users who don't use the RSA mode still face the regular vulnerabilities of the Rhosts and RhostsRSA mechanisms (reduced perhaps 10% by the necessity of exploiting them from the real authorized host) and crackable password files on the server end.
Matt Crawford

From kreymer@fnal.gov Wed Feb 23 14:41:38 2000 -0600
Date: Wed, 23 Feb 2000 14:41:00 -0600
From: "Mark O. Kaletka"
Subject: RE: kerberized things
In-reply-to: <200002231925.NAA06940@gungnir.fnal.gov>
To: Matt Crawford, r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov

> -----Original Message-----
> From: crawdad@gungnir.fnal.gov [mailto:crawdad@gungnir.fnal.gov] On
> Behalf Of Matt Crawford
> Sent: Wednesday, February 23, 2000 1:25 PM
> To: r.stdenis@physics.gla.ac.uk
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: kerberized things
>...snip...<
> It has to be Kerberos v5. WRQ's product "Reflection Signature"
> supports Kerberos v5 telnet, ftp and r-commands. The price is about
> the same as Exceed. We'd be happy to learn of Exceed support for v5
> if it comes out, although many users demand FTP support and we found
> that many Windows products fell down on that point.

Correction, WRQ doesn't provide r-commands. It provides kerberized telnet and ftp clients and a ticket manager. It lacks certain features (notably ticket forwarding) which we hope will be fixed in the next release but otherwise seems sufficiently functional. There are other Kerberos v5 suites for Windows, all with their various warts (lack of support, poor integration, missing features, no clients, etc.). Hummingbird, to my knowledge (and after numerous inquiries) only supports Kerberos v4 and as far as I can discern has no real plans to support v5.

-- Mark K.

From kreymer@fnal.gov Wed Feb 23 14:49:53 2000 -0600
Date: Wed, 23 Feb 2000 14:49:17 -0600
From: "Mark O. Kaletka"
Subject: RE: kerberized things
To: Armin Reichold, "'Matt Crawford'", r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, Ian McArthur, Todd Huffman, Peter Renton

> -----Original Message-----
> From: Armin Reichold [mailto:a.reichold1@physics.ox.ac.uk]
> Sent: Wednesday, February 23, 2000 2:17 PM
> To: 'Matt Crawford'; r.stdenis@physics.gla.ac.uk
> Cc: kerberos-pilot@fnal.gov; Ian McArthur; Todd Huffman; Peter Renton
> Subject: RE: kerberized things
>
>
> Hi Matt,
> I think you are wrong about the Exceed v4/v5. We logged into fcdfsgi2 using
> exceed v4-kerberised telnet and Ian McArthur (see above email) can tell you
> what he has been able to do with this. I guess it is quite frightening.
>
> All of this avoids the one big question of how to get x-output/input to the
> kerberised machine.
>
> Cheers Armin

There's no impediment to X on a Kerberized machine. One has to be careful not to type the Kerberos password in an X window (i.e. by kinit'ing in an X terminal window), but once a Kerberized connection has been established (with telnet or rlogin, e.g.) you can open all the X windows you like. The WRQ Reflection installation includes an X server which can start clients using Kerberized telnet (see the draft doc at http://wwwserver1.fnal.gov/www/docs/StrongAuth/html/strong_auth.html); one can also use the WRQ Kerberized telnet with the Hummingbird eXceed X server but this seems needlessly complicated (although really hard-core eXceed users may insist on this).

-- Mark K.
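A small shell guard for the precaution Mark describes above: refuse to run kinit (and so prompt for the Kerberos password) when the terminal is an X window whose display is on another host, since a plain X connection carries keystrokes across the network unencrypted. This is an added illustration, not code from the thread or from the Fermilab Kerberos tools; it assumes POSIX sh and the standard `kinit`, the names `display_is_remote` and `safe_kinit` are hypothetical, and it treats `localhost:N` displays as ssh-forwarded (already encrypted) and therefore local.

```shell
#!/bin/sh
# Added illustration: guard against typing a Kerberos password into an
# X terminal displayed on a remote X server, where the X protocol would
# carry the keystrokes over the network in the clear.

# display_is_remote DISPLAY
# Exit status 0 when the X server named by DISPLAY lives on another host.
# ":0", "unix:0", loopback addresses and this machine's own name count as
# local.  "localhost:N" is assumed to be an ssh-forwarded display, which is
# already encrypted, so it counts as local too (assumption, see lead-in).
display_is_remote() {
    disp=$1
    host=${disp%%:*}                   # strip ":display.screen"
    case "$host" in
        ''|unix|localhost|127.0.0.1|::1) return 1 ;;   # local socket / loopback
    esac
    [ "$host" != "$(uname -n)" ]       # same machine -> not remote
}

# safe_kinit [kinit arguments...]
# Wrapper around the real kinit: if this shell's terminal is an X window on
# a remote display, refuse and explain; otherwise hand off to kinit.
safe_kinit() {
    if [ -n "$DISPLAY" ] && display_is_remote "$DISPLAY"; then
        echo "safe_kinit: DISPLAY=$DISPLAY is an X server on another host;" >&2
        echo "  your Kerberos password would cross the network as cleartext X traffic." >&2
        echo "  Run kinit from your local console instead." >&2
        return 1
    fi
    kinit "$@"
}
```

Source the file and use `safe_kinit` in place of `kinit` on the Kerberized host; the refusal path never reaches kinit.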
From kreymer@fnal.gov Wed Feb 23 15:59:25 2000 -0600
Date: Wed, 23 Feb 2000 15:59:08 -0600
From: "Mark O. Kaletka"
Subject: RE: kerberized things
In-reply-to: <14516.18780.399934.812230@thwk23.lbl.gov>
To: JDAnderson@lbl.gov
Cc: Kerberos Pilot

I'm not sure I understand exactly your question. I'm imagining a situation like:

A <> B <> C

where C is a strengthened system at (say) FNAL and B is a strengthened system at (say) LBNL and A is an unstrengthened system which wants to be an X display for clients running on C. Is this what you have in mind? If not, the rest of this may be dead off...

The rest of the discussion assumes the final state of the plan, not the interim state we're in now, i.e. "strengthened" systems will have non-Kerberized telnet/rlogin/ssh access turned off and will only accept network logins with established Kerberos credentials or a CryptoCard.

The connection from A to B is an unstrengthened system to a strengthened system and will require a CryptoCard login. From B to C is strengthened to strengthened, so it uses Kerberos and no further password is needed. Likewise A could login directly to C with a CryptoCard. Once the login to C is established, by either path, C can open X windows directly on A without hindrance. Unlike ssh, this is a normal X connection and not a forwarded encrypted tunnel, so users have to be careful not to type their Kerberos password in one of these X windows (and normally should not have to). (OK, as long as they don't let their tickets expire.)

So, if B really is your system at LBNL, and there are lots of A's at LBNL (or elsewhere), there is an obvious hassle. If you fully strengthen B (in our model) then your users on your A's have to get CryptoCards to access the B system at LBNL, even if they have nothing to do with FNAL. One alternative is to strengthen B, so only users on B who actually access strengthened systems need CryptoCards. Another alternative is to get as many of your A's as possible into the strengthened realm (FNAL's or maybe your own). There are obvious tradeoffs depending on who and where your users are and where they do most of the work (in the strengthened realm or outside it) and the tolerance level for various kinds of inconveniences.

-- Mark K.

> -----Original Message-----
> From: Jeffrey D Anderson [mailto:JDAnderson@lbl.gov]
> Sent: Wednesday, February 23, 2000 2:56 PM
> To: Mark O. Kaletka
> Subject: RE: kerberized things
>
>
> Mark O. Kaletka writes:
> >
> > There's no impediment to X on a Kerberized machine. One has to be careful
> > not to type the Kerberos password in an X window (i.e. by kinit'ing in an X
> > terminal window), but once a Kerberized connection has been established
> > (with telnet or rlogin, e.g.) you can open all the X windows you like.
>
> So does this mean that it's only possible to run X applications
> through a kerberized telnet session if one is actually sitting at the
> workstation terminal? It's not possible to login to the workstation
> remotely, then telnet to FNAL and have X forwarding work? That seems
> like a pretty severe limitation, especially if kerberos becomes
> mandatory at some point.
>
> --
> --------------------------------------------------------------
> Jeffrey Anderson                      | JDAnderson@lbl.gov
> Lawrence Berkeley National Laboratory | Mailstop 50a-5101
> Phone: 510 486-4208                   | Fax: 510 486-6808

From kreymer@fnal.gov Wed Feb 23 17:27:22 2000 -0600
Date: Wed, 23 Feb 2000 15:27:09 -0800 (PST)
From: Jeffrey D Anderson
Reply-to: JDAnderson@lbl.gov
Subject: CryptoCards
To: kerberos-pilot@fnal.gov
Cc: MDShapiro@lbl.gov
Message-id: <14516.27853.347479.2640@thwk23.lbl.gov>

The CDF group at LBNL has decided that we cannot become part of the FNAL
strengthened realm if doing so would require us to disable sshd. As I understand it, this means that we're going to be living with CryptoCards. Has the specific technology been selected, and is there a test program that we could participate in, so that we are able to verify that we'll still have access to the services we require?

--
--------------------------------------------------------------
Jeffrey Anderson                      | JDAnderson@lbl.gov
Lawrence Berkeley National Laboratory | Mailstop 50a-5101
Phone: 510 486-4208                   | Fax: 510 486-6808

From kreymer@fnal.gov Thu Feb 24 05:24:51 2000 -0600
Date: Thu, 24 Feb 2000 09:20:51 +0000
From: Ian McArthur
Subject: RE: kerberized things
To: Armin Reichold, "'Matt Crawford'", "'r.stdenis@physics.gla.ac.uk'"
Cc: "'kerberos-pilot@fnal.gov'", Todd Huffman, Peter Renton

Dear All,

this is to clarify why Armin was frightened by my email last night, but, fear not, it's only Kerberos working as advertised.

We set up kerberos on my desktop NT system yesterday morning and successfully obtained a ticket-granting-ticket from Fermi using Armin's details. At this stage we couldn't get eXceed telnet to work with V5 and Armin left my office. Once I'd got some help from Hummingbird support and installed the Level 4 patches to V6.2, the telnet client was then Kerberos V5 capable and I successfully connected to FCDFSGI2.

I think Armin's surprise was simply that I didn't need his Kerberos password to login but this was entirely due to the fact that the Kerberos ticket on my system was still within its time-to-live.

Having said that, we should test that the Kerberos tickets are getting deleted properly on logout!

Cheers, Ian

-----Original Message-----
From: Armin Reichold
Sent: 23 February 2000 20:17
To: 'Matt Crawford'; r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov; Ian McArthur; Todd Huffman; Peter Renton
Subject: RE: kerberized things

Hi Matt,

I think you are wrong about the Exceed v4/v5. We logged into fcdfsgi2 using exceed v4-kerberised telnet and Ian McArthur (see above email) can tell you what he has been able to do with this. I guess it is quite frightening.

All of this avoids the one big question of how to get x-output/input to the kerberised machine.

Cheers Armin

*************************************************
Dr. Armin Reichold             | private:
Research Officer               | 17 Frys Hill
University of Oxford           | Oxford
Particle & Nuclear Phys. Lab.  | OX4 5GW
1 Keble Road                   | UK
Oxford OX1 3RH
UK
Room 612

Tel.  : +44-(0)1865-273358 (office)
Tel.  : +44-(0)1865-434856 (private)
Mobile: +44-(0)7930-431102 (emergency only)
Fax.  : +44-(0)1865-273418 (office)
E-Mail: a.reichold1@physics.ox.ac.uk
Netmeeting: ppnt67.physics.ox.ac.uk (business)
---//--- Dir. Server: webnt.physics.ox.ac.uk
*************************************************

-----Original Message-----
From: Matt Crawford [mailto:crawdad@fnal.gov]
Sent: Wednesday, February 23, 2000 7:25 PM
To: r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov
Subject: Re: kerberized things

> >For Windows users, Exceed has a telnet tool that supports Kerberos v4.
> >I've never actually tried it, I must admit.
> >
> >Is this enough? Or do they want us to use v5? The dialogue has a
> >button for v5, but that is greyed-out: perhaps it's an optional extra.

It has to be Kerberos v5. WRQ's product "Reflection Signature" supports Kerberos v5 telnet, ftp and r-commands. The price is about the same as Exceed. We'd be happy to learn of Exceed support for v5 if it comes out, although many users demand FTP support and we found that many Windows products fell down on that point.

> >I assume there is some RPM for linux...?

Yes, a Google search turned up several. I didn't investigate export-control issues on them. Fermilab collaborators may find it most convenient to use the Fermi Kerberos product (supported for Linux, Solaris, IRIX, Compaq Unix) *if* we can solve the export issues ourselves. The outlook for that is fair-to-good.

> He also added...
> > I don't know why kerberized telnet is supposed to be better than
> > ssh, though.

Suppose someone's SSH RSA key has been compromised. It's quite a daunting task to revoke it! Users who don't use the RSA mode still face the regular vulnerabilities of the Rhosts and RhostsRSA mechanisms (reduced perhaps 10% by the necessity of exploiting them from the real authorized host) and crackable password files on the server end.
Matt Crawford

From kreymer@fnal.gov Thu Feb 24 05:24:51 2000 -0600
Date: Thu, 24 Feb 2000 09:09:34 +0000
From: Ian McArthur
Subject: RE: kerberized things
To: Armin Reichold, "'Matt Crawford'", "'r.stdenis@physics.gla.ac.uk'"
Cc: "'kerberos-pilot@fnal.gov'", Todd Huffman, Peter Renton

Hi All,

what I actually achieved was using the telnet client from Exceed V6.2 with level 4 patches to login to fcdfsgi2. This appears to be the first revision which supports Kerberos V5; although previous versions had an enticing V5 box, it was always grayed out.

Cheers, Ian

-----Original Message-----
From: Armin Reichold
Sent: 23 February 2000 20:17
To: 'Matt Crawford'; r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov; Ian McArthur; Todd Huffman; Peter Renton
Subject: RE: kerberized things

Hi Matt,

I think you are wrong about the Exceed v4/v5. We logged into fcdfsgi2 using exceed v4-kerberised telnet and Ian McArthur (see above email) can tell you what he has been able to do with this. I guess it is quite frightening.

All of this avoids the one big question of how to get x-output/input to the kerberised machine.

Cheers Armin

*************************************************
Dr. Armin Reichold             | private:
Research Officer               | 17 Frys Hill
University of Oxford           | Oxford
Particle & Nuclear Phys. Lab.  | OX4 5GW
1 Keble Road                   | UK
Oxford OX1 3RH
UK
Room 612

Tel.  : +44-(0)1865-273358 (office)
Tel.  : +44-(0)1865-434856 (private)
Mobile: +44-(0)7930-431102 (emergency only)
Fax.  : +44-(0)1865-273418 (office)
E-Mail: a.reichold1@physics.ox.ac.uk
Netmeeting: ppnt67.physics.ox.ac.uk (business)
---//--- Dir. Server: webnt.physics.ox.ac.uk
*************************************************

-----Original Message-----
From: Matt Crawford [mailto:crawdad@fnal.gov]
Sent: Wednesday, February 23, 2000 7:25 PM
To: r.stdenis@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov
Subject: Re: kerberized things

> >For Windows users, Exceed has a telnet tool that supports Kerberos v4.
> >I've never actually tried it, I must admit.
> >
> >Is this enough? Or do they want us to use v5? The dialogue has a
> >button for v5, but that is greyed-out: perhaps it's an optional extra.

It has to be Kerberos v5. WRQ's product "Reflection Signature" supports Kerberos v5 telnet, ftp and r-commands. The price is about the same as Exceed. We'd be happy to learn of Exceed support for v5 if it comes out, although many users demand FTP support and we found that many Windows products fell down on that point.

> >I assume there is some RPM for linux...?

Yes, a Google search turned up several. I didn't investigate export-control issues on them. Fermilab collaborators may find it most convenient to use the Fermi Kerberos product (supported for Linux, Solaris, IRIX, Compaq Unix) *if* we can solve the export issues ourselves. The outlook for that is fair-to-good.

> He also added...
> > I don't know why kerberized telnet is supposed to be better than
> > ssh, though.

Suppose someone's SSH RSA key has been compromised. It's quite a daunting task to revoke it! Users who don't use the RSA mode still face the regular vulnerabilities of the Rhosts and RhostsRSA mechanisms (reduced perhaps 10% by the necessity of exploiting them from the real authorized host) and crackable password files on the server end.

Matt Crawford

From kreymer@fnal.gov Thu Feb 24 10:16:22 2000 -0600
Date: Thu, 24 Feb 2000 10:16:01 -0600
From: "Mark O. Kaletka"
Subject: RE: CryptoCards
In-reply-to: <14516.27853.347479.2640@thwk23.lbl.gov>
To: JDAnderson@lbl.gov, kerberos-pilot@fnal.gov
Cc: MDShapiro@lbl.gov

Yes, and yes. We've chosen CryptoCard (brand name) and also plan to support (in the future) S/Key OTP. CryptoCard is implemented now and can be used for telnet and rlogin to fcdfsgi2; ftp is not yet supported. This has to do with modifying the Kerberized ftp daemon code to handle the CryptoCard challenge and response dialogs. That is to say, from an unstrengthened system you can't ftp to a strengthened system (even with a CryptoCard); the other way 'round (strengthened to unstrengthened) is ok and so can be used as a temporary and clumsy workaround (i.e. push instead of pull). I think folks have to give us a read on how big an issue that is.

If you would like to be an off-site CryptoCard beta tester, let me know. We have a small number on hand and a larger number due to be delivered "any day now". We also have a small number of PalmPilot "cards" (i.e. software that emulates a CryptoCard). We will have to work out details of shipping the cards (LBNL is not a problem but think there're export problems shipping them off-shore which, as you saw, stalled the UK request).

-- Mark K.

> -----Original Message-----
> From: Jeffrey D Anderson [mailto:JDAnderson@lbl.gov]
> Sent: Wednesday, February 23, 2000 5:27 PM
> To: kerberos-pilot@fnal.gov
> Cc: MDShapiro@lbl.gov
> Subject: CryptoCards
>
>
>
> The CDF group at LBNL has decided that we cannot become part of the
> FNAL strengthened realm if doing so would require us to disable sshd.
> As I understand it, this means that we're going to be living with
> CryptoCards. Has the specific technology been selected, and is there
> a test program that we could participate in, so that we are able to
> verify that we'll still have access to the services we require?
>
>
> --
> --------------------------------------------------------------
> Jeffrey Anderson                      | JDAnderson@lbl.gov
> Lawrence Berkeley National Laboratory | Mailstop 50a-5101
> Phone: 510 486-4208                   | Fax: 510 486-6808

From kreymer@fnal.gov Thu Feb 24 14:01:07 2000 -0600
Date: Thu, 24 Feb 2000 12:00:27 -0800 (PST)
From: Jeffrey D Anderson
Reply-to: JDAnderson@lbl.gov
Subject: RE: CryptoCards
To: "Mark O. Kaletka"
Cc: kerberos-pilot@fnal.gov
Cc: MDShapiro@lbl.gov
Message-id: <14517.36315.905081.606795@thwk23.lbl.gov>
References: <14516.27853.347479.2640@thwk23.lbl.gov>

Mark O. Kaletka writes:
> Yes, and yes.
We've chosen CryptoCard (brand name) and also plan to support > (in the future) S/Key OTP. CryptoCard is implemented now and can be used for > telnet and rlogin to fcdfsgi2; So, CryptoCard logins will not be restricted to a single portal? That's good. > ftp is not yet supported. This has to do with > modifying the Kerberized ftp daemon code to handle the CryptoCard challenge > and response dialogs. That is to say, from an unstrengthened system you > can't ftp to a strengthened system (even with a CryptoCard); the other way > 'round (strengthened to unstrengthened) is ok and so can be used as a > temporary and clumsy workaround (i.e. push instead of pull). I think folks > have to give us a read on how big an issue that is. Well, we have disabled all ftp INTO the LBNL CDF systems and rely on scp at the moment. It sounds like we'll have to enable ftp TO them FROM FNAL, which we'd rather not do because of the cleartext password issue. Another complication is that the group here makes heavy use of the PDSF system, which I do not administer, and which will certainly NOT be interested in enabling ftp from outside of their local subnet. It sounds like this issue will go away once ftp is fixed at the FNAL side, so fixing it would be a high priority for us. One serious issue for people here is that there doesn't seem to be any way to automate file transfers using the CryptoCard system. We had imagined that we could run batch jobs, and periodically scp the (very large) results to FNAL, but that doesn't seem to be possible under the new regime. How will users perform such batch transfers under the new system? > If you would like to be an off-site CryptoCard beta tester, let me know. We > have a small number on hand and a larger number due to be delivered "any day > now". We also have a small number of PalmPilot "cards" (i.e. software that > emulates a CryptoCard). 
> We will have to work out details of shipping the
> cards (LBNL is not a problem but think there're export problems shipping
> them off-shore which, as you saw, stalled the UK request).

Yes, we'd like to test the system. If you could provide us with two cards, one for me, and one for Marjorie Shapiro, that would help us understand how (and whether) we can perform our work within the new regime.

Thanks,
--
--------------------------------------------------------------
Jeffrey Anderson                       | JDAnderson@lbl.gov
Lawrence Berkeley National Laboratory  | Mailstop 50a-5101
Phone: 510 486-4208                    | Fax: 510 486-6808

From kreymer@fnal.gov Thu Feb 24 16:01:18 2000 -0600
Date: Thu, 24 Feb 2000 16:01:02 -0600 (EST)
From: "Marc W. Mengel"
Subject: Re: kerberized things
To: "Rick St. Denis"
Cc: kerberos-pilot@fnal.gov

We've started rolling out MIT krb5 1.0.6 here at Fermilab. The Windows software is functional, but doesn't cache your keys properly to give you real single sign-on (yet). Supposedly a newer release is going to fix that.

> He also added...
> >I don't know why kerberized telnet is supposed to be better than
> >ssh

Actually, I think ssh with krb5 is the best way to go (which you can build for UNIX anyway) 'cause it uses krb5 for authentication, forwards tickets, and still gives you ssh side-pipes for X sessions, etc.

Anyone looked at the Kermit Kerberos support? According to:

http://www.funet.fi/pub/kermit/k95cu/security.htm

the newer Kermits can grab a forwardable ticket and use it repeatedly...

From kreymer@fnal.gov Thu Feb 24 16:53:39 2000 -0600
Date: Thu, 24 Feb 2000 16:53:20 -0600
From: "Mark O. Kaletka"
Subject: RE: CryptoCards
In-reply-to: <14517.36315.905081.606795@thwk23.lbl.gov>
To: JDAnderson@lbl.gov
Cc: kerberos-pilot@fnal.gov, MDShapiro@lbl.gov

> -----Original Message-----
> From: Jeffrey D Anderson [mailto:JDAnderson@lbl.gov]
> Sent: Thursday, February 24, 2000 2:00 PM
> To: Mark O.
> Kaletka
> Cc: kerberos-pilot@fnal.gov; MDShapiro@lbl.gov
> Subject: RE: CryptoCards
>
>...snip...<
> Well, we have disabled all ftp INTO the LBNL CDF systems and rely on
> scp at the moment. It sounds like we'll have to enable ftp TO them
> FROM FNAL, which we'd rather not do because of the cleartext password
> issue.
>
> Another complication is that the group here makes heavy use of the
> PDSF system, which I do not administer, and which will certainly NOT
> be interested in enabling ftp from outside of their local subnet. It
> sounds like this issue will go away once ftp is fixed at the FNAL
> side, so fixing it would be a high priority for us.

We wouldn't prohibit CLIENTS on strengthened systems, the restriction is on network SERVERS which might allow a user to reveal OUR passwords, so we wouldn't prohibit an scp client on a strengthened system for access to a non-strengthened LBNL system.

>
> One serious issue for people here is that there doesn't seem to be
> any way to automate file transfers using the CryptoCard system. We
> had imagined that we could run batch jobs, and periodically scp the
> (very large) results to FNAL, but that doesn't seem to be possible
> under the new regime.
>
> How will users perform such batch transfers under the new system?

Hmmm, that's a good question -- I have some ideas but we'll have to think that one through before I post anything.
>...snip...<

From kreymer@fnal.gov Fri Feb 25 02:07:29 2000 -0600
Date: Fri, 25 Feb 2000 08:07:15 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: RE: CryptoCards
To: "Mark O. Kaletka"
Cc: JDAnderson@lbl.gov, kerberos-pilot@fnal.gov, MDShapiro@lbl.gov

>
> >
> > One serious issue for people here is that there doesn't seem to be
> > any way to automate file transfers using the CryptoCard system. We
> > had imagined that we could run batch jobs, and periodically scp the
> > (very large) results to FNAL, but that doesn't seem to be possible
> > under the new regime.
> >
> > How will users perform such batch transfers under the new system?
>
> Hmmm, that's a good question -- I have some ideas but we'll have to think
> that one through before I post anything.
>

Might I suggest that this be thought through PRIOR to the implementation of a fully strengthened system at FNAL?
In the current paradigm, we will have no viable method of code development locally, or of batch downloads of data/code during non-peak network times. Armin has pointed out the troubles with trans-atlantic latency which make remote code development (and certainly analysis) difficult to impossible depending on network route and traffic, and CDF has actually managed to solve this problem with its use of cron jobs from remote machines that begin a nightly (that's night in local time) download of the latest code. I believe as it stands a human being must initiate this process with a Crypto-card, or join the strengthened realm.

As we learn about the consequences of kerberos, joining the strengthened realm seems more and more difficult to us. As an institution of higher learning we receive many site-wide licenses for software that we can share across many platforms, machines, and physics sub-departments (like condensed matter or astrophysics). Much of this software is heavily used and does not support Kerberos. Kerberos (unlike ssh) is not universally supported and probably never will be. This is the problem with a security system that requires individual secure software packages and isn't completely contained in the operating system (like ssh). Also once one server in a LAN Kerberizes there is pressure to drag the rest of the LAN into the depths of Hadez.

We cannot convince other departments at Oxford, or indeed most of our own colleagues, that this is a good idea. So we are most likely stuck with Crypto-cards....assuming that the US government decides that this top secret, super-advanced, fully homogenised technology can be allowed outside the US of course. (Quick question about this, what if me, a US citizen and legitimate visitor at Fermilab, needs...say 5 Crypto-cards...and since I live in Britain I must, of course, take them home with me.....??)
I am afraid that with the advent of a fully strengthened realm at FNAL, we will break some of the things that we are currently doing right if some thought doesn't go into it first. This process should include the participation of Universities in third-world nations like Michigan, Britain, California, and Japan; not just the Superpower (FNAL).

Cheers,
Todd

From kreymer@fnal.gov Fri Feb 25 12:57:56 2000 -0600
Date: Fri, 25 Feb 2000 12:57:42 -0600 (CST)
From: Dane Skow
Subject: RE: CryptoCards
To: "Mark O. Kaletka"
Cc: JDAnderson@lbl.gov, kerberos-pilot@fnal.gov, MDShapiro@lbl.gov

> >
> > One serious issue for people here is that there doesn't seem to be
> > any way to automate file transfers using the CryptoCard system. We
> > had imagined that we could run batch jobs, and periodically scp the
> > (very large) results to FNAL, but that doesn't seem to be possible
> > under the new regime.
> >
> > How will users perform such batch transfers under the new system?
>
> Hmmm, that's a good question -- I have some ideas but we'll have to think
> that one through before I post anything.
Just a quick thought - doesn't the reverse direction work ? Have a batch job running on a strengthened node (with the ssh client) that copies the data from the unstrengthened system ?

> >...snip...<
>
>

Dane Skow,
Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Fri Feb 25 13:14:04 2000 -0600
Date: Fri, 25 Feb 2000 13:13:45 -0600
From: Lynn Garren
Subject: Re: CryptoCards
In-reply-to: "Your message of Fri, 25 Feb 2000 12:57:42 CST."
To: Dane Skow
Cc: "Mark O. Kaletka", JDAnderson@lbl.gov, kerberos-pilot@fnal.gov, MDShapiro@lbl.gov
Message-id: <200002251913.NAA11932@fnpspb.fnal.gov>

> Just a quick thought - doesn't the reverse direction work ? Have a
> batch job running on a strengthened node (with the ssh client) that
> copies the data from the unstrengthened system ?
>
> Dane Skow,

We've been doing just that for BTeV and E831.
We distribute code centrally from fnalu. It works, but I would not recommend this. Connections remain a problem. Such a system needs constant watching by someone on the central system. The other method needs to be watched by people at each remote machine, which distributes the workload.

Also, any job which needs to run every night at a certain time should really be a cron job, not a batch job. (Again, this becomes a question of minimizing the workload, since batch jobs disappear and have to be restarted.)

Lynn

From kreymer@fnal.gov Fri Feb 25 14:00:46 2000 -0600
Date: Fri, 25 Feb 2000 14:00:13 -0600
From: Matt Crawford
Subject: Re: CryptoCards
In-reply-to: "25 Feb 2000 12:57:42 CST." <"Pine.LNX.4.10.10002251256120.3028-100000"@unferth.fnal.gov>
To: Dane Skow
Cc: "Mark O. Kaletka", JDAnderson@lbl.gov, kerberos-pilot@fnal.gov, MDShapiro@lbl.gov
Message-id: <200002252000.OAA00666@gungnir.fnal.gov>

> Just a quick thought - doesn't the reverse direction work ?
> Have a
> batch job running on a strengthened node (with the ssh client) that
> copies the data from the unstrengthened system ?

Yes, of course. But in our dream world, all systems are strengthened. We had a plan for cron jobs from the very first, and it has been tested and it works. When our trusty developer of helpful extra code pieces gets back from her vacation she'll wrap up the somewhat intricate instructions which are in our user documentation (due out early next week in web and hardcopy) into a nice simple user-friendly "cmd" command package.

What Mark was pondering in his response to the Oxford guys was some way to let them continue to use ssh. That can be done, but frankly, based on user feedback all around the HEP community, nobody wants to needlessly subject bulk data to ssh's mandatory encryption. With Kerberos rcp (or ftp) you can have secure authentication and unencrypted data.

Matt

From kreymer@fnal.gov Fri Feb 25 14:08:39 2000 -0600
Date: Fri, 25 Feb 2000 14:08:52 -0600
From: Avi Yagil
Subject: distribution list...
In-reply-to: <200002252000.OAA00666@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov
Message-id: <000301bf7fcc$22df78f0$6bebe183@fnal.gov>

who owns it?
can you remove me from this verbose list?
avi.

From kreymer@fnal.gov Fri Feb 25 14:10:34 2000 -0600
Date: Fri, 25 Feb 2000 15:10:19 -0500 (EST)
From: Andreas Korn
Subject: configuration
In-reply-to: <200002252000.OAA00666@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov
Cc: "Mark O. Kaletka"

Hi,

It might be a good time to post some more detailed steps on how to configure krb5. The ups product crashes nicely with some FRHL versions (e.g.
those with a different release Kernel than libs). I got the krb5.conf from ups and compiled krb5.src.B4-3.tar.gz. kinit still isn't happy (which I guess I have to issue first) and telnet to fcdfsgi2 for example does not work.

This might be an ignorant question, but I would appreciate any advice ;-)

Thank you, regards
Andreas Korn

From kreymer@fnal.gov Fri Feb 25 14:20:56 2000 -0600
Date: Fri, 25 Feb 2000 14:20:39 -0600 (CST)
From: Ilya Kravchenko
Subject: Re:distribution list...
To: kerberos-pilot@fnal.gov
Message-id: <200002252020.OAA28849@cdfsga.fnal.gov>

>who owns it?
>can you remove me from this verbose list?
>avi.

Please, remove me as well.
thanks,
Ilya

From kreymer@fnal.gov Fri Feb 25 14:22:42 2000 -0600
Date: Fri, 25 Feb 2000 14:22:12 -0600
From: Matt Crawford
Subject: Re: configuration
In-reply-to: "25 Feb 2000 15:10:19 EST." <"Pine.OSF.4.10.10002251504510.20079-100000"@pierre.mit.edu>
To: Andreas Korn
Cc: kerberos-pilot@fnal.gov
Message-id: <200002252022.OAA01184@gungnir.fnal.gov>

> It might be a good time to post some more
> detailed steps on how to configure krb5.

They are in the INSTALL_NOTE files of the kerberos and krb5conf products, and on the web at

http://www.fnal.gov/cd/security/StrongAuth/UserDocs/Installing-Kerberos.htm

A more complete document for users and sysadmins should be out early next week as FNAL CD document GG0019.

> The ups product crashes nicely with some FRHL versions (e.g. those
> with a different release Kernel than libs).

There are lots of packages that crash when your Linux kernel and libs don't match. (But can such a system properly be said to be running any one FRHL release?)
> I got the krb5.conf from ups and compiled krb5.src.B4-3.tar.gz.

I don't recognize that latter file name. Where did it come from? I think the conceptually simplest thing for you to do is update your system so the libs and kernel are in sync.

> kinit still isn't happy (which I guess I have to issue first) and
> telnet to fcdfsgi2 for example does not work.

You need to use either kinit or the Kerberos login program to get a TGT before you can get into some other Kerberos-only system.

From kreymer@fnal.gov Fri Feb 25 14:25:02 2000 -0600
Date: Fri, 25 Feb 2000 14:24:33 -0600
From: Matt Crawford
Subject: Re: distribution list...
In-reply-to: "25 Feb 2000 14:20:39 CST." <"200002252020.OAA28849"@cdfsga.fnal.gov>
To: kerberos-pilot@fnal.gov
Message-id: <200002252024.OAA01229@gungnir.fnal.gov>

> >who owns it?
> >can you remove me from this verbose list?
> >avi.
>
> Please, remove me as well.
> thanks,
> Ilya

You are subscribed automatically when your Kerberos principal is issued.
I believe you should have received a message at that time telling you how to unsubscribe. If not, or if you didn't save it, here's how: send the line

    unsubscribe kerberos-pilot

in the BODY of a message to MAILSERV@FNAL.GOV. Send it *from* the address by which you're subscribed, which should be yourid@fnal.gov.

Matt

From kreymer@fnal.gov Fri Feb 25 14:26:25 2000 -0600
Date: Fri, 25 Feb 2000 12:26:10 -0800 (PST)
From: Jeffrey D Anderson
Subject: Re: CryptoCards
To: kerberos-pilot@fnal.gov
Message-id: <14518.58722.733364.10251@thwk23.lbl.gov>

Matt Crawford writes:
> > Just a quick thought - doesn't the reverse direction work ? Have a
> > batch job running on a strengthened node (with the ssh client) that
> > copies the data from the unstrengthened system ?
>
> Yes, of course. But in our dream world, all systems are
> strengthened.
> We had a plan for cron jobs from the very first, and
> it has been tested and it works.

That seems a little unrealistic to me. I know that CDF at LBNL plans to use computer facilities that are not under our direct management. These facilities will certainly not be willing to accept the restrictions necessary to become part of the strengthened realm. It is necessary that FNAL computers be able to interact with these systems in ways that are not so cumbersome that it is impossible to get our work done.

I guess I'm beating a dead horse at this point, but the people here are very concerned that these important issues are resolved before major changes take place.

Thanks,
--
--------------------------------------------------------------
Jeffrey Anderson                       | JDAnderson@lbl.gov
Lawrence Berkeley National Laboratory  | Mailstop 50a-5101
Phone: 510 486-4208                    | Fax: 510 486-6808

From kreymer@fnal.gov Fri Feb 25 15:46:16 2000 -0600
Date: Fri, 25 Feb 2000 13:45:59 -0800
From: igv@kfesg.lbl.gov (Igor Volobouev)
Subject: unsubscribe
To: kerberos-pilot@fnal.gov
Message-id: <200002252145.NAA26158@kfesg.lbl.gov>

Please unsubscribe me from this mailing list.

Thanks,
Igor

From kreymer@fnal.gov Fri Feb 25 16:16:20 2000 -0600
Date: Fri, 25 Feb 2000 16:16:14 -0600 (CST)
From: Hongquan Niu
Subject: Re: unsubscribe
In-reply-to: <200002252145.NAA26158@kfesg.lbl.gov>
To: kerberos-pilot@fnal.gov

Hi there,

Please unsubscribe me also. I tried to unsubscribe, but failed. Sorry about this.
-Hongquan

From kreymer@fnal.gov Fri Feb 25 19:34:57 2000 -0600
Date: Fri, 25 Feb 2000 17:34:36 -0800
From: Marjorie Shapiro
Subject: RE: CryptoCards
To: Dane Skow
Cc: "Mark O. Kaletka", JDAnderson@lbl.gov, kerberos-pilot@fnal.gov

I don't think copying data with a cron job from the strengthened realm will work for this application. Here is what we are doing:

We have a system with on order 30 PC nodes with rather small locally attached scratch disks. I am submitting on order 300 batch jobs (using LSF) which can run on any of the nodes (the number running at once will be determined by LSF using fair share). Each job runs for about 12 hours and makes a data file of about 1 GB on the local scratch disk. Right now, at the end of the job I copy the output to FNAL via scp and then delete the file from the local disk.
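Dane's "reverse direction" suggestion, Lynn's warning that such a collector needs constant watching, and Marjorie's description of 300 LSF jobs each leaving a 1 GB file on local scratch all concern the same mechanism. The script below is an added example of that mechanism (it is not code from this list, from Fermilab's user documentation, or from the CDF sites): a manifest-driven collector that a cron job on the strengthened node could run, which only picks up files the producer has declared finished, verifies the cksum of each copy before accepting it, retries transient fetch failures, and keeps a done-log so a rerun is idempotent. The FETCH command, the MANIFEST file name and the sample files are assumptions; FETCH defaults to cp so the script runs offline, and in real use it would be the scp or Kerberos rcp client.

```shell
#!/bin/sh
# Pull-model batch collector (constructed example, not FNAL/CDF code).
#
# Producer side (the unstrengthened batch node, no FNAL credentials needed):
# when a job's output file is complete it appends
#     cksum job.dat >> MANIFEST
# so MANIFEST lists only finished files, each as "<cksum> <size> <name>".
#
# Collector side (cron job on the strengthened node, which already holds its
# own credentials): fetch MANIFEST, copy every not-yet-collected file into a
# staging area, verify cksum and size, rename it into place, record it in a
# done-log. Partial copies never appear under the destination directory, and
# rerunning after a failure only picks up what is still missing.
#
# FETCH is a one-file copy command invoked as "FETCH SRC DST". The default cp
# stands in for scp / Kerberos rcp (assumption); with scp, SRC would be
# "host:/dir".

FETCH="${FETCH:-cp}"
RETRIES="${RETRIES:-3}"   # attempts per file before giving up for this run
SLEEP="${SLEEP:-1}"       # seconds between attempts

# fetch_with_retry SRC DST: copy one file, retrying transient failures.
fetch_with_retry() {
    attempt=0
    while [ "$attempt" -lt "$RETRIES" ]; do
        if $FETCH "$1" "$2" 2>/dev/null; then
            return 0
        fi
        attempt=$((attempt + 1))
        sleep "$SLEEP"
    done
    return 1
}

# pull_batch SRC DST: collect the files MANIFEST declares finished into DST.
# Prints the number of files accepted in this run.
pull_batch() {
    src="$1"
    dst="$2"
    done_log="$dst/.collected"
    mkdir -p "$dst/.staging"
    : >> "$done_log"

    if ! fetch_with_retry "$src/MANIFEST" "$dst/.staging/MANIFEST"; then
        echo "cannot fetch manifest from $src" >&2
        echo 0
        return 1
    fi

    count=0
    while read -r want_sum want_size name; do
        [ -n "$name" ] || continue
        # Already accepted on a previous run: skip, never re-copy.
        grep -qxF "$name" "$done_log" && continue

        stage="$dst/.staging/$name"
        if ! fetch_with_retry "$src/$name" "$stage"; then
            echo "fetch failed after $RETRIES attempts: $name" >&2
            rm -f "$stage"
            continue
        fi

        # cksum prints "<sum> <size> <path>"; compare both numbers.
        set -- $(cksum "$stage")
        if [ "$1" != "$want_sum" ] || [ "$2" != "$want_size" ]; then
            echo "checksum mismatch, discarding: $name" >&2
            rm -f "$stage"
            continue
        fi

        # Only a verified copy is renamed into place and logged.
        mv "$stage" "$dst/$name" && echo "$name" >> "$done_log" && count=$((count + 1))
    done < "$dst/.staging/MANIFEST"

    echo "$count"
}
```

The producer never needs credentials for the strengthened realm, which is the point of the pull direction, and the collector's only state is the done-log and the staging directory, so the watching Lynn describes reduces to checking the run's stderr for "fetch failed" and "checksum mismatch" lines.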
On Fri, 25 Feb 2000, Dane Skow wrote:

>
> > >
> > > One serious issue for people here is that there doesn't seem to be
> > > any way to automate file transfers using the CryptoCard system. We
> > > had imagined that we could run batch jobs, and periodically scp the
> > > (very large) results to FNAL, but that doesn't seem to be possible
> > > under the new regime.
> > >
> > > How will users perform such batch transfers under the new system?
> >
> > Hmmm, that's a good question -- I have some ideas but we'll have to think
> > that one through before I post anything.
>
> Just a quick thought - doesn't the reverse direction work ? Have a
> batch job running on a strengthened node (with the ssh client) that
> copies the data from the unstrengthened system ?
>
> > >...snip...<
> >
>
> Dane Skow,
> Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510
>

From kreymer@fnal.gov Sat Feb 26 15:43:23 2000 -0600
Date: Sat, 26 Feb 2000 13:43:07 -0800
From: Marjorie Shapiro
Subject: Mail I received from an English CDF collaborator...
To: kerberos-pilot@fnal.gov

I am forwarding the following email from Armin Reichold (one of our Oxford collaborators). It touches on some of the issues of working over the network from Europe. Armin was interested in getting a product like VNC installed (see his mail below for details).

I don't know whether this is the best product to do what he wants. But I was wondering if anyone could tell me whether there are plans to meet this need as part of the security project? We have a very large number of foreign (Italian, British, Japanese and Korean) collaborators and I expect us to get many requests like this one. (I have already had a very similar request from the Italians).

Marjorie

---------- Forwarded message ----------
Date: Tue, 22 Feb 2000 10:10:02 -0000
From: Armin Reichold
To: "'Marjorie Shapiro'", Stefano Belforte
Cc: 'Liz Buckley-Geer', "Shapiro, Marg", "Amidei, Dan", Todd Huffman, Ian McArthur, Pete Gronbech, Peter Renton
Subject: RE: VNC on fcdfsgi2

Apologies,
I think that you (Marjorie) have not been on the cc for most of my communications about this subject. Let me clarify the situation. I know it will be a little long and some have heard it before but please bear with me for the moment.

First:
The networking status quo for us here at Oxford:
During a large fraction of the day our network to the US has round trip delay times of up to 0.6 seconds and at best it is 0.15 seconds. The bandwidth averaged over a minute varies between nothing (very rare) to 200 Kbits/s. The UK is very active right now in improving the connectivity to the US in general and to Fermilab and SLAC in particular but we will never get a line for general purpose that will be able to support the transfer of any sort of CDF data.
We may however get a line that has a chance of supporting interactive work at most times if we use the network in a clever way (see third point).

Second:
the problematic consequences:
If we try to establish an interactive session with a Fermilab machine, for example via X, i.e. running xemacs, we run into a lot of problems. X traffic appears to be very bad for high latency lines because it has a lot of handshaking (across the high latency line) which means that it can take Order(minutes) before one can open a file with x-emacs. This behaviour is due to the fact that there is a window manager running here and a server running at FNAL and they have to negotiate and synchronise.

Third:
possible solutions/alleviations:
If we use the network in a more clever way we can overcome the accumulation of latency times. All systems that I know about (Citrix MetaFrame slow line mode, VNC, MS Terminal Server Client slow line mode, Exceed-Web thin-X client) that attack this problem work on the same principle.
The thin connection:
is between a separate display server (for example Citrix MetaFrame on cdf-wincenter) and the remote client (e.g. Citrix client on my desktop at Oxford) and the protocol minimises total transfer (caching, compression) and handshaking (i.e. server has explicit knowledge of client display).
The thick connection:
is between the display server (e.g. cdf-wincenter) and the "big" machine and could be an X type connection.

Fourth:
so what do I want?
I do not want to blame the offline group at all for anything. It is certainly not their nor Fermilab's responsibility to provide good transatlantic links and Fermilab's network connectivity into the outside world is excellent by European standards I believe.
I would like to see some of the above mentioned access methods become available at CDF. Initially only for evaluation and later for use by European collaborators.
The kerberised telnet is all fine and great but not good (as far as I can tell) for direct access across the Atlantic. It would be fine to run kerberised telnet between the display server and the "big" machines but that requires that we get something like a display server to start with.
One start could be to simply provide an X-service like Exceed on the cdf-wincenter. Or to install Exceed-Web on a separate server (Jump service) or to run VNC on the big machines directly (and allow access via VNC). All of these possibilities require proper integration into the authentication scheme that FNAL proposes but most of them have easy hooks that would allow that.

Last:
So in summary I think I have to say that at FNAL one tends to forget (this is not meant aggressively) how bad the network across the Atlantic can really be, in particular the latency times are often ignored and bandwidth is the only number one hears about but for interactive work the first is the more important. So let's try to arrange for the most efficient use of what we have, whilst still pushing from the European side to get better lines.

Cheers Armin

P.S. I think that, for example, the distribution has served us excellently here at Oxford.

*************************************************
* Dr. Armin Reichold            | private:       *
* Research Officer              | 17 Frys Hill   *
* University of Oxford          | Oxford         *
* Particle & Nuclear Phys. Lab. | OX4 5GW        *
* 1 Keble Road                  | UK             *
* Oxford OX1 3RH                                 *
* UK                                             *
* Room 612                                       *
*                                                *
* Tel. : +44-(0)1865-273358...(office)           *
* Tel. : +44-(0)1865-434856...(private)          *
* Mobile: +44-(0)7930-431102...(emergency only)  *
* Fax. : +44-(0)1865-273418...(office)           *
* E-Mail: a.reichold1@physics.ox.ac.uk           *
* Netmeeting: ppnt67.physics.ox.ac.uk (business) *
* ---//--- Dir. Server: webnt.physics.ox.ac.uk   *
*************************************************

-----Original Message-----
From: Marjorie Shapiro [mailto:shapiro@kfesg.lbl.gov]
Sent: Tuesday, February 22, 2000 12:34 AM
To: Stefano Belforte
Cc: 'Liz Buckley-Geer'; Shapiro, Marg; Amidei, Dan; Armin Reichold
Subject: Re: VNC on fcdfsgi2

I apologize for being so dense, but I am confused by what you and Armin are requesting. "Good connectivity" to remote institutions is largely determined by the bandwidth available (and the network configuration to the remote site). Are you saying that FNAL is supposed to design the network layout for all the institutions that work at the lab? Or, are you saying that the network pipe out of the lab is too small? The proposed protocol for Run II is a kerberized Telnet. This product will be provided in KITTS. Until it is working, we are asking people to use ssh. I don't believe there are performance problems associated with either product, so I don't understand what the complaint about interactive use is.

As for the other issues you raise ("data/data-base/DIM/batch/code distribution"), we ARE distributing the code on a daily basis to every site that has requested it. We intend to do the same thing for databases and discussions of the technical issues involved in serving the databases have begun. A short term solution where the databases are served via mSQL has been in place for months. And, we are distributing Oracle clients for linux (the only platform where the client is free). Distribution of large datasets will clearly be by tape (the network bandwidth is not good enough). There will be a tape copy facility, although the issue of whether we share one with D0 or have our own is still under discussion with CD. The DataHandling code is being distributed with the Offline package. There is no fully functional DIM at FNAL, so there is no way we can make it work at the remote sites either.
I am not claiming that things are rosy: all the above products still have problems and are under development. But I don't think it is fair to accuse the Offline group of ignoring remote sites.

On Mon, 21 Feb 2000, Stefano Belforte wrote:

> Dear offline leaders,
> already several times Armin has rightfully raised the issue
> of how can and should CDF provide good connectivity to
> remote institutions. With little success, apparently.
> Are we ever going to see this addressed seriously as a
> collaboration need ?
> Identifying the right tool (whether it is an application, a
> network configuration or bandwidth issue, a matter of
> QOS implementation or whatever else) is not a thing for
> individual volunteer people. I am pleased that Armin
> is trying out VNC (a tool I like), but I have not the means
> to test myself the NT based tools they are using, just to make
> an example.
> One year has passed since the "remote analysis workshop"
> and we do not seem to have gained much more insight about
> what to do about all issues from interactive performance
> to data/data-base/DIM/batch/code distribution. I could not
> attend Jan 26 workshop, but I understand that this topic
> did not raise much interest.
> If we only concentrate in "making it work at FNAL first" I
> am afraid it may end up much more similar to D0 plan
> (all data is analysed at Fermilab) than we ever intended.
> May I suggest that you find some ways to make this a
> real collaboration-wide issue that can appear in the
> WBS ? Maybe if *you* tell collaborators that they should
> really start worrying about what data they want to bring
> home and what for, or they will never get them, some
> lively thinking may be done.
>
> Stefano
>
> --
> Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
> Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
> 34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Mon Feb 28 04:54:58 2000 -0600
Date: Mon, 28 Feb 2000 10:54:41 +0000
From: Armin Reichold
Subject: RE: configuration
To: "'Andreas Korn'", kerberos-pilot@fnal.gov
Cc: "Mark O. Kaletka", Todd Huffman, Ian McArthur, Pete Gronbech

May I suggest the following:
If the security strategy for Fermilab is supposed to work well we need a list of required Kerberos-compliant clients.
The security team should be aware that it will in the future become their responsibility to provide support for those clients and that this will mean "A LOT OF CONTINUOUS HIGH QUALITY HIGH RELIABILITY WORK" since many remote institutions' computers will have to rely on these clients for a lot of essential tasks if we stick to the model of fully kerberising the rest of the world.

Now here are some "requests" for clients that we at Oxford would need in terms of kerberised clients:

NFS for: Sun, Red Hat Linux
Samba for: Sun, Red Hat Linux
ftp for: Sun, Red Hat Linux, NT
telnet for: Sun, Red Hat Linux, NT
dfs for: NT (this is not "the" dfs followup of afs but the NT style dfs)

Sun in the above list is our guess as to what will be a replacement for our current DEC based central Unix systems. So it may be that this turns out to be a wrong guess but some major Unix flavour (not SGI) is definitely true.

Alternatively:
If we could agree that it is acceptable for a node that connects to a node in the fnal strengthened realm via kerberised services and whose LAN is behind a firewall that blocks the unkerberised services from outside that LAN to that node to run some LAN internal non-kerberised services like nfs, afs (which of course is kerberised), samba, dfs etc, then: we could live with only needing kerberised telnet for NT, Linux and SUN.

What do you say?

cheers Armin

*************************************************
* Dr. Armin Reichold            | private:       *
* Research Officer              | 17 Frys Hill   *
* University of Oxford          | Oxford         *
* Particle & Nuclear Phys. Lab. | OX4 5GW        *
* 1 Keble Road                  | UK             *
* Oxford OX1 3RH                                 *
* UK                                             *
* Room 612                                       *
*                                                *
* Tel. : +44-(0)1865-273358...(office)           *
* Tel. : +44-(0)1865-434856...(private)          *
* Mobile: +44-(0)7930-431102...(emergency only)  *
* Fax. : +44-(0)1865-273418...(office)           *
* E-Mail: a.reichold1@physics.ox.ac.uk           *
* Netmeeting: ppnt67.physics.ox.ac.uk (business) *
* ---//--- Dir. Server: webnt.physics.ox.ac.uk   *
*************************************************

From kreymer@fnal.gov Mon Feb 28 08:16:43 2000 -0600
Date: Mon, 28 Feb 2000 06:14:33 -0800 (PST)
From: Benn Tannenbaum
Subject: remote clients
To: kerberos-pilot@fnal.gov

One thing that I don't see anyone mentioning is clients for remote Macintoshes. There are still plenty of people that use them, including myself....
-Benn

From kreymer@fnal.gov Mon Feb 28 09:50:19 2000 -0600
Date: Mon, 28 Feb 2000 09:49:29 -0600
From: Matt Crawford
Subject: Re: CryptoCards
To: Marjorie Shapiro
Cc: JDAnderson@lbl.gov, kerberos-pilot@fnal.gov
Message-id: <200002281549.JAA18397@gungnir.fnal.gov>

> I don't think copying data with a cron job from the strengthened realm
> will work for this application. Here is what we are doing:
>
> We have a system with on order 30 PC nodes with rather small locally
> attached scratch disks. I am submitting on order 300 batch jobs ... at
> the end of the job I copy the output to FNAL via scp and then delete the
> file from the local disk.

Our scheme for cron jobs will work fine for batch jobs if each batch node has Kerberos client software and the batch user can log into each batch node interactively one time (not once per job) to prepare the authentication method before any jobs are run.
Alternatively, if there's one user-accessible Kerberos node which has access to the output files, the noninteractive copy-to-FNAL could be initiated from there. Either way, the Kerberos copy would also have the advantage of avoiding needless encryption of your 1 GB output file.

If neither of these assumptions holds, there are some simple variations we can make to enable this workflow. It's not a difficult problem, we just need to understand the details to provide the most general possible solution. (Cryptocard, by the way, does not figure into any plans for non-interactive use.)

I have to ask, though, how are you authenticating the scp transfer today?

Matt

From kreymer@fnal.gov Mon Feb 28 10:55:59 2000 -0600
Date: Mon, 28 Feb 2000 10:55:38 -0600
From: James Amundson
Subject: Re: Mail I received from an English CDF collaborator...
To: Marjorie Shapiro
Cc: kerberos-pilot@fnal.gov
Message-id: <38BAA88A.ADD38965@fnal.gov>
Organization: CD/ODS

Dear Marjorie,

I saw your message on the kerberos-pilot mailing list. I have nothing to say from the security standpoint (I am only a passive observer on the kerberos list), but I do have some possibilities to point out to your collaborators on long-distance connections to the CDF machines.

1) If people are really using XEmacs over remote connections, they should know about XEmacs's built-in ability to edit remote files through EFS. With EFS, XEmacs runs locally. It has transparent access to files from the remote machine. In general, this is much faster than running XEmacs on the remote machine, even when a fast link is available. Unfortunately, I don't know enough about EFS to know whether secure transfer modes are an option, particularly in the kerberos world.

2) If I were running X over a long-distance link, I would certainly want to try the Differential X Protocol Compressor, dxpc. I haven't used it myself, but it may be a better solution to the problem. The dxpc home page is .

I hope this is helpful.

Best,
Jim

Marjorie Shapiro wrote:
>
> I am forwarding the following email from Armin Reichold (one of our Oxford
> collaborators). It touches on some of the issues of working over the
> network from Europe. Armin was interested in getting a product like VNC
> installed (see his mail below for details).
>
> I don't know whether this is the best product to do what he wants. But I
> was wondering if anyone could tell me whether there are plans to meet this
> need as part of the security project?
From kreymer@fnal.gov Mon Feb 28 15:19:44 2000 -0600
Date: Mon, 28 Feb 2000 15:19:10 -0600
From: Matt Crawford
Subject: Re: CryptoCards
To: JDAnderson@lbl.gov
Cc: kerberos-pilot@fnal.gov, MDShapiro@lbl.gov
Message-id: <200002282119.PAA20860@gungnir.fnal.gov>

> Well, we have disabled all ftp INTO the LBNL CDF systems and rely on
> scp at the moment. It sounds like we'll have to enable ftp TO them
> FROM FNAL, which we'd rather not do because of the cleartext password
> issue.

If you have the Kerberos software installed (stock MIT or Fermi product), you can enable Kerberos-authenticated ftp without allowing password-authenticated ftp. Just put the "-a" in the argument list of the ftpd entry in inetd.conf.
(To allow Kerberos tickets or passwords, leave "-a" out.) When "-a" is present, a non-Kerberos ftp attempt fails before any password is requested, so an errant user can't even accidentally expose a password. (The Kerberos telnetd works in similar fashion: when started with "-a" it wants to see a valid Kerberos ticket at connection time or it will cut the client off.)

> Another complication is that the group here makes heavy use of the
> PDSF system, which I do not administer, and which will certainly NOT
> be interested in enabling ftp from outside of their local subnet. It
> sounds like this issue will go away once ftp is fixed at the FNAL
> side, so fixing it would be a high priority for us.

I don't know what PDSF is ... another batch system? If so, I'll just repeat yet again, if they install Kerberos client software, they can use the Kerberos rcp or ftp commands to move files here. And again I have to wonder, how are they authenticating the scp transfers today?? I have a strong hunch that what they're doing is equivalent, from a security point of view, to either storing a password in a file or to using the traditional Berkeley (no offense) r-command type of authentication.

> One serious issue for people here is that there doesn't seem to be
> any way to automate file transfers using the CryptoCard system. We
> had imagined that we could run batch jobs, and periodically scp the
> (very large) results to FNAL, but that doesn't seem to be possible
> under the new regime.
>
> How will users perform such batch transfers under the new system?

If you can wait another day or two for the user guide to come out, it's in there. It's under cron, but it works exactly the same for batch if, as I said to Marjorie this morning, the user can log into the batch node once before the first Kerberized batch job runs.

> > If you would like to be an off-site CryptoCard beta tester, ...
>
> Yes, we'd like to test the system.
> If you could provide us with two
> cards, one for me, and one for Marjorie Shapiro, that would help us
> understand how (and whether) we can perform our work within the new
> regime.

Coming up. But one last repetition: the Cryptocards aren't intended for
"unattended access" (batch & cron).

Is either of you on-site this week? If so, I'll try for hand delivery
of a cryptocard. Otherwise, they'll go postal.

Matt

From kreymer@fnal.gov Mon Feb 28 15:39:45 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA10878 for ; Mon, 28 Feb 2000 15:39:45 -0600
Received: from thwk23.lbl.gov ([131.243.112.65]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMG2LJE2PS000W3H@FNAL.FNAL.GOV> (original mail from anderson@thsrv.lbl.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 28 Feb 2000 15:39:42 -0600 CDT
Received: from thwk23.lbl.gov ([131.243.112.65]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMG2L80424000X9B@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 28 Feb 2000 15:38:59 -0600
Received: (from anderson@localhost) by thwk23.lbl.gov (8.9.3/8.9.3) id NAA00403; Mon, 28 Feb 2000 13:38:59 -0800
Date: Mon, 28 Feb 2000 13:38:59 -0800 (PST)
From: Jeffrey D Anderson
Subject: Re: CryptoCards
In-reply-to: <200002282119.PAA20860@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov
Cc: MDShapiro@lbl.gov, crawdad@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: JDAnderson@lbl.gov
Message-id: <14522.60147.415752.398192@thwk23.lbl.gov>
MIME-version: 1.0
X-Mailer: VM 6.71 under 21.1 "20 Minutes to Nikko" XEmacs Lucid (patch 2)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
References: <"14517.36315.905081.606795"@thwk23.lbl.gov> <200002282119.PAA20860@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 202

Matt Crawford writes:
> > Well, we have disabled all ftp INTO the LBNL CDF systems and rely on
> > scp at the moment. It sounds like we'll have to enable ftp TO them
> > FROM FNAL, which we'd rather not do because of the cleartext password
> > issue.
>
> If you have the Kerberos software installed (stock MIT or Fermi
> product), you can enable Kerberos-authenticated ftp without allowing
> password-authenticated ftp.

I'm beginning to be slightly confused about the significance of the
"strengthened realm." We are certainly capable of installing kerberized
ftp and telnet clients on our local machines. Is this all that will be
necessary for our machines to connect to FNAL? If so, why would a
system want to take the additional steps necessary to actually join the
strengthened realm?

> > Another complication is that the group here makes heavy use of the
> > PDSF system, which I do not administer, and which will certainly NOT
> > be interested in enabling ftp from outside of their local subnet. It
> > sounds like this issue will go away once ftp is fixed at the FNAL
> > side, so fixing it would be a high priority for us.
>
> I don't know what PDSF is ... another batch system?

Yes. It's a computing facility that we will use for batch data analysis.

> If so, I'll just
> repeat yet again, if they install Kerberos client software, they can
> use the Kerberos rcp or ftp commands to move files here.

So they needn't attempt to join the strengthened realm?

> And again I
> have to wonder, how are they authenticating the scp transfers today??
> I have a strong hunch that what they're doing is equivalent, from a
> security point of view, to either storing a password in a file or to
> using the traditional Berkeley (no offense) r-command type of
> authentication.

Either .shosts or RSA with empty passphrase, depending on the user's
preference. More secure than either of the solutions you mention, but
admittedly not bulletproof.

> Is either of you on-site this week? If so, I'll try for hand
> delivery of a cryptocard. Otherwise, they'll go postal.
I don't think so, but maybe Marjorie will be. Better send them unless
she tells you otherwise.

Thanks,
--
--------------------------------------------------------------
Jeffrey Anderson                       | JDAnderson@lbl.gov
Lawrence Berkeley National Laboratory  | Mailstop 50a-5101
Phone: 510 486-4208                    | Fax: 510 486-6808

From kreymer@fnal.gov Tue Feb 29 14:45:24 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA29331 for ; Tue, 29 Feb 2000 14:45:24 -0600
Received: from fsui02.fnal.gov ([131.225.68.20]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMHEZB9ROG000YKW@FNAL.FNAL.GOV> (original mail from aheavey@fsui02.FNAL.GOV) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 29 Feb 2000 14:45:17 -0600 CDT
Received: from fsui02.fnal.gov ([131.225.68.20]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMHEZ3UU9M000Y79@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov); Tue, 29 Feb 2000 14:44:34 -0600
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id OAA09520 for ; Tue, 29 Feb 2000 14:44:27 -0600 (CST)
Date: Tue, 29 Feb 2000 14:44:27 -0600
From: aheavey@fnal.gov
Subject: Manual ready
Sender: aheavey@fsui02.FNAL.GOV
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200002292044.OAA09520@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 203

The "Strong Authentication at Fermilab (Pilot Phase)" manual, release
P1.0 is available in PostScript format from:

   http://www.fnal.gov/docs/strongauth/ps/strong_auth.ps

Bound copies have been ordered, and they should be ready in about a
week.

I am working on the html conversion of the document and hope to have it
ready by the end of this week. I will send the URL when it's ready.
-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Tue Feb 29 17:46:50 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA29451 for ; Tue, 29 Feb 2000 17:46:49 -0600
Received: from fnal.gov ([131.225.235.30]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMHLBWMQEO000YKW@FNAL.FNAL.GOV> (original mail from ratnikov@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 29 Feb 2000 17:46:47 -0600 CDT
Received: from fnal.gov ([131.225.235.30]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMHLBW3RL4000X71@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 29 Feb 2000 17:46:39 -0600
Date: Tue, 29 Feb 2000 17:46:38 -0600
From: Fedor Ratnikov
Subject: remote X connection
Sender: ratnikov@fnal.gov
To: kerberos mailing list
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: ratnikov@fnal.gov
Message-id: <38BC5A5E.91D27EEC@fnal.gov>
Organization: CDF/RUTGERS
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.0.36 i686)
Content-type: text/plain; charset=koi8-r
Content-transfer-encoding: 7bit
X-Accept-Language: en, ru
Status: RO
X-Status:
X-Keywords:
X-UID: 204

Hi,

what is the way to open a window on the remote site, like

   ssh -f $1 xterm -sl 1000 -name $1@$DISPLAY -display $DISPLAY

when using ssh?

   rsh fcdfsgi2 "xterm -display $DISPLAY &"

hangs the current screen until the xterm is exited...

Cheers, Fedor.
--
MS318(CDF/Rutgers) Fermilab, Batavia, IL 60510 USA
Tel.:+1(630)840-8435  Fax:+1(630)840-6315

From kreymer@fnal.gov Wed Mar 1 11:14:45 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA15488 for ; Wed, 1 Mar 2000 11:14:44 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMILVT43RK000YKW@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Wed, 1 Mar 2000 11:14:28 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMILVJ0IZM000WU0@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 01 Mar 2000 11:13:18 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA03268; Wed, 01 Mar 2000 11:12:54 -0600 (CST)
Date: Wed, 01 Mar 2000 11:12:54 -0600
From: Matt Crawford
Subject: Re: remote X connection
In-reply-to: "29 Feb 2000 17:46:38 CST." <"38BC5A5E.91D27EEC"@fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: ratnikov@fnal.gov
Cc: kerberos mailing list
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200003011712.LAA03268@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 205

> what is the way to open a window on the remote site, ...
> rsh fcdfsgi2 "xterm -display $DISPLAY &"
> hangs the current screen until the xterm is exited...

Supply "-n" to stop the local end of rsh from looking for input, and
put the whole thing in the background:

   rsh -n -F fcdfsgi2 "xterm -d $DISPLAY &" &

There's still one security defect. You're apparently using "xhost +"
or "xhost +fcdfsgi2" to give access to your X display. This lets some
malicious person attach to your display and record keystrokes or
examine your screen. It would be better to use the "xauth" method.
Setting that up locally depends on your OS and X environment so I can't
tell you just how. If you need help on that, start at "man xauth"
perhaps, or maybe there's some CD document about it.

Once the xauth mechanism is working locally and you've turned off the
xhost access (by "xhost -"), then you can start a remote xterm as
follows.

If DISPLAY includes your hostname (as opposed to simply ":0"), ...

   rsh -n -x -F fcdfsgi2 "xauth add `xauth list $DISPLAY`; xterm -d $DISPLAY -T fcdfsgi2 &" &

This can be refined to take the remote host & user and other args to
xterm on the command line, and to cause the rsh and rshd processes on
either end to exit, leaving the xterm running.

The "-F" is to forward forwardable Kerberos tickets. Omit it if you
don't need it.

From kreymer@fnal.gov Wed Mar 1 22:43:05 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id WAA15776 for ; Wed, 1 Mar 2000 22:43:05 -0600
Received: from imapserver3.fnal.gov ([131.225.9.17]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMJ9YK3CHC000ZC5@FNAL.FNAL.GOV> (original mail from rharris@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal); Wed, 1 Mar 2000 22:42:58 -0600 CDT
Received: from imapserver3.fnal.gov ([131.225.9.17]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMJ9YJ9E30000Y0P@FNAL.FNAL.GOV>; Wed, 01 Mar 2000 22:42:53 -0600
Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 267; Wed, 01 Mar 2000 22:42:52 -0600
Received: from imapserver3.fnal.gov ([12.66.116.159]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Thu, 02 Mar 2000 04:42:51 +0000 (GMT)
Date: Wed, 01 Mar 2000 22:42:48 -0600
From: "Robert M. Harris"
Subject: [Fwd: strong authentication at FNAL and remote sites]
Sender: rharris@fnal.gov
To: kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov
Cc: LAUER@hepvms.physics.yale.edu, mdshapiro@fnal.gov, dan@fnal.gov
Errors-to: cdf_code_management-owner@fnal.gov
Message-id: <38BDF148.608FD6BB@imapserver3.fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.3.0f2 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 206

Questions regarding kerberos from a CDF Collaborator. The first for
cdf_code_management, the rest are for the pilot project.

-------- Original Message --------
Subject: strong authentication at FNAL and remote sites
Date: Wed, 01 Mar 2000 13:32:44 -0500 (EST)
From: "Rochelle Lauer, Yale Univ Physics"
To: RHARRIS@IMAPSERVER3.FNAL.GOV
CC: BUCKLEY@FNALD.FNAL.GOV, MDSHAPIRO@FNALD.FNAL.GOV

Hi

Michael Schmidt asked that I look over the "Strong Authentication at
Fermilab" in order to understand how these procedures would affect our
ability to interface with CDF. Although I have implemented Kerberos
(several years ago) I am not up to date on the technical details and
therefore I have some (perhaps naive) questions about the implementation
and how remote sites are to access Fermilab while also conforming to
their local requirements. I hope you will be able to help in answering
these questions.

1. Will we need at least 1 "kerberized" machine in order to receive the
   CDF code distribution ?

2. On a "kerberized" machine is a local login (at the console)
   authenticated using kerberos ? i.e. I use my kerberos password and
   therefore the "third party" authenticator (which I assume is at
   Fermilab) must be up and our network must be available in order to
   login locally ?

3. How is the Fermilab kerberos distribution tailored ?
   As I am required to use the FNAL distribution How can I be sure that
   the kerberos install will not affect something running locally (like
   TruCluster ?) and if I need to run kerberos authentication for some
   other applications (at Yale or at BNL) will the implementations
   conflict ?

4. Will non-CDF users be allowed access to such "kerberized" machines ?
   We share resources here and not everyone is a CDF collaborator. We
   share access to our batch farm and therefore all groups have
   accounts. It appears that I will have to "set aside" certain
   machines for CDF use alone. Is that correct ?

5. Will there be problems in accessing resources on non-kerberized
   machines ?
   Can a (Fermi) "kerberized" desktop
     be an NFS client to non-kerberized machine
     be an LSF client where the mbatchd and flexlm run on a
       non-kerberized host ?
   Can a (Fermi) "kerberized" desktop telnet to a non-kerberized
   machine ?
   Can a non-kerberized host telnet to a (Fermi) kerberized desktop ?

Thanks for any help
regards
Rochelle Lauer
Yale University Physics

From kreymer@fnal.gov Thu Mar 2 06:01:03 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id GAA26091 for ; Thu, 2 Mar 2000 06:01:01 -0600
Received: from gate.hep.anl.gov ([146.139.180.60]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMJP9HDTXS000ZC5@FNAL.FNAL.GOV> (original mail from reb@anl.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 2 Mar 2000 06:00:58 -0600 CDT
Received: from gate.hep.anl.gov ([146.139.180.60]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMJP9GWM7U000YEV@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 02 Mar 2000 06:00:48 -0600
Received: from anl.gov (slip113.slip.anl.gov [146.137.250.14]) by gate.hep.anl.gov (8.8.7/8.8.7) with ESMTP id GAA29114; Thu, 02 Mar 2000 06:00:46 -0600
Date: Thu, 02 Mar 2000 06:00:36 -0600
From: Robert Blair
Subject: Re: remote X connection
To: kerberos mailing list
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <38BE57E4.780C8BED@anl.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200003011712.LAA03268@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 207

I really haven't been paying close attention to this issue, but the
message below got my attention. Is it really true that ssh/port
forwarding will not be available to future users of secure systems?
Using rsh/xauth instead poses a number of problems and constitutes one
giant step backward. Here are a few:

1. Experience shows that xauth is pretty much too complicated and too
   difficult to use and the upshot will be that users WILL use "xhost +"
   and security minded users WILL use "xhost +host". This is one big
   step back in security NOT a step forward since this makes the
   universe able to read everything you type or look at, at worst; the
   best case limits this to everyone on your host.

2. Systems on networks that limit X11 protocol to local hosts only
   (something that is presently true at places like CERN and likely will
   become more common) will have no way at all to use X. This is a
   problem that needs a real solution and ssh provided one via the port
   forwarding/encryption approach. It required almost no complicated
   setup (the user simply had to let sshd set his DISPLAY variable at
   login) and should not be abandoned without a similarly competent
   solution. If it is, security will be decreased not increased.

Matt Crawford wrote:
> > what is the way to open a window on the remote site, ...
> > rsh fcdfsgi2 "xterm -display $DISPLAY &"
> > hangs the current screen until the xterm is exited...
>
> Supply "-n" to stop the local end of rsh from looking for input, and
> put the whole thing in the background:
>
> rsh -n -F fcdfsgi2 "xterm -d $DISPLAY &" &
>
> There's still one security defect.
> You're apparently using "xhost +"
> or "xhost +fcdfsgi2" to give access to your X display. This lets
> some malicious person attach to your display and record keystrokes or
> examine your screen. It would be better to use the "xauth" method.
> Setting that up locally depends on your OS and X environment so I
> can't tell you just how. If you need help on that, start at "man
> xauth" perhaps, or maybe there's some CD document about it.
>
> Once the xauth mechanism is working locally and you've turned off the
> xhost access (by "xhost -"), then you can start a remote xterm as
> follows.
>
> If DISPLAY includes your hostname (as opposed to simply ":0"), ...
>
> rsh -n -x -F fcdfsgi2 "xauth add `xauth list $DISPLAY`; xterm -d $DISPLAY -T fcdfsgi2 &" &
>
> This can be refined to take the remote host & user and other args to
> xterm on the command line, and to cause the rsh and rshd processes on
> either end to exit, leaving the xterm running.
>
> The "-F" is to forward forwardable Kerberos tickets. Omit it if you
> don't need it.

--
 *C~o~()*   Cc{*(o~*Q&    Bob Blair
 ( (( )     |~    ~ |     Argonne National Lab.
            |O    - |     Room E277, Bldg. 362
            \   "  /      High Energy Physics Div.
             \****/       9700 S. Cass Ave.
             **^u^**      Argonne, IL 60439
              *****       Phone (630)-252-7545
               ***        Fax (630)-252-5782
email: reb@anl.gov   fnald::rebcdf

From kreymer@fnal.gov Thu Mar 2 10:10:05 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA01296 for ; Thu, 2 Mar 2000 10:10:04 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMJXXW3TQ8000VEN@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal); Thu, 2 Mar 2000 10:09:57 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMJXXQQKN600104C@FNAL.FNAL.GOV>; Thu, 02 Mar 2000 10:09:28 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA09862; Thu, 02 Mar 2000 10:09:01 -0600 (CST)
Date: Thu, 02 Mar 2000 10:09:01 -0600
From: Matt Crawford
Subject: Re: [Fwd: strong authentication at FNAL and remote sites]
In-reply-to: "01 Mar 2000 22:42:48 CST." <"38BDF148.608FD6BB"@imapserver3.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: "Robert M. Harris"
Cc: kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov, LAUER@hepvms.physics.yale.edu, mdshapiro@fnal.gov, dan@fnal.gov
Errors-to: cdf_code_management-owner@fnal.gov
Message-id: <200003021609.KAA09862@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 208

(I'll assume that everyone on the CC list wants to be.)

> 1. Will we need at least 1 "kerberized" machine in order to
> receive the CDF code distribution ?

If the transfer is initiated from the FNAL end, then any mechanism
that's acceptable to the security policy of your site is fine with us.
If it's initiated at your end but is "anonymous" -- that is, if the
information is accessed without a password, or with something akin to a
password but which would do no harm if it were published to every
wanna-be hacker in the world -- then it's also OK.
But if you have to initiate from the remote end and do real
authentication to get the code, then yes, using Kerberos will be the
preferred way to go.

> 2. On a "kerberized" machine is a local login
> (at the console) authenticated using kerberos ?
> i.e. I use my kerberos password and therefore the
> "third party" authenticator (which I assume is at Fermilab) must
> be up and our network must be available in order to login locally?

When you install the Kerberos login program as the system's login, it
checks a password against Kerberos first if the uid of the given
username is not 0. (In other words, it isn't a root login.) If the uid
was zero *or* the username is not in the Kerberos database *or* the
password was not the correct Kerberos password *or* the Kerberos KDC
could not be reached, *then* the password is checked against the local
password file (or NIS password database). If the latter check is OK,
the login succeeds but, of course, without a Kerberos ticket.

> 3. How is the Fermilab kerberos distribution tailored ?

It's a upd product for all the Fermi-supported operating systems. Does
that answer the question?

> As I am required to use the FNAL distribution

Actually, it is perfectly interoperable with straight MIT Kerberos,
although you wouldn't have a few features we added, like AFS
integration or CryptoCard-authenticated network login to *your* system.

> How can I be sure that the kerberos install will not affect
> something running locally (like TruCluster ?)

I can't give you firm assurances about something I haven't tried. But
the installation is not tough to back out, so there should be no
barrier to experimentation during a non-production period.

> if I need to run kerberos authentication for some other
> applications (at Yale or at BNL) will the implementations
> conflict ?

No. The only caveat is that you'll choose some default realm for your
system to belong to. Let's suppose there's a realm YALE.EDU and you
make that your default.
Then if you want to authenticate yourself as a principal in some other
realm, say lauer@FNAL.GOV, you'll have to specify the realm when you
initiate the authentication. Also, your system's Kerberos configuration
file (/etc/krb5.conf) has to list all the realms you'll need to
interact with and their KDC names. Example:

   [realms]
       PILOT.FNAL.GOV = {
           kdc = krb-pilot-1.fnal.gov:88
           kdc = krb-pilot-2.fnal.gov:88
           admin_server = krb-pilot-admin.fnal.gov
           default_domain = fnal.gov
       }
       CMF.NRL.NAVY.MIL = {
           kdc = guardian.cmf.nrl.navy.mil
           kdc = forbin.cmf.nrl.navy.mil
           admin_server = guardian.cmf.nrl.navy.mil
           default_domain = cmf.nrl.navy.mil
       }

This information does not change often!

> 4. Will non-CDF users be allowed access to such "kerberized" machines ?
> We share resources here and not everyone is a CDF collaborator.
> We share access to our batch farm and therefore all groups have
> accounts. It appears that I will have to "set aside" certain
> machines for CDF use alone. Is that correct ?

You don't have to install Kerberos on *your* systems unless you need to
have those systems *initiate* authenticated network access to a
Kerberized service.

> 5. Will there be problems in accessing resources on non-kerberized
> machines ?

No, we do not make any changes in access *from* a Kerberos system *to*
a non-Kerberos system.

> Can a (Fermi) "kerberized" desktop
> be an NFS client to non-kerberized machine
> be an LSF client where the mbatchd and flexlm run on a
> non-kerberized host ?
> Can a (Fermi) "kerberized" desktop telnet to
> a non-kerberized machine ?

Yes, yes, and yes.

> Can a non-kerberized host telnet to a (Fermi) kerberized desktop?

Yes, *BUT*, the user would need to employ a single-use authentication
method. Today, the only supported method is CryptoCard, which is
available as a credit-card shaped device or a Palm Pilot application
which provides a response to a challenge the Kerberos system would
issue. Here's a transcript of how it works.

"Berserk" is a non-Kerberos system and "gungnir" is kerberos only:

   berserk 103% which telnet
   /usr/ucb/telnet
   berserk 104% telnet gungnir
   Trying 131.225.80.1 ...
   Connected to gungnir.fnal.gov.
   Escape character is '^]'.

   UNIX(r) System V Release 4.0 (gungnir.fnal.gov) (pts/12)

   Portal NOTICE TO USERS
   This is a Federal computer that is the property of the United States
   [..yadda yadda..]

   login: crawdad                              <= I ENTER THIS ..
   Press ENTER and compare this challenge to the one on your display: [30580500]
   Enter the displayed response: f5b7bbb7      <= .. AND THIS
   Last login: Wed Mar 1 20:41:11 from na-216-214-16-2
   Sun Microsystems Inc.   SunOS 5.5.1   Generic May 1996
   You have new mail.
   Terminal type is xterm
   There are no available articles.
   gungnir 100% klist
   Ticket cache: /tmp/krb5cc_12
   Default principal: crawdad@PILOT.FNAL.GOV

   Valid starting      Expires             Service principal
   03/02/00 09:59:41   03/02/00 22:59:41   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
           renew until 03/07/00 09:58:41
   03/02/00 09:59:42   03/02/00 22:59:41   afs/fnal.gov@PILOT.FNAL.GOV
           renew until 03/07/00 09:58:41

The CryptoCard and the Kerberos KDC both compute the next challenge in
the same way, so except for the first time I used my card, I do not
have to enter the challenge. I just check to see that it matches, then
read off and type in the response.

You can see by the klist output that when I log in in this manner, I
get Kerberos tickets, so I can then access other Kerberos systems
without further ado:

   gungnir 101% rsh fcdfsgi2 uptime
   This rsh session is using DES encryption for all data transmissions.
     10:03am  up 6 days, 23:55,  13 users,  load average: 0.00, 0.00, 0.00

From kreymer@fnal.gov Thu Mar 2 10:42:40 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA01334 for ; Thu, 2 Mar 2000 10:42:40 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMJZ2M6PWG000VEN@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 2 Mar 2000 10:42:33 -0600 CDT
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMJZ297M00000YJK@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 02 Mar 2000 10:41:20 -0600
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA10054 for ; Thu, 02 Mar 2000 10:40:56 -0600 (CST)
Date: Thu, 02 Mar 2000 10:40:56 -0600
From: Matt Crawford
Subject: Re: remote X connection
In-reply-to: "02 Mar 2000 06:00:36 CST." <"38BE57E4.780C8BED"@anl.gov>
Sender: crawdad@gungnir.fnal.gov
To: kerberos mailing list
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <200003021640.KAA10054@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 209

Have you looked at how ssh works under the hood? It forwards your
"xauth" cookie over the encrypted connection, just like the rsh
command I suggested.

That said, let me point out that we have no need or intention of
eliminating ssh. SSH and Kerberos can play together nicely:

   /etc/sshd_config:
   [...]
   KerberosAuthentication yes
   KerberosTgtPassing yes
   [...]
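The realm rules in Matt's answer to question 3 of the Yale message (an explicit @REALM on the principal overrides the default realm, and every realm you talk to needs a [realms] stanza naming its KDCs) can be checked mechanically. The following is an added example, not code from MIT Kerberos, the Fermilab product or anyone on this list: a small parser for the krb5.conf stanza format and the two lookups a client makes before it can contact a KDC. The configuration it reads is constructed for the example; the PILOT.FNAL.GOV and CMF.NRL.NAVY.MIL stanzas are the ones quoted above, while YALE.EDU as default realm, its KDC hostname and the [domain_realm] entries are assumptions.

```python
"""Parser for the krb5.conf stanza format plus realm/KDC lookups.
Added example; not MIT Kerberos or Fermilab code."""
import re

# Constructed sample configuration.  YALE.EDU, its KDC hostname and the
# [domain_realm] section are assumptions; the other two stanzas are quoted
# from the message above.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = YALE.EDU

[realms]
    YALE.EDU = {
        kdc = kerberos.physics.yale.edu
        admin_server = kerberos.physics.yale.edu
        default_domain = physics.yale.edu
    }
    PILOT.FNAL.GOV = {
        kdc = krb-pilot-1.fnal.gov:88
        kdc = krb-pilot-2.fnal.gov:88
        admin_server = krb-pilot-admin.fnal.gov
        default_domain = fnal.gov
    }
    CMF.NRL.NAVY.MIL = {
        kdc = guardian.cmf.nrl.navy.mil
        kdc = forbin.cmf.nrl.navy.mil
        admin_server = guardian.cmf.nrl.navy.mil
        default_domain = cmf.nrl.navy.mil
    }

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
    fnal.gov = PILOT.FNAL.GOV
"""


def _append(table, key, value):
    """Repeated keys (several 'kdc =' lines) collect into a list in file order."""
    if key not in table:
        table[key] = value
    elif isinstance(table[key], list):
        table[key].append(value)
    else:
        table[key] = [table[key], value]


def parse_krb5_conf(text):
    """Return {section: {key: value | [values] | {nested}}}.
    Braces may nest; an unbalanced file is rejected rather than half-read."""
    conf = {}
    stack = []                                  # innermost open block is stack[-1]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            if len(stack) > 1:
                raise ValueError(f"line {lineno}: section header inside a {{ }} block")
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: data before any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: '}}' without matching '{{'")
            stack.pop()
            continue
        kv = re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)
        if not kv:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = kv.group(1), kv.group(2).strip()
        if value == "{":
            child = {}
            stack[-1][key] = child
            stack.append(child)
        else:
            _append(stack[-1], key, value)
    if len(stack) > 1:
        raise ValueError("unterminated { } block at end of file")
    return conf


def realm_of_principal(conf, principal):
    """'lauer@PILOT.FNAL.GOV' -> PILOT.FNAL.GOV; bare 'lauer' -> default_realm."""
    _, sep, realm = principal.rpartition("@")
    if sep:
        if not realm:
            raise ValueError(f"empty realm in {principal!r}")
        return realm
    try:
        return conf["libdefaults"]["default_realm"]
    except KeyError:
        raise ValueError("no default_realm and principal has no @REALM") from None


def kdcs_for_realm(conf, realm):
    """(host, port) pairs to try, in config order; port defaults to 88.
    An unlisted realm is an error, never a silent fallback."""
    try:
        stanza = conf["realms"][realm]
    except KeyError:
        raise KeyError(f"realm {realm} has no [realms] stanza; no KDC known") from None
    kdcs = stanza.get("kdc", [])
    if isinstance(kdcs, str):
        kdcs = [kdcs]
    result = []
    for entry in kdcs:
        host, _, port = entry.partition(":")
        result.append((host, int(port) if port else 88))
    return result


def realm_for_host(conf, hostname):
    """[domain_realm] lookup: exact host first, then each parent domain with a
    leading dot.  None when nothing maps (a real client would then try DNS-based
    discovery, which this example omits)."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None
```

The point of the strict parser is the failure mode Matt warns about: a realm you forgot to list, or a stanza left unterminated, should stop the client with an error rather than let it quietly authenticate against the wrong KDC. The real libkrb5 profile parser also handles `include`/`includedir`, quoted values and DNS SRV lookup for KDCs; those are deliberately left out here.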
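The transcript above shows the property Matt describes: the card and the KDC each compute the next challenge themselves, so the user only confirms that the displayed challenge matches and types the response, and a response is good for one login. The following is an added example, not CryptoCard's algorithm (the page does not describe it) and not Fermilab code: HMAC-SHA256 over a shared key stands in for the token's keyed function, the shared key is constructed for the demo, and the eight-digit challenge, eight-hex-digit response and resync window of five unused presses are assumptions chosen to mirror the transcript's shape. It also models what the page does not spell out: what happens when the card is pressed without logging in, and why a replayed response fails.

```python
"""Synchronous challenge/response login modelled on the transcript above.
Added example: not CryptoCard's real algorithm and not Fermilab code.
HMAC-SHA256 stands in for the token's keyed function."""
import hashlib
import hmac


def next_challenge(key: bytes, counter: int) -> str:
    """Challenge number `counter` as eight decimal digits (the transcript's
    '[30580500]').  Card and KDC both derive it from the shared key and their
    own counter, so the KDC never has to transmit it."""
    mac = hmac.new(key, b"challenge|" + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


def response_for(key: bytes, challenge: str) -> str:
    """Eight hex digits the user reads off the card (the transcript's 'f5b7bbb7')."""
    return hmac.new(key, b"response|" + challenge.encode(), hashlib.sha256).hexdigest()[:8]


class Card:
    """The hand-held token: shared key plus a counter that advances on every press."""

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self):
        challenge = next_challenge(self.key, self.counter)
        self.counter += 1            # advances even if no login follows: drift
        return challenge, response_for(self.key, challenge)


class KDCSide:
    """The verifier.  WINDOW (assumed value) is how many unused presses it
    tolerates before the card must be resynchronised by hand."""
    WINDOW = 5

    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def challenge_to_display(self) -> str:
        return next_challenge(self.key, self.counter)

    def verify(self, response: str) -> bool:
        """Accept the response to the current or one of the next WINDOW
        challenges, then jump past it so the same response never works twice."""
        for offset in range(self.WINDOW + 1):
            expected = response_for(self.key, next_challenge(self.key, self.counter + offset))
            if hmac.compare_digest(expected, response):
                self.counter += offset + 1
                return True
        return False


def run_scenario() -> dict:
    """Normal login, a replay, drift inside and outside the window, a guess.
    The key is a constructed demo secret."""
    key = bytes(range(1, 21))
    card, kdc = Card(key), KDCSide(key)
    out = {}
    challenge, response = card.press()
    out["challenge_matches_display"] = challenge == kdc.challenge_to_display()
    out["login_ok"] = kdc.verify(response)
    out["replay_rejected"] = not kdc.verify(response)
    for _ in range(3):                            # pressed the card, never logged in
        card.press()
    out["resync_inside_window"] = kdc.verify(card.press()[1])
    for _ in range(KDCSide.WINDOW + 1):           # one press too many
        card.press()
    out["drift_outside_window"] = not kdc.verify(card.press()[1])
    out["guess_rejected"] = not kdc.verify("00000000")
    return out
```

Two design points worth noticing. The "first time I used my card" step in the transcript, where the challenge had to be typed in, corresponds to the KDC not yet knowing the card's counter; after that the window lets it tolerate a few idle presses, and the trade-off is that a larger window means more candidate responses accepted per attempt, which is why it stays small and why the counter jumps forward on success rather than staying put. The comparison uses `hmac.compare_digest` so the verifier's timing does not leak how many leading characters of a guess were right.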
From kreymer@fnal.gov Thu Mar 2 12:43:15 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA01438 for ; Thu, 2 Mar 2000 12:43:15 -0600
Received: from localhost.localdomain ([146.139.180.51]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMK3B1VN40000ZC5@FNAL.FNAL.GOV> (original mail from reb@anl.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 2 Mar 2000 12:43:12 -0600 CDT
Received: from localhost.localdomain ([146.139.180.51]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMK3B0I67G000Z5V@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 02 Mar 2000 12:42:55 -0600
Received: from anl.gov (IDENT:reb@localhost.localdomain [127.0.0.1]) by localhost.localdomain (8.9.3/8.9.3) with ESMTP id MAA01433; Thu, 02 Mar 2000 12:42:04 -0600
Date: Thu, 02 Mar 2000 12:42:04 -0600
From: "Robert E. Blair"
Subject: Re: remote X connection
Sender: reb@fnal.gov
To: Matt Crawford
Cc: kerberos mailing list
Errors-to: kerberos-pilot-owner@fnal.gov
Message-id: <38BEB5FB.7FD87355@anl.gov>
Organization: Argonne National Lab (High Energy Physics Div.)
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; U; Linux 2.2.12-20 i586)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200003021640.KAA10054@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 210

"Looking under the hood" is what I suspect most of us would like to
avoid ;-> Lest we have it fall on our head!

Matt Crawford wrote:
> Have you looked at how ssh works under the hood? It forwards your
> "xauth" cookie over the encrypted connection, just like the rsh
> command I suggested.
>
> That said, let me point out that we have no need or intention of
> eliminating ssh. SSH and Kerberos can play together nicely:
>
> /etc/sshd_config:
> [...]
> KerberosAuthentication yes
> KerberosTgtPassing yes
> [...]
--
 *C~o~()*   Cc{*(o~*Q&    Bob Blair
 ( (( )     |~    ~ |     Argonne National Lab.
            |O    - |     Room E277, Bldg. 362
            \   "  /      High Energy Physics Div.
             \    /       9700 S. Cass Ave.
             . ^u^ .      Argonne, IL 60439
               ._.        Phone (630)-252-7545
                          Fax (630)-252-5782
  Yes! I shaved!          email: reb@anl.gov

From kreymer@fnal.gov Fri Mar 3 17:54:05 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA20620 for ; Fri, 3 Mar 2000 17:54:04 -0600
Received: from fsui02.fnal.gov ([131.225.68.20]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMLSGUZFG0000ZPO@FNAL.FNAL.GOV> (original mail from aheavey@fsui02.FNAL.GOV) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 3 Mar 2000 17:54:02 -0600 CDT
Received: from fsui02.fnal.gov ([131.225.68.20]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMLSGTFWYS0010V2@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov); Fri, 03 Mar 2000 17:53:50 -0600
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.8.8+Sun/8.8.8) with SMTP id RAA25503; Fri, 03 Mar 2000 17:53:48 -0600 (CST)
Date: Fri, 03 Mar 2000 17:53:48 -0600
From: aheavey@fnal.gov
Subject: manual is online
Sender: aheavey@fsui02.FNAL.GOV
To: kerberos-pilot@fnal.gov
Cc: nicholls@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200003032353.RAA25503@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 211

The "Strong Authentication at Fermilab" manual is now online at:

   http://www.fnal.gov/docs/strongauth/

-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Mon Mar 13 12:22:01 2000 -0600
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA28785 for ; Mon, 13 Mar 2000 12:22:01 -0600
Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZFRJN1VK0012HR@FNAL.FNAL.GOV> (original mail from gcooper@b0rv11.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 12:21:56 -0600 CDT
Received: from b0rv11.fnal.gov ([131.225.232.239]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JMZFRIMSRQ0012EO@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 12:21:42 -0600
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id MAA07008 for ; Mon, 13 Mar 2000 12:22:29 -0600
Date: Mon, 13 Mar 2000 12:22:29 -0600
From: Glenn Cooper
Subject: Changing Kerberos password using insecure access?
To: kerberos-pilot@fnal.gov
Errors-to: kerberos-pilot-owner@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 212

CDF users have begun to try out various aspects of the strange new
Kerberos world. When they get their Kerberos principal and initial
passphrase, they are told they should change the passphrase. The
question is, how can a user do this securely if s/he is connected using
a CryptoCard over an insecure link, say from a VMS box or an X terminal?
Many users will not have access to anything else, except of course
remotely. Presumably we don't want them to just go ahead and type
"kpasswd". Is there a recommended approach to this?

(My apologies if this is already answered in the manual--I couldn't
find it.)
Thanks, Glenn From kreymer@fnal.gov Mon Mar 13 13:15:52 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA28850 for ; Mon, 13 Mar 2000 13:15:51 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZHN9D84G0012HR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 13:15:47 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMZHN8RVHI00138R@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 13:15:31 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA27596 for ; Mon, 13 Mar 2000 13:15:31 -0600 (CST) Date: Mon, 13 Mar 2000 13:15:31 -0600 From: Matt Crawford Subject: Re: Changing Kerberos password using insecure access? In-reply-to: "13 Mar 2000 12:22:29 CST." <"Pine.SGI.4.05.10003131216160.6550-100000"@b0rv11.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003131915.NAA27596@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 213 > The question is, how can a user [change their Kerberos password] > securely if s/he is connected using a CryptoCard over an insecure > link, say from a VMS box or an X terminal? Many users will not > have access to anything else, except of course remotely. > Presumably we don't want them to just go ahead and type "kpasswd". > Is there a recommended approach to this? No, we certainly don't want them to change their password over a clear network link! And there is no practical alternative for doing a secure password change from an insecure keyboard. 
On one hand this is not such a bad problem because such a user will not be using their Kerberos password in that environment, but on the other hand, by the time they get around to borrowing a system on which they can do a local change, they may forget or lose their initial password. (Also, it will expire 30 days after assignment, but an expired password can still be changed if you can log into a Kerberos-bearing system some other way.) From kreymer@fnal.gov Mon Mar 13 13:22:57 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA28855 for ; Mon, 13 Mar 2000 13:22:56 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZHW8B4740012HR@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 13:22:55 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMZHW7XVXA00138F@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 13:22:46 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA27652 for ; Mon, 13 Mar 2000 13:22:45 -0600 (CST) Date: Mon, 13 Mar 2000 13:22:45 -0600 From: Matt Crawford Subject: To get a cryptocard ... Sender: crawdad@gungnir.fnal.gov To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003131922.NAA27652@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 214 Any pilot user who needs a cryptocard (the hardware form, not the Palm software version) can come to my office, FCC 351 (east end) today or this Wednesday between 2:00 and 4:00. Your Kerberos principal must already have been created! And bring your FNAL id card, please. This is NOT a now-or-never offer -- more times will be announced. 
Matt Crawford
Cryptocard initialization -- FCC 351
Mon, 13 Mar 14:00 - 16:00
Wed, 15 Mar 14:00 - 16:00
From kreymer@fnal.gov Mon Mar 13 15:29:01 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA28933 for ; Mon, 13 Mar 2000 15:29:01 -0600 Received: from CUERVO ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZMBHCLOG0012HR@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 15:28:59 -0600 CDT Received: from CUERVO ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JMZMBFA3Z4000YYF@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 15:28:48 -0600 Date: Mon, 13 Mar 2000 15:28:45 -0600 From: "Mark O. Kaletka" Subject: RE: Changing Kerberos password using insecure access? In-reply-to: To: Olga Lobban , Matt Crawford Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 215 If you're trying to get off this list, send email to mailto:mailserv@fnal.gov with the single line in the body (not the subject): unsubscribe kerberos-pilot This message must be sent from the FNAL email gateway address we've subscribed you from, i.e. kaletka@fnal.gov in my case (for example kaletka@cdfsga.fnal.gov won't work). This may require that you set up your email client the "right way". Try http://www.fnal.gov/cd/main/reply.html for how to set up Pine, exmh, Pegasus and Netscape. 
If you can hold on a few days, we're setting up a separate low-traffic list mailto:kerberos-announce@fnal.gov which will be used to announce important changes in Kerberos (downtime, new version cutovers, etc.), leaving all the fascinating (or annoying) technical discussions on mailto:kerberos-pilot@fnal.gov. Kerberos users will be automatically subscribed to kerberos-announce. If you want off kerberos-pilot, and can't otherwise manage, please send an email directly to me, mailto:kaletka@fnal.gov, not the whole list. Thanks (and apologies) to one and all! -- Mark K. > -----Original Message----- > From: Olga Lobban [mailto:olga@cdfsga.fnal.gov] > Sent: Monday, March 13, 2000 2:46 PM > To: Matt Crawford > Cc: kerberos-pilot@fnal.gov > Subject: Re: Changing Kerberos password using insecure access? > > > I'm going to ask, too, to be removed from this list. I tried what was > suggested a while ago and it didn't work. Could anyone offer any help? > Thanks, > Olga From kreymer@fnal.gov Mon Mar 13 16:47:58 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA28963 for ; Mon, 13 Mar 2000 16:47:58 -0600 Received: from kfesg.lbl.gov ([128.3.2.46]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZP2D2XPS0013PV@FNAL.FNAL.GOV> (original mail from shapiro@kfesg.lbl.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 16:47:56 -0600 CDT Received: from kfesg.lbl.gov ([128.3.2.46]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JMZP2BVPZK0013AL@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 16:47:44 -0600 Received: from localhost (shapiro@localhost) by kfesg.lbl.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA12385; Mon, 13 Mar 2000 14:47:41 -0800 Date: Mon, 13 Mar 2000 14:47:41 -0800 From: Marjorie Shapiro Subject: Re: Changing Kerberos password using insecure access? 
In-reply-to: <200003131915.NAA27596@gungnir.fnal.gov> To: Matt Crawford Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: A X-Keywords: X-UID: 216 We have a large number of collaborators who may not be at FNAL for 6 months or more at a time and will only be logging in remotely using the CryptoCard. We need to make sure there is a way of changing these passwords (doing it through an administrative person via phone would be fine). On Mon, 13 Mar 2000, Matt Crawford wrote: > > The question is, how can a user [change their Kerberos password] > > securely if s/he is connected using a CryptoCard over an insecure > > link, say from a VMS box or an X terminal? Many users will not > > have access to anything else, except of course remotely. > > Presumably we don't want them to just go ahead and type "kpasswd". > > Is there a recommended approach to this? > > No, we certainly don't want them to change their password over a > clear network link! And there is no practical alternative for doing > a secure password change from an insecure keyboard. On one hand this > is not such a bad problem because such a user will not be using their > Kerberos password in that environment, but on the other hand, by the > time they get around to borrowing a system on which they can do a > local change, they may forget or lose their initial password. (Also, > it will expire 30 days after assignment, but an expired password can > still be changed if you can log into a Kerberos-bearing system some > other way.) 
> From kreymer@fnal.gov Mon Mar 13 16:53:54 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA28968 for ; Mon, 13 Mar 2000 16:53:54 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZP9SKJ0G0013PV@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 16:53:52 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMZP9S6TS40012W6@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 16:53:44 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA29214; Mon, 13 Mar 2000 16:53:43 -0600 (CST) Date: Mon, 13 Mar 2000 16:53:43 -0600 From: Matt Crawford Subject: Re: Changing Kerberos password using insecure access? In-reply-to: "13 Mar 2000 14:47:41 PST." <"Pine.SGI.4.03.10003131444400.10611-100000"@kfesg.lbl.gov> Sender: crawdad@gungnir.fnal.gov To: Marjorie Shapiro Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003132253.QAA29214@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 217 > We have a large number of collaborators who may not be at FNAL for 6 > months or more at a time and will only be logging in remotely using the > CryptoCard. We need to make sure there is a way of changing these > passwords (doing it through an administrative person via phone would be > fine). There certainly is, at least during working hours. Yolanda (or her substitute), who assigned passwords in the first place, can also change them. I believe this path has already been put to the test. 
From kreymer@fnal.gov Mon Mar 13 17:16:29 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA28979 for ; Mon, 13 Mar 2000 17:16:28 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JMZQ2OT6I80013PV@FNAL.FNAL.GOV> (original mail from kreymer@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 17:16:26 -0600 CDT Received: from patnt2.fnal.gov ([131.225.84.37]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMZQ2O2A1Q0013AH@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 13 Mar 2000 17:16:15 -0600 Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA28975; Mon, 13 Mar 2000 17:16:13 -0600 Date: Mon, 13 Mar 2000 17:16:13 -0600 (EST) From: Art Kreymer Subject: Re: Changing Kerberos password using insecure access? In-reply-to: To: Marjorie Shapiro Cc: Matt Crawford , kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 218 I think that it is a very bad idea to allow offsite telnet sessions, even with a CryptoCard. X-terminals should be used locally (if at all). It seems to me that users changing their Kerberos passwords must log in directly to a kerberized node, or a node running an SSH client. This should be made very clear to anyone receiving a CryptoCard. ( They should do this independent of the Kerberos password issue, but that's a different discussion. X-terminals are open to session snooping and session hijacking. "Unsafe At Any Speed" ) Free SSH clients are available for Unix, Windows, and even VMS. Are there really any users left who have ONLY X-terminals available ? 
From kreymer@fnal.gov Mon Mar 13 18:53:50 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id SAA29017 for ; Mon, 13 Mar 2000 18:53:50 -0600 Received: from kfesg.lbl.gov ([128.3.2.46]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JMZTGNCIVU0013QB@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 18:53:49 -0600 CDT Received: from localhost (shapiro@localhost) by kfesg.lbl.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id QAA13018; Mon, 13 Mar 2000 16:53:46 -0800 Date: Mon, 13 Mar 2000 16:53:45 -0800 From: Marjorie Shapiro Subject: Re: Changing Kerberos password using insecure access? In-reply-to: To: Art Kreymer Cc: Matt Crawford , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 219 Ah. If we can use SSH clients to change Kerberos passwords, then there is no problem. Everyone has SSH or can get it I believe. On Mon, 13 Mar 2000, Art Kreymer wrote: > I think that it is a very bad idea to allow offsite telnet sessions, > even with a CryptoCard. X-terminals should be used locally (if at all). > > It seems to me that users changing their Kerberos passwords must > log in directly to a kerberized node, or a node running an SSH client. > > This should be made very clear to anyone receiving a CryptoCard. > > ( They should do this independent of the Kerberos password issue, > but that's a different discussion. > X-terminals are open to session snooping and session hijacking. > "Unsafe At Any Speed" ) > > Free SSH clients are available for Unix, Windows, and even VMS. > Are there really any users left who have ONLY X-terminals available ? 
> > > From kreymer@fnal.gov Mon Mar 13 21:06:49 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id VAA29054 for ; Mon, 13 Mar 2000 21:06:49 -0600 Received: from ppnt41.physics.ox.ac.uk ([163.1.244.27]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JMZY4HL5CY0013QA@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 13 Mar 2000 21:06:48 -0600 CDT Received: by ppnt41.physics.ox.ac.uk with Internet Mail Service (5.5.2650.21) id ; Tue, 14 Mar 2000 03:06:45 +0000 Content-return: allowed Date: Tue, 14 Mar 2000 03:06:39 +0000 From: Armin Reichold Subject: RE: Changing Kerberos password using insecure access? To: "'Art Kreymer'" , Marjorie Shapiro Cc: Matt Crawford , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset="iso-8859-1" Status: RO X-Status: X-Keywords: X-UID: 220 If I understand Art and Marjorie correctly they say that providing ssh access to the kerberised central machines here at Fermilab is a must or at least a very desirable thing to do. But as far as I understood the security scheme so far, these machines will not allow any such access at all. But maybe I misunderstood the previous comments and only the portal machines into which the crypto card users will have to connect should have ssh. Cheers Armin -----Original Message----- From: Art Kreymer [mailto:kreymer@fnal.gov] Sent: Monday, March 13, 2000 3:16 PM To: Marjorie Shapiro Cc: Matt Crawford; kerberos-pilot@fnal.gov Subject: Re: Changing Kerberos password using insecure access? I think that it is a very bad idea to allow offsite telnet sessions, even with a CryptoCard. X-terminals should be used locally (if at all). It seems to me that users changing their Kerberos passwords must log in directly to a kerberized node, or a node running an SSH client. 
This should be made very clear to anyone receiving a CryptoCard. ( They should do this independent of the Kerberos password issue, but that's a different discussion. X-terminals are open to session snooping and session hijacking. "Unsafe At Any Speed" ) Free SSH clients are available for Unix, Windows, and even VMS. Are there really any users left who have ONLY X-terminals available ? From kreymer@fnal.gov Tue Mar 14 09:02:51 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA20250 for ; Tue, 14 Mar 2000 09:02:51 -0600 Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN0N41DPRK0013BI@FNAL.FNAL.GOV> (original mail from stan@nascar.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 14 Mar 2000 09:02:49 -0600 CDT Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN0N401H3M000CF1@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 14 Mar 2000 09:02:36 -0600 Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id JAA20419 for ; Tue, 14 Mar 2000 09:02:35 -0600 (CST) Date: Tue, 14 Mar 2000 09:02:35 -0600 From: stan@fnal.gov Subject: x-terms To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003141502.JAA20419@nascar.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 221 As a silent viewer of the kerb project, I noticed the question about x-term use. The answer is yes, they are used and used quite a lot. They are at home locations and many locations in various experiments and even on the beam lines. I support the xterm server on fnalu and I hear about it when it's down. 
I wish there was an ssh client for them too. Stan. From kreymer@fnal.gov Tue Mar 14 09:38:45 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA20288 for ; Tue, 14 Mar 2000 09:38:45 -0600 Received: from CUERVO ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN0ODDQO680013PV@FNAL.FNAL.GOV> (original mail from kaletka@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 14 Mar 2000 09:38:43 -0600 CDT Received: from CUERVO ([131.225.87.41]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JN0OD7IMK60014H1@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 14 Mar 2000 09:38:17 -0600 Date: Tue, 14 Mar 2000 09:38:16 -0600 From: "Mark O. Kaletka" Subject: RE: To get a cryptocard ... In-reply-to: <200003131922.NAA27652@gungnir.fnal.gov> To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="iso-8859-1" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 222 Any pilot user who would like a PalmPilot software CryptoCard can stop by my office (East side of inner circle of FCC3, Room FCC3.348) from 14:00-15:00 Tue. thru Thu. this week. If possible, please email or phone (x2965) ahead (just in case). -- Mark K. > -----Original Message----- > From: crawdad@gungnir.fnal.gov [mailto:crawdad@gungnir.fnal.gov]On > Behalf Of Matt Crawford > Sent: Monday, March 13, 2000 1:23 PM > To: kerberos-pilot@fnal.gov > Subject: To get a cryptocard ... > > > Any pilot user who needs a cryptocard (the hardware form, not the > Palm software version) can come to my office, FCC 351 (east end) > today or this Wednesday between 2:00 and 4:00. 
Your Kerberos > principal must already have been created! And bring your FNAL id > card, please. > > This is NOT a now-or-never offer -- more times will be announced. > > Matt Crawford > > Cryptocard initialization -- FCC 351 > Mon, 13 Mar 14:00 - 16:00 > Wed, 15 Mar 14:00 - 16:00 > > From kreymer@fnal.gov Tue Mar 14 10:54:19 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA20430 for ; Tue, 14 Mar 2000 10:54:19 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN0R0G38SA0012I0@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Tue, 14 Mar 2000 10:54:17 -0600 CDT Date: Tue, 14 Mar 2000 10:54:16 -0600 (EST) From: "Marc W. Mengel" Subject: RE: Changing Kerberos password using insecure access? In-reply-to: To: Armin Reichold Cc: "'Art Kreymer'" , Marjorie Shapiro , Matt Crawford , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 223 On Tue, 14 Mar 2000, Armin Reichold wrote: > > If I understand Art and Marjorie correctly they say that providing ssh > access to the kerberised central machines here at Fermilab is a must or at > least a very desirable thing to do. But as far as I understood the security > scheme so far, these machines will not allow any such access at all. But > maybe I misunderstood the previous comments and only the portal machines > into which the crypto card users will have to connect should have ssh. Why are we issuing crypto card users a password at all? 
Marc From kreymer@fnal.gov Thu Mar 16 18:35:50 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id SAA23032 for ; Thu, 16 Mar 2000 18:35:49 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN3ZP6CAZ40012DX@FNAL.FNAL.GOV> (original mail from dane@fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Thu, 16 Mar 2000 18:35:47 -0600 CDT Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN3ZP5TJS80014BY@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal); Thu, 16 Mar 2000 18:35:38 -0600 Date: Thu, 16 Mar 2000 18:35:38 -0600 (CST) From: Dane Skow Subject: portal code ? To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 224 Am I wrong by a version, but I thought the portal code was in Kerberos v0_4. However, it doesn't seem to be falling back to a cryptochallenge when I skip the password on my desktop. 
bash$ env | grep KER
KERBEROS_DIR=/local/ups/prd/kerberos/v0_4
SETUP_KERBEROS=kerberos v0_4 -f Linux+2.2 -z /local/ups/db
bash$ kinit
Password for dane@PILOT.FNAL.GOV:
Error while reading password for 'dane@PILOT.FNAL.GOV'
bash$ which kinit
/local/ups/prd/kerberos/v0_4/bin/kinit
bash$ ls -l /local/ups/prd/kerberos/v0_4/bin/kinit
-rwxr-xr-x 1 crawdad g150 11748 Jan 21 13:38 /local/ups/prd/kerberos/v0_4/bin/kinit
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Fri Mar 17 09:04:00 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA06885 for ; Fri, 17 Mar 2000 09:03:59 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN4U0ZATOW0012DX@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Fri, 17 Mar 2000 09:03:54 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN4U0WTJAK00142W@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 17 Mar 2000 09:03:20 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA25710; Fri, 17 Mar 2000 09:03:19 -0600 (CST) Date: Fri, 17 Mar 2000 09:03:15 -0600 From: Matt Crawford Subject: Re: portal code ? In-reply-to: "16 Mar 2000 18:35:38 CST." <"Pine.LNX.4.10.10003161833290.2021-100000"@unferth.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003171503.JAA25710@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 225 > Am I wrong by a version, but I thought the portal code was in Kerberos > v0_4. However, it doesn't seem to be falling back to a cryptochallenge > when I skip the password on my desktop. 
> > bash$ kinit > Password for dane@PILOT.FNAL.GOV: > Error while reading password for 'dane@PILOT.FNAL.GOV' > ... Yes, the portal code is on v0_4. It is only active for a network login through telnet. There are technical reasons why it would be difficult or risky to add the portal function to kinit. In brief, there has to be some encryption key available for the KDC to deliver the credential if authentication is successful, and the client application must have access to that key to decrypt the credential. When the client is login, it is running as root until the user is authenticated and hence has access to /etc/krb5.keytab and can use a key from that file. Kinit runs as the user and hence has no access to the keytab. The problem could be solved by making kinit setuid, but before that could be done it would have to be combed very carefully for all the file accesses it makes and all the ways it uses any user-supplied input. Matt From kreymer@fnal.gov Mon Mar 20 10:02:14 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA14445 for ; Mon, 20 Mar 2000 10:02:14 -0600 Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN92X0LO00000BXK@FNAL.FNAL.GOV> (original mail from stan@nascar.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 20 Mar 2000 10:02:09 -0600 CDT Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN92WULKSA0015HP@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 20 Mar 2000 10:01:18 -0600 Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id KAA27921 for ; Mon, 20 Mar 2000 10:01:16 -0600 (CST) Date: Mon, 20 Mar 2000 10:01:15 -0600 From: stan@fnal.gov Subject: auth cron To: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: 
<200003201601.KAA27921@nascar.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 226 I was thinking more about this auth cron Lauri asked me about last Friday. Now tell me why it is a good thing to spread users' tickets all over the place on different hosts etc., versus having a single cron server with better access control. It seems that you are working hard to minimize security problems but all of a sudden we are going to put these tab files all over systems with what amounts to world access. I understand the safe directory idea but user tickets all over the place does not sound right. Why can't they get them from the kdc? Stan. From kreymer@fnal.gov Mon Mar 20 11:24:32 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA14896 for ; Mon, 20 Mar 2000 11:24:31 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN95SPUOJ4000BXK@FNAL.FNAL.GOV> (original mail from crawdad@gungnir.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 20 Mar 2000 11:24:29 -0600 CDT Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN95SORENA0014PW@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 20 Mar 2000 11:24:14 -0600 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA14354; Mon, 20 Mar 2000 11:24:14 -0600 (CST) Date: Mon, 20 Mar 2000 11:24:10 -0600 From: Matt Crawford Subject: Re: auth cron In-reply-to: "20 Mar 2000 10:01:15 CST." 
<"200003201601.KAA27921"@nascar.fnal.gov> Sender: crawdad@gungnir.fnal.gov To: stan@fnal.gov Cc: kerberos-pilot@fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003201724.LAA14354@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 227 (Aside: to unsubscribe from kerberos-pilot, send a message containing "unsubscribe kerberos-pilot" in the *body* and make sure the "From:" address is the address by which you're subscribed -- usually "yourid@fnal.gov". There is a separate list which receives only important announcements about the strong authentication project.)

Stan, Can you clarify or elaborate for me what this "single cron server" would do? It's still early enough (just) to consider practical alternatives.

Here's the conceptual foundation of the current design for cron jobs. It has undergone a few refinements already.

Every principal "princ@REALM" will have (actually, already has) the ability to create, delete or change the encryption key of principals whose names are of the form "princ/cron/*@REALM". For the wildcard, a hostname is intended to be inserted. There will be a canned program to do those operations simply, with the Kerberos password for princ required, and stash the resulting key in a file to which the current unix userid (and root -- no getting around that) have access.

Possession of a Kerberos ticket for princ/cron/hostname.fnal.gov@REALM will then establish a process's identity as belonging to a unix userid on hostname which the Kerberos user "princ" has chosen to grant limited access. (Or which root@hostname has impersonated!)

How limited is the access? That process will have no Kerberos access to anything except 1. AFS, and 2. what the user grants by placing the principal name in a .k5login file. The user can give different access to princ/cron/bigmultiuserhost.fnal.gov and princ/cron/guardedprivatehost.fnal.gov. 
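The per-host cron principals Matt describes above, and his earlier point in the portal-code reply that the KDC can only deliver a credential under a key the requesting process actually holds, can both be exercised in a small model. What follows is an added example, not Fermilab's canned program and not MIT Kerberos code: the realm name PILOT.FNAL.GOV, the ACL rule (written in a notation borrowed from MIT's kadm5.acl, where *1 means "the first component of the client principal"), the user entry and password in the constructed KDC database, the "stash" (just the raw key bytes returned to the caller), and the HMAC-SHA256 toy cipher standing in for a real enctype are all assumptions made for the illustration.

```python
"""Constructed model of the princ/cron/<host> design (added example; not
Fermilab's canned program and not MIT Kerberos code).  Realm, ACL rule,
KDC database, stash format and the toy cipher are all assumptions."""
import hashlib
import hmac
import os
import re
from fnmatch import fnmatchcase

REALM = "PILOT.FNAL.GOV"   # assumed: the pilot realm seen in the thread


def split_principal(principal):
    """'name/inst/...@REALM' -> (['name', 'inst', ...], 'REALM')."""
    name, _, realm = principal.rpartition("@")
    return name.split("/"), realm


def principal_matches(pattern, principal, client_components=()):
    """'*' matches one whole non-empty component; '*N' must equal the Nth
    component of the client principal (notation borrowed from kadm5.acl)."""
    pcomp, prealm = split_principal(pattern)
    comp, realm = split_principal(principal)
    if len(pcomp) != len(comp) or "" in comp or not fnmatchcase(realm, prealm):
        return False
    for pat, actual in zip(pcomp, comp):
        backref = re.fullmatch(r"\*(\d)", pat)
        if backref:
            idx = int(backref.group(1)) - 1
            if idx >= len(client_components) or client_components[idx] != actual:
                return False
        elif not fnmatchcase(actual, pat):
            return False
    return True


# The one rule the design needs: any one-component principal may add (a),
# change the key of (c) and delete (d) principals named <itself>/cron/<host>.
ACL = [("*@" + REALM, "acd", "*1/cron/*@" + REALM)]


def acl_permits(client, op, target):
    client_components, _ = split_principal(client)
    return any(principal_matches(cpat, client) and op in ops
               and principal_matches(tpat, target, client_components)
               for cpat, ops, tpat in ACL)


def _toy_keystream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stand-in for a Kerberos enctype, not one."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def toy_seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _toy_keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def toy_open(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential is not decryptable with this key")
    return bytes(a ^ b for a, b in zip(ct, _toy_keystream(key, nonce, len(ct))))


def can_open(key, blob):
    """True if `key` recovers the sealed credential, False otherwise."""
    try:
        toy_open(key, blob)
        return True
    except ValueError:
        return False


def string_to_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy string2key


KDC_DB = {"stan@" + REALM: string_to_key("correct horse")}   # constructed user entry


def create_cron_principal(client, password, host):
    """The 'canned program': proves the user's Kerberos password, creates
    princ/cron/host under the ACL with a fresh random key, and hands that key
    back to be stashed in a file readable only by the unix uid (and root)."""
    if not hmac.compare_digest(KDC_DB[client], string_to_key(password)):
        raise PermissionError("bad password for " + client)
    target = "%s/cron/%s@%s" % (split_principal(client)[0][0], host, REALM)
    if not acl_permits(client, "a", target):
        raise PermissionError(client + " may not create " + target)
    KDC_DB[target] = os.urandom(32)
    return target, KDC_DB[target]


def as_exchange(principal):
    """KDC side of kinit: the credential is sealed under the principal's
    long-term key, so only a process holding that key (the stash here,
    /etc/krb5.keytab for login) can open it.  A kinit running as a plain user
    with no key has nothing to decrypt with; that is why the portal fallback
    lives in login rather than kinit."""
    return toy_seal(KDC_DB[principal], b"TGT-for:" + principal.encode())


def k5login_allows(k5login_text, authenticated_principal):
    """~/.k5login: one principal per line, exact match, no wildcards."""
    return authenticated_principal in {line.strip() for line in k5login_text.splitlines()
                                       if line.strip()}
```

In a real MIT deployment the cron job's first step is the keytab form of kinit, `kinit -k -t <stash file> princ/cron/host@REALM`, and the account the job needs to reach lists only that instance in its .k5login; the model shows why `stan@REALM` can mint `stan/cron/fsus02.fnal.gov@REALM` but not `crawdad/cron/...` or `stan/admin`, and why a key stashed on bigmultiuserhost buys nothing on a host whose .k5login omits it. The "root@hostname has impersonated" caveat is built in: whoever can read the stash file can open the credential, so the stash is exactly as strong as the host's root.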
From kreymer@fnal.gov Mon Mar 20 13:55:05 2000 -0600 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA15054 for ; Mon, 20 Mar 2000 13:55:03 -0600 Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JN9B2FX3E8000BXK@FNAL.FNAL.GOV> (original mail from stan@nascar.fnal.gov) for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Mon, 20 Mar 2000 13:55:01 -0600 CDT Received: from nascar.fnal.gov ([131.225.80.94]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JN9B2FA01M001740@FNAL.FNAL.GOV> for kerberos-pilot-expand@reprocess.FNAL.FNAL.GOV (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 20 Mar 2000 13:54:52 -0600 Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id NAA29668; Mon, 20 Mar 2000 13:54:50 -0600 (CST) Date: Mon, 20 Mar 2000 13:54:49 -0600 From: stan@fnal.gov Subject: Re: auth cron In-reply-to: "Your message of Mon, 20 Mar 2000 11:24:10 CST." <200003201724.LAA14354@gungnir.fnal.gov> To: Matt Crawford Cc: kerberos-pilot@fnal.gov, stan@nascar.fnal.gov Errors-to: kerberos-pilot-owner@fnal.gov Message-id: <200003201954.NAA29668@nascar.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 228 The current version of authenticating cron running on fnalu uses one host to launch cron jobs. The acrontab command almost acts like crontab and edits a cron file entry for you and drops it on the cron server (fsus02 in this case). The cron on fsus02 runs the jobs via arc and a special ticket on fsus02 which authenticates the user for afs actions. It does need the arc facility to work and may or may not be better than what you have already; it does cut down on the number of tab/ticket files on the systems in question. 
I am sure it is not compatible with kdc's and such in its present form but we are running an old version of arc and have not looked into newer levels.

Stan.

From kreymer@fnal.gov Tue Mar 21 13:57:12 2000 -0600
Date: Tue, 21 Mar 2000 13:56:49 -0600 (CST)
From: Stephan Lammel
Subject: anonymous ftp
To: kerberos-pilot@fnal.gov
Message-id: <000321135649.2020f712@FNALD.FNAL.GOV>

Hallo Matt, et al.,

It looks like ftp to an anonymous ftp site is broken from machines that have kerberos installed. I tried a couple of our machines. My machine has kerberos v0_3. Is this a known problem, fixed in more recent versions, or a new discovery?
Thanks, cheers,
Stephan

P.S.: try ftp to ftp.exabyte.com and an ls after anonymous login

From kreymer@fnal.gov Tue Mar 21 14:09:47 2000 -0600
Date: Tue, 21 Mar 2000 14:09:23 -0600 (EST)
From: Glenn Cooper
Subject: Re: anonymous ftp
In-reply-to: <000321135649.2020f712@FNALD.FNAL.GOV>
To: Stephan Lammel
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

Interesting. I get the same result at ftp.exabyte.com (using the kerberos v0_4 ftp):

    $ ftp ftp.exabyte.com
    Connected to www.Exabyte.COM.
    220 www.exabyte.com FTP server (Version wu-2.4.2(1) Mon Dec 7 17:11:53 MST 1998) ready.
    500 'AUTH GSSAPI': command not understood.
    Name (ftp.exabyte.com:gcooper): anonymous
    [yada yada...]
    230 Guest login ok, access restrictions apply.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> ls
    227 Entering Passive Mode (161,81,7,101,131,179)
    ftp: connect: Connection refused

However, anonymous ftp to a different site works fine:

    $ ftp ftp.gnuplot.vt.edu
    Connected to ligeti.cns.vt.edu.
    220 ligeti.cns.vt.edu NcFTPd Server (free educational license) ready.
    500 Syntax error, command unrecognized.
    Name (ftp.gnuplot.vt.edu:gcooper): anonymous
    [etc...]
    ftp> ls
    227 Entering Passive Mode (128,173,12,161,167,8)
    150 Data connection accepted from 131.225.80.175:4212; transfer starting.
    drwxrwxrwx   2 ftpuser  ftpusers   512 Mar  7 11:52 incoming
    drwxr-x---   6 ftpuser  ftpusers   512 Dec  5  1998 ncftpd
    drwxrwxr-x  10 ftpuser  ftpusers   512 Feb  4 15:57 pub
    226 Listing completed.

So it must be something about the combination of the kerberized ftp and the ftp server used by Exabyte. (Anonymous ftp to ftp.exabyte.com using an un-kerberized ftp also works fine.)

Glenn

From kreymer@fnal.gov Tue Mar 21 16:52:35 2000 -0600
Date: Tue, 21 Mar 2000 16:51:56 -0600
From: Matt Crawford
Subject: Re: anonymous ftp
In-reply-to: "21 Mar 2000 14:09:23 CST."
<"Pine.LNX.3.96.1000321140321.13063A-100000"@garnet.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: Stephan Lammel , kerberos-pilot@fnal.gov
Message-id: <200003212251.QAA26538@gungnir.fnal.gov>

There is nothing wrong with the Kerberos ftp. (At least nothing wrong is evidenced by this report.) What is broken is Exabyte's ftp server. Try visiting it in a web browser by entering the URL ftp://ftp.exabyte.com/. Same problem. The ftp client in the web browser defaults to the same "passive" mode that the Kerberos ftp client defaults to, which is not what *some* stock OS-provided ftp clients do.

You can work around Exabyte's broken server by giving the command "passive" after logging in but before making any transfers. If you have to access exabyte a lot you can put this in your $HOME/.netrc file:

    machine ftp.exabyte.com
    macdef init
    passive


(TWO newlines must follow the word passive.)

From kreymer@fnal.gov Mon Mar 27 08:26:33 2000 -0600
Date: Mon, 27 Mar 2000 08:26:07 -0600 (CST)
From: Tom LeCompte - Argonne National Laboratory
Subject: fcdfsgi2 and security
To: kerberos-pilot@fnal.gov
Message-id: <000327082607.20400793@FNALD.FNAL.GOV>
Fermilab, 27-MAR-2000

I am afraid that we are beginning to paint ourselves into a corner with security.

I wanted to move an EPS file created on fcdfsgi2 onto cdfwinctr so I could put it in PowerPoint. (This follows our mode of analysis: analyze data on fcdfsgi2, and if you want to use PC tools, do that on the WinCenter.) However, moving the EPS file proved difficult, since neither machine will accept incoming ftp, and scp seems to be unavailable ("Secure connection to cdfwinctr.fnal.gov refused") on the WinCenter. I ended up moving the files to my home computer and back (both fcdfsgi2 and cdfwinctr will run *outgoing* ftp) so all is well this time, but I can't imagine that this is the way we want to do things long term.

I understand the desire to keep hacking to a minimum, but there needs to be a way to move files from one CDF system to another. Short term, this isn't an issue (my problem was solved by bringing in my home PC), but long term, as more people use fcdfsgi2, this problem is going to need a well-documented solution.
Tom

From kreymer@fnal.gov Mon Mar 27 08:45:38 2000 -0600
Date: Mon, 27 Mar 2000 08:45:18 -0600
From: Matt Crawford
Subject: Re: fcdfsgi2 and security
In-reply-to: "27 Mar 2000 08:26:07 CST." <"000327082607.20400793"@FNALD.FNAL.GOV>
Sender: crawdad@gungnir.fnal.gov
To: Tom LeCompte - Argonne National Laboratory
Cc: kerberos-pilot@fnal.gov
Message-id: <200003271445.IAA02025@gungnir.fnal.gov>

> I wanted to move an EPS file created on fcdfsgi2 onto cdfwinctr so I
> could put it in PowerPoint. [...] However, moving the EPS file proved
> difficult, since neither machine will accept incoming ftp, [...]

You can map your Unix home directory as a Windows disk drive and then treat your fcdfsgi2 files as any other windows file. Let me see if I can reconstruct the directions the PC support group gave me ...

'Again click the button at the upper-left corner and select "Drive Mapping". Check drive H and highlight the drive. Then click modify. Put a path to your local disk drive in both "Filter" and "Selection" part of the dialogue box.
Then click OK and back out to original window screen.'

As I recall, it wasn't clear just where to enter the drive mapping so I took another look. You do it in "Citrix ICA Client" before opening your Wincenter connection. Highlight the connection of choice (you may have only one as I do). Click Option => Settings => select "Drive Mapping", click the enable checkboxes for one or more drive letters (I used G and H) and fill in the local path (or browse to it with the "Modify..." button). Oh, make sure the "Enable Drive Mapping" checkbox at the bottom is selected.

Even I have to admit that drag & drop sometimes beats ftp or scp.

From kreymer@fnal.gov Mon Mar 27 09:26:33 2000 -0600
Date: Mon, 27 Mar 2000 09:26:10 -0600 (CST)
From: Tom LeCompte - Argonne National Laboratory
Subject: fcdfsgi2 and security
To: kerberos-pilot@fnal.gov
Message-id: <000327092610.20400795@FNALD.FNAL.GOV>

From: SMTP%"Postmaster@FNALD.FNAL.GOV" 27-MAR-2000 09:25:08.99
To: LECOMPTE
CC:
Subj: Undeliverable Mail

Date: Mon, 27 Mar 2000 9:25:07 -0600 (CST)
From: Postmaster@FNALD.FNAL.GOV
Subject: Undeliverable Mail
To:

Bad address -- Error -- Address refused by receiver: (550 5.1.1 unknown or illegal user: kerboros-pilot@fnal.gov)

Start of
returned message

Sorry...I can't spell. Let me try again.

Date: Mon, 27 Mar 2000 9:25:05 -0600 (CST)
From: Tom LeCompte - Argonne National Laboratory
To: crawdad@fnal.gov
CC: kerboros-pilot@fnal.gov
Message-Id: <000327092505.20400795@FNALD.FNAL.GOV>
Subject: Re: fcdfsgi2 and security

I'm sorry. I wasn't clear. I was not running wincenter from fcdfsgi2. I was running it from the desktop.

But note that your solution is essentially the same as my short term fix: the way to move a file between CDF machines A and B (in this case fcdfsgi2 and cdfwinctr) is to do so via a third machine on the desktop. Your way does it with point and click, and mine uses a command line, but the basic idea is the same: use a third machine to bypass the security restrictions implemented on the first two.

Is that really the way we want to do things as a matter of course? I would hope there is a better way.

End of returned message

From kreymer@fnal.gov Mon Mar 27 09:26:56 2000 -0600
Date: Mon, 27 Mar 2000 09:26:22 -0600
From: Matt Crawford
Subject: "Got Cryptocard?"
Sender: crawdad@gungnir.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200003271526.JAA02285@gungnir.fnal.gov>

Anyone who needs a hardware Cryptocard (as opposed to the PalmOS software version) may come to my office, FCC 351 (near the east elevator) during any of the following times

    Mon 3/27   2-4 PM
    Wed 3/29  10-12 AM
    Thu 3/30   2-4 PM

Please bring your Fermilab ID card. Instructions for Cryptocard use are in the Kerberos Pilot documentation at http://www.fnal.gov/docs/strongauth/

From kreymer@fnal.gov Mon Mar 27 10:23:50 2000 -0600
Date: Mon, 27 Mar 2000 10:23:33 -0600 (CST)
From: George Pope
Subject: strengthened CDF terminals?
In-reply-to: <200003271526.JAA02285@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov

Hi,

As I understand it, in order to change one's kerberos password one needs access to a strengthened terminal.
Using a cryptocard at a regular terminal is not sufficient because the connection is not an encrypted one and the new password gets sent in plain text. Which CDF machines have been strengthened, and are available for users to sit at and change their passwords?

- George

From kreymer@fnal.gov Mon Mar 27 10:26:15 2000 -0600
Date: Mon, 27 Mar 2000 10:25:44 -0600 (EST)
From: Art Kreymer
Subject: Re: strengthened CDF terminals?
To: George Pope
Cc: kerberos-pilot@fnal.gov

Only X-terminals have this problem. Any machine running SSH should be quite safe to use when changing passwords.
From kreymer@fnal.gov Mon Mar 27 10:32:45 2000 -0600
Date: Mon, 27 Mar 2000 10:32:15 -0600
From: Matt Crawford
Subject: Re: strengthened CDF terminals?
In-reply-to: "27 Mar 2000 10:23:33 CST." <"Pine.GS4.4.05.10003271017050.6663-100000"@fsui02.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: George Pope
Cc: kerberos-pilot@fnal.gov
Message-id: <200003271632.KAA02593@gungnir.fnal.gov>

> Which CDF machines have been strengthened, and are available
> for users to sit at and change their passwords?

I'm not sure I can distinguish CDF from non-CDF machines by name in every case, so here's an undifferentiated list.

Note that you don't have to log in via Kerberos to change your password -- you can borrow a window on a system where someone else has logged in and type "kpasswd yourname". This presumes, of course, that you can trust the logged-in user (and the sysadmin) not to have set up a keystroke recorder to capture your new password. I don't think we're working in that kind of a threat environment, now, are we?
    b0nd09.fnal.gov
    b0rv11.fnal.gov
    b0sun01.fnal.gov
    bel-kwinth.fnal.gov
    bldirix62.fnal.gov
    bldirix65.fnal.gov
    bldlinux52.fnal.gov
    bldlinux61.fnal.gov
    bldosf1v40d.fnal.gov
    bldsunos26.fnal.gov
    bldsunos27.fnal.gov
    boise.fnal.gov
    cdflx1.lbl.gov
    cdfsga.fnal.gov
    condor.fnal.gov
    daspc0.fnal.gov
    dcdig.fnal.gov
    dcdmbl.fnal.gov
    doofus.fnal.gov
    fcdfcons.fnal.gov
    fcdfsgi1.fnal.gov
    fcdfsgi2.fnal.gov
    fcdfsun1.fnal.gov
    fdeb01.fnal.gov
    flxi01.fnal.gov
    fndaub.fnal.gov
    fndds.fnal.gov
    fsgb01.fnal.gov
    fsub01.fnal.gov
    garnet.fnal.gov
    gungnir.fnal.gov
    hrothgar.fnal.gov
    large.fnal.gov
    nascar.fnal.gov
    ncdf09.fnal.gov
    ncdf37.fnal.gov
    ncdf57.fnal.gov
    ossbud.fnal.gov
    outland.fnal.gov
    raven.fnal.gov
    rutpc7.fnal.gov
    unferth.fnal.gov

From kreymer@fnal.gov Mon Mar 27 10:42:48 2000 -0600
Date: Mon, 27 Mar 2000 10:40:33 -0600
From: Glenn Cooper
Subject: Re: strengthened CDF terminals?
To: George Pope
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

Thanks to Art and Matt for the suggestions on how to get to a machine with kerberos installed, and what to do once you're there.

Note, though, that if you always use a CryptoCard, you probably don't need to change your kerberos password, since you aren't using it anyway.

Glenn

On Mon, 27 Mar 2000, George Pope wrote:
> Hi,
>
> As I understand it, in order to change one's kerberos
> password one needs access to a strengthened terminal. Using a
> cryptocard at a regular terminal is not sufficient because the
> connection is not an encrypted one and the new password gets sent in
> plain text. Which CDF machines have been strengthened, and are available
> for users to sit at and change their passwords?
>
> - George

From kreymer@fnal.gov Mon Mar 27 15:33:37 2000 -0600
Date: Mon, 27 Mar 2000 15:33:20 -0600
From: Matt Crawford
Subject: Re: fcdfsgi2 and security
In-reply-to: "27 Mar 2000 09:25:05 CST."
<"000327092505.20400795"@FNALD.FNAL.GOV>
Sender: crawdad@gungnir.fnal.gov
To: Tom LeCompte - Argonne National Laboratory
Cc: kerberos-pilot@fnal.gov
Message-id: <200003272133.PAA04642@gungnir.fnal.gov>

> ... the basic idea is the same: use a third machine to bypass the
> security restrictions implemented on the first two.

I don't see it that way. Rather, you're using the third machine, which has two incompatible ways of proving your identity to the other two, to bridge the authentication gap. Since you're only performing actions each system intentionally allows you to do, you're not bypassing any security restrictions.

> Is that really the way we want to do things as a matter
> of course? I would hope there is a better way.

We do want a better way. Windows 2000 will improve things since it will, by all appearances to date, allow us to use our Kerberos system for authentication to Windows systems. How far that improvement will permeate in any given interval remains to be seen. (For example, when would the Citrix client be able to pass Kerberos credentials?)

On another front, when we have "portal mode" FTP available you'll be able to use the current Windows FTP client directly.
From kreymer@fnal.gov Fri Apr 7 10:23:18 2000 -0500
Date: Fri, 07 Apr 2000 10:22:54 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Can't kerberos rsh ...
To: kerberos-pilot@fnal.gov

Trying to rsh to build cluster nodes, I get:

    bash$ rsh bldosf1v40d
    rsh: kcmd to host bldosf1v40d failed - Server not found in Kerberos database
    trying normal rlogin (/usr/bin/rlogin) WARNING: NO ENCRYPTION!

Same error for all the nodes... what's up?
Marc

From kreymer@fnal.gov Fri Apr 7 10:29:33 2000 -0500
Date: Fri, 07 Apr 2000 10:28:57 -0500
From: Matt Crawford
Subject: Re: Can't kerberos rsh ...
In-reply-to: "07 Apr 2000 10:22:54 CDT." <"Pine.LNX.4.05.10004071022010.2758-100000"@bel-kwinth.fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov
Message-id: <200004071528.KAA04764@gungnir.fnal.gov>

I see by the logs that a) it's working for others, including stolz and myself. And b) bel-kwinth is suddenly asking for tickets to service, e.g., host/bldosf1v40d@PILOT.FNAL.GOV rather than the proper host/bldosf1v40d.fnal.gov@PILOT.FNAL.GOV

Did you do something funky to a hosts file or DNS configuration?
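Added example (Python; not code from the pilot or from MIT Kerberos) of the mechanism behind Matt's question. A Kerberos rcmd client such as rsh does not use the name typed on the command line as the service-principal instance; it first canonicalizes the name through the resolver and uses the canonical name it gets back. When a hosts-file line lists the short name before the fully qualified one, the canonical name comes back without the domain, and the client asks the KDC for host/bldosf1v40d@PILOT.FNAL.GOV instead of host/bldosf1v40d.fnal.gov@PILOT.FNAL.GOV, which is the request Matt saw in the KDC logs. The resolver below is an offline stand-in for the system's getaddrinfo/gethostbyname canonical-name lookup (an assumption of this example, not a library call); the hosts tables and the 192.0.2.10 address are constructed.

```python
"""
Reproduce, offline, how a Kerberized rsh derives the host/ service principal it
asks the KDC for, and how a hosts-file ordering mistake turns the instance into
a short name the KDC has never heard of.  Added example; the hosts tables, the
192.0.2.10 address and the resolver emulation are constructed for illustration.
"""

REALM = "PILOT.FNAL.GOV"   # realm name from the thread

# Constructed /etc/hosts fragments.  On a hosts line the FIRST name is the
# canonical name and later names are aliases; that is what the resolver's
# canonical-name lookup returns for file-based resolution.
GOOD_HOSTS = "192.0.2.10   bldosf1v40d.fnal.gov   bldosf1v40d\n"
BAD_HOSTS = "192.0.2.10   bldosf1v40d   bldosf1v40d.fnal.gov\n"
# A DNS-only view: no short-name entry at all, so the search list must supply it.
DNS_ONLY = {"bldosf1v40d.fnal.gov": "bldosf1v40d.fnal.gov"}


def parse_hosts(text):
    """Turn hosts-file text into {name -> canonical name}; '#' starts a comment."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue                      # blank, comment, or address without a name
        canonical = fields[1].lower()
        for name in fields[1:]:
            table.setdefault(name.lower(), canonical)
    return table


def canonicalize(name, hosts, search_domains=()):
    """Emulate the resolver: exact lookup first, then each search-list suffix."""
    name = name.lower()
    candidates = [name] + [f"{name}.{d.lower()}" for d in search_domains]
    for candidate in candidates:
        if candidate in hosts:
            return hosts[candidate]
    raise LookupError(f"cannot resolve {name!r}")


def host_principal(name, hosts, search_domains=(), realm=REALM):
    """The service principal an rcmd client will request for `name`."""
    return f"host/{canonicalize(name, hosts, search_domains)}@{realm}"


def diagnose(name, hosts, search_domains=(), realm=REALM):
    """Return (principal, verdict).  An instance without a dot means the client
    will ask for a principal the KDC does not have, which is the failure above."""
    princ = host_principal(name, hosts, search_domains, realm)
    instance = princ.split("/", 1)[1].split("@", 1)[0]
    if "." not in instance:
        return princ, "short-name instance: check hosts-file name order and resolver search list"
    return princ, "ok"


if __name__ == "__main__":
    for label, hosts in (("good hosts file", parse_hosts(GOOD_HOSTS)),
                         ("bad hosts file", parse_hosts(BAD_HOSTS)),
                         ("dns only", DNS_ONLY)):
        print(label, diagnose("bldosf1v40d", hosts, ["fnal.gov"]))
```

The check in diagnose is the one worth automating on a client that suddenly fails this way: if the instance the client is about to request has no domain part, the fault is in name resolution on the client, not on the KDC, and the KDC log entry Matt quotes is the symptom to look for on the server side.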
From kreymer@fnal.gov Fri Apr 7 10:31:19 2000 -0500
Date: Fri, 07 Apr 2000 10:30:54 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Can't kerberos rsh ...
Sender: lauri@fnal.gov
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200004071530.KAA05923@fsui03.fnal.gov>

From what node are you trying to use rsh?

-- lauri

On Friday 7 April 2000, our friend "Marc W. Mengel" spaketh thusly:
>
> Trying to rsh to build cluster nodes, I get:
>
> bash$ rsh bldosf1v40d
> rsh: kcmd to host bldosf1v40d failed - Server not found in Kerberos
> database
> trying normal rlogin (/usr/bin/rlogin) WARNING: NO ENCRYPTION!
>
> Same error for all the nodes... what's up?
>
> Marc
>

From kreymer@fnal.gov Fri Apr 7 12:13:16 2000 -0500
Date: Fri, 07 Apr 2000 12:12:47 -0500
From: "Mark O. Kaletka"
Subject: Restructuring Kerberos mailing lists...
To: Kerberos Pilot

The previously announced restructure of the Kerberos mailing lists is occurring this afternoon.

All holders of Kerberos principals are subscribed to the kerberos-announce mailing list. This list will be used only for important announcements affecting users of Kerberos. This is an announce-only list, that is, only the list owners may send to it. Subscription to the list is open, and users receiving Kerberos principals will be automatically subscribed.

The kerberos-pilot list will remain the forum for technical discussion. All current members of kerberos-pilot will be unsubscribed this afternoon, so if you would like to participate in the discussions you will need to resubscribe to the list.

Requests to join the kerberos-pilot mailing list should be sent to mailto:mailserv@fnal.gov with message body of:

    subscribe kerberos-pilot

-- Mark K.

From kreymer@fnal.gov Fri Apr 7 12:33:15 2000 -0500
Date: Fri, 07 Apr 2000 12:33:13 -0500
From: "PMDF Mailserv V5.2"
Subject: Re: unsubscribe kerberos-pilot kreymer@fnal.gov
To: "Mark O. Kaletka" , kreymer@fnal.gov
Message-id: <01JNYDGF4COY001D7G@FNAL.FNAL.GOV>

The address: kreymer@fnal.gov has been removed from the kerberos-pilot mailing list by "Mark O. Kaletka" .

From kreymer@fnal.gov Sat Apr 8 17:59:34 2000 -0500
Date: Sat, 08 Apr 2000 17:59:32 -0500
From: "PMDF Mailserv V5.2"
Subject: Re: subscribe kerberos-pilot kreymer@fnal.gov
To: Art Kreymer , kreymer@fnal.gov
Message-id: <01JO035C7VNM001FE8@FNAL.FNAL.GOV>

The address: kreymer@fnal.gov has been added to the kerberos-pilot mailing list by Art Kreymer .
From kreymer@fnal.gov Sat Apr 8 17:59:35 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA28538 for ; Sat, 8 Apr 2000 17:59:35 -0500
Received: from mailserv-daemon by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JO035BV9OW001FE8@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@fnal.gov); Sat, 8 Apr 2000 17:59:32 -0500 CDT
Date: Sat, 08 Apr 2000 17:59:32 -0500
From: "PMDF Mailserv V5.2"
Subject: Welcome to kerberos-pilot
To: kreymer@fnal.gov
Message-id: <01JO035CI8MU001FE8@FNAL.FNAL.GOV>
MIME-version: 1.0
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 248

This list is for the use of the sysadmins and users participating in the
Kerberos pilot project. This will be the main channel for news, questions
and problem reports.

Please contact the list owner, crawdad@fnal.gov, for more information

If you wish to unsubscribe send mail to mailserv@fnal.gov
leave the subject line blank
in the body of the message type
unsubscribe kerberos-pilot username

Do not reply to this message.
From kreymer@fnal.gov Wed Apr 19 05:36:33 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id FAA31623 for ; Wed, 19 Apr 2000 05:36:33 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOEQEVJHWO001IJZ@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 19 Apr 2000 05:36:31 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000373B@listserv.fnal.gov>; Wed, 19 Apr 2000 05:36:29 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 1594 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 19 Apr 2000 05:36:29 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000373A@listserv.fnal.gov>; Wed, 19 Apr 2000 05:36:29 -0500
Received: from ts.infn.it ([140.105.6.150]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JOEQETCZFY001L04@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 19 Apr 2000 05:36:28 -0500
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Wed, 19 Apr 2000 12:36 +0100 (CET)
Date: Wed, 19 Apr 2000 12:36:22 +0200
From: Stefano Belforte
Subject: Comments from Italy to Strong Authentication Project
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: Marg Shapiro , Amidei Dan , Robert Harris , Franco Bedeschi , goshaw@fnal.gov, bellettini giorgio
Message-id: <38FD8C26.E3A91A61@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.72 [en] (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 249

Dear kerberos-pilot,
about a month ago the P1.0 release of the Fermilab Strong
Authentication Pilot Phase project manual was distributed
electronically as CDF note 5246. It was posted by Robert Harris
who invited to send comments to kerberos-pilot.

As I happen to be responsible for the analysis of Tevatron
Run 2 data by the CDF Italian collaborators I believe I owe
not only a comment, but an official, educated, one. Also
I hope you will take this seriously and address what are
our (CDF Italians') concerns.
This being the official reply of a large fraction of the CDF
collaboration, I send a copy of this to the CDF spokespeople
as well, in addition to CDF offline managers and the leader
of the CDF Italian group.
Please be sure that we take these matters very seriously and
I am expressing the joint opinion of several senior members of
the collaboration.

I am sorry it took me some time to digest the document,
but it is a matter very unfamiliar to myself, I also had
a very hard time printing it due to the large embedded
images, but that's probably because I do not have the same
fancy printer as you do.

First of all I want to state that I find it a bit inappropriate that
there is not a more clear and formal way to get into this
very important project the feedback of us remote users.
This project is about to change completely the life of physicists
resident outside the laboratory, still I do not see a clear
path by which our needs, constraints and opinions can be taken
care of well early at the design stage.

I am overall impressed by the detail of the documentation and
the status of advancement of the project, please take this
as honest appreciation of your work and effort.
Nevertheless I see this advanced status of the project as a source
of major worry for me, it makes it sound like everything is now
defined and decided and we have just to live by those rules, no
matter what. I hope this is a wrong impression, and you
are still willing to reconsider even basic design choices should
that be needed. Of course I hope with all my heart that you
will dispel all our worries showing that they are simply due
to misunderstanding! Although it is worrying to notice that
a "remote users feedback group" was about to be formed last summer,
but either wasn't or nobody from Italy was put in.
Again, I would have expected (naively?) that feedback from offsite
users were to be taken into account from the beginning, well into
the requirement layout phase of the project.

The bottom line is that I find this project very scary. One may
read it and just think "it is all buzzwords for experts" and
relax, but if I try to enucleate from the user manual what
the actual way of working will be "in the realms era", it makes
a very bad picture, it is the kind of thing that makes people say
"we just take our stuff back and go do experiments elsewhere" as
one senior CDF physicist said as I mentioned some of the
consequences. Again, maybe we just misunderstood... but, believe
me, we are very concerned.

Here are more specific questions and concerns for your
evaluation, please make us happy by showing that there is
actually no reason to be concerned. A more general comment is
at the end (you may read it first if you prefer).

1) the stated goal of the project is to avoid clear text
transmission of passwords. So... why is ssh not good enough?
It appears to be sufficient for every other laboratory.
Fermilab has not even enforced ssh till now. Ssh is very
simple to use and available everywhere, why not start from
this simple step and go all the way to a sophisticated
kerberized system only if really needed?

2) Similarly, since the goal is to avoid clear text
passwords, why do you not want to allow my local workstation
to use kerberos to connect to FNAL, while still running an
ssh server to allow myself to connect to it from other nodes
in my institution?

3) It looks like in this project you do not simply want to make
sure that a connection from user stefano.belforte@ts.infn.it
is indeed someone who logged in Trieste, Italy on an INFN
computer with username Stefano.Belforte, but also want to make
sure that I myself am pressing the keys on the keyboard, so
reaching a security equivalent to what a bank ATM requires
before yielding out money.
Are you sure that such an ambitious and unprecedented goal
is really the minimum effort needed to avoid security
incidents?
You are certainly aware that implementing the proposed system is
going to need significant resources also outside the laboratory,
as our primary goal is physics, we usually strive to put in
infrastructure only the minimum needed effort.

4) Going toward a bank-like security naturally raises a comparison
and questions about the daily operations of the system and whether
common "minor" problems can easily be overcome:
Biggest difference is that the bank is happy with a plastic card
that fits in the wallet and that is sent by mail before it is needed,
not a bulky electronic gadget.
What if I forget this CryptoCard at home, do I not work for the
day? What if I lose it? What if it breaks? What if I forget
it in my pants when doing my laundry? Do I have to take the plane
to Fermilab?
What about people who join the experiment and start working on
software *before* they get a chance of flying over there?

5) How will remote access to data be managed?
We plan to use ftp to copy over here data produced at
Fermilab. Definitely we can not allow anonymous ftp access
to CDF data, or preliminary analysis results. But I have not
seen any other way than anonymous ftp as allowed access for
users outside the strengthened realm.

6) How will we be able to control access to internal web pages?
Now this is done by clear text passwords on the browser,
definitely not a practice to be kept, but still there is
information there vital to people working on analysis offsite
but that must be kept confidential.

7) How will I read my e-mail? Can I still connect to the
FNAL IMAP server if I do not have my crypto-card with me?

8) How will access from home on a dial-up connection be managed?
Both when connecting via a commercial ISP, and when using
dial-up to a modem pool in my home institute in which case I
just have no way to sit in front of a kerberised workstation.

9) What about institutions with a poor internet connection?
There it is just impossible to login through the portal and
do "setenv DISPLAY". At present for example many people
are trying to get a boost for interactive work by using
thin clients that make it possible to access remote desktops
without the X protocol, namely VNC in Italy and Citrix Metaframe
from the UK. VNC supports some security mechanism, but not
kerberos. What would be the situation there? Back to a
"telnet only" style of work? At least the possibility
to run a remote full screen debugging session is vital to
effective software work.

10) A specific example may be Root. Root has very attractive
client/server features that may make it possible to access
remotely data at Fermilab without the need to transfer large
data files, will this kind of connection be supported? Will
it be possible to do it from "normal" remote computers still
providing some way to prevent people from rival experiments from
taking an unauthorised preview of physics results?

11) Can you make specific examples of what a "trusted realm" may be,
other than another fully kerberised system, so that we may see
what it would take from our side to be one?

12) Why "Fermi extensions to Kerberos"? Assuming this way of
going overcomes difficulties and becomes the backbone of each HEP
site (at least), what will happen to remote servers which host
people from Fermi/Slac/CERN experiments? Will each laboratory
require to have its own personalization installed?
Are steps being taken now to make sure that the software that is
being developed at Fermilab will be such that it can be used "as is"
by any other institution, including large laboratories?

13) Do crypto-cards by any chance use 128-bit encryption so as to
make it illegal to carry them across US borders?


Overall the depicted scenario is just terribly, terribly
"Fermi-Centric". The strengthened realm is just a fortress called
Fermilab, and remote kerberised workstations are just Fermilab
extensions. It is like taking an X-Term at Fnal and stretching
the cable so that it sits on my desk. It is very convenient
if my way of life would be to log in on a Fermilab computer in the
morning and work there all day, but it does not (unless at least you
allow it to run ssh, as 2) above) make any step into providing
communication between my real work environment and Fermilab.
What about printing locally for example?
The kerberised workstation on my desk from the functional point
of view is as distant from my main computers as if it still were
in Batavia.
The proposed system seems to have in mind as the typical remote user
one Fermi employee who just is visiting INFN for a day, or
is at a conference, so he/she has some way to log in by scratching
one password from the piece of paper received before leaving, and
definitely will not need more than a few. But what about people
who make hundreds of connections to FNAL between one trip to Batavia
and the next?
It really looks like a project about a "Fnal person" on the road, not
about a remote collaborator who is part of a complex environment,
shares resources with other scientists from different areas with
different requirements, maybe does not even own a personal
workstation, and has often very limited system management help
for tasks that are "just the problem of a small group" in a big
university.
That is the reality here. People collaborate in our experiments from a
lot of places and computers, they often work on large department
servers shared with other groups, even not HEP ones. Some CDF
groups are just 3 people in a 100-user environment, no way they
can have a dedicated system manager for more than a few days a year.
In some places local help may not be enough to install and maintain
a local replica of the experiment software, people will have to use
Fermilab resources to work, we have to find ways to make it easy
for them.

Thanks for your time, looking forward to a fruitful interaction

Stefano Belforte
--
Stefano Belforte - I.N.F.N.          tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99      e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy             Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Wed Apr 19 12:18:21 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA26114 for ; Wed, 19 Apr 2000 12:18:21 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOF4G0B7TQ001HIU@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 19 Apr 2000 12:18:19 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00003A9B@listserv.fnal.gov>; Wed, 19 Apr 2000 12:18:16 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 2529 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 19 Apr 2000 12:18:16 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00003A9A@listserv.fnal.gov>; Wed, 19 Apr 2000 12:18:15 -0500
Received: from cdfsga.fnal.gov ([131.225.109.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOF4FY6RRS001FJY@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 19 Apr 2000 12:18:13 -0500
Received: (from giorgiob@localhost) by cdfsga.fnal.gov (8.9.3/8.9.0) id MAA19131; Wed, 19 Apr 2000 12:18:22 -0500 (CDT)
Date: Wed, 19 Apr 2000 12:18:22 -0500 (CDT)
From: Giorgio Bellettini
Subject: Re: Comments from Italy to Strong Authentication Project
In-reply-to: <38FD8C26.E3A91A61@ts.infn.it>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov, Marg Shapiro , Amidei Dan , Robert Harris , Franco Bedeschi , goshaw@fnal.gov, CDF Italia Spokespersons , busetto@pd.infn.it, carlo.dionisi@roma1.infn.it, chiarelli@pi.infn.it, cordelli@lnf.infn.it, dario.bisello@pd.infn.it, frascati@fnald.fnal.gov, introzzi@fnald.fnal.gov, lucia.zanello@roma1.infn.it, menzione@pi.infn.it, pauletta@fnald.fnal.gov, rimondi@fnald.fnal.gov, ristori@pi.infn.it, sandra@fnal.gov
Cc: zanetti@trieste.infn.it
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 250

Dear Stefano, dear all,

This problem is totally new to me, and I believe to most of us.
It is disappointing that a new access system to the Fermilab computers
be studied without close contact and collaboration with non-US users.
I trust that this will change now, and that we shall find together a
mode of operation that will allow the Italian groups to analyse
comfortably and efficiently the run2 CDF data.

Giorgio.
=========================================================================

On Wed, 19 Apr 2000, Stefano Belforte wrote:

>
> Dear kerberos-pilot,
> about a month ago the P1.0 release of the Fermilab Strong
> Authentication Pilot Phase project manual was distributed
> electronically as CDF note 5246. It was posted by Robert Harris
> who invited to send comments to kerberos-pilot.
>
> As I happen to be responsible for the analysis of Tevatron
> Run 2 data by the CDF Italian collaborators I believe I owe
> not only a comment, but an official, educated, one. Also
> I hope you will take this seriously and address what are
> our (CDF Italians') concerns.
> This being the official reply of a large fraction of the CDF
> collaboration, I send a copy of this to the CDF spokespeople
> as well, in addition to CDF offline managers and the leader
> of the CDF Italian group.
> Please be sure that we take these matters very seriously and
> I am expressing the joint opinion of several senior members of
> the collaboration.
>
> I am sorry it took me some time to digest the document,
> but it is a matter very unfamiliar to myself, I also had
> a very hard time printing it due to the large embedded
> images, but that's probably because I do not have the same
> fancy printer as you do.
>
> First of all I want to state that I find it a bit inappropriate that
> there is not a more clear and formal way to get into this
> very important project the feedback of us remote users.
> This project is about to change completely the life of physicists
> resident outside the laboratory, still I do not see a clear
> path by which our needs, constraints and opinions can be taken
> care of well early at the design stage.
>
> I am overall impressed by the detail of the documentation and
> the status of advancement of the project, please take this
> as honest appreciation of your work and effort.
> Nevertheless I see this advanced status of the project as a source
> of major worry for me, it makes it sound like everything is now
> defined and decided and we have just to live by those rules, no
> matter what. I hope this is a wrong impression, and you
> are still willing to reconsider even basic design choices should
> that be needed. Of course I hope with all my heart that you
> will dispel all our worries showing that they are simply due
> to misunderstanding! Although it is worrying to notice that
> a "remote users feedback group" was about to be formed last summer,
> but either wasn't or nobody from Italy was put in.
> Again, I would have expected (naively?) that feedback from offsite
> users were to be taken into account from the beginning, well into
> the requirement layout phase of the project.
>
> The bottom line is that I find this project very scary. One may
> read it and just think "it is all buzzwords for experts" and
> relax, but if I try to enucleate from the user manual what
> the actual way of working will be "in the realms era", it makes
> a very bad picture, it is the kind of thing that makes people say
> "we just take our stuff back and go do experiments elsewhere" as
> one senior CDF physicist said as I mentioned some of the
> consequences. Again, maybe we just misunderstood... but, believe
> me, we are very concerned.
>
> Here are more specific questions and concerns for your
> evaluation, please make us happy by showing that there is
> actually no reason to be concerned. A more general comment is
> at the end (you may read it first if you prefer).
>
> 1) the stated goal of the project is to avoid clear text
> transmission of passwords. So... why is ssh not good enough?
> It appears to be sufficient for every other laboratory.
> Fermilab has not even enforced ssh till now. Ssh is very
> simple to use and available everywhere, why not start from
> this simple step and go all the way to a sophisticated
> kerberized system only if really needed?
>
> 2) Similarly, since the goal is to avoid clear text
> passwords, why do you not want to allow my local workstation
> to use kerberos to connect to FNAL, while still running an
> ssh server to allow myself to connect to it from other nodes
> in my institution?
>
> 3) It looks like in this project you do not simply want to make
> sure that a connection from user stefano.belforte@ts.infn.it
> is indeed someone who logged in Trieste, Italy on an INFN
> computer with username Stefano.Belforte, but also want to make
> sure that I myself am pressing the keys on the keyboard, so
> reaching a security equivalent to what a bank ATM requires
> before yielding out money.
> Are you sure that such an ambitious and unprecedented goal
> is really the minimum effort needed to avoid security
> incidents?
> You are certainly aware that implementing the proposed system is
> going to need significant resources also outside the laboratory,
> as our primary goal is physics, we usually strive to put in
> infrastructure only the minimum needed effort.
>
> 4) Going toward a bank-like security naturally raises a comparison
> and questions about the daily operations of the system and whether
> common "minor" problems can easily be overcome:
> Biggest difference is that the bank is happy with a plastic card
> that fits in the wallet and that is sent by mail before it is needed,
> not a bulky electronic gadget.
> What if I forget this CryptoCard at home, do I not work for the
> day? What if I lose it? What if it breaks? What if I forget
> it in my pants when doing my laundry? Do I have to take the plane
> to Fermilab?
> What about people who join the experiment and start working on
> software *before* they get a chance of flying over there?
>
> 5) How will remote access to data be managed?
> We plan to use ftp to copy over here data produced at
> Fermilab. Definitely we can not allow anonymous ftp access
> to CDF data, or preliminary analysis results. But I have not
> seen any other way than anonymous ftp as allowed access for
> users outside the strengthened realm.
>
> 6) How will we be able to control access to internal web pages?
> Now this is done by clear text passwords on the browser,
> definitely not a practice to be kept, but still there is
> information there vital to people working on analysis offsite
> but that must be kept confidential.
>
> 7) How will I read my e-mail? Can I still connect to the
> FNAL IMAP server if I do not have my crypto-card with me?
>
> 8) How will access from home on a dial-up connection be managed?
> Both when connecting via a commercial ISP, and when using
> dial-up to a modem pool in my home institute in which case I
> just have no way to sit in front of a kerberised workstation.
>
> 9) What about institutions with a poor internet connection?
> There it is just impossible to login through the portal and
> do "setenv DISPLAY". At present for example many people
> are trying to get a boost for interactive work by using
> thin clients that make it possible to access remote desktops
> without the X protocol, namely VNC in Italy and Citrix Metaframe
> from the UK. VNC supports some security mechanism, but not
> kerberos. What would be the situation there? Back to a
> "telnet only" style of work? At least the possibility
> to run a remote full screen debugging session is vital to
> effective software work.
>
> 10) A specific example may be Root. Root has very attractive
> client/server features that may make it possible to access
> remotely data at Fermilab without the need to transfer large
> data files, will this kind of connection be supported? Will
> it be possible to do it from "normal" remote computers still
> providing some way to prevent people from rival experiments from
> taking an unauthorised preview of physics results?
>
> 11) Can you make specific examples of what a "trusted realm" may be,
> other than another fully kerberised system, so that we may see
> what it would take from our side to be one?
>
> 12) Why "Fermi extensions to Kerberos"? Assuming this way of
> going overcomes difficulties and becomes the backbone of each HEP
> site (at least), what will happen to remote servers which host
> people from Fermi/Slac/CERN experiments? Will each laboratory
> require to have its own personalization installed?
> Are steps being taken now to make sure that the software that is
> being developed at Fermilab will be such that it can be used "as is"
> by any other institution, including large laboratories?
>
> 13) Do crypto-cards by any chance use 128-bit encryption so as to
> make it illegal to carry them across US borders?
>
>
> Overall the depicted scenario is just terribly, terribly
> "Fermi-Centric". The strengthened realm is just a fortress called
> Fermilab, and remote kerberised workstations are just Fermilab
> extensions. It is like taking an X-Term at Fnal and stretching
> the cable so that it sits on my desk. It is very convenient
> if my way of life would be to log in on a Fermilab computer in the
> morning and work there all day, but it does not (unless at least you
> allow it to run ssh, as 2) above) make any step into providing
> communication between my real work environment and Fermilab.
> What about printing locally for example?
> The kerberised workstation on my desk from the functional point
> of view is as distant from my main computers as if it still were
> in Batavia.
> The proposed system seems to have in mind as the typical remote user
> one Fermi employee who just is visiting INFN for a day, or
> is at a conference, so he/she has some way to log in by scratching
> one password from the piece of paper received before leaving, and
> definitely will not need more than a few. But what about people
> who make hundreds of connections to FNAL between one trip to Batavia
> and the next?
> It really looks like a project about a "Fnal person" on the road, not
> about a remote collaborator who is part of a complex environment,
> shares resources with other scientists from different areas with
> different requirements, maybe does not even own a personal
> workstation, and has often very limited system management help
> for tasks that are "just the problem of a small group" in a big
> university.
> That is the reality here. People collaborate in our experiments from a
> lot of places and computers, they often work on large department
> servers shared with other groups, even not HEP ones. Some CDF
> groups are just 3 people in a 100-user environment, no way they
> can have a dedicated system manager for more than a few days a year.
> In some places local help may not be enough to install and maintain
> a local replica of the experiment software, people will have to use
> Fermilab resources to work, we have to find ways to make it easy
> for them.
>
> Thanks for your time, looking forward to a fruitful interaction
>
> Stefano Belforte
> --
> Stefano Belforte - I.N.F.N.          tel : +39 040 375-6261 (fax: 375-6258)
> Area di Ricerca - Padriciano 99      e-mail: Stefano.Belforte@ts.infn.it
> 34012 TRIESTE TS - Italy             Web : http://www.ts.infn.it/~belforte
>

From kreymer@fnal.gov Fri Apr 21 15:26:52 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA05768 for ; Fri, 21 Apr 2000 15:26:52 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOI3LHSK20001IOO@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 21 Apr 2000 15:26:51 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000519E@listserv.fnal.gov>; Fri, 21 Apr 2000 15:26:49 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 4364 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 21 Apr 2000 15:26:49 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000519D@listserv.fnal.gov>; Fri, 21 Apr 2000 15:26:49 -0500
Received: from odsmev.fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOI3LH3D24001H4A@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.fnal.gov) ; Fri, 21 Apr 2000 15:26:48 -0500
Received: (from votava@localhost) by odsmev.fnal.gov (8.9.3/8.9.3) id PAA26591 for kerberos-pilot@fnal; Fri, 21 Apr 2000 15:26:48 -0500
Date: Fri, 21 Apr 2000 15:26:48 -0500
From: Margaret Votava
Subject: crypto card
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200004212026.PAA26591@odsmev.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 251

Hi,

Who do I need to contact about getting one?
Thanks,
Margaret

From kreymer@fnal.gov Mon Apr 24 11:32:39 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA14947 for ; Mon, 24 Apr 2000 11:32:38 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOM29H8Y5K001KOX@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@FNAL.GOV); Mon, 24 Apr 2000 11:32:21 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00005FCF@listserv.fnal.gov>; Mon, 24 Apr 2000 11:31:16 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 8261 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Mon, 24 Apr 2000 11:31:16 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00005FCD@listserv.fnal.gov>; Mon, 24 Apr 2000 11:31:16 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOM29ELRMY001ERG@FNAL.FNAL.GOV> for kerberos-announce@listserv.fnal.gov (ORCPT rfc822;kerberos-announce@fnal.gov) ; Mon, 24 Apr 2000 11:31:13 -0500
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA05068 for ; Mon, 24 Apr 2000 11:31:13 -0500 (CDT)
Date: Mon, 24 Apr 2000 11:31:10 -0500
From: Matt Crawford
Subject: Need a cryptocard?
Sender: owner-kerberos-announce@listserv.fnal.gov
To: kerberos-announce@fnal.gov
Message-id: <200004241631.LAA05068@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 252

If you are a Fermi Kerberos user and need a hardware Cryptocard (not the
Palm software version), come to my office (FCC 351, east end of the third
floor) this Wednesday, April 26, between 9-12 or 1-4. You might phone or
email ahead so I know when to expect someone.
	Matt

From kreymer@fnal.gov Tue Apr 25 17:18:10 2000 -0500
From: Margaret Votava
Date: Tue, 25 Apr 2000 17:18:05 -0500
Subject: Re: kerberos v0_5 is ready for you to test
To: kerberos-pilot@fnal.gov

Hi,

I think I've followed all the steps correctly to install the ssh version
of kerberos on my desktop (odsmev), but I can no longer ssh into it.

What have I done wrong?
Thanks,
Margaret

output from the ups install
=============================
odsmev.fnal.gov(root) % ups install-keep-ssh -z /usr/products/ups_database kerberos v0_5
Beginning installation of kerberos v0_5 into /usr/krb5.
chown: bin/ksu: Operation not permitted
chown: bin/v4rcp: Operation not permitted
chmod: bin/ksu: Operation not permitted
chmod: bin/v4rcp: Operation not permitted
Do you have the passwords to enable the ftp and host services? (y/n, default y)
Password for ftp/odsmev.fnal.gov service:
Password for host/odsmev.fnal.gov service: (default is the same as the ftp/odsmev.fnal.gov password you just entered)
Preparing to configure krb5conf on this node...
Beginning installation of krb5conf v0_5 on odsmev.fnal.gov.
Previous /etc/krb5.conf saved as /etc/krb5.conf.25Apr2000...
NOTICE: Entire /etc/krb5.conf file will be replaced.
Check the saved version for local changes which might need to be preserved.
Installing new configuration information...
Logging the installation in /usr/products/cluster_disk/krb5conf/v0_5/ups/odsmev.fnal.gov.log...

Reminder!!!!
You must perform this installation on each node that shares this copy of krb5conf.

Installation of krb5conf v0_5 with afs on odsmev.fnal.gov complete.
krb5conf configuration complete.
Preparing to configure service/byname on this node...
Reading template file /usr/products/Linux/kerberos/v0_5/ups/services.template...
Saving backup copy of /etc/services...
Updating /etc/services file...
service/byname configuration complete.
Preparing to configure host keys on this node...
Service ftp/odsmev.fnal.gov added to krb5.keytab.
Service host/odsmev.fnal.gov added to krb5.keytab.
Preparing to configure inetd on this node...
Reading template file /usr/products/Linux/kerberos/v0_5/ups/inetd.conf.template...
Saving backup copy of /etc/inetd.conf...
Updating /etc/inetd.conf file...
Sending HUP to inetd...
inetd configuration complete.
Preparing to reconfigure sshd on this node...
Reading template file /usr/products/Linux/kerberos/v0_5/ups/sshd_config.weak.template...
Saving backup copy of /etc/sshd_config...
Updating /etc/sshd_config file...
Sending HUP to sshd...
Sorry, I can't determine which process is the correct sshd to restart.
You'll have to do it.
sshd configuration complete.

Automated installation of kerberos complete.
IMPORTANT:
1) sshd daemon restart was not completed successfully.

This step must be completed before the kerberos installation is complete.

starting ssh by hand
=====================
odsmev.fnal.gov(root) % cd /etc/rc.d
odsmev.fnal.gov(root) % ls init.d/*ssh*
init.d/sshd.init
odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init status
Usage: sshd.init {start|stop}
odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init stop
doneting down sshd:                                        [  OK  ]

can't ssh in
================
odsmev.fnal.gov % slogin votava@odsmev
Secure connection to odsmev refused; reverting to insecure method.
Using rsh.  WARNING: Connection will not be encrypted.
odsmev.fnal.gov: Connection refused
odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init start
Starting sshd:
odsmev.fnal.gov(root) %

From kreymer@fnal.gov Tue Apr 25 18:28:34 2000 -0500
From: "Mark O. Kaletka"
Date: Tue, 25 Apr 2000 18:28:27 -0500
Subject: RE: kerberos v0_5 is ready for you to test
To: Margaret Votava, kerberos-pilot@fnal.gov

You need to do "ups install-keep-ssh"; the default installation assumes
the final model for strengthened systems, which includes turning off the
ssh daemon.  It's documented in README.INSTALL.  I don't know what magic
ups thing (if any) you have to use to undo the first installation; you
may have to consult a ups expert (Lauri?).

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Margaret
> Votava
> Sent: Tuesday, April 25, 2000 5:18 PM
> To: kerberos-pilot@fnal.gov
> Subject: Re: kerberos v0_5 is ready for you to test
>
>
> Hi,
>
> I think I've followed all the steps correctly to install the ssh version
> of kerberos on my desktop (odsmev), but I can no longer ssh into it.
>
> What have I done wrong?
> Thanks,
> Margaret
>
> output from the ups install
> =============================
> odsmev.fnal.gov(root) % ups install-keep-ssh -z /usr/products/ups_database kerberos v0_5
> Beginning installation of kerberos v0_5 into /usr/krb5.
> [...]

From kreymer@fnal.gov Wed Apr 26 09:24:59 2000 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Date: Wed, 26 Apr 2000 09:24:55 -0500
Subject: re: kerberos v0_5 is ready for you to test
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov

Please send me a copy of:

	/etc/sshd_config             (the new one)
	/etc/sshd_config.25Apr2000   (the old one)

Also, while you showed that you couldn't ssh in while the sshd daemon
was stopped, your email doesn't show what happens after you restarted
it.  (I'm assuming that you still can't ssh in...)

-- lauri

On Tuesday 25 April 2000, our friend Margaret Votava spaketh thusly:

> Hi,
>
> I think I've followed all the steps correctly to install the ssh version
> of kerberos on my desktop (odsmev), but I can no longer ssh into it.
>
> What have I done wrong?
> Thanks,
> Margaret
>
> output from the ups install
> =============================
> odsmev.fnal.gov(root) % ups install-keep-ssh -z /usr/products/ups_database kerberos v0_5
> Beginning installation of kerberos v0_5 into /usr/krb5.
> [...]

From kreymer@fnal.gov Wed Apr 26 10:00:15 2000 -0500
From: Matt Crawford
Date: Wed, 26 Apr 2000 09:59:51 -0500
Subject: Re: kerberos v0_5 is ready for you to test
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov

> I think I've followed all the steps correctly to install the ssh version
> of kerberos on my desktop (odsmev), but I can no longer ssh into it.
>
> What have I done wrong?

You stopped sshd, but didn't start it again:

> odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init status
> Usage: sshd.init {start|stop}
> odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init stop
> doneting down sshd: [ OK ]

Now do
	/etc/rc.d/init.d/sshd.init start

(Although now that you have a cryptocard, there may be no great need
for sshd to be running.)
From kreymer@fnal.gov Thu Apr 27 10:45:23 2000 -0500
From: Margaret Votava
Date: Thu, 27 Apr 2000 10:45:10 -0500
Subject: Re: kerberos v0_5 is ready for you to test
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

Hi,

I didn't cut and paste enough in my original mail - sorry.
I have stopped and restarted the server, but still can't ssh in:

odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init status
Usage: sshd.init {start|stop}
odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init stop
doneting down sshd:                                        [  OK  ]
odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init start
Starting sshd:

Something is running:

odsmev.fnal.gov(root) % zap -l ssh
  PID UID      COMMAND
 2142 amundson :00 [ssh-agent]
 2565 moore    :00 [ssh-agent]
14174 amundson :00 [ssh-agent]
14261 amundson :00 [ssh-agent]
 9731 root     :00 sshd
10875 root     :00 sshd

slogin votava@odsmev
Secure connection to odsmev refused; reverting to insecure method.
Using rsh.  WARNING: Connection will not be encrypted.
odsmev.fnal.gov: Connection refused

So I am still stuck on this and too cowardly to log out for fear that I
will never be able to log in again.

Thanks,
Margaret

Matt Crawford wrote:
>
> > I think I've followed all the steps correctly to install the ssh version
> > of kerberos on my desktop (odsmev), but I can no longer ssh into it.
> >
> > What have I done wrong?
>
> You stopped sshd, but didn't start it again:
>
> > odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init status
> > Usage: sshd.init {start|stop}
> > odsmev.fnal.gov(root) % /etc/rc.d/init.d/sshd.init stop
> > doneting down sshd: [ OK ]
>
> Now do
>         /etc/rc.d/init.d/sshd.init start
>
> (Although now that you have a cryptocard, there may be no great need
> for sshd to be running.)
From kreymer@fnal.gov Thu Apr 27 11:29:45 2000 -0500
From: Margaret Votava
Date: Thu, 27 Apr 2000 11:29:42 -0500
Subject: Re: kerberos v0_5 is ready for you to test
To: Art Kreymer

Hi,

Done that.  It says the service isn't running.  Lauri is looking into it
now.

Thanks,
Margaret

Art Kreymer wrote:
>
> Use
>
>         ssh -v votava@odsmev
>
> to see just why the connection is being refused.
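Matt's diagnosis (a stopped listener), Art's "ssh -v" suggestion and Margaret's "zap -l ssh" listing with two root-owned sshd processes all turn on the one question the installer said it could not answer: which sshd is the listener? The shell functions below are an added example for this thread, not code from the messages or from the Fermi kerberos/ups product; they assume a procps-style "ps -eo pid,ppid,comm", a "netstat -ln" that shows LISTEN sockets, and a pid-file path such as /var/run/sshd.pid, none of which appear in the thread.

```sh
#!/bin/sh
# Added example for this thread (not code from the messages or from the
# Fermi kerberos/ups product).  The installer gave up with "I can't
# determine which process is the correct sshd to restart", and the zap
# listing shows two root-owned "sshd" processes.  Only one is the
# listener: sshd forks a child per login that keeps the name "sshd", so
# the listener is the one whose parent is init (PID 1).
# Assumptions: a procps-style "ps -eo pid,ppid,comm", a "netstat -ln" that
# prints LISTEN sockets, and a pid file path; none come from the thread.

# pick_sshd_listener: read "PID PPID COMMAND" lines on stdin and print the
# PID of the sshd whose parent is PID 1.  Prints nothing, exits 1 if none.
pick_sshd_listener() {
    awk '$3 == "sshd" && $2 == 1 { print $1; found = 1 }
         END { exit(found ? 0 : 1) }'
}

# count_sshd_children: per-connection sshd processes (parent is not init).
# Seeing only these, with no listener, is exactly "Connection refused"
# for new logins while already-open sessions keep working.
count_sshd_children() {
    awk '$3 == "sshd" && $2 != 1 { n++ } END { print n + 0 }'
}

# port_listening PORT: read "netstat -ln" style lines on stdin; exit 0 if
# a TCP socket on that port is in LISTEN state (IPv4 or IPv6, any address).
port_listening() {
    awk -v p="$1" '$1 ~ /^tcp/ && $NF == "LISTEN" {
                       n = split($4, a, ":"); if (a[n] == p) ok = 1 }
                   END { exit(ok ? 0 : 1) }'
}

# pidfile_alive FILE: the listener records its PID in a pid file
# (/var/run/sshd.pid is an assumed location); a stale file left by a
# crashed daemon still names a PID, so confirm the process really exists.
pidfile_alive() {
    [ -r "$1" ] || return 1
    pid=$(head -n 1 "$1" | tr -cd '0-9')
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# check_sshd [PIDFILE]: the "status" action the sshd.init script in the
# thread does not have.  Live check on the local host.
check_sshd() {
    listener=$(ps -eo pid,ppid,comm | pick_sshd_listener)
    children=$(ps -eo pid,ppid,comm | count_sshd_children)
    if [ -z "$listener" ]; then
        echo "no sshd listener is running ($children session sshd(s) only);"
        echo "new logins will be refused: start it with the init script"
        return 1
    fi
    if [ -n "$1" ] && ! pidfile_alive "$1"; then
        echo "warning: pid file $1 is missing or stale (listener is $listener)"
    fi
    if ! netstat -ln 2>/dev/null | port_listening 22; then
        echo "sshd listener is pid $listener but nothing listens on port 22;"
        echo "compare /etc/sshd_config with the backup the installer saved"
        return 1
    fi
    echo "sshd listener is pid $listener, $children session(s), port 22 open"
}
```

Run "check_sshd /var/run/sshd.pid" after the init script's start action; a listener with no open port 22 points at the new sshd_config rather than at the init script.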
From kreymer@fnal.gov Thu Apr 27 12:49:55 2000 -0500
From: Michael Gold
Date: Thu, 27 Apr 2000 12:49:31 -0600
Subject: remote xemacs
To: kerberos-pilot@fnal.gov
Cc: gold@dot.phys.unm.edu

I have not kerberized my home machine (dot.phys.unm.edu).  I do not plan
to unless I have to.  There are 2 things I need at least for now:

1) access to fcdfsgi2

For now, I simply slogin via cdfsga.  Will this continue to work?
2) file editing on fcdfsgi2

What works best is to run xemacs locally.  My present version of xemacs
uses ftp, and access to fcdfsgi2 is denied.  How can I do this?  Will
kerberizing solve this problem?  Will a new version of XEMACS or ftp
solve this problem?

Please advise.

--
Michael Gold
Department of Physics and Astronomy
University of New Mexico
Albuquerque, NM 87131
phone: 505-277-2086, 505-277-3604
fax: 505-277-1520
email: mgold@unm.edu

From kreymer@fnal.gov Thu Apr 27 16:44:44 2000 -0500
From: Margaret Votava
Date: Thu, 27 Apr 2000 16:44:35 -0500
Subject: the latest status and problems with odsmev (my linux box)
To: kerberos-pilot@fnal.gov
Cc: csieh@fnal.gov, dawson@fnal.gov
Hi,

Connie, Troy, see point #2 and #3

Lauri didn't see anything obviously wrong with the ssh configuration
files.  She suggested a reboot to start the servers cleanly.  I have, and
can now successfully telnet (with my cryptocard key) or slogin into my
pc.  Here are the problems that I have encountered so far:

1) I cannot use my kerberos password at the console.  It asks for an
   account name and password.  If I enter my kerberos password, it then
   asks for my afs password (in fact, it will ask for my afs password,
   no matter what password I enter), so I assume that I am coming in
   through afs.  What should happen here?

2) I have disabled xntp (per the instructions).  My hardware clock was
   about 45 minutes off.  I wasn't able to get any afs tokens because my
   time was too skewed for AFS to deal with.  Ray suggested that I put
   in ntpdate at system boottime to get my clock in sync quickly.  I
   think this needs to be added to instructions somewhere - or come with
   the Fermi installation.  Will the same problem happen on our IRIX
   boxes now that we've disabled xntp?

3) I see various pam and gdm errors in /var/log/messages.  I don't
   really understand these so I don't know if they are relevant.  I will
   attach at the end.  I also don't believe that they happened before I
   went into the realm.

Thanks,
Margaret

From /var/log/messages:

Apr 27 16:15:00 odsmev gpm: gpm startup succeeded
Apr 27 16:15:01 odsmev gpm[662]: Error in protocol
Apr 27 16:15:01 odsmev last message repeated 9 times
...
Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava.
    password was incorrect
Apr 27 16:21:53 odsmev last message repeated 2 times
Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by (uid=0)
Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0
Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file /afs/fnal.gov/files/home/room3/votava/.Xauthority
Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava
Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0
Apr 27 16:22:05 odsmev gpm[662]: Error in protocol
Apr 27 16:22:05 odsmev last message repeated 12 times
Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by LOGIN(uid=0)

From kreymer@fnal.gov Thu Apr 27 16:50:44 2000 -0500
From: Connie Sieh
Date: Thu, 27 Apr 2000 16:50:38 -0500
Subject: Re: the latest status and problems with odsmev (my linux box)
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov, dawson@fnal.gov

Margaret,

I think the system does an equivalent to ntpdate at bootup now.

-connie

On Thu, 27 Apr 2000, Margaret Votava wrote:

>
> Hi,
>
> Connie, Troy, see point #2 and #3
>
> Lauri didn't see anything obviously wrong with the ssh configuration
> files.  She suggested that reboot to start the servers cleanly.  I have
> and can now successfully telnet (with my cryptocard key) or slogin
> into my pc.  Here are the problems that I have encountered so far:
>
> 1) I cannot use my kerberos password at the console.  It asks for
>    an account name and password.  If I enter my kerberos password,
>    it then asks for my afs password (in fact, it will ask for my
>    afs password, no matter what password I enter), so I assume
>    that I am coming in through afs.  What should happen here?
>
> 2) I have disabled xntp (per the instructions).  My hardware clock
>    was about 45 minutes off.  I wasn't able to get any afs tokens
>    because my time was too skewed for AFS to deal with.  Ray suggested
>    that I put in ntpdate at system boottime to get my clock in sync
>    quickly.  I think this needs to be added to instructions somewhere -
>    or come with the Fermi installation.  Will the same problem happen
>    on our IRIX boxes now that we've disabled xntp?
>
> 3) I see various pam and gdm errors in /var/log/messages.  I don't really
>    understand these so I don't know if they are relevant.  I will
>    attach at the end.  I also don't believe that they happened before
>    I went into the realm.
> > Thanks, > Margaret > > > >From /var/log/messages: > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol > Apr 27 16:15:01 odsmev last message repeated 9 times > ... > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava. > password was incorrect > Apr 27 16:21:53 odsmev last message repeated 2 times > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by > (uid=0) > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0 > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file > /afs/fnal.gov/files/home/room3/votava/.Xauthority > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0 > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol > Apr 27 16:22:05 odsmev last message repeated 12 times > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by > LOGIN(uid=0) > From kreymer@fnal.gov Thu Apr 27 16:54:25 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA25356 for ; Thu, 27 Apr 2000 16:54:25 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQKF24ZE00001ED@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 27 Apr 2000 16:54:23 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000085F1@listserv.fnal.gov>; Thu, 27 Apr 2000 16:54:21 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18911 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Apr 2000 16:54:21 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000085F0@listserv.fnal.gov>; Thu, 27 Apr 2000 16:54:20 -0500 Received: 
from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQKF185DO0001SO@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Apr 2000 16:54:19 -0500 Date: Thu, 27 Apr 2000 16:54:19 -0500 From: Margaret Votava Subject: Re: the latest status and problems with odsmev (my linux box) Sender: owner-kerberos-pilot@listserv.fnal.gov To: Connie Sieh Cc: kerberos-pilot@fnal.gov, dawson@fnal.gov Message-id: <3908B70B.F9848F1@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 262 hi, no - that's why i saw the problem to begin with. i disabled xntp, and after a reboot, the clock was 45 minutes off. i couldn't get any afs tokens because the time difference was so great. ray says that it will take long time for afs itself to correct such a large time difference. thanks, margaret Connie Sieh wrote: > > Margaret, > > I think the system does a equivalent to ntpdate at bootup now. > > -connie > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > Hi, > > > > Connie, Troy, see point #2 and #3 > > > > Lauri didn't see anything obvoiusly wrong with the ssh configuration > > files. She suggested that reboot to start the servers cleanly. I have > > and can now successfully telnet (with my cryptocard key) or slogin > > into my pc. Here are the problems that I have encountered so far: > > > > 1) I cannot use my kerberos password at the console. It asks for > > an account name and password. If I enter my kerberos password, > > it then asks for my afs password (in fact, it will ask for my > > afs password, no matter what password I enter), so I assume > > that I am coming in through afs. What should happen here? > > > > 2) I have disabled xntp (per the instructions). 
My hardware clock > > was about 45 minutes off. I wasn't able to get any afs tokens > > because my time was too skewed for AFS to deal with. Ray suggested > > that I put in ntpdate at system boottime to get my clock in sync > > quickly. I think this needs to be added to instructions somewhere - > > or come with the Fermi installation. Will the same problem happen > > on our IRIX boxes now that we've disabled xntp? > > > > 3) I see various pam and gdm errors in /var/log/messages. I don't really > > understand these so I don't know if they are relevant. I will > > attach at the end. I also don't believe that they happened before > > I went into the realm. > > > > Thanks, > > Margaret > > > > > > >From /var/log/messages: > > > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded > > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol > > Apr 27 16:15:01 odsmev last message repeated 9 times > > ... > > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava. > > password was incorrect > > Apr 27 16:21:53 odsmev last message repeated 2 times > > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by > > (uid=0) > > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0 > > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file > > /afs/fnal.gov/files/home/room3/votava/.Xauthority > > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava > > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0 > > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol > > Apr 27 16:22:05 odsmev last message repeated 12 times > > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by > > LOGIN(uid=0) > > From kreymer@fnal.gov Thu Apr 27 17:01:39 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA25364 for ; Thu, 27 Apr 2000 17:01:39 -0500 Received: from listserv.fnal.gov 
([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQKO1IB2I0001RJ@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 27 Apr 2000 17:01:37 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008612@listserv.fnal.gov>; Thu, 27 Apr 2000 17:01:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18946 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Apr 2000 17:01:35 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008611@listserv.fnal.gov>; Thu, 27 Apr 2000 17:01:35 -0500 Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQKO0ACS80001RD@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 Apr 2000 17:01:33 -0500 Received: from localhost (csieh@localhost) by fsgi02.fnal.gov (980427.SGI.8.8.8/970903.SGI.AUTOCF) via ESMTP id RAA23899; Thu, 27 Apr 2000 17:01:32 -0500 (CDT) Date: Thu, 27 Apr 2000 17:01:32 -0500 From: Connie Sieh Subject: Re: the latest status and problems with odsmev (my linux box) In-reply-to: <3908B70B.F9848F1@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov, dawson@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 263 Margaret, When the system shuts down cleanly it puts its "software" time in the hwclock. When the system reboots it uses the time stored in the hwclock as the "software" time. Note the hwclock works even if the power is off as it has it's own battery. During the install of a system onsite I put the current time from the time servers into the hwclock so as to start it off close. 
If it gets way off during the "day" then one needs to change it manually if the time sync(ntp or afs) is not able to make such a large leap. -connie On Thu, 27 Apr 2000, Margaret Votava wrote: > > hi, > > no - that's why i saw the problem to begin with. i disabled > xntp, and after a reboot, the clock was 45 minutes off. > i couldn't get any afs tokens because the time difference > was so great. ray says that it will take long time for afs > itself to correct such a large time difference. > > thanks, > margaret > > Connie Sieh wrote: > > > > Margaret, > > > > I think the system does a equivalent to ntpdate at bootup now. > > > > -connie > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > Hi, > > > > > > Connie, Troy, see point #2 and #3 > > > > > > Lauri didn't see anything obvoiusly wrong with the ssh configuration > > > files. She suggested that reboot to start the servers cleanly. I have > > > and can now successfully telnet (with my cryptocard key) or slogin > > > into my pc. Here are the problems that I have encountered so far: > > > > > > 1) I cannot use my kerberos password at the console. It asks for > > > an account name and password. If I enter my kerberos password, > > > it then asks for my afs password (in fact, it will ask for my > > > afs password, no matter what password I enter), so I assume > > > that I am coming in through afs. What should happen here? > > > > > > 2) I have disabled xntp (per the instructions). My hardware clock > > > was about 45 minutes off. I wasn't able to get any afs tokens > > > because my time was too skewed for AFS to deal with. Ray suggested > > > that I put in ntpdate at system boottime to get my clock in sync > > > quickly. I think this needs to be added to instructions somewhere - > > > or come with the Fermi installation. Will the same problem happen > > > on our IRIX boxes now that we've disabled xntp? > > > > > > 3) I see various pam and gdm errors in /var/log/messages. 
I don't really > > > understand these so I don't know if they are relevant. I will > > > attach at the end. I also don't believe that they happened before > > > I went into the realm. > > > > > > Thanks, > > > Margaret > > > > > > > > > >From /var/log/messages: > > > > > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded > > > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol > > > Apr 27 16:15:01 odsmev last message repeated 9 times > > > ... > > > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava. > > > password was incorrect > > > Apr 27 16:21:53 odsmev last message repeated 2 times > > > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by > > > (uid=0) > > > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0 > > > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file > > > /afs/fnal.gov/files/home/room3/votava/.Xauthority > > > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava > > > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0 > > > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol > > > Apr 27 16:22:05 odsmev last message repeated 12 times > > > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by > > > LOGIN(uid=0) > > > > From kreymer@fnal.gov Thu Apr 27 17:23:06 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA25386 for ; Thu, 27 Apr 2000 17:23:06 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQLENPH5A0001ST@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 27 Apr 2000 17:23:05 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000862C@listserv.fnal.gov>; Thu, 27 Apr 2000 17:23:03 -0500 Received: from LISTSERV.FNAL.GOV by 
LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18972 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Apr 2000 17:23:03 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000862B@listserv.fnal.gov>; Thu, 27 Apr 2000 17:23:03 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQLELTGGE0001DY@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Thu, 27 Apr 2000 17:23:00 -0500 Date: Thu, 27 Apr 2000 17:23:00 -0500 From: Margaret Votava Subject: Re: the latest status and problems with odsmev (my linux box) Sender: owner-kerberos-pilot@listserv.fnal.gov To: Connie Sieh Cc: kerberos-pilot@fnal.gov, dawson@fnal.gov Message-id: <3908BDC4.708A44E5@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 264 Hi, That's not what the emperical evidence shows. The three times I rebooted today, I did a clean shutdown and the machine came up incorrectly (even after resetting the software time with the "date" command in between). It looks like it's an hour off - maybe some daylight savinges time thing since it is an hour afterall (I thought it was 45 minutes). You can see the entries in my messages file - The first two times I set the clock by hand and the afs syncs. The last time ntpdate corrects. Thanks, Margaret Apr 27 14:15:08 odsmev PAM_pwdb[1756]: (su) session opened for user votava2 by votava(uid=1103) Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via 131.225.68.49 in cell fnal.gov). Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via 131.225.68.49 in cell fnal.gov). 
Apr 27 15:15:48 odsmev PAM_pwdb[1756]: (su) session closed for user votava2 Apr 27 14:26:11 odsmev PAM_pwdb[1059]: (login) session opened for user votava by LOGIN(uid=0) Apr 27 14:27:05 odsmev PAM_pwdb[1396]: (su) session opened for user root by votava(uid=1103) Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via 131.225.68.49 in cell fnal.gov). Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via 131.225.68.49 in cell fnal.gov). Apr 27 15:27:43 odsmev PAM_pwdb[1396]: (su) session closed for user root and here xntp fixes it up: Apr 27 15:15:00 odsmev ntpdate: Syncing time for ntpdate Apr 27 16:14:54 odsmev ntpdate: 27 Apr 16:14:54 ntpdate[466]: step time server 131.225.8.120 offset 3594.101994 sec Apr 27 16:14:54 odsmev ntpdate: Apr 27 16:14:55 odsmev rc: Starting ntpdate succeeded Apr 27 16:14:56 odsmev ssh: sshd startup succeeded Connie Sieh wrote: > > Margaret, > > When the system shuts down cleanly it puts its "software" time in the > hwclock. When the system reboots it uses the time stored in the hwclock > as the "software" time. Note the hwclock works even if the power is off as > it has it's own battery. > > During the install of a system onsite I put the current time from the time > servers into the hwclock so as to start it off close. > > If it gets way off during the "day" then one needs to change it manually > if the time sync(ntp or afs) is not able to make such a large leap. > > -connie > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > hi, > > > > no - that's why i saw the problem to begin with. i disabled > > xntp, and after a reboot, the clock was 45 minutes off. > > i couldn't get any afs tokens because the time difference > > was so great. ray says that it will take long time for afs > > itself to correct such a large time difference. > > > > thanks, > > margaret > > > > Connie Sieh wrote: > > > > > > Margaret, > > > > > > I think the system does a equivalent to ntpdate at bootup now. 
> > > > > > -connie > > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > > > > Hi, > > > > > > > > Connie, Troy, see point #2 and #3 > > > > > > > > Lauri didn't see anything obvoiusly wrong with the ssh configuration > > > > files. She suggested that reboot to start the servers cleanly. I have > > > > and can now successfully telnet (with my cryptocard key) or slogin > > > > into my pc. Here are the problems that I have encountered so far: > > > > > > > > 1) I cannot use my kerberos password at the console. It asks for > > > > an account name and password. If I enter my kerberos password, > > > > it then asks for my afs password (in fact, it will ask for my > > > > afs password, no matter what password I enter), so I assume > > > > that I am coming in through afs. What should happen here? > > > > > > > > 2) I have disabled xntp (per the instructions). My hardware clock > > > > was about 45 minutes off. I wasn't able to get any afs tokens > > > > because my time was too skewed for AFS to deal with. Ray suggested > > > > that I put in ntpdate at system boottime to get my clock in sync > > > > quickly. I think this needs to be added to instructions somewhere - > > > > or come with the Fermi installation. Will the same problem happen > > > > on our IRIX boxes now that we've disabled xntp? > > > > > > > > 3) I see various pam and gdm errors in /var/log/messages. I don't really > > > > understand these so I don't know if they are relevant. I will > > > > attach at the end. I also don't believe that they happened before > > > > I went into the realm. > > > > > > > > Thanks, > > > > Margaret > > > > > > > > > > > > >From /var/log/messages: > > > > > > > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded > > > > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol > > > > Apr 27 16:15:01 odsmev last message repeated 9 times > > > > ... > > > > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava. 
> > > > password was incorrect > > > > Apr 27 16:21:53 odsmev last message repeated 2 times > > > > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by > > > > (uid=0) > > > > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0 > > > > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file > > > > /afs/fnal.gov/files/home/room3/votava/.Xauthority > > > > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava > > > > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0 > > > > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol > > > > Apr 27 16:22:05 odsmev last message repeated 12 times > > > > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by > > > > LOGIN(uid=0) > > > > > > From kreymer@fnal.gov Thu Apr 27 17:27:48 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA25390 for ; Thu, 27 Apr 2000 17:27:48 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQLKHG1R20001RR@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 27 Apr 2000 17:27:46 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000862E@listserv.fnal.gov>; Thu, 27 Apr 2000 17:27:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18974 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Apr 2000 17:27:44 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000862D@listserv.fnal.gov>; Thu, 27 Apr 2000 17:27:44 -0500 Received: from fsgi02.fnal.gov ([131.225.68.15]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOQLKFBYV60001RD@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 27 
Apr 2000 17:27:41 -0500 Received: from localhost (csieh@localhost) by fsgi02.fnal.gov (980427.SGI.8.8.8/970903.SGI.AUTOCF) via ESMTP id RAA24801; Thu, 27 Apr 2000 17:27:40 -0500 (CDT) Date: Thu, 27 Apr 2000 17:27:40 -0500 From: Connie Sieh Subject: Re: the latest status and problems with odsmev (my linux box) In-reply-to: <3908BDC4.708A44E5@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov, dawson@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 265 Margaret, That may be a timezone thing. Let me find out where it stores that. -connie On Thu, 27 Apr 2000, Margaret Votava wrote: > > > Hi, > > That's not what the emperical evidence shows. The three times I rebooted > today, I did a clean shutdown and the machine came up incorrectly (even after > resetting the software time with the "date" command in between). It looks > like it's an hour off - maybe some daylight savinges time thing since it > is an hour afterall (I thought it was 45 minutes). > > You can see the entries in my messages file - The first two times I set the > clock by hand and the afs syncs. The last time ntpdate corrects. > > Thanks, > Margaret > > > Apr 27 14:15:08 odsmev PAM_pwdb[1756]: (su) session opened for user votava2 by > votava(uid=1103) > Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via > 131.225.68.49 in cell fnal.gov). > Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via > 131.225.68.49 in cell fnal.gov). > Apr 27 15:15:48 odsmev PAM_pwdb[1756]: (su) session closed for user votava2 > > > Apr 27 14:26:11 odsmev PAM_pwdb[1059]: (login) session opened for user votava by > LOGIN(uid=0) > Apr 27 14:27:05 odsmev PAM_pwdb[1396]: (su) session opened for user root by > votava(uid=1103) > Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via > 131.225.68.49 in cell fnal.gov). 
> Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via > 131.225.68.49 in cell fnal.gov). > Apr 27 15:27:43 odsmev PAM_pwdb[1396]: (su) session closed for user root > > > and here xntp fixes it up: > > Apr 27 15:15:00 odsmev ntpdate: Syncing time for ntpdate > Apr 27 16:14:54 odsmev ntpdate: 27 Apr 16:14:54 ntpdate[466]: step time server > 131.225.8.120 offset 3594.101994 sec > Apr 27 16:14:54 odsmev ntpdate: > Apr 27 16:14:55 odsmev rc: Starting ntpdate succeeded > Apr 27 16:14:56 odsmev ssh: sshd startup succeeded > > > > Connie Sieh wrote: > > > > Margaret, > > > > When the system shuts down cleanly it puts its "software" time in the > > hwclock. When the system reboots it uses the time stored in the hwclock > > as the "software" time. Note the hwclock works even if the power is off as > > it has it's own battery. > > > > During the install of a system onsite I put the current time from the time > > servers into the hwclock so as to start it off close. > > > > If it gets way off during the "day" then one needs to change it manually > > if the time sync(ntp or afs) is not able to make such a large leap. > > > > -connie > > > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > hi, > > > > > > no - that's why i saw the problem to begin with. i disabled > > > xntp, and after a reboot, the clock was 45 minutes off. > > > i couldn't get any afs tokens because the time difference > > > was so great. ray says that it will take long time for afs > > > itself to correct such a large time difference. > > > > > > thanks, > > > margaret > > > > > > Connie Sieh wrote: > > > > > > > > Margaret, > > > > > > > > I think the system does a equivalent to ntpdate at bootup now. > > > > > > > > -connie > > > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > > > > > > > Hi, > > > > > > > > > > Connie, Troy, see point #2 and #3 > > > > > > > > > > Lauri didn't see anything obvoiusly wrong with the ssh configuration > > > > > files. 
She suggested that reboot to start the servers cleanly. I have > > > > > and can now successfully telnet (with my cryptocard key) or slogin > > > > > into my pc. Here are the problems that I have encountered so far: > > > > > > > > > > 1) I cannot use my kerberos password at the console. It asks for > > > > > an account name and password. If I enter my kerberos password, > > > > > it then asks for my afs password (in fact, it will ask for my > > > > > afs password, no matter what password I enter), so I assume > > > > > that I am coming in through afs. What should happen here? > > > > > > > > > > 2) I have disabled xntp (per the instructions). My hardware clock > > > > > was about 45 minutes off. I wasn't able to get any afs tokens > > > > > because my time was too skewed for AFS to deal with. Ray suggested > > > > > that I put in ntpdate at system boottime to get my clock in sync > > > > > quickly. I think this needs to be added to instructions somewhere - > > > > > or come with the Fermi installation. Will the same problem happen > > > > > on our IRIX boxes now that we've disabled xntp? > > > > > > > > > > 3) I see various pam and gdm errors in /var/log/messages. I don't really > > > > > understand these so I don't know if they are relevant. I will > > > > > attach at the end. I also don't believe that they happened before > > > > > I went into the realm. > > > > > > > > > > Thanks, > > > > > Margaret > > > > > > > > > > > > > > > >From /var/log/messages: > > > > > > > > > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded > > > > > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol > > > > > Apr 27 16:15:01 odsmev last message repeated 9 times > > > > > ... > > > > > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava. 
> > > > > password was incorrect > > > > > Apr 27 16:21:53 odsmev last message repeated 2 times > > > > > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by > > > > > (uid=0) > > > > > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0 > > > > > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file > > > > > /afs/fnal.gov/files/home/room3/votava/.Xauthority > > > > > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava > > > > > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0 > > > > > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol > > > > > Apr 27 16:22:05 odsmev last message repeated 12 times > > > > > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by > > > > > LOGIN(uid=0) > > > > > > > > > From kreymer@fnal.gov Fri Apr 28 09:25:33 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA07029 for ; Fri, 28 Apr 2000 09:25:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORJ0SU9A000025J@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 28 Apr 2000 09:25:27 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008AFB@listserv.fnal.gov>; Fri, 28 Apr 2000 09:25:23 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20337 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Apr 2000 09:25:23 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008AFA@listserv.fnal.gov>; Fri, 28 Apr 2000 09:25:23 -0500 Received: from thebrain.fnal.gov ([131.225.80.75]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORJ0PFE3O00025I@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT 
rfc822;kerberos-pilot@fnal.gov); Fri, 28 Apr 2000 09:25:19 -0500 Received: from fnal.gov (localhost.localdomain [127.0.0.1]) by thebrain.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA23556; Fri, 28 Apr 2000 09:25:18 -0500 Date: Fri, 28 Apr 2000 09:25:18 -0500 From: Troy Dawson Subject: Re: the latest status and problems with odsmev (my linux box) Sender: owner-kerberos-pilot@listserv.fnal.gov To: Connie Sieh Cc: Margaret Votava , kerberos-pilot@fnal.gov Message-id: <39099F4E.AD8D326D@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.72 [en] (X11; U; Linux 2.2.14-5.0smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 266 Howdy, This is a problem that I and Lisa were having on our machines. When they rebooted, the clock went back an hour (it might have been 45 minutes, I don't know). If we just let our machines sit for about 20 minutes, afs would sync our clocks up with the AFS servers. I found that our timezones were both set to eastern time by doing the setup (linux setup, not UPD setup) command. Since this only happened when we rebooted, it wasn't to big of a deal, and other work needed to be done. I haven't tested to see if my changing the timezone fixed it because I've never rebooted either machine. As far as the PAM stuff goes, what afs-fermi and afs-pam rpm's do you have installed, and how do you want to do you logins. Do you want them to automatically get you an AFS token, or do you prefer to just do klog. And how does your cluster do it's passwords, with NIS, or strictly AFS? Troy Connie Sieh wrote: > > Margaret, > > That may be a timezone thing. Let me find out where it stores that. > > -connie > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > Hi, > > > > That's not what the emperical evidence shows. 
The three times I rebooted > > today, I did a clean shutdown and the machine came up incorrectly (even after > > resetting the software time with the "date" command in between). It looks > > like it's an hour off - maybe some daylight savinges time thing since it > > is an hour afterall (I thought it was 45 minutes). > > > > You can see the entries in my messages file - The first two times I set the > > clock by hand and the afs syncs. The last time ntpdate corrects. > > > > Thanks, > > Margaret > > > > > > Apr 27 14:15:08 odsmev PAM_pwdb[1756]: (su) session opened for user votava2 by > > votava(uid=1103) > > Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via > > 131.225.68.49 in cell fnal.gov). > > Apr 27 15:15:35 odsmev kernel: afs: setting clock ahead 95 seconds (via > > 131.225.68.49 in cell fnal.gov). > > Apr 27 15:15:48 odsmev PAM_pwdb[1756]: (su) session closed for user votava2 > > > > > > Apr 27 14:26:11 odsmev PAM_pwdb[1059]: (login) session opened for user votava by > > LOGIN(uid=0) > > Apr 27 14:27:05 odsmev PAM_pwdb[1396]: (su) session opened for user root by > > votava(uid=1103) > > Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via > > 131.225.68.49 in cell fnal.gov). > > Apr 27 15:27:37 odsmev kernel: afs: setting clock ahead 97 seconds (via > > 131.225.68.49 in cell fnal.gov). > > Apr 27 15:27:43 odsmev PAM_pwdb[1396]: (su) session closed for user root > > > > > > and here xntp fixes it up: > > > > Apr 27 15:15:00 odsmev ntpdate: Syncing time for ntpdate > > Apr 27 16:14:54 odsmev ntpdate: 27 Apr 16:14:54 ntpdate[466]: step time server > > 131.225.8.120 offset 3594.101994 sec > > Apr 27 16:14:54 odsmev ntpdate: > > Apr 27 16:14:55 odsmev rc: Starting ntpdate succeeded > > Apr 27 16:14:56 odsmev ssh: sshd startup succeeded > > > > > > > > Connie Sieh wrote: > > > > > > Margaret, > > > > > > When the system shuts down cleanly it puts its "software" time in the > > > hwclock. 
When the system reboots it uses the time stored in the hwclock > > > as the "software" time. Note the hwclock works even if the power is off as > > > it has it's own battery. > > > > > > During the install of a system onsite I put the current time from the time > > > servers into the hwclock so as to start it off close. > > > > > > If it gets way off during the "day" then one needs to change it manually > > > if the time sync(ntp or afs) is not able to make such a large leap. > > > > > > -connie > > > > > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > > > > hi, > > > > > > > > no - that's why i saw the problem to begin with. i disabled > > > > xntp, and after a reboot, the clock was 45 minutes off. > > > > i couldn't get any afs tokens because the time difference > > > > was so great. ray says that it will take long time for afs > > > > itself to correct such a large time difference. > > > > > > > > thanks, > > > > margaret > > > > > > > > Connie Sieh wrote: > > > > > > > > > > Margaret, > > > > > > > > > > I think the system does a equivalent to ntpdate at bootup now. > > > > > > > > > > -connie > > > > > On Thu, 27 Apr 2000, Margaret Votava wrote: > > > > > > > > > > > > > > > > > Hi, > > > > > > > > > > > > Connie, Troy, see point #2 and #3 > > > > > > > > > > > > Lauri didn't see anything obvoiusly wrong with the ssh configuration > > > > > > files. She suggested that reboot to start the servers cleanly. I have > > > > > > and can now successfully telnet (with my cryptocard key) or slogin > > > > > > into my pc. Here are the problems that I have encountered so far: > > > > > > > > > > > > 1) I cannot use my kerberos password at the console. It asks for > > > > > > an account name and password. If I enter my kerberos password, > > > > > > it then asks for my afs password (in fact, it will ask for my > > > > > > afs password, no matter what password I enter), so I assume > > > > > > that I am coming in through afs. What should happen here? 
> > > > > >
> > > > > > 2) I have disabled xntp (per the instructions). My hardware clock
> > > > > > was about 45 minutes off. I wasn't able to get any afs tokens
> > > > > > because my time was too skewed for AFS to deal with. Ray suggested
> > > > > > that I put in ntpdate at system boottime to get my clock in sync
> > > > > > quickly. I think this needs to be added to instructions somewhere -
> > > > > > or come with the Fermi installation. Will the same problem happen
> > > > > > on our IRIX boxes now that we've disabled xntp?
> > > > > >
> > > > > > 3) I see various pam and gdm errors in /var/log/messages. I don't really
> > > > > > understand these so I don't know if they are relevant. I will
> > > > > > attach at the end. I also don't believe that they happened before
> > > > > > I went into the realm.
> > > > > >
> > > > > > Thanks,
> > > > > > Margaret
> > > > > >
> > > > > > From /var/log/messages:
> > > > > >
> > > > > > Apr 27 16:15:00 odsmev gpm: gpm startup succeeded
> > > > > > Apr 27 16:15:01 odsmev gpm[662]: Error in protocol
> > > > > > Apr 27 16:15:01 odsmev last message repeated 9 times
> > > > > > ...
> > > > > > Apr 27 16:21:50 odsmev pam_afs: AFS Authentication failed for user votava.
> > > > > > password was incorrect
> > > > > > Apr 27 16:21:53 odsmev last message repeated 2 times
> > > > > > Apr 27 16:21:53 odsmev PAM_pwdb[713]: (gdm) session opened for user votava by (uid=0)
> > > > > > Apr 27 16:21:53 odsmev gdm[713]: gdm_slave_session_start: votava on :0
> > > > > > Apr 27 16:22:02 odsmev gdm[713]: gdm_auth_user_add: Could not lock cookie file /afs/fnal.gov/files/home/room3/votava/.Xauthority
> > > > > > Apr 27 16:22:02 odsmev PAM_pwdb[713]: (gdm) session closed for user votava
> > > > > > Apr 27 16:22:02 odsmev gdm[702]: gdm_child_action: Aborting display :0
> > > > > > Apr 27 16:22:05 odsmev gpm[662]: Error in protocol
> > > > > > Apr 27 16:22:05 odsmev last message repeated 12 times
> > > > > > Apr 27 16:22:10 odsmev PAM_pwdb[696]: (login) session opened for user votava by LOGIN(uid=0)
> > > > > >

--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab Computing Division/OSS CSS Group
__________________________________________________

From kreymer@fnal.gov Fri Apr 28 11:45:16 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA10833 for ; Fri, 28 Apr 2000 11:45:16 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORNW1IPVM0001RO@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 28 Apr 2000 11:45:11 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008CBA@listserv.fnal.gov>; Fri, 28 Apr 2000 11:45:07 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20858 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Apr 2000 11:45:07 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008CB9@listserv.fnal.gov>;
Fri, 28 Apr 2000 11:45:07 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORNVYWL9E00025Q@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Apr 2000 11:45:04 -0500 Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id LAA26511; Fri, 28 Apr 2000 11:45:03 -0500 (CDT) Date: Fri, 28 Apr 2000 11:45:03 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: logging in on the console of a kerberized machine Sender: owner-kerberos-pilot@listserv.fnal.gov To: votava@fnal.gov Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200004281645.LAA26511@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 267

Margaret,

The way things are designed at the present, you do NOT automatically get tickets when you log in at the console. In other words, you log in to your local account, and then you must

    kinit

to get your kerberos tickets.

It won't matter whether your kerberos password is the same as your NIS and/or AFS password -- and, in fact, IT SHOULD NOT BE THE SAME.

When Matt Crawford returns (middle of May) we can discuss what options there may be to automatically get kerberos tickets as part of logging in to the console (and whether or not you really want that, since it might imply that you cannot use your workstation AT ALL, even locally, if the KDC is down, etc.).
-- lauri From kreymer@fnal.gov Fri Apr 28 11:53:59 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA10856 for ; Fri, 28 Apr 2000 11:53:59 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORO7PQ6GY0001S5@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 28 Apr 2000 11:53:57 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008CC8@listserv.fnal.gov>; Fri, 28 Apr 2000 11:53:45 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20874 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Apr 2000 11:53:44 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008CC5@listserv.fnal.gov>; Fri, 28 Apr 2000 11:53:44 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORO7LAGNM00025T@FNAL.FNAL.GOV>; Fri, 28 Apr 2000 11:53:39 -0500 Date: Fri, 28 Apr 2000 11:53:38 -0500 From: Margaret Votava Subject: Re: logging in on the console of a kerberized machine Sender: owner-kerberos-pilot@listserv.fnal.gov To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov, cdlibrary@fnal.gov Message-id: <3909C212.CD8604A9@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200004281645.LAA26511@fsui03.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 268 ok. the documentation (gg0019) in section 6.2 is wrong then. it says that if my desktop is in the strengthened realm, i log in with my kerberos password and will get my ticket granting ticket automatically. 
thanks, margaret "Laurelin of Middle Earth, 630-840-2214" wrote: > > Margaret, > > The way things are designed at the present, you do NOT automatically > get tickets when you log in at the console. In other words, you log > in to your local account, and then you must > > kinit > > to get your kerberos tickets. > > It won't matter whether your kerberos password is the same as your > NIS and/or AFS password -- and, in fact, IT SHOULD NOT BE THE SAME. > > When Matt Crawford returns (middle of May) we can discuss what > options there may be to automatically get kerberos tickets as part > of logging in to the console (and whether or not you really want > that, since it might imply that you cannot use your workstation AT > ALL, even locally, if the KDC is down, etc.). > > -- lauri From kreymer@fnal.gov Fri Apr 28 12:29:23 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA10887 for ; Fri, 28 Apr 2000 12:29:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORPFUWOG60001RM@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 28 Apr 2000 12:29:21 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008D08@listserv.fnal.gov>; Fri, 28 Apr 2000 12:29:20 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20941 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Apr 2000 12:29:20 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00008D07@listserv.fnal.gov>; Fri, 28 Apr 2000 12:29:20 -0500 Received: from physics.ucla.edu ([128.97.23.13]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JORPFU20MA0001S4@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 28 Apr 2000 12:29:19 -0500 Received: 
from [128.97.22.48] (mahal [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id KAA14182 for ; Fri, 28 Apr 2000 10:26:27 -0700 (PDT) Date: Fri, 28 Apr 2000 10:29:17 -0700 From: Benn Tannenbaum Subject: Using Macs with Kerberos & laptop questions In-reply-to: <200004281645.LAA26511@fsui03.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: owner-kerberos-pilot@listserv.fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 269 I've got a couple of Macs that I use. I'd like to be able to connect, via them, to the strengthened realms. I've seen plenty of Linux and PC discussion, but no Mac discussion. Are we excluded? I really hope not. I went to my favorite search engine and typed in 'macintosh kerberos' and got quite a few hits. One of the returned links was to an MIT authentication manager, and another was to a U. Michigan authentication manager. I installed the U. Michigan Auth. Manager. I then tried to connect directly from my mac to a strengthened computer at FNAL, fcdfsgi2.fnal.gov. No luck. I tried typing in my regular password and my kerberos password. Nothing. Has anyone else been successful in connecting a Mac? I know there are plenty of other Mac users at the lab (Chris Quigg showed up here with one yesterday) and I would be extremely disappointed if we were simply excluded. The present solution is to connect to a unix machine here and then connect to fermilab-- but I can't do that directly since my machine here only runs ssh. So, to log into fcdfsgi2.fnal.gov from my mac (either laptop at work or desktop at home) I telnet to my workstation, then ssh to cdfsga, and then ssh to fcdfsgi2. That seems rather ridiculous to me. What happens if cdfsga is down? I can't connect, which means I can't develop software. My other question is one of laptops. 
I bring it to the lab. How does it get strengthened? How do I connect to machines at the lab? Do I have to telnet out to my machine at UCLA and then ssh back to the machines at FNAL? Finally, why are we simply not using ssh? It works, is installed on unix machines everywhere, and is essentially transparent to the user. I will be at the lab 15-19 May and would be happy to help in some on-site testing of Mac software. -Benn From kreymer@fnal.gov Mon May 1 16:06:23 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA32141 for ; Mon, 1 May 2000 16:06:22 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOW3VWXGS40003AV@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Mon, 1 May 2000 16:06:20 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00009E2E@listserv.fnal.gov>; Mon, 01 May 2000 16:06:19 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25624 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 01 May 2000 16:06:19 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00009E2C@listserv.fnal.gov>; Mon, 01 May 2000 16:06:18 -0500 Received: from CUERVO ([131.225.81.19]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JOW3VVLGHU0003CI@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 01 May 2000 16:06:17 -0500 Date: Mon, 01 May 2000 16:06:17 -0500 From: "Mark O. 
Kaletka" Subject: RE: Using Macs with Kerberos & laptop questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 270

You need to be sure that the Mac client software supports Kerberos v5, not just v4. Also, be sure the configuration of the authentication client is pointing correctly at the FNAL KDCs, is using the correct default realm, etc. (see KRB5.CONF, for e.g.).

MIT have a distribution for Mac Kerberos which includes software to obtain and manage v5 tickets, and a Kerberos v5 version of the Fetch ftp client, but mentions nothing about telnet. Start from http://web.mit.edu/network/kerberos-form.html and answer the "three questions" to get to the software distribution page.

The alternative is to use a standard non-Kerberos telnet client and a CryptoCard. This would allow you direct telnet into FCDFSGI2 with no other special software. (P.s. if you need a CryptoCard, send me an email.)

We're not at the moment investing resources in Mac Kerberos software but would be very happy to pass on experiences and lend a hand to anyone willing to pioneer it. We don't want to leave Macs out in the cold but they are also not at the top of the list right now (being not-too-brutally frank).

The answer to the laptop question depends on the OS you're running on it, but to first approximation, if you're only running clients, there is no problem at all. You can either use a non-Kerberos telnet client and a CryptoCard, or install the Kerberos v5 clients on the laptop. The only hitch is that if your IP address changes (e.g. you log on through a different ISP, or DHCP obtains a different address for some reason), any tickets you held with the old address are no longer valid.

If you're running Linux on a laptop and you want to offer Kerberos services, you'll need to do it at a fixed address with host principals valid for that address. Hmmm, this raises an interesting question for systems with multiple IP addresses, which I'll have to research.

P.p.s. feel free to give me a call when you're next at FNAL...

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Benn
> Tannenbaum
> Sent: Friday, April 28, 2000 12:29 PM
> To: owner-kerberos-pilot@listserv.fnal.gov
> Cc: kerberos-pilot@fnal.gov
> Subject: Using Macs with Kerberos & laptop questions
>
>
> I've got a couple of Macs that I use. I'd like to be able to connect, via
> them, to the strengthened realms. I've seen plenty of Linux and PC
> discussion, but no Mac discussion. Are we excluded? I really hope not.
>
> I went to my favorite search engine and typed in 'macintosh kerberos' and
> got quite a few hits. One of the returned links was to an MIT authentication
> manager, and another was to a U. Michigan authentication manager. I
> installed the U. Michigan Auth. Manager. I then tried to connect directly
> from my mac to a strengthened computer at FNAL, fcdfsgi2.fnal.gov.
>
> No luck. I tried typing in my regular password and my kerberos password.
> Nothing.
>
> Has anyone else been successful in connecting a Mac? I know there are plenty
> of other Mac users at the lab (Chris Quigg showed up here with one
> yesterday) and I would be extremely disappointed if we were simply excluded.
> The present solution is to connect to a unix machine here and then connect
> to fermilab-- but I can't do that directly since my machine here only runs
> ssh. So, to log into fcdfsgi2.fnal.gov from my mac (either laptop at work or
> desktop at home) I telnet to my workstation, then ssh to cdfsga, and then
> ssh to fcdfsgi2. That seems rather ridiculous to me. What happens if cdfsga
> is down? I can't connect, which means I can't develop software.
>
> My other question is one of laptops. I bring it to the lab. How does it get
> strengthened? How do I connect to machines at the lab? Do I have to telnet
> out to my machine at UCLA and then ssh back to the machines at FNAL?
> Finally, why are we simply not using ssh? It works, is installed on unix
> machines everywhere, and is essentially transparent to the user.
>
> I will be at the lab 15-19 May and would be happy to help in some on-site
> testing of Mac software.
>
> -Benn
>

From kreymer@fnal.gov Wed May 3 11:39:40 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA04440 for ; Wed, 3 May 2000 11:39:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYN5XXEHG0004DI@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 11:39:39 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AE74@listserv.fnal.gov>; Wed, 03 May 2000 11:39:37 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 30083 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 11:39:37 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AE72@listserv.fnal.gov>; Wed, 03 May 2000 11:39:37 -0500 Received: from dot.phys.unm.edu ([198.59.169.98]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYN5W7F9K0004RV@FNAL.FNAL.GOV>; Wed, 03 May 2000 11:39:35 -0500 Received: from dot.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu
(8.9.3/8.9.3) with ESMTP id LAA28109; Wed, 03 May 2000 11:39:33 -0600 Date: Wed, 03 May 2000 11:39:33 -0600 From: Michael Gold Subject: kerberos Sender: owner-kerberos-pilot@listserv.fnal.gov To: compdiv@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200005031739.LAA28109@dot.phys.unm.edu> MIME-version: 1.0 X-Mailer: exmh version 2.0.3 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 271 on my machine (dot.phys.unm.edu) I have installed kerberos from MIT (krb5-1.2-beta1) when i do kinit i get dot 236# kinit kinit(v5): Password has expired while getting initial credentials i don't know my kerberos password on fcdfsgi2. can you reset it for me? From kreymer@fnal.gov Wed May 3 11:39:49 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA04448 for ; Wed, 3 May 2000 11:39:49 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYN639QLQ0003D5@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 11:39:47 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AE7B@listserv.fnal.gov>; Wed, 03 May 2000 11:39:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 30092 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 11:39:44 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AE79@listserv.fnal.gov>; Wed, 03 May 2000 11:39:44 -0500 Received: from dot.phys.unm.edu ([198.59.169.98]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYN60BXWC0004KC@FNAL.FNAL.GOV>; Wed, 03 May 2000 11:39:41 -0500 Received: from dot.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id LAA28161; Wed, 03 May 2000 11:39:38 -0600 Date: Wed, 03 May 2000 11:39:38 
-0600 From: Michael Gold Subject: kerberos Sender: owner-kerberos-pilot@listserv.fnal.gov To: compdiv@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200005031739.LAA28161@dot.phys.unm.edu> MIME-version: 1.0 X-Mailer: exmh version 2.0.3 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 272 on my machine (dot.phys.unm.edu) I have installed kerberos from MIT (krb5-1.2-beta1) when i do kinit i get dot 236# kinit kinit(v5): Password has expired while getting initial credentials i don't know my kerberos password on fcdfsgi2. can you reset it for me? -- Michael Gold Department of Physics and Astronomy University of New Mexico Albuquerque, NM 87131 phone: 505-277-2086, 505-277-3604 fax: 505-277-1520 email: mgold@unm.edu From kreymer@fnal.gov Wed May 3 11:59:46 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA04458 for ; Wed, 3 May 2000 11:59:46 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYNUSX7P80004RN@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 11:59:43 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AEBF@listserv.fnal.gov>; Wed, 03 May 2000 11:59:39 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 30161 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 11:59:39 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000AEBE@listserv.fnal.gov>; Wed, 03 May 2000 11:59:39 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYNUPJUZQ0004K9@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 03 May 2000 11:59:36 -0500 Received: from localhost (compdiv@localhost) 
by fsui02.fnal.gov (8.8.8+Sun/8.8.8) with ESMTP id LAA15609; Wed, 03 May 2000 11:59:31 -0500 (CDT) Date: Wed, 03 May 2000 11:59:31 -0500 (CDT) From: Yolanda Valadez Subject: Re: kerberos In-reply-to: <200005031739.LAA28161@dot.phys.unm.edu> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Gold Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: compdiv owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 273

you need to call me or come by my office to get your kerberos principal password. I suggest you read about kerberos and fcdfsgi2 at url:

http://cdfsga/offline/runii/fcdfsgi2/krb5_quickstart.html
http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/

p.s. my phone is 840-8118

On Wed, 3 May 2000, Michael Gold wrote:

> on my machine (dot.phys.unm.edu) I have installed kerberos
> from MIT (krb5-1.2-beta1)
>
> when i do kinit i get
>
> dot 236# kinit
> kinit(v5): Password has expired while getting initial credentials
>
>
> i don't know my kerberos password on fcdfsgi2. can you reset it
> for me?
> > > -- > Michael Gold > Department of Physics and Astronomy > University of New Mexico > Albuquerque, NM 87131 > phone: 505-277-2086, 505-277-3604 > fax: 505-277-1520 > email: mgold@unm.edu > From kreymer@fnal.gov Wed May 3 14:11:34 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA04534 for ; Wed, 3 May 2000 14:11:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYSE7P5G60004SW@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 14:11:30 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B0A4@listserv.fnal.gov>; Wed, 03 May 2000 14:09:47 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 30747 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 14:09:47 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B0A3@listserv.fnal.gov>; Wed, 03 May 2000 14:09:47 -0500 Received: from dot.phys.unm.edu ([198.59.169.98]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYSEW9Y2K00040K@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 03 May 2000 14:09:38 -0500 Received: from dot.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id OAA29402; Wed, 03 May 2000 14:09:34 -0600 Date: Wed, 03 May 2000 14:09:34 -0600 From: Michael Gold Subject: kinit Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: gold@dot.phys.unm.edu Message-id: <200005032009.OAA29402@dot.phys.unm.edu> MIME-version: 1.0 X-Mailer: exmh version 2.0.3 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 274 now that I have a kerberos password i get a bit further. 
still there is a problem, however.

dot 254# kinit
Password for gold@PILOT.FNAL.GOV:
kinit(v5): Preauthentication failed while getting initial credentials
dot 255#

--
Michael Gold
Department of Physics and Astronomy
University of New Mexico
Albuquerque, NM 87131
phone: 505-277-2086, 505-277-3604
fax: 505-277-1520
email: mgold@unm.edu

From kreymer@fnal.gov Wed May 3 14:52:31 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA04560 for ; Wed, 3 May 2000 14:52:31 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYTVZCRSK00040L@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 14:52:27 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B11A@listserv.fnal.gov>; Wed, 03 May 2000 14:52:25 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 30867 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 14:52:25 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B119@listserv.fnal.gov>; Wed, 03 May 2000 14:52:24 -0500 Received: from CUERVO ([131.225.81.19]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JOYTVXSG0C0003LX@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 03 May 2000 14:52:22 -0500 Date: Wed, 03 May 2000 14:52:22 -0500 From: "Mark O.
Kaletka" Subject: RE: kinit In-reply-to: <200005032009.OAA29402@dot.phys.unm.edu> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Gold , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 275

This means either a) you still have the wrong password (seems unlikely); or, b) your system's clock is more than 5 minutes off synch from the key distribution center's clock. Kerberos uses an encrypted timestamp to prevent replay attacks in the initial authentication exchange.

You should try resetting your system clock accurately (better yet, use ntp or xntp to synch it automatically to a known good time source) and also check your time zone setting.

If your system clock looks correct and you still have a problem, we'll have to try a different password again...

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Michael Gold
> Sent: Wednesday, May 03, 2000 3:10 PM
> To: kerberos-pilot@fnal.gov
> Cc: gold@dot.phys.unm.edu
> Subject: kinit
>
>
> now that I have a kerberos password i get a bit further. still there
> is a problem, however.
>
> dot 254# kinit
> Password for gold@PILOT.FNAL.GOV:
> kinit(v5): Preauthentication failed while getting initial credentials
> dot 255#
>
>
> --
> Michael Gold
> Department of Physics and Astronomy
> University of New Mexico
> Albuquerque, NM 87131
> phone: 505-277-2086, 505-277-3604
> fax: 505-277-1520
> email: mgold@unm.edu
>

From kreymer@fnal.gov Wed May 3 16:50:29 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id QAA04664 for ; Wed, 3 May 2000 16:50:29 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOYY18REWW0004TP@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 16:50:27 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B246@listserv.fnal.gov>; Wed, 03 May 2000 16:50:24 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 31180 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 16:50:24 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B245@listserv.fnal.gov>; Wed, 03 May 2000 16:50:24 -0500 Received: from CUERVO ([131.225.81.19]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JOYY16F5920004TR@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 03 May 2000 16:50:22 -0500 Date: Wed, 03 May 2000 16:50:21 -0500 From: "Mark O.
Kaletka" Subject: RE: Comments from Italy to Strong Authentication Project In-reply-to: <38FD8C26.E3A91A61@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: Kerberos Pilot Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset="us-ascii" Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 276 Stefano -- Here's the reply I promised which you've probably by now thought I'd forgotten! I've tried to give you thorough answers to your technical points, and hopefully these will help reduce your fears about the possible impacts of the strong authentication project. I'm very interested in continuing the dialogue on the concerns you've raised, so if there are any points that need clarification, or issues I've missed, please let me know. The kerberos-pilot mailing list is the right place for discussion of these kinds of technical issues. Thanks very much for your patience. By the way, the next time you're at Fermilab please be sure to stop by! -- Mark K. > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Stefano > Belforte > Sent: Wednesday, April 19, 2000 5:36 AM > To: kerberos-pilot@fnal.gov > Cc: Marg Shapiro; Amidei Dan; Robert Harris; Franco Bedeschi; > goshaw@fnal.gov; bellettini giorgio > Subject: Comments from Italy to Strong Authentication Project >...snip...< > 1) the stated goal of the project is to avoid clear text > transmission of passwords. So.. why is not ssh good enough ? > It appears to be sufficient for every other laboratory. > Fermilab has not even enforced ssh till now. 
Ssh is very > simple to use and available everywhere, why not start from > this simple step and go all the way to a sophisticated > kerberized system only if really needed ? This is the question we're asked more than any other... Avoiding exposure of cleartext passwords on the network is the primary goal of the project, however, there are also secondary goals. These include, for e.g: - providing a single-signon environment; - integrating AFS accounts & systems; - simplifing account management; - enforcing password policies; ssh does not readily address these secondary goals, whereas Kerberos does. We're also trying to avoid the situation of "illusory security" which can occur with ssh when encryption isn't rigorously enforced end-to-end. A user (say, at a university) at an X terminal who logs into a server over a clear connection and then ssh's to Fermilab, compromises Fermilab since the traffic between the X terminal and the local server can be sniffed. There is no practical way that Fermilab can detect or prevent this situation in ssh. ssh also presents the problem that passwords and/or RSA private keys are stored locally on systems. If a system is root compromised, the password file can still be cracked or the RSA private keys stolen. In Kerberos, all the "secrets" are maintained in one well-secured place, the key distribution center, so that if any system is compromised, the Kerberos passwords are safe. Further, with ssh users must maintain passswords and/or keys on many different systems. With Kerberos the password is only maintained in one place and can easily be changed (or disabled, if needed). > 2) Similarly, since the goal is to avoid clear text > password, why do you not want to allow my local workstation > to use kerberos to connect to FNAL, while still running an > ssh server to allow myself to connect to it from other nodes > in my institution ? This is one area where we've had quite a lot of forceful input from our collaborating institutions. 
Ideally, of course, we'd like the whole world to be Kerberized (yeah, right :-) In practical terms I think we have to accommodate the situation you're describing. We're ready to propose that remote non-Fermilab strengthened systems be allowed to run ssh servers:

- the clear-text non-Kerberized versions of telnet, ftp and r-commands are disabled on the remote systems (as they will be for Fermilab Kerberized systems)
- remote sites have a clear and strong security policy which prohibits the "illusory security" of using ssh over a partially clear-text connection.

> 3) It looks like in this project you do not simply want to make
> sure that connection from user stefano.belforte@ts.infn.it
> is indeed someone who logged in Trieste, Italy on an INFN
> computer with username Stefano.Belforte, but also want to make
> sure that I myself am pressing the keys on the keyboard, so
> reaching a security equivalent to what a bank ATM requires
> before yielding out money.
> Are you sure that such an ambitious and unprecedented goal
> is really the minimum effort needed to avoid security
> incidents ?
> You are certainly aware that implementing the proposed system is
> going to need significant resources also outside the laboratory,
> as our primary goal is physics, we usually strive to put in
> infrastructure only the minimum needed effort.

Access among strengthened systems requires no more than what's required now -- a password. What's different is that from untrusted systems we need to provide a secure way of logging in that doesn't compromise the strengthened systems. In this case we can't rely on any special hardware or software installed on the system you're logging in from; it has to be usable almost anywhere. The best way we've found to do this are the schemes that generate one-time passwords -- CryptoCards and S/Key. The CryptoCards are there more as a convenient way to generate one-time passwords.
It does, admittedly, have the convenient side-effect that you have to have it in your hands to log in, and so you're less likely to "share" it with other people. But, it doesn't guarantee to us that you're actually pressing the keys (to do that we'd have to do some sort of biometrics like thumbprint identification).

> 4) Going toward a bank-like security naturally raises a comparison
> and questions about the daily operations of the system and whether
> common "minor" problems can easily be overcome:
> Biggest difference is that the bank is happy with a plastic card
> that fits in the wallet and that is sent by mail before is needed,
> not a bulky electronic gadget.
> What if I forget this CryptoCard at home, do I not work for the
> day ? What if I lose it ? What if it breaks ? What if I forget
> it in my pants when doing my laundry ? Do I have to take the plane
> to Fermilab ?
> What about people who join the experiment and start working on
> software *before* they get a chance of flying over there ?

Admittedly the CryptoCards don't fit in a wallet and you wouldn't want to sit on it or send it through the laundry. And, you need it with you if you're logging in from an untrusted system. If one breaks or is lost (or stolen) we can FedEx a replacement. Likewise we can FedEx them to new users who aren't at Fermilab (although they will still have to be "validated" as Fermilab users first).

We also plan to support S/Key one-time passwords, which are simple password lists. In an emergency, these can be fax'ed to authorized and validated users by our 24x7 computer operations. These aren't implemented yet but will be before the end of the pilot project.

> 5) How will remote access to data be managed ?
> We plan to use ftp to copy over here data produced at
> Fermilab. Definitely we can not allow anonymous ftp access
> to CDF data, or preliminary analysis result.
> But I have not
> seen any other way than anonymous ftp as allowed access for
> users outside the strengthened realm.

I'm also assuming this will have to be done in an automated and unattended way, that is, without a user sitting somewhere to type in a Kerberos password or a CryptoCard response. I'm also assuming that the data source is a strengthened system.

If the data sink is also a strengthened system the transfers can be initiated in either direction, using either ftp or rcp with Kerberos authentication and the mechanisms for authenticating through keytab files that we've set up for cron jobs.

If the data sink is not a strengthened system there are only two alternatives. The data can either be "pulled" using anonymous ftp (no password or Kerberos authentication involved), or the data can be "pushed" from the strengthened system to the untrusted system. The latter only requires that the strengthened system be able to authenticate with whatever the untrusted system demands (scp, ftp with a password, whatever).

> 6) How will we be able to control access to internal web pages ?
> Now this is done by clear-text passwords on the browser,
> definitely not a practice to be kept, but still there is
> information there vital to people working on analysis offsite
> but that must be kept confidential.

This turns out to be a tough problem, mostly because the web browsers and server don't do Kerberos authentication, and it would be a big research and development effort to figure out how to modify them. There has been some work along these lines at some of the universities, but nothing we think is production quality. For now we've avoided this question by proposing that strengthened systems use ssl to encrypt passwords and use a separate local password file on the web server for web passwords.

> 7) How will I read my e-mail ? Can I still connect to the
> FNAL IMAP server if I do not have my crypto-card with me ?
Again this is an issue of client and server (non-)support of Kerberos which we don't propose to tackle. IMAP is able to keep its clear-text password off the net, we consider this good enough for now, especially if users are careful to not use their Kerberos password as their IMAP password.

> 8) How access from home on dial up connection will be managed ?
> Both when connecting via a commercial ISP, and when using
> dial-up to a modem pool in my home institute in which case I
> just have no way to sit in front of a kerberised workstation.

We don't distinguish. Strengthened or untrusted systems can be either local (at Fermilab) or remote. If they're remote it doesn't matter whether they're on a dialup or not. We have no problem with strengthened systems which are on dialups, in fact we have several (both Windows and UNIX) already in the pilot. An untrusted (non-Kerberos) system would need to use a CryptoCard to access a strengthened system, and again it doesn't matter whether it's dialup or not.

The only restrictions involve DHCP. If DHCP changes your system's IP address for some reason (say, you disconnect and reconnect), any Kerberos tickets you held are tied to the old address and will be invalid. You'd have to reauthenticate to get new tickets. Also, a DHCP system cannot offer Kerberos services, since the keytab files used for host authentication are tied to the IP address. However, generally DHCP systems will have similar problems with non-Kerberos clients and servers.

> 9) What about institutions with a poor internet connection ?
> There it is just impossible to login through the portal and
> do "setenv DISPLAY". At present for example many people
> are trying to get a boost for interactive work by using
> thin clients that make it possible to access remote desktops
> without the X protocol, namely VNC in Italy and Citrix Metaframe
> from UK. VNC supports some security mechanism, but not
> kerberos. What would be the situation there ?
> Back to a
> "telnet only" style of work? At least the possibility
> to run a remote full screen debugging session is vital to
> effective software work.

One change documented in the user guide is that the plan no longer calls for a separate portal system. Rather, each system with Fermi Kerberos installed will be able to function as a portal in the sense that it will accept telnet connections with CryptoCard authentication.

According to the VNC FAQ, VNC sessions authenticate with a challenge-response method so clear-text passwords are not exchanged. Furthermore VNC sessions can be tunneled through ssh to make screen updates harder to snoop. Strictly speaking this is only necessary (from my point of view) if you will be typing Kerberos passwords. Within the strengthened realm this could be done through Kerberos authentication of ssh. From an untrusted system to a strengthened system, we would either have to provide a version of ssh which does authentication via CryptoCard (this may be possible), or a user would have to use ordinary telnet and a CryptoCard to log into the strengthened system, then use the ssh client on the strengthened system to set up the ssh tunnel. So there seems in principle a solution for VNC. Actually, I realize I've assumed running VNC between two UNIX systems, with NT this approach may not work.

Citrix is a tougher problem, since it uses X between the UNIX display and the NT server. The NT domain password can therefore be snooped in clear-text from the X session. ssh probably doesn't address this issue since it seems unlikely (to my experts here) that you can make an ssh server run on a Citrix NT server.

> 10) A specific example may be Root. Root has very attractive
> client/server features that may make it possible to access
> remotely data at Fermilab without the need to transfer large
> data files, will this kind of connection be supported ?
> Will
> it be possible to do it from "normal" remote computers still
> providing some way to prevent people from rival experiment to
> take unauthorised preview of physics results ?

I don't know any details of Root. It depends on how Root does its authentication (if any). If it wants to pass a clear-text password, we would certainly encourage doing Kerberos authentication instead (or as well).

> 11) Can you make specific examples of what a "trusted realm" may be,
> other than another fully kerberised system, so that we may see
> what would it take from our side to be one ?

Well, pretty much a "trusted realm" would have to be a Kerberos realm (to allow cross-authentication) which enforces a security policy similar to and roughly as strong as Fermilab's. We'd want to be assured that access to Kerberos principals is restricted to the authorized and validated owner (i.e. no sharing passwords, etc. the user really is who you claim them to be). We'd also want to be assured that clear-text Kerberos passwords are kept off the network (i.e. trusted realm systems would need to be strengthened just as here -- no telnet, r-commands, etc. with passwords in clear-text). We'd also want to be assured of management resolve to enforce the policies and technical expertise to configure and run everything securely.

> 12) Why "Fermi extensions to Kerberos"? Assuming this way of
> going overcomes difficulties and become the backbone of each HEP
> site (at least), what will happen of remote server who host
> people from Fermi/Slac/CERN experiments ? Will each laboratory
> require to have its own personalization installed ?
> Are steps being taken now to make sure that the software that is
> being developed at Fermilab will be such that can be used "as is"
> by any other institution, including large laboratories ?

First, the Fermi Kerberos interoperates with the MIT standard distribution Kerberos in both directions.
Our extensions on the server side are primarily the AFS token support (although AFS is not a prerequisite) and the CryptoCard (and S/Key) support. We've actually incorporated these based on software developed at other laboratories (that is, we're already not the only ones using these extensions -- the CryptoCard extensions came from the Naval Research Laboratory and the AFS support from, I believe, Argonne National Laboratory). We can interoperate with Kerberos clients or servers that don't have these extensions. And, of course, we're happy to work with anyone who wants to head down a similar road (to the extent our resources allow) -- we can add "HEP-standard Kerberos" to the physicists' software nirvana ;-)

> 13) Do crypto-card by any chance use 128-bit encryption so to
> make it illegal to carry them across US borders ?

No. Encryption hardware used only for authentication is legal for export, and we've established that we can send CryptoCards to, for e.g. the UK. Let us know if you would like one (or more). We've also established that our Kerberos source code can be downloaded without violating export controls.
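Mark's answer to point 4 above describes S/Key one-time passwords as "simple password lists". The following is an added worked example, not code from the Fermilab pilot or from anyone in this thread, of how such a list is generated and checked: the RFC 2289 hash-and-fold construction with MD5. The passphrase, seed and list length are constructed sample values, and the passwords are shown in hex rather than the six-word encoding real S/Key prints, purely to keep the example short.

```python
# Added example: an S/Key-style one-time password list (RFC 2289 construction
# with MD5 and 64-bit folding). Not code from the Fermilab pilot; the
# passphrase, seed and list length used below are constructed sample values.
# Real S/Key prints each value as six short English words; hex is used here
# to keep the example short.
import hashlib
import hmac


def _fold(digest):
    """RFC 2289 folds the 16-byte MD5 digest to 8 bytes by XORing its halves."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:16]))


def skey_step(value):
    """One step of the hash chain: h_{i+1} = fold(md5(h_i))."""
    return _fold(hashlib.md5(value).digest())


def skey_chain(passphrase, seed, n):
    """Return [h_0, h_1, ..., h_n] with h_0 = step(seed + passphrase)."""
    h = skey_step((seed + passphrase).encode())
    chain = [h]
    for _ in range(n):
        h = skey_step(h)
        chain.append(h)
    return chain


def password_list(passphrase, seed, n):
    """The printed list the user carries: (sequence, password) pairs from
    h_{n-1} down to h_0, in the order the server will expect them."""
    chain = skey_chain(passphrase, seed, n)
    return [(i, chain[i].hex()) for i in range(n - 1, -1, -1)]


class SKeyVerifier:
    """Server-side state for one user: the seed, the sequence number and the
    last accepted hash. Nothing stored here yields an unused password,
    because the chain cannot be walked backwards."""

    def __init__(self, seed, n, h_n):
        self.seed = seed
        self.seq = n
        self.last = h_n

    def challenge(self):
        """What the server shows at the login prompt (RFC 2289 format)."""
        return "otp-md5 %d %s" % (self.seq - 1, self.seed)

    def verify(self, candidate_hex):
        """Accept exactly the next password in the chain: hashing the candidate
        once must reproduce the last accepted value. A replayed value, or one
        from further down the list, hashes to something else and is refused."""
        if self.seq <= 0:
            return False  # list exhausted; the user needs a new seed
        try:
            candidate = bytes.fromhex(candidate_hex)
        except ValueError:
            return False
        if len(candidate) != 8:
            return False
        if not hmac.compare_digest(skey_step(candidate), self.last):
            return False
        self.seq -= 1
        self.last = candidate
        return True


if __name__ == "__main__":
    # Constructed sample: enrol with n = 5, print the list, show the prompt.
    chain = skey_chain("correct horse battery", "fn12345", 5)
    server = SKeyVerifier("fn12345", 5, chain[-1])
    for seq, pw in password_list("correct horse battery", "fn12345", 5):
        print(seq, pw)
    print(server.challenge())
```

The property that matters for a list handed out on paper is visible in `SKeyVerifier`: the server record holds only the sequence number and the last accepted value, so a compromise of the server does not reveal any unused password, and a password observed in transit is good for exactly one login.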
>...snip...<

From kreymer@fnal.gov Wed May 3 19:14:55 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA04718 for ; Wed, 3 May 2000 19:14:55 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOZ32DJ4E200041S@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Wed, 3 May 2000 19:14:54 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B2ED@listserv.fnal.gov>; Wed, 03 May 2000 19:14:53 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 31362 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 May 2000 19:14:53 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B2EC@listserv.fnal.gov>; Wed, 03 May 2000 19:14:52 -0500
Received: from dot.phys.unm.edu ([198.59.169.98]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOZ32CSFM800041O@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Wed, 03 May 2000 19:14:51 -0500
Received: from dot.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id SAA00863 for ; Wed, 03 May 2000 18:14:08 -0600
Date: Wed, 03 May 2000 18:14:08 -0600
From: Michael Gold
Subject: xemacs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200005040014.SAA00863@dot.phys.unm.edu>
MIME-version: 1.0
X-Mailer: exmh version 2.0.3
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 277

I am having difficulty with remote xemacs. plain ftp works fine. however, there is a problem when trying to open up a remote directory. in fact, xemacs no longer works for remote editing on cdfsga either.

by the way, remote editing is critical.
here is a transcript of my ftp session with xemacs connecting to fcdfgi2--

220-
220- Fermilab policy and rules for computing, including appropriate
220- use, may be found at http://www.fnal.gov/cd/main/cpolicy.html
220-
220-
220 fcdfsgi2 FTP server (Version 5.60) ready.
quote user "gold"
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
hash
GSSAPI authentication succeeded
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 232 GSSAPI user gold@PILOT.FNAL.GOV is authorized as gold^@
ftp> Hash mark printing on (1024 bytes/hash mark).
ftp> quote pwd
530 Please login with USER and PASS.^@

From kreymer@fnal.gov Thu May 4 10:04:54 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA10881 for ; Thu, 4 May 2000 10:04:53 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JOZY36ZX980004SU@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 4 May 2000 10:04:48 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B715@listserv.fnal.gov>; Thu, 04 May 2000 10:03:49 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 32526 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 04 May 2000 10:03:49 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B714@listserv.fnal.gov>; Thu, 04 May 2000 10:03:49 -0500
Received: from CUERVO ([131.225.81.19]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JOZY4EDKB2000562@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 04 May 2000 10:03:45 -0500
Date: Thu, 04 May 2000 10:03:44 -0500
From: "Mark O.
Kaletka"
Subject: RE: xemacs
In-reply-to: <200005040014.SAA00863@dot.phys.unm.edu>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Gold , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: text/plain; charset="us-ascii"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 278

If you have tickets on fcdfsgi2 (as evidenced by "GSSAPI authentication succeeded") then there's no need to provide your password later in the session. I suspect this is what's messing you up on fcdfsgi2. Do you have a similar transcript with cdfsga?

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Michael Gold
> Sent: Wednesday, May 03, 2000 7:14 PM
> To: kerberos-pilot@fnal.gov
> Subject: xemacs
>
>
> I am having difficulty with remote xemacs. plain ftp
> works fine. however, there is a problem when trying
> to open up a remote directory. in fact, xemacs
> no longer works for remote editing on cdfsga either.
>
> by the way, remote editing is critical.
>
> here is a transcript of my ftp session with xemacs
> connecting to fcdfgi2--
>
>
> 220-
> 220- Fermilab policy and rules for computing, including
> appropriate
> 220- use, may be found at http://www.fnal.gov/cd/main/cpolicy.html
> 220-
> 220-
> 220 fcdfsgi2 FTP server (Version 5.60) ready.
> quote user "gold"
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> hash
> GSSAPI authentication succeeded
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> 232 GSSAPI user gold@PILOT.FNAL.GOV is authorized as gold^@
> ftp> Hash mark printing on (1024 bytes/hash mark).
> ftp> quote pwd
> 530 Please login with USER and PASS.^@
>
>

From kreymer@fnal.gov Thu May 4 13:25:19 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA10979 for ; Thu, 4 May 2000 13:25:18 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP0557SFO800058J@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 4 May 2000 13:25:15 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B9FE@listserv.fnal.gov>; Thu, 04 May 2000 13:25:13 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 33314 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 04 May 2000 13:25:13 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000B9FD@listserv.fnal.gov>; Thu, 04 May 2000 13:25:13 -0500
Received: from physics.ucla.edu ([128.97.23.13]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP0556XXHE00042K@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 04 May 2000 13:25:12 -0500
Received: from [128.97.22.48] (mahal [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id LAA17312 for ; Thu, 04 May 2000 11:21:52 -0700 (PDT)
Date: Thu, 04 May 2000 11:24:30 -0700
From: Benn Tannenbaum
Subject: Re: Comments from Italy to Strong Authentication Project
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Kerberos Pilot
Message-id:
MIME-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit
User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Status: RO
X-Status:
X-Keywords:
X-UID: 279

Mark,

I've read your mail several times, and I must admit that several points you make trouble me greatly.

on 3/5/00 2:50 PM, Mark O.
Kaletka spake thusly:

> We're also trying to avoid the situation of "illusory security" which can
> occur with ssh when encryption isn't rigorously enforced end-to-end. A user
> (say, at a university) at an X terminal who logs into a server over a clear
> connection and then ssh's to Fermilab, compromises Fermilab since the traffic
> between the X terminal and the local server can be sniffed. There is no
> practical way that Fermilab can detect or prevent this situation in ssh.
>

Can an Xterm be strengthened? I have a feeling the answer is no, simply because of the nature of what an XTerm is. That means that all the money we've invested in xterms is now wasted. Also, what of sites that are still running VMS? Is there a version of Kerberos for them? Or are you, in a subtle way, dictating what hardware we use? That's not really acceptable.

>> 2) Similarly, since the goal is to avoid clear text password, why do you not
>> want to allow my local workstation to use kerberos to connect to FNAL, while
>> still running an ssh server to allow myself to connect to it from other nodes
>> in my institution ?
>>
> This is one area where we've had quite a lot of forceful input from our
> collaborating institutions. Ideally, of course, we'd like the whole world to
> be Kerberized (yeah, right :-) In practical terms I think we have to
> accommodate the situation you're describing. We're ready to propose that remote
> non-Fermilab strengthened systems be allowed to run ssh servers the
> clear-text non-Kerberized versions of telnet, ftp and r-commands are disabled
> on the remote systems (as they will be for Fermilab Kerberized systems)
> remote sites have a clear and strong security policy which prohibits the
> "illusory security" of using ssh over a partially clear-text connection.
>

This scares me. YOU want to control what software WE run on OUR computers. I can accept that you want us to add software for security. But to actively demand we remove software? Don't count on it.
There is a wide array of computing resources available at the myriad users of FNAL. Some university groups have a few computers they manage themselves. Some are part of departmental clusters managed by others. We at UCLA are in the latter category. To be compatible with FNAL, we will have to have our system administrator install Kerberos, AND remove software you find unacceptable. What does this do to the other users of the cluster? The vast majority of them also connect to unstrengthened systems. Will they still be able to connect? Will it affect our ability to connect to CERN? And what if our system administrator refuses to install Kerberos?

> Access among strengthened systems requires no more than what's required now --
> a password.

You make an incredible assumption here-- that the systems are in fact strengthened. It is no small task to install Kerberos on a system (from my attempts and from watching this list). There are dozens and dozens of university groups, all with differing computing resources. Will FNAL provide detailed installation instruction for all the possible configurations? It all sounds so easy, but in practice, I am not convinced it is.

How many university groups have successfully Kerberized their systems? How hard was it to do? Do you find connecting now truly as transparent as Mark claims?
-Benn

From kreymer@fnal.gov Fri May 5 01:41:08 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id BAA31282 for ; Fri, 5 May 2000 01:41:08 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP0UUHWUJA0004XN@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 01:41:05 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000BE55@listserv.fnal.gov>; Fri, 05 May 2000 01:41:02 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 34614 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 01:41:02 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000BE54@listserv.fnal.gov>; Fri, 05 May 2000 01:41:02 -0500
Received: from al1.physics.ox.ac.uk ([163.1.244.73]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP0UU92MO20005BC@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 05 May 2000 01:41:01 -0500
Received: from huffman (helo=localhost) by al1.physics.ox.ac.uk with local-esmtp (Exim 2.05 #1) id 12nbn8-0000V5-00; Fri, 05 May 2000 07:40:50 +0100
Date: Fri, 05 May 2000 07:40:50 +0100 (BST)
From: "Todd Huffman (CDF/ATLAS)"
Subject: Re: Comments from Italy to Strong Authentication Project
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Benn Tannenbaum
Cc: Kerberos Pilot
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 280

>
> How many university groups have successfully Kerberized their systems? How
> hard was it to do? Do you find connecting now truly as transparent as Mark
> claims?
>
> -Benn
>

Oxford did manage to Kerberize one PC...which is now broken and we don't know why.
It can't seem to kinit in the command prompt at the moment and get a ticket-granting-ticket (I think that's what's happening anyway.) We're looking into it, but as is the case with most system administration, ours is under-staffed and just does not have the time at the moment to deal with the problems one NT end-user has. We'll probably have more next week.

The actual initial installation on a desktop NT PC was not too tough, and our experience is that strengthening an end-user PC client (for example) is not going to significantly affect how you work. (I'm assuming our current problems with kerberos on this client are not show stoppers......and I doubt they are.)

However based on what we see, we are very reluctant to kerberise servers of any OS flavour because, as far as we can tell, such a kerberized server would become its own domain that no one but a strengthened system can talk to.....Mark K. will probably indicate that this really IS the point. But the difficulties that Benn states simply will not go away. This is probably tightly related to why the question 'why not ssh + firewalls?' is the most common question Mark K. gets. People are seeking a solution that would add security (perhaps not quite as much as unplugging the machine or kerberizing it) but would better allow for the open sharing of information.

****(next random thought)

I'm also quite curious how CERN collaborations on CMS or ATLAS will work in a strengthened realm. The US and the EU are currently proposing large distributed computing Grid architectures to process and analyse LHC data because CERN is not going to centrally support data re-processing or physics analyses. (CERN is planning for a 30% reduction in IT support for the LHC while the LHC data size from all experiments will be about 100 times larger than from even an extended Run-II.)
Will Fermilab effectively remove itself from any possibility of becoming an LHC computing center in this distributed model because it is Kerberised and therefore will not respond to requests for data from the Grid users? Or does CERN intend to follow this path as well and become part of the strengthened realm? What are the plans to address these issues?

Cheers,
Todd

From kreymer@fnal.gov Fri May 5 09:32:05 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA06590 for ; Fri, 5 May 2000 09:31:58 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1BA5G9S60005LC@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 09:31:52 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C04B@listserv.fnal.gov>; Fri, 05 May 2000 09:31:47 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35185 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 09:31:47 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C048@listserv.fnal.gov>; Fri, 05 May 2000 09:31:47 -0500
Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1BA4RWX00004EF@FNAL.FNAL.GOV>; Fri, 05 May 2000 09:31:46 -0500
Date: Fri, 05 May 2000 09:31:47 -0500
From: Margaret Votava
Subject: kerberos 5 and cron jobs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: cdlibrary@fnal.gov
Message-id: <3912DB53.ACAA5540@fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 281

Hi,

I've randomly had time over the
last week to play with kerberos and cron. I basically want to set up two cron jobs - one to send mail daily to the operators requesting them to mount backups tapes and one to run twice daily to renew my ticket so I don't need to kinit every day.

Following the instructions in gg0019, my backups cron job looks like:

#!/bin/sh
PATH=/usr/krb5/bin:$PATH
export PATH
# get a 5-minute ticket for votava/cron from the cron keytab
kinit -l 5m -k -t /usr/tmp/votava-cron.keytab votava/cron
. $HOME/.profile; setup ols; Mail -s "ols backups today" operator@fnal < $OLS_DIR/backups/backup_reminder.txt
# removes the tickets from the default credentials cache
kdestroy

Since it's using the default cache file, the kdestroy removes the entries in my cache file, I no longer have any tickets. Therefore, whenever my cron job runs, it effectively forces me to kinit again.

If I don't issue the kdestroy, I still have tickets, but my default principal changes from votava@PILOT.FNAL.GOV to votava/cron@PILOT.FNAL.GOV which is not exactly user friendly either.

In both cases, it causes my second cron job to fail since the cache file is not pointing to votava anymore.

The documentation said that configuring second cache files can be done, but is not documented. I think one wants to be able to do this.

Comments?
Margaret

--
Margaret Votava                                 votava@fnal.gov
Computing Division/Experiment Online Support    630-840-2625 (office)
Fermi National Accelerator Laboratory           630-840-6345 (fax)

From kreymer@fnal.gov Fri May 5 10:25:47 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA09233 for ; Fri, 5 May 2000 10:25:46 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1D5T3SJS0004UP@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 10:25:42 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C103@listserv.fnal.gov>; Fri, 05 May 2000 10:25:33 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35391 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 10:25:33 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C101@listserv.fnal.gov>; Fri, 05 May 2000 10:25:33 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1D5SF6A60004F0@FNAL.FNAL.GOV>; Fri, 05 May 2000 10:25:32 -0500
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id KAA10540; Fri, 05 May 2000 10:25:32 -0500 (CDT)
Date: Fri, 05 May 2000 10:25:32 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos 5 and cron jobs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov, cdlibrary@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200005051525.KAA10540@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 282

On Friday 5 May 2000, our friend Margaret Votava spaketh thusly:
> Hi,
>
> I've randomly had time over the last
> week to play with kerberos and
> cron. I basically want to set up two cron jobs - one to send mail
> daily to the operators requesting them to mount backups tapes and
> one to run twice daily to renew my ticket so I don't need to kinit
> every day.
>
> Following the instructions in gg0019, my backups cron job looks like:

I think that these instructions are outdated now, I'll get together with Anne to update this section. The kcron command changes the precise details of how to do the cron job.

>
> #!/bin/sh
> PATH=/usr/krb5/bin:$PATH
> export PATH
> kinit -l 5m -k -t /usr/tmp/votava-cron.keytab votava/cron
> . $HOME/.profile; setup ols; Mail -s "ols backups today" operator@fnal < $OLS_DIR/backups/backup_reminder.txt
> kdestroy

What you should do instead for this: the cron job should look like:

#!/bin/sh
. $HOME/.profile; setup ols; Mail -s "ols backups today" operator@fnal < $OLS_DIR/backups/backup_reminder.txt

The crontab entry is where the kcron stuff comes in. If your entry looked like this before:

0 17 * * * /afs/fnal.gov/files/home/room3/votava/backup-job

you should change it to

0 17 * * * kcron /afs/fnal.gov/files/home/room3/votava/backup-job

The "kcron" command will authenticate the process (as votava/cron) using the keytab file created by kcroninit, and then exec the subsequent command. NOTE, the keytab file created by kcroninit is NOT named /usr/tmp/votava-cron.keytab

I don't think you need to worry about kdestroy when using kcron; Matt would be the one to issue the Final Edict on this.

>
> Since it's using the default cache file, the kdestroy removes the
> entries in my cache file, I no longer have any tickets. Therefore,
> whenever my cron job runs, it effectively forces me to kinit again.

Hmmm... Going back to your original scenario and how you were doing this -- did you have trouble with your tickets when the job ran under cron? Or when you issued the command interactively?
I would understand the problem if it came about through running the script interactively -- because it is using the same default cache file as the interactive process.

>
> If I don't issue the kdestroy, I still have tickets, but my default
> principal changes from votava@PILOT.FNAL.GOV to votava/cron@PILOT.FNAL.GOV
> which is not exactly user friendly either.

Again, this would make sense to me if you were running the script from the command line, but not [without more thinking about it] if the job was running under cron.

>
> In both cases, it causes my second cron job to fail since the cache
> file is not pointing to votava anymore.

Yes.

>
> The documentation said that configuring second cache files can be done,
> but is not documented.

I think this is where the new documentation comes in.

-- lauri

From kreymer@fnal.gov Fri May 5 11:01:57 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA10526 for ; Fri, 5 May 2000 11:01:57 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1EFLUPLO0004TE@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 11:01:54 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C177@listserv.fnal.gov>; Fri, 05 May 2000 11:01:45 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35515 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 11:01:45 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C175@listserv.fnal.gov>; Fri, 05 May 2000 11:01:45 -0500
Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1EFMIT140004F0@FNAL.FNAL.GOV>; Fri, 05 May 2000 11:01:43 -0500
Date: Fri, 05 May 2000 11:01:43 -0500
From: Margaret Votava
Subject: Re:
kerberos 5 and cron jobs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov, cdlibrary@fnal.gov
Message-id: <3912F067.522CC8AF@fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200005051525.KAA10540@fsui03.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 283

hi,

> The crontab entry is where the kcron stuff comes in. If your entry
> looked like this before:
>
> 0 17 * * * /afs/fnal.gov/files/home/room3/votava/backup-job
>
> you should change it to
>
> 0 17 * * * kcron /afs/fnal.gov/files/home/room3/votava/backup-job

actually needs to be

0 17 * * * /usr/krb5/bin/kcron /afs/fnal.gov/files/home/room3/votava/backup-job

kerberos isn't in my path by default.

> The "kcron" command will authenticate the process (as votava/cron)
> using the keytab file created by kcroninit, and then exec the
> subsequent command.
>

the document should mention kcroninit too.

> > Since it's using the default cache file, the kdestroy removes the
> > entries in my cache file, I no longer have any tickets. Therefore,
> > whenever my cron job runs, it effectively forces me to kinit again.
>
> Hmmm... Going back to your original scenario and how you were doing
> this -- did you have trouble with your tickets when the job ran
> under cron? Or when you issued the command interactively? I would
> understand the problem if it came about through running the script
> interactively -- because it is using the same default cache file as
> the interactive process.

yes - i had problems with my tickets when i ran this job under cron. kinit mucks with the default cache file. i wasn't using kcron then.
>
> > If I don't issue the kdestroy, I still have tickets, but my default
> > principal changes from votava@PILOT.FNAL.GOV to votava/cron@PILOT.FNAL.GOV
> > which is not exactly user friendly either.
>
> Again, this would make sense to me if you were running the script
> from the command line, but not [without more thinking about it] if
> the job was running under cron.
>

it happens when running both interactively and under cron.

so i made the switch to kcron and my cron job runs, but i get the following warning [error?] message back from cron:

Subject: Cron /usr/krb5/bin/kcron cron/acron.sh
Date: Fri, 05 May 2000 10:52:01 -0500
From: root@odsmev.fnal.gov (Cron Daemon)
To: votava@odsmev.fnal.gov

kinit: No such file or directory while getting initial credentials
kdestroy: No credentials cache file found while destroying cache
Ticket cache NOT destroyed!

Thanks,
Margaret

From kreymer@fnal.gov Fri May 5 11:08:39 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA10530 for ; Fri, 5 May 2000 11:08:39 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1EO2WNIC0004VK@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 11:08:37 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C18E@listserv.fnal.gov>; Fri, 05 May 2000 11:08:32 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35540 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 11:08:32 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C18C@listserv.fnal.gov>; Fri, 05 May 2000 11:08:31 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1EO2345U0004GU@FNAL.FNAL.GOV>; Fri, 05 May 2000
11:08:31 -0500
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id LAA13625; Fri, 05 May 2000 11:08:30 -0500 (CDT)
Date: Fri, 05 May 2000 11:08:30 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos 5 and cron jobs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov, cdlibrary@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200005051608.LAA13625@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 284

On Friday 5 May 2000, our friend Margaret Votava spaketh thusly:
> [snippage]
> > you should change it to
> >
> > 0 17 * * * kcron /afs/fnal.gov/files/home/room3/votava/backup-job
>
> actually needs to be
>
> 0 17 * * * /usr/krb5/bin/kcron /afs/fnal.gov/files/home/room3/votava/backup-job
>
> kerberos isn't in my path by default.

Yes, sorry. You are right.

> [snippage]
> the document should mention kcroninit too.

Actually, the on-line documentation does cover all this; Anne should be sending out an announcement soon about the updates to the printed manual, but in the meantime, the information on how to do authenticated cron jobs is under http://www.fnal.gov/docs/products/kcroninit/

> [snippetysnippet]
>
> so i made the switch to kcron and my cron job runs, but i get the following
> warning [error?] message back from cron:
>
> Subject: Cron /usr/krb5/bin/kcron cron/acron.sh
> Date: Fri, 05 May 2000 10:52:01 -0500
> From: root@odsmev.fnal.gov (Cron Daemon)
> To: votava@odsmev.fnal.gov
>
> kinit: No such file or directory while getting initial credentials
> kdestroy: No credentials cache file found while destroying cache
> Ticket cache NOT destroyed!

I think that's because you didn't use kcroninit first, please try again.
-- lauri

From kreymer@fnal.gov Fri May 5 13:17:50 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA10635 for ; Fri, 5 May 2000 13:17:49 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1J5TYKG40004HL@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;kreymer@FNAL.GOV); Fri, 5 May 2000 13:17:47 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C316@listserv.fnal.gov>; Fri, 05 May 2000 13:17:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35962 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Fri, 05 May 2000 13:17:22 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C314@listserv.fnal.gov>; Fri, 05 May 2000 13:17:22 -0500
Received: from CUERVO ([131.225.81.19]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JP1J5SOPEA0004VK@FNAL.FNAL.GOV> for kerberos-announce@listserv.fnal.gov (ORCPT rfc822;kerberos-announce@fnal.gov) ; Fri, 05 May 2000 13:17:21 -0500
Date: Fri, 05 May 2000 13:17:20 -0500
From: "Mark O. Kaletka"
Subject: Fermilab Kerberos Manual Updates
Sender: owner-kerberos-announce@listserv.fnal.gov
To: Kerberos Announce List
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: multipart/mixed; boundary="----=_NextPart_000_0045_01BFB694.3E2D1460"
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 285

This is a multi-part message in MIME format.
------=_NextPart_000_0045_01BFB694.3E2D1460
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

------=_NextPart_000_0045_01BFB694.3E2D1460
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment

Reply-To:
From:
Sender:
To:
Subject: posting message
Date: Fri, 5 May 2000 11:33:49 -0500
Message-ID: <200005051633.LAA08722@fsui02.fnal.gov>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol

Please post the following message to kerberos-announce (I am not authorized):

For those of you using the printed manual, this is a reminder to check the online updates page from time to time. It is available at:

http://www.fnal.gov/docs/strongauth/misc/updates.html

or from the "UPDATES!!" link on the main page:

http://www.fnal.gov/docs/strongauth/.

We will update the manual with this information at some time in the future.

***************************************************************

In particular, let me draw your attention to two items (numbers correspond to sections in the manual):

6.2 Logging on at a Kerberized UNIX Machine

Currently the kerberos login program is not being distributed with the kerberos product. Therefore, after kerberizing your UNIX machine, it still uses its own login program and doesn't accept your kerberos password. You need to kinit after logging on to obtain credentials. Your credentials should then get forwarded to other machines normally.

8.2 Configuring cron Jobs

The section is now obsolete. See http://www.fnal.gov/docs/products/kcroninit/ for updated information. This new method is currently working if you have systools installed on your system. The kcroninit product gets installed automatically as part of the kerberos installation.
If you don't have or don't want systools, you'll need to wait another couple of weeks for kerberos v0_6 to be released. v0_6 will support kcroninit without systools.

-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

------=_NextPart_000_0045_01BFB694.3E2D1460--

From kreymer@fnal.gov Fri May 5 13:18:16 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA10639 for ; Fri, 5 May 2000 13:18:15 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1J6T92UE0004I0@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 13:18:12 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C31E@listserv.fnal.gov>; Fri, 05 May 2000 13:18:10 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 35971 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 13:18:10 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C31D@listserv.fnal.gov>; Fri, 05 May 2000 13:18:10 -0500
Received: from dot.phys.unm.edu ([198.59.169.98]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1J6SFID20004W7@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 05 May 2000 13:18:09 -0500
Received: from dot.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id MAA24033 for ; Fri, 05 May 2000 12:17:25 -0600
Date: Fri, 05 May 2000 12:17:25 -0600
From: Michael Gold
Subject: xemacs
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200005051817.MAA24033@dot.phys.unm.edu>
MIME-version: 1.0
X-Mailer: exmh version 2.0.3
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 286

Having installed kerberos as a client on my local machine (dot.phys.unm.edu) I now have some problems with xemacs. Let me first just make a few comments about setting up the client. I grabbed the latest version of kerberos from MIT and installed. After fixing one minor problem (my system clock was off, which was bugging me anyway) the basic utilities all work fine. A convenient feature is that with rlogin I can now login to fcdfsgi2 without my password. I presume that if you rlogin to cdfsga or another non-kerberized machine you are sending your clear password. Users should be warned to continue to use slogin.

However, XEMACS has problems. As a remote user, it is VERY, VERY convenient to edit files remotely with XEMACS. There are basically 2 problems:

1) handshaking is different for KERBERIZED ftp. I can get around this on fcdfsgi2 but now I seem to be stuck on other machines like cdfsga

2) permissions. XEMACS won't let me edit files because it thinks I do not have write permission (chmod a+w notwithstanding). Oddly, it will allow me to write and edit a new file. Once written, it will remind me that I do not have permission to write but will allow me to proceed and writes the file anyway.

Solutions to these problems or hints are welcome.
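Returning to the cron thread above (Margaret Votava's script, lauri's kcron replacement and Anne Heavey's note on kcroninit): the failure mode Margaret hit is that kinit and kdestroy, run from a cron job with no KRB5CCNAME set, operate on the user's default credentials cache (FILE:/tmp/krb5cc_<uid> in MIT Kerberos), so the job either wipes the interactive tickets or replaces the default principal with votava/cron. kcron solves this at Fermilab; where it is not available, the same isolation comes from giving the job its own cache through KRB5CCNAME. The wrapper below is an added example written for this page, not code from the list or from the kcron/kcroninit product. It assumes MIT krb5 kinit/kdestroy under /usr/krb5/bin (the path used in the thread; overridable with KRB5_BIN), a keytab for a cron principal such as votava/cron created beforehand (by kcroninit or kadmin ktadd), and the MIT kinit options -k -t KEYTAB -l LIFETIME.

```sh
#!/bin/sh
# Added example (not from the list or the kcron product): run a cron job under
# its own Kerberos credentials cache so that kinit and kdestroy never touch the
# user's interactive default cache (FILE:/tmp/krb5cc_<uid>).
#
# Assumptions: MIT krb5 kinit/kdestroy under /usr/krb5/bin (path from the
# thread; override with KRB5_BIN) and a keytab for a cron principal such as
# votava/cron created beforehand (kcroninit, or kadmin ktadd).

KRB5_BIN=${KRB5_BIN:-/usr/krb5/bin}

# Name a private cache for this principal. The default cache is
# FILE:/tmp/krb5cc_<uid>, so a "_cron_<principal>" suffix cannot collide with
# it; '/' and '@' in the principal are mapped to '_' for a safe file name.
cron_cache_name() {
    # $1 = principal (e.g. votava/cron), $2 = numeric uid
    _inst=$(printf '%s' "$1" | tr '/@' '__')
    printf 'FILE:/tmp/krb5cc_%s_cron_%s' "$2" "$_inst"
}

# Usage: run_with_private_cache KEYTAB PRINCIPAL COMMAND [ARGS...]
# Returns 2 if kinit fails, otherwise the command's own exit status.
run_with_private_cache() {
    keytab=$1
    princ=$2
    shift 2
    # Everything happens in a subshell, so the caller's KRB5CCNAME (and with
    # it the interactive ticket cache) is never modified.
    (
        set +e   # always reach kdestroy, even if the job itself fails
        KRB5CCNAME=$(cron_cache_name "$princ" "$(id -u)")
        export KRB5CCNAME
        # -k -t: authenticate from the keytab; -l 5m: the job only needs
        # credentials while it runs, so keep the ticket lifetime short.
        "$KRB5_BIN/kinit" -k -t "$keytab" -l 5m "$princ" || exit 2
        "$@"
        rc=$?
        # kdestroy honours KRB5CCNAME, so only the private cache is removed.
        "$KRB5_BIN/kdestroy"
        exit "$rc"
    )
}

# Crontab usage, with absolute paths because cron's PATH rarely includes
# the krb5 binaries (Margaret's point in the thread):
#   0 17 * * * /home/votava/kcache-wrapper.sh /home/votava/cron.keytab votava/cron /home/votava/backup-job
if [ "$#" -ge 3 ]; then
    run_with_private_cache "$@"
    exit "$?"
fi
```

Two caveats a practitioner would want: the keytab is a long-lived credential equivalent to the cron principal's password, so it must be mode 0600 and owned by the user, and two concurrent jobs for the same principal share one private cache, so either serialize them or add a per-job suffix to the cache name. Because kdestroy is only reached after a successful kinit, the "No credentials cache file found ... Ticket cache NOT destroyed!" message Margaret saw from cron does not arise here.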
From kreymer@fnal.gov Fri May 5 13:32:18 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA10649 for ; Fri, 5 May 2000 13:32:17 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JP1JO92LSG0005OM@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 5 May 2000 13:32:15 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C345@listserv.fnal.gov>; Fri, 05 May 2000 13:32:13 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 36013 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 May 2000 13:32:13 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000C344@listserv.fnal.gov>; Fri, 05 May 2000 13:32:13 -0500
Received: from ts.infn.it ([140.105.6.150]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JP1JO7L8GE0004HL@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 05 May 2000 13:32:12 -0500
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Fri, 05 May 2000 20:32 +0100 (CET)
Date: Fri, 05 May 2000 20:32:06 +0200
From: Stefano Belforte
Subject: Re: Comments from Italy to Strong Authentication Project
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: Kerberos Pilot
Message-id: <391313A6.DED03776@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.72 [en] (X11; I; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 287

Thanks Mark, while I think over in detail the technical issues, let me say that the political ones still strike me as the real key point.
I can rephrase my opinion like this: FNAL does its best to prevent password stealing on site, fine. Then you go one step ahead and try to prevent password stealing at my site. WOW! Well, great, thanks! I would love Fermilab to provide a good system manager in any collaborating institution, but unfortunately neither you nor anybody else from the lab will be here. So in the end some way will have to be clearly defined by which you can trust us. Since this is a declared goal now (make sure passwords are not stolen because of careless behavior on remote sites) it is necessary to either remove it, or define it very well. Unfortunately this is difficult to do, and very very political; indeed you come to this point twice in your nice message, and still have to leave it vague:

> remote sites have a clear and strong security policy which
> prohibits the "illusory security" of using ssh over a partially
> clear-text connection.

> We'd also want to be assured that clear-text Kerberos passwords are
> kept off the network (i.e. trusted realm systems would need to be
> strengthened just as here -- no telnet, r-commands, etc. with
> passwords in clear-text). We'd also want to be assured of management
> resolve to enforce the policies and technical expertise to configure
> and run everything securely.

I wholeheartedly agree that the ones above are very desirable features, but when it comes to being realistic, how can we deal with them? We can probably talk forever about how to turn these conditions into an algorithm that can be uncontroversially applied to decide if University X qualifies. That's why I think there is much more need to clear up the overall political landscape, rather than to go into the details of each application. I imagine I can hardly say anything new on this subject, still I cannot resist throwing some thoughts around.
Shall we have just written statements that University X will not allow anybody to take a dumb X-Terminal from the closet and plug it in, not even for a second, or a laptop, or a Macintosh? How exactly does one prevent "illusory security" other than by warning the user? Please, do not misunderstand me, I would be sincerely very glad if FNAL would test and qualify the technical skills of my local system managers, but.. how many remote sites can FNAL realistically imagine being able to "qualify" per unit of time? One a day? One a week? Only in Italy, only for CDF, only now, we have at least 13 different "local networks" from which people engaged in CDF activities are now routinely connecting to Fermilab. I mean 13 different sets of network administrators. The CDF collaboration alone would mean easily more than 100 "sites" all over the world; even if all of them would try to implement a level of security analogous to yours, how long would it take to certify it? How many people? What about sites that, in spite of heroic efforts, do not qualify? What if University X has one good physicist but a poor system manager (it appears to be often the case, by the way, as good system managers are more likely to find better paid jobs)? Are we going to make Universities with one CDF physicist different from the rest? They need a "fully secure LAN"! Doesn't this alone sound like a big incentive for people not to join the experiment? How does FNAL imagine then making sure that offsite sites "do not cheat"? I imagine that with the proper positive pressure all sites, both labs and universities, will evolve from the present "telnet" era to a more secure environment, just as Fnal is doing. Indeed a lot of effort is being put on security issues already in Italy, ssh is more widely used here than at Fermilab already, and steps have been and are being taken for dealing with mail and www problems, router safety etc.
But the environment is big and complex, the managements understaffed; it is impossible to imagine every place switching at the same time, or in any short period of time, to a very different and potentially complex system. At the very minimum I would expect well organised places like FNAL, CERN and SLAC, e.g., to find a common way of doing things and sort out all cross-trust issues much before the small groups can do it. A way of dealing with places at different levels of security should be the matter of fact for still several years. By the way, what is the expected time frame for the "pilot project"? Will access to CDF computers be closed in a month? A year? Ten years? Or just "once we are ready"?

Mark, I appreciate your effort, and your competence. But... is this mailing list really the proper place for discussing this? Who's on the kerberos-pilot list by the way? I feel a bit at odds talking with a virtual entity...

Stefano

-- 
Stefano Belforte - I.N.F.N.            tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99        e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy               Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Thu May 11 19:31:08 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id TAA02686 for ; Thu, 11 May 2000 19:31:08 -0500
Received: from conversion.FNAL.FNAL.GOV by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JPA9Y6NN8W0007J5@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 11 May 2000 19:31:03 -0500 CDT
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPA9Y43JVU0006SK@FNAL.FNAL.GOV>; Thu, 11 May 2000 19:30:59 -0500
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000F770@listserv.fnal.gov>; Thu, 11 May 2000 19:30:59 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d)
with spool id 50350 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 11 May 2000 19:30:59 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000F76F@listserv.fnal.gov>; Thu, 11 May 2000 19:30:58 -0500
Received: from conversion.FNAL.FNAL.GOV by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JPA9Y3EVPS0007P5@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Thu, 11 May 2000 19:30:57 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPA9Y33G540008E5@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Thu, 11 May 2000 19:30:57 -0500
Date: Thu, 11 May 2000 19:30:57 -0500 (CDT)
From: Dane Skow
Subject: offsite users concerns
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 288

I've read the recent messages from Stefano, Todd, and responses from Mark and think we've got a good and important dialog going on here. Let me add a few comments from my perspective, hopefully to help keep the cooperative search for solutions going.

1) I think it would be very useful for an offsite user familiar with daily operations working at one of the "ssh only" restricted labs to compare their experiences with their expectations from the Kerberos realm. Anyone want to volunteer to take that on? We think we know the comparison from the systems perspective, but it would be useful to hear a user's. How many of the concerns about difficulty to get access come to bear there as well?

2) There seems to be a thread that people view the one-time passwords (hardware and/or paper) as too easy to lose. In my mind, I draw the parallel with physical keys. We deal successfully with physical keys all the time.
What would be the analogues in the password realm to "spare keys" and "friends letting you in when you've forgotten yours"? (I think multiple hardware tokens or copies of password lists are not forbidden. I think the "friends" equivalent would be to phone up the datacenter and answer a challenge to get a new password. What would it take to make this acceptable, or are there other alternates? FNAL: how would we deal with "keys hidden under the mat"? (e.g. someone taking an OTP password list and embedding it in an expect script for running cron jobs on an untrusted -> Kerberized link?))

3) There is a thread of commentary along the lines of "why are you alone in moving to Kerberos?" This is raised with concerns that this will effectively cut FNAL off from the rest of the world. The devil indeed will be in the details, but I don't think the technology is exotic or forbidding. Kerberos (an older version - v4) is at the heart of AFS, which nearly all HEP labs use successfully, more extensively than FNAL. Kerberos (a modified version) is key to Windows 2000 authentication. And Kerberos is quite commonly found in the "Grid-type" projects (we can wonder for days what those really are) in DCE, natively, etc. The major difference I see is the level of care we are trying to take to make sure your Kerberos password is not captured between your fingers and the machine that issues the ticket. We should be able to find a workable ground.

4) The most problematic case that I have seen raised yet is how to deal with the situation where an unstrengthened machine is generating data on its own schedule and needs to either send the file or execute a command on a strengthened machine. Were the strengthened machine the keeper of the clock, this would be a simple ftp or rcommand. However, the reverse is not true. I can see some possibilities but they are not elegant:

a) use an anonymous ftp server as a staging ground for data. I would be prepared to consider setting up a sitewide service.
One characteristic of any permitted service is that anonymous users may not read and write to the same directories. There would be a drop box and public pickup separately.

b) have the strengthened machine poll the unstrengthened one periodically. Would need buffering space on the unstrengthened machine and cron scripts running on the strengthened.

Anybody else have ideas?

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Fri May 12 11:17:27 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA05835 for ; Fri, 12 May 2000 11:17:27 -0500
Received: from conversion.FNAL.FNAL.GOV by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JPB6ZXMR0000079T@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 12 May 2000 11:17:18 -0500 CDT
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPB6ZKHS5E0007KZ@FNAL.FNAL.GOV>; Fri, 12 May 2000 11:16:55 -0500
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000FBE1@listserv.fnal.gov>; Fri, 12 May 2000 11:16:38 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 1012 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 12 May 2000 11:16:38 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0000FBE0@listserv.fnal.gov>; Fri, 12 May 2000 11:16:38 -0500
Received: from conversion.FNAL.FNAL.GOV by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JPB6YWUAHC00082W@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Fri, 12 May 2000 11:16:17 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPB6YKIHSE0008DS@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Fri, 12 May 2000
11:15:52 -0500
Date: Fri, 12 May 2000 11:15:50 -0500 (CDT)
From: Dane Skow
Subject: password feedback
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 289

I've had feedback on the rules checking for password selection: it would be nice if failure listed ALL the requirements for a password rather than just which requirement was not satisfied. This can help reduce iterating.

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Tue May 16 09:42:00 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA05877 for ; Tue, 16 May 2000 09:42:00 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPGOUHJ362000A3H@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Tue, 16 May 2000 09:41:57 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000116CB@listserv.fnal.gov>; Tue, 16 May 2000 09:41:54 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 8379 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 16 May 2000 09:41:54 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000116CA@listserv.fnal.gov>; Tue, 16 May 2000 09:41:54 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPGOUGE64K0009IN@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 16 May 2000 09:41:53 -0500
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA01229; Tue, 16 May 2000 09:41:52 -0500 (CDT)
Date: Tue, 16 May 2000 09:41:52 -0500
From: Matt Crawford
Subject:
Re: password feedback
In-reply-to: "12 May 2000 11:15:50 CDT." <"Pine.LNX.4.10.10005121114330.1536-100000"@unferth.fnal.gov>
To: Dane Skow
Cc: kerberos-pilot@fnal.gov
Message-id: <200005161441.JAA01229@gungnir.fnal.gov>

> I've had feedback on the rules checking for password selection:
> it would be nice if failure listed ALL the requirements for a
> password rather than just which requirement was not satisfied.
> This can help reduce iterating.

Before you enter your new password it does list all the simple
requirements.  It doesn't mention the cracklib test, which is hard to
describe in a few words.

gungnir 149% kpasswd
kpasswd: Changing password for crawdad@PILOT.FNAL.GOV.
Old password:
kpasswd: crawdad@PILOT.FNAL.GOV's password is controlled by
the policy default, which requires a minimum of 10 characters from
at least 2 classes (the five classes are lowercase, uppercase,
numbers, punctuation, and all other characters).
New password:

[ Now I enter abcdefghijkl (twice), which is unacceptable, and it
mentions only the first requirement which failed. ]

New password (again):
kpasswd: New password does not have enough character classes.
The character classes are:
	- lower-case letters,
	- upper-case letters,
	- digits,
	- punctuation, and
	- all other characters (e.g., control characters).
Please choose a password with at least 2 character classes.
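The behaviour Dane asked for (report every unmet requirement, not just the first one kpasswd happens to test) is straightforward to implement on top of the policy kpasswd prints above. The following Python is an added example written for this archive; it is not Fermilab's kpasswd nor MIT's password-policy code. It models the quoted policy (at least 10 characters from at least 2 of the 5 classes) and stands in for the cracklib dictionary test with a small constructed word list, which is an assumption made only so the example runs offline.

```python
"""Password-policy feedback that reports every unmet requirement at once.

Added example for this thread; it is not Fermilab's kpasswd nor MIT's
password-policy code.  It models the policy kpasswd prints above
(minimum 10 characters from at least 2 of 5 character classes) and
returns ALL failed requirements rather than stopping at the first.
"""
import string

MIN_LENGTH = 10
MIN_CLASSES = 2
CLASS_NAMES = ("lowercase", "uppercase", "digits", "punctuation", "other")

# Stand-in for the cracklib dictionary test, which the thread says is hard
# to describe in a few words.  Constructed for this example; a real
# deployment uses cracklib's own word lists instead.
CONSTRUCTED_WORDLIST = frozenset({"password", "kerberos", "fermilab", "abcdefghijkl"})


def character_classes(password):
    """Return the set of policy classes present in *password*."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lowercase")
        elif ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("digits")
        elif ch in string.punctuation:
            classes.add("punctuation")
        else:                      # control characters, space, non-ASCII, ...
            classes.add("other")
    return classes


def check_password(password, wordlist=CONSTRUCTED_WORDLIST):
    """Return a list of (code, message) for every requirement not met.

    An empty list means the password satisfies the modelled policy.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(("length",
                         f"has {len(password)} characters; policy requires "
                         f"at least {MIN_LENGTH}"))
    classes = character_classes(password)
    if len(classes) < MIN_CLASSES:
        failures.append(("classes",
                         f"uses {len(classes)} character class(es) "
                         f"({', '.join(sorted(classes)) or 'none'}); policy "
                         f"requires at least {MIN_CLASSES} of: "
                         f"{', '.join(CLASS_NAMES)}"))
    if password.lower() in wordlist:
        failures.append(("dictionary",
                         "appears in the dictionary (cracklib-style test)"))
    return failures


def feedback(password):
    """Format the result the way the thread asks: all requirements, every time."""
    failures = check_password(password)
    lines = ["Policy: at least %d characters from at least %d of these classes: %s"
             % (MIN_LENGTH, MIN_CLASSES, ", ".join(CLASS_NAMES))]
    if not failures:
        lines.append("New password accepted.")
    else:
        lines.append("New password rejected because it:")
        lines.extend(f"  - {msg}" for _, msg in failures)
    return "\n".join(lines)


if __name__ == "__main__":
    # Matt's example from the thread: one class only, and a dictionary hit,
    # both reported in a single round trip.
    print(feedback("abcdefghijkl"))
```

The point of returning a list rather than the first failure is exactly the iteration cost Dane describes: a user who fixes only the reported problem may immediately fail on the next one. Printing the full policy line on every rejection costs nothing and removes that loop.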
From kreymer@fnal.gov Tue May 16 11:03:23 2000 -0500
Date: Tue, 16 May 2000 17:02:00 +0100
From: Armin Reichold
Subject: Problems with permissions on fcdfsgi2 for run2 software builds
To: kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov, cdf_comp_upg@fnal.gov
Cc: Ian McArthur , "Armin Reichold (E-mail)" , "David Waters (E-mail)" , "Giulia Manca (E-mail)" , "hud-hud-e-jAn\"\\ (E-mail)" , "Jim Loken (E-mail)" , Louis Lyons , Matthew Martin , Peter
Renton , "Todd Huffman (E-mail)" , "Tracey Pratt (E-mail)"

Dear Experts

I can not perform a gmake command of for example the TrackingMods package on
fcdfsgi2 when I log in via kerberos. But when I log in via a double slogin
through cdfsga I can do the gmake no problem. I am using kerberos from an NT
machine via a ktelnet (from the exceed 6.2 suite with Kerberos V5 patches).
I then create an xterminal that is going to my standard exceed x-session.
I do notice a strange behaviour during my kinit's. FCDFSGI2 is first asking
me to provide my password and then, after I entered it, it asks me to
answer a challenge too. I just ignore the challenge and connections can be
established ok but my permissions seem to be somewhat screwed up. I need
some immediate assistance with this problem which I have reported before but
it apparently still persists.

***************************************************************************
Here is the transcript of what I get when I log in via Kerberos and try to
do a gmake:

fcdfsgi2:/cdf/home/reichold/work/dummy(6)>gmake lib; gmake tbin
<**lib**>
<**lib**> TrackingMods
<**compiling**> CTDumpModule.cc
"/cdf/home/reichold/work/dummy/TrackingMods/src/CTDumpModule.cc", line 294:
warning:
          variable "xTrk" was set but never used
    double arg, phiTrk, xTrk, yTrk;
                        ^

"/cdf/home/reichold/work/dummy/TrackingMods/src/CTDumpModule.cc", line 294:
warning:
          variable "yTrk" was set but never used
    double arg, phiTrk, xTrk, yTrk;
                              ^

2396440:/usr/lib32/cmplrs/be: rld: Fatal Error: Cannot Successfully map
soname 'be.so' under any of the filenames
/usr/lib32/be.so:/usr/lib32/internal/be.so:/lib32/be.so:/opt/lib32/be.so:/us
r/lib32/be.so.1:/usr/lib32/internal/be.so.1:/lib32/be.so.1:/opt/lib32/be.so.
1:
cc INTERNAL ERROR: /usr/lib32/cmplrs/be returned non-zero status 1
/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/libTrackingMods
-static/CTDumpModule.o: No such file or directory
KCC: Object post-processor failed.
gmake[3]: ***
[/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/libTrackingMod
s-static/CTDumpModule.o] Error 1
gmake[2]: *** [src.lib] Error 2
gmake[1]: *** [TrackingMods.lib] Error 2
gmake: *** [lib] Error 2
<**tbin**>
<**tbin**> TrackingMods
<**compiling**> testSiBanks.cc
"/cdf/home/reichold/work/dummy/TrackingMods/test/testSiBanks.cc", line 42:
warning:
          variable "rcsid" was declared but never referenced
  static const char rcsid[] = "AppUserBuild.cc,v 1.6 1996/02/19 06:17:12
jake Exp";
                    ^

2396843:/usr/lib32/cmplrs/be: rld: Fatal Error: Cannot Successfully map
soname 'be.so' under any of the filenames
/usr/lib32/be.so:/usr/lib32/internal/be.so:/lib32/be.so:/opt/lib32/be.so:/us
r/lib32/be.so.1:/usr/lib32/internal/be.so.1:/lib32/be.so.1:/opt/lib32/be.so.
1:
cc INTERNAL ERROR: /usr/lib32/cmplrs/be returned non-zero status 1
/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/testSiBanks.o:
No such file or directory
KCC: Object post-processor failed.
gmake[3]: ***
[/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/testSiBanks.o]
Error 1
gmake[2]: *** [test.tbin] Error 2
gmake[1]: *** [TrackingMods.tbin] Error 2
gmake: *** [tbin] Error 2

*************************************************
* Dr. Armin Reichold            | private:      *
* Research Officer              | 17 Frys Hill  *
* University of Oxford          | Oxford        *
* Particle & Nuclear Phys. Lab. | OX4 7GW       *
* 1 Keble Road                  | UK            *
* Oxford OX1 3RH                                *
* UK                                            *
* Room 612                                      *
*                                               *
* Tel. : +44-(0)1865-273358...(office)          *
* Tel. : +44-(0)1865-434856...(private)         *
* Mobile: +44-(0)7930-431102...(emergency only) *
* Fax. : +44-(0)1865-273418...(office)          *
* E-Mail: a.reichold1@physics.ox.ac.uk          *
* Netmeeting: ppnt67.physics.ox.ac.uk (business)*
* ---//--- Dir.
Server: webnt.physics.ox.ac.uk *
*************************************************

From kreymer@fnal.gov Tue May 16 11:50:42 2000 -0500
Date: Tue, 16 May 2000 11:51:00 -0500
From: Glenn Cooper
Subject: Re: Problems with permissions on fcdfsgi2 for run2 software builds
To: Armin Reichold
Cc: kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov, cdf_comp_upg@fnal.gov, Ian McArthur , "David Waters (E-mail)" , "Giulia Manca (E-mail)" , "hud-hud-e-jAn\"\\ (E-mail)" , "Jim Loken (E-mail)" , Louis Lyons , Matthew Martin , Peter Renton , "Todd Huffman (E-mail)" , "Tracey Pratt (E-mail)"
Reply-to: gcooper@fnal.gov
Hi Armin,

This is a known problem caused by an interaction between our kerberized
telnetd and something in IRIX called "capabilities", with the result that
some environment variables like LD_LIBRARY_PATH are ignored.  We have been
trying for some time to get a permanent solution from SGI, but we don't
have one yet.  The workarounds are:

1) Use (kerberized) rlogin/rsh, rather than telnet, to connect.  Or
   slogin/ssh via cdfsga also works.

2) If using telnet, immediately su to yourself--e.g., "su reichold"--
   after logging in.  This resets your capabilities and restores use of
   LD_LIBRARY_PATH etc.

Sorry for the confusion.  We are trying to push hard for a real solution;
I'll let you know when we have one.

Glenn

On Tue, 16 May 2000, Armin Reichold wrote:

> Dear Experts
> I can not perform a gmake command of for example the TrackingMods package on
> fcdfsgi2 when I log in via kerberos. But when I log in via a double slogin
> through cdfsga I can do the gmake no problem. I am using kerberos from an NT
> machine via a ktelnet (from the exceed 6.2 suite with Kerberos V5 patches).
> I then create an xterminal that is going to my standard exceed x-session.
> I do notice a strange behaviour during my kinit's. FCDFSGI2 is first asking
> me to provide my password and then, after I entered it, it asks me to
> answer a challenge too. I just ignore the challenge and connections can be
> established ok but my permissions seem to be somewhat screwed up. I need
> some immediate assistance with this problem which I have reported before but
> it apparently still persists.
>
> ***************************************************************************
> Here is the transcript of what I get when I log in via Kerberos and try to
> do a gmake:
> fcdfsgi2:/cdf/home/reichold/work/dummy(6)>gmake lib; gmake tbin
> <**lib**>
> <**lib**> TrackingMods
> <**compiling**> CTDumpModule.cc
> "/cdf/home/reichold/work/dummy/TrackingMods/src/CTDumpModule.cc", line 294:
> warning:
>           variable "xTrk" was set but never used
>     double arg, phiTrk, xTrk, yTrk;
>                         ^
>
> "/cdf/home/reichold/work/dummy/TrackingMods/src/CTDumpModule.cc", line 294:
> warning:
>           variable "yTrk" was set but never used
>     double arg, phiTrk, xTrk, yTrk;
>                               ^
>
> 2396440:/usr/lib32/cmplrs/be: rld: Fatal Error: Cannot Successfully map
> soname 'be.so' under any of the filenames
> /usr/lib32/be.so:/usr/lib32/internal/be.so:/lib32/be.so:/opt/lib32/be.so:/us
> r/lib32/be.so.1:/usr/lib32/internal/be.so.1:/lib32/be.so.1:/opt/lib32/be.so.
> 1:
> cc INTERNAL ERROR: /usr/lib32/cmplrs/be returned non-zero status 1
> /cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/libTrackingMods
> -static/CTDumpModule.o: No such file or directory
> KCC: Object post-processor failed.
> gmake[3]: ***
> [/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/libTrackingMod
> s-static/CTDumpModule.o] Error 1
> gmake[2]: *** [src.lib] Error 2
> gmake[1]: *** [TrackingMods.lib] Error 2
> gmake: *** [lib] Error 2
> <**tbin**>
> <**tbin**> TrackingMods
> <**compiling**> testSiBanks.cc
> "/cdf/home/reichold/work/dummy/TrackingMods/test/testSiBanks.cc", line 42:
> warning:
>           variable "rcsid" was declared but never referenced
>   static const char rcsid[] = "AppUserBuild.cc,v 1.6 1996/02/19 06:17:12
> jake Exp";
>                     ^
>
> 2396843:/usr/lib32/cmplrs/be: rld: Fatal Error: Cannot Successfully map
> soname 'be.so' under any of the filenames
> /usr/lib32/be.so:/usr/lib32/internal/be.so:/lib32/be.so:/opt/lib32/be.so:/us
> r/lib32/be.so.1:/usr/lib32/internal/be.so.1:/lib32/be.so.1:/opt/lib32/be.so.
> 1:
> cc INTERNAL ERROR: /usr/lib32/cmplrs/be returned non-zero status 1
> /cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/testSiBanks.o:
> No such file or directory
> KCC: Object post-processor failed.
> gmake[3]: ***
> [/cdf/home/reichold/work/dummy/tmp/IRIX6-KCC_3_3/TrackingMods/testSiBanks.o]
> Error 1
> gmake[2]: *** [test.tbin] Error 2
> gmake[1]: *** [TrackingMods.tbin] Error 2
> gmake: *** [tbin] Error 2
>
> *************************************************
> * Dr. Armin Reichold            | private:      *
> * Research Officer              | 17 Frys Hill  *
> * University of Oxford          | Oxford        *
> * Particle & Nuclear Phys. Lab. | OX4 7GW       *
> * 1 Keble Road                  | UK            *
> * Oxford OX1 3RH                                *
> * UK                                            *
> * Room 612                                      *
> *                                               *
> * Tel. : +44-(0)1865-273358...(office)          *
> * Tel. : +44-(0)1865-434856...(private)         *
> * Mobile: +44-(0)7930-431102...(emergency only) *
> * Fax. : +44-(0)1865-273418...(office)          *
> * E-Mail: a.reichold1@physics.ox.ac.uk          *
> * Netmeeting: ppnt67.physics.ox.ac.uk (business)*
> * ---//--- Dir.
Server: webnt.physics.ox.ac.uk *
> *************************************************
>

From kreymer@fnal.gov Tue May 16 12:11:47 2000 -0500
Date: Tue, 16 May 2000 12:11:33 -0500
From: Matt Crawford
Subject: Re: Problems with permissions on fcdfsgi2 for run2 software builds
In-reply-to: "16 May 2000 17:02:00 BST."
To: Armin Reichold , gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov, cdf_comp_upg@fnal.gov, Ian McArthur , "David Waters (E-mail)" , "Giulia Manca (E-mail)" , "hud-hud-e-jAn\"\\ (E-mail)" , "Jim Loken (E-mail)" , Louis Lyons , Matthew Martin , Peter Renton , "Todd Huffman (E-mail)" , "Tracey Pratt (E-mail)"
Message-id: <200005161711.MAA02152@gungnir.fnal.gov>

Armin,

Many things to say about this ...

1. I am just catching up on email after a vacation.  I didn't recall any
earlier message from you about this problem, but Glenn Cooper has been
working on it since mid-February.  He's the one who understands the most
about this problem, which stems from SGI's introduction of something they
call "capabilities".  (Eg: CAP_COMPILE_FORTRAN_ON_WEEKENDS or some such
minutiae.)

2. Regarding
> I am using kerberos from an NT machine via a ktelnet (from the exceed
> 6.2 suite with Kerberos V5 patches). I then create an xterminal that
> is going to my standard exceed x-session. I do notice a strange
> behaviour during my kinit's.

Am I to understand that you open an xterm window running on fcdfsgi2,
displayed on your PC, and then IN THAT WINDOW you type "kinit" and your
Kerberos password??  Aren't the implications of this obvious?

3. Regarding
> FCDFSGI2 is first asking me to provide my password and then, after I
> entered it, it asks me to answer a challenge too. I just ignore the
> challenge and connections can be established ok

That tells me that fcdfsgi2 is running Fermi Kerberos v0_3 or earlier.
v0_5 has been current for some weeks now.  But I can assure you that
ignoring the challenge works fine.

> but my permissions seem to be somewhat screwed up.

The permissions on your files?  Your unix gid set?  Or are you seeing
clear signs of this capability problem?
From kreymer@fnal.gov Tue May 16 17:00:49 2000 -0500
Date: Tue, 16 May 2000 17:00:42 -0500
From: Matt Crawford
Subject: Re: kerberos v0_5 is ready for you to test
In-reply-to: "27 Apr 2000 10:45:10 CDT." <"39086086.4A59EDF1"@fnal.gov>
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id: <200005162200.RAA04440@gungnir.fnal.gov>

(Catching up after vacation)

> I didn't cut and paste enough in my original mail - sorry. I have stopped
> and restarted the server, but still can't ssh in:
> [...]
> Something is running:
> odsmev.fnal.gov(root) % zap -l ssh
>   PID UID       COMMAND
>  2142 amundson  :00 [ssh-agent]
>  2565 moore     :00 [ssh-agent]
> 14174 amundson  :00 [ssh-agent]
> 14261 amundson  :00 [ssh-agent]
>  9731 root      :00 sshd
> 10875 root      :00 sshd

If anyone made an ssh connection before you stopped & started sshd,
there will be an sshd process for each such user.  I suspect
something's not quite right in the /etc/rc.d/init.d/sshd.init script
when it comes to restarting sshd.  Your later message says sshd
started all right upon reboot.

Your clock problem has apparently been solved leaving just the
initial console login.  I believe it's the case that none of our
Fermi Kerberos installation procedures to date take the step of
replacing the system login program with the Kerberos one.  Several
people, including me, have made that step by hand without any
troubles reported, so I think we're ready to take the plunge and put
that onto the change list for the next release.  Any dissent?

From kreymer@fnal.gov Tue May 16 17:18:35 2000 -0500
Date: Tue, 16 May 2000 17:18:30 -0500
From: Margaret Votava
Subject: Re: kerberos v0_5 is ready for you to test
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3921C936.36569414@fnal.gov>
Organization: Fermilab
References: <200005162200.RAA04440@gungnir.fnal.gov>

hi,

in addition to the console login issue, i still haven't been able to run
cron jobs yet - issues with systools and cmd.

my opinion on console login -

- how dead will my desktop be if the kerberos ticketing machine is down?
  can i still log into local accounts? if my desktop is totally reliant
  on it, then i'm not so anxious.

- unless the default ticket length is extended from 13 hours, i don't see
  an advantage to replace the login program. i would immediately do a
  kinit -r 7d upon login anyway. it means that i type in my super duper
  secure password yet another time.

thanks,
margaret

Matt Crawford wrote:
>
> (Catching up after vacation)
>
> > I didn't cut and paste enough in my original mail - sorry. I have stopped
> > and restarted the server, but still can't ssh in:
> > [...]
> > Something is running:
> > odsmev.fnal.gov(root) % zap -l ssh
> >   PID UID       COMMAND
> >  2142 amundson  :00 [ssh-agent]
> >  2565 moore     :00 [ssh-agent]
> > 14174 amundson  :00 [ssh-agent]
> > 14261 amundson  :00 [ssh-agent]
> >  9731 root      :00 sshd
> > 10875 root      :00 sshd
>
> If anyone made an ssh connection before you stopped & started sshd,
> there will be an sshd process for each such user.
> I suspect something's not quite right in the /etc/rc.d/init.d/sshd.init script
> when it comes to restarting sshd.  Your later message says sshd
> started all right upon reboot.
>
> Your clock problem has apparently been solved leaving just the
> initial console login.  I believe it's the case that none of our
> Fermi Kerberos installation procedures to date take the step of
> replacing the system login program with the Kerberos one.  Several
> people, including me, have made that step by hand without any
> troubles reported, so I think we're ready to take the plunge and put
> that onto the change list for the next release.  Any dissent?

From kreymer@fnal.gov Tue May 16 17:46:20 2000 -0500
Date: Tue, 16 May 2000 17:46:10 -0500
From: Matt Crawford
Subject: Re: kerberos v0_5 is ready for you to test
In-reply-to: "16 May 2000 17:18:30 CDT." <"3921C936.36569414"@fnal.gov>
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id: <200005162246.RAA04835@gungnir.fnal.gov>

> in addition to the console login issue, i still haven't
> been able to run cron jobs yet - issues with systools and cmd.

Ah, right.  A non-systools version of kcroninit is in the works.

> my opinion on console login -
>
> - how dead will my desktop be if the kerberos ticketing machine is
>   down? can i still log into local accounts? if my desktop is
>   totally reliant on it, then i'm not so anxious.

If the password you enter is not your kerberos password, or if there's
no response from a KDC, it will try that password against the local
(or NIS) password file.  If the username is "root" it skips the
Kerberos attempt entirely and goes right to the local method.

This means that if all the KDCs are down (or unreachable) and you
didn't know that in advance, you'll try once with your kerberos
password and then have to try again with your unix password.

> - unless the default ticket length is extended from 13 hours, i
>   don't see an advantage to replace the login program. i would
>   immediately do a kinit -r 7d upon login anyway. it means that
>   i type in my super duper secure password yet another time.

That's under control of some lines in your /etc/krb5.conf.  I have
mine set to:

[appdefaults]
	default_lifetime = 5d
	...
	login = {
		krb5_get_tickets = true
		forwardable = true
		renewable = true
		...
	}
	...

The fact that 5d > 13h and "renewable = true" means I wind up with a
5 day renewable ticket upon console login.
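To see what a client's krb5.conf actually asks for at console login, here is an added Python example for this archive (not MIT Kerberos code and not part of the Fermi Kerberos product). It parses the [appdefaults] stanza Matt shows above, including the nested login = { ... } block, converts the 5d and 13h durations to seconds, and reports whether the login program will request tickets, for how long, and with which flags. The sample configuration is constructed from the snippet in the message (PILOT.FNAL.GOV is the realm named elsewhere in this archive); the duration syntax handled (d/h/m/s tokens and bare seconds) is an approximation of MIT's, and whatever the client requests is still subject to the KDC's own maximum lifetimes.

```python
"""Read the [appdefaults] stanza of a krb5.conf and report what console
login will request.

Added example for this thread; it is not MIT Kerberos code and not part of
the Fermi Kerberos product.  The profile parser handles the subset of
krb5.conf syntax used in the snippet above ([section], tag = value, and
nested tag = { ... } blocks); the duration parser accepts d/h/m/s tokens
and bare seconds, an approximation of MIT's syntax (assumption).
"""
import re

# Constructed from the snippet in the thread; PILOT.FNAL.GOV is the realm
# named elsewhere in this archive.
CONSTRUCTED_KRB5_CONF = """
[libdefaults]
	default_realm = PILOT.FNAL.GOV

[appdefaults]
	default_lifetime = 5d
	login = {
		krb5_get_tickets = true
		forwardable = true
		renewable = true
	}
"""

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1, "": 1}


def parse_duration(text):
    """'5d' -> 432000, '13h' -> 46800, '1h30m' -> 5400, '600' -> 600."""
    return sum(int(n) * _UNIT_SECONDS[u]
               for n, u in re.findall(r"(\d+)\s*([dhms]?)", text))


def parse_krb5_conf(text):
    """Return {section: {tag: value | {nested...}}} for a krb5.conf profile."""
    root, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "...":
            continue                      # blank, comment, or elided line
        if line.startswith("[") and line.endswith("]"):
            stack = [root.setdefault(line[1:-1], {})]
            continue
        if line == "}":
            stack.pop()                   # close a nested block
            continue
        if not stack:
            raise ValueError(f"tag outside any section: {line!r}")
        tag, _, value = line.partition("=")
        tag, value = tag.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(tag, {}))
        else:
            stack[-1][tag] = value
    return root


def _is_true(value):
    """Boolean spellings accepted by the MIT profile library."""
    return str(value).strip().lower() in ("true", "t", "yes", "y", "on", "1")


def console_login_ticket(conf, fallback_lifetime="13h"):
    """What the login program will ask the KDC for, per this client config.

    Returns None when login is configured not to obtain tickets.  The KDC's
    own max_life / max_renewable_life can still cap the ticket actually
    issued; this reports only the client-side request.  The 13h fallback
    is the default ticket length mentioned in the thread.
    """
    app = conf.get("appdefaults", {})
    login = app.get("login", {})
    if not _is_true(login.get("krb5_get_tickets", "false")):
        return None
    lifetime = parse_duration(
        login.get("default_lifetime", app.get("default_lifetime", fallback_lifetime)))
    return {
        "lifetime_seconds": lifetime,
        "exceeds_13h_default": lifetime > parse_duration("13h"),
        "renewable": _is_true(login.get("renewable", "false")),
        "forwardable": _is_true(login.get("forwardable", "false")),
    }


if __name__ == "__main__":
    print(console_login_ticket(parse_krb5_conf(CONSTRUCTED_KRB5_CONF)))
```

Run against the constructed file it reports a 5-day (432000 s), renewable, forwardable request, which is the "5d > 13h" outcome Matt describes; flip krb5_get_tickets to false and it returns None, the case Margaret is worried about where console login does nothing Kerberos-related.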
From kreymer@fnal.gov Wed May 17 15:45:10 2000 -0500
Date: Wed, 17 May 2000 15:45:02 -0500
From: Matt Crawford
Subject: Re: remote xemacs
In-reply-to: "27 Apr 2000 12:49:31 MDT." <"200004271849.MAA00610"@dot.phys.unm.edu>
To: Michael Gold
Cc: kerberos-pilot@fnal.gov
Message-id: <200005172045.PAA10571@gungnir.fnal.gov>

I'm having a look into this.  Are you using xemacs' "efs" or the older
"ange-ftp" to access remote files?
From kreymer@fnal.gov Thu May 18 03:04:08 2000 -0500
Date: Thu, 18 May 2000 09:03:55 +0100
From: Armin Reichold
Subject: FW: CERT Advisory CA-2000-06
To: kerberos-pilot@fnal.gov
Cc: Ian McArthur , Todd Huffman
Dear All,

I believe the below message indicating vulnerabilities of kerberos systems
has reached fermilab kerberos experts well before it reaches me, however,
this may prove to be a good test point to how fast and consistent we can
close these holes in the Fermilab kerberos domains and whether our support
strategy is up to speed to progress any required changes to any of the up
to now very few hosts participating in the pilot phase, be it as clients or
as parts of the strengthened realm.

I believe fixing these problems is no more urgent as "secure" systems are
much more of an interesting challenge to real hackers than insecure ones
and I expect attempts to exploit these weaknesses to start rather soon.

Cheers

Armin

*************************************************
* Dr. Armin Reichold            | private:      *
* Research Officer              | 17 Frys Hill  *
* University of Oxford          | Oxford        *
* Particle & Nuclear Phys. Lab. | OX4 7GW       *
* 1 Keble Road                  | UK            *
* Oxford OX1 3RH                                *
* UK                                            *
* Room 612                                      *
*                                               *
* Tel. : +44-(0)1865-273358...(office)          *
* Tel. : +44-(0)1865-434856...(private)         *
* Mobile: +44-(0)7930-431102...(emergency only) *
* Fax. : +44-(0)1865-273418...(office)          *
* E-Mail: a.reichold1@physics.ox.ac.uk          *
* Netmeeting: ppnt67.physics.ox.ac.uk (business)*
* ---//--- Dir. Server: webnt.physics.ox.ac.uk  *
*************************************************

-----Original Message-----
From: CERT Advisory [mailto:cert-advisory@cert.org]
Sent: 18 May 2000 03:44
To: cert-advisory@cert.org
Subject: CERT Advisory CA-2000-06

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Authenticated Services

   Original release date: May 17, 2000
   Last revised: --
   Source: The MIT Kerberos Team, CERT/CC

   A complete revision history is at the end of this file.
Systems Affected

* Systems running services authenticated via Kerberos 4
* Some systems running services authenticated via Kerberos 5
* Systems running the Kerberized remote shell daemon (krshd)
* Systems with the Kerberos 5 ksu utility installed
* Systems with the Kerberos 5 v4rcp utility installed

Overview

The CERT Coordination Center has recently been notified of several buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Center (KDC) system, the entire Kerberos domain may be compromised.

I. Description

There are at least four distinct vulnerabilities in various versions and implementations of the Kerberos software. All of these vulnerabilities may be exploited to obtain root privileges.

Buffer overflow in krb_rd_req() library function

This vulnerability is present in version 4 of Kerberos. It is also present in version 5 (in the version 4 compatibility code). This vulnerability can be exploited in services using version 4 or 5 when they perform version 4 authentication. This vulnerability may also be exploited locally via the v4rcp setuid root program of Kerberos 5. This vulnerability may be exploitable in version 4. This vulnerability is exploitable in version 5 in conjunction with the krb425_conv_principal() vulnerability, described below.

Buffer overflow in krb425_conv_principal() library function

This vulnerability is present in version 5's backward compatibility code. This vulnerability is known to be exploitable in version 5 in conjunction with an exploit of the krb_rd_req() vulnerability.

Buffer overflow in krshd

This vulnerability is only present in version 5. This vulnerability is not related to the previous two vulnerabilities.
Buffer overflow in ksu

This vulnerability is only present in version 5, and is corrected in krb5-1.1.1 and krb5-1.0.7-beta1. The ksu vulnerability is unrelated to the other vulnerabilities.

The MIT Kerberos Team Advisory

The MIT Kerberos Team described these vulnerabilities in detail in an advisory they recently issued. The text of this advisory is included below.

| SUMMARY

Serious buffer overrun vulnerabilities exist in many implementations of Kerberos 4, including implementations included for backwards compatibility in Kerberos 5 implementations. Other less serious buffer overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS 4 IMPLEMENTATIONS derived from MIT sources are believed to be vulnerable.

IMPACT

* A remote user may gain unauthorized root access to a machine running services authenticated with Kerberos 4.
* A remote user may gain unauthorized root access to a machine running krshd, regardless of whether the program is configured to accept Kerberos 4 authentication.
* A local user may gain unauthorized root access by exploiting v4rcp or ksu.

DETAILS

The MIT Kerberos Team has been made aware of a security vulnerability in the Kerberos 4 compatibility code contained within the MIT Kerberos 5 source distributions. This vulnerability consists of a buffer overrun in the krb_rd_req() function, which is used by essentially all Kerberos-authenticated services that use Kerberos 4 for authentication. It is possible for an attacker to gain root access over the network by exploiting this vulnerability. An exploit is known to exist for the Kerberized Berkeley remote shell daemon (krshd) for at least the i386-Linux platform, and possibly others. The extent of distribution of this exploit is unknown at this time. Other buffer overruns have been discovered as well, though with less far-reaching impact.
The existing exploit does not directly use the buffer overrun in krb_rd_req(); rather, it uses the buffer that was overrun by krb_rd_req() to exploit a second overrun in krb425_conv_principal(). The krb_rd_req() code itself might not be exploitable once the overrun in krb425_conv_principal() is repaired, though it is likely that some other method of exploit may be found that does not require that an overrun exist in krb425_conv_principal().

VULNERABLE DISTRIBUTIONS AND PROGRAMS

Source distributions which may contain vulnerable code include:

* MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
* MIT Kerberos 4 patch 10, and likely earlier releases as well
* KerbNet (Cygnus implementation of Kerberos 5)
* Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)

Daemons or services that may call krb_rd_req() and are thus vulnerable to remote exploit include:

    krshd
    klogind (if accepting Kerberos 4 authentication)
    telnetd (if accepting Kerberos 4 authentication)
    ftpd (if accepting Kerberos 4 authentication)
    rkinitd
    kpopd

In addition, it is possible that the v4rcp program, which is usually installed setuid to root, may be exploited by a local user to gain root access by means of exploiting the krb_rd_req vulnerability.

The ksu program in some MIT Kerberos 5 releases has a vulnerability that may result in unauthorized local root access. This bug was fixed in krb5-1.1.1, as well as in krb5-1.0.7-beta1. Release krb5-1.1, as well as krb5-1.0.6 and earlier, are believed to be vulnerable.

There is an unrelated buffer overrun in the krshd that is distributed with at least the MIT Kerberos 5 source distributions. It is not known whether an exploit exists for this buffer overrun. It is also not known whether this buffer overrun is actually exploitable.

WORKAROUNDS

Certain daemons that are called from inetd may be safe from exploitation if their command line invocation is modified to exclude the use of Kerberos 4 for authentication.
Please consult the manpages or other documentation for your Kerberos distribution in order to determine the correct command line for disabling Kerberos 4 authentication. Daemons for which this approach may work include:

    krshd (*)
    klogind
    telnetd

(*) The krshd program may still be vulnerable to remote attack if Kerberos 4 authentication is disabled, due to the unrelated buffer overrun mentioned above. It is best to disable the krshd program completely until a patched version can be installed.

The v4rcp program should have its setuid permission removed, since it may be possible to perform a local exploit against it.

The krb5 ksu program should have its setuid permission removed, if it was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code. Merely replacing the ksu binary with one compiled from krb5-1.1.1 or krb5-1.0.7-beta1 should be safe, provided that it is not compiled with shared libraries (the vulnerability is related to some library bugs). If ksu was compiled with shared libraries, it may be best to install a new release that has the library bug fixed.

In the MIT Kerberos 5 releases, it may not be possible to disable Kerberos 4 authentication in the ftpd program. Note that only releases krb5-1.1 and later will have the ability to receive Kerberos 4 authentication.

FIXES

The best course of action is to patch the code in the krb4 library, in addition to patching the code in the krshd program. The following patches include some less essential patches that also affect buffer overruns in potentially vulnerable code, but for which exploits are somewhat more difficult to construct.

Please note that there are two sets of patches in this file that apply against identically named files in two different releases. You should separate out the patch set that is relevant to you prior to applying them; otherwise, you may inadvertently patch some files twice.

MIT will soon release krb5-1.2, which will have these changes incorporated.
PATCHES AGAINST krb5-1.0.x

The following are patches against 1.0.7-beta1 (roughly). The most critical ones are:

    appl/bsd/krshd.c
    lib/krb4/rd_req.c
    lib/krb5/krb/conv_princ.c

The rest are not as important but you may wish to apply them anyway out of paranoia. These patches may apply with a little bit of fuzz against releases prior to krb5-1.0.7-beta1, but there likely have not been significant changes in the affected code. These patches may also apply against KerbNet. The lib/krb4/rd_req.c patch may also apply against CNS and MIT Kerberos 4.

[Patches to correct this issue in Kerberos version 5-1.0.x were included at this point in the MIT advisory. The CERT Coordination Center has made these patches available at the following link: http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt -- CERT/CC]

| PATCHES AGAINST krb5-1.1.1

The following are patches against 1.1.1. The most critical ones are:

    appl/bsd/krshd.c
    lib/krb4/rd_req.c
    lib/krb5/krb/conv_princ.c

IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1, but we recommend krb5-1.1.1 if you are going to upgrade at all) and compile the source tree with the --without-krb4 option, then you will also want to install the patch to login.c that is also provided below.

The rest are not as important but you may wish to apply them anyway out of paranoia.

[Patches to correct this issue in Kerberos version 5-1.1.1 were included at this point in the MIT advisory. The CERT Coordination Center has made these patches available at the following link: http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt -- CERT/CC]

| ACKNOWLEDGMENTS

Thanks to Jim Paris (MIT class of 2003) for pointing out the krb_rd_req() vulnerability. Thanks to Nalin Dahyabhai of Redhat for pointing out some other buffer overruns and coming up with patches.

The full text of the MIT Kerberos Team advisory is also available from: http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

II. Impact

The most significant impact of these vulnerabilities may allow a remote intruder to gain root access to systems running vulnerable services, including the KDC for the domain.

Buffer overflow in krb_rd_req() library function

This vulnerability may be exploited by remote users to gain root privileges on systems running services linked against the vulnerable library. As MIT indicated, these services include (but may not be limited to):

    krshd
    klogind (if accepting Kerberos 4 authentication)
    telnetd (if accepting Kerberos 4 authentication)
    ftpd (if accepting Kerberos 4 authentication)
    rkinitd
    kpopd

Local users can execute arbitrary code as root on systems where v4rcp is installed setuid root.

Buffer overflow in krb425_conv_principal() library function

This vulnerability can be exploited by remote users in conjunction with the krb_rd_req vulnerability to gain root privileges on systems running services linked against the vulnerable library.

Buffer overflow in krshd

Remote users may be able to execute arbitrary code as root on systems running a vulnerable version of krshd.

Buffer overflow in ksu

Local users can gain root privileges by exploiting the buffer overflow in ksu.

III. Solution

Apply a patch from your vendor

Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly.

Apply the MIT patches

If you are running the Kerberos 5 distribution from MIT, and can rebuild your binaries from source, you can apply the source code patches from MIT to correct these problems. If you are running Kerberos version 4, you may be able to patch your source code based on the version 5 patch provided by MIT. Only the patches for the krb_rd_req() vulnerability need to be applied to version 4 to address the issues described in this advisory.
With either version, you will need to recompile the libraries and the vulnerable programs (krshd and ksu). You will also need to recompile any programs that have been statically linked with the vulnerable libraries. In version 4, you should also recompile the KDC server software.

These patches are available at:

    http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt
    http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt

Disable version 4 authentication in version 5 if possible

As suggested by MIT, version 4 authentication in some daemons can be disabled at run time by supplying command line options to these programs when started by inetd. This approach may work for the following daemons:

    krshd
    klogind
    telnetd

This addresses the krb_rd_req() and krb425_conv_principal() vulnerabilities. Note that krshd may still be vulnerable to the krshd specific vulnerability described in this document.

Upgrade to MIT Kerberos 5 version 1.2

The vulnerabilities described in this advisory will be addressed in Kerberos 5 version 1.2. This version will be available from the MIT Kerberos web site: http://web.mit.edu/kerberos/www/

Appendix A. Vendor Information

Microsoft Corporation

No Microsoft products are affected by this vulnerability.

MIT Kerberos

The MIT Kerberos Team advisory on this topic is available from: http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

NetBSD

NetBSD has two codebases for crypto software, a legacy of the US's export laws until recently (and also some patent issues). The crypto-intl tree intended for use by those outside the US was not affected. For the crypto-us tree,

* krb5 was not affected
* krb4 was affected, and has been fixed in NetBSD-current since Jeff's announcement; this fix is making its way into the 1.4.x release branch. We will release an advisory and patches shortly.
In summary, users of NetBSD releases 1.4.2 and earlier or -current up until yesterday, who have installed the crypto-us "secr" set and who have enabled kerberos4, are vulnerable.

OpenBSD

OpenBSD uses the KTH Kerberos distribution, which has been reported to be not vulnerable.

Washington University

We do not distribute any "default" binaries which use Kerberos. In order to get Kerberos support, you must rebuild the software specifically to use Kerberos (the default build will not use Kerberos).

We believe that the University of Washington IMAP and POP3 servers are not vulnerable. The message from MIT specifically stated that the problem was in the Kerberos 4 routines from MIT. Kerberos support in these servers is based upon Kerberos 5, not Kerberos 4. UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls; Kerberos 4 routines are never called. There is an unsupported, contributed-code module for Kerberos 4 available in our software, but that is client only. We are not aware of the existence of any Kerberos 4 server code for UW imapd/ipop3d.

_________________________________________________________________

The CERT Coordination Center thanks Jeff Schiller and the MIT Kerberos Team for notifying us about this problem and their help in developing this advisory.

_________________________________________________________________

Cory Cohen and Jeff Havrilla were the primary authors of the CERT/CC portions of this document.

______________________________________________________________________

This document is available from: http://www.cert.org/advisories/CA-2000-06.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message.

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University, portions copyright MIT University.
Revision History

May 17, 2000: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOSNVWlr9kb5qlZHQEQIjRwCfepYRvrNqpyvLVu3nT3L9smypiA0An3FJ
H/bJQhVrnAnjknEma2pl9XQX
=sFsd
-----END PGP SIGNATURE-----

From kreymer@fnal.gov Thu May 18 07:36:23 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id HAA08195 for ; Thu, 18 May 2000 07:36:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJCWDACNU000AR4@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 07:36:19 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012A8B@listserv.fnal.gov>; Thu, 18 May 2000 07:33:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 13704 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 07:33:11 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012A8A@listserv.fnal.gov>; Thu, 18 May 2000 07:33:10 -0500 Received: from cdfsga.fnal.gov ([131.225.109.4]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJCXBFG5G0009K7@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 07:32:59 -0500 Received: (from niimi@localhost) by cdfsga.fnal.gov (8.9.3/8.9.0) id HAA25972; Thu, 18 May 2000 07:33:27 -0500 (CDT) Date: Thu, 18 May 2000 07:33:26 -0500 (CDT) From: "B. Todd Huffman" Subject: FW: CERT Advisory CA-2000-06 (fwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 299

Just in case this didn't get to someone in the Pilot.
Cheers, Todd -----Original Message----- From: CERT Advisory [mailto:cert-advisory@cert.org] Sent: 18 May 2000 03:44 To: cert-advisory@cert.org Subject: CERT Advisory CA-2000-06 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos Authenticated Services Original release date: May 17, 2000 Last revised: -- Source: The MIT Kerberos Team, CERT/CC A complete revision history is at the end of this file. Systems Affected * Systems running services authenticated via Kerberos 4 * Some systems running services authenticated via Kerberos 5 * Systems running the Kerberized remote shell daemon (krshd) * Systems with the Kerberos 5 ksu utility installed * Systems with the Kerberos 5 v4rcp utility installed Overview The CERT Coordination Center has recently been notified of several buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to gain root privileges on systems running services using Kerberos authentication. If vulnerable services are enabled on the Key Distribution Center (KDC) system, the entire Kerberos domain may be compromised. I. Description There are at least four distinct vulnerabilities in various versions and implementations of the Kerberos software. All of these vulnerabilities may be exploited to obtain root privileges. Buffer overflow in krb_rd_req() library function This vulnerability is present in version 4 of Kerberos. It is also present in version 5 (in the version 4 compatibility code). This vulnerability can be exploited in services using version 4 or 5 when they perform version 4 authentication. This vulnerability may also be exploited locally via the v4rcp setuid root program of Kerberos 5. This vulnerability may be exploitable in version 4. This vulnerability is exploitable in version 5 in conjunction with the krb425_conv_principal() vulnerability, described below. 
Buffer overflow in krb425_conv_principal() library function This vulnerability is present in version 5's backward compatibility code. This vulnerability is known to be exploitable in version 5 in conjunction with an exploit of the krb_rd_req() vulnerability. Buffer overflow in krshd This vulnerability is only present in version 5. This vulnerability is not related to the previous two vulnerabilities. Buffer overflow in ksu This vulnerability is only present in version 5, and is corrected in krb5-1.1.1 and krb5-1.0.7-beta1. The ksu vulnerability is unrelated to the other vulnerabilities. The MIT Kerberos Team Advisory The MIT Kerberos Team described these vulnerabilities in detail in an advisory they recently issued. The text of this advisory is included below. | SUMMARY Serious buffer overrun vulnerabilities exist in many implementations of Kerberos 4, including implementations included for backwards compatibility in Kerberos 5 implementations. Other less serious buffer overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS 4 IMPLEMENTATIONS derived from MIT sources are believed to be vulnerable. IMPACT * A remote user may gain unauthorized root access to a machine running services authenticated with Kerberos 4. * A remote user may gain unauthorized root access to a machine running krshd, regardless of whether the program is configured to accept Kerberos 4 authentication. * A local user may gain unauthorized root access by exploiting v4rcp or ksu. DETAILS The MIT Kerberos Team has been made aware of a security vulnerability in the Kerberos 4 compatibility code contained within the MIT Kerberos 5 source distributions. This vulnerability consists of a buffer overrun in the krb_rd_req() function, which is used by essentially all Kerberos-authenticated services that use Kerberos 4 for authentication. It is possible for an attacker to gain root access over the network by exploiting this vulnerability. 
An exploit is known to exist for the Kerberized Berkeley remote shell daemon (krshd) for at least the i386-Linux platform, and possibly others. The extent of distribution of this exploit is unknown at this time. Other buffer overruns have been discovered as well, though with less far-reaching impact. The existing exploit does not directly use the buffer overrun in krb_rd_req(); rather, it uses the buffer that was overrun by krb_rd_req() to exploit a second overrun in krb425_conv_principal(). The krb_rd_req() code itself might not be exploitable once the overrun in krb425_conv_principal() is repaired, though it is likely that some other method of exploit may be found that does not require that an overrun exist in krb425_conv_principal(). VULNERABLE DISTRIBUTIONS AND PROGRAMS Source distributions which may contain vulnerable code include: * MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1 * MIT Kerberos 4 patch 10, and likely earlier releases as well * KerbNet (Cygnus implementation of Kerberos 5) * Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4) Daemons or services that may call krb_rd_req() and are thus vulnerable to remote exploit include: krshd klogind (if accepting Kerberos 4 authentication) telnetd (if accepting Kerberos 4 authentication) ftpd (if accepting Kerberos 4 authentication) rkinitd kpopd In addition, it is possible that the v4rcp program, which is usually installed setuid to root, may be exploited by a local user to gain root access by means of exploiting the krb_rd_req vulnerability. The ksu program in some MIT Kerberos 5 releases has a vulnerability that may result in unauthorized local root access. This bug was fixed in krb5-1.1.1, as well as in krb5-1.0.7-beta1. Release krb5-1.1, as well as krb5-1.0.6 and earlier, are believed to be vulnerable. There is an unrelated buffer overrun in the krshd that is distributed with at least the MIT Kerberos 5 source distributions. 
It is not known whether an exploit exists for this buffer overrun. It is also not known whether this buffer overrun is actually exploitable. WORKAROUNDS Certain daemons that are called from inetd may be safe from exploitation if their command line invocation is modified to exclude the use of Kerberos 4 for authentication. Please consult the manpages or other documentation for your Kerberos distribution in order to determine the correct command line for disabling Kerberos 4 authentication. Daemons for which this approach may work include: krshd (*) klogind telnetd (*) The krshd program may still be vulnerable to remote attack if Kerberos 4 authentication is disabled, due to the unrelated buffer overrun mentioned above. It is best to disable the krshd program completely until a patched version can be installed. The v4rcp program should have its setuid permission removed, since it may be possible to perform a local exploit against it. The krb5 ksu program should have its setuid permission removed, if it was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code. Merely replacing the ksu binary with one compiled from krb5-1.1.1 or krb5-1.0.7-beta1 should be safe, provided that it is not compiled with shared libraries (the vulnerability is related to some library bugs). If ksu was compiled with shared libraries, it may be best to install a new release that has the library bug fixed. In the MIT Kerberos 5 releases, it may not be possible to disable Kerberos 4 authentication in the ftpd program. Note that only releases krb5-1.1 and later will have the ability to receive Kerberos 4 authentication. FIXES The best course of action is to patch the code in the krb4 library, in addition to patching the code in the krshd program. The following patches include some less essential patches that also affect buffer overruns in potentially vulnerable code, but for which exploits are somewhat more difficult to construct. 
Please note that there are two sets of patches in this file that apply against identically named files in two different releases. You should separate out the patch set that is relevant to you prior to applying them; otherwise, you may inadvertently patch some files twice. MIT will soon release krb5-1.2, which will have these changes incorporated. PATCHES AGAINST krb5-1.0.x The following are patches against 1.0.7-beta1 (roughly). The most critical ones are: appl/bsd/krshd.c lib/krb4/rd_req.c lib/krb5/krb/conv_princ.c The rest are not as important but you may wish to apply them anyway out of paranoia. These patches may apply with a little bit of fuzz against releases prior to krb5-1.0.7-beta1, but there likely have not been significant changes in the affected code. These patches may also apply against KerbNet. The lib/krb4/rd_req.c patch may also apply against CNS and MIT Kerberos 4. [Patches to correct this issue in Kerberos version 5-1.0.x were included at this point in the MIT advisory. The CERT Coordination Center has made these patches available at the following link: http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt -- CERT/CC] | PATCHES AGAINST krb5-1.1.1 The following are patches against 1.1.1. The most critical ones are: appl/bsd/krshd.c lib/krb4/rd_req.c lib/krb5/krb/conv_princ.c IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1, but we recommend krb5-1.1.1 if you are going to upgrade at all) and compile the source tree with the --without-krb4 option, then you will also want to install the patch to login.c that is also provided below. The rest are not as important but you may wish to apply them anyway out of paranoia. [Patches to correct this issue in Kerberos version 5-1.1.1 were included at this point in the MIT advisory. 
The CERT Coordination Center has made these patches available at the following link: http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt -- CERT/CC] | ACKNOWLEDGMENTS Thanks to Jim Paris (MIT class of 2003) for pointing out the krb_rd_req() vulnerability. Thanks to Nalin Dahyabhai of Redhat for pointing out some other buffer overruns and coming up with patches. The full text of the MIT Kerberos Team advisory is also available from: http://web.mit.edu/kerberos/www/advisories/krb4buf.txt II. Impact The most significant impact of these vulnerabilities may allow a remote intruder to gain root access to systems running vulnerable services, including the KDC for the domain. Buffer overflow in krb_rd_req() library function This vulnerability may be exploited by remote users to gain root privileges on systems running services linked against the vulnerable library. As MIT indicated, these services include (but may not be limited to): krshd klogind (if accepting Kerberos 4 authentication) telnetd (if accepting Kerberos 4 authentication) ftpd (if accepting Kerberos 4 authentication) rkinitd kpopd Local users can execute arbitrary code as root on systems where v4rcp is installed setuid root. Buffer overflow in krb425_conv_principal() library function This vulnerability can be exploited by remote users in conjunction with the krb_rd_req vulnerability to gain root privileges on systems running services linked against the vulnerable library. Buffer overflow in krshd Remote users may be able to execute arbitrary code as root on systems running a vulnerable version of krshd. Buffer overflow in ksu Local users can can gain root privileges by exploiting the buffer overflow in ksu. III. Solution Apply a patch from your vendor Appendix A contains information provided by vendors for this advisory. We will update the appendix as we receive more information. If you do not see your vendor's name, the CERT/CC did not hear from that vendor. Please contact your vendor directly. 
Apply the MIT patches If you are running the Kerberos 5 distribution from MIT, and can rebuild your binaries from source, you can apply the source code patches from MIT to correct these problems. If you are running Kerberos version 4, you may be able to patch your source code based on the version 5 patch provided by MIT. Only the patches for the krb_rd_req() vulnerability need to be applied to version 4 to address the issues described in this advisory. With either version, you will need to recompile the libraries and the vulnerable programs (krshd and ksu). You will also need to recompile any programs that have been statically linked with the vulnerable libraries. In version 4, you should also recompile the KDC server software. These patches are available at: http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt Disable version 4 authentication in version 5 if possible As suggested by MIT, version 4 authentication in some daemons can be disabled at run time by supplying command line options to these programs when started by inetd. This approach may work for the following daemons: krshd klogind telnetd This addresses the krb_rd_req() and krb425_conv_principal() vulnerabilities. Note that krshd may still be vulnerable to the krshd specific vulnerability described in this document. Upgrade to MIT Kerberos 5 version 1.2 The vulnerabilities described in this advisory will be addressed in Kerberos 5 version 1.2. This version will be available from the MIT Kerberos web site: http://web.mit.edu/kerberos/www/ Appendix A. Vendor Information Microsoft Corporation No Microsoft products are affected by this vulnerability. MIT Kerberos The MIT Kerberos Team advisory on this topic is available from: http://web.mit.edu/kerberos/www/advisories/krb4buf.txt NetBSD NetBSD has two codebases for crypto software, a legacy of the US's export laws until recently (and also some patent issues). 
The crypto-intl tree intended for use by those outside the US was not affected.

For the crypto-us tree,
* krb5 was not affected
* krb4 was affected, and has been fixed in NetBSD-current since Jeff's announcement; this fix is making its way into the 1.4.x release branch. We will release an advisory and patches shortly.

In summary, users of NetBSD releases 1.4.2 and earlier or -current up until yesterday, who have installed the crypto-us "secr" set and who have enabled kerberos4, are vulnerable.

OpenBSD

OpenBSD uses the KTH Kerberos distribution, which has been reported to be not vulnerable.

Washington University

We do not distribute any "default" binaries which use Kerberos. In order to get Kerberos support, you must rebuild the software specifically to use Kerberos (the default build will not use Kerberos).

We believe that the University of Washington IMAP and POP3 servers are not vulnerable. The message from MIT specifically stated that the problem was in the Kerberos 4 routines from MIT.

Kerberos support in these servers is based upon Kerberos 5, not Kerberos 4. UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls; Kerberos 4 routines are never called.

There is an unsupported, contributed code, module for Kerberos 4 available in our software, but that is client only. We are not aware of the existence of any Kerberos 4 server code for UW imapd/ipop3d.
_________________________________________________________________

The CERT Coordination Center thanks Jeff Schiller and the MIT Kerberos Team for notifying us about this problem and their help in developing this advisory.
_________________________________________________________________

Cory Cohen and Jeff Havrilla were the primary authors of the CERT/CC portions of this document.
______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2000-06.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To be added to our mailing list for advisories and bulletins, send email to cert-advisory-request@cert.org and include SUBSCRIBE your-email-address in the subject of your message. * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. 
_________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2000 Carnegie Mellon University, portions copyright MIT University. Revision History May 17, 2000: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOSNVWlr9kb5qlZHQEQIjRwCfepYRvrNqpyvLVu3nT3L9smypiA0An3FJ H/bJQhVrnAnjknEma2pl9XQX =sFsd -----END PGP SIGNATURE----- From kreymer@fnal.gov Thu May 18 08:46:39 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA13172 for ; Thu, 18 May 2000 08:46:38 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJFH7SEMS0009Y4@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 08:46:30 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012B2A@listserv.fnal.gov>; Thu, 18 May 2000 08:46:17 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 13872 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 08:46:17 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012B28@listserv.fnal.gov>; Thu, 18 May 2000 08:46:17 -0500 Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJFH5MB8Q0009K9@FNAL.FNAL.GOV>; Thu, 18 May 2000 08:46:14 -0500 Date: Thu, 18 May 2000 08:46:14 -0500 (CDT) From: Dane Skow Subject: keeping time Sender: owner-linux-users@listserv.fnal.gov To: linux-users@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 300 I've been having a problem with a couple PCs keeping reasonably accurate time (particularly when powered off for a few 
days) often losing more than an hour. (I assume this is an indication of a weak battery somewhere). However, I'd expect that the machines should resync with the time source rapidly, yet I've waited up to an hour after turning on the machine and still need to reset the clock by hand. I'm running standard FRHL 6.1 with the OSS workgroup (so AFS is installed). I would expect the AFS clock synchronization to kick in; do I need to put something in my startup ? Since I connect to the lab via ISDN, I'm not certain when the network connection is "up" in the boot cycle so perhaps I need to force a resync somehow ? The major symptom of this is that until the clock is resynced (by logging in as root and setting date by hand currently), the Kerberos authentication won't work and I can't log into my user account. I'd imagine this could be a common problem for the "occasional use" PCs used in Xterm-like mode around the lab. Is the answer never shut the power off ? (Not very enviro friendly) Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Thu May 18 09:27:43 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA13217 for ; Thu, 18 May 2000 09:27:42 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJGX830SK000ATH@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 09:27:35 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012B9C@listserv.fnal.gov>; Thu, 18 May 2000 09:27:25 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 13990 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 09:27:25 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012B9A@listserv.fnal.gov>; Thu, 18 May 2000 
09:27:25 -0500
Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJGX6MO6A000AS6@FNAL.FNAL.GOV>; Thu, 18 May 2000 09:27:24 -0500
Date: Thu, 18 May 2000 09:27:24 -0500
From: Margaret Votava
Subject: Re: keeping time
Sender: owner-linux-users@listserv.fnal.gov
To: Dane Skow
Cc: linux-users@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <3923FDCC.ED550CE9@fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 301

Hi,

I had a similar problem. I found that the clock used at boot time was set to EST. According to Ray, it would take AFS a *long* time to recover from such a delta.

Connie was looking into if this is a general problem in the FRHL distribution, or if I inadvertently didn't set this correctly during the installation.

Margaret

Dane Skow wrote:
>
> I've been having a problem with a couple PCs keeping reasonably accurate
> time (particularly when powered off for a few days) often losing more
> than an hour. (I assume this is an indication of a weak battery
> somewhere). However, I'd expect that the machines should resync with
> the time source rapidly, yet I've waited up to an hour after turning
> on the machine and still need to reset the clock by hand.
>
> I'm running standard FRHL 6.1 with the OSS workgroup (so AFS is
> installed). I would expect the AFS clock synchronization to kick in;
> do I need to put something in my startup ? Since I connect to the lab
> via ISDN, I'm not certain when the network connection is "up" in the
> boot cycle so perhaps I need to force a resync somehow ?
>
> The major symptom of this is that until the clock is resynced (by logging
> in as root and setting date by hand currently), the Kerberos
> authentication won't work and I can't log into my user account.
> I'd imagine this could be a common problem for the "occasional use" > PCs used in Xterm-like mode around the lab. > > Is the answer never shut the power off ? (Not very enviro friendly) > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 -- Margaret Votava votava@fnal.gov Computing Division/Experiment Online Support 630-840-2625 (office) Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Thu May 18 09:59:25 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA13299 for ; Thu, 18 May 2000 09:59:25 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJI1CUQKK000AS6@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 09:59:17 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C08@listserv.fnal.gov>; Thu, 18 May 2000 09:59:00 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14102 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 09:59:00 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C06@listserv.fnal.gov>; Thu, 18 May 2000 09:59:00 -0500 Received: from thebrain.fnal.gov ([131.225.80.75]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJI1BL1320009N6@FNAL.FNAL.GOV>; Thu, 18 May 2000 09:58:58 -0500 Received: from fnal.gov (localhost.localdomain [127.0.0.1]) by thebrain.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA15602; Thu, 18 May 2000 09:58:58 -0500 Date: Thu, 18 May 2000 09:58:57 -0500 From: Troy Dawson Subject: Re: keeping time Sender: owner-linux-users@listserv.fnal.gov To: Margaret Votava Cc: Dane Skow , linux-users@fnal.gov, kerberos-pilot@fnal.gov Message-id: <39240531.DF67959A@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.72 [en] (X11; U; 
Linux 2.2.14-5.0smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3923FDCC.ED550CE9@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 302

Howdy,

I thought that this had already gotten answered, but instead of digging through the e-mails I'll post what I found and how I fixed it. (even though temporarily)

Here's what I have observed. For the OSS install, xntp gets turned off because it conflicts with the afs time syncing. We have our AFS server setup so that all AFS clients sync their time to it. (That's a server setting, not a client setting). So after so many minutes the client syncs up its time. (I've noticed that there is a wait of 20 minutes, but I never measured exactly)

Here's the real problem. When afs syncs up its time, it only does a software sync, it doesn't set the hardware clock. xntp sets the hardware clock when it does its time syncing. Because of that, and because we went through daylight savings, all of the hardware clocks are an hour off. When we go back through daylight savings they'll be back on, or at least close.

How to fix it? (Three different ways)

1 - if your clock is currently out of sync, start xntp, let it sync the clock, then turn it off again. This doesn't work if there isn't that hour difference.

2 - make sure your date is correct, then as root run '/sbin/hwclock --systohc'
This sets the hardware clock to the current system time.

3 - (best option) edit your crontab to run the above command once a day/week/month/year whatever you want such as

33 3 3 * * /sbin/hwclock --systohc

which will sync up your hardware clock once a month.

Troy

Margaret Votava wrote:
>
> Hi,
>
> I had a similar problem. I found that the clock used at boot
> time was set to EST. According to Ray, it would take AFS
> a *long* time to recover from such a delta.
>
> Connie was looking into if this is a general problem in the
> FRHL distribution, or if I inadvertently didn't set this
> correctly during the installation.
>
> Margaret
>
> Dane Skow wrote:
> >
> > I've been having a problem with a couple PCs keeping reasonably accurate
> > time (particularly when powered off for a few days) often losing more
> > than an hour. (I assume this is an indication of a weak battery
> > somewhere). However, I'd expect that the machines should resync with
> > the time source rapidly, yet I've waited up to an hour after turning
> > on the machine and still need to reset the clock by hand.
> >
> > I'm running standard FRHL 6.1 with the OSS workgroup (so AFS is
> > installed). I would expect the AFS clock synchronization to kick in;
> > do I need to put something in my startup ? Since I connect to the lab
> > via ISDN, I'm not certain when the network connection is "up" in the
> > boot cycle so perhaps I need to force a resync somehow ?
> >
> > The major symptom of this is that until the clock is resynced (by logging
> > in as root and setting date by hand currently), the Kerberos
> > authentication won't work and I can't log into my user account.
> > I'd imagine this could be a common problem for the "occasional use"
> > PCs used in Xterm-like mode around the lab.
> >
> > Is the answer never shut the power off ?
(Not very enviro friendly) > > > > Dane Skow, > > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > -- > Margaret Votava votava@fnal.gov > Computing Division/Experiment Online Support 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS CSS Group __________________________________________________ From kreymer@fnal.gov Thu May 18 10:15:54 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13320 for ; Thu, 18 May 2000 10:15:53 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJIM2S4S4000B8B@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 10:15:47 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C43@listserv.fnal.gov>; Thu, 18 May 2000 10:15:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14161 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 10:15:42 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C42@listserv.fnal.gov>; Thu, 18 May 2000 10:15:41 -0500 Received: from CUERVO ([131.225.80.193]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JPJILY283W0009N4@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 10:15:39 -0500 Date: Thu, 18 May 2000 10:15:36 -0500 From: "Mark O. 
Kaletka"
Subject: RE: CERT Advisory CA-2000-06
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Armin Reichold , kerberos-pilot@fnal.gov
Cc: Ian McArthur , Todd Huffman
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
Content-type: text/plain; charset="iso-8859-1"
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 303

The ksu vulnerability was reported by us to CIAC and MIT in November and is already fixed in our code as well as the MIT beta. We aren't using the v4 compatibility mode and therefore don't believe we're vulnerable to those overflows. The krshd fix is being incorporated and rebuilt for test and distribution even as I write this. When it's available for installation we'll make a general announcement on kerberos-announce.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Armin
> Reichold
> Sent: Thursday, May 18, 2000 3:04 AM
> To: kerberos-pilot@fnal.gov
> Cc: Ian McArthur; Todd Huffman
> Subject: FW: CERT Advisory CA-2000-06
>
>
> Dear All,
> I believe the below message indicating vulnerabilities of kerberos systems
> has reached fermilab kerberos experts well before it reaches me, however,
> this may prove to be a good test point to how fast and consistent we can
> close these holes in the Fermilab kerberos domains and whether our support
> strategy is up to speed to progress any required changes to any
> of the up to now very few hosts participating in the pilot phase, be it as
> clients or as parts of the strengthened realm. I believe fixing these problems
> is no more urgent as "secure" systems are much more of an interesting
> challenge to real hackers than insecure ones and I expect attempts to exploit these
> weaknesses to start rather soon.
> > Cheers Armin > > ************************************************* > * Dr. Armin Reichold | private: * > * Research Officer | 17 Frys Hill * > * University of Oxford | Oxford * > * Particle & Nuclear Phys. Lab. | OX4 7GW * > * 1 Keble Road | UK * > * Oxford OX1 3RH * > * UK * > * Room 612 * > * * > * Tel. : +44-(0)1865-273358...(office) * > * Tel. : +44-(0)1865-434856...(private) * > * Mobile: +44-(0)7930-431102...(emergency only) * > * Fax. : +44-(0)1865-273418...(office) * > * E-Mail: a.reichold1@physics.ox.ac.uk * > * Netmeeting: ppnt67.physics.ox.ac.uk (business)* > * ---//--- Dir. Server: webnt.physics.ox.ac.uk * > ************************************************* > > > -----Original Message----- > From: CERT Advisory [mailto:cert-advisory@cert.org] > Sent: 18 May 2000 03:44 > To: cert-advisory@cert.org > Subject: CERT Advisory CA-2000-06 > > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos > Authenticated Services > > Original release date: May 17, 2000 > Last revised: -- > Source: The MIT Kerberos Team, CERT/CC > > A complete revision history is at the end of this file. > > Systems Affected > > * Systems running services authenticated via Kerberos 4 > * Some systems running services authenticated via Kerberos 5 > * Systems running the Kerberized remote shell daemon (krshd) > * Systems with the Kerberos 5 ksu utility installed > * Systems with the Kerberos 5 v4rcp utility installed > > Overview > > The CERT Coordination Center has recently been notified of several > buffer overflow vulnerabilities in the Kerberos authentication > software. The most severe vulnerability allows remote intruders to > gain root privileges on systems running services using Kerberos > authentication. If vulnerable services are enabled on the Key > Distribution Center (KDC) system, the entire Kerberos domain may be > compromised. > > I. 
Description > > There are at least four distinct vulnerabilities in various versions > and implementations of the Kerberos software. All of these > vulnerabilities may be exploited to obtain root privileges. > > Buffer overflow in krb_rd_req() library function > > This vulnerability is present in version 4 of Kerberos. It is also > present in version 5 (in the version 4 compatibility code). This > vulnerability can be exploited in services using version 4 or 5 when > they perform version 4 authentication. This vulnerability may also be > exploited locally via the v4rcp setuid root program of Kerberos 5. > > This vulnerability may be exploitable in version 4. This vulnerability > is exploitable in version 5 in conjunction with the > krb425_conv_principal() vulnerability, described below. > > Buffer overflow in krb425_conv_principal() library function > > This vulnerability is present in version 5's backward compatibility > code. This vulnerability is known to be exploitable in version 5 in > conjunction with an exploit of the krb_rd_req() vulnerability. > > Buffer overflow in krshd > > This vulnerability is only present in version 5. This vulnerability is > not related to the previous two vulnerabilities. > > Buffer overflow in ksu > > This vulnerability is only present in version 5, and is corrected in > krb5-1.1.1 and krb5-1.0.7-beta1. The ksu vulnerability is unrelated to > the other vulnerabilities. > > The MIT Kerberos Team Advisory > > The MIT Kerberos Team described these vulnerabilities in detail in an > advisory they recently issued. The text of this advisory is included > below. > > | > > SUMMARY > > Serious buffer overrun vulnerabilities exist in many implementations > of Kerberos 4, including implementations included for backwards > compatibility in Kerberos 5 implementations. Other less serious buffer > overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS > 4 IMPLEMENTATIONS derived from MIT sources are believed to be > vulnerable. 
> > IMPACT > > * A remote user may gain unauthorized root access to a machine > running services authenticated with Kerberos 4. > * A remote user may gain unauthorized root access to a machine > running krshd, regardless of whether the program is configured to > accept Kerberos 4 authentication. > * A local user may gain unauthorized root access by exploiting v4rcp > or ksu. > > DETAILS > > The MIT Kerberos Team has been made aware of a security vulnerability > in the Kerberos 4 compatibility code contained within the MIT Kerberos > 5 source distributions. This vulnerability consists of a buffer > overrun in the krb_rd_req() function, which is used by essentially all > Kerberos-authenticated services that use Kerberos 4 for > authentication. It is possible for an attacker to gain root access > over the network by exploiting this vulnerability. > > An exploit is known to exist for the Kerberized Berkeley remote shell > daemon (krshd) for at least the i386-Linux platform, and possibly > others. The extent of distribution of this exploit is unknown at this > time. > > Other buffer overruns have been discovered as well, though with less > far-reaching impact. > > The existing exploit does not directly use the buffer overrun in > krb_rd_req(); rather, it uses the buffer that was overrun by > krb_rd_req() to exploit a second overrun in krb425_conv_principal(). > The krb_rd_req() code itself might not be exploitable once the overrun > in krb425_conv_principal() is repaired, though it is likely that some > other method of exploit may be found that does not require that an > overrun exist in krb425_conv_principal(). 
> > VULNERABLE DISTRIBUTIONS AND PROGRAMS > > Source distributions which may contain vulnerable code include: > * MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1 > * MIT Kerberos 4 patch 10, and likely earlier releases as well > * KerbNet (Cygnus implementation of Kerberos 5) > * Cygnus Network Security (CNS -- Cygnus implementation of Kerberos > 4) > > Daemons or services that may call krb_rd_req() and are thus vulnerable > to remote exploit include: > > krshd > klogind (if accepting Kerberos 4 authentication) > telnetd (if accepting Kerberos 4 authentication) > ftpd (if accepting Kerberos 4 authentication) > rkinitd > kpopd > > In addition, it is possible that the v4rcp program, which is usually > installed setuid to root, may be exploited by a local user to gain > root access by means of exploiting the krb_rd_req vulnerability. > > The ksu program in some MIT Kerberos 5 releases has a vulnerability > that may result in unauthorized local root access. This bug was fixed > in krb5-1.1.1, as well as in krb5-1.0.7-beta1. Release krb5-1.1, as > well as krb5-1.0.6 and earlier, are believed to be vulnerable. > > There is an unrelated buffer overrun in the krshd that is distributed > with at least the MIT Kerberos 5 source distributions. It is not known > whether an exploit exists for this buffer overrun. It is also not > known whether this buffer overrun is actually exploitable. > > WORKAROUNDS > > Certain daemons that are called from inetd may be safe from > exploitation if their command line invocation is modified to exclude > the use of Kerberos 4 for authentication. Please consult the manpages > or other documentation for your Kerberos distribution in order to > determine the correct command line for disabling Kerberos 4 > authentication. 
Daemons for which this approach may work include: > > krshd (*) > klogind > telnetd > > (*) The krshd program may still be vulnerable to remote attack if > Kerberos 4 authentication is disabled, due to the unrelated buffer > overrun mentioned above. It is best to disable the krshd program > completely until a patched version can be installed. > > The v4rcp program should have its setuid permission removed, since it > may be possible to perform a local exploit against it. > > The krb5 ksu program should have its setuid permission removed, if it > was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code. > Merely replacing the ksu binary with one compiled from krb5-1.1.1 or > krb5-1.0.7-beta1 should be safe, provided that it is not compiled with > shared libraries (the vulnerability is related to some library bugs). > If ksu was compiled with shared libraries, it may be best to install a > new release that has the library bug fixed. > > In the MIT Kerberos 5 releases, it may not be possible to disable > Kerberos 4 authentication in the ftpd program. Note that only releases > krb5-1.1 and later will have the ability to receive Kerberos 4 > authentication. > > FIXES > > The best course of action is to patch the code in the krb4 library, in > addition to patching the code in the krshd program. The following > patches include some less essential patches that also affect buffer > overruns in potentially vulnerable code, but for which exploits are > somewhat more difficult to construct. > > Please note that there are two sets of patches in this file that apply > against identically named files in two different releases. You should > separate out the patch set that is relevant to you prior to applying > them; otherwise, you may inadvertently patch some files twice. > > MIT will soon release krb5-1.2, which will have these changes > incorporated. > > PATCHES AGAINST krb5-1.0.x > > The following are patches against 1.0.7-beta1 (roughly). 
The most > critical ones are: > > appl/bsd/krshd.c > lib/krb4/rd_req.c > lib/krb5/krb/conv_princ.c > > The rest are not as important but you may wish to apply them anyway > out of paranoia. These patches may apply with a little bit of fuzz > against releases prior to krb5-1.0.7-beta1, but there likely have not > been significant changes in the affected code. These patches may also > apply against KerbNet. The lib/krb4/rd_req.c patch may also apply > against CNS and MIT Kerberos 4. > > [Patches to correct this issue in Kerberos version 5-1.0.x were > included at this point in the MIT advisory. The CERT Coordination > Center has made these patches available at the following link: > > http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt > > -- CERT/CC] > | > > PATCHES AGAINST krb5-1.1.1 > > The following are patches against 1.1.1. The most critical ones are: > > appl/bsd/krshd.c > lib/krb4/rd_req.c > lib/krb5/krb/conv_princ.c > > IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1, but > we recommend krb5-1.1.1 if you are going to upgrade at all) and > compile the source tree with the --without-krb4 option, then you will > also want to install the patch to login.c that is also provided below. > > The rest are not as important but you may wish to apply them anyway > out of paranoia. > > [Patches to correct this issue in Kerberos version 5-1.1.1 were > included at this point in the MIT advisory. The CERT Coordination > Center has made these patches available at the following link: > > http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt > > -- CERT/CC] > | > > ACKNOWLEDGMENTS > > Thanks to Jim Paris (MIT class of 2003) for pointing out the > krb_rd_req() vulnerability. > > Thanks to Nalin Dahyabhai of Redhat for pointing out some other buffer > overruns and coming up with patches. > > The full text of the MIT Kerberos Team advisory is also available > from: > > http://web.mit.edu/kerberos/www/advisories/krb4buf.txt > > II. 
Impact
>
> The most significant impact of these vulnerabilities may allow a
> remote intruder to gain root access to systems running vulnerable
> services, including the KDC for the domain.
>
> Buffer overflow in krb_rd_req() library function
>
> This vulnerability may be exploited by remote users to gain root
> privileges on systems running services linked against the vulnerable
> library. As MIT indicated, these services include (but may not be
> limited to):
>
> krshd
> klogind (if accepting Kerberos 4 authentication)
> telnetd (if accepting Kerberos 4 authentication)
> ftpd (if accepting Kerberos 4 authentication)
> rkinitd
> kpopd
>
> Local users can execute arbitrary code as root on systems where v4rcp
> is installed setuid root.
>
> Buffer overflow in krb425_conv_principal() library function
>
> This vulnerability can be exploited by remote users in conjunction
> with the krb_rd_req vulnerability to gain root privileges on systems
> running services linked against the vulnerable library.
>
> Buffer overflow in krshd
>
> Remote users may be able to execute arbitrary code as root on systems
> running a vulnerable version of krshd.
>
> Buffer overflow in ksu
>
> Local users can gain root privileges by exploiting the buffer
> overflow in ksu.
>
> III. Solution
>
> Apply a patch from your vendor
>
> Appendix A contains information provided by vendors for this advisory.
> We will update the appendix as we receive more information. If you do
> not see your vendor's name, the CERT/CC did not hear from that vendor.
> Please contact your vendor directly.
>
> Apply the MIT patches
>
> If you are running the Kerberos 5 distribution from MIT, and can
> rebuild your binaries from source, you can apply the source code
> patches from MIT to correct these problems.
>
> If you are running Kerberos version 4, you may be able to patch your
> source code based on the version 5 patch provided by MIT.
Only the > patches for the krb_rd_req() vulnerability need to be applied to > version 4 to address the issues described in this advisory. > > With either version, you will need to recompile the libraries and the > vulnerable programs (krshd and ksu). You will also need to recompile > any programs that have been statically linked with the vulnerable > libraries. In version 4, you should also recompile the KDC server > software. > > These patches are available at: > > http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt > http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt > > Disable version 4 authentication in version 5 if possible > > As suggested by MIT, version 4 authentication in some daemons can be > disabled at run time by supplying command line options to these > programs when started by inetd. This approach may work for the > following daemons: > > krshd > klogind > telnetd > > This addresses the krb_rd_req() and krb425_conv_principal() > vulnerabilities. Note that krshd may still be vulnerable to the krshd > specific vulnerability described in this document. > > Upgrade to MIT Kerberos 5 version 1.2 > > The vulnerabilities described in this advisory will be addressed in > Kerberos 5 version 1.2. This version will be available from the MIT > Kerberos web site: > > http://web.mit.edu/kerberos/www/ > > Appendix A. Vendor Information > > Microsoft Corporation > > No Microsoft products are affected by this vulnerability. > > MIT Kerberos > > The MIT Kerberos Team advisory on this topic is available from: > > http://web.mit.edu/kerberos/www/advisories/krb4buf.txt > > NetBSD > > NetBSD has two codebases for crypto software, a legacy of the US's > export laws until recently (and also some patent issues). > > The crypto-intl tree intended for use by those outside the US was not > affected. 
> > For the crypto-us tree, > * krb5 was not affected > * krb4 was affected, and has been fixed in NetBSD-current since > Jeff's announcement; this fix is making it's way into the 1.4.x > release branch. We will release an advisory and patches shortly. > > In summary, users of NetBSD releases 1.4.2 and earlier or -current up > until yesterday, who have installed the crypto-us "secr" set and who > have enabled kerberos4, are vulnerable. > > OpenBSD > > OpenBSD uses the KTH Kerberos distribution, which has been reported to > be not vulnerable. > > Washington University > > We do not distribute any "default" binaries which uses Kerberos. In > order to get Kerberos support, you must rebuild the software > specifically to use Kerberos (the default build will not use > Kerberos). > > We believe that the University of Washington IMAP and POP3 servers are > not vulnerable. The message from MIT specifically stated that the > problem was in the Kerberos 4 routines from MIT. > > Kerberos support in these servers is based upon Kerberos 5, not > Kerberos 4. UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls; > Kerberos 4 routines are never called. > > There is an unsupported, contributed code, module for Kerberos 4 > available in our software, but that is client only. We are not aware > of the existence of any Kerberos 4 server code for UW imapd/ipop3d. > _________________________________________________________________ > > The CERT Coordination Center thanks Jeff Schiller and the MIT Kerberos > Team for notifying us about this problem and their help in developing > this advisory. > _________________________________________________________________ > > Cory Cohen and Jeff Havrilla were the primary authors of the CERT/CC > portions of this document. 
> ______________________________________________________________________ > > This document is available from: > http://www.cert.org/advisories/CA-2000-06.html > ______________________________________________________________________ > > CERT/CC Contact Information > > Email: cert@cert.org > Phone: +1 412-268-7090 (24-hour hotline) > Fax: +1 412-268-6989 > Postal address: > CERT Coordination Center > Software Engineering Institute > Carnegie Mellon University > Pittsburgh PA 15213-3890 > U.S.A. > > CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4) > Monday through Friday; they are on call for emergencies during other > hours, on U.S. holidays, and on weekends. > > Using encryption > > We strongly urge you to encrypt sensitive information sent by email. > Our public PGP key is available from > > http://www.cert.org/CERT_PGP.key > > If you prefer to use DES, please call the CERT hotline for more > information. > > Getting security information > > CERT publications and other security information are available from > our web site > > http://www.cert.org/ > > To be added to our mailing list for advisories and bulletins, send > email to cert-advisory-request@cert.org and include SUBSCRIBE > your-email-address in the subject of your message. > > * "CERT" and "CERT Coordination Center" are registered in the U.S. > Patent and Trademark Office. > ______________________________________________________________________ > > NO WARRANTY > Any material furnished by Carnegie Mellon University and the Software > Engineering Institute is furnished on an "as is" basis. Carnegie > Mellon University makes no warranties of any kind, either expressed or > implied as to any matter including, but not limited to, warranty of > fitness for a particular purpose or merchantability, exclusivity or > results obtained from use of the material. 
Carnegie Mellon University > does not make any warranty of any kind with respect to freedom from > patent, trademark, or copyright infringement. > _________________________________________________________________ > > Conditions for use, disclaimers, and sponsorship information > > Copyright 2000 Carnegie Mellon University, portions copyright MIT > University. > > Revision History > May 17, 2000: Initial release > > -----BEGIN PGP SIGNATURE----- > Version: PGP for Personal Privacy 5.0 > Charset: noconv > > iQA/AwUBOSNVWlr9kb5qlZHQEQIjRwCfepYRvrNqpyvLVu3nT3L9smypiA0An3FJ > H/bJQhVrnAnjknEma2pl9XQX > =sFsd > -----END PGP SIGNATURE----- > > From kreymer@fnal.gov Thu May 18 10:21:19 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13324 for ; Thu, 18 May 2000 10:21:19 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJISZUPYK000AFY@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 10:21:19 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C4F@listserv.fnal.gov>; Thu, 18 May 2000 10:21:17 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14173 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 10:21:17 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C4E@listserv.fnal.gov>; Thu, 18 May 2000 10:21:17 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJISZ62QY0009N7@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 10:21:16 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA15646; Thu, 18 May 2000 10:21:13 -0500 (CDT) 
Date: Thu, 18 May 2000 10:21:13 -0500
From: Matt Crawford
Subject: Re: FW: CERT Advisory CA-2000-06
In-reply-to: "18 May 2000 09:03:55 BST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Armin Reichold
Cc: kerberos-pilot@fnal.gov, Ian McArthur , Todd Huffman
Message-id: <200005181521.KAA15646@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 304

> Buffer overflow in krb_rd_req() library function

We are immune to *remote* exploit of this because of our configuration
(we don't enable v4 authentication). All sysadmins should
"chmod u-s /usr/krb5/bin/v4rcp" at once to prevent *local* exploit.
This should have no impact on users since there's no reason to be using
v4rcp in our environment.

> Buffer overflow in krb425_conv_principal() library function

We are immune to any exploit of this due to not having a certain sort
of stanza in our krb5.conf files. Of course we'll apply the patch
anyway in case some remote site adds v4 instance conversion for their
own purposes.

> Buffer overflow in krshd

This one is real and will be patched on Fermi v0_6, coming soon. But
note the text: "It is also not known whether this buffer overrun is
actually exploitable." (See next item.)

> Buffer overflow in ksu

This one has been fixed in Fermi Kerberos since our v0_3 (six months
ago). I was the one who reported this problem to MIT in the first
place. It's not at all clear the overflow was ever exploitable due to
the very limited class of strings which can be used to overflow the
buffer in question.

Bottom line: removing setuid privilege from v4rcp as described above
will prevent any local exploit of these bugs. (Unless you have Fermi
v0_1 or v0_2 installed, in which case ksu might be vulnerable.) No
remote exploit is possible unless one of the following conditions
exists:

  You have altered your /etc/krb5.conf (needs root priv) to add a
  "v4_instance_convert" clause.

  You have altered your /etc/inetd.conf (needs root priv) to enable
  Kerberos v4 authentication by adding a "-4" flag to one of the
  servers.

  You have a user in your password file whose home directory's name is
  more than 1014 characters long. (4085 characters in the case of
  Linux 6.2.)

From kreymer@fnal.gov Thu May 18 10:24:27 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13332 for ; Thu, 18 May 2000 10:24:27 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJIW9DIIC000B7W@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 10:24:15 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C57@listserv.fnal.gov>; Thu, 18 May 2000 10:23:55 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14182 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 10:23:55 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C55@listserv.fnal.gov>; Thu, 18 May 2000 10:23:54 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJIW5P6L4000AFZ@FNAL.FNAL.GOV>; Thu, 18 May 2000 10:23:50 -0500
Date: Thu, 18 May 2000 10:23:49 -0500 (CDT)
From: Dane Skow
Subject: Re: keeping time
In-reply-to: <39240531.DF67959A@fnal.gov>
Sender: owner-linux-users@listserv.fnal.gov
To: Troy Dawson
Cc: linux-users@fnal.gov, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 305

I can try your fixes Troy. I think my problem is different than
Margaret's. The clock clearly says CST from a date prompt and the time
is clearly off (last night it was almost exactly 4 hours off).
I've seen some whopping big time corrections from AFS in my logs so it
seems it is willing to swing the big axe in some situations.

dane

On Thu, 18 May 2000, Troy Dawson wrote:

> Howdy,
> I thought that this had already gotten answered, but instead of digging
> through the e-mails I'll post what I found and how I fixed it. (even
> though temporarily)
>
> Here's what I have observed.
> For the OSS install, xntp gets turned off because it conflicts with the
> afs time syncing. We have our AFS server setup so that all AFS clients
> sync their time to it. (That's a server setting, not a client
> setting). So after so many minutes the client syncs up its time.
> (I've noticed that there is a wait of 20 minutes, but I never measured
> exactly)
>
> Here's the real problem.
> When afs syncs up its time, it only does a software sync, it doesn't
> set the hardware clock. xntp sets the hardware clock when it does its
> time syncing. Because of that, and because we went through daylight
> savings, all of the hardware clocks are an hour off. When we go back
> through daylight savings they'll be back on, or at least close.
>
> How to fix it? (Three different ways)
> 1 - if your clock is currently out of sync, start xntp, let it sync
> the clock, then turn it off again. This doesn't work if there isn't
> that hour difference.
> 2 - make sure your date is correct, then as root run '/sbin/hwclock
> --systohc'
> This sets the hardware clock to the current system time.
> 3 - (best option) edit your crontab to run the above command once a
> day/week/month/year whatever you want such as
> 33 3 3 * * /sbin/hwclock --systohc
> which will sync up your hardware clock once a month.
>
> Troy
>
> Margaret Votava wrote:
> >
> > Hi,
> >
> > I had a similar problem. I found that the clock used at boot
> > time was set to EST. According to Ray, it would take AFS
> > a *long* time to recover from such a delta.
> > > > Connie was looking into if this is a general problem in the > > FRHL distribution, or if I inadvertantly didn't set this > > correctly during the installation. > > > > Margaret > > > > Dane Skow wrote: > > > > > > I've been having a problem with a couple PCs keeping reasonably accurate > > > time (particularly when powered off for a few days) often losing more > > > than an hour. (I assume this is an indication of a weak battery > > > somewhere). However, I'd expect that the machines should resync with > > > the time source rapidly, yet I've waited up to an hour after turning > > > on the machine and still need to reset the clock by hand. > > > > > > I'm running standard FRHL 6.1 with the OSS workgroup (so AFS is > > > installed). I would expect the AFS clock synchronization to kick in; > > > do I need to put something in my startup ? Since I connect to the lab > > > via ISDN, I'm not certain when the network connection is "up" in the > > > boot cycle so perhaps I need to force a resync somehow ? > > > > > > The major symptom of this is that until the clock is resynced (by logging > > > in as root and setting date by hand currently), the Kerberos > > > authentication won't work and I can't log into my user account. > > > I'd imagine this could be a common problem for the "occasional use" > > > PCs used in Xterm-like mode around the lab. > > > > > > Is the answer never shut the power off ? 
(Not very enviro friendly) > > > > > > Dane Skow, > > > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > > > -- > > Margaret Votava votava@fnal.gov > > Computing Division/Experiment Online Support 630-840-2625 (office) > > Fermi National Accelerator Laboratory 630-840-6345 (fax) > > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS CSS Group > __________________________________________________ > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Thu May 18 10:28:30 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13344 for ; Thu, 18 May 2000 10:28:29 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJIW9DIIC000B7W@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 10:28:14 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C66@listserv.fnal.gov>; Thu, 18 May 2000 10:27:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14198 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 10:27:42 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C64@listserv.fnal.gov>; Thu, 18 May 2000 10:27:42 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJJ0SZG02000AU5@FNAL.FNAL.GOV>; Thu, 18 May 2000 10:27:36 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA15715; Thu, 18 May 2000 10:27:34 -0500 (CDT) Date: Thu, 18 May 2000 10:27:34 -0500 From: Matt Crawford Subject: Re: keeping time In-reply-to: "18 May 2000 09:58:57 CDT." 
<"39240531.DF67959A"@fnal.gov> Sender: owner-linux-users@listserv.fnal.gov To: Troy Dawson Cc: Margaret Votava , Dane Skow , linux-users@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200005181527.KAA15715@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 306 See if the afsd on Linux has a -nosettime option like the Solaris one does. On my machine, I have afsd start with -nosettime (which reduces the count of afsd processes by one) and run xntpd to handle the timekeeping. From kreymer@fnal.gov Thu May 18 10:33:35 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13354 for ; Thu, 18 May 2000 10:33:35 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJJ861M4G000AU5@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 10:33:34 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C88@listserv.fnal.gov>; Thu, 18 May 2000 10:33:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14232 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 10:33:31 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012C87@listserv.fnal.gov>; Thu, 18 May 2000 10:33:31 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJJ84AEMS000AGH@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 10:33:29 -0500 Date: Thu, 18 May 2000 10:33:29 -0500 From: Margaret Votava Subject: Re: keeping time Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: Troy Dawson , Dane Skow , kerberos-pilot@fnal.gov Message-id: <39240D49.2A43B259@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; 
I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200005181527.KAA15715@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 307 Hi, Is this more of an "expert" approach? The pilot project documentation (gg0019) says explicitly to use the afs time syncing functionality and to disable xntp. Thanks, Margaret Matt Crawford wrote: > > See if the afsd on Linux has a -nosettime option like the Solaris one > does. On my machine, I have afsd start with -nosettime (which > reduces the count of afsd processes by one) and run xntpd to handle > the timekeeping. -- Margaret Votava votava@fnal.gov Computing Division/Experiment Online Support 630-840-2625 (office) Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Thu May 18 11:02:46 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA13373 for ; Thu, 18 May 2000 11:02:46 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJK8JUQH8000AUU@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 11:02:39 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012CE0@listserv.fnal.gov>; Thu, 18 May 2000 11:02:22 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14323 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 11:02:22 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012CDF@listserv.fnal.gov>; Thu, 18 May 2000 11:02:22 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJK8PZDYE0009N5@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 
11:02:13 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA16033; Thu, 18 May 2000 11:02:11 -0500 (CDT) Date: Thu, 18 May 2000 11:02:11 -0500 From: Matt Crawford Subject: Re: keeping time In-reply-to: "18 May 2000 10:33:29 CDT." <"39240D49.2A43B259"@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov Message-id: <200005181602.LAA16033@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 308 > Is this more of an "expert" approach? ... Uh, gee, you got me there. It was the AFS people who had me turn off AFS time synch. I don't recall why. One thing is clear, though: You should do exactly one of the two! From kreymer@fnal.gov Thu May 18 12:04:33 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA14323 for ; Thu, 18 May 2000 12:04:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJMEPXGXA000AFY@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 12:04:27 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012DB3@listserv.fnal.gov>; Thu, 18 May 2000 12:04:18 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 14539 for LINUX-USERS@LISTSERV.FNAL.GOV; Thu, 18 May 2000 12:04:18 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012DB1@listserv.fnal.gov>; Thu, 18 May 2000 12:04:18 -0500 Received: from conversion.FNAL.FNAL.GOV by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) id <01JPJMENXX2O000A0M@FNAL.FNAL.GOV>; Thu, 18 May 2000 12:04:16 -0500 Received: from mayne.wellner.org ([128.105.143.102]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJMEM7QBO0009OT@FNAL.FNAL.GOV>; Thu, 18 May 2000 12:04:14 
-0500 Received: (from wellner@localhost) by mayne.wellner.org (8.9.3/8.9.3) id MAA01263; Thu, 18 May 2000 12:04:36 -0500 Date: Thu, 18 May 2000 12:04:36 -0500 From: Rich Wellner Subject: Re: keeping time In-reply-to: Dane Skow's message of "Thu, 18 May 2000 10:23:49 -0500 (CDT)" Sender: owner-linux-users@listserv.fnal.gov To: Dane Skow Cc: Troy Dawson , linux-users@fnal.gov, kerberos-pilot@fnal.gov Message-id: Organization: Fermilab (the coolest place on earth) MIME-version: 1.0 Content-type: text/plain; charset=us-ascii User-Agent: Gnus/5.070099 (Pterodactyl Gnus v0.99) XEmacs/21.1 (Bryce Canyon) X-Stock-Tip: AMD Lines: 20 References: Status: RO X-Status: X-Keywords: X-UID: 309 Dane Skow writes: > I can try your fixes Troy. I think my problem is different than > Margaret's. The clock clearly says CST from a date prompt and the > time is clearly off (last night it was almost exactly 4 hours > off). I've seen some whopping big time corrections from AFS in my > logs so it seem it is willing to swing the big axe in some > situations. I could say that but still have the hardware clock set for a different timezone. Double check that hw and the os are on the same place on earth before you rule out Troy's comments. rw2 -- "Debugging is at least twice as hard as programming. If your code is as clever as you can possibly make it, then by definition you're not smart enough to debug it." 
-- Brian Kernighan

From kreymer@fnal.gov Thu May 18 15:17:10 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA14412 for ; Thu, 18 May 2000 15:17:10 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJT4MKFVY000A3D@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 15:17:04 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012FF4@listserv.fnal.gov>; Thu, 18 May 2000 15:16:59 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15138 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 15:16:59 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00012FF3@listserv.fnal.gov>; Thu, 18 May 2000 15:16:59 -0500
Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJT4JQWLC0008X3@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 15:16:56 -0500
Date: Thu, 18 May 2000 15:16:56 -0500
From: Margaret Votava
Subject: Re: kerberos v0_5 is ready for you to test
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <39244FB8.7360E7DF@fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200005162246.RAA04835@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 310

hi,

do i need to restart anything for changes in this file to take effect?
i blindly added a renewable = true for kinit, but it didn't seem to do
anything.

thanks,
margaret

>
> That's under control of some lines in your /etc/krb5.conf. I have
> mine set to:
>
> [appdefaults]
> default_lifetime = 5d
> ...
> login = {
> krb5_get_tickets = true
> forwardable = true
> renewable = true
> ...
> }
> ...
>
> The fact that 5d > 13h and "renewable = true" means I wind up with a
> 5 day renewable ticket upon console login.

From kreymer@fnal.gov Thu May 18 15:31:04 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA14426 for ; Thu, 18 May 2000 15:31:04 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJTLY0PRO0009OS@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 15:31:01 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001301A@listserv.fnal.gov>; Thu, 18 May 2000 15:30:57 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15179 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 15:30:57 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013019@listserv.fnal.gov>; Thu, 18 May 2000 15:30:57 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJTLWWAMW0008X3@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 15:30:56 -0500
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA17262; Thu, 18 May 2000 15:30:55 -0500 (CDT)
Date: Thu, 18 May 2000 15:30:55 -0500
From: Matt Crawford
Subject: Re: kerberos v0_5 is ready for you to test
In-reply-to: "18 May 2000 15:16:56 CDT."
<"39244FB8.7360E7DF"@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id: <200005182030.PAA17262@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 311

> do i need to restart anything for changes in this file
> [/etc/krb5.conf] to take effect?

No, but it doesn't act retroactively. For example

> i blindly added a renewable = true for kinit, but it didn't seem to
> do anything.

Tickets you already have won't change, but if you run kinit after the
change you should get a renewable ticket, distinguishable by the "R"
flag in the "klist -f" output:

gungnir 156% klist -f
Ticket cache: /tmp/krb5cc_console
Default principal: crawdad@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
05/18/00 08:02:00  05/18/00 21:02:00  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 05/20/00 08:13:32, Flags: FRIA
[...]

From kreymer@fnal.gov Thu May 18 15:39:01 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA14431 for ; Thu, 18 May 2000 15:39:00 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJTVOHH0E000A3D@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 15:38:54 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001301E@listserv.fnal.gov>; Thu, 18 May 2000 15:38:48 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15183 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 15:38:48 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001301D@listserv.fnal.gov>; Thu, 18 May 2000 15:38:48 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJTVLNKJE0009WI@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 15:38:44 -0500
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA20139; Thu, 18 May 2000 15:38:45 -0500 (CDT)
Date: Thu, 18 May 2000 15:38:44 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos v0_5 is ready for you to test
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: Margaret Votava , kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200005182038.PAA20139@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 312

Margaret said:
>
> > - unless the default ticket length is extended from 13 hours, i
> > don't see an advantage to replace the login program. i would
> > immediately do a kinit -r 7d upon login anyway. it means that
> > i type in my super duper secure password yet another time.

Matt said:
>
> That's under control of some lines in your /etc/krb5.conf.
> [snippage]
> The fact that 5d > 13h and "renewable = true" means I wind up with a
> 5 day renewable ticket upon console login.

My comments:

First, Matt gets a 5-day renewable ticket upon console login because he
changed his login program to run the kerberized version. That is NOT
part of the standard kerberos installation [yet] during the pilot phase
(and in fact, I don't know what steps are required for this to happen).
Just changing the /etc/krb5.conf file is NOT enough, you need to also
change the login program.

Second, while you may end up with a renewable ticket, you still have to
renew it every 13 hours (or enter your password again). I find this 13
hour business to be a REAL pain, since I'm generally away from work for
something closer to 14-16 hours (depends on the day), not 13 hours.
I end up having to re-kinit (with password) every single day, even if I
remember to renew just before I leave and renew immediately when I
return. 13 HOURS IS A BAD BAD CHOICE.

Third: why aren't we including "renewable" in the default krb5.conf
that we distribute? The default file looks like:

[appdefaults]
default_lifetime = 7d
retain_ccache = false
autologin = true
forward = true
forwardable = true
encrypt = true
krb5_aklog_path = /usr/krb5/bin/aklog

Why don't we add "renewable = true" to this?

-- lauri

From kreymer@fnal.gov Thu May 18 15:52:21 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA14436 for ; Thu, 18 May 2000 15:52:20 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJUD4X6IG000A3D@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 15:52:17 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013037@listserv.fnal.gov>; Thu, 18 May 2000 15:52:06 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15208 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 15:52:06 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013036@listserv.fnal.gov>; Thu, 18 May 2000 15:52:06 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJUCWWSJE000A3T@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 15:51:56 -0500
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA17588; Thu, 18 May 2000 15:51:54 -0500 (CDT)
Date: Thu, 18 May 2000 15:51:54 -0500
From: Matt Crawford
Subject: Re: kerberos v0_5 is ready for you to test
In-reply-to: "18 May 2000 15:40:35 CDT." <"39245543.4FCDE13"@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id: <200005182051.PAA17588@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 313

Lauri:
> Third: why aren't we including "renewable" in the default krb5.conf
> that we distribute? The default file looks like:

Margaret:
> i changed the .conf file and then did a kinit, and
> i don't see my tickets as renewable:

Silly me -- I didn't check. The kinit program doesn't look for any
"renewable" parameter in krb5.conf even though login does. You have to
do "kinit -r 5d" to get a 5-day renewable ticket. Or you can put the
Kerberos login program in place, which is done by the following steps
(as root).

  # cp /bin/login /bin/login.no-krb
  # cp /usr/krb5/sbin/login.krb5 /bin/login

Be sure not to make the final step a "mv" because the Kerberos telnetd
and rlogind look for it in /usr/krb5/sbin.

From kreymer@fnal.gov Thu May 18 17:37:28 2000 -0500
Return-Path:
Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA14531 for ; Thu, 18 May 2000 17:37:27 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPJY1NM1FA0009IO@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Thu, 18 May 2000 17:37:26 -0500 CDT
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000130F7@listserv.fnal.gov>; Thu, 18 May 2000 17:37:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15414 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 18 May 2000 17:37:22 -0500
Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000130F6@listserv.fnal.gov>; Thu, 18 May 2000 17:37:22 -0500
Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id
<01JPJY1JZMCM0009J9@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Thu, 18 May 2000 17:37:17 -0500 Date: Thu, 18 May 2000 17:37:17 -0500 From: Margaret Votava Subject: Re: kerberos v0_5 is ready for you to test Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: <3924709D.6A9237EB@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200005182051.PAA17588@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 314 > Silly me -- I didn't check. The kinit program doesn't look for any > "renewable" parameter in krb5.conf even though login does. You have > to do "kinit -r 5d" to get a 5-day renewable ticket. Or you can put > the Kerberos login program in place, which is done by the following > steps (as root). > > # cp /bin/login /bin/login.no-krb > # cp /usr/krb5/sbin/login.krb5 /bin/login > > Be sure not to make the final step a "mv" because the Kerberos > telnetd and rlogind look for it in /usr/krb5/sbin. hi, tried it and it seems to work fine. two notes: - if i just use my afs password and not my kerberos 5 password, i can still log in, but do not get any afs tokens (error message that says preauthentication failed while getting initial credentials). this is not intuitive to me. - it's a bit of a pain to copy the login binary because it's in use. i had to logout from the console and slogin from somewhere else. 
thanks, margaret From kreymer@fnal.gov Fri May 19 10:24:33 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA18110 for ; Fri, 19 May 2000 10:24:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPKV3R5XRM000A38@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 19 May 2000 10:23:50 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000138A5@listserv.fnal.gov>; Fri, 19 May 2000 09:43:15 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 17450 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 19 May 2000 09:43:15 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000138A4@listserv.fnal.gov>; Fri, 19 May 2000 09:43:15 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPKVQWZ782000BA7@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 19 May 2000 09:43:03 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA23690; Fri, 19 May 2000 09:43:01 -0500 (CDT) Date: Fri, 19 May 2000 09:43:00 -0500 From: Matt Crawford Subject: Re: kerberos v0_5 is ready for you to test In-reply-to: "18 May 2000 17:37:17 CDT." <"3924709D.6A9237EB"@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov Message-id: <200005191443.JAA23690@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 315 > tried it and it seems to work fine. two notes: > > - if i just use my afs password and not my kerberos 5 password, i can > still log in, but do not get any afs tokens (error message that says > preautentication failed while getting initial credentials). 
this is
> not intuative to me.

I can only understand this if your AFS password is the same as your local Unix password. If you're unsure, you can test whether this is the case with the system's su command. "su votava" and supply your AFS password. If it works, it's also your unix password. The Kerberos login program first tries the password you gave as a Kerberos password (which gets you the preauth. failed message if it isn't), then as a (local or NIS) Unix password. It doesn't try AFS.

> - it's a bit of a pain to copy the login binary because it's in use. i had
> to logout from the console and slogin from somewhere else.

Oh, one of those systems. Odd that login was in use, but here are the instructions I ought to have given:

cp /usr/krb5/sbin/login.krb5 /bin/login.new
ln /bin/login /bin/login.no-krb
mv /bin/login.new /bin/login

That way there is always one and only one perfectly consistent /bin/login file; no process will ever see a partially-written hybrid. Note, though, that we've discovered this doesn't do you any good on IRIX, where /bin/login (which is really /usr/bin/login since /bin -> /usr/bin) is a symlink to /usr/lib/iaf/scheme and getty executes the latter directly if it exists, then /bin/login, then /etc/login. We don't know yet whether there would be any ill effects from removing or replacing /usr/lib/iaf/scheme. If anyone with an IRIX workstation would like to perform an experiment ... ?
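An added example, not part of Matt's message or of the Fermi Kerberos kit: the cp/ln/mv sequence above written as POSIX sh functions, with a check of the outcome. The paths are parameters so the swap can be rehearsed in a scratch directory before it is done to /bin/login; the scratch files, the function names and the stat(1) invocation are assumptions of this example, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the Fermi Kerberos kit): the
# cp/ln/mv replacement of /bin/login done as functions, plus a check of the
# result. Assumes a POSIX sh, an ln(1) that makes hard links, and a stat(1)
# that understands either GNU "-c %i" or BSD "-f %i".
set -u

# inode_of FILE: print FILE's inode number (GNU stat first, then BSD stat).
inode_of() {
    stat -c %i "$1" 2>/dev/null || stat -f %i "$1"
}

# atomic_replace TARGET NEW BACKUP
# 1. copy NEW to a temp name in TARGET's directory (same filesystem, so the
#    final rename is a single directory-entry swap);
# 2. hard-link TARGET to BACKUP, so the original inode is never unlinked;
# 3. rename the copy over TARGET.  A process that exec()s TARGET meanwhile
#    sees either the old file or the new one, never a half-written hybrid.
atomic_replace() {
    target=$1 new=$2 backup=$3
    tmp="$target.new.$$"
    if [ -e "$backup" ]; then
        echo "atomic_replace: $backup already exists, refusing to clobber it" >&2
        return 1
    fi
    cp -p "$new" "$tmp" || return 1
    ln "$target" "$backup" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$target"
}

# verify_replace TARGET NEW BACKUP ORIG_INODE: succeed only if BACKUP still
# carries the original inode, TARGET now has NEW's content on a fresh inode,
# and no temp file was left behind.  cksum is used instead of cmp so the check
# needs nothing outside coreutils.
verify_replace() {
    target=$1 new=$2 backup=$3 orig_inode=$4
    [ "$(inode_of "$backup")" = "$orig_inode" ] || return 1
    [ "$(inode_of "$target")" != "$orig_inode" ] || return 1
    [ "$(cksum < "$target")" = "$(cksum < "$new")" ] || return 1
    [ ! -e "$target.new.$$" ]
}

# demo: rehearse on constructed stand-ins for /bin/login and login.krb5 in a
# scratch directory, then clean up.  Returns 0 when the swap verified.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'vendor login\n'   > "$dir/login"
    printf 'kerberos login\n' > "$dir/login.krb5"
    orig=$(inode_of "$dir/login")
    if atomic_replace "$dir/login" "$dir/login.krb5" "$dir/login.no-krb" &&
       verify_replace "$dir/login" "$dir/login.krb5" "$dir/login.no-krb" "$orig"
    then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}

# For the real thing, as root, once the rehearsal passes:
#   atomic_replace /bin/login /usr/krb5/sbin/login.krb5 /bin/login.no-krb
```

Because the copy is made beside the target and only renamed into place, the rename is one directory-entry swap on the same filesystem, which is what makes the "in use" binary a non-problem. The hard link keeps the vendor binary's inode alive for rollback, and since login.krb5 is copied rather than moved, the Kerberized telnetd and rlogind still find it in /usr/krb5/sbin. The backup check matters on a second run: without it, ln would fail after the copy had already been made, or an earlier backup would be silently lost.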
From kreymer@fnal.gov Fri May 19 10:38:34 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA18120 for ; Fri, 19 May 2000 10:38:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPKV3R5XRM000A38@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 19 May 2000 10:37:52 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000138E9@listserv.fnal.gov>; Fri, 19 May 2000 10:02:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 17519 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 19 May 2000 10:02:40 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000138E8@listserv.fnal.gov>; Fri, 19 May 2000 10:02:39 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPKWFSYUXI000AVV@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 19 May 2000 10:02:21 -0500 Date: Fri, 19 May 2000 10:02:18 -0500 From: Margaret Votava Subject: Re: kerberos v0_5 is ready for you to test Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: <3925577A.5E813CA1@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200005191443.JAA23690@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 316 Matt Crawford wrote: > > > tried it and it seems to work fine. 
two notes: > > > > - if i just use my afs password and not my kerberos 5 password, i can > > still log in, but do not get any afs tokens (error message that says > > preautentication failed while getting initial credentials). this is > > not intuative to me. > > I can only understand this if your AFS password is the same as your > local Unix password. If you're unsure, you can test whether this is > the case with the system's su command. "su votava" and supply your > AFS password. If it works, it's also your unix password. The > Kerberos login program first tries the password you gave as a > Kerberos password (which gets your the preauth. failed message if it > isn't), then as a (local or NIS) Unix password. It doesn't try AFS. > This will cause some confusion in the general world. If I slogin into my system with the same password as logging in from the console, I see different behavior because ssh has been mapped with afs. Yes, my local password is the same as my yp password. Now that we have migrated fndau* users to afs space, we have implemented a recommendation that all non-ODS people have their password be their afs password (i.e., a '!' in the password file, which is NIS-served). What will happen in this case, since the local password would be the afs password by definition? Would one be able to login from the console and get tokens? 
Thanks, Margaret From kreymer@fnal.gov Fri May 19 15:43:25 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA21691 for ; Fri, 19 May 2000 15:43:24 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPL8CERVSQ0009XL@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 19 May 2000 15:43:15 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013C12@listserv.fnal.gov>; Fri, 19 May 2000 15:43:10 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18383 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 19 May 2000 15:43:10 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013C11@listserv.fnal.gov>; Fri, 19 May 2000 15:43:10 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPL8CDH1W8000APM@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Fri, 19 May 2000 15:43:08 -0500 Date: Fri, 19 May 2000 15:43:08 -0500 From: Margaret Votava Subject: tickets/tokens don't seem to be forwarding Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3925A75C.C61B9A5D@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 317 Hi, I'm logged onto my Linux box (which is in the strengthened realm), and slogged into one of our Sun machines, but my afs tokens weren't forwarded. Should they be? 
Thanks,
Margaret

odsmev.fnal.gov % klist -f
Ticket cache: /tmp/krb5cc_1103
Default principal: votava@PILOT.FNAL.GOV

Valid starting      Expires             Service principal
05/19/00 09:05:32   05/19/00 22:05:32   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 05/26/00 09:05:30, Flags: FRIA
05/19/00 09:05:32   05/19/00 22:05:32   afs/fnal.gov@PILOT.FNAL.GOV
        renew until 05/26/00 09:05:30, Flags: FRA
05/19/00 12:11:03   05/19/00 22:05:32   host/fndaub.fnal.gov@PILOT.FNAL.GOV
        renew until 05/26/00 09:05:30, Flags: FRA
odsmev.fnal.gov % date
Fri May 19 15:38:51 CDT 2000
odsmev.fnal.gov % slogin fndauk

...
/usr/openwin/bin/xauth: timeout in locking authority file /afs/fnal.gov/files/home/room3/votava/.Xauthority
...
Terminal type is vt100
There are no available articles.
touch: cannot change times on /afs/fnal.gov/files/home/room3/votava/.Info
tokens.krb

Tokens held by the Cache Manager:

--End of list--

--
Margaret Votava                                votava@fnal.gov
Computing Division/Experiment Online Support   630-840-2625 (office)
Fermi National Accelerator Laboratory          630-840-6345 (fax)
From kreymer@fnal.gov Fri May 19 15:58:41 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA21696 for ; Fri, 19 May 2000 15:58:41 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPL8VGRZGW000APM@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Fri, 19 May 2000 15:58:38 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013C48@listserv.fnal.gov>; Fri, 19 May 2000 15:58:32 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18441 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 19 May 2000 15:58:32 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00013C47@listserv.fnal.gov>; Fri, 19 May 2000 15:58:32 -0500 
Received: from fsui03.fnal.gov ([131.225.68.24]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPL8VAO37G000AC1@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Fri, 19 May 2000 15:58:25 -0500 Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA21275; Fri, 19 May 2000 15:58:24 -0500 (CDT) Date: Fri, 19 May 2000 15:58:24 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: tickets/tokens don't seem to be forwarding Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200005192058.PAA21275@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 318 I don't think so -- slogin is from ssh, not kerberos. Use rlogin (and make sure it's the rlogin from /usr/krb5/bin -- should be set this way by default if you're running "setup setpath" when you log in). Is fndauk running kerberos? If not, then the kerberos rlogin will fail over to the "normal" rlogin, and you'll have to enter your password for fndauk. -- lauri On Friday 19 May 2000, our friend Margaret Votava spaketh thusly: > Hi, > > I'm logged onto my Linux box (which is in the strengthened > realm), and slogged into one of our Sun machines, but > my afs tokens weren't forwarded. Should they be? 
> > Thanks, > Margaret > > odsmev.fnal.gov % klist -f > Ticket cache: /tmp/krb5cc_1103 > Default principal: votava@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 05/19/00 09:05:32 05/19/00 22:05:32 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > renew until 05/26/00 09:05:30, Flags: FRIA > 05/19/00 09:05:32 05/19/00 22:05:32 afs/fnal.gov@PILOT.FNAL.GOV > renew until 05/26/00 09:05:30, Flags: FRA > 05/19/00 12:11:03 05/19/00 22:05:32 host/fndaub.fnal.gov@PILOT.FNAL.GOV > renew until 05/26/00 09:05:30, Flags: FRA > odsmev.fnal.gov % date > Fri May 19 15:38:51 CDT 2000 > odsmev.fnal.gov % slogin fndauk > > ... > /usr/openwin/bin/xauth: timeout in locking authority file > /afs/fnal.gov/files/home/room3/votava/.Xauthority > ... > Terminal type is vt100 > There are no available articles. > touch: cannot change times on /afs/fnal.gov/files/home/room3/votava/.Info > tokens.krb > > Tokens held by the Cache Manager: > > --End of list-- > > > -- > Margaret Votava votava@fnal.gov > Computing Division/Experiment Online Support 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Tue May 23 12:27:13 2000 -0500 Return-Path: Received: from FNAL.FNAL.Gov (fnal.fnal.gov [131.225.9.8]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA01411 for ; Tue, 23 May 2000 12:27:13 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPQMNT7Y1W000COC@FNAL.FNAL.GOV> for kreymer@patnt2.fnal.gov (ORCPT rfc822;KREYMER@FNAL.GOV); Tue, 23 May 2000 12:27:13 -0500 CDT Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001620C@listserv.fnal.gov>; Tue, 23 May 2000 12:27:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 17742 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 May 2000 12:27:11 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with 
SMTP id <0.0001620B@listserv.fnal.gov>; Tue, 23 May 2000 12:27:11 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JPQMNSIHJM000BIS@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 23 May 2000 12:27:10 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA01479 for ; Tue, 23 May 2000 12:27:09 -0500 (CDT) Date: Tue, 23 May 2000 12:27:09 -0500 From: Matt Crawford Subject: Replacing /bin/login on IRIX - don't bother Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200005231727.MAA01479@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 319 After getting opinions from outside, it doesn't seem worth the bother of trying to get IRIX to perform a direct Kerberos-validated login at the console. Replacing /bin/login (really /usr/lib/iaf/scheme) only works for a text-mode console login, and under IRIX if you use the text mode of logging in, lots of other things break. SGI's position is that text login is not supported. There's a possibility of providing a dynamic library which will be called by login if present and I'll put this on the back burner for a later date. 
From kreymer@fnal.gov Fri May 26 12:07:46 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA25276 for ; Fri, 26 May 2000 12:07:46 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FV600D01FKT33@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Fri, 26 May 2000 12:07:41 -0500 (CDT) Received: from listserv.fnal.gov (listserv.fnal.gov [131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FV600B5FFKR81@smtp.fnal.gov>; Fri, 26 May 2000 12:07:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000181A9@listserv.fnal.gov>; Fri, 26 May 2000 12:07:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 26468 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Fri, 26 May 2000 12:07:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000181A7@listserv.fnal.gov>; Fri, 26 May 2000 12:07:43 -0500 Received: from gungnir.fnal.gov (gungnir.fnal.gov [131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FV600B66FKQ80@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Fri, 26 May 2000 12:07:39 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA29564 for ; Fri, 26 May 2000 12:07:42 -0500 (CDT) Date: Fri, 26 May 2000 12:07:42 -0500 From: Matt Crawford Subject: Fermi Kerberos v0_6 released Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200005261707.MAA29564@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 320 Version v0_6 is "current" on fnkits, except for the Linux+2.0 flavor which is delayed due to some filesystem problem on the Linux 5.2 build node. 
New features are: Bug fixes for various buffer overflows announced last week. (Many of the bugs don't concern us, but the one in v4rcp *might* be locally exploitable.) Support for Kerberos-authenticated cron jobs (and, to a certain extent, batch jobs) is provided now without requiring systools. See the commands kcron, kcron-create and kcron-destroy. From kreymer@fnal.gov Fri May 26 13:43:32 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA25333 for ; Fri, 26 May 2000 13:43:32 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FV600G01K01JN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Fri, 26 May 2000 13:43:14 -0500 (CDT) Received: from listserv.fnal.gov (listserv.fnal.gov [131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FV600G18JW12O@smtp.fnal.gov>; Fri, 26 May 2000 13:40:50 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000182AC@listserv.fnal.gov>; Fri, 26 May 2000 13:40:53 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 26749 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Fri, 26 May 2000 13:40:53 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000182AA@listserv.fnal.gov>; Fri, 26 May 2000 13:40:53 -0500 Received: from gungnir.fnal.gov (gungnir.fnal.gov [131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FV600G19JW03B@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Fri, 26 May 2000 13:40:48 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA00160 for ; Fri, 26 May 2000 13:40:52 -0500 (CDT) Date: Fri, 26 May 2000 13:40:52 -0500 From: Matt Crawford Subject: Re: Fermi 
Kerberos v0_6 released Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200005261840.NAA00160@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 321 Two updates: First, this release has an IRIX+6.5 flavor in addition to the IRIX+6 that previous releases had, and this 6.5 flavor fixes the strange troubles some users noted when compiling under a Kerberized telnet session. Second, the cron-related user commands are named kcron, kcroninit and kcrondestroy, not what I wrote before. From kreymer@fnal.gov Wed May 31 17:24:45 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA09747 for ; Wed, 31 May 2000 17:24:45 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FVG005013L8NQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 31 May 2000 17:24:44 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FVG0043G3L8CQ@smtp.fnal.gov>; Wed, 31 May 2000 17:24:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001AC0F@listserv.fnal.gov>; Wed, 31 May 2000 17:24:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 3099 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 31 May 2000 17:24:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001AC0E@listserv.fnal.gov>; Wed, 31 May 2000 17:24:44 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FVG003823L70B@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 31 May 2000 17:24:44 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id 
RAA28646; Wed, 31 May 2000 17:24:43 -0500 (CDT) Date: Wed, 31 May 2000 17:24:42 -0500 From: Matt Crawford Subject: Re: remote xemacs In-reply-to: "27 Apr 2000 12:49:31 MDT." <200004271849.MAA00610@dot.phys.unm.edu> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Gold Cc: kerberos-pilot@fnal.gov Message-id: <200005312224.RAA28646@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 322

xemacs and efs are not forgotten. I've worked out a simple change to the Kerberos ftp client which will let it work with an unaltered efs.el *if* you already have your Kerberos ticket. Right now I'm checking with the rest of the Kerberos development community to see if my proposed change makes anyone violently ill.

Details, for the morbidly curious: efs mode always invokes ftp with the "-n" flag, which suppresses processing of any $HOME/.netrc file which may be present, and any prompting for a remote username. Compare:

% /usr/bin/ftp gungnir
Connected to gungnir.fnal.gov.
220 gungnir.fnal.gov FTP server (Version 5.60) ready.
Name (gungnir:crawdad): ^C
% /usr/bin/ftp -n gungnir
Connected to gungnir.fnal.gov.
220 gungnir.fnal.gov FTP server (Version 5.60) ready.
ftp> quit
221 Goodbye.
%

The difficulty is that with the Kerberos ftp client, "-n" also suppresses the GSSAPI authentication exchange that precedes the USER command. Compare:

% /usr/krb5/bin/ftp -dv gungnir
Connected to gungnir.fnal.gov.
220 gungnir.fnal.gov FTP server (Version 5.60) ready.
---> AUTH GSSAPI
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
Trying to authenticate to
calling gss_init_sec_context
---> ADAT ...
calling gss_init_sec_context
GSSAPI authentication succeeded
Name (gungnir:crawdad): ^C
% /usr/krb5/bin/ftp -dvn gungnir
Connected to gungnir.fnal.gov.
220 gungnir.fnal.gov FTP server (Version 5.60) ready.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quote USER crawdad
---> USER crawdad
530 User crawdad access denied: authentication required.

There's no command available to cause the AUTH/ADAT sequence to be performed if it was suppressed by "-n". The choices are to hack efs.el to add yet another special case, or to change what "-n" means to ftp so it does AUTH/ADAT but does not process .netrc or prompt for a username. Stay tuned.

From kreymer@fnal.gov Tue Jun 6 11:28:45 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA30389 for ; Tue, 6 Jun 2000 11:28:45 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FVQ00E01R3WRQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 06 Jun 2000 11:28:44 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FVQ00C6WR3WFE@smtp.fnal.gov>; Tue, 06 Jun 2000 11:28:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001D98D@listserv.fnal.gov>; Tue, 06 Jun 2000 11:28:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 15462 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 06 Jun 2000 11:28:44 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001D98C@listserv.fnal.gov>; Tue, 06 Jun 2000 11:28:44 -0500 Received: from CUERVO ([131.225.80.193]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with SMTP id <01JQA4P5QSBQ000FVS@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Tue, 06 Jun 2000 11:28:43 -0500 Date: Tue, 06 Jun 2000 11:28:42 -0500 From: "Mark O. 
Kaletka" Subject: RE: adding kerberized services on zeno.physics.lsa.umich.edu In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: David Gerdes Cc: Kerberos Pilot List Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6700 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 323 > -----Original Message----- > From: David Gerdes [mailto:gerdes@umich.edu] > Sent: Thursday, June 01, 2000 2:55 PM > To: crawdad@fnal.gov; kaletka@fnal.gov > Subject: adding kerberized services on zeno.physics.lsa.umich.edu >...snip...< > I've managed to successfully install kerberos on my Linux workstation at > Michigan, zeno.physics.lsa.umich.edu. I did so using the MIT sources, > since I don't have UPS/UPD installed. I obtained and changed my initial > kerberos password and was able to log into fcdfsgi2. > > I have a couple of questions and requests: > * I used the same /etc/krb5.conf file as on cdfsga. Is > that appropriate, or should I make changes? The best thing would be to grab the most recent ups tar file for krb5.conf from ftp://ftp.fnal.gov/products/krb5conf/ (currently this would be ftp://ftp.fnal.gov/products/krb5conf/v0_6a/NULL/krb5conf_v0_6a_NULL.ups.tar). Untar it and look at the top of the installAsRoot script for instructions on how to install it without ups. If you're NOT running AFS (I assume you're not), then check to be sure that the installAsRoot script changes the lines in krb5.conf to krb5_run_aklog = false. The krb5.conf template is updated from time to time; these updates are announced on the kerberos-announce mailing list. > * What should I use for my kdb.conf file? Seems like this file > was not necessary to log into fcdfsgi2. Do you mean kdc.conf? 
That would be the configuration file for a key distribution center (kdc), which you aren't (and shouldn't be) running. > * I would like to register this host for incoming telnet and ftp > connections. Can we do this by phone? Please send an email to mailto:compdiv@fnal.gov requesting host and ftp principals for your system. Yolanda Valadez will phone you with the passwords for these principals. Once you have the passwords you can install the keytab files following the instructions in http://www.fnal.gov/docs/strongauth/html/strong_auth.4.html. > * Do you recommend enabling these services in light of the > recent CERT advisory regarding buffer overflow exploits in > MIT Kerberos? Do you have a workaround? The two major problems are in the krshd and ksu (the others affect v4-v5 compatibility mode). Your best bet is to upgrade to v1.0.7-beta1 and apply the patches described in the CERT advisory. > * Finally, please subscribe me to the kerberos-pilot mailing > list. Done, and kerberos-announce, too. Ooops, should've checked, you were already subscribed to kerberos-announce! > > Thanks in advance for your help. 
> > Regards, > > David Gerdes > > -------------------------------------- > David Gerdes, University of Michigan > (734) 647-3807 / (734) 936-1817 FAX > gerdes@umich.edu > http://umaxp1.physics.lsa.umich.edu/~gerdes/ > > > > From kreymer@fnal.gov Fri Jun 9 21:23:04 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id VAA19012 for ; Fri, 9 Jun 2000 21:23:04 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FVX00I012MFIK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 09 Jun 2000 21:23:03 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FVX00BN62MELH@smtp.fnal.gov>; Fri, 09 Jun 2000 21:23:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001F9DC@listserv.fnal.gov>; Fri, 09 Jun 2000 21:23:03 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 24332 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 09 Jun 2000 21:23:03 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001F9DA@listserv.fnal.gov>; Fri, 09 Jun 2000 21:23:03 -0500 Received: from imapserver3.fnal.gov ([131.225.9.17]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FVX00BND2MEKT@smtp.fnal.gov>; Fri, 09 Jun 2000 21:23:02 -0500 (CDT) Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 1310; Fri, 09 Jun 2000 21:23:01 -0500 Received: from d6mil ([12.75.172.210]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Sat, 10 Jun 2000 02:22:59 +0000 (GMT) Date: Fri, 09 Jun 2000 21:22:52 -0500 From: "Robert M. Harris" Subject: Re: Kerberos client (fwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Nigel S. 
Lockyer" Cc: kerberos-pilot@fnal.gov, cdfsys@fnal.gov, shapiro@fnal.gov, heinrich@rutherford.hep.upenn.edu Message-id: <007101bfd282$cc13e2e0$31c2fea9@d6mil> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2615.200 X-Mailer: Microsoft Outlook Express 5.00.2615.200 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal References: Status: RO X-Status: X-Keywords: X-UID: 324 Dear Nigel, This mail message is being cc'd to kerberos-pilot@fnal.gov so that they may address Joel's questions. My initial reaction would be "no, you probably shouldn't be too concerned", the strong authentication group at Fermilab is not going to prevent you from receiving e-mail, and I suspect they are aware of security holes in various versions of Kerberos and they should have a response. Thanks, Robert ----- Original Message ----- From: Nigel S. Lockyer To: ; Sent: Friday, June 09, 2000 2:23 PM Subject: Re: Kerberos client (fwd) > > Marj and Rob, > > Should I be concerned? > > > Nigel > > > > > ---------- Forwarded message ---------- > Date: Fri, 9 Jun 2000 15:16:21 -0400 (EDT) > From: Joel G. Heinrich > To: Nigel S. Lockyer > Subject: Re: Kerberos client > > A month ago I was more enthusiastic about trying out kerberos on the > einstein node (Chun's machine) at penn. I postponed this because of > two issues which came to my attention recently. The first is this part of > the Fermilab Policy on Computing (http://www.fnal.gov/cd/main/cpolicy.html) > > "The policy and rules described here cover these systems no matter who > is the owner or the method of connection to the network. > Included are all on or off-site computers that are included in > Fermilab's "Strengthened Realm" and authenticated by the Fermilab > Kerberos Key Server." > > which seems to imply that Fermilab regulations are enforced on any machine > authenticated by the Fermilab Kerberos Key Server. 
> These regulations
> do not seem at all appropriate for a machine at penn. For example,
> the Fermilab Policy on Computing goes on to say:
>
> "The following services will become restricted as Computing Division
> support for them is upgraded to a sufficient level. This upgrade is
> scheduled for completion by June 30, 2000. At that time exceptional
> approval for workgroup-local implementation will be considered by the FCSC.
>
> . Externally-reachable email servers, including SMTP, POP and IMAP."
>
> which means that we will not be allowed to receive email on
> a machine at penn authenticated by the Fermilab Kerberos Key Server.
> Also, "all externally-reachable DNS service" is prohibited.
>
>
> The second issue is the following recent report of a serious security hole
> in Kerberos:
>
>
> http://www.ciac.org/ciac/bulletins/k-043.shtml
>
>
> PROBLEM:        Security vulnerabilities were found in the krb_rd_req()
>                 function, the Kerberized Berkeley remote shell daemon (krshd),
>                 and the v4rcp and ksu programs.
> PLATFORM:       Those running any of the following:
>                 (1) Systems running services authenticated via Kerberos 4.
>                 (2) Some systems running services authenticated via Kerberos 5.
>                 (3) Systems running the Kerberized remote shell daemon (krshd).
>                 (4) Systems with the Kerberos 5 ksu utility installed.
>                 (5) Systems with the Kerberos 5 v4rcp utility installed.
> DAMAGE:         These vulnerabilities may allow users to gain root access.
> SOLUTION:       Apply the patches as directed by the advisory.
>
>
> VULNERABILITY   The risk is HIGH. There is at least one known exploit that will
> ASSESSMENT:     lead to a root compromise. These vulnerabilities have been
>                 discussed in public forums.
>
>
>
>
> On Fri, 9 Jun 2000, Nigel S. Lockyer wrote:
>
> >
> >
> > Rob Harris told me at the computer meeting yesterday
> > that universities should go ahead and install Kerberos client.
> > I thought you might enjoy this and actually know how to do it
> > already.
> > > > Nigel > > > From kreymer@fnal.gov Sun Jun 11 14:19:25 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA00135 for ; Sun, 11 Jun 2000 14:19:25 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW000G018CCYN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sun, 11 Jun 2000 14:19:24 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW000E6X8CCAO@smtp.fnal.gov>; Sun, 11 Jun 2000 14:19:24 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001FEF7@listserv.fnal.gov>; Sun, 11 Jun 2000 14:19:24 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25677 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sun, 11 Jun 2000 14:19:24 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0001FEF6@listserv.fnal.gov>; Sun, 11 Jun 2000 14:19:24 -0500 Received: from mtiwmhc27.worldnet.att.net ([204.127.131.52]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW000E7Q8CBA5@smtp.fnal.gov>; Sun, 11 Jun 2000 14:19:23 -0500 (CDT) Received: from riven ([12.75.83.97]) by mtiwmhc27.worldnet.att.net (InterMail vM.4.01.02.39 201-229-119-122) with SMTP id <20000611191921.FTHX2120.mtiwmhc27.worldnet.att.net@riven>; Sun, 11 Jun 2000 19:19:21 +0000 Date: Sun, 11 Jun 2000 14:03:08 -0500 From: "Mark O. Kaletka" Subject: Re: Kerberos client (fwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Robert M. Harris" , "Nigel S. 
Lockyer" Cc: kerberos-pilot@fnal.gov, cdfsys@fnal.gov, shapiro@fnal.gov, heinrich@rutherford.hep.upenn.edu, nash@fnal.gov, crawdad@fnal.gov, kaletka@fnal.gov Message-id: <002401bfd3d9$cbe7e700$61534b0c@riven> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 X-Mailer: Microsoft Outlook Express 5.00.2919.6600 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal References: <007101bfd282$cc13e2e0$31c2fea9@d6mil> Status: RO X-Status: X-Keywords: X-UID: 325 Rob, Nigel, et al: The first question is a policy question regarding which of our computer security rules will apply to off-site systems in the strengthened realm. My personal interpretation is that certain of the rules must not apply to off-site systems (e.g. the "central services" rule about email servers you refer to), but I will defer to our policy makers and interpreters (Tom Nash and Matt Crawford) to explain this further. As far as the second question, Fermi Kerberos v0_6a already contains the necessary security patches, although we'll have to look at a new set of buffer overflows in a CERT advisory released late Friday. Our intention, of course, is to fold security patches into the distribution as quickly as we test them. Users of the MIT distribution will need to apply the recommended patches themselves, of course. -- Mark K. ----- Original Message ----- From: "Robert M. Harris" To: "Nigel S. Lockyer" Cc: ; ; ; Sent: Friday, June 09, 2000 9:22 PM Subject: Re: Kerberos client (fwd) > Dear Nigel, > > This mail message is being cc'd to kerberos-pilot@fnal.gov so that they > may address Joel's questions. My initial reaction would be "no, you > probably shouldn't be too concerned", the strong authentication group at > Fermilab is not going to prevent you from receiving e-mail, and I suspect > they are aware of security holes in various versions of Kerberos and they > should have a response. 
> > Thanks, > Robert > > ----- Original Message ----- > From: Nigel S. Lockyer > To: ; > Sent: Friday, June 09, 2000 2:23 PM > Subject: Re: Kerberos client (fwd) > > > > > > Marj and Rob, > > > > Should I be concerned? > > > > > > Nigel > > > > > > > > > > ---------- Forwarded message ---------- > > Date: Fri, 9 Jun 2000 15:16:21 -0400 (EDT) > > From: Joel G. Heinrich > > To: Nigel S. Lockyer > > Subject: Re: Kerberos client > > > > A month ago I was more enthusiastic about trying out kerberos on the > > einstein node (Chun's machine) at penn. I postponed this because of > > two issues which came to my attention recently. The first is this part of > > the Fermilab Policy on Computing > (http://www.fnal.gov/cd/main/cpolicy.html) > > > > "The policy and rules described here cover these systems no matter who > > is the owner or the method of connection to the network. > > Included are all on or off-site computers that are included in > > Fermilab's "Strengthened Realm" and authenticated by the Fermilab > > Kerberos Key Server." > > > > which seems to imply that Fermilab regulations are enforced on any machine > > authenticated by the Fermilab Kerberos Key Server. These regulations > > do not seem at all apropriate for a machine at penn. For example, > > the Fermilab Policy on Computing goes on to say: > > > > "The following services will become restricted as Computing Division > > support for them is upgraded to a sufficient level. This upgrade is > > scheduled for completion by June 30, 2000. At that time exceptional > > approval for workgroup-local implementation will be considered by the > FCSC. > > > > . Externally-reachable email servers, including SMTP, POP and IMAP." > > > > which means that we will not be allowed to receive email on > > a machine at penn authenticated by the Fermilab Kerberos Key Server. > > Also, "all externally-reachable DNS service" is prohibited. 
> > > > > > The second issue is the following recent report of a serious security > hole > > in Kerberos: > > > > > > http://www.ciac.org/ciac/bulletins/k-043.shtml > > > > > > PROBLEM: Security vulnerabilities were found in the krb_rd_req() > > function, the Kerberized Berkeley remote shell daemon > (krshd), > > and the v4rcp and ksu programs. > > PLATFORM: Those running any of the following: > > (1) Systems running services authenticated via Kerberos 4. > > (2) Some systems running services authenticated via > Kerberos 5. > > (3) Systems running the Kerberized remote shell daemon > (krshd). > > (4) Systems with the Kerberos 5 ksu utility installed. > > (5) Systems with the Kerberos 5 v4rcp utility installed. > > DAMAGE: These vulnerabilities may allow users to gain root access. > > SOLUTION: Apply the patches as directed by the advisory. > > > > > > VULNERABILITY The risk is HIGH. There is at least one known exploit that > will > > ASSESSMENT: lead to a root compromise. These vulnerabilities have been > > discussed in public forums. > > > > > > > > > > On Fri, 9 Jun 2000, Nigel S. Lockyer wrote: > > > > > > > > > > > Rob Harris told me at the computer meeting yesterday > > > that universities should go ahead and install Kerberos client. > > > I thought you might enjoy this and actually know how to do it > > > already. 
> > > > > > Nigel > > > > > > > > From kreymer@fnal.gov Mon Jun 12 11:46:49 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA06892 for ; Mon, 12 Jun 2000 11:46:49 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW100C01VY0G3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 11:46:48 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100B1UVY0OF@smtp.fnal.gov>; Mon, 12 Jun 2000 11:46:48 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020428@listserv.fnal.gov>; Mon, 12 Jun 2000 11:46:48 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27061 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 11:46:48 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020427@listserv.fnal.gov>; Mon, 12 Jun 2000 11:46:48 -0500 Received: from resolute.fnal.gov ([131.225.7.62]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100C0QVXX99@smtp.fnal.gov>; Mon, 12 Jun 2000 11:46:48 -0500 (CDT) Date: Mon, 12 Jun 2000 11:45:59 -0500 From: Thomas Nash Subject: Policies and rules in the strengthened realm In-reply-to: <002401bfd3d9$cbe7e700$61534b0c@riven> Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: nash@popgtw.fnal.gov To: "Robert M. Harris" , "Nigel S. 
Lockyer" , shapiro@fnal.gov, heinrich@rutherford.hep.upenn.edu Cc: kerberos-pilot@fnal.gov, cdfsys@fnal.gov, computer_security@fnal.gov Message-id: <4.3.2.7.2.20000612100819.00c8ff00@popgtw.fnal.gov> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Content-type: text/plain; format=flowed; charset=us-ascii References: <007101bfd282$cc13e2e0$31c2fea9@d6mil> Status: RO X-Status: X-Keywords: X-UID: 326 This is an important question. It is clear that we are not being clear enough either in our thinking or in the written policy about what we intend regarding rules that would apply to strengthened realm computers located outside of the Fermilab site and not owned by Fermilab. Obviously there are important differences from machines on site. As Mark indicates, we do not want to unreasonably restrict services and activities that a university group might want to implement. On the other hand there is an important trust relationship involving any machine in the strengthened realm -- either on or off site. We will go over the existing rules in our policy so we can clarify exactly what we intend to apply to off-site strengthened realm systems. We will also decide how to clearly state what special restrictions we need to apply to the configuration of strengthened realm systems. We would like the relevant advisory groups to consider this question and start discussing it so we can get their views. They are the Computer Security Working Group and the users' working groups on off site strong authentication (sorry, I don't know the exact name) which Matthias is setting up with CDF and D0 and other users. I hope we will be able to have this matter clarified in the next month or so. Thanks for raising the question! 
Tom PS: So this issue does not delay any off site strong authentication testing, I formally waive any application of the Fermilab Policy on Computing to off-site non-Fermilab owned computers until August 31, 2000, by which time we should have clarified to everyone's satisfaction what rules we do and do not intend to apply to these systems. At 02:03 PM 6/11/00 -0500, Mark O. Kaletka wrote: >Rob, Nigel, et al: > >The first question is a policy question regarding which of our computer >security rules will apply to off-site systems in the strengthened realm. My >personal interpretation is that certain of the rules must not apply to >off-site systems (e.g. the "central services" rule about email servers you >refer to), but I will defer to our policy makers and interpreters (Tom Nash >and Matt Crawford) to explain this further. > >As far as the second question, Fermi Kerberos v0_6a already contains the >necessary security patches, although we'll have to look at a new set of >buffer overflows in a CERT advisory released late Friday. Our intention, of >course, is to fold security patches into the distribution as quickly as we >test them. Users of the MIT distribution will need to apply the recommended >patches themselves, of course. > >-- Mark K. > >----- Original Message ----- >From: "Robert M. Harris" >To: "Nigel S. Lockyer" >Cc: ; ; ; > >Sent: Friday, June 09, 2000 9:22 PM >Subject: Re: Kerberos client (fwd) > > > > Dear Nigel, > > > > This mail message is being cc'd to kerberos-pilot@fnal.gov so that they > > may address Joel's questions. My initial reaction would be "no, you > > probably shouldn't be too concerned", the strong authentication group at > > Fermilab is not going to prevent you from receiving e-mail, and I suspect > > they are aware of security holes in various versions of Kerberos and they > > should have a response. > > > > Thanks, > > Robert > > > > ----- Original Message ----- > > From: Nigel S. 
Lockyer > > To: ; > > Sent: Friday, June 09, 2000 2:23 PM > > Subject: Re: Kerberos client (fwd) > > > > > > > > > > Marj and Rob, > > > > > > Should I be concerned? > > > > > > > > > Nigel > > > > > > > > > > > > > > > ---------- Forwarded message ---------- > > > Date: Fri, 9 Jun 2000 15:16:21 -0400 (EDT) > > > From: Joel G. Heinrich > > > To: Nigel S. Lockyer > > > Subject: Re: Kerberos client > > > > > > A month ago I was more enthusiastic about trying out kerberos on the > > > einstein node (Chun's machine) at penn. I postponed this because of > > > two issues which came to my attention recently. The first is this part >of > > > the Fermilab Policy on Computing > > (http://www.fnal.gov/cd/main/cpolicy.html) > > > > > > "The policy and rules described here cover these systems no matter >who > > > is the owner or the method of connection to the network. > > > Included are all on or off-site computers that are included in > > > Fermilab's "Strengthened Realm" and authenticated by the Fermilab > > > Kerberos Key Server." > > > > > > which seems to imply that Fermilab regulations are enforced on any >machine > > > authenticated by the Fermilab Kerberos Key Server. These regulations > > > do not seem at all apropriate for a machine at penn. For example, > > > the Fermilab Policy on Computing goes on to say: > > > > > > "The following services will become restricted as Computing Division > > > support for them is upgraded to a sufficient level. This upgrade is > > > scheduled for completion by June 30, 2000. At that time exceptional > > > approval for workgroup-local implementation will be considered by the > > FCSC. > > > > > > . Externally-reachable email servers, including SMTP, POP and >IMAP." > > > > > > which means that we will not be allowed to receive email on > > > a machine at penn authenticated by the Fermilab Kerberos Key Server. > > > Also, "all externally-reachable DNS service" is prohibited. 
> > > > > > > > > The second issue is the following recent report of a serious security > > hole > > > in Kerberos: > > > > > > > > > http://www.ciac.org/ciac/bulletins/k-043.shtml > > > > > > > > > PROBLEM: Security vulnerabilities were found in the krb_rd_req() > > > function, the Kerberized Berkeley remote shell daemon > > (krshd), > > > and the v4rcp and ksu programs. > > > PLATFORM: Those running any of the following: > > > (1) Systems running services authenticated via Kerberos >4. > > > (2) Some systems running services authenticated via > > Kerberos 5. > > > (3) Systems running the Kerberized remote shell daemon > > (krshd). > > > (4) Systems with the Kerberos 5 ksu utility installed. > > > (5) Systems with the Kerberos 5 v4rcp utility installed. > > > DAMAGE: These vulnerabilities may allow users to gain root >access. > > > SOLUTION: Apply the patches as directed by the advisory. > > > > > > > > > VULNERABILITY The risk is HIGH. There is at least one known exploit >that > > will > > > ASSESSMENT: lead to a root compromise. These vulnerabilities have >been > > > discussed in public forums. > > > > > > > > > > > > > > > On Fri, 9 Jun 2000, Nigel S. Lockyer wrote: > > > > > > > > > > > > > > > Rob Harris told me at the computer meeting yesterday > > > > that universities should go ahead and install Kerberos client. > > > > I thought you might enjoy this and actually know how to do it > > > > already. 
> > > > > > > > Nigel > > > > > > > > > > > > > From kreymer@fnal.gov Mon Jun 12 12:09:42 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA06936 for ; Mon, 12 Jun 2000 12:09:41 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW100D01X05T0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 12:09:41 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100B93X05F7@smtp.fnal.gov>; Mon, 12 Jun 2000 12:09:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002054F@listserv.fnal.gov>; Mon, 12 Jun 2000 12:09:41 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27368 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 12:09:41 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002054E@listserv.fnal.gov>; Mon, 12 Jun 2000 12:09:41 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JQIJUYM2O4000GOB@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal); Mon, 12 Jun 2000 12:09:37 -0500 Date: Mon, 12 Jun 2000 12:09:37 -0500 From: Margaret Votava Subject: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <39451951.BB9C96DE@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 327 Hi, I'm trying to run it, and get the following error. What have I done wrong? 
Thanks
Margaret


odsmev.fnal.gov % kcroninit

*************************************************************************
*                                                                       *
*  NOTE: You will be required to enter your kerberos password.          *
*                                                                       *
*  YOU MUST BE ON A SECURE CHANNEL (e.g., you must be running           *
*  this script on your local machine, or you must be connected          *
*  via an encrypted session).                                           *
*                                                                       *
*  IF YOU ARE NOT ON A SECURE CHANNEL, DO NOT CONTINUE!                 *
*                                                                       *
*************************************************************************

Are you on a secure channel? (default = y):
What is your kerberos principal (default = votava@PILOT.FNAL.GOV):
Enter the password for votava@PILOT.FNAL.GOV:
Now adding principal votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating
"votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.
odsmev.fnal.gov % which kcroninit
/usr/products/cluster_disk/kcroninit/v0_6/bin/kcroninit
odsmev.fnal.gov % klist
Ticket cache: /tmp/krb5cc_1103
Default principal: votava@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
06/12/00 12:01:00  06/13/00 14:01:00  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 06/19/00 12:00:57
06/12/00 12:01:00  06/13/00 14:01:00  afs/fnal.gov@PILOT.FNAL.GOV
        renew until 06/19/00 12:00:57

From kreymer@fnal.gov Mon Jun 12 12:38:05 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA06954 for ; Mon, 12 Jun 2000 12:38:05 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW100E01YBGWP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 12:38:05 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100ADPYBGSG@smtp.fnal.gov>; Mon, 12 Jun 2000 12:38:04 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000205C1@listserv.fnal.gov>; Mon, 12 Jun 2000 12:38:04 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27488 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 12:38:04 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000205C0@listserv.fnal.gov>; Mon, 12 Jun 2000 12:38:04 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100BDOYBG7A@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 12:38:04 -0500 (CDT)
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id MAA14856; Mon, 12 Jun 2000 12:38:04 -0500 (CDT)
Date: Mon, 12 Jun 2000 12:38:04 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kcroninit in kerberos v0_6
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200006121738.MAA14856@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 328

Could you please do the following and send the output? Thanks,
lauri

ls -al /var/adm/krb5/`kcron -f`
kcroninit -d
ls -al /var/adm/krb5/`kcron -f`

(The "-d" on kcroninit should enable debugging, lots more output
that might help figure out what is happening).

Thanks, lauri

On Monday 12 June 2000,
our friend Margaret Votava spaketh thusly:
> Hi,
>
> I'm trying to run it, and get the following error. What have I done wrong?
>
> Thanks
> Margaret
>
>
> odsmev.fnal.gov % kcroninit
>
> *************************************************************************
> *                                                                       *
> *  NOTE: You will be required to enter your kerberos password.          *
> *                                                                       *
> *  YOU MUST BE ON A SECURE CHANNEL (e.g., you must be running           *
> *  this script on your local machine, or you must be connected          *
> *  via an encrypted session).                                           *
> *                                                                       *
> *  IF YOU ARE NOT ON A SECURE CHANNEL, DO NOT CONTINUE!                 *
> *                                                                       *
> *************************************************************************
>
> Are you on a secure channel? (default = y):
> What is your kerberos principal (default = votava@PILOT.FNAL.GOV):
> Enter the password for votava@PILOT.FNAL.GOV:
> Now adding principal votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
> add_principal: Principal or policy already exists while creating
> "votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV".
> Now creating empty keytab file for votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
> Now writing temporary keytab for votava/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
> Temporary keytab created.
> Now transferring temporary keytab file contents...
> ERROR transferring keytab file contents; ABORT.
> All done.
> odsmev.fnal.gov % which kcroninit > /usr/products/cluster_disk/kcroninit/v0_6/bin/kcroninit > odsmev.fnal.gov % klist > Ticket cache: /tmp/krb5cc_1103 > Default principal: votava@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 06/12/00 12:01:00 06/13/00 14:01:00 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > renew until 06/19/00 12:00:57 > 06/12/00 12:01:00 06/13/00 14:01:00 afs/fnal.gov@PILOT.FNAL.GOV > renew until 06/19/00 12:00:57 From kreymer@fnal.gov Mon Jun 12 13:07:31 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA06964 for ; Mon, 12 Jun 2000 13:07:31 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW100F01ZOJUM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 13:07:31 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW100BIUZNY1J@smtp.fnal.gov>; Mon, 12 Jun 2000 13:07:10 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020615@listserv.fnal.gov>; Mon, 12 Jun 2000 13:07:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27575 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 13:07:11 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020614@listserv.fnal.gov>; Mon, 12 Jun 2000 13:07:11 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JQILVAVTOG000H67@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 13:07:09 -0500 Date: Mon, 12 Jun 2000 13:07:10 -0500 From: Margaret Votava Subject: Re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: 
<394526CE.6BFD245D@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200006121738.MAA14856@fsui03.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 329

I can't do the ls commands. It looks like permissions on
/var/adm are funny? I didn't specifically change them - would
the installation scripts?

odsmev.fnal.gov % ls -l /var
total 84
drwx-----x    3 root     g023         4096 Jun 12 12:01 adm
drwxr-xr-x    2 root     root         4096 Jan 26 02:08 arpwatch
drwxr-xr-x    2 root     root         4096 Aug 23  1999 cache
drwxrwxr-x   14 root     man          4096 Jan 26 02:14 catman
drwxr-xr-x    2 root     root         4096 Jan 26 02:07 db
...

[root@odsmev /var]# ls -l /var/adm
total 4
drwx--s--x    2 root     root         4096 Jun 12 12:01 krb5

It looks like kcroninit wants to write in this /var/adm/krb5. Should
this directory be writable by everyone?

...
Now transferring temporary keytab file contents...
now doing copy: tempKeytabFile = >/tmp/6444/votava<, realKeytabFile =
>/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw<
ERROR transferring keytab file contents; ABORT.

Thanks,
Margaret

"Laurelin of Middle Earth, 630-840-2214" wrote:
>
> Could you please do the following and send the output? Thanks,
> lauri
>
> ls -al /var/adm/krb5/`kcron -f`
> kcroninit -d
> ls -al /var/adm/krb5/`kcron -f`
>
> (The "-d" on kcroninit should enable debugging, lots more output
> that might help figure out what is happening).
>
> Thanks, lauri
>
> On Monday 12 June 2000,
> our friend Margaret Votava spaketh thusly:
>

From kreymer@fnal.gov Mon Jun 12 13:24:32 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA06974 for ; Mon, 12 Jun 2000 13:24:32 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200G010GWHN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 13:24:32 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200BK00GV7A@smtp.fnal.gov>; Mon, 12 Jun 2000 13:24:31 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020650@listserv.fnal.gov>; Mon, 12 Jun 2000 13:24:32 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27635 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 13:24:32 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002064F@listserv.fnal.gov>; Mon, 12 Jun 2000 13:24:31 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200BIQ0GV0H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 13:24:31 -0500 (CDT)
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id NAA16911; Mon, 12 Jun 2000 13:24:31 -0500 (CDT)
Date: Mon, 12 Jun 2000 13:24:31 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kcroninit in kerberos v0_6
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200006121824.NAA16911@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 330

kcroninit wants to write into /var/adm/krb5 -- but the
$KERBEROS_DIR/bin/kcron-create image should be suid and able to
create the files that it needs. Please check the ownership and
permissions on

    $KERBEROS_DIR/bin/kcron-create

and /usr/krb5/bin/kcron-create, should both be:

    -rwsr-xr-x   1 root     root        14896 May 24 11:41 kcron-create

Then if you could su to root and give me an output of

    ls -al /var/adm/krb5

-- lauri

On Monday 12 June 2000,
our friend Margaret Votava spaketh thusly:
>
> I can't do the ls commands. It looks like permissions on
> /var/adm are funny? I didn't specifically change them - would
> the installation scripts?
>
> odsmev.fnal.gov % ls -l /var
> total 84
> drwx-----x    3 root     g023         4096 Jun 12 12:01 adm
> drwxr-xr-x    2 root     root         4096 Jan 26 02:08 arpwatch
> drwxr-xr-x    2 root     root         4096 Aug 23  1999 cache
> drwxrwxr-x   14 root     man          4096 Jan 26 02:14 catman
> drwxr-xr-x    2 root     root         4096 Jan 26 02:07 db
> ...
>
> [root@odsmev /var]# ls -l /var/adm
> total 4
> drwx--s--x    2 root     root         4096 Jun 12 12:01 krb5
>
> It looks like kcroninit wants to write in this /var/adm/krb5. Should
> this directory be writable by everyone?
>
> ...
> Now transferring temporary keytab file contents...
> now doing copy: tempKeytabFile = >/tmp/6444/votava<, realKeytabFile =
> >/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw<
> ERROR transferring keytab file contents; ABORT.
>
> Thanks,
> Margaret
>
> "Laurelin of Middle Earth, 630-840-2214" wrote:
> >
> > Could you please do the following and send the output? Thanks,
> > lauri
> >
> > ls -al /var/adm/krb5/`kcron -f`
> > kcroninit -d
> > ls -al /var/adm/krb5/`kcron -f`
> >
> > (The "-d" on kcroninit should enable debugging, lots more output
> > that might help figure out what is happening).
> > > > Thanks, lauri > > > > On Monday 12 June 2000, > > our friend Margaret Votava spaketh thusly: > > From kreymer@fnal.gov Mon Jun 12 13:45:35 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA07014 for ; Mon, 12 Jun 2000 13:45:35 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200H011FY97@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 13:45:34 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200CI61FYCA@smtp.fnal.gov>; Mon, 12 Jun 2000 13:45:34 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000206B3@listserv.fnal.gov>; Mon, 12 Jun 2000 13:45:34 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27746 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 13:45:34 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000206B2@listserv.fnal.gov>; Mon, 12 Jun 2000 13:45:34 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JQIN7VW9X2000ID2@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 13:45:33 -0500 Date: Mon, 12 Jun 2000 13:45:33 -0500 From: Margaret Votava Subject: Re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: <39452FCD.ED73D119@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200006121824.NAA16911@fsui03.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 331 Hi, This is the same issue of where 
should I be when I run this stuff as root. I am on odsmev, and my filesystem
is on fndauk. I'm running as root on odsmev and the filesystem is not
imported with root access. So, the files in $KERBEROS_DIR/bin do not have
the setuid bit set, but the same files in /usr/krb5/bin do. Should
kcron-create be running out of /usr/krb5/bin or $KERBEROS_DIR/bin?

Anyway, if I do NOT have kerberos setup, it still fails.

odsmev.fnal.gov % ls -l /usr/krb5/bin/kcron-create
-rwsrwxr-x 1 root root 10148 May 24 10:28 /usr/krb5/bin/kcron-create

odsmev.fnal.gov(root) % ls -la /var/adm/krb5
total 8
drwx--s--x 2 root root 4096 Jun 12 13:43 .
drwx-----x 3 root g023 4096 Jun 12 12:01 ..
-rw------- 1 votava g023 0 Jun 12 13:43 T9ZLE2W_+dwC10PWQhN1bw

odsmev.fnal.gov % setup kerberos
odsmev.fnal.gov % ls -la $KERBEROS_DIR/bin/kcron-create
-rwxrwxr-x 1 votava g023 10148 May 24 10:28 /usr/products/Linux/kerberos/v0_6/bin/kcron-create

Margaret

"Laurelin of Middle Earth, 630-840-2214" wrote:
>
> kcroninit wants to write into /var/adm/krb5 -- but the
> $KERBEROS_DIR/bin/kcron-create image should be suid and able to
> create the files that it needs. Please check the ownership and
> permissions on
>
> $KERBEROS_DIR/bin/kcron-create
>
> and /usr/krb5/bin/kcron-create, should both be:
>
> -rwsr-xr-x 1 root root 14896 May 24 11:41 kcron-create
>
> Then if you could su to root and give me an output of
>
> ls -al /var/adm/krb5
>
> -- lauri
>
> On Monday 12 June 2000,
> our friend Margaret Votava spaketh thusly:
> >
> >
> > I can't do the ls commands. It looks like permissions on
> > /var/adm are funny? I didn't specifically change them - would
> > the installation scripts?
> >
> > odsmev.fnal.gov % ls -l /var
> > total 84
> > drwx-----x 3 root g023 4096 Jun 12 12:01 adm
> > drwxr-xr-x 2 root root 4096 Jan 26 02:08 arpwatch
> > drwxr-xr-x 2 root root 4096 Aug 23 1999 cache
> > drwxrwxr-x 14 root man 4096 Jan 26 02:14 catman
> > drwxr-xr-x 2 root root 4096 Jan 26 02:07 db
> > ...
> > > > [root@odsmev /var]# ls -l /var/adm > > total 4 > > drwx--s--x 2 root root 4096 Jun 12 12:01 krb5 > > > > It looks like kcroninit wants to write in this /var/adm/krb5. Should > > this directory be writable by everyone? > > > > ... > > Now transferring temporary keytab file contents... > > now doing copy: tempKeytabFile = >/tmp/6444/votava<, realKeytabFile = > > >/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw< > > ERROR transferring keytab file contents; ABORT. > > > > Thanks, > > Margaret > > > > "Laurelin of Middle Earth, 630-840-2214" wrote: > > > > > > Could you please do the following and send the output? Thanks, > > > lauri > > > > > > ls -al /var/adm/krb5/`kcron -f` > > > kcroninit -d > > > ls -al /var/adm/krb5/`kcron -f` > > > > > > (The "-d" on kcroninit should enable debugging, lots more output > > > that might help figure out what is happening). > > > > > > Thanks, lauri > > > > > > On Monday 12 June 2000, > > > our friend Margaret Votava spaketh thusly: > > > -- Margaret Votava votava@fnal.gov Computing Division/Experiment Online Support 630-840-2625 (office) Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Mon Jun 12 13:59:27 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA07026 for ; Mon, 12 Jun 2000 13:59:27 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200H01232OK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 13:59:26 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200BPF2321J@smtp.fnal.gov>; Mon, 12 Jun 2000 13:59:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000206DC@listserv.fnal.gov>; Mon, 12 Jun 2000 13:59:26 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) 
with spool id 27788 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 13:59:26 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000206DB@listserv.fnal.gov>; Mon, 12 Jun 2000 13:59:26 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200BNS2323O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 13:59:26 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id NAA18888; Mon, 12 Jun 2000 13:59:26 -0500 (CDT) Date: Mon, 12 Jun 2000 13:59:26 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200006121859.NAA18888@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 332

On Monday 12 June 2000,
our friend Margaret Votava spaketh thusly:
>
> Hi,
>
> This is the same issue of where should I be when I run
> this stuff as root. I am on odsmev, and my filesystem
> is on fndauk. I'm running as root on odsmev and the
> filesystem is not imported with root access.

Right, and the Official Answer is that you need to temporarily
export the file system so that you *can* write into it as root,
and then reconfigure when you're done with the installation.

> So, the
> files in $KERBEROS_DIR/bin do not have the setuid bit
> set, but the same files in /usr/krb5/bin do. Should
> kcron-create be running out of /usr/krb5/bin or
> $KERBEROS_DIR/bin?

It runs out of $KERBEROS_DIR/bin if kerberos is setup, out of
/usr/krb5/bin if it is NOT setup.

>
> Anyway, if I do NOT have kerberos setup, it still fails.

Same error?
Anyway, the kcron-create portion seems to have worked, because there
is in fact a 0-block file with the correct name and ownership sitting
in the /var/adm/krb5 directory. So the error is coming from someplace
else. I'm wondering if by chance the "+" in the filename is causing
some problems. Let me play around with some perl scripts and get back
to you on this...

-- lauri

>
> odsmev.fnal.gov % ls -l /usr/krb5/bin/kcron-create
> -rwsrwxr-x 1 root root 10148 May 24 10:28
> /usr/krb5/bin/kcron-create
>
> odsmev.fnal.gov(root) % ls -la /var/adm/krb5
> total 8
> drwx--s--x 2 root root 4096 Jun 12 13:43 .
> drwx-----x 3 root g023 4096 Jun 12 12:01 ..
> -rw------- 1 votava g023 0 Jun 12 13:43 T9ZLE2W_+dwC10PWQhN1bw
>
> odsmev.fnal.gov % setup kerberos
> odsmev.fnal.gov % ls -la $KERBEROS_DIR/bin/kcron-create
> -rwxrwxr-x 1 votava g023 10148 May 24 10:28
> /usr/products/Linux/kerberos/v0_6/bin/kcron-create
>
> Margaret
>
>
> "Laurelin of Middle Earth, 630-840-2214" wrote:
> >
> > kcroninit wants to write into /var/adm/krb5 -- but the
> > $KERBEROS_DIR/bin/kcron-create image should be suid and able to
> > create the files that it needs. Please check the ownership and
> > permissions on
> >
> > $KERBEROS_DIR/bin/kcron-create
> >
> > and /usr/krb5/bin/kcron-create, should both be:
> >
> > -rwsr-xr-x 1 root root 14896 May 24 11:41 kcron-create
> >
> > Then if you could su to root and give me an output of
> >
> > ls -al /var/adm/krb5
> >
> > -- lauri
> >
> > On Monday 12 June 2000,
> > our friend Margaret Votava spaketh thusly:
> > >
> > >
> > > I can't do the ls commands. It looks like permissions on
> > > /var/adm are funny? I didn't specifically change them - would
> > > the installation scripts?
> > > > > > odsmev.fnal.gov % ls -l /var > > > total 84 > > > drwx-----x 3 root g023 4096 Jun 12 12:01 adm > > > drwxr-xr-x 2 root root 4096 Jan 26 02:08 arpwatch > > > drwxr-xr-x 2 root root 4096 Aug 23 1999 cache > > > drwxrwxr-x 14 root man 4096 Jan 26 02:14 catman > > > drwxr-xr-x 2 root root 4096 Jan 26 02:07 db > > > ... > > > > > > [root@odsmev /var]# ls -l /var/adm > > > total 4 > > > drwx--s--x 2 root root 4096 Jun 12 12:01 krb5 > > > > > > It looks like kcroninit wants to write in this /var/adm/krb5. Should > > > this directory be writable by everyone? > > > > > > ... > > > Now transferring temporary keytab file contents... > > > now doing copy: tempKeytabFile = >/tmp/6444/votava<, realKeytabFile = > > > >/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw< > > > ERROR transferring keytab file contents; ABORT. > > > > > > Thanks, > > > Margaret > > > > > > "Laurelin of Middle Earth, 630-840-2214" wrote: > > > > > > > > Could you please do the following and send the output? Thanks, > > > > lauri > > > > > > > > ls -al /var/adm/krb5/`kcron -f` > > > > kcroninit -d > > > > ls -al /var/adm/krb5/`kcron -f` > > > > > > > > (The "-d" on kcroninit should enable debugging, lots more output > > > > that might help figure out what is happening). 
> > > > > > > > Thanks, lauri > > > > > > > > On Monday 12 June 2000, > > > > our friend Margaret Votava spaketh thusly: > > > > > > -- > Margaret Votava votava@fnal.gov > Computing Division/Experiment Online Support 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Mon Jun 12 14:48:41 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA07069 for ; Mon, 12 Jun 2000 14:48:41 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200J014D5PK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 14:48:41 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200CPE4D56D@smtp.fnal.gov>; Mon, 12 Jun 2000 14:48:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207A5@listserv.fnal.gov>; Mon, 12 Jun 2000 14:48:41 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28000 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 14:48:41 -0500 Received: from FNAL.FNAL.Gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207A4@listserv.fnal.gov>; Mon, 12 Jun 2000 14:48:41 -0500 Received: from fnal.gov ([131.225.84.114]) by FNAL.FNAL.GOV (PMDF V5.2-32 #36665) with ESMTP id <01JQIPF576C4000HYO@FNAL.FNAL.GOV> for KERBEROS-PILOT@listserv.fnal.gov (ORCPT rfc822;kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 14:48:40 -0500 Date: Mon, 12 Jun 2000 14:48:40 -0500 From: Margaret Votava Subject: Re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: lauri@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: <39453E98.9D499FF4@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.2.0f1 i686) Content-type: text/plain; 
charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200006121859.NAA18888@fsui03.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 333

"Laurelin of Middle Earth, 630-840-2214" wrote:
>
> On Monday 12 June 2000,
> our friend Margaret Votava spaketh thusly:
> >
> >
> > Hi,
> >
> > This is the same issue of where should I be when I run
> > this stuff as root. I am on odsmev, and my filesystem
> > is on fndauk. I'm running as root on odsmev and the
> > filesystem is not imported with root access.
>
> Right, and the Official Answer is that you need to temporarily
> export the file system so that you *can* write into it as root,
> and then reconfigure when you're done with the installation.

And I still think that this is an unacceptable solution. It's ok as
temporary during the pilot phase, but I think it is a really bad plan
for mass deployment. CDF should correct me if I'm wrong, but I believe
the CDF trailers have the same configuration we do - a central file
server serving several Linux PCs.

Right now it's not an issue for this particular product because it
still worked if the chmod and chowns failed in $KERBEROS_DIR/bin
because the binaries are copied to /usr/krb5/bin and modifications and
permission bits were set there. The average user does not setup
kerberos, and therefore gets his binaries from /usr/krb5.

>
> > So, the
> > files in $KERBEROS_DIR/bin do not have the setuid bit
> > set, but the same files in /usr/krb5/bin do. Should
> > kcron-create be running out of /usr/krb5/bin or
> > $KERBEROS_DIR/bin?
>
> It runs out of $KERBEROS_DIR/bin if kerberos is setup, out of
> /usr/krb5/bin if it is NOT setup.
>
> >
> > Anyway, if I do NOT have kerberos setup, it still fails.
>
> Same error?

yes - same error. it creates the file, but can't fill it:

Now transferring temporary keytab file contents...
now doing copy: tempKeytabFile = >/tmp/6679/votava<, realKeytabFile = >/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw< ERROR transferring keytab file contents; ABORT. cleaning up, removing >/tmp/6679< Thanks, Margaret From kreymer@fnal.gov Mon Jun 12 15:44:31 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA07104 for ; Mon, 12 Jun 2000 15:44:31 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200L016Y6QB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 15:44:30 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200L1C6Y1B0@smtp.fnal.gov>; Mon, 12 Jun 2000 15:44:29 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207E9@listserv.fnal.gov>; Mon, 12 Jun 2000 15:22:47 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28072 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 15:22:47 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207E8@listserv.fnal.gov>; Mon, 12 Jun 2000 15:22:47 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200K0N5XZGP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 15:22:47 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA21364; Mon, 12 Jun 2000 15:07:41 -0500 (CDT) Date: Mon, 12 Jun 2000 15:07:41 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: 
<200006122007.PAA21364@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 334

I just logged in to odsmev:

odsmev:~> setup kcroninit
odsmev:~> which kcron-create
/usr/krb5/bin/kcron-create
odsmev:~> kcroninit
...
Now adding principal lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
Transfer complete.
All done.
odsmev:~> ls -al /var/adm/krb5/`kcron -f`
-rw------- 1 lauri g150 75 Jun 12 14:57 /var/adm/krb5/aCkuL4SiQGTG8oDrZ0PSZw
odsmev:~> ls -al /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw
-rw------- 1 votava g023 0 Jun 12 13:43 /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw

Hmmm... so what's different between you and me on odsmev? I think we
use different login shells, but that would be a weird thing to cause
permission problems...

I can duplicate your errors *if* I setup kerberos (which is explainable
because of the permission problems). But if I only setup kcroninit, and
make sure that $KERBEROS_DIR is not set, then it works just fine for me
(both kcroninit and kcrondestroy).

What is different between our two accounts?

-- lauri

On Monday 12 June 2000,
our friend Margaret Votava spaketh thusly:
>
>
> odsmev.fnal.gov % unsetup kerberos
> odsmev.fnal.gov % ls -al /var/adm/krb5/`kcron -f`
> ls: /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw: Permission denied
> odsmev.fnal.gov %
> odsmev.fnal.gov % setup kerberos
> odsmev.fnal.gov % ls -al /var/adm/krb5/`kcron -f`
> ls: /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw: Permission denied
>
> you have an account on odsmev - it's part of the fndau*
> cluster ...
> > thanks, > me > > > > "Laurelin of Middle Earth, 630-840-2214" wrote: > > > > What happens when you: > > > > unsetup kerberos > > ls -al /var/adm/krb5/`kcron -f` > > > > setup kerberos > > ls -al /var/adm/krb5/`kcron -f` > > > > -- l. > > -- > Margaret Votava votava@fnal.gov > Computing Division/Experiment Online Support 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Mon Jun 12 15:44:33 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA07108 for ; Mon, 12 Jun 2000 15:44:33 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200L016Y7QH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 15:44:31 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200L1C6Y1B0@smtp.fnal.gov>; Mon, 12 Jun 2000 15:44:30 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207ED@listserv.fnal.gov>; Mon, 12 Jun 2000 15:23:17 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28076 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 15:23:17 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000207EC@listserv.fnal.gov>; Mon, 12 Jun 2000 15:23:17 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200K0P5YTGK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 15:23:17 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA15996; Mon, 12 Jun 2000 15:23:16 -0500 (CDT) Date: Mon, 12 Jun 2000 15:23:16 -0500 From: Matt Crawford Subject: Re: 
kcroninit in kerberos v0_6 In-reply-to: "12 Jun 2000 13:45:33 CDT." <39452FCD.ED73D119@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200006122023.PAA15996@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 335

Assuming that "votava" is a member of group "g023", the problem is
clear.

odsmev.fnal.gov(root) % ls -la /var/adm/krb5
total 8
drwx--s--x 2 root root 4096 Jun 12 13:43 .
drwx-----x 3 root g023 4096 Jun 12 12:01 ..
-rw------- 1 votava g023 0 Jun 12 13:43 T9ZLE2W_+dwC10PWQhN1bw

The unusual permissions on ".." (/var/adm) mean that all users
have "x" access *except* those in group g023. Suggestion: change to
mode 711.

A suggestion about Kerberos parts that should be setuid, but
generally aren't when they live in the products area: How about if
we build the tar file so that those binaries have mode 644 (no
execute permission) and have the installation script change it to
owner root and, only if that succeeds, to mode 4755 (-rwsr-xr-x)?
That should succeed on the file server and do no harm on the NFS
client nodes. And for those who have "setup kerberos", a
non-executable file earlier in the $path (csh) or $PATH (sh) does not
mask an executable file of the same name in a later directory.
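Matt's diagnosis above, worked through as an added example. This is editor-supplied Python, not anything from the thread or from the kerberos product: POSIX consults exactly one permission class per access (owner, else group, else other), so on a drwx-----x directory owned by root:g023 a member of g023 is judged by the empty group triple while everybody else gets the "x" in the other triple. The ls lines are the ones posted above; the uid/gid numbers, the mode of /var itself and the "want" bits are assumptions.

```python
import stat

# Constructed ids; the real uid/gid values on odsmev are not in the thread.
ROOT_UID = 0
VOTAVA_UID, LAURI_UID = 1001, 1002
ROOT_GID, G023_GID, G150_GID = 0, 23, 150

_TYPE_BITS = {"d": stat.S_IFDIR, "-": stat.S_IFREG, "l": stat.S_IFLNK}
_SPECIAL = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def parse_ls_mode(text):
    """Turn an ls -l mode column such as 'drwx--s--x' into an st_mode int."""
    if len(text) != 10:
        raise ValueError("ls mode string must be 10 characters")
    mode = _TYPE_BITS[text[0]]
    for i, ch in enumerate(text[1:]):
        cls, pos = divmod(i, 3)          # cls: 0 owner, 1 group, 2 other
        bit = 1 << (8 - i)               # 0o400 for owner r down to 0o001
        if pos == 2 and ch in "sStT":    # setuid/setgid/sticky share the x slot
            mode |= _SPECIAL[cls]
            if ch.islower():             # lower case means x is set as well
                mode |= bit
        elif ch != "-":
            mode |= bit
    return mode


def ls_mode_string(st_mode):
    """Inverse of parse_ls_mode, via the standard library."""
    return stat.filemode(st_mode)


def applicable_bits(st_mode, file_uid, file_gid, uid, groups):
    """The rwx triple (0-7) POSIX applies to this caller.

    Only one class is consulted: owner if the uid matches, else group if
    the file's gid is one of the caller's groups, else other. The classes
    do not accumulate, which is why the 'x' in the other triple of
    drwx-----x helps everyone except members of the owning group.
    """
    if uid == file_uid:
        return (st_mode >> 6) & 7
    if file_gid in groups:
        return (st_mode >> 3) & 7
    return st_mode & 7


def can_access(chain, uid, groups, want):
    """chain: (path, st_mode, uid, gid) tuples from the top directory down.

    Every directory on the way needs search permission (x); the final
    entry needs every bit in want (r=4, w=2, x=1). Root skips the
    discretionary checks, which is why 'ls -la' as root worked above.
    """
    if uid == ROOT_UID:
        return True
    *dirs, (_, mode, fuid, fgid) = chain
    for _, dmode, duid, dgid in dirs:
        if not applicable_bits(dmode, duid, dgid, uid, groups) & 1:
            return False
    return applicable_bits(mode, fuid, fgid, uid, groups) & want == want


# Layout posted in the thread; the /var entry itself is assumed to be 0755.
VAR = ("/var", stat.S_IFDIR | 0o755, ROOT_UID, ROOT_GID)
ADM_BROKEN = ("/var/adm", parse_ls_mode("drwx-----x"), ROOT_UID, G023_GID)
ADM_FIXED = ("/var/adm", stat.S_IFDIR | 0o711, ROOT_UID, G023_GID)  # Matt's 711
KRB5 = ("/var/adm/krb5", parse_ls_mode("drwx--s--x"), ROOT_UID, ROOT_GID)
VOTAVA_KEYTAB = ("/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw",
                 parse_ls_mode("-rw-------"), VOTAVA_UID, G023_GID)
LAURI_KEYTAB = ("/var/adm/krb5/aCkuL4SiQGTG8oDrZ0PSZw",
                parse_ls_mode("-rw-------"), LAURI_UID, G150_GID)


def votava_can_open_keytab(adm=ADM_BROKEN):
    """votava is in g023, so the group triple of /var/adm is the one used."""
    return can_access([VAR, adm, KRB5, VOTAVA_KEYTAB], VOTAVA_UID, {G023_GID}, 6)


def lauri_can_open_keytab(adm=ADM_BROKEN):
    """lauri is not in g023, so the other triple of /var/adm is the one used."""
    return can_access([VAR, adm, KRB5, LAURI_KEYTAB], LAURI_UID, {G150_GID}, 6)


def explain(adm):
    g023_bits = applicable_bits(adm[1], adm[2], adm[3], VOTAVA_UID, {G023_GID})
    return "%s %s: g023 member gets %o, everyone else gets %o" % (
        ls_mode_string(adm[1]), adm[0], g023_bits, adm[1] & 7)


if __name__ == "__main__":
    for adm in (ADM_BROKEN, ADM_FIXED):
        print(explain(adm), "-> votava:", votava_can_open_keytab(adm),
              "lauri:", lauri_can_open_keytab(adm))
```

The same check run against the fixed directory (0711) lets votava through, and lauri passes in both cases because the other triple has always carried the x bit; that matches the two runs reported on odsmev.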
From kreymer@fnal.gov Mon Jun 12 15:49:48 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA07130 for ; Mon, 12 Jun 2000 15:49:48 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200M0176Z3X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 15:49:47 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200L3476Z9W@smtp.fnal.gov>; Mon, 12 Jun 2000 15:49:47 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020853@listserv.fnal.gov>; Mon, 12 Jun 2000 15:49:47 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28186 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 15:49:47 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020852@listserv.fnal.gov>; Mon, 12 Jun 2000 15:49:47 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200L1S76YAY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 15:49:46 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA23332; Mon, 12 Jun 2000 15:49:47 -0500 (CDT) Date: Mon, 12 Jun 2000 15:49:47 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: Margaret Votava , lauri@fnal.gov, kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200006122049.PAA23332@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 336 Margaret, did you create 
this directory by hand, or modify it in any way? (Probably not, but
worth asking). We'll take a look at the kcron-create script to make
sure that it sets the correct permissions, etc. In the meantime, if you
fix the directory permissions things should work. The permissions
should be:

# ls -ald krb5
drwx--s--x 2 root root 512 May 30 09:52 krb5

-- l.

On Monday 12 June 2000,
our friend Matt Crawford spaketh thusly:
> Assuming that "votava" is a member of group "g023", the problem is
> clear.
>
> odsmev.fnal.gov(root) % ls -la /var/adm/krb5
> total 8
> drwx--s--x 2 root root 4096 Jun 12 13:43 .
> drwx-----x 3 root g023 4096 Jun 12 12:01 ..
> -rw------- 1 votava g023 0 Jun 12 13:43 T9ZLE2W_+dwC10PWQhN1bw
>
> The unusual permissions on ".." (/var/adm) mean that all users
> have "x" access *except* those in group g023. Suggestion: change to
> mode 711.
>
> A suggestion about Kerberos parts that should be setuid, but
> generally aren't when they live in the products area: How about if
> we build the tar file so that those binaries have mode 644 (no
> execute permission) and have the installation script change it to
> owner root and, only if that succeeds, to mode 4755 (-rwsr-xr-x)?
> That should succeed on the file server and do no harm on the NFS
> client nodes. And for those who have "setup kerberos", a
> non-executable file earlier in the $path (csh) or $PATH (sh) does not
> mask an executable file of the same name in a later directory.
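Matt's installation idea, quoted just above, as an added example. This is editor-supplied Python and not part of the kerberos product's own install scripts: land the helper non-executable (0644), hand it to root, and set 04755 only when that chown succeeded, so a client that does not map root ends up with a harmless 0644 copy instead of a setuid binary owned by the installing user. The second half shows the PATH point: a lookup that skips non-executable entries walks past the 0644 copy in $KERBEROS_DIR/bin and finds the usable one in /usr/krb5/bin. The directory names, the stand-in helper content, and the simplified executable check (owner x bit only, since the demo owns the files it creates; a real shell asks access(2)) are assumptions.

```python
import os
import stat
import tempfile

# Constructed stand-in for the kcron-create image; the real binary is not on the page.
FAKE_HELPER = b"#!/bin/sh\necho kcron-create\n"


def install_setuid_helper(content, dest):
    """Install a helper the way Matt proposes.

    Write it 0644 (not executable), try to give it to root, and only if
    that worked raise it to 04755. On the file server (run as root) both
    steps succeed; on an NFS client without root mapping the chown fails
    and the file stays a 0644 copy nobody can run. Returns 'setuid' or
    'unprivileged'.
    """
    with open(dest, "wb") as f:
        f.write(content)
    os.chmod(dest, 0o644)
    try:
        os.chown(dest, 0, 0)
    except OSError:                  # EPERM on an unprivileged client
        return "unprivileged"
    os.chmod(dest, 0o4755)
    return "setuid"


def install_demo():
    """Run the install in a temp dir; report (outcome, owner uid, mode bits)."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "kcron-create")
        outcome = install_setuid_helper(FAKE_HELPER, dest)
        st = os.stat(dest)
        return outcome, st.st_uid, stat.S_IMODE(st.st_mode)


def first_executable(name, dirs):
    """Walk dirs in PATH order and return the first executable regular file.

    Like the shell, a non-executable entry is skipped, not treated as a
    hit, so a 0644 copy early in PATH does not mask a 0755 copy later.
    Simplification: only the owner x bit is consulted (the demo owns the
    files); a real shell would ask access(2).
    """
    for d in dirs:
        p = os.path.join(d, name)
        try:
            st = os.stat(p)
        except OSError:
            continue
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IXUSR:
            return p
    return None


def path_masking_demo():
    """$KERBEROS_DIR/bin (first in PATH) holds the 0644 copy the client-side
    install could not make setuid; /usr/krb5/bin holds the usable one.
    Returns the basename of the directory the lookup picked."""
    with tempfile.TemporaryDirectory() as tmp:
        kerberos_dir_bin = os.path.join(tmp, "kerberos_dir_bin")
        usr_krb5_bin = os.path.join(tmp, "usr_krb5_bin")
        for d, mode in ((kerberos_dir_bin, 0o644), (usr_krb5_bin, 0o755)):
            os.makedirs(d)
            p = os.path.join(d, "kcron-create")
            with open(p, "wb") as f:
                f.write(FAKE_HELPER)
            os.chmod(p, mode)
        found = first_executable("kcron-create", [kerberos_dir_bin, usr_krb5_bin])
        return os.path.basename(os.path.dirname(found)) if found else None


if __name__ == "__main__":
    print("install:", install_demo())
    print("PATH picked:", path_masking_demo())
```

Run as an ordinary user the install reports "unprivileged" with mode 0644; run as root it reports "setuid" with owner 0 and mode 04755. In neither case does a setuid bit end up on a file owned by a non-root user, which is the failure the 0644-first ordering prevents.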
From kreymer@fnal.gov Mon Jun 12 18:35:18 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id SAA07323 for ; Mon, 12 Jun 2000 18:35:17 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW200401EUPYU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Jun 2000 18:35:14 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW20041QETE0C@smtp.fnal.gov>; Mon, 12 Jun 2000 18:34:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020A73@listserv.fnal.gov>; Mon, 12 Jun 2000 18:30:38 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28760 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Jun 2000 18:30:38 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020A5C@listserv.fnal.gov>; Mon, 12 Jun 2000 18:30:37 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW200K0558T8A@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Jun 2000 15:07:41 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id PAA21364; Mon, 12 Jun 2000 15:07:41 -0500 (CDT) Date: Mon, 12 Jun 2000 15:07:41 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200006122007.PAA21364@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 337 I just logged in to odsmev: odsmev:~> setup kcroninit 
odsmev:~> which kcron-create /usr/krb5/bin/kcron-create odsmev:~> kcroninit ... Now adding principal lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV... add_principal: Principal or policy already exists while creating "lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV". Now creating empty keytab file for lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV... Now writing temporary keytab for lauri/cron/odsmev.fnal.gov@PILOT.FNAL.GOV... Temporary keytab created. Now transferring temporary keytab file contents... Transfer complete. All done. odsmev:~> ls -al /var/adm/krb5/`kcron -f` -rw------- 1 lauri g150 75 Jun 12 14:57 /var/adm/krb5/aCkuL4SiQGTG8oDrZ0PSZw odsmev:~> ls -al /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw -rw------- 1 votava g023 0 Jun 12 13:43 /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw Hmmm... so what's different between you and me on odsmev? I think we use different login shells, but that would be a weird thing to cause permission problems... I can duplicate your errors *if* I setup kerberos (which is explainable because of the permission problems). But if I only setup kcroninit, and make sure that $KERBEROS_DIR is not set, then it works just fine for me (both kcroninit and kcrondestroy). What is different between our two accounts? -- lauri On Monday 12 June 2000, our friend Margaret Votava spaketh thusly: > > > odsmev.fnal.gov % unsetup kerberos > odsmev.fnal.gov % ls -al /var/adm/krb5/`kcron -f` > ls: /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw: Permission denied > odsmev.fnal.gov % > odsmev.fnal.gov % setup kerberos > odsmev.fnal.gov % ls -al /var/adm/krb5/`kcron -f` > ls: /var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw: Permission denied > > you have an account on odsmev - it's part of the fndau* > cluster ... > > thanks, > me > > > > "Laurelin of Middle Earth, 630-840-2214" wrote: > > > > What happens when you: > > > > unsetup kerberos > > ls -al /var/adm/krb5/`kcron -f` > > > > setup kerberos > > ls -al /var/adm/krb5/`kcron -f` > > > > -- l. 
> > -- > Margaret Votava votava@fnal.gov > Computing Division/Experiment Online Support 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Tue Jun 13 03:11:45 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id DAA21425 for ; Tue, 13 Jun 2000 03:11:44 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW300C012RJ0N@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 13 Jun 2000 03:11:44 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW3007F92RJG0@smtp.fnal.gov>; Tue, 13 Jun 2000 03:11:43 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020C71@listserv.fnal.gov>; Tue, 13 Jun 2000 03:11:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29308 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 13 Jun 2000 03:11:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020C70@listserv.fnal.gov>; Tue, 13 Jun 2000 03:11:43 -0500 Received: from mail.physics.ox.ac.uk ([163.1.244.140]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW3007EH2RIG5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 13 Jun 2000 03:11:43 -0500 (CDT) Received: from ppnt41.physics.ox.ac.uk ([163.1.244.27]) by mail.physics.ox.ac.uk with esmtp (Exim 3.13 #5) id 131lnS-0002Rc-00; Tue, 13 Jun 2000 09:11:42 +0100 Received: by ppnt41.physics.ox.ac.uk with Internet Mail Service (5.5.2650.21) id ; Tue, 13 Jun 2000 09:12:00 +0100 Date: Tue, 13 Jun 2000 09:11:58 +0100 From: Armin Reichold Subject: RE: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'Margaret Votava'" , lauri@fnal.gov 
Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.2650.21) Content-type: text/plain; charset=iso-8859-1 Status: RO X-Status: X-Keywords: X-UID: 338

My five cents, may I slightly agree with Margaret? The trailers are set
up the same way, no su export of centrally served disks and much more
so, if your machine is under the trailer computing group's
administration, also no root access for the owner of the machine.
Meaning that it has to be the central team that deals with this.

cheers Armin

*************************************************
* Dr. Armin Reichold | private: *
* Research Officer | 17 Frys Hill *
* University of Oxford | Oxford *
* Particle & Nuclear Phys. Lab. | OX4 7GW *
* 1 Keble Road | UK *
* Oxford OX1 3RH *
* UK *
* Room 612 *
* *
* Tel. : +44-(0)1865-273358...(office) *
* Tel. : +44-(0)1865-434856...(private) *
* Mobile: +44-(0)7930-431102...(emergency only) *
* Fax. : +44-(0)1865-273418...(office) *
* E-Mail: a.reichold1@physics.ox.ac.uk *
* Netmeeting: ppnt67.physics.ox.ac.uk (business)*
* ---//--- Dir. Server: webnt.physics.ox.ac.uk *
*************************************************

-----Original Message-----
From: Margaret Votava [mailto:votava@fnal.gov]
Sent: Monday, June 12, 2000 8:49 PM
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov
Subject: Re: kcroninit in kerberos v0_6

"Laurelin of Middle Earth, 630-840-2214" wrote:
>
> On Monday 12 June 2000,
> our friend Margaret Votava spaketh thusly:
> >
> >
> > Hi,
> >
> > This is the same issue of where should I be when I run
> > this stuff as root. I am on odsmev, and my filesystem
> > is on fndauk. I'm running as root on odsmev and the
> > filesystem is not imported with root access.
>
> Right, and the Official Answer is that you need to temporarily
> export the file system so that you *can* write into it as root,
> and then reconfigure when you're done with the installation.

And I still think that this is an unacceptable solution.
It's ok as temporary during the pilot phase, but I think it is a
really bad plan for mass deployment. CDF should correct me if I'm
wrong, but I believe the CDF trailers have the same configuration we
do - a central file server serving several Linux PCs.

Right now it's not an issue for this particular product because it
still worked if the chmod and chowns failed in $KERBEROS_DIR/bin
because the binaries are copied to /usr/krb5/bin and modifications and
permission bits were set there. The average user does not setup
kerberos, and therefore gets his binaries from /usr/krb5.

>
> > So, the
> > files in $KERBEROS_DIR/bin do not have the setuid bit
> > set, but the same files in /usr/krb5/bin do. Should
> > kcron-create be running out of /usr/krb5/bin or
> > $KERBEROS_DIR/bin?
>
> It runs out of $KERBEROS_DIR/bin if kerberos is setup, out of
> /usr/krb5/bin if it is NOT setup.
>
> >
> > Anyway, if I do NOT have kerberos setup, it still fails.
>
> Same error?

yes - same error. it creates the file, but can't fill it:

Now transferring temporary keytab file contents...
now doing copy: tempKeytabFile = >/tmp/6679/votava<, realKeytabFile =
>/var/adm/krb5/T9ZLE2W_+dwC10PWQhN1bw<
ERROR transferring keytab file contents; ABORT.
cleaning up, removing >/tmp/6679< Thanks, Margaret From kreymer@fnal.gov Tue Jun 13 08:53:05 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA27089 for ; Tue, 13 Jun 2000 08:53:04 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW300I01IJ88U@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 13 Jun 2000 08:52:23 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW300F8ZIFWVT@smtp.fnal.gov>; Tue, 13 Jun 2000 08:50:20 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020E02@listserv.fnal.gov>; Tue, 13 Jun 2000 08:50:20 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29726 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 13 Jun 2000 08:50:20 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00020E01@listserv.fnal.gov>; Tue, 13 Jun 2000 08:50:20 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW300FA0IFVIS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 13 Jun 2000 08:50:19 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id IAA09511; Tue, 13 Jun 2000 08:50:20 -0500 (CDT) Date: Tue, 13 Jun 2000 08:50:20 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: kcroninit in kerberos v0_6 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Margaret Votava Cc: lauri@fnal.gov, Matt Crawford , kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200006131350.IAA09511@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: 
X-Keywords:
X-UID: 339

We'll look at the kcron-create process to make sure it is fixed to correct these permissions. NOTE, it should be rwx--s--x not rwx--x--x (needs to inherit the group of the person calling kcron-create, hence the "s").

-- lauri

On Monday 12 June 2000,
our friend Margaret Votava spaketh thusly:
>
> Hi,
>
> To the best of my recollection, I didn't create or modify
> permission on /var/adm. After changing the permissions to
> rwx--x--x, everything works
> fine - yeah! First time I've run cron jobs successfully
> in weeks.
>
> Matt's suggestion about file permissions on the server vs
> local machines works for me.
>
> Thanks,
> Margaret
>
>
> "Laurelin of Middle Earth, 630-840-2214" wrote:
> >
> > Margaret, did you create this directory by hand, or modify it in any
> > way? (Probably not, but worth asking). We'll take a look at the
> > kcron-create script to make sure that it sets the correct
> > permissions, etc. In the meantime, if you fix the directory
> > permissions things should work. The permissions should be:
> > # ls -ald krb5
> > drwx--s--x 2 root root 512 May 30 09:52 krb5
> >
> > -- l.
> >
> > On Monday 12 June 2000,
> > our friend Matt Crawford spaketh thusly:
> >
> > > Assuming that "votava" is a member of group "g023", the problem is
> > > clear.
> > >
> > > odsmev.fnal.gov(root) % ls -la /var/adm/krb5
> > > total 8
> > > drwx--s--x 2 root root 4096 Jun 12 13:43 .
> > > drwx-----x 3 root g023 4096 Jun 12 12:01 ..
> > > -rw------- 1 votava g023 0 Jun 12 13:43 T9ZLE2W_+dwC10PWQhN1bw
> > >
> > > The unusual permissions on ".." (/var/adm) mean that all users
> > > have "x" access *except* those in group g023. Suggestion: change to
> > > mode 711.
> > >
> > > A suggestion about Kerberos parts that should be setuid, but
> > > generally aren't when they live in the products area: How about if
> > > we build the tar file so that those binaries have mode 644 (no
> > > execute permission) and have the installation script change it to
> > > owner root and, only if that succeeds, to mode 4755 (-rwsr-xr-x)?
> > > That should succeed on the file server and do no harm on the NFS
> > > client nodes. And for those who have "setup kerberos", a
> > > non-executable file earlier in the $path (csh) or $PATH (sh) does not
> > > mask an executable file of the same name in a later directory.
>
> --
> Margaret Votava votava@fnal.gov
> Computing Division/Experiment Online Support 630-840-2625 (office)
> Fermi National Accelerator Laboratory 630-840-6345 (fax)

From kreymer@fnal.gov Tue Jun 13 15:27:21 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA30217 for ; Tue, 13 Jun 2000 15:27:21 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW400B010TLI8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 13 Jun 2000 15:27:21 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW4006FP0TKH1@smtp.fnal.gov>; Tue, 13 Jun 2000 15:27:20 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000214C3@listserv.fnal.gov>; Tue, 13 Jun 2000 15:27:21 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 31542 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 13 Jun 2000 15:27:21 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000214C2@listserv.fnal.gov>; Tue, 13 Jun 2000 15:27:20 -0500
Received: from zeno.physics.lsa.umich.edu ([141.211.101.161]) by
 smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW4006I40TKH7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 13 Jun 2000 15:27:20 -0500 (CDT)
Received: from localhost (gerdes@localhost) by zeno.physics.lsa.umich.edu (8.8.7/8.8.7) with ESMTP id QAA18778 for ; Tue, 13 Jun 2000 16:27:20 -0400
Date: Tue, 13 Jun 2000 16:27:20 -0400 (EDT)
From: David Gerdes
Subject: authenticating to off-site machine
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender: gerdes@zeno.physics.lsa.umich.edu
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: zeno.physics.lsa.umich.edu: gerdes owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 340

Hi,

I just tried adding host and ftp keys to my off-site workstation, zeno.physics.lsa.umich.edu, after getting the passwords from Yolanda:

[gerdes@zeno gerdes]# kadmin -p host/zeno.physics.lsa.umich.edu
Authenticating as principal host/zeno.physics.lsa.umich.edu with password.
Enter password:
kadmin: ktadd host/zeno.physics.lsa.umich.edu
Entry for principal host/zeno.physics.lsa.umich.edu with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: exit
[gerdes@zeno gerdes]# kadmin -p ftp/zeno.physics.lsa.umich.edu
Authenticating as principal ftp/zeno.physics.lsa.umich.edu with password.
Enter password:
Enter password:
kadmin: ktadd ftp/zeno.physics.lsa.umich.edu
Entry for principal ftp/zeno.physics.lsa.umich.edu with kvno 2, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/etc/krb5.keytab.
kadmin: exit

So all seems well. Then I tried to rlogin to this host from fcdfsgi2 after doing kinit:

> rlogin zeno.physics.lsa.umich.edu
rlogin: kcmd to host zeno.physics.lsa.umich.edu failed - Server not found in Kerberos database
trying normal rlogin (/usr/bsd/rlogin)
WARNING: NO ENCRYPTION!

And my local syslog reads:

Jun 13 16:22:30 zeno klogind[18482]: Authentication failed from 131.225.240.129 (fcdfsgi2.fnal.gov): Software caused connection abort
Jun 13 16:22:30 zeno klogind[18482]: Kerberos authentication failed

Does some additional configuration need to be done on the FNAL end, or am I doing something wrong?

Regards,
David Gerdes

--------------------------------------
David Gerdes, University of Michigan
(734) 647-3807 / (734) 936-1817 FAX
gerdes@umich.edu
http://umaxp1.physics.lsa.umich.edu/~gerdes/

From kreymer@fnal.gov Tue Jun 13 17:01:44 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA30895 for ; Tue, 13 Jun 2000 17:01:44 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW400F0156V4U@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 13 Jun 2000 17:01:43 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW4006S656VH1@smtp.fnal.gov>; Tue, 13 Jun 2000 17:01:43 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002160A@listserv.fnal.gov>; Tue, 13 Jun 2000 17:01:44 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 31892 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 13 Jun 2000 17:01:43 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00021609@listserv.fnal.gov>; Tue, 13 Jun 2000 17:01:43 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW4006RV56VGY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 13 Jun 2000 17:01:43 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA23691; Tue, 13 Jun 2000 17:01:41 -0500 (CDT)
Date: Tue, 13 Jun 2000 17:01:41 -0500
From: Matt Crawford
Subject: Re: authenticating to off-site machine
In-reply-to: "13 Jun 2000 16:27:20 EDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: David Gerdes
Cc: kerberos-pilot@fnal.gov
Message-id: <200006132201.RAA23691@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 341

The trouble seems to be that the Kerberos application (rlogin) doesn't know that the target host is in realm PILOT.FNAL.GOV. It tries to cross-realm authenticate to PHYSICS.LSA.UMICH.EDU (which it can't do, since there's no configured trust relation -- and that realm may not even exist), then LSA.UMICH.EDU, UMICH.EDU, EDU, GOV and FNAL.GOV.

Specifying the realm of the target system works:

% rlogin -k PILOT.FNAL.GOV zeno.physics.lsa.umich.edu
klogind: User crawdad@PILOT.FNAL.GOV is not authorized to login to account crawdad.

As would adding your host or domain name to the [domain_realm] section of /etc/krb5.conf on fcdfsgi2 and any other machines you use here.

[domain_realm]
.fnal.gov = PILOT.FNAL.GOV
.physics.lsa.umich.edu = PILOT.FNAL.GOV

For *some* applications you can copy the entire /etc/krb5.conf to a file of your own, then edit in this line and set an environment variable KRB5_CONFIG to the name of your file. But other applications demand a "secure" config file and won't honor your setting. Rlogin will honor it, but what a headache for you to maintain it if other changes are made.

I think we may have to periodically check the list of "host" principals in our realm and add them to the krb5.conf template file we maintain. We'd also have to inform users such as yourself that until their "home" domain or host appears in krb5.conf, to use a command-line flag to specify the realm when connecting back homeward.
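The host-to-realm lookup Matt describes, as an added example (Python; this is neither code from the kerberos-pilot list nor MIT krb5's own implementation): a krb5.conf fragment with the [domain_realm] entries he proposes is parsed, and a host name is matched against it the way the library does, exact host first, then each parent domain with a leading dot. When nothing matches, the function returns the first DNS-derived guess (the upper-cased parent domain, PHYSICS.LSA.UMICH.EDU for zeno), which is why rlogin without the mapping went looking for a realm that does not exist. The krb5.conf text is constructed for the demo, not the FNAL template.

```python
import re

# Constructed sample krb5.conf fragment with the [domain_realm] entries
# Matt suggests; not the real FNAL template file.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = PILOT.FNAL.GOV

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
    fnal.gov = PILOT.FNAL.GOV
    .physics.lsa.umich.edu = PILOT.FNAL.GOV
"""


def parse_domain_realm(conf_text):
    """Return {key: REALM} for the [domain_realm] section of a krb5.conf.

    Keys are lower-cased; a leading dot marks a domain entry, no dot an
    exact host entry.  Comments (#) and other sections are ignored.
    """
    mapping = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def candidates(hostname):
    """Keys tried in order: the exact host, then each parent domain with a
    leading dot (zeno.physics.lsa.umich.edu, .physics.lsa.umich.edu,
    .lsa.umich.edu, .umich.edu, .edu)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    yield host
    for i in range(1, len(labels)):
        yield "." + ".".join(labels[i:])


def realm_for_host(hostname, mapping):
    """Return (realm, source).

    source is "domain_realm" when a configured entry matched.  With no
    entry the client is left guessing from DNS; the first guess is the
    upper-cased parent domain (PHYSICS.LSA.UMICH.EDU for zeno, the realm
    Matt saw rlogin try first), and that case returns "dns-guess".
    """
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key], "domain_realm"
    labels = hostname.lower().rstrip(".").split(".")
    guess = ".".join(labels[1:]).upper() if len(labels) > 1 else ""
    return guess, "dns-guess"


if __name__ == "__main__":
    table = parse_domain_realm(SAMPLE_KRB5_CONF)
    for host in ("zeno.physics.lsa.umich.edu", "fcdfsgi2.fnal.gov",
                 "somewhere.example.org"):
        print(host, "->", realm_for_host(host, table))
```

Running the script prints PILOT.FNAL.GOV from the configured mapping for the first two hosts and a "dns-guess" of EXAMPLE.ORG for the third, the situation an off-site user is in until their domain is added to the template.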
Matt

From kreymer@fnal.gov Fri Jun 16 14:55:12 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA06286 for ; Fri, 16 Jun 2000 14:55:12 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FW900001JC07A@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 16 Jun 2000 14:55:12 -0500 (CDT)
Received: from theory.hep.anl.gov ([146.139.180.65]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FW900GMVJC0IL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 16 Jun 2000 14:55:12 -0500 (CDT)
Received: from localhost (kovacs@localhost) by theory.hep.anl.gov (8.9.3/8.9.3) with ESMTP id OAA11359 for ; Fri, 16 Jun 2000 14:55:11 -0500
Date: Fri, 16 Jun 2000 14:55:11 -0500 (CDT)
From: "Eve V. E. Kovacs"
Subject: Re: [Fwd: afs] (fwd)
To: kreymer@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: theory.hep.anl.gov: kovacs owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 342

***************************************************************
Eve Kovacs
Argonne National Laboratory,
Room E253, Bldg. 362, HEP
9700 S. Cass Ave.
Argonne, IL 60439 USA
Phone: (630)-252-6208
Fax: (630)-252-5047
email: kovacs@anl.gov
***************************************************************

---------- Forwarded message ----------
Date: Fri, 16 Jun 2000 08:28:38 -0500
From: Douglas E. Engert
To: Eve V. E. Kovacs
Cc: "Peter J. Bertoncini "
Subject: Re: [Fwd: afs]

"Eve V. E. Kovacs" wrote:
>
> Hi Doug,
>
> I really do think we have krb5 (see my message to Pete, that I cc'ed to
> you). I do indeed have the anl cell listed in
> the CellServDB:
> atlas.hep.anl.gov:14>grep anl /etc/arla/CellServDB
> >anl.gov # Argonne National Laboratory
> 146.137.162.88 #agamemnon.ctd.anl.gov
> 146.137.96.33 #arteus.ctd.anl.gov
> 146.137.194.80 #antenor.ctd.anl.gov
>
> So that is not the problem. I copied the krb5.conf as Pete suggested.
> However, since I don't have a krb5/dce account, I can't try it. Could I
> get an account? Whom do I contact?

http://www.anl.gov/ECT/accserv/

>
> I also wanted to try your ak5log. I looked in
> /afs/anl.gov/appl/krb5/i386_linux22/krb5/bin/, which is where you pointed
> me. (Well the appl was missing below, but I assume that was a typo)
>
> There was no ak5log in this directory. Am I in the wrong place?

Sorry, it's in sbin. And you will need the k5/dce account first.

>
> Thanks for your help.
>
> Eve
>
> On Wed, 14 Jun 2000, Douglas E. Engert wrote:
>
> > Date: Wed, 14 Jun 2000 12:30:01 -0500
> > From: Douglas E. Engert
> > To: "Peter J. Bertoncini "
> > Cc: kovacs@hep.anl.gov
> > Subject: Re: [Fwd: afs]
> >
> > Let me add some comments see below.
> >
> > "Peter J. Bertoncini " wrote:
> > >
> > > Eve, the krb5.conf file for the ANL cell is in the AFS directory:
> > >
> > > /afs/anl/appl/krb5
> > >
> > > I have successfully installed and used the Kerberos 5 package which comes with
> > > RedHat 6.2. It works well.
> > >
> > > However, in order for your users to authenticate to the ANL Kerberos 5 cell,
> > > they have to be registered in the ANL Kerberos 5/DCE cell. Most of them are
> > > probably not registered in our cell.
> > >
> > > What version of Arla did you install? Did you build it, or are you using a
> > > pre-built version?
> > >
> > > The version of Arla we have been using doesn't use Kerberos 5 authentication.
> > >
> > > >Date: Wed, 14 Jun 2000 09:43:24 -0500
> > > >From: "Douglas E. Engert"
> > > >X-Accept-Language: en
> > > >MIME-Version: 1.0
> > > >To: "Peter J. Bertoncini"
> > > >Subject: [Fwd: afs]
> > > >Content-Transfer-Encoding: 7bit
> > > >
> > > >"Eve V. E. Kovacs" wrote:
> > > >>
> > > >> Hi Peter,
> > > >>
> > > >> We have upgraded some of our systems to redhat 6.2, running the 2.2.14-12
> > > >> kernel. I was able to find a version of arla (free afs) that works with
> > > >> this kernel, and it is now installed and running.
> > > >>
> > > >> The problem I have is that it uses kerberos 5 for authentication, and I
> > > >> don't know how to configure the krb5.conf file so that I can get access
> > > >> to the ANL cell. For example, when I try to do a klog I get the error:
> > > >>
> > > >> atlas.hep.anl.gov:7>klog kovacs@ANL.GOV
> > > >> klog: Can't find any db server for cell ANL.GOV
> > > >>
> >
> > As far as I can tell, ARLA is using the Kerberos 5 compatibility mods, for K4
> > so when you say ARLA is using K5, it is really using K4. The klog command does
> > not need a kinit, as it is built in. I suspect that the problem is that the
> > ANL afs cell is not listed in the ARLA CellServDB file.
> >
> > We have at ANL a way to use the K5 dce.anl.gov cell to get tickets for the
> > anl.gov AFS cell. It's called ak5log.
> > It's located in the /afs/anl.gov/krb5/@sys/krb5/bin/ak5log. This was built
> > for RedHat 6.1 but should run on 6.2.
> >
> > > >> I need to add the information for the anl realm.
> > > >> Can you point me to a place that has this?
> > > >>
> > > >> However, there may be a bigger problem. Judging from an old message of
> > > >> yours below, I can't use kerberos 5 to get authentication to access the
> > > >> anl.gov cell because the DCE/Kerberos 5 cell has nothing to do with the
> > > >> afs area.
> >
> > As I said, we can use ak5log to get AFS tokens using the dce.anl.gov
> >
> > > >> Is this true? If so, what are the prospects for adding krb5 authentication
> > > >> for access to anl.gov in the near future? We need to do kernel upgrades
> > > >> which will mean that the continued use of kerberos 4 is impossible.
> > > >>
> > > >> Thanks,
> > > >>
> > > >> Eve
> > > >>
> > > >> > As far as Kerberos 5 and AFS, they are separate issues. We use Kerberos 5 for
> > > >> > remote encrypted access to our systems, which are each registered in the ANL
> > > >> > DCE/Kerberos 5 cell.
> > > >> >
> > > >> > AFS uses Kerberos 4 for authentication, and that won't change if you move from
> > > >> > ARLA to Transarc's AFS until Transarc implements Kerberos 5 as the AFS
> > > >> > authentication mechanism.
> > > >> >
> > > >> > ----------------------
> > > >>
> > > >
> > > >--
> > > >
> > > > Douglas E. Engert
> > > > Argonne National Laboratory
> > > > 9700 South Cass Avenue
> > > > Argonne, Illinois 60439
> > > > (630) 252-5444
> >
> > --
> >
> > Douglas E. Engert
> > Argonne National Laboratory
> > 9700 South Cass Avenue
> > Argonne, Illinois 60439
> > (630) 252-5444
>
> ***************************************************************
> Eve Kovacs
> Argonne National Laboratory,
> Room E253, Bldg. 362, HEP
> 9700 S. Cass Ave.
> Argonne, IL 60439 USA
> Phone: (630)-252-6208
> Fax: (630)-252-5047
> email: kovacs@anl.gov
> ***************************************************************

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From kreymer@fnal.gov Tue Jun 20 17:10:46 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id RAA28734 for ; Tue, 20 Jun 2000 17:10:46 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWH0050149XD4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Jun 2000 17:10:45 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWH00LO149XME@smtp.fnal.gov>; Tue, 20 Jun 2000 17:10:45 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025739@listserv.fnal.gov>; Tue, 20 Jun 2000 17:10:45 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 49642 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Jun 2000 17:10:45 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025738@listserv.fnal.gov>; Tue, 20 Jun 2000 17:10:45 -0500
Received: from nascar.fnal.gov ([131.225.80.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWH00MNJ49W3V@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Jun 2000 17:10:44 -0500 (CDT)
Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id RAA02535 for ; Tue, 20 Jun 2000 17:10:43 -0500 (CDT)
Date: Tue, 20 Jun 2000 17:10:43 -0500
From: stan@fnal.gov
Subject: bldlinux61
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200006202210.RAA02535@nascar.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 343

I can't login via the console server as root to work on bldlinux61. I thought the k5 stuff was only there for sessions other than the real system console. Or is this a pam file issue?

Stan.

From kreymer@fnal.gov Wed Jun 21 08:45:02 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA30263 for ; Wed, 21 Jun 2000 08:45:01 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWI00K01BIZ2O@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Jun 2000 08:44:59 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00DLHBIZSB@smtp.fnal.gov>; Wed, 21 Jun 2000 08:44:59 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025CE3@listserv.fnal.gov>; Wed, 21 Jun 2000 08:45:00 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 51111 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Jun 2000 08:45:00 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025CE2@listserv.fnal.gov>; Wed, 21 Jun 2000 08:44:59 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00FCXBIZTJ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Jun 2000 08:44:59 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA19904; Wed, 21 Jun 2000 08:44:58 -0500 (CDT)
Date: Wed, 21 Jun 2000 08:44:58 -0500
From: Matt Crawford
Subject: Re: bldlinux61
In-reply-to: "20 Jun 2000 17:10:43 CDT." <200006202210.RAA02535@nascar.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: stan@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200006211344.IAA19904@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 344

The login program has been replaced with the Kerberos login program (except on IRIX where it would be a no-op to do so). This lets you log in as a "mortal" user at the console and acquire Kerberos credentials in the process, or as root with a local password. I don't know what anyone may have done with PAMs on that system, but it shouldn't matter in this case.

I see that /etc/shadow is 9 months old. Did you have the right root password? Did you get any message other than "login incorrect"? What time was it? Sorry I can't deduce more myself, but the log files are readable only by root there.

From kreymer@fnal.gov Wed Jun 21 08:55:46 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA30299 for ; Wed, 21 Jun 2000 08:55:46 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWI00K01C0XJG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Jun 2000 08:55:45 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00EFRC0XJS@smtp.fnal.gov>; Wed, 21 Jun 2000 08:55:45 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025D0D@listserv.fn al.gov>; Wed, 21 Jun 2000 08:55:46 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 51157 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Jun 2000 08:55:46 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025D0C@listserv.fnal.gov>; Wed, 21 Jun 2000 08:55:46 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00DNDC0XSB@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Jun 2000 08:55:45 -0500 (CDT)
Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.9.3/8.9.3) with SMTP id IAA11269; Wed, 21 Jun 2000 08:55:44 -0500 (CDT)
Date: Wed, 21 Jun 2000 08:55:44 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: bldlinux61
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: stan@fnal.gov
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200006211355.IAA11269@fsui03.fnal.gov>
X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 345

Or, the other possibility: the root password on bldlinux61 is different than the rest of the build cluster. bldlinux61 for some reason has a local password file; the password for the "products" account (and the $HOME area for the products account) are different than on the rest of the cluster.

I have added you to the .k5login file on bldlinux61 (and to the other nodes of the build cluster, namely: bldirix62 bldirix65 bldlinux52 bldosf1v40d ossbud bldsunos26 bldsunos27) so that if you are authenticated on any node, you can ksu to get into the root account.

-- lauri

On Tuesday 20 June 2000,
our friend stan@fnal.gov spaketh thusly:
> I can't login via the console server as root to work on bldlinux61. I thought
> the the k5 stuff was only there for sessions other that the real system
> console. Or is this a pam file issue.
> Stan.
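Every line in root's .k5login is a grant of root to whoever holds that principal, so a file like the one Lauri is now maintaining across the build cluster is worth auditing. The following is an added example (Python; not code from the kerberos-pilot list or from MIT krb5): it parses a .k5login, accepts only well-formed principals in the site's own realm, and applies an ownership and mode policy to the file. The realm name, the sample file contents and the "owned by root, not group/world writable" rule are this example's own assumptions, not a requirement taken from MIT's documentation.

```python
import re
import stat

SITE_REALM = "PILOT.FNAL.GOV"          # assumption for the demo
# primary[/instance]@REALM, with no whitespace anywhere in the name
PRINCIPAL_RE = re.compile(r"^([^/@\s]+)(?:/([^/@\s]+))?@([A-Z0-9.\-]+)$")

# Constructed sample .k5login that deliberately contains two bad entries.
SAMPLE_K5LOGIN = """\
stan@PILOT.FNAL.GOV
lauri/root@PILOT.FNAL.GOV
guest@EXAMPLE.ORG
not a principal
"""


def parse_k5login(text):
    """Return (accepted, problems).

    accepted: principals that parse and are in SITE_REALM.
    problems: list of (entry, reason) for everything else.  A principal
    from another realm is a cross-realm grant of root and is reported
    rather than silently accepted.
    """
    accepted, problems = [], []
    for line in text.splitlines():
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        m = PRINCIPAL_RE.match(entry)
        if not m:
            problems.append((entry, "not a well-formed principal"))
            continue
        primary, instance, realm = m.groups()
        if realm != SITE_REALM:
            problems.append((entry, "foreign realm %s" % realm))
            continue
        accepted.append(entry)
    return accepted, problems


def check_file_metadata(owner_uid, mode):
    """Policy for root's .k5login (this example's rule): owned by uid 0 and
    not writable by group or other.  Returns the list of violations."""
    reasons = []
    if owner_uid != 0:
        reasons.append("owner is uid %d, not root" % owner_uid)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("mode %o is group/world writable" % stat.S_IMODE(mode))
    return reasons


def audit_k5login(text, owner_uid, mode):
    """Run both checks; returns (accepted_principals, findings)."""
    accepted, problems = parse_k5login(text)
    findings = ["%s: %s" % (entry, why) for entry, why in problems]
    findings += ["file: " + why for why in check_file_metadata(owner_uid, mode)]
    return accepted, findings


if __name__ == "__main__":
    # owner uid and mode as os.stat() would report them (constructed here)
    ok, findings = audit_k5login(SAMPLE_K5LOGIN, owner_uid=0, mode=0o100644)
    print("accepted:", ok)
    for f in findings:
        print("finding:", f)
```

On a real host the owner uid and mode would come from os.stat("/root/.k5login"); the demo passes constructed values so it runs anywhere.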
From kreymer@fnal.gov Wed Jun 21 09:14:02 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA30317 for ; Wed, 21 Jun 2000 09:14:02 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWI00L01CVE84@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Jun 2000 09:14:02 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00ERJCVD24@smtp.fnal.gov>; Wed, 21 Jun 2000 09:14:01 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025D46@listserv.fnal.gov>; Wed, 21 Jun 2000 09:14:02 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 51217 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Jun 2000 09:14:02 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025D45@listserv.fnal.gov>; Wed, 21 Jun 2000 09:14:02 -0500
Received: from nascar.fnal.gov ([131.225.80.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00DOJCVDPY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Jun 2000 09:14:01 -0500 (CDT)
Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id JAA09105 for ; Wed, 21 Jun 2000 09:14:00 -0500 (CDT)
Date: Wed, 21 Jun 2000 09:14:00 -0500
From: stan@fnal.gov
Subject: bldlinux61
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200006211414.JAA09105@nascar.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 346

So I tried to log in via the console server as user Stan and used my k5 passwd. That worked ok. I can su and ksu from that point. The su asked for the passwd and I used the normal bldcluster passwd and it accepted it. So the root passwd is what I think it is.

So back to just logging in as root at the console prompt. I get the following.

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14-1.2.0f1smp on a 2-processor i686

bldlinux61 login: root

Red Hat Linux release 6.1 (Cartman)
Kernel 2.2.14-1.2.0f1smp on a 2-processor i686

Password for root:
Login incorrect

login:

and this in messages log

Jun 21 09:03:10 bldlinux61 login: REPEATED LOGIN FAILURES ON ttyS0, root

Stan.

From kreymer@fnal.gov Wed Jun 21 09:44:23 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA30354 for ; Wed, 21 Jun 2000 09:44:22 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWI00M01E9YFN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Jun 2000 09:44:22 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00L4JE9XF9@smtp.fnal.gov>; Wed, 21 Jun 2000 09:44:22 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025DB8@listserv.fnal.gov>; Wed, 21 Jun 2000 09:44:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 51337 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Jun 2000 09:44:22 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025DB7@listserv.fnal.gov>; Wed, 21 Jun 2000 09:44:22 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI00L2LE9XNX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Jun 2000 09:44:21 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA20356; Wed, 21 Jun 2000 09:44:20 -0500 (CDT)
Date: Wed, 21 Jun 2000 09:44:20 -0500
From: Matt Crawford
Subject: Re: bldlinux61
In-reply-to: "21 Jun 2000 09:14:00 CDT." <200006211414.JAA09105@nascar.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: stan@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200006211444.JAA20356@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 347

Here's a thought ... does that machine use a non-standard password hashing algorithm? I've heard that some Linuxes (and other free unices) can be configured to do that.

From kreymer@fnal.gov Wed Jun 21 10:42:20 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA30405 for ; Wed, 21 Jun 2000 10:42:20 -0500
Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FWI00101GYJQS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Jun 2000 10:42:19 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI0005CGYJ40@smtp.fnal.gov>; Wed, 21 Jun 2000 10:42:19 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025EA3@listserv.fnal.gov>; Wed, 21 Jun 2000 10:42:19 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 51587 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Jun 2000 10:42:19 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00025EA2@listserv.fnal.gov>; Wed, 21 Jun 2000 10:42:19 -0500
Received: from nascar.fnal.gov ([131.225.80.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWI0005OGYI2D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Jun 2000 10:42:18 -0500 (CDT)
Received: from localhost (stan@localhost) by nascar.fnal.gov (8.8.3/8.8.2) with SMTP id KAA09697; Wed, 21 Jun 2000 10:42:17 -0500 (CDT)
Date: Wed, 21 Jun 2000 10:42:17 -0500
From: stan@fnal.gov
Subject: Re: bldlinux61
In-reply-to: "Your message of Wed, 21 Jun 2000 09:44:20 CDT." <200006211444.JAA20356@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, stan@nascar.fnal.gov
Message-id: <200006211542.KAA09697@nascar.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: nascar.fnal.gov: stan@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 348

I don't know about any hashing, but you used to be able to login as root via the console server before. We do on several linux boxes.

Stan.

> Here's a thought ... does that machine use a non-standard password
> hashing algorithm? I've heard that some Linuxes (and other free
> unices) can be configured to do that.
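Matt's hypothesis above (a password hash format the replacement login program cannot verify) and his remark that /etc/shadow is nine months old are both things an administrator can check from the shadow file itself. The following is an added example (Python; not code from the kerberos-pilot list): it classifies each entry's hash scheme, flags locked or empty password fields, and computes how long ago each password was changed. A login binary whose crypt() understands only the traditional 13-character DES form will reject a correct password stored as an MD5 ($1$) hash, so root's scheme is the first thing to look at. The shadow lines, hash strings and "today" value are constructed samples, not real credentials or a real file.

```python
# Recognised modular-crypt prefixes; anything else with a "$" is unknown.
PREFIXES = {"$1$": "md5", "$2a$": "bcrypt", "$2b$": "bcrypt",
            "$5$": "sha256", "$6$": "sha512"}

# Constructed sample in /etc/shadow format (user:hash:lastchg:min:max:warn:...).
# The hash strings are fake and verify nothing.
SAMPLE_SHADOW = """\
root:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV:10847:0:99999:7:::
stan:aBcDeFgHiJkLm:11100:0:99999:7:::
products:!!:11100:0:99999:7:::
nobody:*:10847:0:99999:7:::
bin::10847:0:99999:7:::
"""

# Field 3 counts days since the Unix epoch; 21 Jun 2000 is day 11129.
TODAY_DAYS = 11129


def classify_hash(field):
    """Name the scheme of one shadow password field."""
    if field == "":
        return "empty (no password)"
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "des"          # traditional crypt(3): 2-char salt + 11 chars
    return "unknown"


def audit_shadow(text, today_days=TODAY_DAYS):
    """Return [(user, scheme, age_in_days)] for every non-blank entry.

    age_in_days is None when the lastchg field is empty.
    """
    report = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        user, pw, lastchg = fields[0], fields[1], fields[2]
        age = today_days - int(lastchg) if lastchg else None
        report.append((user, classify_hash(pw), age))
    return report


def root_needs_attention(report, max_age_days=90):
    """True if root's hash is not the DES form an old crypt() can verify,
    or if root's password is older than max_age_days (or root is absent)."""
    for user, scheme, age in report:
        if user == "root":
            return scheme != "des" or (age is not None and age > max_age_days)
    return True


if __name__ == "__main__":
    rows = audit_shadow(SAMPLE_SHADOW)
    for user, scheme, age in rows:
        print("%-10s %-20s changed %s days ago" % (user, scheme, age))
    print("root needs attention:", root_needs_attention(rows))
```

In the constructed sample root's entry is an MD5 hash set 282 days ago, so both of the conditions Matt raised would be reported; on a real host the text would be read from /etc/shadow as root.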
From kreymer@fnal.gov Wed Jun 21 11:52:34 2000 -0500
Date: Wed, 21 Jun 2000 12:52:32 -0400 (EDT)
From: David Gerdes
Subject: Re: bldlinux61
In-reply-to: <200006211542.KAA09697@nascar.fnal.gov>
To: stan@fnal.gov
Cc: Matt Crawford, kerberos-pilot@fnal.gov

Any chance the machine has been hacked, and someone replaced /bin/login
with a trojan to capture passwords?

--D

--------------------------------------
David Gerdes, University of Michigan
(734) 647-3807 / (734) 936-1817 FAX
gerdes@umich.edu
http://umaxp1.physics.lsa.umich.edu/~gerdes/

On Wed, 21 Jun 2000 stan@fnal.gov wrote:

> I don't know about any hashing, but you used to be able to log in as root via
> the console server before. We do on several linux boxes.
>
> Stan.
>
> > Here's a thought ... does that machine use a non-standard password
> > hashing algorithm? I've heard that some Linuxes (and other free
> > unices) can be configured to do that.
>

From kreymer@fnal.gov Wed Jun 21 13:19:07 2000 -0500
Date: Wed, 21 Jun 2000 13:19:05 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: bldlinux61
To: David Gerdes
Cc: stan@fnal.gov, Matt Crawford, kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200006211819.NAA20884@fsui03.fnal.gov>

Not likely:

$ sum $KERBEROS_DIR/sbin/login.krb5
25635   107
$ sum /bin/login
25635   107

It's the image from the kerberos v2_2 product.

-- lauri

On Wednesday 21 June 2000, our friend David Gerdes spaketh thusly:
> Any chance the machine has been hacked, and someone replaced /bin/login
> with a trojan to capture passwords?
>
> --D
>
> --------------------------------------
> David Gerdes, University of Michigan
> (734) 647-3807 / (734) 936-1817 FAX
> gerdes@umich.edu
> http://umaxp1.physics.lsa.umich.edu/~gerdes/
>
> On Wed, 21 Jun 2000 stan@fnal.gov wrote:
>
> > I don't know about any hashing, but you used to be able to log in as root via
> > the console server before. We do on several linux boxes.
> >
> > Stan.
> >
> > > Here's a thought ... does that machine use a non-standard password
> > > hashing algorithm? I've heard that some Linuxes (and other free
> > > unices) can be configured to do that.
> >

From kreymer@fnal.gov Wed Jun 21 13:27:52 2000 -0500
Date: Wed, 21 Jun 2000 13:27:48 -0500
From: stan@fnal.gov
Subject: Re: bldlinux61
In-reply-to: "Your message of Wed, 21 Jun 2000 13:19:05 CDT." <200006211819.NAA20884@fsui03.fnal.gov>
To: lauri@fnal.gov
Cc: David Gerdes, stan@fnal.gov, Matt Crawford, kerberos-pilot@fnal.gov, stan@nascar.fnal.gov
Message-id: <200006211827.NAA10821@nascar.fnal.gov>

So after some looking around and a tip from Matt, the pam config files on
linux61 have md5 turned on by default. So I can turn that off and it will be
like all the rest of the encryptions. The question is which does fermi linux
support?

Stan.

From kreymer@fnal.gov Wed Jun 21 13:42:18 2000 -0500
Date: Wed, 21 Jun 2000 13:42:16 -0500
From: Matt Crawford
Subject: Re: bldlinux61
In-reply-to: "21 Jun 2000 13:27:48 CDT." <200006211827.NAA10821@nascar.fnal.gov>
To: stan@fnal.gov
Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <200006211842.NAA21396@gungnir.fnal.gov>

> So after some looking around and a tip from Matt, the pam config files on
> linux61 have md5 turned on by default. So I can turn that off and it will be
> like all the rest of the encryptions.

(Hashes, strictly speaking, not encryptions -- because the function is not
reversible.)

It's my impression that some OSes that support alternative password hashing
can only use one at a time, system-wide. So if you change it, all passwords
need to be reset. It's technically possible to mark each password in the
shadow file according to which hash function was used for it. Maaaayyyybe
Linux does this. Maybe not. So use care.

> The question is which does fermi linux support?

I'm not the one to answer that.
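The per-entry marking Matt describes is what Linux does: glibc's crypt(3) picks the algorithm from the "$id$" prefix of the stored field ("$1$" is the MD5 scheme Stan found switched on in the PAM config; a bare 13-character field is traditional DES), so entries hashed different ways coexist on one box and an audit has to look at each one. The script below is an added illustration, not code from the list; it classifies every entry of a constructed /etc/shadow excerpt (the hash strings are placeholders of the right shape, not real digests) so a sysadmin can see which algorithms are in use, and which users would need a new password, before changing the PAM default.

```python
"""Audit which password-hash algorithm each /etc/shadow entry uses.

Added example, not code from the kerberos-pilot list. glibc's crypt(3)
dispatches on the "$id$" prefix of the stored field, so a box can hold
MD5 ("$1$") entries next to traditional 13-character DES ones; this shows
which users would need a password change if the PAM default is switched.
"""
import re
from typing import Dict, List

# crypt(3) modular-format ids understood by glibc / libxcrypt.
MODULAR_IDS = {
    "1": "md5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256",
    "6": "sha512",
    "7": "scrypt",
    "y": "yescrypt",
    "gy": "gost-yescrypt",
}

# Traditional DES crypt: exactly 13 characters of the crypt alphabet.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Algorithms a present-day audit should flag for migration.
WEAK = {"des", "md5"}


def classify_hash(field: str) -> str:
    """Name the algorithm behind one shadow password field.

    Returns "empty" (no password), "locked" ("!" or "*" prefix, i.e. password
    login disabled), an algorithm name, or "unknown".
    """
    if field == "":
        return "empty"
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        parts = field.split("$")
        # "$id$salt$hash" (or "$id$rounds=N$salt$hash"): parts[1] is the id.
        if len(parts) >= 3 and parts[1] in MODULAR_IDS:
            return MODULAR_IDS[parts[1]]
        return "unknown"
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_shadow(text: str) -> Dict[str, str]:
    """Map user name -> hash classification for each line of shadow(5) text."""
    results: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:  # shadow(5) entries have nine colon-separated fields
            raise ValueError(f"line {lineno}: malformed shadow entry")
        results[fields[0]] = classify_hash(fields[1])
    return results


def algorithms_in_use(results: Dict[str, str]) -> List[str]:
    """Distinct hash algorithms actually present (ignores locked/empty/unknown)."""
    skip = {"empty", "locked", "unknown"}
    return sorted({algo for algo in results.values() if algo not in skip})


def needs_rehash(results: Dict[str, str]) -> List[str]:
    """Users whose entries use DES or MD5 and must pick a new password once a
    stronger default is configured (old entries are not rehashed in place)."""
    return sorted(user for user, algo in results.items() if algo in WEAK)


# Constructed excerpt: hash strings are placeholders of the right shape, not
# real digests. Layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = "\n".join([
    "root:$1$Xq8ZfQ1p$0123456789abcdefghijkl:11129:0:99999:7:::",
    "bin:*:11129:0:99999:7:::",
    "daemon:!!:11129:0:99999:7:::",
    "stan:abJnggxhB/yWI:11129:0:99999:7:::",
    "lauri:$6$saltsalt$" + "A" * 86 + ":11129:0:99999:7:::",
    "guest::11129:0:99999:7:::",
])

if __name__ == "__main__":
    report = audit_shadow(SAMPLE_SHADOW)
    for user, algo in report.items():
        print(f"{user:10s} {algo}")
    print("algorithms in use:", algorithms_in_use(report))
    print("needs rehash:", needs_rehash(report))
```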
From kreymer@fnal.gov Wed Jun 28 16:28:31 2000 -0500
Date: Wed, 28 Jun 2000 16:28:27 -0500
From: stan@fnal.gov
Subject: su
To: kerberos-pilot@fnal.gov
Message-id: <200006282128.QAA29524@nascar.fnal.gov>

I know you all know this already, but if we let people su on strong boxes
we are typing the root passwd in the clear. Unless the telnet is encrypted
from ossbud. Is it?

Stan.

From kreymer@fnal.gov Wed Jun 28 16:44:01 2000 -0500
Date: Wed, 28 Jun 2000 16:43:58 -0500
From: "Mark O. Kaletka"
Subject: RE: su
In-reply-to: <200006282128.QAA29524@nascar.fnal.gov>
To: stan@fnal.gov, kerberos-pilot@fnal.gov

The telnet can be encrypted, but isn't necessarily, so you should use ksu
instead. Add the principals who should be able to ksu to the .k5login file
for root.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of stan@fnal.gov
> Sent: Wednesday, June 28, 2000 4:28 PM
> To: kerberos-pilot@fnal.gov
> Subject: su
>
> I know you all know this already, but if we let people su on strong boxes we
> are typing the root passwd in the clear. Unless the telnet is encrypted from
> ossbud. Is it?
>
> Stan.
>

From kreymer@fnal.gov Wed Jun 28 16:49:21 2000 -0500
Date: Wed, 28 Jun 2000 16:49:19 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: su
To: stan@fnal.gov
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200006282149.QAA25057@fsui03.fnal.gov>

On strong boxes you are supposed to "ksu", not "su".
The "ksu" looks in the .k5login in root's $HOME area for authorization.
If you're in there, no password is necessary.

-- lauri

On Wednesday 28 June 2000, our friend stan@fnal.gov spaketh thusly:
> I know you all know this already, but if we let people su on strong boxes we
> are typing the root passwd in the clear. Unless the telnet is encrypted from
> ossbud. Is it?
>
> Stan.

From kreymer@fnal.gov Thu Jun 29 11:26:04 2000 -0500
Date: Thu, 29 Jun 2000 11:26:02 -0500
From: Matt Crawford
Subject: Re: su
In-reply-to: "28 Jun 2000 16:28:27 CDT." <200006282128.QAA29524@nascar.fnal.gov>
To: stan@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200006291626.LAA12516@gungnir.fnal.gov>

> I know you all know this already, but if we let people su on strong boxes we
> are typing the root passwd in the clear.

That's why ksu is such a cool thing.

> Unless the telnet is encrypted from ossbud. Is it?

Initiator's option: -x on command line or encrypt=true in the appdefaults
section of /etc/krb5.conf to get encryption.

From kreymer@fnal.gov Fri Jun 30 16:41:48 2000 -0500
Date: Fri, 30 Jun 2000 16:41:48 -0500 (CDT)
From: Dane Skow
Subject: KRB5 PAM for Linux
To: kerberos-pilot@fnal.gov

Okay, I think we've got something that's ready for a few others to try and
comment on: a Kerberos 5 PAM module for Linux. While in principle this might
be useful for several Linux purposes, the thing I was interested in was
enabling the KDE screensaver to use KRB5 authentication and refresh the
ticket.

To use it, one needs to get the /lib/security/pam_krb5.so module from me
(Hmmm, how should we package this, folks? It's ~700K, so too large to send
to the list) and then add the appropriate line in your /etc/pam.d/kde file.
Mine looks like:

bash$ cat /etc/pam.d/kde
#%PAM-1.0
auth       required     /lib/security/pam_nologin.so
auth       sufficient   /lib/security/pam_krb5.so keep_cred
auth       sufficient   /lib/security/pam_afs.so ignore_root
auth       required     /lib/security/pam_pwdb.so use_first_pass shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_cracklib.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required     /lib/security/pam_pwdb.so
session    optional     /lib/security/pam_console.so

With this configuration, I can use either my KRB5 or AFS passwords.

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Wed Jul 5 10:43:41 2000 -0500
Date: Wed, 05 Jul 2000 10:43:37 -0500
From: stan@fnal.gov
Subject: Re: su
In-reply-to: "Your message of Wed, 28 Jun 2000 16:49:19 CDT." <200006282149.QAA25057@fsui03.fnal.gov>
To: lauri@fnal.gov
Cc: kerberos-pilot@fnal.gov, stan@nascar.fnal.gov
Message-id: <200007051543.KAA10721@nascar.fnal.gov>

I understand how ksu works and why you should use it. My point is that su is
still there. If I can't ksu and I can su, the box is not protected. If a box
is in the realm it should not be able to do things that will compromise
itself. So should su be linked to ksu like passwd is linked to yppasswd?

Stan.

From kreymer@fnal.gov Wed Jul 5 12:04:00 2000 -0500
Date: Wed, 05 Jul 2000 12:00:32 -0500
From: Matt Crawford
Subject: Uncommon problem and solution
To: kerberos-pilot@fnal.gov
Message-id: <200007051700.MAA25154@gungnir.fnal.gov>

I just finished diagnosing an odd problem with the sysadmin of a new
Kerberos host, and since the trouble, while improbable, could happen to
someone else, I'm going to explain it here.

After the host and ftp service keys were created in the KDC for the new
machine, but before the keytab had been created (perhaps even before the
Kerberos software had been installed), the sysadmin tried "telnet " from
his workstation. This obtained a service ticket for
host/newhost.fnal.gov@PILOT.FNAL.GOV based on the host key corresponding to
the password Yolanda assigned. Of course this ticket was of no use yet
because there was no keytab file on the host.

After installing Kerberos and creating the keytab, the sysadmin still
couldn't log in from his workstation. There was a syslog error from telnetd:
"krb5_rd_req failed: Key version number for principal in key table is
incorrect". The trouble was that the client still had a service ticket with
the original key, but the process of creating the keytab file changes the
key. So the newhost couldn't honor the old service ticket.

Getting rid of the old service ticket by "kinit -R" solved the problem.
"kdestroy; kinit" would work also, as would the passage of 26 hours of time.
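Matt's diagnosis turns on the key version number (kvno): each ticket records the kvno of the service key it was sealed under, ktadd installs a fresh key with a higher kvno, and krb5_rd_req on the host looks for a keytab entry whose kvno matches the ticket. The model below is an added example, not code from the list or from MIT krb5; it replays the sequence with toy keys and an integer hour clock, the service name from the message and a constructed client principal, and shows why "kinit -R", "kdestroy; kinit" or simply waiting out the 26-hour ticket life all clear the error while doing nothing does not.

```python
"""Toy model of the stale-service-ticket incident (added example, not MIT krb5).
A service ticket records the kvno of the key it was sealed under; ktadd gives the
host a fresh key with a higher kvno, so an older ticket matches no keytab entry."""
from dataclasses import dataclass
from typing import Dict, List, Tuple
import secrets

TICKET_LIFETIME_HOURS = 26   # the ticket life quoted in the message above


class KrbError(Exception):
    pass


@dataclass
class ServiceTicket:
    service: str
    kvno: int       # version of the service key the ticket was sealed under
    expires: int    # hour at which the ticket expires


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    key: bytes


class KDC:
    def __init__(self) -> None:
        self.keys: Dict[str, Tuple[int, bytes]] = {}   # principal -> (kvno, key)

    def addprinc(self, principal: str) -> None:
        """kadmin addprinc: initial key (stands in for the password-derived one), kvno 1."""
        self.keys[principal] = (1, secrets.token_bytes(16))

    def ktadd(self, principal: str) -> KeytabEntry:
        """kadmin ktadd: randomize the key, increment the kvno, hand the entry out."""
        kvno, _ = self.keys[principal]
        new_key = secrets.token_bytes(16)
        self.keys[principal] = (kvno + 1, new_key)
        return KeytabEntry(principal, kvno + 1, new_key)

    def tgs(self, service: str, now: int) -> ServiceTicket:
        kvno, _ = self.keys[service]   # the ticket is sealed under the *current* key
        return ServiceTicket(service, kvno, now + TICKET_LIFETIME_HOURS)


class Client:
    """Credential cache on the sysadmin's workstation."""
    def __init__(self, kdc: KDC) -> None:
        self.kdc = kdc
        self.cache: Dict[str, ServiceTicket] = {}

    def reinit(self) -> None:
        """kinit -R (or kdestroy; kinit): cache rebuilt, service tickets dropped."""
        self.cache.clear()

    def ticket_for(self, service: str, now: int) -> ServiceTicket:
        ticket = self.cache.get(service)
        if ticket is None or ticket.expires <= now:   # none cached, or expired
            ticket = self.kdc.tgs(service, now)
            self.cache[service] = ticket
        return ticket


class Host:
    """The new host: its keytab and the kvno check krb5_rd_req performs."""
    def __init__(self) -> None:
        self.keytab: List[KeytabEntry] = []

    def rd_req(self, ticket: ServiceTicket) -> int:
        entries = [e for e in self.keytab if e.principal == ticket.service]
        if not entries:
            raise KrbError("no key for principal in key table (keytab not created yet)")
        if not any(e.kvno == ticket.kvno for e in entries):
            raise KrbError("Key version number for principal in key table is incorrect")
        return ticket.kvno   # a matching key exists; decryption would proceed here


def replay(remedy: str) -> List[str]:
    """Replay the incident; remedy is "kinit -R", "kdestroy; kinit", "wait" or "none"."""
    svc = "host/newhost.fnal.gov@PILOT.FNAL.GOV"   # service name from the message
    kdc, host = KDC(), Host()
    kdc.addprinc(svc)
    client = Client(kdc)                           # the sysadmin's workstation
    log: List[str] = []

    def attempt(now: int) -> None:
        try:
            log.append("ok: kvno %d" % host.rd_req(client.ticket_for(svc, now)))
        except KrbError as err:
            log.append("krb5_rd_req failed: " + str(err))

    attempt(0)                          # telnet before the keytab exists: kvno-1 ticket cached
    host.keytab.append(kdc.ktadd(svc))  # keytab created: key changes, kvno 1 -> 2
    attempt(1)                          # cached kvno-1 ticket no longer matches
    if remedy in ("kinit -R", "kdestroy; kinit"):
        client.reinit()
    now = 1 + TICKET_LIFETIME_HOURS if remedy == "wait" else 2
    attempt(now)                        # succeeds unless remedy is "none"
    return log
```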
From kreymer@fnal.gov Wed Jul 5 13:34:33 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA26482 for ; Wed, 5 Jul 2000 13:34:33 -0500 Received: from PROCESS-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #44770) id <0FX800501M9KZ3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 05 Jul 2000 13:34:32 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FX800LPVM9KR8@smtp.fnal.gov>; Wed, 05 Jul 2000 13:34:32 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002D2B7@listserv.fnal.gov>; Wed, 05 Jul 2000 13:34:32 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 83198 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 05 Jul 2000 13:34:32 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0002D2B6@listserv.fnal.gov>; Wed, 05 Jul 2000 13:34:32 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FX80052KM9JAU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 05 Jul 2000 13:34:31 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA25731; Wed, 05 Jul 2000 13:34:31 -0500 (CDT) Date: Wed, 05 Jul 2000 13:34:31 -0500 From: Matt Crawford Subject: Re: su In-reply-to: "05 Jul 2000 10:43:37 CDT." <200007051543.KAA10721@nascar.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: stan@fnal.gov Cc: lauri@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200007051834.NAA25731@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 360 Welcome back, Stan. > [...] My point is that su is still there. If I can't ksu and I can > su, the box is not protected. 
> If a box is in the realm it should not
> be able to do things that will compromise itself.

A fair point, but our goals stop short of the impossible dream of making every
dangerous action impossible. We want to protect Kerberos passwords as much as
possible, but trying to stamp out unix passwords goes beyond our charter.
Besides, taking away su outright (which is beyond what you suggested) could
leave a sysadmin in the lurch if the system is off the net or isolated from
the KDCs.

> So should su be linked to ksu like passwd is linked to yppasswd?

Maybe a script or program called /usr/krb5/bin/su could be cooked up which
would try ksu and fall back to the system's own su? Volunteer? I'm not sure
whether this merits any great effort.

From kreymer@fnal.gov Tue Jul 11 16:22:44 2000 -0500
Date: Tue, 11 Jul 2000 17:16:18 -0400
From: Joe Boudreau
Subject: Problems with Kerberos.
To: kerberos-pilot@fnal.gov
Message-id: <396B8EA2.AB4660BB@cactus.phyast.pitt.edu>

Hi Matt & al:

I have just kerberized my system (a laptop running linux 6.1) and I have some
problem telnetting to fcdfsgi2. I have shown the problem to our local managers
Glen Cooper and Richard Jetton and they have assured me this isn't first-order
stupidity on my part, and recommended that I address this to you.

I am attaching a script that shows exactly how

1) I have obtained a valid certificate.
2) I am using the right telnet.
3) My credentials are accepted on fcdfsgi2
4) Then I am thrown out in the login procedure.

Thanks for any light you can shed on this, and if you want I can bring the
machine in question around to you--it's a laptop.

Thanks, Joe.

[attachment: forMattEtAl.txt]

Script started on Tue Jul 11 17:09:57 2000
> kdestroy
kdestroy: No credentials cache file found while destroying cache
Ticket cache NOT destroyed!
> kinit
Password for boudreau@PILOT.FNAL.GOV:
> klist
Ticket cache: /tmp/krb5cc_500
Default principal: boudreau@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
07/11/00 17:12:25  07/12/00 19:12:25  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> which telnet
/usr/products/kerberos/v0_6/./bin/telnet
> telnet fcdfsgi2
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov (131.225.240.129).
Escape character is '^]'.

                          NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab
local network system) that is the property of the United States Government.
It is for authorized use only. Users (authorized or unauthorized) have no
explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be
intercepted, monitored, recorded, copied, audited, inspected, and disclosed
to authorized site, Department of Energy and law enforcement personnel, as
well as authorized officials of other agencies, both domestic and foreign.
By using this system, the user consents to such interception, monitoring,
recording, copying, auditing, inspection, and disclosure at the discretion
of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative
disciplinary action and civil and criminal penalties. By continuing to use
this system you indicate your awareness of and consent to these terms and
conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions
stated in this warning.

Fermilab policy and rules for computing, including appropriate use, may be
found at http://www.fnal.gov/cd/main/cpolicy.html

[ Kerberos V5 accepts you as ``boudreau@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login: ^D
Connection closed by foreign host.
> exit
exit
Script done on Tue Jul 11 17:10:50 2000

From kreymer@fnal.gov Tue Jul 11 16:30:12 2000 -0500
Date: Tue, 11 Jul 2000 17:28:08 -0400
From: Joe Boudreau
Subject: FYI WRT last message
To: kerberos-pilot@fnal.gov
Message-id: <396B9168.870E50B6@cactus.phyast.pitt.edu>

Hi, with respect to the last message, I have discovered that there is no
problem when telnetting to cdfsga, only to fcdfsgi2.

--Joe.
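The transcript above ends with the server accepting the forwarded credentials and then printing "Login incorrect". The replies that follow in this thread, and Todd Huffman's thread later on, trace that symptom to two client-side causes: the local unix username differing from the account name on the remote host, which needs "telnet -l <name>", and a non-Kerberos telnet or rlogin being found before /usr/krb5/bin in PATH. What follows is an added preflight script written for this archive; it is not code from the list, from Fermilab or from the Kerberos distribution. The klist text, the PATH value and the local username "joe" are constructed samples modelled on the transcript (Matt's guess of "joe" is in his reply); the host name fcdfsgi2, the principal boudreau@PILOT.FNAL.GOV and the /usr/krb5/bin location come from the thread. Treating /usr/bin, /bin and /usr/ucb as the directories that can shadow the Kerberos tools is an assumption about the client, not something the list states.

```shell
#!/bin/sh
# Added example (not from the kerberos-pilot list or any Fermilab product):
# a client-side preflight for the "credentials accepted, then Login
# incorrect" symptom. It checks the two causes this thread arrives at:
#   1. /usr/krb5/bin must precede the system telnet/rlogin in PATH,
#      otherwise a non-Kerberos client is run;
#   2. the remote login name must be the principal's name, so when the
#      local username differs it has to be passed with "telnet -l <name>".

# Return 0 when the Kerberos bin directory (default /usr/krb5/bin) appears
# in the colon-separated path list before any system directory that also
# ships telnet/rlogin (/usr/bin, /bin, /usr/ucb; an assumption); 1 otherwise.
krb5_path_ok() {
    pathlist="$1"
    krb_bin="${2:-/usr/krb5/bin}"
    seen_system=0
    oldifs="$IFS"
    IFS=:                           # split on ':' without arrays (POSIX sh)
    for d in $pathlist; do
        case "$d" in
            "$krb_bin")
                IFS="$oldifs"
                [ "$seen_system" -eq 0 ] && return 0
                return 1 ;;         # found, but after a system bin dir
            /usr/bin|/bin|/usr/ucb)
                seen_system=1 ;;
        esac
    done
    IFS="$oldifs"
    return 1                        # not in PATH at all
}

# Print the user part of the default principal found in klist output
# ($1 is the klist text; on a real client pass "$(klist 2>/dev/null)").
# Prints nothing when there is no ticket cache.
principal_user() {
    printf '%s\n' "$1" | sed -n 's/^Default principal: *\([^@/]*\).*/\1/p' | head -n 1
}

# Print the telnet command to use: "-l" is added only when the local
# username differs from the principal's user part.
login_command() {
    local_user="$1"; princ_user="$2"; host="$3"
    if [ "$local_user" = "$princ_user" ]; then
        printf 'telnet %s\n' "$host"
    else
        printf 'telnet -l %s %s\n' "$princ_user" "$host"
    fi
}

# Constructed sample data modelled on the transcript (not captured from a
# live client): a ticket for boudreau, a laptop login of "joe", and a PATH
# with /usr/krb5/bin after /usr/bin (the wrong order).
SAMPLE_KLIST='Ticket cache: /tmp/krb5cc_500
Default principal: boudreau@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
07/11/00 17:12:25  07/12/00 19:12:25  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV'
SAMPLE_PATH='/usr/bin:/bin:/usr/krb5/bin'
SAMPLE_LOCAL_USER='joe'

# Run both checks and print the advice; returns 1 when there is no ticket.
preflight() {
    if krb5_path_ok "$SAMPLE_PATH"; then
        echo "PATH ok: /usr/krb5/bin precedes the system telnet/rlogin"
    else
        echo "WARNING: /usr/krb5/bin is missing from PATH or comes after"
        echo "         /usr/bin; 'which telnet' will not be the Kerberos client"
    fi
    pu=$(principal_user "$SAMPLE_KLIST")
    if [ -z "$pu" ]; then
        echo "no ticket found: run kinit first"
        return 1
    fi
    echo "ticket holder is '$pu', local user is '$SAMPLE_LOCAL_USER'; use:"
    login_command "$SAMPLE_LOCAL_USER" "$pu" fcdfsgi2
}

preflight
```

On a real client replace the three SAMPLE_ values with "$PATH", "$(klist 2>/dev/null)" and "$LOGNAME". The PATH check deliberately fails when /usr/krb5/bin is absent as well as when it is merely shadowed, since both produce the same symptom: the system telnet answers, the server never sees Kerberos authentication, and the login falls through to the host's password or cryptocard prompt.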
From kreymer@fnal.gov Tue Jul 11 16:51:32 2000 -0500
Date: Tue, 11 Jul 2000 16:51:29 -0500
From: Matt Crawford
Subject: Re: Problems with Kerberos.
In-reply-to: "11 Jul 2000 17:16:18 EDT." <396B8EA2.AB4660BB@cactus.phyast.pitt.edu>
To: Joe Boudreau
Cc: kerberos-pilot@fnal.gov
Message-id: <200007112151.QAA10245@gungnir.fnal.gov>

I bet your unix id is "joe" on your laptop and it's trying to log you into
fcdfsgi2 as user "joe" also. Try

    telnet -l boudreau fcdfsgi2

From kreymer@fnal.gov Tue Jul 11 20:27:09 2000 -0500
Date: Tue, 11 Jul 2000 21:21:54 -0400
From: Joe Boudreau
Subject: Re: Problems with Kerberos.
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <396BC832.B9ADB98E@cactus.phyast.pitt.edu>
References: <200007112151.QAA10245@gungnir.fnal.gov>

Hi Matt,

The good news is that this is now working. The bad news is, we don't know
why. We tried your suggestion and even went so far as creating a "boudreau"
account in case that wasn't sufficient. Still didn't work. I thought that
removing a .shosts file cured the problem, but since I (successfully) did
that we are unable to cause the problem to recur even by putting the file
back! Anyhow I'm happy. Ignorance is bliss, as they say.

--Joe.

From kreymer@fnal.gov Wed Jul 19 15:08:24 2000 -0500
Date: Wed, 19 Jul 2000 15:08:22 -0500 (CDT)
From: Art Kreymer
Subject: kerberos setup versus perl/gtools
To: kerberos-pilot@fnal.gov

As I recall, in order to use the kerberos client software, the standard
instructions are to 'setup kerberos'.

The kerberos table file contains SetupRequired actions for the 'current'
versions of perl and gtools. But the CDF offline software requires specific
versions of these packages. Indeed, each numbered release of the cdf offline
software may require a different version of perl and gtools.

I'm sure other projects also require specific versions of perl and gtools.

This is a slight problem for code developers.

Surely the normal use of kerberos does not require the ups setup of perl and
gtools! Can we remove these from the kerberos setup action?

From kreymer@fnal.gov Wed Jul 19 15:22:55 2000 -0500
Date: Wed, 19 Jul 2000 15:22:55 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos setup versus perl/gtools
To: Art Kreymer
Cc: kerberos-pilot@fnal.gov
Message-id: <200007192022.PAA23819@fsui03.fnal.gov>

On Wednesday 19 July 2000, our friend Art Kreymer spaketh thusly:

> As I recall, in order to use the kerberos client software,
> the standard instructions are to 'setup kerberos'.

No. Kerberos is NOT a product that needs to be "setup" prior to use. The
setpath product (called by the login product, called by user's login
scripts) inserts the /usr/krb5/bin directory into the user's path, so that
the kerberos client applications are available without a "setup".

> The kerberos table file contains SetupRequired actions for
> the 'current' versions of perl and gtools.

Actually, kerberos only requires perl and gtools for *installation*, not for
actual usage. However, there is no provision in table files for making sure
that a product exists when you are doing "ups install", without putting it
into a SetupRequired (or SetupOptional) in the "Action=setup" stanza. In
other words, I can't do

    Action=install
      setupRequired( product-required-only-for-installation )

and have upd understand that it will need to bring over the subproduct.

> But the CDF offline software requires specific versions of these packages.
> Indeed, each numbered release of the cdf offline software may require a
> different version of perl and gtools.
>
> I'm sure other projects also require specific versions of perl and gtools.
>
> This is a slight problem for code developers.
>
> Surely the normal use of kerberos does not require
> the ups setup of perl and gtools !
> Can we remove these from the kerberos setup action ?

Nope, not until ups/upd are modified so that there is some way of saying "I
need this other product to be installed on the system, but NOT during
'action=setup'".

-- lauri

From kreymer@fnal.gov Wed Jul 19 15:54:53 2000 -0500
Date: Wed, 19 Jul 2000 15:54:33 -0500
From: Matt Crawford
Subject: Re: kerberos setup versus perl/gtools
In-reply-to: "19 Jul 2000 15:08:22 CDT."
To: Art Kreymer
Cc: kerberos-pilot@fnal.gov
Message-id: <200007192054.PAA13468@gungnir.fnal.gov>

> As I recall, in order to use the kerberos client software,
> the standard instructions are to 'setup kerberos'.

They are? That should not be necessary. The shells-or-whatever setup puts
/usr/krb5/bin early in the path so no setup of Kerberos should be needed.

> The kerberos table file contains SetupRequired actions for
> the 'current' versions of perl and gtools.

The comment just before that says

    Action=setup
      [...]
      # Technically these are not required for
      # USING kerberos, but they ARE required in order
      # for the installation to succeed, and this
      # is the only way to guarantee that they are on
      # the system.
      #
      setupRequired(krb5conf)
      setupRequired(perl)
      setupRequired(gtools)

Perhaps some UPS expert can see a cleaner way to accomplish this goal?

> But the CDF offline software requires specific versions of these packages.
> Indeed, each numbered release of the cdf offline software may require a
> different version of perl and gtools.

In the meantime I'd advise not setting up kerberos. (I can't find any
instruction to do so in the green book, but then paper is not so easy to
grep.)

From kreymer@fnal.gov Wed Jul 19 16:18:38 2000 -0500
Date: Wed, 19 Jul 2000 16:18:37 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: kerberos setup versus perl/gtools
To: Matt Crawford
Cc: Art Kreymer, kerberos-pilot@fnal.gov
Message-id: <200007192118.QAA26655@fsui03.fnal.gov>

On Wednesday 19 July 2000, our friend Matt Crawford spaketh thusly:

> [snippage]
> Perhaps some UPS expert can see a cleaner way to accomplish this goal?

Nope, sorry, not without enhancements to ups/upd.

One could make a fair assumption that perl is available on the system, and
that it's a "recent enough" perl -- because if you're using ups/upd, you've
got perl. Therefore, you probably wouldn't shoot yourself in the foot if you
removed the SetupRequired(perl).

But gtools is missing on LOTS of systems, and we specifically use the gtar
from gtools to do the transfer of the files to /usr/krb5/bin to avoid ripping
the rug out from underneath you if you were logged in using kerberos vX.n
while upgrading to kerberos vX.m.

A theoretical workaround would be to have the installation script itself
modify the table file to comment out these lines. This would be somewhat
tricky -- you'd have to:

    ups list -K@table_file

to get the name of the table file, then make sure that you could modify the
file, then find the lines which setup the products perl and gtools and
comment them out.

-- lauri

From kreymer@fnal.gov Wed Jul 26 19:00:27 2000 -0500
Date: Thu, 27 Jul 2000 01:00:24 +0100 (BST)
From: "Todd Huffman (CDF/ATLAS)"
Subject: I'm sure this is a small problem
To: kerberos-pilot@fnal.gov
Cc: "B. Todd Huffman"

Hi,

I have just received a kerberos principal. I log on to a kerberos client,
oxpc01, but there my username is 'huffman'. I wish to connect to fcdfsgi2
where my kerberos username is 'niimi'. Here is what happens on oxpc01:

>kinit
Password for niimi@PILOT.FNAL.GOV:
>telnet fcdfsgi2
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov (131.225.240.129).
Escape character is '^]'.

[ NOTICE TO USERS banner, identical to the one above ]

[ Kerberos V5 accepts you as ``niimi@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login:

I then type 'niimi' at login (which I thought I wasn't supposed to have to
do) and I get a challenge for a cryptocard.

I suspect this problem is related to the disparity between my user names on
the two machines, but how do I get around this?

Cheers,
Todd

*************************************************
~ Dr. B. Todd Huffman                           ~
~ Particle and Nuclear Physics                  ~
~ University of Oxford                          ~
~ Rm 631                                        ~
~ Keble Rd                                      ~
~ Oxford OX1 3RH UK                             ~
~                                               ~
~ Phone: 44 - 1865 - 273402                     ~
~ LMH:   44 - 1865 - 274307                     ~
~ FAX:   44 - 1865 - 273418                     ~
~ Home:  44 - 1865 - 450240                     ~
~ URL of my home page:                          ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/     ~
*************************************************

From kreymer@fnal.gov Thu Jul 27 07:26:51 2000 -0500
Date: Thu, 27 Jul 2000 13:26:48 +0100 (BST)
From: "Todd Huffman (CDF/ATLAS)"
Subject: Re: I'm sure this is a small problem
To: Glenn Cooper
Cc: kerberos-pilot@fnal.gov

From oxpc01 the following line:

>telnet -l niimi fcdfsgi2

returns:

Connected to fcdfsgi2.fnal.gov.
Escape character is '^]'.

[ NOTICE TO USERS banner, identical to the one above ]

Press ENTER and compare this challenge to the one on your display: [13180931]
Enter the displayed response:

Which is a cryptocard challenge...same as I get with a straight telnet.

Stephan Lammel suggested that I try:

>telnet -l huffman fcdfsgi2

# which I didn't expect to work because my account on fcdfsgi2 has the
# username niimi, and it doesn't...what I get is below:

> telnet -l huffman fcdfsgi2
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov.
Escape character is '^]'.

[ NOTICE TO USERS banner, identical to the one above ]

Login incorrect
login: niimi
Press ENTER and compare this challenge to the one on your display: [13180931]
Enter the displayed response:

again, another cryptocard challenge.

This is all taking place within the lab, but wouldn't one expect a similar
problem if I were doing this from a kerberos client remotely?

Cheers,
Todd

From kreymer@fnal.gov Thu Jul 27 07:59:05 2000 -0500
heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003C0B3@listserv.fnal.gov>; Thu, 27 Jul 2000 07:59:05 -0500 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYC00F1ZXEGHI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 27 Jul 2000 07:59:04 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id HAA07224; Thu, 27 Jul 2000 07:59:02 -0500 Date: Thu, 27 Jul 2000 07:59:02 -0500 (CDT) From: Art Kreymer Subject: Re: I'm sure this is a small problem In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: Glenn Cooper , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 371 You probably lack /usr/krb5/bin at the head of your path. Look at echo $PATH | tr : \\\n Or see whether 'which rlogin' shows /usr/krv5/bin/rlogin. Try /usr/krb5/bin/rlogin. 
(Personally, my fingers refuse to type 'telnet' anymore, and rlogin is equivalent for authenticated logins) From kreymer@fnal.gov Thu Jul 27 08:37:00 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA07363 for ; Thu, 27 Jul 2000 08:37:00 -0500 Received: from janus.physics.ox.ac.uk ([163.1.243.65]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYC00F6FZ5NI0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Thu, 27 Jul 2000 08:37:00 -0500 (CDT) Received: from al1.physics.ox.ac.uk ([163.1.244.73]) by janus.physics.ox.ac.uk with smtp (Exim 3.13 #5) id 13HnqN-0007nt-00 for kreymer@fnal.gov; Thu, 27 Jul 2000 14:36:59 +0100 Received: from huffman (helo=localhost) by al1.physics.ox.ac.uk with local-esmtp (Exim 2.05 #1) id 13HnqM-0006OK-00 for kreymer@fnal.gov; Thu, 27 Jul 2000 14:36:58 +0100 Date: Thu, 27 Jul 2000 14:36:58 +0100 (BST) From: "Todd Huffman (CDF/ATLAS)" Subject: Re: I'm sure this is a small problem In-reply-to: Sender: "Todd Huffman (LHC),631,73370" To: Art Kreymer Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 372 >which rlogin /usr/bin/rlogin looks like you hit on it. I'll get this in my path directly. Cheers, Todd ************************************************* ~ Dr. B. 
Todd Huffman ~ ~ Particle and Nuclear Physics ~ ~ University of Oxford ~ ~ Rm 631 ~ ~ Keble Rd ~ ~ Oxford OX1 3RH UK ~ ~ ~ ~ Phone: 44 - 1865 - 273402 ~ ~ LMH: 44 - 1865 - 274307 ~ ~ FAX: 44 - 1865 - 273418 ~ ~ Home: 44 - 1865 - 450240 ~ ~ URL of my home page: ~ ~ http://www-pnp.physics.ox.ac.uk/~huffman/ ************************************************* From kreymer@fnal.gov Thu Jul 27 09:07:35 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA07401 for ; Thu, 27 Jul 2000 09:07:35 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYD00FC30KMI6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 27 Jul 2000 09:07:35 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003C17F@listserv.fnal.gov>; Thu, 27 Jul 2000 09:07:34 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 26567 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Jul 2000 09:07:34 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003C17E@listserv.fnal.gov>; Thu, 27 Jul 2000 09:07:34 -0500 Received: from b0sun01.fnal.gov ([131.225.232.72]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYD00FAY0KMHF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 27 Jul 2000 09:07:34 -0500 (CDT) Date: Thu, 27 Jul 2000 09:07:34 -0500 (CDT) From: Stephan Lammel Subject: Re: I'm sure this is a small problem In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: Glenn Cooper , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 373 I thought you wrote your fcdfsgi2 account was huffman. 
Anyhow, you need to get a ticket for that principal. I don't know how you kinit-ed on your desktop. If you have a different, huffman, account there, you need to "kinit niimi@PILOT.fnal.gov" there before "telnet -l niimi fcdfsgi2". That all assumes that your kerberos principal is niimi@PILOT.fnal.gov...

Todd, you may want to get the same account on all machines...

cheers,
Stephan

From kreymer@fnal.gov Thu Jul 27 11:50:47 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA07562 for ; Thu, 27 Jul 2000 11:50:47 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYD00M8B84N7Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 27 Jul 2000 11:50:47 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003C3EF@listserv.fnal.gov>; Thu, 27 Jul 2000 11:50:47 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27222 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 27 Jul 2000 11:50:47 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003C3EE@listserv.fnal.gov>; Thu, 27 Jul 2000 11:50:47 -0500
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYD00M8484MMD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 27 Jul 2000 11:50:46 -0500 (CDT)
Date: Thu, 27 Jul 2000 11:50:45 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: I'm sure this is a small problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Todd Huffman (CDF/ATLAS)"
Cc: Glenn Cooper , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 374

On Thu, 27 Jul 2000, Todd Huffman (CDF/ATLAS) wrote:
>
> from oxpc01 the following line:
>
> >telnet -l niimi fcdfsgi2
>

Isn't it possible you're using the wrong telnet? This sounds like the response you should get if using a non-kerberos telnet client...

From kreymer@fnal.gov Fri Jul 28 08:59:11 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA08578 for ; Fri, 28 Jul 2000 08:59:10 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYE00K8OUUMRN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 28 Jul 2000 08:59:10 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003CDB0@listserv.fnal.gov>; Fri, 28 Jul 2000 08:59:10 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29823 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Jul 2000 08:59:10 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003CDAF@listserv.fnal.gov>; Fri, 28 Jul 2000 08:59:10 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYE00K94UUMRR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 28 Jul 2000 08:59:10 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA00123; Fri, 28 Jul 2000 08:59:08 -0500 (CDT)
Date: Fri, 28 Jul 2000 08:59:07 -0500
From: Matt Crawford
Subject: Re: I'm sure this is a small problem
In-reply-to: "27 Jul 2000 01:00:24 BST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Todd Huffman (CDF/ATLAS)"
Cc: kerberos-pilot@fnal.gov
Message-id: <200007281359.IAA00123@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 375

> I log on to a kerberos client,
> oxpc01 but there my username is 'huffman'
>
> I wish to connect to fcdfsgi2 where my kerberos username is 'niimi'
> [...]
> I suspect this problem is related to the disparity between my user
> names on the two machines, but how do I get around this?

Your diagnosis is correct and the solution is

telnet -l niimi [-x] fcdfsgi2

(with the -x optional, for encryption). Many non-kerberos telnet clients also accept the "-l user" flag and pass an env. var. to the server.

From kreymer@fnal.gov Fri Jul 28 09:08:32 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA08588 for ; Fri, 28 Jul 2000 09:08:31 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYE00KA0VA7RO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 28 Jul 2000 09:08:31 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003CDCE@listserv.fnal.gov>; Fri, 28 Jul 2000 09:08:31 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29855 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 28 Jul 2000 09:08:31 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003CDCD@listserv.fnal.gov>; Fri, 28 Jul 2000 09:08:31 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYE00K9CVA7RM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 28 Jul 2000 09:08:31 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA00210 for ; Fri, 28 Jul 2000 09:08:30 -0500 (CDT)
Date: Fri, 28 Jul 2000 09:08:30 -0500
From: Matt Crawford
Subject: Re: I'm sure this is a small problem
In-reply-to: "27 Jul 2000 07:59:02 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200007281408.JAA00210@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 376

> You probably lack /usr/krb5/bin at the head of your path.
> Look at
> echo $PATH | tr : \\\n
> Or see whether 'which rlogin' shows /usr/krb5/bin/rlogin.

I believe you are correct because of the lack of a "Kerberos accepts you as ..." in the second transcript.

> Try /usr/krb5/bin/rlogin.
> (Personally, my fingers refuse to type 'telnet' anymore,
> and rlogin is equivalent for authenticated logins)

Equivalent, yes, except for how you break out of it or suspend it.

From kreymer@fnal.gov Tue Aug 1 09:56:19 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA13526 for ; Tue, 1 Aug 2000 09:56:19 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00KO4C5VWA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 09:56:19 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F0DD@listserv.fnal.gov>; Tue, 01 Aug 2000 09:56:19 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 39437 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 09:56:19 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F0DC@listserv.fnal.gov>; Tue, 01 Aug 2000 09:56:19 -0500
Received: from fnal.gov ([131.225.80.78]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00KNCC5UVQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 Aug 2000 09:56:19 -0500 (CDT)
Date: Tue, 01 Aug 2000 09:56:18 -0500
From: Gerald Guglielmo
Subject: documentation questions
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3986E512.7121CDDE@fnal.gov>
Organization: FNAL CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 377

Hi,
I am in the process of starting to install kerberos on my machine and have run into some trouble trying to follow the documentation. To request principals, the documentation doesn't say where to send email to unless you are at CDF (others it says should contact their computing division liaison). I work for the computing division and it was unclear to me who to contact for requesting principals. I had to ask several different people before someone suggested trying Yolanda Valadez. Also, I thought the pilot realm was for cdf, are we supposed to be requesting principals for a different realm or will there be just the one? I also became confused over the format for the kerberos host principal. Following the pattern for the ftp principal and the README.INSTALL page for v0_6_1 I was given, the host principal for a node called "mynode" should be "host/mynode.fnal.gov" but the documentation on the web in section 4.1.3 says "mynode/mynode.fnal.gov" (note ftp for the node is given as "ftp/mynode.fnal.gov"). Which is the correct principal format?

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
From kreymer@fnal.gov Tue Aug 1 10:38:38 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id KAA13556 for ; Tue, 1 Aug 2000 10:38:38 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM0040IE4CV6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 10:38:37 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F18D@listserv.fnal.gov>; Tue, 01 Aug 2000 10:38:36 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 39640 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 10:38:36 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F18A@listserv.fnal.gov>; Tue, 01 Aug 2000 10:38:36 -0500
Received: from CUERVO ([131.225.80.193]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYM0040EE4BVF@smtp.fnal.gov>; Tue, 01 Aug 2000 10:38:36 -0500 (CDT)
Date: Tue, 01 Aug 2000 10:38:35 -0500
From: "Mark O. Kaletka"
Subject: RE: documentation questions
In-reply-to: <3986E512.7121CDDE@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: gug@fnal.gov, kerberos-pilot@fnal.gov
Cc: OSS Department , ods-dept@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 378

CD pilot users should request their user or host principals via email to mailto:compdiv@fnal.gov.

CryptoCards (for the interim) should be requested by email directly to mailto:dcd_security_team@fnal.gov.

Principals are still being assigned in the pilot realm.
Plans to transition to another realm name are part of the rollout planning which is just getting underway. OSS and ODS are on the bleeding edge in this respect.

"host/mynode.domain@PILOT.FNAL.GOV" is the correct format for the host principal. We'll have the documentation corrected. Note that earlier in the same sentence of 4.1.3 the host principal is given correctly, I suspect a cut-and-paste-and-replace error.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Gerald
> Guglielmo
> Sent: Tuesday, August 01, 2000 9:56 AM
> To: kerberos-pilot@fnal.gov
> Subject: documentation questions
>
>
> Hi,
> I am in the process of starting to install kerberos on my machine and
> have run into some trouble trying to follow the documentation. To
> request principals, the documentation doesn't say where to send email to
> unless you are at CDF (others it says should contact their computing
> division liaison). I work for the computing division and it was unclear
> to me who to contact for requesting principals. I had to ask several
> different people before someone suggested trying Yolanda Valadez. Also,
> I thought the pilot realm was for cdf, are we supposed to be requesting
> principals for a different realm or will there be just the one? I also
> became confused over the format for the kerberos host principal.
> Following the pattern for the ftp principal and the README.INSTALL page
> for v0_6_1 I was given, the host principal for a node called "mynode"
> should be "host/mynode.fnal.gov" but the documentation on the web in
> section 4.1.3 says "mynode/mynode.fnal.gov" (note ftp for the node is
> given as "ftp/mynode.fnal.gov"). Which is the correct principal format?
>
>
> --
> -Jerry->
> gug@fnal.gov
> Pepe's Theory of everything: "Under the right circumstances, things
> happen."
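Mark's answer settles the format: a service principal is primary/instance@REALM, with "host" as the primary and the node's fully qualified name as the instance. The following Python checker is an added illustration of that rule (it is not part of the thread, the Fermilab kit, or the web documentation being corrected): it splits a principal into its three parts and flags the "mynode/mynode.fnal.gov" mistake as well as a short host name in the instance. The node and realm names are taken from the thread; the function names are mine, and the checker does not handle the backslash escapes real krb5 parsers accept.

```python
"""Parse Kerberos V5 principal names (primary[/instance][@REALM]) and
check that a node's host principal follows host/<fqdn>@REALM.
Added example; not Fermilab tooling."""
import re

# An unescaped '/' separates primary from instance, an unescaped '@'
# starts the realm.  Backslash escaping is deliberately not supported.
_PRINCIPAL_RE = re.compile(r"^([^/@]+)(?:/([^/@]+))?(?:@([^/@]+))?$")


def parse_principal(name):
    """Return (primary, instance, realm).  instance is None for a user
    principal such as niimi@PILOT.FNAL.GOV; realm is None when the name
    is unqualified (the client's default realm would then apply)."""
    m = _PRINCIPAL_RE.match(name)
    if not m:
        raise ValueError("malformed principal: %r" % name)
    return m.group(1), m.group(2), m.group(3)


def check_host_principal(name, fqdn, realm):
    """List what is wrong with `name` as the host principal of node `fqdn`
    in `realm`; an empty list means it is host/<fqdn>@<realm>."""
    try:
        primary, instance, prealm = parse_principal(name)
    except ValueError as err:
        return [str(err)]
    problems = []
    if primary != "host":
        # The documentation error from the thread: node name as primary.
        problems.append("primary must be 'host', not %r" % primary)
    if instance is None or instance.lower() != fqdn.lower():
        # Instance must be the fully qualified host name, not a short name.
        problems.append("instance must be the FQDN %r, not %r" % (fqdn, instance))
    if prealm is not None and prealm != realm:
        problems.append("realm must be %r, not %r" % (realm, prealm))
    return problems


if __name__ == "__main__":
    node, realm = "mynode.fnal.gov", "PILOT.FNAL.GOV"   # names from the thread
    for candidate in ("host/mynode.fnal.gov@PILOT.FNAL.GOV",    # correct
                      "mynode/mynode.fnal.gov@PILOT.FNAL.GOV",  # the doc typo
                      "host/mynode@PILOT.FNAL.GOV"):            # short name
        print(candidate, "->", check_host_principal(candidate, node, realm) or "ok")
```

Run the block directly to see the three verdicts; the same function can be pointed at the principal list handed out with a keytab to catch a mis-typed instance before the host is put into service.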
From kreymer@fnal.gov Tue Aug 1 11:20:01 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA13709 for ; Tue, 1 Aug 2000 11:20:01 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM004A5G1CE3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 11:20:01 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F22F@listserv.fnal.gov>; Tue, 01 Aug 2000 11:20:00 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 39826 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 11:20:00 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F22D@listserv.fnal.gov>; Tue, 01 Aug 2000 11:20:00 -0500
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM0048BG1CWJ@smtp.fnal.gov>; Tue, 01 Aug 2000 11:20:00 -0500 (CDT)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id e71GJw326808; Tue, 01 Aug 2000 11:19:58 -0500 (CDT)
Date: Tue, 01 Aug 2000 11:19:58 -0500
From: Anne Heavey
Subject: Re: documentation questions
In-reply-to: "Your message of Tue, 01 Aug 2000 10:38:35 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: gug@fnal.gov, kerberos-pilot@fnal.gov, OSS Department , ods-dept@fnal.gov, aheavey@fsui02.fnal.gov
Message-id: <200008011619.e71GJw326808@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 379

> CD pilot users should request their user or host principals via email to
> mailto:compdiv@fnal.gov.
>
> CryptoCards (for the interim) should be requested by email directly to
> mailto:dcd_security_team@fnal.gov.
>
> Principals are still being assigned in the pilot realm. Plans to transition
> to another realm name are part of the rollout planning which is just getting
> underway. OSS and ODS are on the bleeding edge in this respect.
>
> "host/mynode.domain@PILOT.FNAL.GOV" is the correct format for the host
> principal. We'll have the documentation corrected. Note that earlier in the
> same sentence of 4.1.3 the host principal is given correctly, I suspect a
> cut-and-paste-and-replace error.
>

Online documentation has been corrected.

-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Tue Aug 1 11:34:44 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA13725 for ; Tue, 1 Aug 2000 11:34:44 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM004FGGPV7A@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 11:34:43 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F26B@listserv.fnal.gov>; Tue, 01 Aug 2000 11:34:43 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 39899 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 11:34:43 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F26A@listserv.fnal.gov>; Tue, 01 Aug 2000 11:34:43 -0500
Received: from fnal.gov ([131.225.80.78]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM0049BGPVTJ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 Aug 2000 11:34:43 -0500 (CDT)
Date: Tue, 01 Aug 2000 11:34:41 -0500
From: Gerald Guglielmo
Subject: unable to get telnet to work
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3986FC21.69C47EA4@fnal.gov>
Organization: FNAL CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status: A
X-Keywords:
X-UID: 380

Hi,
We have 2 linux boxes in the ODS department with kerberos now installed. Unfortunately we have not been able to figure out how to get telnet (kerberos version) to work between the machines. The nodes are odsmev and fndapg. Trying to telnet between either machine or to the same machine fails:

fndapg}(g023) telnet odsmev
Trying 131.225.84.114...
telnet: Unable to connect to remote host: Connection refused

I didn't notice anything additional we needed to do in the instructions. Note that these machines have afs installed and thus afs enabled versions of some daemons.

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
From kreymer@fnal.gov Tue Aug 1 11:58:07 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id LAA13758 for ; Tue, 1 Aug 2000 11:58:07 -0500
Received: from fnal.gov ([131.225.80.78]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM004GEHSVG3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Tue, 01 Aug 2000 11:58:07 -0500 (CDT)
Date: Tue, 01 Aug 2000 11:58:07 -0500
From: Gerald Guglielmo
Subject: Re: unable to get telnet to work
Sender: gug@heffalump.fnal.gov
To: Art Kreymer
Reply-to: gug@fnal.gov
Message-id: <3987019F.35D7A460@fnal.gov>
Organization: FNAL CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 381

fndapg}(g023) which telnet
/usr/krb5/bin/telnet
fndapg}(g023) /usr/krb5/bin/rlogin odsmev
odsmev.fnal.gov: Connection refused
trying normal rlogin (/usr/bin/rlogin)
WARNING: NO ENCRYPTION!

I do get in with rlogin, but I would think that the kerberized telnet should also work. Could it be an issue of tcp_wrappers (we use the default configuration that disallows telnet services but I would have thought the kerberos installation would deal with that appropriately). By the way I also did an strace on the telnet call and it is accessing kerberos related files like /etc/krb5.conf.

Art Kreymer wrote:
>
> You are almost certainly getting the non-kerberos telnet.
> I would NEVER use telnet for a secure connection, at least try rlogin.
>
> What does 'which telnet' or 'which rlogin' show ?
> Is /usr/krb5/bin in your path ?
>
> Try /usr/krb5/bin/rlogin directly.

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
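Art's question ("what does 'which rlogin' show? Is /usr/krb5/bin in your path?") and Matt Crawford's earlier `echo $PATH | tr : \\\n` are the same check: which binary the shell will actually run. The Python below is an added example, not from the thread or the Fermilab kit; it reimplements the PATH walk and reports every command whose /usr/krb5/bin copy exists but loses to a vendor binary earlier in PATH, which is exactly the silent non-Kerberized fallback Todd hit. The fake filesystem table is constructed; on a real host pass `os.path.isfile` as `exists`.

```python
"""Resolve a command along PATH the way the shell (and 'which') does, and
report the Kerberized clients in /usr/krb5/bin that a binary earlier in
PATH would shadow.  Added example; FAKE_FS is a constructed stand-in for
a pilot client with both sets of binaries installed."""
import os
import posixpath

KRB5_BIN = "/usr/krb5/bin"

# Constructed: vendor clients in /usr/bin, Kerberized ones in /usr/krb5/bin.
FAKE_FS = frozenset({
    "/usr/bin/rlogin", "/usr/bin/telnet", "/usr/bin/tr",
    "/usr/krb5/bin/rlogin", "/usr/krb5/bin/telnet", "/usr/krb5/bin/kinit",
})


def path_entries(path):
    """Split PATH into directories, like `echo $PATH | tr : '\\n'`.
    An empty entry means the current directory and is shown as '.'."""
    return [d or "." for d in path.split(":")]


def resolve(cmd, path, exists=FAKE_FS.__contains__):
    """Full path of the first `cmd` found along PATH, or None."""
    for directory in path_entries(path):
        candidate = posixpath.join(directory, cmd)
        if exists(candidate):
            return candidate
    return None


def shadowed_krb5_commands(path, exists=FAKE_FS.__contains__,
                           cmds=("rlogin", "telnet", "kinit")):
    """Map each command whose /usr/krb5/bin copy exists but is not what
    PATH resolves to, onto the binary that wins instead (None if the
    command is not reachable at all).  These would run without Kerberos."""
    shadowed = {}
    for cmd in cmds:
        krb5_copy = posixpath.join(KRB5_BIN, cmd)
        winner = resolve(cmd, path, exists)
        if exists(krb5_copy) and winner != krb5_copy:
            shadowed[cmd] = winner
    return shadowed


if __name__ == "__main__":
    for p in ("/usr/local/bin:/usr/bin:/usr/krb5/bin", "/usr/krb5/bin:/usr/bin"):
        print(p, "->", shadowed_krb5_commands(p) or "krb5 clients first, ok")
    # Against the real machine this script runs on:
    if "PATH" in os.environ:
        print("this host ->", shadowed_krb5_commands(os.environ["PATH"], os.path.isfile))
```

The first PATH in the demo reproduces Todd's situation (rlogin and telnet both resolve to /usr/bin); the second is the ordering Matt recommended. Putting /usr/krb5/bin at the head of PATH is the fix; the report is the check to run after a user says "it asked me for a password".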
From kreymer@fnal.gov Tue Aug 1 13:09:03 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA13799 for ; Tue, 1 Aug 2000 13:09:03 -0500
Received: from fnal.gov ([131.225.80.78]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM004PAL33G3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Tue, 01 Aug 2000 13:09:03 -0500 (CDT)
Date: Tue, 01 Aug 2000 13:09:02 -0500
From: Gerald Guglielmo
Subject: Re: unable to get telnet to work
Sender: gug@heffalump.fnal.gov
To: Art Kreymer , kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3987123E.6DFE8837@fnal.gov>
Organization: FNAL CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status: A
X-Keywords:
X-UID: 382

Hi,
So then what is the recommended way to connect from machine to machine within the strengthened realm so that one does not have to retype passwords? I know how to set things up with ssh to use agents for accomplishing this and have been doing this for awhile so there was no need to go to kerberos if that is the answer.

Art Kreymer wrote:
>
> I suspect you're right, something rejects you in tcpwrappers.
>
> Personally, I would NEVER use telnet to log in from now on.
> A hostile external system could spoof your target system,
> letting you log in with that you think is kerberos,
> but in fact is an unsecure unencrypted login.
>
> rlogin is not much better.
>
> We urgently need krb5 support in ssh. This is being worked on.

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
From kreymer@fnal.gov Tue Aug 1 14:08:40 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA13859 for ; Tue, 1 Aug 2000 14:08:40 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00A4UNUEZE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 14:08:38 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F423@listserv.fnal.gov>; Tue, 01 Aug 2000 14:08:38 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 40368 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 14:08:38 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F422@listserv.fnal.gov>; Tue, 01 Aug 2000 14:08:38 -0500
Received: from CUERVO ([131.225.82.194]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYM00A45NTDZL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 Aug 2000 14:08:38 -0500 (CDT)
Date: Tue, 01 Aug 2000 14:08:01 -0500
From: "Mark O. Kaletka"
Subject: RE: documentation questions
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Todd Huffman (CDF/ATLAS)"
Cc: Kerberos Pilot List
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 383

No, no black helicopters. You only need to inform us as soon as possible. We'll disable the missing card in the kdc (so it can't be used if it turns up somewhere else) and arrange to initialize and ship a new one.
All with some suitable verification of identity, of course.

-- Mark K.

> -----Original Message-----
> From: Todd Huffman (LHC),631,73370
> [mailto:huffman@al1.physics.ox.ac.uk]On Behalf Of Todd Huffman
> (CDF/ATLAS)
> Sent: Tuesday, August 01, 2000 12:54 PM
> To: Mark O. Kaletka
> Subject: RE: documentation questions
>
>
>
> Hey Mark,
>
> Just a random question.
>
> If someone were to have a Cryptocard lost or stolen....would
> this bring the FBI and CIA around with the black
> helicopters? (because of the sensitive nature of
> the technology)
>
> Or is there some procedure that gets them replaced?
>
> cheers,
> Todd
>
>
> *************************************************
> ~ Dr. B. Todd Huffman ~
> ~ Particle and Nuclear Physics ~
> ~ University of Oxford ~
> ~ Rm 631 ~
> ~ Keble Rd ~
> ~ Oxford OX1 3RH UK ~
> ~ ~
> ~ Phone: 44 - 1865 - 273402 ~
> ~ LMH: 44 - 1865 - 274307 ~
> ~ FAX: 44 - 1865 - 273418 ~
> ~ Home: 44 - 1865 - 450240 ~
> ~ URL of my home page: ~
> ~ http://www-pnp.physics.ox.ac.uk/~huffman/
> *************************************************

From kreymer@fnal.gov Tue Aug 1 14:50:55 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id OAA13882 for ; Tue, 1 Aug 2000 14:50:55 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00AA7PLYYB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Tue, 01 Aug 2000 14:46:46 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA29394; Tue, 01 Aug 2000 14:46:46 -0500 (CDT)
Date: Tue, 01 Aug 2000 14:46:46 -0500
From: Matt Crawford
Subject: Re: unable to get telnet to work
In-reply-to: "01 Aug 2000 13:09:02 CDT." <3987123E.6DFE8837@fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: gug@fnal.gov
Cc: Art Kreymer , kerberos-pilot@fnal.gov
Message-id: <200008011946.OAA29394@gungnir.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status: A
X-Keywords:
X-UID: 384

You could not connect to odsmev because no telnet server was running. Look at /etc/inetd.conf to see what is enabled. To enable Kerberized telnet, add this line

telnet stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -Pa valid

If you elect to forward your credentials from one machine to the next when you telnet, you'll be able to log into a third machine without any password prompt.

And Art, Kerberized telnet does mutually authenticate the client and server to each other, and does so more reliably than ssh1 because it does not rely on maintenance of a known_hosts file.

From kreymer@fnal.gov Tue Aug 1 15:14:42 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA13949 for ; Tue, 1 Aug 2000 15:14:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00AI0QWIZE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Tue, 01 Aug 2000 15:14:42 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA29699; Tue, 01 Aug 2000 15:14:42 -0500 (CDT)
Date: Tue, 01 Aug 2000 15:14:41 -0500
From: Matt Crawford
Subject: Re: unable to get telnet to work
In-reply-to: "01 Aug 2000 15:07:48 CDT." <39872E14.F208F2C4@fnal.gov>
Sender: crawdad@gungnir.fnal.gov
To: gug@fnal.gov
Cc: Art Kreymer
Message-id: <200008012014.PAA29699@gungnir.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 385

Sometimes the kerberos install process is unable to determine the pid of the inetd process and send it a SIGHUP. When this is the case, the install process prints a message instructing you to do it "by hand". Try sending a SIGHUP to inetd.

Tcpwrappers is (are?) not the problem in this instance. If it (they?) were, the message would have been something like "connection reset by peer" instead of "connection refused."

From kreymer@fnal.gov Tue Aug 1 15:41:06 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA13957 for ; Tue, 1 Aug 2000 15:41:06 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00AMUS4HY6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 Aug 2000 15:41:05 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F561@listserv.fnal.gov>; Tue, 01 Aug 2000 15:41:05 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 40717 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 Aug 2000 15:41:05 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003F560@listserv.fnal.gov>; Tue, 01 Aug 2000 15:41:05 -0500
Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYM00AI8S4GYK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 Aug 2000 15:41:04 -0500 (CDT)
Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id PAA13953; Tue, 01 Aug 2000 15:41:04 -0500
Date: Tue, 01 Aug 2000 15:41:04 -0500 (CDT)
From: Art Kreymer
Subject: Re: unable to get telnet to work
In-reply-to: <200008011946.OAA29394@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: gug@fnal.gov, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 386

Kerberized telnet and rlogin do not mutually authenticate the local and remote nodes when they fall back almost silently to the non-kerberized protocols.

A malicious remote node could easily reject the initial kerberized connection attempt, fall back to telnet, let you into a fake account, and perform other dirty tricks.

I repeat my suggestion that we have a distinct command for a kerberized rlogin which cannot fall back to non-kerberized mode.

From kreymer@fnal.gov Wed Aug 2 08:42:02 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id IAA14788 for ; Wed, 2 Aug 2000 08:42:02 -0500
Received: from CUERVO ([131.225.80.193]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYO000UJ39RPK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Wed, 02 Aug 2000 08:39:31 -0500 (CDT)
Date: Wed, 02 Aug 2000 08:39:27 -0500
From: "Mark O. Kaletka"
Subject: RE: unable to get telnet to work
In-reply-to: <3987123E.6DFE8837@fnal.gov>
To: gug@fnal.gov, Art Kreymer , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 387

Well, this is a religious discussion, and Art does say "Personally..." he would never...
There are advantages to using ssh with kerberos authentication beyond simply hiding passwords. If that were the only goal we could have achieved it with either ssh or kerberos alone.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Gerald
> Guglielmo
> Sent: Tuesday, August 01, 2000 1:09 PM
> To: Art Kreymer; kerberos-pilot@fnal.gov
> Subject: Re: unable to get telnet to work
>
>
> Hi,
> So then what is the recommended way to connect from machine to
> machine within the strengthened realm so that one does not have to
> retype passwords? I know how to set things up with ssh to use agents for
> accomplishing this and have been doing this for awhile so there was no
> need to go to kerberos if that is the answer.
>
> Art Kreymer wrote:
> >
> > I suspect you're right, something rejects you in tcpwrappers.
> >
> > Personally, I would NEVER use telnet to log in from now on.
> > A hostile external system could spoof your target system,
> > letting you log in with that you think is kerberos,
> > but in fact is an unsecure unencrypted login.
> >
> > rlogin is not much better.
> >
> > We urgently need krb5 support in ssh. This is being worked on.
>
> --
> -Jerry->
> gug@fnal.gov
> Pepe's Theory of everything: "Under the right circumstances, things
> happen."

From kreymer@fnal.gov Wed Aug 2 09:44:14 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id JAA14830 for ; Wed, 2 Aug 2000 09:44:14 -0500
Received: from fnal.gov ([131.225.80.78]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYO0069F69QV9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Wed, 02 Aug 2000 09:44:14 -0500 (CDT)
Date: Wed, 02 Aug 2000 09:44:14 -0500
From: Gerald Guglielmo
Subject: Re: unable to get telnet to work
Sender: gug@heffalump.fnal.gov
To: "Mark O. Kaletka"
Cc: Art Kreymer , kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <398833BE.544A3865@fnal.gov>
Organization: FNAL CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 388

Hi,
Before installing kerberos, when trying to telnet into one of our linux boxes it would look like this:

fndapm}(g023) telnet fndapm
Trying 131.225.81.29...
telnet: Unable to connect to remote host: Connection refused

Now when I try telneting into a kerberized machine from a node outside the strengthened realm, the attempt looks like this:

fndapm}(g023) telnet fndapg
Trying 131.225.80.78...
Connected to fndapg.fnal.gov.
Escape character is '^]'.

4.4 BSD UNIX (fndapg.fnal.gov) (ttyp1)

Portal Fermi Linux Release 6.1.1 (Strange)
Kernel 2.2.16-3 on an i686
login: gug
login: Additional pre-authentication required while getting initial credentials
Login incorrect
login: altgug
login: Client not found in Kerberos database while getting initial credentials
Login incorrect

Are we making ourselves more vulnerable by not completely refusing connections from outside the strengthened realm and instead allowing access to the login prompt? I am trying to understand both the benefits and liabilities of kerberizing our systems. I too would like to see a kerberized ssh so that things like X traffic are encrypted.

"Mark O. Kaletka" wrote:
>
> Well, this is a religious discussion, and Art does say "Personally..." he
> would never...
>
> There are advantages to using ssh with kerberos authentication beyond simply
> hiding passwords. If that were the only goal we could have achieved it with
> either ssh or kerberos alone.
>
> -- Mark K.
> > > -----Original Message----- > > From: owner-kerberos-pilot@listserv.fnal.gov > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Gerald > > Guglielmo > > Sent: Tuesday, August 01, 2000 1:09 PM > > To: Art Kreymer; kerberos-pilot@fnal.gov > > Subject: Re: unable to get telnet to work > > > > > > Hi, > > So then what is the recommended way to connect from machine to > > machine within the strengthened realm so that one does not have to > > retype passwords? I know how to set things up with ssh to use agents for > > accomplishing this and have been doing this for awhile so there was no > > need to go to kerberos if that is the answer. > > > > Art Kreymer wrote: > > > > > > I suspect you're right, something rejects you in tcpwrappers. > > > > > > Personally, I would NEVER use telnet to log in from now on. > > > A hostile external system could spoof your target system, > > > letting you log in with that you think is kerberos, > > > but in fact is an unsecure unencrypted login. > > > > > > rlogin is not much better. > > > > > > We urgently need krb5 support in ssh. This is being worked on. > > > > -- > > -Jerry-> > > gug@fnal.gov > > Pepe's Theory of everything: "Under the right circumstances, things > > happen." > > > > -- -Jerry-> gug@fnal.gov Pepe's Theory of everything: "Under the right circumstances, things happen." 
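The downgrade Art describes (a hostile node rejects the kerberized attempt and the client drops to plain telnet) and the login-prompt exposure Gerald asks about, as an added example that is not code from this thread or from the Fermilab telnet build. It is a simplified Python model of the telnet AUTHENTICATION option negotiation (option 37, RFC 2941; the KERBEROS_V5 auth type and the mutual-authentication modifier bit from RFC 2942). Four constructed servers are tried: the real host, one that refuses the option outright, one that offers Kerberos without mutual authentication, and an impostor that claims mutual Kerberos but has no host key. The client runs in two modes: strict (the "distinct command which cannot fall back" Art asks for) and permissive (falls back to the cleartext login: prompt). HOST_KEY, the HMAC standing in for the AP-REQ/AP-REP proof, and the user name and password are constructed; a real client verifies the AP-REP with the session key from its service ticket rather than with the host key.

```python
import hashlib
import hmac
import os

# Telnet option constants (RFC 854, RFC 2941, RFC 2942).
IAC, SB, SE = 255, 250, 240
WILL, WONT = 251, 252
AUTHENTICATION = 37
AUTH_SEND = 1            # server -> client: "these are the auth types I accept"
KERBEROS_V5 = 2          # auth-type code
AUTH_HOW_MUTUAL = 0x02   # modifier bit: the server must prove itself too

# Constructed long-term key of the real host (in Kerberos it lives in the host's
# keytab and at the KDC). An impostor host does not have it.
HOST_KEY = b"constructed-host-key-for-the-real-host"


def ap_rep(key: bytes, nonce: bytes) -> bytes:
    """Stand-in for a Kerberos AP-REP: proves possession of the host key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class Server:
    """A telnet server. `offers` is a list of (auth_type, modifier) pairs, or
    None if it refuses the AUTHENTICATION option. `key` is None for an impostor."""

    def __init__(self, offers, key=None):
        self.offers = offers
        self.key = key
        self.captured = None  # credentials a hostile host would have learned

    def negotiate(self) -> bytes:
        if self.offers is None:
            return bytes([IAC, WONT, AUTHENTICATION])
        pairs = [b for pair in self.offers for b in pair]
        return (bytes([IAC, WILL, AUTHENTICATION])
                + bytes([IAC, SB, AUTHENTICATION, AUTH_SEND, *pairs, IAC, SE]))

    def prove(self, nonce: bytes):
        """Answer the client's mutual-auth challenge; an impostor cannot."""
        return None if self.key is None else ap_rep(self.key, nonce)

    def cleartext_login(self, user: str, password: str) -> None:
        self.captured = (user, password)   # what the non-kerberized fallback leaks


def parse_offers(msg: bytes):
    """Return the (auth_type, modifier) pairs the server sent, or None on WONT."""
    if msg.startswith(bytes([IAC, WONT, AUTHENTICATION])):
        return None
    head = bytes([IAC, WILL, AUTHENTICATION, IAC, SB, AUTHENTICATION, AUTH_SEND])
    if not msg.startswith(head) or not msg.endswith(bytes([IAC, SE])):
        raise ValueError("malformed AUTHENTICATION negotiation")
    body = msg[len(head):-2]
    return [(body[i], body[i + 1]) for i in range(0, len(body), 2)]


def connect(server: Server, user: str, password: str, strict: bool) -> str:
    """Return 'KERBEROS' for a mutually authenticated session, 'ABORT' if the
    strict client refused to continue, or 'CLEARTEXT' if the permissive client
    fell back to the plain login prompt and typed the password."""
    offers = parse_offers(server.negotiate()) or []
    if any(t == KERBEROS_V5 and m & AUTH_HOW_MUTUAL for t, m in offers):
        nonce = os.urandom(16)
        proof = server.prove(nonce)
        if proof is not None and hmac.compare_digest(proof, ap_rep(HOST_KEY, nonce)):
            return "KERBEROS"
        # The server claimed Kerberos but could not prove it is the host we asked for.
    if strict:
        return "ABORT"
    server.cleartext_login(user, password)
    return "CLEARTEXT"


def run_scenarios():
    """Try each server with a strict and a permissive client; return
    {(server_name, strict): (outcome, credentials_the_server_captured)}."""
    servers = {
        "real": Server([(KERBEROS_V5, AUTH_HOW_MUTUAL)], key=HOST_KEY),
        "refuses": Server(None),                               # rejects the kerberized attempt
        "one_way": Server([(KERBEROS_V5, 0)]),                 # Kerberos, but no mutual auth
        "impostor": Server([(KERBEROS_V5, AUTH_HOW_MUTUAL)]),  # claims mutual, lacks the key
    }
    results = {}
    for name, srv in servers.items():
        for strict in (True, False):
            srv.captured = None
            outcome = connect(srv, "gug", "constructed-password", strict)
            results[(name, strict)] = (outcome, srv.captured)
    return results


if __name__ == "__main__":
    for (name, strict), (outcome, captured) in run_scenarios().items():
        print(f"{name:9s} strict={strict!s:5s} -> {outcome:9s} leaked={captured}")
```

Only the real host produces a Kerberos session in either mode. The permissive client hands its password to the refusing server, the one-way server and the impostor alike, which is the "fake account" Art warns about; the strict client aborts in all three cases, and the login prompt Gerald sees is reachable only when the client itself chooses to fall back. The model ignores telnet's doubling of 0xFF bytes inside suboptions and the ENCRYPT option, neither of which changes the negotiation outcome shown here.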
From kreymer@fnal.gov Wed Aug 2 12:15:37 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id MAA15038 for ; Wed, 2 Aug 2000 12:15:37 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYO00D2NDA0O1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 Aug 2000 12:15:37 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003FE16@listserv.fnal.gov>; Wed, 02 Aug 2000 12:15:36 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 43106 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 Aug 2000 12:15:36 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003FE15@listserv.fnal.gov>; Wed, 02 Aug 2000 12:15:36 -0500
Received: from imapserver3.fnal.gov ([131.225.9.17]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYO00C7FDA0RI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 02 Aug 2000 12:15:36 -0500 (CDT)
Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 663 for ; Wed, 02 Aug 2000 12:15:35 -0500
Received: from imapserver3.fnal.gov ([131.225.235.37]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 02 Aug 2000 17:15:34 +0000 (GMT)
Date: Wed, 02 Aug 2000 12:15:14 -0500
From: Robert Harris
Subject: [Fwd: kerkeros on Win-98 laptops]
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <39885722.88680B58@imapserver3.fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.16-3 i686)
Content-type: multipart/mixed; boundary=------------A300A43955CED850FB717B42
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 389

This is a multi-part message in MIME format.
--------------A300A43955CED850FB717B42
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit


--------------A300A43955CED850FB717B42
Content-Type: message/rfc822
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Return-Path:
Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 898 for ; Wed, 2 Aug 2000 11:36:51 -0500
Received: from heffalump ([131.225.9.20]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Wed, 02 Aug 2000 16:36:50 0000 (GMT)
Received: from fnal.gov ([131.225.201.99]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYO006SYBHEIP@smtp.fnal.gov> for rharris@imapserver3.fnal.gov (ORCPT rharris@fnal.gov); Wed, 02 Aug 2000 11:36:50 -0500 (CDT)
Date: Wed, 02 Aug 2000 11:37:21 -0500
From: Doug Benjamin
Subject: kerkeros on Win-98 laptops
To: t.huffman1@physics.ox.ac.uk, rharris@fnal.gov
Message-id: <39884E41.200EDB09@fnal.gov>
Organization: Duke University/CDF
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (WinNT; I)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en

Robert and Todd,

  I would like to install the kerberized utilities for
the PC. I am offering my services as guinea pig.
I have a laptop that I am not sure I can convert
to linux so I would like to try this using Win-98. I have
got kerberos password and Kerberos principal. According to the
kerberos web information, I need to use the WRQ Reflection
software. It also said that I should contact the PC administrator
for the license. When I asked Rich Krull about it, he knew
nothing about this software. Who do I get the license from?
I also have a NT desktop that I would like to install the
software on also.
Thanks,

Doug

--------------A300A43955CED850FB717B42--

From kreymer@fnal.gov Wed Aug 2 13:05:04 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA15063 for ; Wed, 2 Aug 2000 13:05:04 -0500
Received: from CUERVO ([131.225.82.194]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYO00DAAFKEMJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Wed, 02 Aug 2000 13:05:04 -0500 (CDT)
Date: Wed, 02 Aug 2000 13:05:03 -0500
From: "Mark O. Kaletka"
Subject: RE: unable to get telnet to work
In-reply-to: <398833BE.544A3865@fnal.gov>
To: gug@fnal.gov
Cc: Art Kreymer , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 390

The telnet server allows access to the login prompt in order to accommodate
the CryptoCard users. This was specifically added to allow access to
strengthened systems from non-strengthened clients, e.g. for people who
travel. We could've required Kerberos authentication only, but people
wouldn't've liked that.

Btw, you don't see the CryptoCard challenge which would follow the login
prompt because you don't have a CryptoCard yet, but we'll take care of that
this afternoon.

-- Mark K.

> -----Original Message-----
> From: gug@smtp.fnal.gov [mailto:gug@smtp.fnal.gov]On Behalf Of Gerald
> Guglielmo
> Sent: Wednesday, August 02, 2000 9:44 AM
> To: Mark O. Kaletka
> Cc: Art Kreymer; kerberos-pilot@fnal.gov
> Subject: Re: unable to get telnet to work
>
>
> Hi,
>   Before installing kerberos, when trying to telnet into one of our
> linux boxes it would look like this:
> fndapm}(g023) telnet fndapm
> Trying 131.225.81.29...
> telnet: Unable to connect to remote host: Connection refused
> Now when I try telneting into a kerberized machine from a node outside
> the strengthened realm, the attempt looks like this:
>
> fndapm}(g023) telnet fndapg
> Trying 131.225.80.78...
> Connected to fndapg.fnal.gov.
> Escape character is '^]'.
>
> 4.4 BSD UNIX (fndapg.fnal.gov) (ttyp1) Portal
>
>
> Fermi Linux Release 6.1.1 (Strange)
> Kernel 2.2.16-3 on an i686
>
> login: gug
> login: Additional pre-authentication required while getting initial
> credentials
> Login incorrect
> login: altgug
> login: Client not found in Kerberos database while getting initial
> credentials
> Login incorrect
>
>
>   Are we making ourselves more vulnerable by not completely refusing
> connections from outside the strengthened realm and instead allowing
> access to the login prompt? I am trying to understand both the benefits
> and liabilities of kerberizing our systems.
>   I too would like to see a kerberized ssh so that things like X traffic
> are encrypted.
>
>
> "Mark O. Kaletka" wrote:
> >
> > Well, this is a religious discussion, and Art does say "Personally..." he
> > would never...
> >
> > There are advantages to using ssh with kerberos authentication beyond simply
> > hiding passwords. If that were the only goal we could have achieved it with
> > either ssh or kerberos alone.
> >
> > -- Mark K.
> >
> > > -----Original Message-----
> > > From: owner-kerberos-pilot@listserv.fnal.gov
> > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Gerald
> > > Guglielmo
> > > Sent: Tuesday, August 01, 2000 1:09 PM
> > > To: Art Kreymer; kerberos-pilot@fnal.gov
> > > Subject: Re: unable to get telnet to work
> > >
> > >
> > > Hi,
> > >   So then what is the recommended way to connect from machine to
> > > machine within the strengthened realm so that one does not have to
> > > retype passwords? I know how to set things up with ssh to use agents for
> > > accomplishing this and have been doing this for awhile so there was no
> > > need to go to kerberos if that is the answer.
> > >
> > > Art Kreymer wrote:
> > > >
> > > > I suspect you're right, something rejects you in tcpwrappers.
> > > >
> > > > Personally, I would NEVER use telnet to log in from now on.
> > > > A hostile external system could spoof your target system,
> > > > letting you log in with that you think is kerberos,
> > > > but in fact is an unsecure unencrypted login.
> > > >
> > > > rlogin is not much better.
> > > >
> > > > We urgently need krb5 support in ssh. This is being worked on.
> > >
> > > --
> > > -Jerry->
> > > gug@fnal.gov
> > > Pepe's Theory of everything: "Under the right circumstances, things
> > > happen."
> > >
> > >
>
> --
> -Jerry->
> gug@fnal.gov
> Pepe's Theory of everything: "Under the right circumstances, things
> happen."
>
>

From kreymer@fnal.gov Wed Aug 2 13:10:13 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.8.7/8.8.7) with ESMTP id NAA15072 for ; Wed, 2 Aug 2000 13:10:13 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYO00DCHFT0F2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 Aug 2000 13:10:12 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003FEA5@listserv.fnal.gov>; Wed, 02 Aug 2000 13:10:12 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 43267 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 Aug 2000 13:10:12 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0003FEA4@listserv.fnal.gov>; Wed, 02 Aug 2000 13:10:12 -0500
Received: from CUERVO ([131.225.82.194]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYO00DC2FSZ0R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 02 Aug 2000 13:10:12 -0500 (CDT)
Date: Wed, 02 Aug 2000 13:10:11 -0500
From: "Mark O. Kaletka"
Subject: RE: kerkeros on Win-98 laptops
In-reply-to: <39884E41.200EDB09@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Doug Benjamin , t.huffman1@physics.ox.ac.uk, rharris@fnal.gov
Cc: Kerberos Pilot List , Cele Bruce
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 391

You need to talk to Cele Bruce for the license and media.

-- Mark K.

> -----Original Message-----
> From: Doug Benjamin [mailto:dbenjamin@fnal.gov]
> Sent: Wednesday, August 02, 2000 11:37 AM
> To: t.huffman1@physics.ox.ac.uk; rharris@fnal.gov
> Subject: kerkeros on Win-98 laptops
>
>
> Robert and Todd,
>
>   I would like to install the kerberized utilities for
> the PC. I am offering my services as guinea pig.
> I have a laptop that I am not sure I can convert
> to linux so I would like to try this using Win-98. I have
> got kerberos password and Kerberos principal. According to the
> kerberos web information, I need to use the WRQ Reflection
> software. It also said that I should contact the PC administrator
> for the license. When I asked Rich Krull about it, he knew
> nothing about this software. Who do I get the license from?
> I also have a NT desktop that I would like to install the
> software on also.
>
> Thanks,
>
> Doug
>
>

From kreymer@fnal.gov Thu Aug 3 10:26:18 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05046 for ; Thu, 3 Aug 2000 10:26:18 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00EJK2VT5H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 10:26:18 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000408C6@listserv.fnal.gov>; Thu, 03 Aug 2000 10:26:17 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46055 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 10:26:17 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000408C5@listserv.fnal.gov>; Thu, 03 Aug 2000 10:26:17 -0500
Received: from CUERVO ([131.225.82.175]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYQ00EIO2VS5F@smtp.fnal.gov>; Thu, 03 Aug 2000 10:26:17 -0500 (CDT)
Date: Thu, 03 Aug 2000 10:26:16 -0500
From: "Mark O. Kaletka"
Subject: RE: Kerberos clarification
In-reply-to: <002101bffcb0$14571c00$c652e183@pcsurish>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: John Urish , Kerberos Pilot List
Cc: OSS Department
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 392

Hmmm. This is an interesting effect. According to my understanding, the
authentication process is supposed to check that the ticket is being used
from the source IP address that it was issued to.

From RFC 1510:

  "In order to complicate the use of stolen credentials, Kerberos tickets
  are usually valid from only those network addresses specifically included
  in the ticket "

However there seems to be enough wriggle room in the protocol specification
for the client and/or server to ignore this. I did verify that, using WRQ at
least, I can get a set of tickets, change the IP address of my Win2k client,
and continue to use the tickets. I verified that Win2k indeed obtained a new
IP address and that WRQ indeed had the old address in the tickets.

To answer Ken Stox's question, the standard clients and servers must
construct the host principal name based on the hostname, so if a server were
using DHCP it would need a host principal name which matched its DHCP
hostname. With DataComm's new DHCP/DNS software this is a little more
deterministic. DHCP clients can request specific hostnames in the
dhcp.fnal.gov DNS domain. We haven't tested this with Kerberos and I'm not
sure if UNIX DHCP clients have this capability.

-- Mark K.

> -----Original Message-----
> From: John Urish [mailto:urish@fnal.gov]
> Sent: Wednesday, August 02, 2000 1:33 PM
> To: Mark O. Kaletka
> Subject: Kerberos clarification
>
>
> Mark,
>
> When you and Ken Stocks were discussing the DHCP/Ticket question
> you stated the ticket was tied to the IP address.
>
> I had brought a notebook along that has WRQ software installed. I had
> obtained a ticket at my office network connection(DHCP). I put
> the machine in standby when I went to FCC, and connected to the network
> in the conference room. This means I obtained a DHCP address in the
> subnet there.
>
> At FCC the Kerberos ticket was still valid.
>
> Is the ticket tied to the hardware address rather than the IP?
>
> John
>
>

From kreymer@fnal.gov Thu Aug 3 11:41:18 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA05156 for ; Thu, 3 Aug 2000 11:41:18 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00ERC6CT55@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 11:41:17 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000409A4@listserv.fnal.gov>; Thu, 03 Aug 2000 11:41:17 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46298 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 11:41:17 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000409A3@listserv.fnal.gov>; Thu, 03 Aug 2000 11:41:17 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00ETZ6CS4Z@smtp.fnal.gov>; Thu, 03 Aug 2000 11:41:16 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA25195; Thu, 03 Aug 2000 11:41:16 -0500 (CDT)
Date: Thu, 03 Aug 2000 11:41:16 -0500
From: Matt Crawford
Subject: Re: Kerberos clarification
In-reply-to: "03 Aug 2000 10:26:16 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: John Urish , Kerberos Pilot List , OSS Department
Message-id: <200008031641.LAA25195@gungnir.fnal.gov>
Content-id: <25191.965320876.1@gungnir.fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 393

It's permitted to request a ticket with no addresses. The KDC is permitted
to disallow that, but ours is not configured to do so. A ticket with no
addresses in it can be used from anywhere.
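The address rule Mark quotes from RFC 1510 and Matt's point that a ticket with no addresses is valid from anywhere, written out as an added Python example (not code from this thread, from WRQ Reflection or from the Fermilab KDC). `issue_ticket` plays the KDC, which may or may not allow an addressless request; `address_permits` plays the application server comparing the client's address with the addresses carried in the ticket. The principal names, the two IP addresses and the `allow_addressless` / `require_addresses` policy knobs are constructed for illustration; the address-type codes are the HostAddress types from RFC 1510/4120 (2 for IPv4, 24 for IPv6).

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

ADDRTYPE_INET = 2     # HostAddress addr-type for IPv4 (RFC 1510, RFC 4120)
ADDRTYPE_INET6 = 24   # HostAddress addr-type for IPv6 (RFC 4120)

Address = Tuple[int, bytes]   # (addr-type, address octets) as carried in a ticket


def host_address(ip: str) -> Address:
    """Encode a textual IP address as the (type, octets) pair a ticket carries."""
    a = ipaddress.ip_address(ip)
    return (ADDRTYPE_INET if a.version == 4 else ADDRTYPE_INET6, a.packed)


@dataclass
class Ticket:
    client: str
    server: str
    addresses: List[Address] = field(default_factory=list)  # empty => any address


class KDCPolicyError(Exception):
    pass


def issue_ticket(client: str, server: str, requested: List[str],
                 allow_addressless: bool = True) -> Ticket:
    """KDC side. A client may ask for a ticket with no addresses; the KDC may
    refuse such requests. `allow_addressless` is a constructed policy knob
    standing in for whatever the KDC implementation provides."""
    if not requested and not allow_addressless:
        raise KDCPolicyError("addressless ticket request refused by KDC policy")
    return Ticket(client, server, [host_address(ip) for ip in requested])


def address_permits(ticket: Ticket, client_ip: str,
                    require_addresses: bool = False) -> Tuple[bool, str]:
    """Application-server side. Returns (accepted, reason). An empty address
    list means the ticket is usable from any host unless the server insists
    on address-bound tickets (`require_addresses`, constructed knob)."""
    if not ticket.addresses:
        if require_addresses:
            return False, "addressless ticket rejected by server policy"
        return True, "ticket carries no addresses: valid from any host"
    if host_address(client_ip) in ticket.addresses:
        return True, "client address is listed in the ticket"
    return False, "client address not among the ticket's addresses"


def dhcp_scenario():
    """Constructed replay of the DHCP question: a ticket obtained at the office
    address and later presented from the conference-room address."""
    office, conference = "131.225.1.10", "131.225.2.20"     # constructed addresses
    client, server = "user@EXAMPLE.ORG", "host/fndapg@EXAMPLE.ORG"  # constructed names
    bound = issue_ticket(client, server, [office])   # address-bound, as RFC 1510 describes
    free = issue_ticket(client, server, [])          # addressless, as Matt describes
    return {
        "bound_from_office": address_permits(bound, office)[0],
        "bound_from_conference": address_permits(bound, conference)[0],
        "free_from_conference": address_permits(free, conference)[0],
        "free_with_strict_server": address_permits(free, conference, require_addresses=True)[0],
    }


if __name__ == "__main__":
    for case, ok in dhcp_scenario().items():
        print(f"{case:26s} {'accepted' if ok else 'rejected'}")
    try:
        issue_ticket("user@EXAMPLE.ORG", "host/fndapg@EXAMPLE.ORG", [], allow_addressless=False)
    except KDCPolicyError as e:
        print("strict KDC:", e)
```

The address-bound ticket is refused from the conference-room subnet, which is the behaviour Mark expected; the addressless ticket works from either subnet, which is what John observed, and only a server that insists on addresses rejects it. In MIT Kerberos, `klist -a` prints the addresses (if any) in the cached tickets, `kinit -A` requests an addressless ticket, and the `noaddresses` setting in the [libdefaults] section of krb5.conf controls the default. Address binding lost most of its value once DHCP and NAT became common, which is why addressless tickets are the usual default today; the protection against stolen credentials then rests on short ticket lifetimes and on keeping the credential cache private.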
From kreymer@fnal.gov Thu Aug 3 13:24:39 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05497 for ; Thu, 3 Aug 2000 13:24:39 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KBSB53DS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:24:39 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040A8E@listserv.fnal.gov>; Thu, 03 Aug 2000 13:24:39 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46544 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:24:39 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040A8D@listserv.fnal.gov>; Thu, 03 Aug 2000 13:24:39 -0500
Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KBSB52LI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 13:24:38 -0500 (CDT)
Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA01977 for ; Thu, 03 Aug 2000 13:24:38 -0500
Date: Thu, 03 Aug 2000 13:24:38 -0500 (CDT)
From: Steven Timm
Subject: Replacing /bin/login
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: sapphire.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 394

I've replaced /bin/login on my Linux workstation. However, at
the login for the graphical Linux console (X) it still asks
for my AFS password, not my kerberos password. Is that what it's
supposed to do? It means that it is possible for me to
get kerberos V tickets without ever typing my kerberos password.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Central Systems Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Aug 3 13:28:46 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05501 for ; Thu, 3 Aug 2000 13:28:45 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LAYBBX20@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:28:45 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AA5@listserv.fnal.gov>; Thu, 03 Aug 2000 13:28:45 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46569 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:28:45 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AA4@listserv.fnal.gov>; Thu, 03 Aug 2000 13:28:45 -0500
Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KCABBXS6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 13:28:45 -0500 (CDT)
Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA01984 for ; Thu, 03 Aug 2000 13:28:45 -0500
Date: Thu, 03 Aug 2000 13:28:45 -0500 (CDT)
From: Steven Timm
Subject: Kerberos and NFS mounted product areas:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: sapphire.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 395

Will the kerberos product install correctly on a group of nodes
all of whom are sharing the same NFS product area?

Will NIS master list of users have to be changed to "!" in each
password field once the node is kerberized?

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Central Systems Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Aug 3 13:30:52 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05507 for ; Thu, 3 Aug 2000 13:30:52 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KCXBFFLI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:30:51 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AB5@listserv.fnal.gov>; Thu, 03 Aug 2000 13:30:51 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46586 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:30:51 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AB4@listserv.fnal.gov>; Thu, 03 Aug 2000 13:30:51 -0500
Received: from CUERVO ([131.225.82.175]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYQ00KCNBFEZ5@smtp.fnal.gov>; Thu, 03 Aug 2000 13:30:51 -0500 (CDT)
Date: Thu, 03 Aug 2000 13:30:50 -0500
From: "Mark O. Kaletka"
Subject: RE: Replacing /bin/login
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm , kerberos-pilot@fnal.gov
Cc: Linux Users
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 396

Yes, I've had the same problem, only it wants my local password 'cause I'm
not AFS. So, if you log in through the graphical interface, it still takes a
kinit to get Kerberos 5 tickets. I haven't delved into the code, but I
assume the graphical interface isn't invoking /bin/login but something else.

I'm going to cc linux-users on the hope someone there knows what the
graphical login interface is doing.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm
> Sent: Thursday, August 03, 2000 1:25 PM
> To: kerberos-pilot@fnal.gov
> Subject: Replacing /bin/login
>
>
> I've replaced /bin/login on my Linux workstation. However, at
> the login for the graphical Linux console (X) it still asks
> for my AFS password, not my kerberos password. Is that what it's
> supposed to do? It means that it is possible for me to
> get kerberos V tickets without ever typing my kerberos password.
>
> Steve
>
>
>
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Central Systems Support Group--Computing Farms Operations
>
>

From kreymer@fnal.gov Thu Aug 3 13:44:51 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05526 for ; Thu, 3 Aug 2000 13:44:51 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KEJC2CMW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:44:41 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AEB@listserv.fnal.gov>; Thu, 03 Aug 2000 13:44:37 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46646 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:44:37 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AE9@listserv.fnal.gov>; Thu, 03 Aug 2000 13:44:37 -0500
Received: from null.cc.uic.edu ([128.248.76.23]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LAHC2C2N@smtp.fnal.gov>; Thu, 03 Aug 2000 13:44:36 -0500 (CDT)
Received: from localhost (seva@localhost) by null.cc.uic.edu (8.9.3/8.9.3) with ESMTP id NAA15406; Thu, 03 Aug 2000 13:44:36 -0500
Date: Thu, 03 Aug 2000 13:44:36 -0500 (CDT)
From: Simon Epsteyn
Subject: RE: Replacing /bin/login
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender: seva@null.cc.uic.edu
To: "Mark O. Kaletka"
Cc: Steven Timm , kerberos-pilot@fnal.gov, Linux Users
Message-id:
Organization: SV Technologies Corp.
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Foo: Bar
X-Authentication-warning: null.cc.uic.edu: seva owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 397

I am guessing you are interested in PAM.
For example /etc/pam.d/xdm:

#%PAM-1.0
auth       required   /lib/security/pam_pwdb.so shadow nullok
auth       required   /lib/security/pam_nologin.so
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_console.so

/Simon
--
Integrated Systems Development
Fermi National Accelerator Laboratory

On Thu, 3 Aug 2000, Mark O. Kaletka wrote:

> Yes, I've had the same problem, only it wants my local password 'cause I'm
> not AFS. So, if you log in through the graphical interface, it still takes a
> kinit to get Kerberos 5 tickets. I haven't delved into the code, but I
> assume the graphical interface isn't invoking /bin/login but something else.
>
> I'm going to cc linux-users on the hope someone there knows what the
> graphical login interface is doing.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm
> > Sent: Thursday, August 03, 2000 1:25 PM
> > To: kerberos-pilot@fnal.gov
> > Subject: Replacing /bin/login
> >
> > I've replaced /bin/login on my Linux workstation. However, at
> > the login for the graphical Linux console (X) it still asks
> > for my AFS password, not my kerberos password. Is that what it's
> > supposed to do? It means that it is possible for me to
> > get kerberos V tickets without ever typing my kerberos password.
> >
> > Steve
> >
> > ------------------------------------------------------------------
> > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Central Systems Support Group--Computing Farms Operations
> >

From kreymer@fnal.gov Thu Aug 3 13:48:25 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05532 for ; Thu, 3 Aug 2000 13:48:25 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LBGC8O2N@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:48:24 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AFB@listserv.fnal.gov>; Thu, 03 Aug 2000 13:48:24 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46664 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:48:24 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040AFA@listserv.fnal.gov>; Thu, 03 Aug 2000 13:48:24 -0500
Received: from thebrain.fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KJRC8NMW@smtp.fnal.gov>; Thu, 03 Aug 2000 13:48:23 -0500 (CDT)
Received: from fnal.gov (localhost.localdomain [127.0.0.1]) by thebrain.fnal.gov (8.10.2/8.10.2) with ESMTP id e73ImM208810; Thu, 03 Aug 2000 13:48:22 -0500
Date: Thu, 03 Aug 2000 13:48:22 -0500
From: Troy Dawson
Subject: Re: Replacing /bin/login
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: Steven Timm , kerberos-pilot@fnal.gov, Linux Users
Message-id: <3989BE76.827A79B6@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 398

The graphical login on Linux for KDE uses the PAM modules, but not the login one.
If you are using Gnome, it uses gdm (or possibly xdm, it's been a while since I checked).
KDE uses the kde one.

You are also going to have problems with your screen savers, which use yet again, a different pam module checking scheme.

Troy

"Mark O. Kaletka" wrote:
>
> Yes, I've had the same problem, only it wants my local password 'cause I'm
> not AFS. So, if you log in through the graphical interface, it still takes a
> kinit to get Kerberos 5 tickets. I haven't delved into the code, but I
> assume the graphical interface isn't invoking /bin/login but something else.
>
> I'm going to cc linux-users on the hope someone there knows what the
> graphical login interface is doing.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm
> > Sent: Thursday, August 03, 2000 1:25 PM
> > To: kerberos-pilot@fnal.gov
> > Subject: Replacing /bin/login
> >
> > I've replaced /bin/login on my Linux workstation. However, at
> > the login for the graphical Linux console (X) it still asks
> > for my AFS password, not my kerberos password. Is that what it's
> > supposed to do? It means that it is possible for me to
> > get kerberos V tickets without ever typing my kerberos password.
> >
> > Steve
> >
> > ------------------------------------------------------------------
> > Steven C.
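Troy's point is that every login path (login, xdm or gdm, kdm, the screen savers) reads its own PAM service file, so replacing /bin/login or fixing one file in /etc/pam.d changes only one of them; the others keep taking the local or AFS password. As an added example that is not part of this thread and not the Fermi setup, here is a small audit script that parses files in the classic /etc/pam.d/<service> format Simon showed and reports every service whose auth stack never consults a Kerberos module. The module name pam_krb5.so and all sample files except Simon's xdm file are constructed assumptions.

```python
"""Audit PAM service files: which login paths never consult Kerberos?

Added example (not from the kerberos-pilot thread). Parses the classic
/etc/pam.d/<service> format (type  control  module [args]) and flags every
service whose 'auth' stack lacks a Kerberos module. The sample files other
than 'xdm' and the module name pam_krb5.so are constructed assumptions.
"""
import re
from typing import Dict, List, Tuple

KERBEROS_MODULES = ("pam_krb5.so",)  # assumption: module that does Kerberos auth

# Constructed sample /etc/pam.d/* contents. 'xdm' is Simon's file from the
# thread; the others are made up to show the point Troy makes.
SAMPLE_PAM_D: Dict[str, str] = {
    "xdm": """#%PAM-1.0
auth       required   /lib/security/pam_pwdb.so shadow nullok
auth       required   /lib/security/pam_nologin.so
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_console.so
""",
    "login": """#%PAM-1.0
auth       sufficient /lib/security/pam_krb5.so
auth       required   /lib/security/pam_pwdb.so shadow nullok use_first_pass
account    required   /lib/security/pam_pwdb.so
session    required   /lib/security/pam_pwdb.so
""",
    "kde": """#%PAM-1.0
auth       required   /lib/security/pam_pwdb.so shadow nullok
account    required   /lib/security/pam_pwdb.so
""",
    "xscreensaver": """#%PAM-1.0
auth       required   /lib/security/pam_pwdb.so shadow nullok
""",
}

PamLine = Tuple[str, str, str, List[str]]  # (type, control, module, args)


def parse_pam_service(text: str) -> List[PamLine]:
    """Parse one PAM service file into (type, control, module, args) tuples.

    Comments and blank lines are skipped; a trailing backslash joins the
    next line, as pam does. Bracketed controls such as
    '[success=1 default=ignore]' are kept as a single token.
    """
    logical_lines: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line = pending + line
        pending = ""
        if line.strip():
            logical_lines.append(line)
    entries: List[PamLine] = []
    for line in logical_lines:
        m = re.match(r"\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        ptype, control, module, args = m.groups()
        entries.append((ptype.lower(), control, module, args.split()))
    return entries


def auth_modules(entries: List[PamLine]) -> List[str]:
    """Basenames of the modules on the 'auth' stack, in stack order."""
    return [mod.rsplit("/", 1)[-1] for ptype, _, mod, _ in entries if ptype == "auth"]


def services_without_kerberos(pam_d: Dict[str, str]) -> List[str]:
    """Names of the services whose auth stack never calls a Kerberos module."""
    missing = []
    for name, text in sorted(pam_d.items()):
        mods = auth_modules(parse_pam_service(text))
        if not any(m in KERBEROS_MODULES for m in mods):
            missing.append(name)
    return missing


if __name__ == "__main__":
    for svc in services_without_kerberos(SAMPLE_PAM_D):
        print(f"{svc}: no Kerberos module on auth stack "
              f"{auth_modules(parse_pam_service(SAMPLE_PAM_D[svc]))}")
```

On a real host the dictionary would be filled from the files in /etc/pam.d; the services it names are exactly the paths on which a user still authenticates with the local password, which is the condition Steve describes.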
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Central Systems Support Group--Computing Farms Operations > > > > -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS CSS Group __________________________________________________ From kreymer@fnal.gov Thu Aug 3 13:48:38 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05539 for ; Thu, 3 Aug 2000 13:48:38 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KFPC90S6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:48:37 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B04@listserv.fnal.gov>; Thu, 03 Aug 2000 13:48:36 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46676 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:48:36 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B03@listserv.fnal.gov>; Thu, 03 Aug 2000 13:48:36 -0500 Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KH6C90LI@smtp.fnal.gov>; Thu, 03 Aug 2000 13:48:36 -0500 (CDT) Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA02182; Thu, 03 Aug 2000 13:48:36 -0500 Date: Thu, 03 Aug 2000 13:48:36 -0500 (CDT) From: Steven Timm Subject: RE: Replacing /bin/login In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. 
Kaletka" Cc: kerberos-pilot@fnal.gov, Linux Users Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 399 > Yes, I've had the same problem, only it wants my local password 'cause I'm > not AFS. So, if you log in through the graphical interface, it still takes a > kinit to get Kerberos 5 tickets. I haven't delved into the code, but I > assume the graphical interface isn't invoking /bin/login but something else. The solution has been posted elsewhere...but one important correction to what you said above...with my AFS password I *do* get kerberos tickets right away at login without having to kinit. Steve > > I'm going to cc linux-users on the hope someone there knows what the > graphical login interface is doing. > > -- Mark K. > > > -----Original Message----- > > From: owner-kerberos-pilot@listserv.fnal.gov > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > > Sent: Thursday, August 03, 2000 1:25 PM > > To: kerberos-pilot@fnal.gov > > Subject: Replacing /bin/login > > > > > > I've replaced /bin/login on my Linux workstation. However, at > > the login for the graphical Linux console (X) it still asks > > for my AFS password, not my kerberos password. Is that what it's > > supposed to do? It means that it is possible for me to > > get kerberos V tickets without ever typing my kerberos password. > > > > Steve > > > > > > > > > > ------------------------------------------------------------------ > > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Central Systems Support Group--Computing Farms Operations
> >

From kreymer@fnal.gov Thu Aug 3 13:54:28 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05663 for ; Thu, 3 Aug 2000 13:54:28 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KFHCISQG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 13:54:28 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B1B@listserv.fnal.gov>; Thu, 03 Aug 2000 13:54:28 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46704 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 13:54:28 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B1A@listserv.fnal.gov>; Thu, 03 Aug 2000 13:54:28 -0500
Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LB3CISSR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 13:54:28 -0500 (CDT)
Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA02205 for ; Thu, 03 Aug 2000 13:54:28 -0500
Date: Thu, 03 Aug 2000 13:54:28 -0500 (CDT)
From: Steven Timm
Subject: Problems with kcroninit
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 400

I have tried to run kcroninit several times and keep getting the following error:

Are you on a secure channel? (default = y): y
What is your kerberos principal (default = timm@PILOT.FNAL.GOV):
Enter the password for timm@PILOT.FNAL.GOV:
Now adding principal timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.

----------------

what's the error that is happening that is causing the "ERROR transferring keytab file contents, ABORT"

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Central Systems Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Aug 3 14:07:50 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09308 for ; Thu, 3 Aug 2000 14:07:50 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LG1D512N@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 14:07:50 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B3E@listserv.fnal.gov>; Thu, 03 Aug 2000 14:07:50 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46740 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 14:07:50 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B3D@listserv.fnal.gov>; Thu, 03 Aug 2000 14:07:50 -0500
Received: from fsui03.fnal.gov ([131.225.68.24]) by
smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KL6D51HF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 14:07:49 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.10.2/8.10.2) with SMTP id e73J7n825238; Thu, 03 Aug 2000 14:07:49 -0500 (CDT) Date: Thu, 03 Aug 2000 14:07:49 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: Problems with kcroninit Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200008031907.e73J7n825238@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 401 Try "kcroninit -d" (for more verbose debugging output). -- lauri On Thursday 3 August 2000, our friend Steven Timm spaketh thusly: > I have tried to run kcroninit several times and keep getting the > following error: > > > Are you on a secure channel? (default = y): y > What is your kerberos principal (default = timm@PILOT.FNAL.GOV): > Enter the password for timm@PILOT.FNAL.GOV: > Now adding principal timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV... > add_principal: Principal or policy already exists while creating > "timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV". > Now creating empty keytab file for > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV... > Now writing temporary keytab for > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV... > Temporary keytab created. > Now transferring temporary keytab file contents... > ERROR transferring keytab file contents; ABORT. > All done. > > ---------------- > > what's the error that is happening that is causing the > "ERROR transferring keytab file contents, ABORT" > > > Steve > > > ------------------------------------------------------------------ > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Central Systems Support Group--Computing Farms Operations From kreymer@fnal.gov Thu Aug 3 14:11:35 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09314 for ; Thu, 3 Aug 2000 14:11:35 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LE5DBBWI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 14:11:35 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B49@listserv.fnal.gov>; Thu, 03 Aug 2000 14:11:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46752 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 14:11:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B48@listserv.fnal.gov>; Thu, 03 Aug 2000 14:11:35 -0500 Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LJ3DBA74@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 14:11:34 -0500 (CDT) Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA02398; Thu, 03 Aug 2000 14:11:34 -0500 Date: Thu, 03 Aug 2000 14:11:34 -0500 (CDT) From: Steven Timm Subject: re: Problems with kcroninit In-reply-to: <200008031907.e73J7n825238@fsui03.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 402 This is the output from kcronint -d. Does this tell anyone anything? 
Temporary keytab created.
into doKeytab, realKeytabFile = >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<, tempKeytabFile = >/tmp/2377/timm<
Now transferring temporary keytab file contents...
now doing copy: tempKeytabFile = >/tmp/2377/timm<, realKeytabFile = >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<
ERROR transferring keytab file contents; ABORT.
cleaning up, removing >/tmp/2377<
All done.

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Central Systems Support Group--Computing Farms Operations

On Thu, 3 Aug 2000, Laurelin of Middle Earth, 630-840-2214 wrote:

> Try "kcroninit -d" (for more verbose debugging output).
>
> -- lauri
>
> On Thursday 3 August 2000,
> our friend Steven Timm spaketh thusly:
>
> > I have tried to run kcroninit several times and keep getting the
> > following error:
> >
> > Are you on a secure channel? (default = y): y
> > What is your kerberos principal (default = timm@PILOT.FNAL.GOV):
> > Enter the password for timm@PILOT.FNAL.GOV:
> > Now adding principal timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > add_principal: Principal or policy already exists while creating
> > "timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV".
> > Now creating empty keytab file for
> > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > Now writing temporary keytab for
> > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > Temporary keytab created.
> > Now transferring temporary keytab file contents...
> > ERROR transferring keytab file contents; ABORT.
> > All done.
> >
> > ----------------
> >
> > what's the error that is happening that is causing the
> > "ERROR transferring keytab file contents, ABORT"
> >
> > Steve
> >
> > ------------------------------------------------------------------
> > Steven C.
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Central Systems Support Group--Computing Farms Operations > > From kreymer@fnal.gov Thu Aug 3 14:23:40 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09328 for ; Thu, 3 Aug 2000 14:23:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LK8DVG20@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 14:23:40 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B5E@listserv.fnal.gov>; Thu, 03 Aug 2000 14:23:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46774 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 14:23:40 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B5D@listserv.fnal.gov>; Thu, 03 Aug 2000 14:23:40 -0500 Received: from fsui03.fnal.gov ([131.225.68.24]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KIEDVFX1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 14:23:39 -0500 (CDT) Received: from localhost (lauri@localhost) by fsui03.fnal.gov (8.10.2/8.10.2) with SMTP id e73JNdW25626; Thu, 03 Aug 2000 14:23:39 -0500 (CDT) Date: Thu, 03 Aug 2000 14:23:39 -0500 From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214) Subject: re: Problems with kcroninit Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Reply-to: lauri@fnal.gov Message-id: <200008031923.e73JNdW25626@fsui03.fnal.gov> X-Authentication-warning: fsui03.fnal.gov: lauri@localhost didn't use HELO protocol Status: RO X-Status: 
X-Keywords:
X-UID: 403

Look at the permissions on /var and /var/adm and /var/adm/krb5.
They should "match" whatever is on (e.g.,) ossbud.

If I recall correctly, there was a bug discovered in the kcroninit script (or, more accurately, one of the behind-the-scenes pieces it calls) which causes permissions to be set incorrectly IFF the kcroninit script creates /var (or /var/adm ?) for the first time.
If your node is a "typical" Fermi Linux box, this is quite likely the case.

-- lauri

On Thursday 3 August 2000,
our friend Steven Timm spaketh thusly:

> This is the output from kcronint -d. Does this tell anyone anything?
>
> Temporary keytab created.
> into doKeytab, realKeytabFile = >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<,
> tempKeytabFile = >/tmp/2377/timm<
> Now transferring temporary keytab file contents...
> now doing copy: tempKeytabFile = >/tmp/2377/timm<, realKeytabFile =
> >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<
> ERROR transferring keytab file contents; ABORT.
> cleaning up, removing >/tmp/2377<
> All done.
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Central Systems Support Group--Computing Farms Operations
> On Thu, 3 Aug 2000, Laurelin of Middle Earth, 630-840-2214 wrote:
>
> > Try "kcroninit -d" (for more verbose debugging output).
> >
> > -- lauri
> >
> > On Thursday 3 August 2000,
> > our friend Steven Timm spaketh thusly:
> >
> > > I have tried to run kcroninit several times and keep getting the
> > > following error:
> > >
> > > Are you on a secure channel? (default = y): y
> > > What is your kerberos principal (default = timm@PILOT.FNAL.GOV):
> > > Enter the password for timm@PILOT.FNAL.GOV:
> > > Now adding principal timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > > add_principal: Principal or policy already exists while creating
> > > "timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV".
> > > Now creating empty keytab file for > > > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV... > > > Now writing temporary keytab for > > > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV... > > > Temporary keytab created. > > > Now transferring temporary keytab file contents... > > > ERROR transferring keytab file contents; ABORT. > > > All done. > > > > > > ---------------- > > > > > > what's the error that is happening that is causing the > > > "ERROR transferring keytab file contents, ABORT" > > > > > > > > > Steve > > > > > > > > > ------------------------------------------------------------------ > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > Fermilab Computing Division/Operating Systems Support > > > Central Systems Support Group--Computing Farms Operations > > > > > From kreymer@fnal.gov Thu Aug 3 14:28:38 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09340 for ; Thu, 3 Aug 2000 14:28:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LHRE3PC3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 14:28:37 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B76@listserv.fnal.gov>; Thu, 03 Aug 2000 14:28:37 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46801 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 14:28:37 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040B75@listserv.fnal.gov>; Thu, 03 Aug 2000 14:28:37 -0500 Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KLFE3PZ5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 
14:28:37 -0500 (CDT)
Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA02541; Thu, 03 Aug 2000 14:28:37 -0500
Date: Thu, 03 Aug 2000 14:28:36 -0500 (CDT)
From: Steven Timm
Subject: re: Problems with kcroninit
In-reply-to: <200008031923.e73JNdW25626@fsui03.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 404

Yes, that works. Had to change /var/adm to 775 permission.

Thanks

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Central Systems Support Group--Computing Farms Operations

On Thu, 3 Aug 2000, Laurelin of Middle Earth, 630-840-2214 wrote:

> Look at the permissions on /var and /var/adm and /var/adm/krb5.
> They should "match" whatever is on (e.g.,) ossbud.
>
> If I recall correctly, there was a bug discovered in the kcroninit
> script (or, more accurately, one of the behind-the-scenes pieces it
> calls) which causes permissions to be set incorrectly IFF the
> kcroninit script creates /var (or /var/adm ?) for the first time.
> If your node is a "typical" Fermi Linux box, this is quite likely
> the case.
>
> -- lauri
>
> On Thursday 3 August 2000,
> our friend Steven Timm spaketh thusly:
>
> > This is the output from kcronint -d. Does this tell anyone anything?
> >
> > Temporary keytab created.
> > into doKeytab, realKeytabFile = >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<,
> > tempKeytabFile = >/tmp/2377/timm<
> > Now transferring temporary keytab file contents...
> > now doing copy: tempKeytabFile = >/tmp/2377/timm<, realKeytabFile =
> > >/var/adm/krb5/3xWqfjXOdMncXOBDmAYHgg<
> > ERROR transferring keytab file contents; ABORT.
> > cleaning up, removing >/tmp/2377<
> > All done.
> >
> > ------------------------------------------------------------------
> > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Central Systems Support Group--Computing Farms Operations
> > On Thu, 3 Aug 2000, Laurelin of Middle Earth, 630-840-2214 wrote:
> >
> > > Try "kcroninit -d" (for more verbose debugging output).
> > >
> > > -- lauri
> > >
> > > On Thursday 3 August 2000,
> > > our friend Steven Timm spaketh thusly:
> > >
> > > > I have tried to run kcroninit several times and keep getting the
> > > > following error:
> > > >
> > > > Are you on a secure channel? (default = y): y
> > > > What is your kerberos principal (default = timm@PILOT.FNAL.GOV):
> > > > Enter the password for timm@PILOT.FNAL.GOV:
> > > > Now adding principal timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > > > add_principal: Principal or policy already exists while creating
> > > > "timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV".
> > > > Now creating empty keytab file for
> > > > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > > > Now writing temporary keytab for
> > > > timm/cron/sapphire.fnal.gov@PILOT.FNAL.GOV...
> > > > Temporary keytab created.
> > > > Now transferring temporary keytab file contents...
> > > > ERROR transferring keytab file contents; ABORT.
> > > > All done.
> > > >
> > > > ----------------
> > > >
> > > > what's the error that is happening that is causing the
> > > > "ERROR transferring keytab file contents, ABORT"
> > > >
> > > > Steve
> > > >
> > > > ------------------------------------------------------------------
> > > > Steven C.
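Laurelin's diagnosis of the kcroninit failure above is a permission problem on the directory chain /var, /var/adm, /var/adm/krb5 that the keytab is copied into, and Steve confirms that giving /var/adm mode 775 fixed it. The script's own internals are not shown in the thread; as an added example (not kcroninit and not Fermi code), here is a check that walks every directory on the path to a keytab destination and names the component whose mode lacks a required bit, so the offending directory is known before any copy is attempted. The expected modes are an assumption. The check compares stat() mode bits rather than calling os.access(), so it reports the same thing whether it runs as root or as the user.

```python
"""Find which directory on the path to a keytab blocks the copy.

Added example, not the kcroninit script from the thread (its internals are
not shown there). Walks every ancestor of the destination file and compares
each directory's permission bits against the bits the caller says it needs.
The expected modes below are an assumption.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Problem = Tuple[str, int, int]  # (directory, actual mode, missing bits)


def ancestors(path: str) -> List[str]:
    """Directories from the filesystem root down to the parent of `path`."""
    p = Path(path).resolve()
    return [str(d) for d in reversed(p.parents)]


def missing_mode_bits(path: str, required: int) -> int:
    """Bits of `required` that `path` does not carry (0 means all present).

    Uses the stat() mode bits, not os.access(), so the answer is the same
    whether the check runs as root or as the user.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return required & ~mode


def check_keytab_path(dest: str, required: Dict[str, int]) -> List[Problem]:
    """Report every ancestor of `dest` that lacks a bit listed for it in `required`.

    `required` maps resolved absolute directories to the permission bits they
    must carry, e.g. {"/var/adm": 0o775}. Directories not listed are skipped.
    """
    problems: List[Problem] = []
    for d in ancestors(dest):
        if d in required:
            missing = missing_mode_bits(d, required[d])
            if missing:
                problems.append((d, stat.S_IMODE(os.stat(d).st_mode), missing))
    return problems


def demo(root: Optional[str] = None) -> List[Problem]:
    """Build a constructed var/adm/krb5 tree under `root` and check it.

    var/adm is deliberately created 0755 (no group write) to mirror the
    failure in the thread, so the check should name exactly that directory.
    """
    root = root or tempfile.mkdtemp(prefix="kcron-demo-")
    var = os.path.join(root, "var")
    adm = os.path.join(var, "adm")
    krb5 = os.path.join(adm, "krb5")
    os.makedirs(krb5, exist_ok=True)
    os.chmod(var, 0o755)
    os.chmod(adm, 0o755)
    os.chmod(krb5, 0o775)
    required = {str(Path(var).resolve()): 0o755,   # assumed expected modes
                str(Path(adm).resolve()): 0o775,
                str(Path(krb5).resolve()): 0o775}
    return check_keytab_path(os.path.join(krb5, "keytab-placeholder"), required)


if __name__ == "__main__":
    for d, actual, missing in demo():
        print(f"{d}: mode {actual:04o} lacks bits {missing:04o}")
```

Run against the real paths, `required` would hold the modes of a known-good node (the "match whatever is on ossbud" comparison Laurelin suggests), and the report points at the one directory to chmod instead of the bare "ERROR transferring keytab file contents" the script printed.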
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > > Fermilab Computing Division/Operating Systems Support > > > > Central Systems Support Group--Computing Farms Operations > > > > > > > > > > From kreymer@fnal.gov Thu Aug 3 14:53:41 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09384 for ; Thu, 3 Aug 2000 14:53:41 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00KP2F9HDS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 14:53:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040BB6@listserv.fnal.gov>; Thu, 03 Aug 2000 14:53:41 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46869 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 14:53:41 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040BB5@listserv.fnal.gov>; Thu, 03 Aug 2000 14:53:41 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FYQ00LKLF9HWI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 14:53:41 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA04031; Thu, 03 Aug 2000 14:53:40 -0500 Date: Thu, 03 Aug 2000 14:53:40 -0500 From: Glenn Cooper Subject: Re: Kerberos and NFS mounted product areas: In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 405 Hi Steve, > Will the kerberos product install correctly on a group of 
nodes
> all of whom are sharing the same NFS product area?

Yes, we do this all the time. However, I had to comment out the line:

# FileTest(${UPS_PROD_DIR}/${KRB_REL_SRC}, -w, "You must be able to write into the product directory to perform this action.")

from the table file. The ups install step tries to write into the kerberos area to test something (I forget what). It can't do that in our NFS-mounted products area, and that makes the whole script abort. Commenting out the line skips the test, and the rest of the install goes fine.

> Will NIS master list of users have to be changed to "!" in
> each password field once the node is kerberized?

This is obviously a policy question; I'll leave that up to the security czars.

Hope this helps,
Glenn

From kreymer@fnal.gov Thu Aug 3 15:33:51 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA09480 for ; Thu, 3 Aug 2000 15:33:51 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LP6H4FSR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 15:33:51 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C14@listserv.fnal.gov>; Thu, 03 Aug 2000 15:33:51 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46967 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 15:33:51 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C13@listserv.fnal.gov>; Thu, 03 Aug 2000 15:33:51 -0500
Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00LR0H4EWI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 15:33:50 -0500 (CDT)
Received: from localhost
(timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA03122 for ; Thu, 03 Aug 2000 15:33:50 -0500
Date: Thu, 03 Aug 2000 15:33:50 -0500 (CDT)
From: Steven Timm
Subject: Problems with kerberized ftp
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: sapphire.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 406

As far as I can tell, I am using a kerberized ftp client on my kerberized desktop and bldlinux61 appears to be running a kerberized ftp daemon. However, I get the following error:

sapphire.timm:~> ftp bldlinux61
Connected to bldlinux61.fnal.gov.
220 bldlinux61.fnal.gov FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (bldlinux61:timm):
530 User timm access denied.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.
------------------------

Why is access denied? My kerberos tickets are good.
The same thing happens in reverse when I try to ftp from bldlinux61 to sapphire.

Steve

------------------------------------------------------------------
Steven C.
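In Steve's transcript the GSSAPI exchange succeeds ("GSSAPI authentication succeeded") and the refusal only comes at the user step ("530 User timm access denied"): the server has established which principal is connecting but has not authorized that principal for the local account timm. The thread does not say what the cause was on bldlinux61. As an added example, not from the thread and not the Fermi ftp daemon's code, here is the krb5_kuserok-style decision that Kerberized login and ftp services commonly apply at that step: a principal maps onto a local account if it is user@<default realm> and the account has no ~/.k5login, or if it is listed in the account's ~/.k5login. The realm PILOT.FNAL.GOV is the one in the thread but is assumed here to be the server's default realm; the .k5login contents and the function names are constructed.

```python
"""Authentication vs. authorization at the user step of a Kerberized service.

Added example, not from the thread and not the ftp daemon's code. Models the
krb5_kuserok-style rule that Kerberized login and ftp services commonly
apply after GSSAPI has already proved which principal is connecting: may
that principal use the requested local account? The realm is the one named
in the thread but is assumed to be the server's default realm; the .k5login
contents are constructed.
"""
from typing import Dict, Optional, Set, Tuple

DEFAULT_REALM = "PILOT.FNAL.GOV"  # assumption: the server's default realm

# Constructed ~/.k5login contents per local account; None = no such file.
SAMPLE_K5LOGIN: Dict[str, Optional[Set[str]]] = {
    "timm": None,                                            # no .k5login
    "shared": {"timm@PILOT.FNAL.GOV", "ops@PILOT.FNAL.GOV"},  # shared account
    "guest": set(),                                          # file present, empty
}


def split_principal(principal: str) -> Tuple[str, str, str]:
    """'name/instance@REALM' -> (name, instance or '', REALM); rejects malformed input."""
    if "@" not in principal:
        raise ValueError(f"principal without realm: {principal!r}")
    name_part, realm = principal.rsplit("@", 1)
    name, _, instance = name_part.partition("/")
    if not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return name, instance, realm


def kuserok(principal: str, local_user: str, k5login: Optional[Set[str]],
            default_realm: str = DEFAULT_REALM) -> bool:
    """Decide whether an already-authenticated `principal` may use `local_user`.

    No .k5login: only the plain principal local_user@default_realm maps onto
    the account; a foreign realm or an instance (timm/admin) does not.
    With a .k5login: only principals listed in it are accepted, so an empty
    file closes the account to every Kerberos login.
    """
    name, instance, realm = split_principal(principal)
    if k5login is None:
        return name == local_user and instance == "" and realm == default_realm
    return principal in k5login


def ftp_user_reply(principal: str, local_user: str) -> str:
    """Reply the user step gives for the sample accounts, in the transcript's style."""
    if kuserok(principal, local_user, SAMPLE_K5LOGIN.get(local_user)):
        return f"230 User {local_user} logged in."
    return f"530 User {local_user} access denied."


if __name__ == "__main__":
    for princ, user in [("timm@PILOT.FNAL.GOV", "timm"),
                        ("timm@OTHER.REALM", "timm"),
                        ("ops@PILOT.FNAL.GOV", "shared")]:
        print(f"{princ} -> {user}: {ftp_user_reply(princ, user)}")
```

The point of the split is that a valid ticket answers only the first question. Good tickets with a 530 at the user step means the mapping from principal to account failed, which is what to look at (default realm of the server, the account's .k5login, and the local account itself) rather than the Kerberos credentials.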
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Central Systems Support Group--Computing Farms Operations From kreymer@fnal.gov Thu Aug 3 15:49:58 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA09503 for ; Thu, 3 Aug 2000 15:49:58 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ0034LHVAKJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 15:49:58 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C34@listserv.fnal.gov>; Thu, 03 Aug 2000 15:49:58 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 47001 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 15:49:58 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C33@listserv.fnal.gov>; Thu, 03 Aug 2000 15:49:58 -0500 Received: from sapphire.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ00337HV9TK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 15:49:58 -0500 (CDT) Received: from localhost (timm@localhost) by sapphire.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA03143 for ; Thu, 03 Aug 2000 15:49:57 -0500 Date: Thu, 03 Aug 2000 15:49:57 -0500 (CDT) From: Steven Timm Subject: Kerberized ssh? Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: sapphire.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 407 Did I hear Mark Kaletka say at the training session that the ssh that Wayne announced earlier this week is busted? 
Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Central Systems Support Group--Computing Farms Operations From kreymer@fnal.gov Thu Aug 3 16:12:47 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA09526 for ; Thu, 3 Aug 2000 16:12:47 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ0033VIL9TS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 Aug 2000 16:05:33 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C6A@listserv.fnal.gov>; Thu, 03 Aug 2000 16:05:34 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 47056 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 Aug 2000 16:05:33 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00040C69@listserv.fnal.gov>; Thu, 03 Aug 2000 16:05:33 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYQ0040GIL9WQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 Aug 2000 16:05:33 -0500 (CDT) Date: Thu, 03 Aug 2000 16:05:32 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: Kerberized ssh? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 408 On Thu, 3 Aug 2000, Steven Timm wrote: > > Did I hear Mark Kaletka say at the training session that the ssh > that Wayne announced earlier this week is busted? The kerberos5 code isn't actually turned on... 
Wayne will be fixing it early next week when he gets back. Marc From kreymer@fnal.gov Fri Aug 4 08:31:11 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA20165 for ; Fri, 4 Aug 2000 08:31:11 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYR00G67S7ZIE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 04 Aug 2000 08:31:11 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000412C1@listserv.fnal.gov>; Fri, 04 Aug 2000 08:31:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 48784 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 04 Aug 2000 08:31:11 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000412C0@listserv.fnal.gov>; Fri, 04 Aug 2000 08:31:11 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYR00FBTS7YIN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 04 Aug 2000 08:31:10 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA07060; Fri, 04 Aug 2000 08:31:10 -0500 (CDT) Date: Fri, 04 Aug 2000 08:31:10 -0500 From: Matt Crawford Subject: Re: Kerberos and NFS mounted product areas: In-reply-to: "03 Aug 2000 13:28:45 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200008041331.IAA07060@gungnir.fnal.gov> Content-id: <7056.965395870.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 409 > Will the kerberos product install correctly on a group of nodes > all of whom are sharing the same NFS product area? It should. 
It's been tested. If it's broken now (I don't think so) it will be fixed.

Note, though, that the intended mode of use does not assume "setup kerberos" has been done -- the necessary files go into /usr/krb5 on each system. This is to make krb services available if there's an NFS failure.

> Will NIS master list of users have to be changed to "!" in
> each password field once the node is kerberized?

It's expected that you will eventually do that, but it's not required. In fact, any user who will need to log in at the console when the network is disconnected will need a valid password field.

From kreymer@fnal.gov Mon Aug 7 15:04:43 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA18209 for ; Mon, 7 Aug 2000 15:04:43 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYX003JWUFURM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 07 Aug 2000 15:04:42 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00043573@listserv.fnal.gov>; Mon, 07 Aug 2000 15:04:42 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 58016 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 07 Aug 2000 15:04:42 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00043572@listserv.fnal.gov>; Mon, 07 Aug 2000 15:04:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FYX001SGUFUWL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT KERBEROS-PILOT@fnal.gov); Mon, 07 Aug 2000 15:04:42 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA11974; Mon, 07 Aug 2000 15:04:41 -0500 (CDT)
Date: Mon, 07 Aug 2000 15:04:41 -0500
From: Matt Crawford
Subject: Re: Setting DISPLAY When Using Kerberos?
In-reply-to: "07 Aug 2000 09:50:11 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: rgwcdf@anl.gov
Cc: KERBEROS-PILOT@fnal.gov
Message-id: <200008072004.PAA11974@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 410

Bob,

You sent your message to kerberos-pilot-request instead of kerberos-pilot@fnal.gov, so it only reached me. That may be fine, but note the correction if you want to reach a wider audience.

> Up to now, I've been using ssh to make connections and one is not
> supposed to setenv DISPLAY. I noted when trying to use xemacs for the
> first time with the kerberized connection that no emacs window pops up
> since DISPLAY is not set.

When I telnet to fcdfsgi2, I do wind up with DISPLAY set:

gungnir 368% echo $DISPLAY
:0.0
gungnir 369% telnet fcdfsgi2
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov (131.225.240.129).
Escape character is '^]'.
NOTICE TO USERS
{{ suppressing the DOE banner }}
[ Kerberos V5 accepts you as ``crawdad@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
{{ the banner pops up yet again }}
********** Downtime 8:30-9:30 Tuesday *******************************
fcdfsgi2 will be down Tuesday, August 8, from 8:30-9:30 a.m. to restore
access to the /cdf/data01 and /cdf/data02 filesystems.
Sorry for the inconvenience.
***********************************************************************
Terminal type is xterm
There are no available articles.
fcdfsgi2 100% echo $DISPLAY
gungnir.fnal.gov:0.0

> My question is: When using kerberos, is one supposed to return to
> the practice of using setenv DISPLAY, or am I missing a further
> setup that will handle DISPLAY similar to the ssh method?

I bet the problem is that your fcdfsgi2 process isn't automatically given access to your X display, as it is when you use ssh. It's the same for me:

fcdfsgi2 101% xdpyinfo
Xlib: connection to "gungnir.fnal.gov:0.0" refused by server
Xlib: Client is not authorized to connect to Server
xdpyinfo: unable to open display "gungnir.fnal.gov:0.0".

But if I give access with xauth, then it works:

fcdfsgi2 102% xauth add $DISPLAY MIT-MAGIC-COOKIE-1 1d7c640122240f702414405752647b3e
fcdfsgi2 103% xdpyinfo
name of display:    gungnir.fnal.gov:0.0
version number:    11.0
vendor string:    Sun Microsystems, Inc.
vendor release number:    3510
maximum request size:  262140 bytes
motion buffer size:  256
{{ etc etc }}

Alternatively "xhost +fcdfsgi2.fnal.gov" would have given access, but it's considerably less safe -- a hypothetical badguy on that host would have access to my screen and keyboard.

There are two ways to make this more convenient for you. First, a Kerberized ssh should be available from the Fermi software products repository soon. Second, you could create yourself an alias or shell script that sends over your "xauth" magic cookie (or performs an "xhost +remotenodename" locally, if you use xhost) before starting telnet. Something along the lines of

cat > kxtelnet << 'EOF'
#!/bin/sh
# kxtelnet: push the local X magic cookie to the remote host over an
# encrypted Kerberos rsh, then start an encrypted, credential-forwarding
# Kerberos telnet session.
if [ $# != 2 ]; then
    echo "usage: kxtelnet RemoteHostName RemoteUserName" 1>&2
    exit 1
fi
# A bare ":0.0" display means "this host"; the remote side needs the name.
case "$DISPLAY" in
    :*) disp=`hostname`$DISPLAY;;
    *)  disp=$DISPLAY;;
esac
# "xauth list" prints "display protocol cookie", which is exactly what
# "xauth add" on the far end wants.
/usr/krb5/bin/rsh -n -x -l "$2" "$1" xauth add `xauth list "$disp"`
exec /usr/krb5/bin/telnet -f -x -l "$2" "$1"
EOF
chmod 755 kxtelnet

(The heredoc delimiter is quoted so that $#, $DISPLAY and the backquoted commands are written into the file literally instead of being expanded when the file is created.)

I haven't tested the above, but I use something a lot like it.
From kreymer@fnal.gov Wed Aug 9 21:25:36 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA23467 for ; Wed, 9 Aug 2000 21:25:36 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZ2003L91ENUY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 09 Aug 2000 21:25:35 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004A413@listserv.fnal.gov>; Wed, 09 Aug 2000 21:25:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 87654 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 09 Aug 2000 21:25:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004A410@listserv.fnal.gov>; Wed, 09 Aug 2000 21:25:34 -0500 Received: from imapserver3.fnal.gov ([131.225.9.17]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZ2003NL1EMM8@smtp.fnal.gov>; Wed, 09 Aug 2000 21:25:34 -0500 (CDT) Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 1009; Wed, 09 Aug 2000 21:25:33 -0500 Received: from imapserver3.fnal.gov ([64.193.127.13]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Thu, 10 Aug 2000 02:25:32 +0000 (GMT) Date: Wed, 09 Aug 2000 21:25:30 -0500 From: "Robert M. 
Harris"
Subject: CDF Software and Kerberos Installation
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: cdf_code_management@fnal.gov, cdfsys@fnal.gov, kerberos-pilot@fnal.gov
Cc: rharris@fnal.gov
Message-id: <3992129A.9726902E@imapserver3.fnal.gov>
Organization: Fermilab
MIME-version: 1.0
X-Mailer: Mozilla 4.7 [en] (X11; I; Linux 2.2.14-1.3.0f2 i686)
Content-type: multipart/mixed; boundary=------------0F24F41F7CD997C9C435068A
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 411

This is a multi-part message in MIME format.
--------------0F24F41F7CD997C9C435068A
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

--------------0F24F41F7CD997C9C435068A
Content-Type: text/plain; charset=us-ascii; name="kerberos_install_notes.txt"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="kerberos_install_notes.txt"

I'd like to congratulate cdf_code_management, cdfsys and kerberos-pilot on making it pretty trivial to install both the CDF environment and kerberos on a home linux pc. Below are some of my notes on the process, with a few minor suggestions for improving the CDF web documentation on the kerberos install at http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html

Notes:

A) I am running Fermi Red Hat 6.1.1 which was installed by the CDF task force.

B) First I installed version 3.7.0 of the cdf software off of a compact disk which I borrowed from Art Kreymer, to avoid copying the software over my modem. This took around 20 minutes and went flawlessly. Congratulations Art.

C) Following the instructions at http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html I did the following

1. Login as root.

2. source ~cdfsoft/cdf2.shrc (the instructions should read source, not Source). I then needed to do a "setup upd", which should be in the instructions, before I could attempt a

3. upd install kerberos -G"-c"

At first this failed, as the instructions implied, because I had not registered yet for access to fnkits.fnal.gov. The instructions did not teach me how to register, which they should. All I needed to do was fill out the simple form at http://www.fnal.gov/cd/forms/upd_registration.html, and the next day my node was registered to receive access to fnkits. After that, the command worked fine. Finally, I installed kerberos in my system areas with

4. ups install-keep-ssh kerberos

and answered no as instructed. This successfully completed the installation, and after that I was able to login as myself, setup kerberos, do my kinit, and telnet to fcdfsgi2 and work in the secure realm. Below is the rather complicated output that steps 3. and 4. produced, just for the record. Overall, I'm rather impressed with how easy it was.

Thanks,
Robert

---------------------------------------------------------------------------
Output from Step 3.

[root@rharris /tmp]# upd install kerberos -G"-c"
informational: installed gtools v2_2.
***********************************************************************
You should login as root and execute the command
ups installAsRoot krb5conf v0_6a
on each node using this copy of krb5conf to complete the installation.
(This will happen automatically as part of the kerberos installation).
You will need to be able to write into the /etc directory.
***********************************************************************
informational: installed krb5conf v0_6a.
informational: installed kcommon v1_0.
informational: installed kcroninit v0_6.
***********************************************************************
You should login as root and execute the command
ups install kerberos v0_6
(or one of the other similar kerberos installation commands)
on each node using this copy of kerberos to complete the installation.
See the README.INSTALL file for documentation on the installation options.
***********************************************************************
***********************************************************************
You should login as root and execute the command
ups install kerberos v0_6
(or one of the other similar kerberos installation commands)
on each node using this copy of kerberos to complete the installation.
See the README.INSTALL file for documentation on the installation options.
***********************************************************************
informational: installed kerberos v0_6.
informational: product gtools has an INSTALL_NOTE; you should read /home/cdfsoft/products/gtools/v2_2/Linux+2/ups/INSTALL_NOTE.
informational: product kerberos has an INSTALL_NOTE; you should read /home/cdfsoft/products/kerberos/v0_6/Linux+2.2/ups/INSTALL_NOTE.
upd install succeeded.

-------------------------------------------------------------------------------
Output from Step 4.

[root@rharris /tmp]# ups install-keep-ssh kerberos
Beginning installation of kerberos v0_6 into /usr/krb5.
Do you have the passwords to enable the ftp and host services? (y/n, default y) n
You must have the passwords in order to enable the ftp and host services.
Preparing to configure krb5conf on this node...
Beginning installation of krb5conf v0_6a on rharris.
No previous /etc/krb5.conf exists, create initial version...
Logging the installation in /home/cdfsoft/products/krb5conf/v0_6a/NULL/ups/rharris.log...
Reminder!!!! You must perform this installation on each node that shares this copy of krb5conf.
Installation of krb5conf v0_6a (without afs) on rharris complete.
krb5conf configuration complete.
Preparing to configure service/byname on this node...
Reading template file /home/cdfsoft/products/kerberos/v0_6/Linux+2.2/ups/services.template...
Updating /etc/services file...
Saving backup copy of /etc/services...
service/byname configuration complete.
Preparing to configure host keys on this node...
/home/cdfsoft/products/kerberos/v0_6/Linux+2.2/./sbin/kadmin: option requires an argument -- w
Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]
local args: [-d dbname] [-e "enc:salt ..."] [-m]
ERROR: could not add principal ftp/rharris.telocity.com to keytab file.
/home/cdfsoft/products/kerberos/v0_6/Linux+2.2/./sbin/kadmin: option requires an argument -- w
Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args]
clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]]
local args: [-d dbname] [-e "enc:salt ..."] [-m]
ERROR: could not add principal host/rharris.telocity.com to keytab file.
Preparing to configure inetd on this node...
Reading template file /home/cdfsoft/products/kerberos/v0_6/Linux+2.2/ups/inetd.conf.template...
Updating /etc/inetd.conf file...
Saving backup copy of /etc/inetd.conf...
Sending HUP to inetd...
Sorry, I can't find the inetd process. You'll have to restart it by hand via 'kill -HUP'.
inetd configuration complete.
Preparing to reconfigure sshd on this node...
Reading template file /home/cdfsoft/products/kerberos/v0_6/Linux+2.2/ups/sshd_config.weak.template...
Updating /etc/sshd_config file...
No changes to /etc/sshd_config are required.
sshd configuration complete.
Automated installation of kerberos complete.

IMPORTANT:
1) /etc/krb5.keytab configuration of service "ftp/rharris.telocity.com" was not completed successfully.
2) /etc/krb5.keytab configuration of service "host/rharris.telocity.com" was not completed successfully.
3) inetd daemon 'kill -HUP' was not completed successfully.
These steps should be performed for a complete installation of kerberos.

Optional: you may choose to replace /bin/login with the kerberized version via:
ups install-login kerberos
(not necessary on IRIX platforms).
--------------0F24F41F7CD997C9C435068A-- From kreymer@fnal.gov Thu Aug 10 09:32:59 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA12125 for ; Thu, 10 Aug 2000 09:32:59 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZ200FCZZ2YBI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 10 Aug 2000 09:32:58 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004A8AD@listserv.fnal.gov>; Thu, 10 Aug 2000 09:32:58 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 88929 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 10 Aug 2000 09:32:58 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004A8AC@listserv.fnal.gov>; Thu, 10 Aug 2000 09:32:58 -0500 Received: from CUERVO ([131.225.82.175]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FZ200FCPZ2X7E@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 10 Aug 2000 09:32:58 -0500 (CDT) Date: Thu, 10 Aug 2000 09:32:57 -0500 From: "Mark O. Kaletka" Subject: FW: WRQ Reflection Sender: owner-kerberos-pilot@listserv.fnal.gov To: Kerberos Pilot List Cc: Cele Bruce Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 412 Most excellent news about WRQ OpenGL 3D capabilities! Our thanks to Jeff for testing this! -- Mark K. 
-----Original Message----- From: jeffk@smtp.fnal.gov [mailto:jeffk@smtp.fnal.gov]On Behalf Of Jeff Kallenbach Sent: Thursday, August 10, 2000 9:14 AM To: mcbride@fnal.gov; pcanal@fnal.gov; schmidt@fnal.gov; kaletka@fnal.gov Subject: WRQ Reflection I had a look yesterday at WRQ Reflection, the Windows X server product which may replace Exceed. Using the basic package, I was able to run an OpenGL application on IRIX and display it on the PC using Reflection. So it seems that this has the 3D capability that we need. -- Cheers, Jeff ====================================================================== Jeff Kallenbach |Fermi National Accelerator Lab|Physics Analysis Tools V: (630)840-2210| jeffk@fnal.gov | F: (630)840-2783 ====================================================================== From kreymer@fnal.gov Mon Aug 14 13:44:12 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA13447 for ; Mon, 14 Aug 2000 13:44:12 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZA007UTPDOZH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 14 Aug 2000 13:44:12 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED2D@listserv.fnal.gov>; Mon, 14 Aug 2000 13:44:12 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108087 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 14 Aug 2000 13:44:12 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED2C@listserv.fnal.gov>; Mon, 14 Aug 2000 13:44:12 -0500 Received: from fnal.gov ([131.225.233.158]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZA007UGPDNFL@smtp.fnal.gov>; Mon, 14 Aug 2000 13:44:11 -0500 (CDT) Date: Mon, 14 Aug 2000 13:44:11 -0500 From: Doug Benjamin Subject: 
problems using WRQ kerberos software
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: KERBEROS-PILOT@listserv.fnal.gov, dcd_security_team@fnal.gov
Message-id: <39983DFB.2E4A1A9E@fnal.gov>
Organization: Duke University
MIME-version: 1.0
X-Mailer: Mozilla 4.6 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 413

Hello,

I am writing this message to ask for help using the Reflection Kerberos Manager. I apologize in advance if some of you get this message twice.

I have been following the instructions exactly as found on the web URL: http://www.fnal.gov/docs/strongauth/html/strong_auth.5.html

When I use the Reflection Kerberos Manager to authenticate my principal benjamin@PILOT.FNAL.GOV, I get the following error message

"Client principal not found in Kerberos database (KDC006)"

The realm is PILOT.FNAL.GOV. The KDC list is krb-pilot-1.fnal.gov, Kadmin Server krb-pilot-1.fnal.gov.

I know that my principal name is good because I can use it on fcdfsgi2. As a test I used an ssh program to connect to cdfsga from my PC (dukpc01.fnal.gov) in the cdf trailers. I then use ssh to connect from cdfsga to fcdfsgi2. Once on fcdfsgi2 I issue the kinit command and give it my kerberos password. I then issue the klist command and get this response

> klist -f
Ticket cache: /tmp/krb5cc_1284
Default principal: benjamin@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
08/14/00 13:23:50  08/15/00 15:23:50  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        Flags: FIA

Thank you in advance for any and all help that I receive and for your time.
Respectfully, Doug Benjamin From kreymer@fnal.gov Mon Aug 14 14:00:02 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA13473 for ; Mon, 14 Aug 2000 14:00:02 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZA007THQ41GT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 14 Aug 2000 14:00:02 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED6E@listserv.fnal.gov>; Mon, 14 Aug 2000 14:00:01 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108156 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 14 Aug 2000 14:00:01 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED6D@listserv.fnal.gov>; Mon, 14 Aug 2000 14:00:01 -0500 Received: from CUERVO ([131.225.82.16]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FZA00D3AQ40ML@smtp.fnal.gov>; Mon, 14 Aug 2000 14:00:01 -0500 (CDT) Date: Mon, 14 Aug 2000 14:00:00 -0500 From: "Mark O. 
Kaletka"
Subject: RE: problems using WRQ kerberos software
In-reply-to: <39983DFB.2E4A1A9E@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Doug Benjamin , KERBEROS-PILOT@listserv.fnal.gov, dcd_security_team@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 414

Looks like a typo in your WRQ config; the kdc is logging:

kdc.log:Aug 14 12:54:46 i-krb-2.fnal.gov krb5kdc[8337]: AS_REQ 131.225.233.158(88): CLIENT_NOT_FOUND: benjamin@PILOT.FNAL..GOV for krbtgt/PILOT.FNAL..GOV@PILOT.FNAL..GOV, Client not found in Kerberos database

There are two periods between the FNAL and the GOV, where there should only be one.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Doug
> Benjamin
> Sent: Monday, August 14, 2000 1:44 PM
> To: KERBEROS-PILOT@listserv.fnal.gov; dcd_security_team@fnal.gov
> Subject: problems using WRQ kerberos software
>
>
> Hello,
>
> I am writing this message to ask for help using the Reflection
> Kerberos Manager. I apologize in advance if some of you get this
> message twice.
>
> I have been following the instructions exactly as found on the web
>
> URL: http://www.fnal.gov/docs/strongauth/html/strong_auth.5.html
>
> When I use the Reflection Kerberos Manager to authenticate my
> principal benjamin@PILOT.FNAL.GOV, I get the following error
> message
>
> "Client principal not found in Kerberos database (KDC006)"
>
> The realm is PILOT.FNAL.GOV. The KDC list is krb-pilot-1.fnal.gov
> Kadmin Server krb-pilot-1.fnal.gov.
>
> I know that my principal name is good because I can use it on
> fcdfsgi2. As a test I used an ssh program to connect to
> cdfsga from my PC (dukpc01.fnal.gov) in the cdf trailers.
> I then use ssh to connect from cdfsga to fcdfsgi2. Once on
> fcdfsgi2 I issue the kinit command and give it my kerberos password.
> I then issue the klist command and get this response
>
> > klist -f
> Ticket cache: /tmp/krb5cc_1284
> Default principal: benjamin@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 08/14/00 13:23:50  08/15/00 15:23:50  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
>         Flags: FIA
>
> Thank you in advance for any and all help that I receive and for your
> time.
>
> Respectfully,
>
> Doug Benjamin
>
>

From kreymer@fnal.gov Mon Aug 14 14:10:43 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA13502 for ; Mon, 14 Aug 2000 14:10:43 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZA00E0JQLUKR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 14 Aug 2000 14:10:42 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED85@listserv.fnal.gov>; Mon, 14 Aug 2000 14:10:42 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108182 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 14 Aug 2000 14:10:42 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004ED84@listserv.fnal.gov>; Mon, 14 Aug 2000 14:10:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZA007XXQLTRP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT KERBEROS-PILOT@fnal.gov); Mon, 14 Aug 2000 14:10:42 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA29491; Mon, 14 Aug 2000 14:10:41 -0500
(CDT)
Date: Mon, 14 Aug 2000 14:10:41 -0500
From: Matt Crawford
Subject: Re: problems using WRQ kerberos software
In-reply-to: "14 Aug 2000 13:44:11 CDT." <39983DFB.2E4A1A9E@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Doug Benjamin
Cc: KERBEROS-PILOT@fnal.gov
Message-id: <200008141910.OAA29491@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 415

> When I use the Reflection Kerberos Manager to authenticate my
> principal benjamin@PILOT.FNAL.GOV, I get the following error
> message
>
> "Client principal not found in Kerberos database (KDC006)"

The KDC log file shows several errors like this:

Aug 14 12:54:46 i-krb-2.fnal.gov krb5kdc[8337]: AS_REQ 131.225.233.158(88): CLIENT_NOT_FOUND: benjamin@PILOT.FNAL..GOV for krbtgt/PILOT.FNAL..GOV@PILOT.FNAL..GOV, Client not found in Kerberos database

so please re-check your "Realm" setting for an extra dot.

From kreymer@fnal.gov Mon Aug 14 23:06:59 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id XAA18275 for ; Mon, 14 Aug 2000 23:06:59 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZB0022XFFM7J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 14 Aug 2000 23:06:59 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004F186@listserv.fnal.gov>; Mon, 14 Aug 2000 23:06:58 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 109261 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 14 Aug 2000 23:06:58 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0004F185@listserv.fnal.gov>; Mon, 14 Aug 2000 23:06:58 -0500
Received: from fnal.gov ([131.225.233.158]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZB00IT2FFMW5@smtp.fnal.gov> for
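Added example, not part of the list traffic: a check in C for the failure Mark and Matt read out of kdc.log above (a client realm with an empty label, PILOT.FNAL..GOV). It takes one krb5kdc AS_REQ line, pulls out the client principal (the token before " for ") and its realm, and reports whether the realm is well formed. The first sample line is the one quoted in the thread, with the wrap inside "krbtgt" repaired; the other two lines are constructed to show a clean request and a line the check must ignore. The field layout is taken from the quoted line only, so adjust the parsing if your KDC logs differ.

```c
#include <stdio.h>
#include <string.h>

/* Results of check_kdc_line(). */
enum realm_status {
    NOT_AS_REQ = -1,        /* not an AS_REQ line, or no "client for server" part */
    REALM_OK = 0,
    REALM_EMPTY_LABEL = 1,  /* realm has an empty label: "A..B", ".A" or "A." */
    REALM_MISSING = 2       /* client principal carries no "@REALM" */
};

/* The line Mark and Matt quoted from kdc.log (wrap inside "krbtgt" repaired). */
const char *const SAMPLE_MALFORMED =
    "Aug 14 12:54:46 i-krb-2.fnal.gov krb5kdc[8337]: AS_REQ 131.225.233.158(88): "
    "CLIENT_NOT_FOUND: benjamin@PILOT.FNAL..GOV for krbtgt/PILOT.FNAL..GOV@PILOT.FNAL..GOV, "
    "Client not found in Kerberos database";

/* Constructed: what a successful request for the same user would look like. */
const char *const SAMPLE_OK =
    "Aug 14 13:23:50 i-krb-2.fnal.gov krb5kdc[8337]: AS_REQ 131.225.240.129(88): "
    "ISSUE: authtime 966277430, benjamin@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV";

/* Constructed: a line the check must ignore (not an AS_REQ). */
const char *const SAMPLE_OTHER =
    "Aug 14 13:24:01 i-krb-2.fnal.gov krb5kdc[8337]: TGS_REQ 131.225.240.129(88): "
    "ISSUE: authtime 966277430, benjamin@PILOT.FNAL.GOV for host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV";

/* A realm name is a dot-separated list of labels, none of which may be empty. */
int realm_has_empty_label(const char *realm)
{
    size_t len = strlen(realm);
    if (len == 0 || realm[0] == '.' || realm[len - 1] == '.')
        return 1;
    return strstr(realm, "..") != NULL;
}

/* Examine one KDC log line.  For AS_REQ lines the client principal (the
 * token before " for ") is copied into client[] and a realm_status is
 * returned; other lines return NOT_AS_REQ and leave client[] untouched. */
int check_kdc_line(const char *line, char *client, size_t n)
{
    const char *end, *start, *at;
    size_t len;

    if (strstr(line, " AS_REQ ") == NULL)
        return NOT_AS_REQ;
    end = strstr(line, " for ");
    if (end == NULL)
        return NOT_AS_REQ;
    start = end;                      /* walk back to the space before the principal */
    while (start > line && start[-1] != ' ')
        start--;
    len = (size_t)(end - start);
    if (len == 0 || len >= n)
        return NOT_AS_REQ;
    memcpy(client, start, len);
    client[len] = '\0';

    at = strrchr(client, '@');        /* realm is everything after the last '@' */
    if (at == NULL)
        return REALM_MISSING;
    return realm_has_empty_label(at + 1) ? REALM_EMPTY_LABEL : REALM_OK;
}

/* Convenience wrappers around one static buffer. */
static char last_client[256];

int kdc_line_status(const char *line)
{
    last_client[0] = '\0';
    return check_kdc_line(line, last_client, sizeof last_client);
}

const char *kdc_line_client(const char *line)
{
    kdc_line_status(line);
    return last_client;
}

int main(void)
{
    const char *const samples[] = { SAMPLE_MALFORMED, SAMPLE_OK, SAMPLE_OTHER };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int st = kdc_line_status(samples[i]);
        if (st == REALM_EMPTY_LABEL)
            printf("malformed realm in client principal %s\n", last_client);
        else if (st == REALM_MISSING)
            printf("no realm in client principal %s\n", last_client);
    }
    return 0;
}
```

Run over a real log with a small fgets() loop around check_kdc_line(); only the first sample is reported, and the principal it prints is the one with the doubled dot, which is the same conclusion Mark reached by eye.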
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 14 Aug 2000 23:06:58 -0500 (CDT)
Date: Mon, 14 Aug 2000 23:06:58 -0500
From: Doug Benjamin
Subject: thank you for your help.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka" , Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3998C1E2.95812BD8@fnal.gov>
Organization: Duke University
MIME-version: 1.0
X-Mailer: Mozilla 4.6 [en] (WinNT;  U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 416

Dear Mark and Matt,

I removed the extra dot and am having no troubles. Thank you very much.

Doug Benjamin

From kreymer@fnal.gov Wed Aug 16 15:23:13 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06685 for ; Wed, 16 Aug 2000 15:23:13 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZE0071PJAMOF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 16 Aug 2000 15:23:12 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00050837@listserv.fnal.gov>; Wed, 16 Aug 2000 15:23:11 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 115434 for CPPM_REG_SYSADMINS@LISTSERV.FNAL.GOV; Wed, 16 Aug 2000 15:23:11 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00050836@listserv.fnal.gov>; Wed, 16 Aug 2000 15:23:11 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZE003N5JAM79@smtp.fnal.gov> for cppm_reg_sysadmins@listserv.fnal.gov (ORCPT cppm_reg_sysadmins@fnal.gov); Wed, 16 Aug 2000 15:23:10 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with
ESMTP id PAA13609 for ; Wed, 16 Aug 2000 15:23:10 -0500 (CDT) Date: Wed, 16 Aug 2000 15:23:10 -0500 From: Matt Crawford Subject: Patch, of a sort, for IRIX telnetd vulnerability Sender: owner-cppm_reg_sysadmins@listserv.fnal.gov To: cppm_reg_sysadmins@fnal.gov Message-id: <200008162023.PAA13609@gungnir.fnal.gov> Content-id: <13597.966457290.0@gungnir.fnal.gov> MIME-version: 1.0 Content-type: multipart/mixed; boundary="----- =_aaaaaaaaaa0" Status: RO X-Status: X-Keywords: X-UID: 417 ------- =_aaaaaaaaaa0 Content-Type: text/plain; charset="us-ascii" Content-ID: <13597.966457290.1@gungnir.fnal.gov> Randy Herber has provided an effective but cumbersome-to-apply patch for the IRIX telnetd buffer overflow. ------- =_aaaaaaaaaa0 MIME-Version: 1.0 Content-Type: message/rfc822 Replied: Wed, 16 Aug 2000 14:44:22 -0500 Replied: "Randolph J. Herber" Return-Path: owner-computer_security@listserv.fnal.gov Delivery-Date: Wed, 16 Aug 2000 14:26:11 -0500 Return-Path: owner-computer_security@listserv.fnal.gov Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA13265 for ; Wed, 16 Aug 2000 14:26:11 -0500 (CDT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZE002I4GNML5@smtp.fnal.gov> for crawdad@gungnir.fnal.gov (ORCPT CRAWDAD@FNAL.GOV); Wed, 16 Aug 2000 14:26:11 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005077F@listserv.fnal.gov>; Wed, 16 Aug 2000 14:26:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 115230 for COMPUTER_SECURITY@LISTSERV.FNAL.GOV; Wed, 16 Aug 2000 14:26:11 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005077E@listserv.fnal.gov>; Wed, 16 Aug 2000 14:26:11 -0500 Received: from dcdrjh.fnal.gov ([131.225.232.66]) by smtp.fnal.gov (PMDF V6.0-24 
#44770) with ESMTP id <0FZE002N3GNM1S@smtp.fnal.gov> for computer_security@listserv.fnal.gov (ORCPT computer_security@fnal.fnal.gov) ; Wed, 16 Aug 2000 14:26:10 -0500 (CDT)
Received: (from herber@localhost) by dcdrjh.fnal.gov (8.11.0.Beta1/8.11.0.Beta1) id e7GJQ0n21934 for computer_security@fnal.fnal.gov; Wed, 16 Aug 2000 14:26:00 -0500 (CDT)
Date: Wed, 16 Aug 2000 14:26:00 -0500 (CDT)
From: "Randolph J. Herber"
Subject: Re the recent SGI telnetd exploit
Sender: owner-computer_security@listserv.fnal.gov
To: computer_security@fnal.gov
Reply-to: "Randolph J. Herber"
Message-id: <200008161926.e7GJQ0n21934@dcdrjh.fnal.gov>

I wrote a small program to patch the necessary format string in telnetd in SGI Irix.

Yes, I know that the program is not the easiest program to use.

Hints (for the csh users, echo $? becomes echo $status):

  ./telnetfix < /usr/etc/telnetd > /tmp/telnetd
  echo $?        # NOTE: "echo $status" for csh users
  cmp -l /usr/etc/telnetd /tmp/telnetd
  mv /usr/etc/telnetd /usr/etc/telnetd.200008; cp /tmp/telnetd /usr/etc/telnetd
  chown root.sys /usr/etc/telnetd
  chmod 755 /usr/etc/telnetd

echo $? should return a 0; if it does not, then DO NOT PROCEED FURTHER!

The cmp output should resemble:

  $ cmp -l /usr/etc/telnetd.20000815 /usr/etc/telnetd
  36911  45 151
  36912  56 156
  36913  63 166
  36914  62 141
  36915 163 154
  36916  54 151
  36917  45 144
  36918  56  55
  36919  61 141
  36920  62 162
  36921  70 147

IF IT DOES NOT RESEMBLE, EXCEPT FOR OFFSETS, THEN DO NOT PROCEED FURTHER!
The program:

  #include <string.h>   /* memcmp */
  #include <unistd.h>   /* read, write */

  /* The whole telnetd image is read into memory; 16 MiB is ample for the binary. */
  static char buffer[1<<24];

  /* The vulnerable format string and its replacement.  Both are 39 bytes,
     so the replacement is written in place and no other byte of the
     binary moves. */
  static char find[] = "ignored attempt to setenv(%.32s,%.128s)";
  static char repl[] = "ignored attempt to setenv(invalid-args)";

  int main(int argc, char **argv)
  {
      int size = 0, got;

      /* read() may return less than the whole file; keep reading until EOF. */
      while((got = read(0, buffer + size, sizeof(buffer) - size)) > 0)
          size += got;

      if(got == 0 && size > 0 && size < (int)sizeof(buffer)) {
          char *t;
          int i, n = size - (int)(sizeof(find)-1);
          /* Scan for every occurrence of the format string and overwrite it. */
          for(i = 0, t = buffer; i < n; ++i, ++t) {
              if(memcmp(t,find,sizeof(find)-1)==0) {
                  int j;
                  for(j=0; j<(int)(sizeof(repl)-1); ++j) {
                      t[j] = repl[j];
                  }
                  /* Skip past the replaced text (the loop's ++i/++t add the last step). */
                  i += (int)(sizeof(repl)-2);
                  t += (sizeof(repl)-2);
              }
          }
          if(write(1,buffer,size) != size) {
              write(2,"incomplete\n",11);
              return 1;
          }
          return 0;
      }
      return 2;   /* empty input, read error, or input too large for the buffer */
  }

Randolph J. Herber, herber@dcdrjh.fnal.gov, +1 630 840 2966, CD/CDFTF PK-149F, Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia, IL 60510-0500, USA.
(Speaking for myself and not for US, US DOE, FNAL nor URA.)
(Product, trade, or service marks herein belong to their respective owners.)

------- =_aaaaaaaaaa0--

From kreymer@fnal.gov Tue Aug 22 15:49:38 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20442 for ; Tue, 22 Aug 2000 15:49:38 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZP00J8FOIPYV@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 22 Aug 2000 15:49:37 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E11@listserv.fnal.gov>; Tue, 22 Aug 2000 15:49:37 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 130331 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 22 Aug 2000 15:49:37 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E10@listserv.fnal.gov>; Tue, 22 Aug 2000 15:49:37 -0500
Received: from ncdf30.fnal.gov ([131.225.233.153]) by smtp.fnal.gov (PMDF V6.0-24 #44770)
with ESMTP id <0FZP00J7HOIPWW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 22 Aug 2000 15:49:37 -0500 (CDT)
Received: from ts.infn.it (localhost.localdomain [127.0.0.1]) by ncdf30.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA10185; Tue, 22 Aug 2000 15:50:20 -0500
Date: Tue, 22 Aug 2000 15:50:20 -0500
From: Stefano Belforte
Subject: changing user
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <39A2E78C.6138895@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 418

I just thought of a question.

Sometimes it happens that I need to use a different username than my "standard" one ("belforte", namely). The way I understand the future is that I log in as belforte on my entry system (e.g. the console of my PC here in the CDF trailers, or my PC in Italy), and then just rlogin to any fnal machine without ever typing any password any more. What then if I want to log on machine X as user Y?

Often it happens that special user names have to be set up and shared among people for specific tasks (I know you do not like it, me neither, but life is compromises; as a stupid example, maintenance of Fermi kits software usually calls for a dedicated "products" user and CDF offline code then calls for another "cdfsoft" one) and so, I will not have user Y's cryptocard.

Now that I think of it... what about root? Will "su" work? Will the local CDF trailer system manager still be able to log in as root on my PC and do system maintenance while I work at the console? Will I be able to log in as root from Italy to administer the system myself should that be somehow useful (it is not my favorite model of work, just a hypothetical question)?

Stefano

--
Stefano Belforte - I.N.F.N.
tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99
e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy
Web : http://www.ts.infn.it/~belforte
at Fermilab: CDF trailers 169-N
tel: (630)840-8698

From kreymer@fnal.gov Tue Aug 22 15:58:35 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20456 for ; Tue, 22 Aug 2000 15:58:35 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZP00K7XOXMCB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 22 Aug 2000 15:58:34 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E44@listserv.fnal.gov>; Tue, 22 Aug 2000 15:58:34 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 130389 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 22 Aug 2000 15:58:34 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E43@listserv.fnal.gov>; Tue, 22 Aug 2000 15:58:34 -0500
Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0FZP00K7WOXLA8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 22 Aug 2000 15:58:34 -0500 (CDT)
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA28226; Tue, 22 Aug 2000 15:58:31 -0500
Date: Tue, 22 Aug 2000 15:58:31 -0500
From: Glenn Cooper
Subject: Re: changing user
In-reply-to: <39A2E78C.6138895@ts.infn.it>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 419

Hi Stefano,

The kerberos analogue of the
.shosts file is .k5login. For example, the .k5login file in the "products" account's home directory on our central machines contains the line:

  gcooper@PILOT.FNAL.GOV

When I have logged in as myself, using Kerberos authentication, I can then type "ksu products", and that will start a new shell where my real and effective uid's are those for the products account.

So the idea is that you make .k5login files for each of the specialized accounts, and the trusted users listed in each file can become that user.

Cheers,
Glenn

On Tue, 22 Aug 2000, Stefano Belforte wrote:

> I just thought of a question.
> Sometimes it happens that I need to use a different username
> than my "standard" one ("belforte", namely).
> The way I understand the future is that I log in as belforte on
> my entry system (e.g. the console of my PC here in the CDF
> trailers, or my PC in Italy), and then just rlogin to any
> fnal machine without ever typing any password any more.
> What then if I want to log on machine X as user Y?
> Often it happens that special user names have to be set up
> and shared among people for specific tasks (I know you do not like it,
> me neither, but life is compromises; as a stupid example, maintenance
> of Fermi kits software usually calls for a dedicated "products" user
> and CDF offline code then calls for another "cdfsoft" one) and so,
> I will not have user Y's cryptocard.
>
> Now that I think of it... what about root?
> Will "su" work?
> Will the local CDF trailer system manager still be able to log in as
> root on my PC and do system maintenance while I work at the console?
> Will I be able to log in as root from Italy to administer the
> system myself should that be somehow useful (it is not my favorite
> model of work, just a hypothetical question)?
>
> Stefano
>
> --
> Stefano Belforte - I.N.F.N.
> tel : +39 040 375-6261 (fax: 375-6258)
> Area di Ricerca - Padriciano 99
> e-mail: Stefano.Belforte@ts.infn.it
> 34012 TRIESTE TS - Italy
> Web : http://www.ts.infn.it/~belforte
> at Fermilab: CDF trailers 169-N
> tel: (630)840-8698
>

From kreymer@fnal.gov Tue Aug 22 16:11:29 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA20485 for ; Tue, 22 Aug 2000 16:11:29 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZP00JDJPJ4KI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 22 Aug 2000 16:11:29 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E84@listserv.fnal.gov>; Tue, 22 Aug 2000 16:11:29 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 130465 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 22 Aug 2000 16:11:29 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00053E83@listserv.fnal.gov>; Tue, 22 Aug 2000 16:11:29 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FZP00KAIPJ4CB@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 22 Aug 2000 16:11:28 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA23258; Tue, 22 Aug 2000 16:11:26 -0500 (CDT)
Date: Tue, 22 Aug 2000 16:11:26 -0500
From: Matt Crawford
Subject: Re: changing user
In-reply-to: "22 Aug 2000 15:50:20 CDT."
 <39A2E78C.6138895@ts.infn.it>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov
Message-id: <200008222111.QAA23258@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 420

> The way I understand the future is that I log in as belforte on
> my entry system (e.g. the console of my PC here in the CDF
> trailers, or my PC in Italy), and then just rlogin to any
> fnal machine without ever typing any password any more.
> What then if I want to log on machine X as user Y?

On any system where your local user name does not match the name of your Kerberos principal, create a .k5login file in the home directory of that account containing your kerberos principal, in full:

  cat > $HOME/.k5login << EOF
  belforte@PILOT.FNAL.GOV
  EOF

Then connect to that system (using kerberos rsh, rlogin, telnet) with the flags "-l Y", Y being the local username referred to in your question. (I note you don't have a Kerberos principal "belforte" yet, but I presume you'll be getting one soon.)

> Often it happens that special user names have to be set up
> and shared among people for specific tasks (I know you do not like it,
> me neither, but life is compromises; as a stupid example, maintenance
> of Fermi kits software usually calls for a dedicated "products" user
> and CDF offline code then calls for another "cdfsoft" one) and so,

In this case, do as above. Create a .k5login in the home directory of products or cdfsoft listing all the principals authorized to log in to that account. An advantage of this scheme is you never have to change the password of the shared account (it will be an "xx" or a "*" in the password file) and notify all the authorized users of it.

> I will not have user Y's cryptocard.

Ah, that points out a possible lacking feature in the implementation. Do you have a *requirement* to be able to log in directly to a shared account with a vanilla telnet client and a cryptocard? Bear in mind the following:

> Now that I think of it...
> what about root?
> Will "su" work?

Again, list the principals authorized to be "root" in a .k5login in root's home directory. Then log in over the net with "-l root" or use the "ksu" command. If you have logged in as belforte with a cryptocard you will have a Kerberos ticket cached. Then if root's .k5login includes belforte@PILOT.FNAL.GOV, you can ksu to root. (Or products, or cdfsoft, or wherever a .k5login gives access.)

> Will the local CDF trailer system manager still be able to log in as
> root on my PC and do system maintenance while I work at the console?
> Will I be able to log in as root from Italy to administer the
> system myself should that be somehow useful (it is not my favorite
> model of work, just a hypothetical question)?

With an appropriate .k5login, yes and yes.

Matt

From kreymer@fnal.gov Tue Aug 29 11:46:16 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA25757 for ; Tue, 29 Aug 2000 11:46:16 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0200KJSBX360@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 29 Aug 2000 11:46:15 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00058BF5@listserv.fnal.gov>; Tue, 29 Aug 2000 11:46:15 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 151208 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 29 Aug 2000 11:46:15 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00058BF4@listserv.fnal.gov>; Tue, 29 Aug 2000 11:46:15 -0500
Received: from CUERVO ([131.225.80.193]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0200JHVBX2R6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 29 Aug 2000 11:46:15 -0500 (CDT)
Date: Tue, 29 Aug 2000 11:46:14 -0500
From: "Mark O. Kaletka"
Subject: RE: WRQ Problems
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: krull@fnal.gov
Cc: Kerberos Pilot List
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 421

> -----Original Message-----
> From: Richard A. Krull [mailto:krull@fnal.gov]
> Sent: Monday, August 28, 2000 11:08 AM
> To: kaletka@fnal.gov
> Subject: WRQ Problems
>
>
> Mark,
> Here are the 2 problems that I have.
>
> One is the changing of the password using the Reflections
> Kerberos Manager.
> The error is (Connection aborted (KRB029)

Check that the servers are set correctly in the Reflection Kerberos Manager:

Open the Reflection Kerberos Manager application. Pull down the "Configuration" menu item to "Configure realms..." (or press F3). Select the "Configuration" tab, highlight "PILOT.FNAL.GOV" and press the "Properties..." button. Select the "KDC" tab. The servers should look like:

  KDC list:       krb-pilot-1.fnal.gov
                  krb-pilot-2.fnal.gov
  Kadmin Server:  krb-pilot-admin.fnal.gov

The two KDC's should be listed in the correct order because password changes are immediately updated on the primary KDC but there is a delay in propagating them to the secondary KDC's. If you have a secondary KDC listed first, your new password won't immediately work.

Hmmm, I see our online document doesn't specify the kadmin server...but it seems to default to the first entry in the KDC list, which should work.

If this doesn't cure it, let me know.

>
> The other is when I try to run the Reflection X Client Manager I get Dr.
> Watson.
> The error is ( rx.exe - Exception: privileged instruction
> (0xc0000096), Address: 0x6952451a

Hmmm. I don't get a Dr.
Watson, I get a blue-screen-of-death. I swear, this used to work and I didn't change a thing (well, not more than a few dozen things). :-)

>
>
>
> Rich
>
>

From kreymer@fnal.gov Wed Aug 30 16:24:32 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA01954 for ; Wed, 30 Aug 2000 16:24:32 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0400J3NJGVDY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 30 Aug 2000 16:24:31 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00059D78@listserv.fnal.gov>; Wed, 30 Aug 2000 16:24:32 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 155930 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 30 Aug 2000 16:24:31 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00059D77@listserv.fnal.gov>; Wed, 30 Aug 2000 16:24:31 -0500
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0400J4LJGVED@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 30 Aug 2000 16:24:31 -0500 (CDT)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id e7ULOSO27507 for ; Wed, 30 Aug 2000 16:24:29 -0500 (CDT)
Date: Wed, 30 Aug 2000 16:24:15 -0500
From: aheavey@fnal.gov
Subject: new html version of manual
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200008302124.e7ULOSO27507@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 422

I've reconverted the source document for Strong Authentication at Fermilab to html using a better
tool than I had before. URL hasn't changed: http://www.fnal.gov/docs/strongauth/

The output looks somewhat nicer, but the main improvement is that it now has an index online. I've also incorporated the updates listed at http://www.fnal.gov/docs/strongauth/misc/updates.html.

-- Anne

Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Thu Aug 31 18:12:09 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA04790 for ; Thu, 31 Aug 2000 18:12:09 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G060057CJ48NU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 31 Aug 2000 18:12:08 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005ACBE@listserv.fnal.gov>; Thu, 31 Aug 2000 18:12:09 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 160046 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 31 Aug 2000 18:12:09 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005ACBD@listserv.fnal.gov>; Thu, 31 Aug 2000 18:12:08 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G06003FAJ48NU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal); Thu, 31 Aug 2000 18:12:08 -0500 (CDT)
Date: Thu, 31 Aug 2000 18:12:08 -0500 (CDT)
From: Dane Skow
Subject: reinstalling kerberos on a desktop
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 423

I have a scenario that may not yet be addressed: I'm reinstalling Linux from the distribution server on an
existing machine (with the previous install partition intact). I take this approach a) to test the installation service and b) to protect my previous install in case of troubles with the upgrade.

So, from the Kerberos UPS install point of view, this is a new machine installation. However, I have the old identity of the machine and presumably can just copy over the appropriate secrets from the previous partition (or backup). Is this the recommended practice or would we be treating it as a new machine and reissue the initial passwords? How would this work at 2AM on Sunday when in response to a hard machine crash?

I'm off to RTFM, but since I haven't seen this thread, I thought I'd ask (BTW, is somebody archiving this list for a FAQ generation?) Should we (and make it public)? I think I've saved all the mail I've seen actually, but I was off the list for a little while.

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Sep 4 09:50:56 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA03144 for ; Mon, 4 Sep 2000 09:50:56 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0D00LI1AKVSP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 04 Sep 2000 09:50:56 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005ED9D@listserv.fnal.gov>; Mon, 04 Sep 2000 09:50:55 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 177217 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 04 Sep 2000 09:50:55 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005ED9C@listserv.fnal.gov>; Mon, 04 Sep 2000 09:50:55 -0500
Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770)
with SMTP id <0G0D00LJ2AKUS1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 04 Sep 2000 09:50:55 -0500 (CDT)
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Mon, 04 Sep 2000 16:50 +0100 (CET)
Date: Mon, 04 Sep 2000 16:50:50 +0200
From: Stefano Belforte
Subject: installing kerberos on satellite
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: gomezel@ts.infn.it
Message-id: <39B3B6CA.A5D26DE@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 424

I would like to install kerberos on my desktop workstation, an Alpha running OSF1 v4.0. That workstation is a satellite in a Unix cluster, i.e. most system directories are kept on a common disk on a bigger server and mounted by several satellite nodes, /usr e.g.

In order to know if and what problems may arise when running install from the root account, possibly affecting common areas, we would like a list of which modifications to the system files are done by the kerberos install procedure.

Thanks
Stefano

--
Stefano Belforte - I.N.F.N.
tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99
e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy
Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Mon Sep 4 10:44:01 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA03165 for ; Mon, 4 Sep 2000 10:44:01 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0D00LMXD1DVX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 04 Sep 2000 10:44:01 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005EDBE@listserv.fnal.gov>; Mon, 04 Sep 2000 10:44:01 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 177251 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 04 Sep 2000 10:44:01 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005EDBD@listserv.fnal.gov>; Mon, 04 Sep 2000 10:44:01 -0500
Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0D00LLUD1BKL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 04 Sep 2000 10:44:00 -0500 (CDT)
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Mon, 04 Sep 2000 17:43 +0100 (CET)
Date: Mon, 04 Sep 2000 17:43:56 +0200
From: Stefano Belforte
Subject: problems with upd install kerberos/perl
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: helpdesk@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <39B3C33C.46A63826@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 425

Dear helpdesk,

I just had a strange problem when trying to upd
install kerberos from fnkits. Let's start from the error message:

  [quark] ~ > upd install kerberos -G "-c"
  informational: gtools v2_2 already exists on local node, skipping.
  informational: beginning install of perl.
  Unable to create ftp connection
  error: can't transfer /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 from fnkits to /diskcdf7/products/prd/perl/v5_005/OSF1+V4
  informational: Starting remove of /diskcdf7/products/prd/perl/v5_005/OSF1+V4 in background
  upd install failed.

So the problem is not kerberos. Upd finds out that it has to install first newer versions of gtools and then of perl; I had installed perl v5_004 earlier, now it wants v5_005 (I guess I am going to need more disk space than I ever thought...).

I tried upd -vvv but it gives no further explanation:

  updcmd_install - informational: beginning install of perl.
  upduti_split_archive_file - split ftp://fnkits/ftp/products/perl/v5_005/OS\
  upduti_split_archive_file F1+V4/perl_v5_005_OSF1+V4.tar into ftp|fnkits|\
  upduti_split_archive_file |/ftp/products/perl/v5_005/OSF1+V4|perl_v5_005\
  upduti_split_archive_file _OSF1+V4|tar||
  updxfr_dir - updxfr_dir(fnkits,/ftp/products/perl/v5_005/OSF1+V4,perl_v5_0\
  updxfr_dir 05_OSF1+V4,/diskcdf7/products/prd/perl/v5_005/OSF1+V4
  updxfr_dir - HASH(0x140373208), tar)
  updxfr_dir - arch_type is tar
  login_and_cwd - args node fnkits dir /ftp/products/perl/v5_005/OSF1+V4
  login_and_cwd - Unable to create ftp connection
  updxfr_dir - error: can't transfer /ftp/products/perl/v5_005/OSF1+V4/perl_\
  updxfr_dir v5_005_OSF1+V4 from fnkits to /diskcdf7/products/prd/perl\
  updxfr_dir /v5_005/OSF1+V4
  updxfr_dir - returns 0
  updcmd_split_cleanup - Cleaning up...
  updcmd_split_cleanup - informational: Starting remove of /diskcdf7/products\
  updcmd_split_cleanup /prd/perl/v5_005/OSF1+V4 in background
  cmdline_execute - upd install failed.
If I connect manually to fnkits via anonymous ftp I seem to be able to get the needed files with no problem:

  ftp> ls /ftp/products/perl/v5_005/OSF1+V4
  200 PORT command successful.
  150 Opening ASCII mode data connection for file list.
  /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4
  /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.tar
  /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.ups.tar
  /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table
  /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table.old
  226 Transfer complete.
  ftp>
  ftp> ls -l
  200 PORT command successful.
  150 Opening ASCII mode data connection for directory listing.
  total 68794
  drwxrwx---   3 updadmin upd       512 Mar 16  2000 perl_v5_005_OSF1+V4
  -rw-rw-r--   1 updadmin upd      1245 Mar 23  2000 perl_v5_005_OSF1+V4.table
  -rwxrwx---   1 updadmin upd      1078 Aug 10  1999 perl_v5_005_OSF1+V4.table.old
  -rw-rw----   1 updadmin upd  24729600 Mar 16  2000 perl_v5_005_OSF1+V4.tar
  -rwxrwx---   1 updadmin upd  10445824 Apr 10  2000 perl_v5_005_OSF1+V4.ups.tar
  226 Transfer complete.
  ftp> get perl_v5_005_OSF1+V4.tar
  200 PORT command successful.
  150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.tar (24729600 bytes).
  226 Transfer complete.
  24729600 bytes received in 1.1e+02 seconds (2.2e+02 Kbytes/s)
  ftp> get perl_v5_005_OSF1+V4.ups.tar
  200 PORT command successful.
  150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.ups.tar (10445824 bytes).
  226 Transfer complete.
  10445824 bytes received in 47 seconds (2.2e+02 Kbytes/s)
  ftp>

But I have no idea how to tell upd that these files are there.

I tried from a Solaris machine. There upd install kerberos went smoothly, installing perl v5_005 as well, but when I tried to use the Solaris machine to fetch the OSF version of perl, I got the same problem:

  [stsa11] ~ > upd install perl v5_005 -f OSF1+V4
  informational: beginning install of perl.
  Unable to create ftp connection
  error: can't transfer /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 from fnkits to /home/products/prd/perl/v5_005/OSF1+V4
  informational: Starting remove of /home/products/prd/perl/v5_005/OSF1+V4 in background
  upd install failed.
  [stsa11] ~ >

I seem to be in a no-way-out situation. Any suggestion will be appreciated.

Thanks
Stefano

--
Stefano Belforte - I.N.F.N.
tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99
e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy
Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Mon Sep 4 13:13:52 2000 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA03209 for ; Mon, 4 Sep 2000 13:13:52 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0D0050FJZ40H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 04 Sep 2000 13:13:52 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005EE35@listserv.fnal.gov>; Mon, 04 Sep 2000 13:13:52 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 177375 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 04 Sep 2000 13:13:52 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005EE34@listserv.fnal.gov>; Mon, 04 Sep 2000 13:13:52 -0500
Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0D0040RJZ2WA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 04 Sep 2000 13:13:51 -0500 (CDT)
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Mon, 04 Sep 2000 20:13 +0100 (CET)
Date: Mon, 04 Sep 2000 20:13:48 +0200
From: Stefano Belforte
Subject: confused about principals
Sender:
 owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov, rharris@fnal.gov
Message-id: <39B3E65C.7901656A@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 426

The strong authorization guide http://www.fnal.gov/docs/strongauth/html/unixadmin.html has the following pre-requisite for kerberos installation on a remote node:

  4.1.3 Obtain Host and FTP Passwords

  Contact your Computing Division liaison to request host-specific principals (plus initial passwords) for the machine on which you plan to install kerberos. The liaison will need to provide to the Kerberos administrators the full hostname of the node and arrange a means of getting you the initial passwords securely. The principal names are of the form host/ and ftp/ (e.g., host/mynode.fnal.gov and ftp/mynode.fnal.gov).

Does that mean that I have to get from Fermilab another principal in addition to belforte@pilot.fnal.gov that I just got? Notice also that my machines (I plan to kerberise more than one) are of course in ts.infn.it, not in fnal.gov ... There is nothing in this direction on Robert's quick guide in http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html

Can you clarify? I guess I will try, but before I lock myself out of my system...

Also the following from the strong authentication guide is a bit unclear:

  4.4.1 The /etc/hosts File

  In the /etc/hosts file, make sure that the localhost names include .fnal.gov.

How does this apply to my node in ts.infn.it? What do you mean by localhost names? I have an almost empty /etc/hosts file as I rely on the nameserver; here is my /etc/hosts, which modification do you suggest?
# 127.0.0.1 localhost 140.105.6.101 quark.ts.infn.it quark 140.105.6.163 axts12.ts.infn.it axts12 140.105.6.100 afs1.ts.infn.it afs1 140.105.48.16 dns.univ.trieste.it Thanks Stefano -- Stefano Belforte - I.N.F.N. tel : +39 040 375-6261 (fax: 375-6258) Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte From kreymer@fnal.gov Tue Sep 5 11:18:26 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA10230 for ; Tue, 5 Sep 2000 11:18:26 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F001J197E2L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 11:16:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA29@listserv.fnal.gov>; Tue, 05 Sep 2000 11:16:26 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180684 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 11:16:26 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA28@listserv.fnal.gov>; Tue, 05 Sep 2000 11:16:26 -0500 Received: from dot.phys.unm.edu ([198.59.169.98]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F000H597DV7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 11:16:25 -0500 (CDT) Received: from higgs.phys.unm.edu (IDENT:gold@localhost [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id KAA03474; Tue, 05 Sep 2000 10:16:24 -0600 Date: Tue, 05 Sep 2000 10:16:24 -0600 From: Michael Gold Subject: change of address Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: gold@dot.phys.unm.edu Message-id: <200009051616.KAA03474@dot.phys.unm.edu> MIME-version: 
1.0 X-Mailer: exmh version 2.0.3 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 427 my machine has been changed from dot.phys.unm.edu to higgs.phys.unm.edu 198.59.169.98 please modify my kerberos account accordingly -- Michael Gold Department of Physics and Astronomy University of New Mexico Albuquerque, NM 87131 phone: 505-277-2086, 505-277-3604 fax: 505-277-1520 email: mgold@unm.edu From kreymer@fnal.gov Tue Sep 5 11:19:22 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA10234 for ; Tue, 5 Sep 2000 11:19:22 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F001D29C7EY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 11:19:19 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA38@listserv.fnal.gov>; Tue, 05 Sep 2000 11:19:19 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180700 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 11:19:19 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA37@listserv.fnal.gov>; Tue, 05 Sep 2000 11:19:19 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0F00MJ19C6CA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 11:19:18 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA07267; Tue, 05 Sep 2000 11:19:16 -0500 Date: Tue, 05 Sep 2000 11:19:16 -0500 From: Glenn Cooper Subject: Re: confused about principals In-reply-to: <39B3E65C.7901656A@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: 
kerberos-pilot@fnal.gov, rharris@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 428 Hi Stefano, I think this is just a confusion between your "user" kerberos principal, which you already have, and host/ftp "service" principals, which you need for each node. So yes, you need to get other principal(s) if you want to be able to log in to your local node(s) using kerberized services; but you would still use the same user principal belforte@PILOT.FNAL.GOV . Your machines can be part of the PILOT.FNAL.GOV kerberos realm even though they're not in the fnal.gov network domain--we have several such machines already. I will need to add a line to our local configuration file here for your domain, so let me know when you are ready. Hope this helps, Glenn On Mon, 4 Sep 2000, Stefano Belforte wrote: > The strong authorization guide > http://www.fnal.gov/docs/strongauth/html/unixadmin.html > has the following pre-requisite > for kerberos installation on a remote node: > > 4.1.3 Obtain Host and FTP Passwords > > Contact your Computing Division liaison to request host-specific > principals (plus initial passwords) for the machine on > which you plan to install kerberos. The liaison will need to provide > to the Kerberos administrators the full hostname of > the node and arrange a means of getting you the initial passwords > securely. The principal names are of the form > host/ and ftp/ (e.g., > host/mynode.fnal.gov and > ftp/mynode.fnal.gov). > > > Does that mean that I have to get from Fermilab another principal > in addition to belforte@pilot.fnal.gov that I just got ? > Notice also that my machines (I paln to kerberise more then one) > is of course in ts.infn.it, not in fnal.gov ... > There is nothing in this direction on Robert's quick guide > in > http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html > > Can you clarify ? 
> > I guess I will try, but before I lock myself out of my system... > > Also the following from the strong authentication guide is > a bit unclear : > > 4.4.1 The /etc/hosts File > > In the /etc/hosts file, make sure that the localhost names include > .fnal.gov. > > How does this apply to my node in ts.infn.it ? What do you mean by > localhost names ? I have an almost empty /etc/hosts file as I rely > on nameserver, here is my /etc/hosts, which modification do you > suggest ? > # > 127.0.0.1 localhost > 140.105.6.101 quark.ts.infn.it quark > 140.105.6.163 axts12.ts.infn.it axts12 > 140.105.6.100 afs1.ts.infn.it afs1 > 140.105.48.16 dns.univ.trieste.it > > > Thanks > Stefano > -- > Stefano Belforte - I.N.F.N. tel : +39 040 375-6261 (fax: 375-6258) > Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it > 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte > From kreymer@fnal.gov Tue Sep 5 11:24:29 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA10242 for ; Tue, 5 Sep 2000 11:24:29 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F00MKD9KNCA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 11:24:23 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA4B@listserv.fnal.gov>; Tue, 05 Sep 2000 11:24:23 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180719 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 11:24:23 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA4A@listserv.fnal.gov>; Tue, 05 Sep 2000 11:24:23 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0F00MX69KM9D@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 11:24:23 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA07278; Tue, 05 Sep 2000 11:24:20 -0500 Date: Tue, 05 Sep 2000 11:24:20 -0500 From: Glenn Cooper Subject: Re: problems with upd install kerberos/perl In-reply-to: <39B3C33C.46A63826@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: helpdesk@fnal.gov, kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 429 Hi Stefano, This is just a guess, but the errors you got suggest to me that your node quark may not be registered to use upd. If not, you can register by filling out the form at: http://www.fnal.gov/cd/forms/upd_registration.html\ If you've already done that, then obviously my guess is wrong! Maybe others will have a better idea in that case. Cheers, Glenn On Mon, 4 Sep 2000, Stefano Belforte wrote: > Dear helpdesk, > I just had a strange problem when trying to upd install > kerberos from fnkits. > Let's start from the error message: > > [quark] ~ > upd install kerberos -G "-c" > informational: gtools v2_2 already exists on local node, skipping. > informational: beginning install of perl. > Unable to create ftp connection > error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > from fnkits to > /diskcdf7/products/prd/perl/v5_005/OSF1+V4 > informational: Starting remove of > /diskcdf7/products/prd/perl/v5_005/OSF1+V4 in background > upd install failed. > > So the problem is not kerberos. Upd finds out that it has to install > first newer versions of gtools and then of perl, I had installed earlier > perl v5_004, now it wants v5_005 (I guess I am going to need more disk > space then I ever thought...). 
> I tried upd -vvv but it gives not further explanation: > > updcmd_install - informational: beginning install of perl. > upduti_split_archive_file - split > ftp://fnkits/ftp/products/perl/v5_005/OS\ > upduti_split_archive_file F1+V4/perl_v5_005_OSF1+V4.tar into > ftp|fnkits|\ > upduti_split_archive_file > |/ftp/products/perl/v5_005/OSF1+V4|perl_v5_005\ > upduti_split_archive_file _OSF1+V4|tar|| > updxfr_dir - > updxfr_dir(fnkits,/ftp/products/perl/v5_005/OSF1+V4,perl_v5_0\ > updxfr_dir 05_OSF1+V4,/diskcdf7/products/prd/perl/v5_005/OSF1+V4 > updxfr_dir - HASH(0x140373208), tar) > updxfr_dir - arch_type is tar > login_and_cwd - args node fnkits dir > /ftp/products/perl/v5_005/OSF1+V4 > login_and_cwd - Unable to create ftp connection > updxfr_dir - error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_\ > updxfr_dir v5_005_OSF1+V4 > from fnkits to > /diskcdf7/products/prd/perl\ > updxfr_dir /v5_005/OSF1+V4 > updxfr_dir - returns 0 > updcmd_split_cleanup - Cleaning up... > updcmd_split_cleanup - informational: Starting remove of > /diskcdf7/products\ > updcmd_split_cleanup /prd/perl/v5_005/OSF1+V4 in background > cmdline_execute - upd install failed. > > > > If I connect manually to fnkits via anonymous ftp I seem to be able to > get the needed files with no problem: > ftp> ls /ftp/products/perl/v5_005/OSF1+V4 > 200 PORT command successful. > 150 Opening ASCII mode data connection for file list. > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.tar > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.ups.tar > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table.old > 226 Transfer complete. > ftp> > ftp> ls -l > 200 PORT command successful. > 150 Opening ASCII mode data connection for directory listing. 
> total 68794 > drwxrwx--- 3 updadmin upd 512 Mar 16 2000 > perl_v5_005_OSF1+V4 > -rw-rw-r-- 1 updadmin upd 1245 Mar 23 2000 > perl_v5_005_OSF1+V4.table > -rwxrwx--- 1 updadmin upd 1078 Aug 10 1999 > perl_v5_005_OSF1+V4.table.old > -rw-rw---- 1 updadmin upd 24729600 Mar 16 2000 > perl_v5_005_OSF1+V4.tar > -rwxrwx--- 1 updadmin upd 10445824 Apr 10 2000 > perl_v5_005_OSF1+V4.ups.tar > 226 Transfer complete. > ftp> get perl_v5_005_OSF1+V4.tar > 200 PORT command successful. > 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.tar > (24729600 bytes). > 226 Transfer complete. > 24729600 bytes received in 1.1e+02 seconds (2.2e+02 Kbytes/s) > ftp> get perl_v5_005_OSF1+V4.ups.tar > 200 PORT command successful. > 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.ups.tar > (10445824 bytes). > 226 Transfer complete. > 10445824 bytes received in 47 seconds (2.2e+02 Kbytes/s) > ftp> > > > But I have no idea how to tell upd that these files are there. > > I tried from a Solaris machine. > There upd install kerberos went smootly, installing perl v5_005 as > well, but when i tried to use the Solaris machine to fetch the > OSF version of perl, I got the same problem: > > [stsa11] ~ > upd install perl v5_005 -f OSF1+V4 > informational: beginning install of perl. > Unable to create ftp connection > error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > from fnkits to > /home/products/prd/perl/v5_005/OSF1+V4 > informational: Starting remove of /home/products/prd/perl/v5_005/OSF1+V4 > in background > upd install failed. > [stsa11] ~ > > > I seem to be in a no-way-out situation. > > Any suggesion will be appreciated. > Thanks > Stefano > > -- > Stefano Belforte - I.N.F.N. 
tel : +39 040 375-6261 (fax: 375-6258) > Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it > 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte > From kreymer@fnal.gov Tue Sep 5 11:35:19 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA10258 for ; Tue, 5 Sep 2000 11:35:19 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F00MN5A2UCA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 11:35:18 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA6A@listserv.fnal.gov>; Tue, 05 Sep 2000 11:35:18 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180751 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 11:35:18 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FA69@listserv.fnal.gov>; Tue, 05 Sep 2000 11:35:18 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0F000O8A2T2W@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 11:35:17 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA07296; Tue, 05 Sep 2000 11:35:15 -0500 Date: Tue, 05 Sep 2000 11:35:15 -0500 From: Glenn Cooper Subject: Re: installing kerberos on satellite In-reply-to: <39B3B6CA.A5D26DE@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, gomezel@ts.infn.it Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 430 Hi Stefano, Note that there are actually two steps to 
installing kerberos using UPS/UPD: 1) upd install kerberos v0_6 -G -c done as user products 2) ups install kerberos done as user root Step 1) changes files only in your products area, /usr/products or whatever you use. Step 2) modifies or adds: - the entire /usr/krb5 area (used only by the kerberos stuff) - /etc/krb5.conf - /etc/krb5.keytab - /etc/inetd.conf - /etc/services - /etc/sshd_config Optionally, you can do 3) ups install-login kerberos which modifies the /bin/login executable so that you get a ticket when you log in at the console. Hope this helps, Glenn On Mon, 4 Sep 2000, Stefano Belforte wrote: > I would like to install keberos on my desktop workstation, > an Alpha running OSF1 v4.0. That workstation is a satellite > in a Unix cluster, i.e. most system directories are kept > on a common disk on a bigger server and mounted by several > satellite nodes, /usr e.g. > In order to know if and what problems my arise when running > install from root account possibly affecting common > areas, we would like a list of which modifications to the > system files are done by the kerberos install procedure. > Thanks > Stefano > -- > Stefano Belforte - I.N.F.N. 
tel : +39 040 375-6261 (fax: 375-6258) > Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it > 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte > From kreymer@fnal.gov Tue Sep 5 11:55:10 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA10297 for ; Tue, 5 Sep 2000 11:55:10 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F001OSAZY2L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 11:55:10 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FABF@listserv.fnal.gov>; Tue, 05 Sep 2000 11:55:10 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180846 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 11:55:10 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FABE@listserv.fnal.gov>; Tue, 05 Sep 2000 11:55:10 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F00MQZAZX8O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 11:55:09 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA07893; Tue, 05 Sep 2000 11:55:06 -0500 (CDT) Date: Tue, 05 Sep 2000 11:55:06 -0500 From: Matt Crawford Subject: Re: installing kerberos on satellite In-reply-to: "04 Sep 2000 16:50:50 +0200." 
<39B3B6CA.A5D26DE@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, gomezel@ts.infn.it Message-id: <200009051655.LAA07893@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 431 > In order to know if and what problems my arise when running > install from root account possibly affecting common > areas, we would like a list of which modifications to the > system files are done by the kerberos install procedure. Sure. All files which are modified (as opposed to created from nothing) have their previous versions backed up to a new neame formed by appending a period and the date of the Kerberos installation. Those files are /etc/inetd.conf /etc/services /etc/sshd_config (if present) Also, if this is a repeat installation then /etc/krb5.conf may be modified (and the old version saved). Besides this file, one other new file is created in /etc, and that is /etc/krb5.keytab and it is readable only by root. A set of new directories is created under /usr/krb5. If you use the "kcron" features, some files will be created under /var/adm/krb5 as well. 
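For a satellite node whose /etc is shared, the file list and backup convention Matt gives above can be turned into a post-install audit: diff each modified file against its dated backup and confirm the keytab stayed private. This is an added example, not code from the thread or from the Fermilab kit; the function names, the directory and date-suffix parameters, and the sample files used in the test are my own constructions.

```shell
#!/bin/sh
# Added example (not from the thread): audit what a Kerberos install did to
# the system files listed in the replies above. The installer saves each
# file it modifies as <file>.<date>, so comparing the backup with the live
# copy shows exactly what changed; /etc/krb5.keytab is created new and must
# stay readable by root only.
# Usage: krb_audit /etc 20000905   (the suffix is the install date)

# Files the installer modifies in place (sshd_config only if present).
KRB_MODIFIED_FILES="inetd.conf services sshd_config"

# krb_added_lines ETCDIR FILE SUFFIX
# Prints the lines present in ETCDIR/FILE that are absent from the backup
# ETCDIR/FILE.SUFFIX (whole-line, fixed-string comparison). Prints nothing
# when the two files agree.
krb_added_lines() {
    etc="$1"; f="$2"; suffix="$3"
    grep -vxF -f "$etc/$f.$suffix" "$etc/$f" || true
}

# krb_keytab_private KEYTAB
# Returns 0 if KEYTAB exists and is readable by its owner only (mode 600
# or 400); 1 otherwise. Ownership by root is deliberately not checked so
# the function can be exercised without privilege.
krb_keytab_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c1-10)" in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# krb_audit ETCDIR SUFFIX
# Reports the lines added to every modified file and checks the keytab.
# Returns 1 if a file exists without its dated backup (the install touched
# it without saving the old copy, or the suffix is wrong) or if the keytab
# is readable by group/others; 0 otherwise.
krb_audit() {
    etc="$1"; suffix="$2"; rc=0
    for f in $KRB_MODIFIED_FILES; do
        [ -e "$etc/$f" ] || continue
        if [ ! -e "$etc/$f.$suffix" ]; then
            echo "MISSING BACKUP: $etc/$f.$suffix"
            rc=1
            continue
        fi
        echo "== $f: lines added since $f.$suffix"
        krb_added_lines "$etc" "$f" "$suffix"
    done
    if [ -e "$etc/krb5.keytab" ] && ! krb_keytab_private "$etc/krb5.keytab"; then
        echo "WARNING: $etc/krb5.keytab is readable by others"
        rc=1
    fi
    return $rc
}

# Run the audit when invoked with a directory and a date suffix.
if [ "$#" -ge 2 ]; then
    krb_audit "$1" "$2"
fi
```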
From kreymer@fnal.gov Tue Sep 5 12:00:16 2000 -0500
From: Michael Gold
Date: Tue, 05 Sep 2000 11:59:22 -0500
Subject: new machine
To: kerberos-pilot@fnal.gov
Cc: gold@fnal.gov

I don't know if my previous email got thru, but my machine is now
"higgs@phys.unm.edu". Can you set up kerberos so that I can connect from
this machine?
From kreymer@fnal.gov Tue Sep 5 12:10:07 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA10378 for ; Tue, 5 Sep 2000 12:10:07 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F000R1BOUV7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 12:10:06 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FAE1@listserv.fnal.gov>; Tue, 05 Sep 2000 12:10:06 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180882 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 12:10:06 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FAE0@listserv.fnal.gov>; Tue, 05 Sep 2000 12:10:06 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F0033UBOUTS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 12:10:06 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA07997; Tue, 05 Sep 2000 12:10:03 -0500 (CDT) Date: Tue, 05 Sep 2000 12:10:03 -0500 From: Matt Crawford Subject: Re: problems with upd install kerberos/perl In-reply-to: "04 Sep 2000 17:43:56 +0200." <39B3C33C.46A63826@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: helpdesk@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200009051710.MAA07997@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 433 Helpdesk: please direct this to the products-maintenance people or to the maintainer of perl in particular. 
I suspect that the problem lies in the fact that upd is trying to use this URL as the source of the perl package: > ftp://fnkits/ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.tar And "fnkits" should be "fnkits.fnal.gov" to allow users outside fnal.gov to do the install. Stefano, if my guess is right, here's a possible workaround until upd is fixed. Try editing /etc/resolv.conf to modify or add a line searchlist ts.infn.it infn.it fnal.gov This has nothign to do with kerberos, but it will cause all name lookups to try those three domains in order. > Dear helpdesk, > I just had a strange problem when trying to upd install > kerberos from fnkits. > Let's start from the error message: > > [quark] ~ > upd install kerberos -G "-c" > informational: gtools v2_2 already exists on local node, skipping. > informational: beginning install of perl. > Unable to create ftp connection > error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > from fnkits to > /diskcdf7/products/prd/perl/v5_005/OSF1+V4 > informational: Starting remove of > /diskcdf7/products/prd/perl/v5_005/OSF1+V4 in background > upd install failed. > > So the problem is not kerberos. Upd finds out that it has to install > first newer versions of gtools and then of perl, I had installed earlier > perl v5_004, now it wants v5_005 (I guess I am going to need more disk > space then I ever thought...). > I tried upd -vvv but it gives not further explanation: > > updcmd_install - informational: beginning install of perl. 
> upduti_split_archive_file - split > ftp://fnkits/ftp/products/perl/v5_005/OS\ > upduti_split_archive_file F1+V4/perl_v5_005_OSF1+V4.tar into > ftp|fnkits|\ > upduti_split_archive_file > |/ftp/products/perl/v5_005/OSF1+V4|perl_v5_005\ > upduti_split_archive_file _OSF1+V4|tar|| > updxfr_dir - > updxfr_dir(fnkits,/ftp/products/perl/v5_005/OSF1+V4,perl_v5_0\ > updxfr_dir 05_OSF1+V4,/diskcdf7/products/prd/perl/v5_005/OSF1+V4 > updxfr_dir - HASH(0x140373208), tar) > updxfr_dir - arch_type is tar > login_and_cwd - args node fnkits dir > /ftp/products/perl/v5_005/OSF1+V4 > login_and_cwd - Unable to create ftp connection > updxfr_dir - error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_\ > updxfr_dir v5_005_OSF1+V4 > from fnkits to > /diskcdf7/products/prd/perl\ > updxfr_dir /v5_005/OSF1+V4 > updxfr_dir - returns 0 > updcmd_split_cleanup - Cleaning up... > updcmd_split_cleanup - informational: Starting remove of > /diskcdf7/products\ > updcmd_split_cleanup /prd/perl/v5_005/OSF1+V4 in background > cmdline_execute - upd install failed. > > > > If I connect manually to fnkits via anonymous ftp I seem to be able to > get the needed files with no problem: > ftp> ls /ftp/products/perl/v5_005/OSF1+V4 > 200 PORT command successful. > 150 Opening ASCII mode data connection for file list. > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.tar > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.ups.tar > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table.old > 226 Transfer complete. > ftp> > ftp> ls -l > 200 PORT command successful. > 150 Opening ASCII mode data connection for directory listing. 
> total 68794 > drwxrwx--- 3 updadmin upd 512 Mar 16 2000 > perl_v5_005_OSF1+V4 > -rw-rw-r-- 1 updadmin upd 1245 Mar 23 2000 > perl_v5_005_OSF1+V4.table > -rwxrwx--- 1 updadmin upd 1078 Aug 10 1999 > perl_v5_005_OSF1+V4.table.old > -rw-rw---- 1 updadmin upd 24729600 Mar 16 2000 > perl_v5_005_OSF1+V4.tar > -rwxrwx--- 1 updadmin upd 10445824 Apr 10 2000 > perl_v5_005_OSF1+V4.ups.tar > 226 Transfer complete. > ftp> get perl_v5_005_OSF1+V4.tar > 200 PORT command successful. > 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.tar > (24729600 bytes). > 226 Transfer complete. > 24729600 bytes received in 1.1e+02 seconds (2.2e+02 Kbytes/s) > ftp> get perl_v5_005_OSF1+V4.ups.tar > 200 PORT command successful. > 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.ups.tar > (10445824 bytes). > 226 Transfer complete. > 10445824 bytes received in 47 seconds (2.2e+02 Kbytes/s) > ftp> > > > But I have no idea how to tell upd that these files are there. > > I tried from a Solaris machine. > There upd install kerberos went smootly, installing perl v5_005 as > well, but when i tried to use the Solaris machine to fetch the > OSF version of perl, I got the same problem: > > [stsa11] ~ > upd install perl v5_005 -f OSF1+V4 > informational: beginning install of perl. > Unable to create ftp connection > error: can't transfer > /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4 > from fnkits to > /home/products/prd/perl/v5_005/OSF1+V4 > informational: Starting remove of /home/products/prd/perl/v5_005/OSF1+V4 > in background > upd install failed. > [stsa11] ~ > > > I seem to be in a no-way-out situation. > > Any suggesion will be appreciated. > Thanks > Stefano > > -- > Stefano Belforte - I.N.F.N. 
tel : +39 040 375-6261 (fax: 375-6258) > Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it > 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte From kreymer@fnal.gov Tue Sep 5 13:00:00 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA10438 for ; Tue, 5 Sep 2000 13:00:00 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F00MTGDZZL3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 12:59:59 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FB4C@listserv.fnal.gov>; Tue, 05 Sep 2000 12:59:59 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180997 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 12:59:59 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FB4B@listserv.fnal.gov>; Tue, 05 Sep 2000 12:59:59 -0500 Received: from CUERVO ([131.225.82.38]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G0F001NUDZY95@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 12:59:59 -0500 (CDT) Date: Tue, 05 Sep 2000 12:59:58 -0500 From: "Mark O. 
Kaletka" Subject: RE: problems with upd install kerberos/perl In-reply-to: <200009051710.MAA07997@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford , Stefano Belforte Cc: helpdesk@fnal.gov, kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 434 Actually, this was resolved as due to a problem in the product declaration for perl in the OSF flavor but not re-posted to the kerberos-pilot list. Here's a copy of the trouble ticket report: From: owner-csi-help@listserv.fnal.gov on behalf of ARSystem [helpdesk@fnal.gov] Sent: Tuesday, September 05, 2000 11:57 AM To: 'csi-help@fnal.gov' Subject: NAYMOLA, STAN #13926 Resolved. Thank you for your assistance. Help Desk ticket #000000000013926 has been resolved on 9/5/00 11:52:31 AM Resolution Timestamp: : 9/5/00 11:52:07 AM Solution Category : System Configuration Error Problem Category : Software Type : Products Item : upd Short Description : problems with upd install kerberos/perl Solution : There was a problem with the declaration for the OSF1+V4 instance of perl v5_005 on fnkits, where its tarfile was listed as: ftp://fnkits/products/perl/v5_005/... instead of ftp://fnkits.fnal.gov/products/perl/v5_005 so, in lacking the full domainname, it was probably trying to reach fnkits.infn.it or some such silliness, but this of course did not work. The declaration has been corrected to list the full domain name in the URL, and installs should now work from off-site. 
>...snip...< From kreymer@fnal.gov Tue Sep 5 13:20:12 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA10452 for ; Tue, 5 Sep 2000 13:20:12 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F005C3EXN38@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Sep 2000 13:20:11 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FB79@listserv.fnal.gov>; Tue, 05 Sep 2000 13:20:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 181043 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Sep 2000 13:20:11 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0005FB78@listserv.fnal.gov>; Tue, 05 Sep 2000 13:20:11 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G0F004BTEXMUF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Sep 2000 13:20:10 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA08429; Tue, 05 Sep 2000 13:20:08 -0500 (CDT) Date: Tue, 05 Sep 2000 13:20:08 -0500 From: Matt Crawford Subject: Re: confused about principals In-reply-to: "04 Sep 2000 20:13:48 +0200." <39B3E65C.7901656A@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, rharris@fnal.gov Message-id: <200009051820.NAA08429@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 435 > Contact your Computing Division liaison to request host-specific > principals (plus initial passwords) for the machine on > which you plan to install kerberos. ... 
>
> Does that mean that I have to get from Fermilab another principal
> in addition to belforte@pilot.fnal.gov that I just got ?

Any machine that is to be *reachable* by Kerberos must have these "service principals" and their associated keys. That's so that the KDC can construct a message which is decipherable only by the service (the host) itself, which will prove that the presenter of the credentials has been verified to be belforte@PILOT.FNAL.GOV.

If you'll use the machine as your desktop and log in with your Unix (or Windows) password only, and then do kinit and access Kerberos services elsewhere, you do not need to do this step. But to use Kerberos for access into the machine, you must.

> Notice also that my machines (I plan to kerberise more than one)
> is of course in ts.infn.it, not in fnal.gov ...
> There is nothing in this direction on Robert's quick guide
> in http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html
>
> Can you clarify ?

Yes. Use the full domain name of your system, whether it ends with "fnal.gov" or not. So if you need the host & ftp service principals described above, they will be host/quark.ts.infn.it@PILOT.FNAL.GOV and ftp/quark.ts.infn.it@PILOT.FNAL.GOV.

Here's one more catch -- after you install Kerberos on quark, then if you try to connect to quark with Kerberos, the application needs to be told that the proper Kerberos realm is PILOT.FNAL.GOV. The krb5.conf file we distribute now includes just one rule:

    [domain_realm]
        .fnal.gov = PILOT.FNAL.GOV

telling applications that any hostname ending in ".fnal.gov" should be assumed to be in Kerberos realm PILOT.FNAL.GOV. To inform rsh, rlogin, telnet or ftp that quark is in that realm, there are two choices: we can add a rule like ".ts.infn.it = PILOT.FNAL.GOV" to the configuration file, or you can add "-k PILOT.FNAL.GOV" to the command line, as in

    telnet -x -k PILOT.FNAL.GOV quark.ts.infn.it

Or, more likely, you can use the second method until the first is in place.
> Also the following from the strong authentication guide is
> a bit unclear :
>
> 4.4.1 The /etc/hosts File
>
> In the /etc/hosts file, make sure that the localhost names include
> .fnal.gov.
>
> How does this apply to my node in ts.infn.it ? What do you mean by
> localhost names ?

We'll have to fix the wording. It ought to say something like

    make sure that the "official" (first-listed) host name is the
    full name, including the domain.

> I have an almost empty /etc/hosts file as I rely
> on nameserver, here is my /etc/hosts, which modification do you
> suggest ?
> #
> 127.0.0.1       localhost
> 140.105.6.101   quark.ts.infn.it   quark
> 140.105.6.163   axts12.ts.infn.it  axts12
> 140.105.6.100   afs1.ts.infn.it    afs1
> 140.105.48.16   dns.univ.trieste.it

It's fine as it is.
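As an added example (not part of the thread, and not the distributed krb5.conf or any Fermilab tool), a Python sketch of the two points this reply hinges on: how a client maps a hostname to a realm through [domain_realm] rules, with "-k REALM" as the fallback, and whether a host's own /etc/hosts line lists its fully qualified name first, the same check Matt applies later in the thread to the Linux ftp servers. The ".ts.infn.it" rule is the one proposed above; the sample host tables are constructed from the lines quoted in the thread.

```python
# Added example, not code from the kerberos-pilot thread: how a Kerberos
# client chooses a service principal for a host from the [domain_realm]
# rules, and a check of the /etc/hosts ordering the thread says matters.
# Realm, hostnames and addresses are those discussed in the thread; the
# ".ts.infn.it" rule is the one Matt Crawford proposes adding.

# [domain_realm] rules exactly as they would appear in krb5.conf.  Per MIT
# krb5 semantics a key with a leading dot matches that domain and all of
# its subdomains; a key without one matches a single host.
DOMAIN_REALM = {
    ".fnal.gov": "PILOT.FNAL.GOV",
    ".ts.infn.it": "PILOT.FNAL.GOV",   # proposed rule for quark
}


def realm_for_host(hostname, rules=DOMAIN_REALM, default_realm=None):
    """Map a hostname to a realm: exact host first, then each parent domain.

    default_realm stands in for the "-k REALM" a user passes on the
    command line when krb5.conf has no matching rule.  Returns None when
    neither applies.
    """
    host = hostname.lower().rstrip(".")
    if host in rules:
        return rules[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in rules:
            return rules[candidate]
    return default_realm


def service_principal(service, hostname, rules=DOMAIN_REALM, default_realm=None):
    """The principal a client asks the KDC for, e.g. ftp/quark.ts.infn.it@PILOT.FNAL.GOV."""
    realm = realm_for_host(hostname, rules, default_realm)
    if realm is None:
        raise LookupError(f"no realm rule for {hostname}; pass -k REALM")
    return f"{service}/{hostname.lower().rstrip('.')}@{realm}"


def hosts_names(hosts_text, address):
    """All names on the /etc/hosts line for an address, official name first."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) > 1 and fields[0] == address:
            return fields[1:]
    return []


def check_hosts_entry(hosts_text, address, service="ftp",
                      server_realm="PILOT.FNAL.GOV", rules=DOMAIN_REALM):
    """Compare what a kerberized server derives from its own host table with
    what a client presents, reproducing the mismatch behind the thread's
    "Wrong principal in request" error."""
    names = hosts_names(hosts_text, address)
    if not names:
        return {"ok": False, "reason": f"{address} not in hosts table"}
    fqdn = next((n for n in names if "." in n), None)
    if fqdn is None:
        return {"ok": False, "reason": "no fully qualified name on the line"}
    # The server names itself after the first-listed ("official") name.
    server_expects = f"{service}/{names[0]}@{server_realm}"
    # The client resolves the full name and maps it through domain_realm.
    client_presents = service_principal(service, fqdn, rules, server_realm)
    ok = server_expects == client_presents
    return {
        "ok": ok,
        "server_expects": server_expects,
        "client_presents": client_presents,
        "reason": None if ok else "official name is not fully qualified",
    }


# Constructed sample tables: quark's /etc/hosts as posted in the thread, and
# the right and wrong gungnir lines from the "Linux kerberized ftp servers" reply.
QUARK_HOSTS = """\
#
127.0.0.1       localhost
140.105.6.101   quark.ts.infn.it   quark
140.105.6.163   axts12.ts.infn.it  axts12
140.105.6.100   afs1.ts.infn.it    afs1
140.105.48.16   dns.univ.trieste.it
"""
GOOD_GUNGNIR = "131.225.80.1    gungnir.fnal.gov    gungnir\n"
BAD_GUNGNIR = "131.225.80.1    gungnir    gungnir.fnal.gov\n"

if __name__ == "__main__":
    print(service_principal("host", "quark.ts.infn.it"))
    # With only the distributed ".fnal.gov" rule, quark needs -k:
    print(realm_for_host("quark.ts.infn.it", {".fnal.gov": "PILOT.FNAL.GOV"}))
    for label, table, addr in (("quark", QUARK_HOSTS, "140.105.6.101"),
                               ("gungnir ok", GOOD_GUNGNIR, "131.225.80.1"),
                               ("gungnir bad", BAD_GUNGNIR, "131.225.80.1")):
        print(label, check_hosts_entry(table, addr))
```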
Date: Tue, 05 Sep 2000 13:34:42 -0500 (CDT)
From: Steven Timm
Subject: Changing a node name
To: kerberos-pilot@fnal.gov

If a kerberized node is going to change its name to some other name, does the host principal have to change too, or do you just get a new host principal? What are the steps that would have to be taken to make that change on the node in question?

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations
Date: Tue, 05 Sep 2000 22:46:17 +0200
From: Stefano Belforte
Subject: Re: Help Desk Ticket 13926 Has Been Resolved.
To: ARSystem
Cc: kerberos-pilot@fnal.gov

It works now indeed, and I just installed perl v5_005 for OSF on my system.
Thanks a lot, it was a very fast and effective response.

Stefano

ARSystem wrote:
>
> We have received a resolution from our support staff. If you find the
> resolution inadequate in any way, please contact us.
> If we do not hear from you within 14 days, we will close the problem.
> However, the report can easily be re-opened if necessary.
>
> Short Description : problems with upd install kerberos/perl
> Solution :
> There was a problem with the declaration for the OSF1+V4 instance
> of perl v5_005 on fnkits, where its tarfile was listed as:
> ftp://fnkits/products/perl/v5_005/...
> instead of
> ftp://fnkits.fnal.gov/products/perl/v5_005
> so, in lacking the full domainname, it was probably trying
> to reach fnkits.infn.it or some such silliness, but this of course
> did not work.
>
> The declaration has been corrected to list the full domain name
> in the URL, and installs should now work from off-site.
> Problem Description : Dear helpdesk,
> I just had a strange problem when trying to upd install
> kerberos from fnkits.
> Let's start from the error message:
>
> [quark] ~ > upd install kerberos -G "-c"
> informational: gtools v2_2 already exists on local node, skipping.
> informational: beginning install of perl.
> Unable to create ftp connection
> error: can't transfer
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4
> from fnkits to
> /diskcdf7/products/prd/perl/v5_005/OSF1+V4
> informational: Starting remove of
> /diskcdf7/products/prd/perl/v5_005/OSF1+V4 in background
> upd install failed.
>
> So the problem is not kerberos. Upd finds out that it has to install
> first newer versions of gtools and then of perl, I had installed earlier
> perl v5_004, now it wants v5_005 (I guess I am going to need more disk
> space than I ever thought...).
> I tried upd -vvv but it gives no further explanation:
>
> updcmd_install - informational: beginning install of perl.
> upduti_split_archive_file - split
> ftp://fnkits/ftp/products/perl/v5_005/OS\
> upduti_split_archive_file F1+V4/perl_v5_005_OSF1+V4.tar into
> ftp|fnkits|\
> upduti_split_archive_file
> |/ftp/products/perl/v5_005/OSF1+V4|perl_v5_005\
> upduti_split_archive_file _OSF1+V4|tar||
> updxfr_dir -
> updxfr_dir(fnkits,/ftp/products/perl/v5_005/OSF1+V4,perl_v5_0\
> updxfr_dir
> 05_OSF1+V4,/diskcdf7/products/prd/perl/v5_005/OSF1+V4
> updxfr_dir - HASH(0x140373208), tar)
> updxfr_dir - arch_type is tar
> login_and_cwd - args node fnkits dir
> /ftp/products/perl/v5_005/OSF1+V4
> login_and_cwd - Unable to create ftp connection
> updxfr_dir - error: can't transfer
> /ftp/products/perl/v5_005/OSF1+V4/perl_\
> updxfr_dir v5_005_OSF1+V4
> from fnkits to
> /diskcdf7/products/prd/perl\
> updxfr_dir /v5_005/OSF1+V4
> updxfr_dir - returns 0
> updcmd_split_cleanup - Cleaning up...
> updcmd_split_cleanup - informational: Starting remove of
> /diskcdf7/products\
> updcmd_split_cleanup /prd/perl/v5_005/OSF1+V4 in background
> cmdline_execute - upd install failed.
>
> If I connect manually to fnkits via anonymous ftp I seem to be able to
> get the needed files with no problem:
> ftp> ls /ftp/products/perl/v5_005/OSF1+V4
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for file list.
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.tar
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.ups.tar
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4.table.old
> 226 Transfer complete.
> ftp>
> ftp> ls -l
> 200 PORT command successful.
> 150 Opening ASCII mode data connection for directory listing.
> total 68794
> drwxrwx---   3 updadmin upd      512 Mar 16  2000 perl_v5_005_OSF1+V4
> -rw-rw-r--   1 updadmin upd     1245 Mar 23  2000 perl_v5_005_OSF1+V4.table
> -rwxrwx---   1 updadmin upd     1078 Aug 10  1999 perl_v5_005_OSF1+V4.table.old
> -rw-rw----   1 updadmin upd 24729600 Mar 16  2000 perl_v5_005_OSF1+V4.tar
> -rwxrwx---   1 updadmin upd 10445824 Apr 10  2000 perl_v5_005_OSF1+V4.ups.tar
> 226 Transfer complete.
> ftp> get perl_v5_005_OSF1+V4.tar
> 200 PORT command successful.
> 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.tar (24729600 bytes).
> 226 Transfer complete.
> 24729600 bytes received in 1.1e+02 seconds (2.2e+02 Kbytes/s)
> ftp> get perl_v5_005_OSF1+V4.ups.tar
> 200 PORT command successful.
> 150 Opening BINARY mode data connection for perl_v5_005_OSF1+V4.ups.tar (10445824 bytes).
> 226 Transfer complete.
> 10445824 bytes received in 47 seconds (2.2e+02 Kbytes/s)
> ftp>
>
> But I have no idea how to tell upd that these files are there.
>
> I tried from a Solaris machine.
> There upd install kerberos went smoothly, installing perl v5_005 as
> well, but when I tried to use the Solaris machine to fetch the
> OSF version of perl, I got the same problem:
>
> [stsa11] ~ > upd install perl v5_005 -f OSF1+V4
> informational: beginning install of perl.
> Unable to create ftp connection
> error: can't transfer
> /ftp/products/perl/v5_005/OSF1+V4/perl_v5_005_OSF1+V4
> from fnkits to
> /home/products/prd/perl/v5_005/OSF1+V4
> informational: Starting remove of
> /home/products/prd/perl/v5_005/OSF1+V4
> in background
> upd install failed.
> [stsa11] ~ >
>
> I seem to be in a no-way-out situation.
>
> Any suggestion will be appreciated.
> Thanks
> Stefano
>
> --
> Stefano Belforte - I.N.F.N.          tel : +39 040 375-6261 (fax: 375-6258)
> Area di Ricerca - Padriciano 99      e-mail: Stefano.Belforte@ts.infn.it
> 34012 TRIESTE TS - Italy             Web : http://www.ts.infn.it/~belforte
Date: Tue, 05 Sep 2000 22:51:43 +0200
From: Stefano Belforte
Subject: Re: confused about principals
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, rharris@fnal.gov

Thanks Matt, I think I understand now. I will start with simply my node able to log to fnal.gov nodes and not receive incoming logins from Fermilab other than the "second method" you indicate. Once everything is working, and I have some experience and a clear indication of needs, we will talk about adding ts.infn.it to your configuration and what, if any, implications are for other non-CDF machines/kerberos.

Stefano

Matt Crawford wrote:
>
> > Contact your Computing Division liaison to request host-specific
> > principals (plus initial passwords) for the machine on
> > which you plan to install kerberos. ...
> >
> > Does that mean that I have to get from Fermilab another principal
> > in addition to belforte@pilot.fnal.gov that I just got ?
>
> Any machine that is to be *reachable* by Kerberos must have these
> "service principals" and their associated keys. That's so that the
> KDC can construct a message which is decipherable only by the service
> (the host) itself which will prove that the presenter of the
> credentials has been verified to be belforte@PILOT.FNAL.GOV.
>
> If you'll use the machine as your desktop and log in with your Unix
> (or Windows) password only, and then do kinit and access Kerberos
> services elsewhere, you do not need to do this step. But to use
> Kerberos for access into the machine, you must.
>
> > Notice also that my machines (I plan to kerberise more than one)
> > is of course in ts.infn.it, not in fnal.gov ...
> > There is nothing in this direction on Robert's quick guide
> > in http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html
> >
> > Can you clarify ?
>
> Yes. Use the full domain name of your system, whether it ends with
> "fnal.gov" or not. So if you need the host & ftp service principals
> described above, they will be host/quark.ts.infn.it@PILOT.FNAL.GOV
> and ftp/quark.ts.infn.it@PILOT.FNAL.GOV.
>
> Here's one more catch -- after you install Kerberos on quark, then if
> you try to connect to quark with Kerberos, the application needs to
> be told that the proper Kerberos realm is PILOT.FNAL.GOV. The
> krb5.conf file we distribute now includes just one rule:
>
> [domain_realm]
> .fnal.gov = PILOT.FNAL.GOV
>
> telling applications that any hostname ending in ".fnal.gov" should
> be assumed to be in Kerberos realm PILOT.FNAL.GOV. To inform rsh,
> rlogin, telnet or ftp that quark is in that realm, there are two
> choices: we can add a rule like ".ts.infn.it = PILOT.FNAL.GOV" to the
> configuration file, or you can add "-k PILOT.FNAL.GOV" to the command
> line, as in
>
> telnet -x -k PILOT.FNAL.GOV quark.ts.infn.it
>
> Or, more likely, you can use the second method until the first is in
> place.
>
> > Also the following from the strong authentication guide is
> > a bit unclear :
> >
> > 4.4.1 The /etc/hosts File
> >
> > In the /etc/hosts file, make sure that the localhost names include
> > .fnal.gov.
> >
> > How does this apply to my node in ts.infn.it ? What do you mean by
> > localhost names ?
>
> We'll have to fix the wording.
> It ought to say something like
>
>     make sure that the "official" (first-listed) host name is the
>     full name, including the domain.
>
> > I have an almost empty /etc/hosts file as I rely
> > on nameserver, here is my /etc/hosts, which modification do you
> > suggest ?
> > #
> > 127.0.0.1       localhost
> > 140.105.6.101   quark.ts.infn.it   quark
> > 140.105.6.163   axts12.ts.infn.it  axts12
> > 140.105.6.100   afs1.ts.infn.it    afs1
> > 140.105.48.16   dns.univ.trieste.it
>
> It's fine as it is.

Date: Tue, 05 Sep 2000 16:09:16 -0500
From: Matt Crawford
Subject: Re: change of address
To: Michael Gold
Cc: kerberos-pilot@fnal.gov, gold@dot.phys.unm.edu

> my machine has been changed from dot.phys.unm.edu
> to higgs.phys.unm.edu 198.59.169.98
>
> please modify my kerberos account accordingly

Would you please contact compdiv@fnal.gov and ask for host and ftp keys for the new hostname? And if the change of name has already been completed, ask to have the old ones (host/dot.phys.unm.edu and ftp/dot.phys.unm.edu) deleted.

Wait a minute ... there is no host or ftp principal for any machine in unm.edu. What is it you think you need done? There shouldn't be anything required at all, except that if you also changed IP addresses you have to delete or ignore all old credentials and get new ones with "kinit". Judging by the KDC log, it looks as if everything is working fine for you already.
Date: Tue, 05 Sep 2000 16:28:44 -0500
From: Matt Crawford
Subject: Re: Changing a node name
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

> If a kerberized node is going to change its name to some other name,
> does the host principal have to change too, or do you just get
> a new host principal? What are the steps that would have to be
> taken to make that change on the node in question?

The host (and ftp, if you run ftpd) principals do have to change. There's no "rename" function on the principal database, so a new one has to be created and the old one deleted. You can avoid interruptions of service during the name change if you want to prepare in advance. The steps would be:

Send a request to compdiv@fnal.gov for creation of the new principal(s) host/newname.domain and ftp/newname.domain.

With the assigned password(s) in hand, do this as root:

    # /usr/krb5/sbin/kadmin -p host/newname.domain
    Enter password:
    kadmin: ktadd host/newname.domain
    kadmin: exit
    # /usr/krb5/sbin/kadmin -p ftp/newname.domain
    Enter password:
    kadmin: ktadd ftp/newname.domain
    kadmin: exit

Now change the nodename when ready. Presumably this involves a reboot, although I don't think that's relevant to Kerberos.
When the name has been changed, you may delete the now-useless old host & ftp keys from the keytab as follows:

    # /usr/krb5/sbin/ktutil
    ktutil: rkt /etc/krb5.keytab
    ktutil: list
    slot KVNO Principal
    ---- ---- -------------------------------------------------
       1    2 host/oldname.domain@PILOT.FNAL.GOV
       2    2 ftp/oldname.domain@PILOT.FNAL.GOV
       3    2 host/newname.domain@PILOT.FNAL.GOV
       4    2 ftp/newname.domain@PILOT.FNAL.GOV
    ktutil: delent 2
    ktutil: delent 1      # !!! Note, delete 2 before 1 because
                          # they all drop down a slot after delent
    ktutil: wkt /etc/krb5.keytab.new
    ktutil: quit
    # mv /etc/krb5.keytab.new /etc/krb5.keytab

If you don't mind an interruption, it's probably easier to simply get the new principal(s), change the hostname, delete /etc/krb5.keytab and do

    # ups install-hostkeys kerberos

and provide the new password(s) when asked.
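As an added example (not Matt's code, and it touches no real keytab), a small Python model of ktutil's slot numbering built from the keytab listing above: it shows what goes wrong when "delent 1" is issued before "delent 2", and derives the correct delent order for a hostname from the listing. The entries and KVNOs are the ones in the listing; the keytab is constructed in the code.

```python
# Added example, not code from the thread: a model of ktutil's 1-based slot
# numbering that shows why "delent 2" must come before "delent 1", and that
# derives the correct delent order from a keytab listing.  The entries are
# the ones in the listing above; nothing here touches a real keytab.
from collections import namedtuple

KeytabEntry = namedtuple("KeytabEntry", "kvno principal")

# What "ktutil: list" showed after ktadd of the new keys (constructed).
EXAMPLE_KEYTAB = [
    KeytabEntry(2, "host/oldname.domain@PILOT.FNAL.GOV"),
    KeytabEntry(2, "ftp/oldname.domain@PILOT.FNAL.GOV"),
    KeytabEntry(2, "host/newname.domain@PILOT.FNAL.GOV"),
    KeytabEntry(2, "ftp/newname.domain@PILOT.FNAL.GOV"),
]


def delent(entries, slot):
    """Model of "delent N": remove the entry in 1-based slot N.  Every entry
    after it drops down a slot, which is the pitfall the thread warns about."""
    if not 1 <= slot <= len(entries):
        raise IndexError(f"no slot {slot} in a keytab of {len(entries)} entries")
    return entries[:slot - 1] + entries[slot:]


def apply_delent_sequence(entries, slots):
    """Issue delent commands in the given order; return the surviving entries."""
    for slot in slots:
        entries = delent(entries, slot)
    return entries


def instance_of(principal):
    """The hostname part of a service principal such as host/x.y@REALM."""
    name = principal.split("@", 1)[0]
    return name.split("/", 1)[1] if "/" in name else None


def slots_for_hostname(entries, hostname):
    """1-based slots whose principal belongs to the given hostname."""
    return [slot for slot, entry in enumerate(entries, start=1)
            if instance_of(entry.principal) == hostname]


def deletion_order(entries, hostname):
    """Slots to delete, highest first, so each remaining number stays valid."""
    return sorted(slots_for_hostname(entries, hostname), reverse=True)


def ktutil_script(entries, hostname, keytab="/etc/krb5.keytab"):
    """The ktutil command sequence from the thread, generated from the listing."""
    commands = [f"rkt {keytab}", "list"]
    commands += [f"delent {slot}" for slot in deletion_order(entries, hostname)]
    commands += [f"wkt {keytab}.new", "quit"]
    return commands


def remaining_principals(entries):
    return [entry.principal for entry in entries]


if __name__ == "__main__":
    order = deletion_order(EXAMPLE_KEYTAB, "oldname.domain")
    print("correct order:", order)
    print(" leaves:", remaining_principals(apply_delent_sequence(EXAMPLE_KEYTAB, order)))
    naive = sorted(order)  # "delent 1" then "delent 2": removes a new-name key
    print("naive order:", naive)
    print(" leaves:", remaining_principals(apply_delent_sequence(EXAMPLE_KEYTAB, naive)))
    print("\n".join(ktutil_script(EXAMPLE_KEYTAB, "oldname.domain")))
```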
Date: Tue, 12 Sep 2000 15:00:59 -0500 (CDT)
From: Steven Timm
Subject: Linux kerberized ftp servers
To: kerberos-pilot@fnal.gov

I have two Linux nodes, snowball and boxer, which do not respond to requests for kerberized ftp properly. The errors that happen are either:

    GSSAPI error: acquiring credentials
    GSSAPI ADAT failed
    GSSAPI authentication failed

or

    GSSAPI error major: Miscellaneous failure
    GSSAPI error minor: Wrong principal in request
    GSSAPI error: accepting context
    GSSAPI ADAT failed

It doesn't work on bldlinux61 either. Can someone please check this out? Kerberized ftp outbound to non-linux nodes seems to work fine.

Steve
Date: Tue, 12 Sep 2000 15:27:28 -0500
From: Matt Crawford
Subject: Re: Linux kerberized ftp servers
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

I suspect that your machines snowball and boxer do not believe that their official, full hostname includes the ".fnal.gov" suffix, and they're expecting the client to present a ticket for, e.g., "ftp/snowball@PILOT.FNAL.GOV" instead of the "ftp/snowball.fnal.gov@PILOT.FNAL.GOV" which is actually presented. Check /etc/hosts (or your NIS equivalent) and make sure each machine's own host table entry for itself looks like

    131.225.80.1    gungnir.fnal.gov    gungnir

and not like

    131.225.80.1    gungnir    gungnir.fnal.gov

Date: Tue, 12 Sep 2000 15:27:48 -0500
From: "Mark O.
Kaletka"
Subject: RE: WRQ Problems
To: krull@fnal.gov
Cc: Kerberos Pilot List

Argghh, I totally spaced this one until Matt reminded me.

This should fix the password-changing problem. WRQ (for whatever reason) expects the service on a different port. Modify %systemroot%\system32\drivers\etc\services (using a text editor) by commenting out these lines:

    kpasswd           464/tcp    # Kerberos (v5)
    kpasswd           464/udp    # Kerberos (v5)
    kerberos-adm      749/tcp    #Kerberos administration
    kerberos-adm      749/udp    #Kerberos administration

and adding these lines:

    kerberos-adm      464/tcp    # Kerberos (v5) (used by WRQ)
    kerberos-adm      464/udp    # Kerberos (v5) (used by WRQ)

Or, use the attached services file (from my system).

-- Mark K.

> -----Original Message-----
> From: Richard A. Krull [mailto:krull@fnal.gov]
> Sent: Monday, August 28, 2000 11:08 AM
> To: kaletka@fnal.gov
> Subject: WRQ Problems
>
>
> Mark,
> Here are the 2 problems that I have.
>
> One is the changing of the password using the Reflections
> Kerberos Manager.
> The error is (Connection aborted (KRB029)
>
> The other is when I try to run the Reflection X Client Manager I get Dr.
> Watson.
> The error is ( rx.exe - Exception: privileged instruction
> (0xc0000096), Address: 0x6952451a
>
> Rich

Content-Disposition: attachment; filename="services"
From kreymer@fnal.gov Tue Sep 12 16:00:18 2000 -0500
Date: Tue, 12 Sep 2000 16:00:16 -0500 (CDT)
From: Steven Timm
Subject: Re: Linux kerberized ftp servers
In-reply-to: <200009122027.PAA19829@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

> I suspect that your machines snowball and boxer do not believe
> that their official, full hostname includes the ".fnal.gov"
> suffix, and they're expecting the client to present a ticket
> for, e.g., "ftp/snowball@PILOT.FNAL.GOV" instead of the
> "ftp/snowball.fnal.gov@PILOT.FNAL.GOV" which is actually
> presented.
>
> Check /etc/hosts (or your NIS equivalent) and make sure each
> machine's own host table entry for itself looks like
>
>     131.225.80.1 gungnir.fnal.gov gungnir
>
> and not like
>
>     131.225.80.1 gungnir gungnir.fnal.gov

Making this fix solves part of the problem. But now I get the following:

snowball.timm:~> klist
Ticket cache: /tmp/krb5cc_2904
Default principal: timm@PILOT.FNAL.GOV

Valid starting      Expires             Service principal
09/12/00 14:55:19   09/13/00 16:55:19   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
09/12/00 14:55:19   09/13/00 16:55:19   afs/fnal.gov@PILOT.FNAL.GOV
09/12/00 15:58:14   09/13/00 16:55:19   ftp/boxer.fnal.gov@PILOT.FNAL.GOV

snowball.timm:~> ftp boxer
Connected to boxer.fnal.gov.
220 boxer.fnal.gov FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (boxer:timm):
530 User timm access denied.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
-------------------------------

Note this is the same thing that happens when I try to ftp to bldlinux61.
I do have accounts on, and can kerberos-telnet to, both machines.

Steve

From kreymer@fnal.gov Tue Sep 12 16:10:23 2000 -0500
Date: Tue, 12 Sep 2000 16:10:21 -0500
From: Matt Crawford
Subject: Re: Linux kerberized ftp servers
In-reply-to: "12 Sep 2000 16:00:16 CDT."
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200009122110.QAA20058@gungnir.fnal.gov>

    GSSAPI accepted as authentication type
    GSSAPI authentication succeeded
    Name (boxer:timm):
    530 User timm access denied.
    Login failed.

Now I would guess you're being refused for a more mundane reason, like having a shell which is not listed in /etc/shells, or whatever Linux may use for that purpose.

> Note this is the same thing that happens when I try to ftp to bldlinux61.
> I do have accounts on, and can kerberos-telnet to, both machines.

I can ftp to bldlinux61. I see that my shell is listed in /etc/shells there and yours is not.

bldlinux61 71% finger timm
Login: timm                             Name: Steven Timm
Directory: /afs/fnal.gov/files/home/room1/timm   Shell: /usr/local/bin/tcsh
Never logged in.
No mail.
Plan:
Steven C. Timm

Fermilab Computing Division
Operating Systems Support Dept.
Central Systems Support Group

Working on farms support

630-840-8525

Office: Feynman 252k

bldlinux61 72% more /etc/shells
/bin/bash
/bin/sh
/bin/ash
/bin/bsh
/bin/ksh
/bin/tcsh
/bin/csh
bldlinux61 73% finger crawdad
Login: crawdad                          Name: Matt Crawford
Directory: /afs/fnal.gov/files/home/room2/crawdad   Shell: /bin/csh
On since Tue Sep 12 16:07 (CDT) on ttyp0 from gungnir
Mail forwarded to crawdad@fnal.gov
No mail.
No Plan.
bldlinux61 74% ls -l /bin/tcsh
-rwxr-xr-x   1 root     root       262152 Sep 25  1999 /bin/tcsh
bldlinux61 75% ls -l /usr/local/bin/tcsh
-rwxr-xr-x   1 root     root       268236 Mar 14  2000 /usr/local/bin/tcsh

I suggest use of chsh or request the build cluster admin to add your shell to the list.
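The two checks that resolved this exchange (Matt's hosts-file ordering diagnosis and the /etc/shells refusal) as an added preflight script; this is example code, not anything from the Fermilab pilot or MIT Kerberos, and the hosts entries, passwd lines (uid/gid invented) and /etc/shells copy are constructed from what the messages above show:

```python
"""Preflight for the two kerberized-ftp failures discussed above: Matt's
/etc/hosts diagnosis and the /etc/shells refusal.

Added example, not code from the Fermilab pilot or from MIT Kerberos.
Every input is a constructed copy (hosts entries, /etc/shells, passwd
lines built from the finger output) so it runs offline; feed it the real
file contents to check a host.
"""

# Constructed from the two hosts-entry shapes Matt contrasted.
GOOD_HOSTS = "127.0.0.1 localhost\n131.225.80.1 gungnir.fnal.gov gungnir\n"
BAD_HOSTS = "127.0.0.1 localhost\n131.225.80.1 gungnir gungnir.fnal.gov   # short name first\n"
# /etc/shells as shown for bldlinux61; passwd lines are constructed (uid/gid invented).
SHELLS = "/bin/bash\n/bin/sh\n/bin/ash\n/bin/bsh\n/bin/ksh\n/bin/tcsh\n/bin/csh\n"
TIMM_PASSWD = "timm:x:1000:1000:Steven Timm:/afs/fnal.gov/files/home/room1/timm:/usr/local/bin/tcsh"
CRAWDAD_PASSWD = "crawdad:x:1001:1001:Matt Crawford:/afs/fnal.gov/files/home/room2/crawdad:/bin/csh"


def own_hosts_entry(hosts_text, address):
    """Return the names listed for `address` in hosts-file text, in file order."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, then tokenise
        if fields and fields[0] == address:
            return fields[1:]
    return []


def expected_service_principal(hosts_text, address, service, realm):
    """Principal the server will look up for `service`, plus a problem string or None.

    The server builds its own principal from its canonical host name; with a
    hosts-file entry that is the FIRST name after the address. If that name is
    the short one, the server expects ftp/snowball@REALM while the client
    presents ftp/snowball.fnal.gov@REALM, and GSSAPI authentication fails.
    """
    names = own_hosts_entry(hosts_text, address)
    if not names:
        return None, "no hosts entry for %s" % address
    canonical = names[0]
    principal = "%s/%s@%s" % (service, canonical, realm)
    if "." not in canonical:
        fqdn = next((n for n in names if "." in n), None)
        hint = "; move %s first" % fqdn if fqdn else ""
        return principal, "canonical name %r is not fully qualified%s" % (canonical, hint)
    return principal, None


def shell_is_login_shell(passwd_line, shells_text):
    """Mimic ftpd's post-authentication check: the account's shell must be in /etc/shells.

    Returns (shell, allowed). Kerberos can succeed and ftpd still answer
    '530 User ... access denied' when this check fails.
    """
    shell = passwd_line.rstrip("\n").split(":")[6]
    allowed = {line.strip() for line in shells_text.splitlines()
               if line.strip() and not line.lstrip().startswith("#")}
    return shell, shell in allowed


def preflight(hosts_text, address, realm, passwd_line, shells_text):
    """Run both checks and collect human-readable findings."""
    principal, problem = expected_service_principal(hosts_text, address, "ftp", realm)
    shell, ok_shell = shell_is_login_shell(passwd_line, shells_text)
    findings = []
    if problem:
        findings.append("hosts: %s (server will expect %s)" % (problem, principal))
    if not ok_shell:
        findings.append("shells: %s is not in /etc/shells; use chsh or ask the admin to add it" % shell)
    return {"service_principal": principal, "shell": shell,
            "findings": findings, "ok": not findings}


if __name__ == "__main__":
    for hosts, pw in ((BAD_HOSTS, TIMM_PASSWD), (GOOD_HOSTS, CRAWDAD_PASSWD)):
        report = preflight(hosts, "131.225.80.1", "PILOT.FNAL.GOV", pw, SHELLS)
        print(report["ok"], report["findings"])
```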
From kreymer@fnal.gov Tue Sep 12 16:21:00 2000 -0500
Date: Tue, 12 Sep 2000 16:19:37 -0500 (CDT)
From: Steven Timm
Subject: Re: Linux kerberized ftp servers
In-reply-to: <200009122110.QAA20058@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

Thanks... it works now.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 12 Sep 2000, Matt Crawford wrote:

> GSSAPI accepted as authentication type
> GSSAPI authentication succeeded
> Name (boxer:timm):
> 530 User timm access denied.
> Login failed.
>
> Now I would guess you're being refused for a more mundane reason,
> like having a shell which is not listed in /etc/shells, or whatever
> Linux may use for that purpose.
>
> > Note this is the same thing that happens when I try to ftp to bldlinux61.
> > I do have accounts on, and can kerberos-telnet to, both machines.
>
> I can ftp to bldlinux61. I see that my shell is listed in
> /etc/shells there and yours is not.
>
> bldlinux61 71% finger timm
> Login: timm                             Name: Steven Timm
> Directory: /afs/fnal.gov/files/home/room1/timm   Shell: /usr/local/bin/tcsh
> Never logged in.
> No mail.
> Plan:
> Steven C. Timm
>
> Fermilab Computing Division
> Operating Systems Support Dept.
> Central Systems Support Group
>
>
> Working on farms support
>
> 630-840-8525
>
> Office: Feynman 252k
>
> bldlinux61 72% more /etc/shells
> /bin/bash
> /bin/sh
> /bin/ash
> /bin/bsh
> /bin/ksh
> /bin/tcsh
> /bin/csh
> bldlinux61 73% finger crawdad
> Login: crawdad                          Name: Matt Crawford
> Directory: /afs/fnal.gov/files/home/room2/crawdad   Shell: /bin/csh
> On since Tue Sep 12 16:07 (CDT) on ttyp0 from gungnir
> Mail forwarded to crawdad@fnal.gov
> No mail.
> No Plan.
> bldlinux61 74% ls -l /bin/tcsh
> -rwxr-xr-x   1 root     root       262152 Sep 25  1999 /bin/tcsh
> bldlinux61 75% ls -l /usr/local/bin/tcsh
> -rwxr-xr-x   1 root     root       268236 Mar 14  2000 /usr/local/bin/tcsh
>
> I suggest use of chsh or request the build cluster admin to add your
> shell to the list.
From kreymer@fnal.gov Fri Sep 15 06:10:17 2000 -0500
Date: Fri, 15 Sep 2000 13:10:11 +0200
From: Stefano Belforte
Subject: first pilot.fnal.gov in Italy
To: kerberos-pilot@fnal.gov
Message-id: <39C20393.BB6E6EC6@ts.infn.it>

2 weeks ago we "kerberised" my desktop OSF workstation, node axts12.ts.infn.it. I noticed no problems since then, and since both AFS keeps working and kinit does what it is supposed to do, I think we can declare it working.

We had only one problem: the telnetd daemon installed by kerberos was letting every user (other than root) log in without password on axts12. My system manager commented out both old and new instances of telnetd from /etc/inetd.conf and now we are happy. ssh is the only means to reach the machine.

Local experts recognise this login-without-password as a consequence of our system implementing something they call C2, i.e. an improved password handling mechanism that removes the encrypted passwords from the password file. This normally requires a specific version of telnetd. Apparently the telnetd in the kerberos kit we installed does not interoperate correctly with C2.

I have no problem with the current configuration (no telnet at all to axts12.ts.infn.it), but wanted to report the situation in case you are interested. I will be away for the next 2 weeks; if you feel you want more details before then, you can write directly to Roberto Gomezel, gomezel@ts.infn.it.

I have just one curiosity: should the kerberos-provided telnetd have worked, would it have meant that the machine would operate in portal mode, so I could use the cryptocard to log into axts12?

-- Stefano Belforte - I.N.F.N.
tel : +39 040 375-6261 (fax: 375-6258)    Area di Ricerca - Padriciano 99
e-mail: Stefano.Belforte@ts.infn.it       34012 TRIESTE TS - Italy
Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Fri Sep 15 07:34:06 2000 -0500
Date: Fri, 15 Sep 2000 14:34:01 +0200
From: Stefano Belforte
Subject: rlogin to axts12.ts.infn.it
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov, gomezel@ts.infn.it
Message-id: <39C21739.5685DBF9@ts.infn.it>

Glenn Cooper wrote:
>
> Have you tried using the kerberized rlogin, rsh, rcp? I would
> guess that they have the same problem as telnet, but since it
> is different code, I'm not sure.
>

No we hadn't. Now I just tried rlogin and it seems to "just work", i.e. I type

    rlogin axts12.ts.infn.it -l belforte

on a remote node and it lets me log in using my normal local NIS/AFS password. Unless rlogin encrypts the password (I do not know) it looks like a "glitch". I was expecting all accesses other than ssh to have been either disabled or put in "portal mode".

It looks strange since rlogind is apparently commented out in /etc/inetd.conf:

belforte@axts12.ts.infn.it/belforte> grep rlo /etc/inetd.conf
#login  stream  tcp     nowait  root    /usr/sbin/rlogind       rlogind

Still I have a rlogind daemon running..

I have never used rsh/rcp before, so I will leave them aside for a while.

Stefano

From kreymer@fnal.gov Fri Sep 15 08:42:13 2000 -0500
Date: Fri, 15 Sep 2000 08:42:09 -0500
From: Matt Crawford
Subject: Re: first pilot.fnal.gov in Italy
In-reply-to: "15 Sep 2000 13:10:11 +0200." <39C20393.BB6E6EC6@ts.infn.it>
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov
Message-id: <200009151342.IAA12689@gungnir.fnal.gov>

> Local experts recognise this login-without-password as a consequence
> of our system implementing something they call C2, ...

There are comments in the code about DEC's ... err, Compaq's C2 security option, so I'll look into this. Can you send the exact OS version you're running, in case it matters?

> I have just one curiosity, should the kerberos provided telnetd
> have worked, it would have meant that the machine would operate
> in portal mode so I could use the cryptocard to log into axts12 ?

Yes -- as long as your host's internet path to FNAL was intact.
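Stefano's grep above shows the plain `login` entry commented out in /etc/inetd.conf while an rlogind keeps running. Here is an added check for exactly that situation (config file versus listening sockets), written as example code, not anything from the thread or the Fermilab kerberos kit; the inetd.conf (only the rlogind line is his, the other program paths are placeholders), the services(5) excerpt and the listening-port list are constructed, and the same services(5) parser is what you would use to verify the kpasswd/kerberos-adm edit in the WRQ message earlier:

```python
"""Compare what /etc/inetd.conf enables with what is actually listening.

Added example, not code from the Fermilab kerberos kit or from any inetd.
Stefano's grep above shows the plain `login` entry commented out while an
rlogind is still running: inetd re-reads inetd.conf only at start-up or on
SIGHUP, so the file and the sockets disagree until it is reloaded. Port
names come from a services(5) table, parsed the same way one would verify
the kpasswd/kerberos-adm edit in the WRQ message earlier. All inputs are
constructed; on a real host read the real files and a netstat listing.
"""

# Constructed inetd.conf in the shape of Stefano's grep output. Only the
# rlogind line is from the thread; the other program paths are placeholders.
INETD_CONF = """\
#telnet  stream  tcp  nowait  root  /usr/sbin/telnetd   telnetd
#login   stream  tcp  nowait  root  /usr/sbin/rlogind   rlogind
#shell   stream  tcp  nowait  root  /usr/sbin/rshd      rshd
klogin   stream  tcp  nowait  root  /path/to/klogind    klogind
kshell   stream  tcp  nowait  root  /path/to/kshd       kshd
"""
# Constructed excerpt in services(5) format ('name port/proto [aliases] [# comment]').
SERVICES = """\
telnet     23/tcp
kerberos   88/tcp    krb5 kerberos-sec   #Kerberos
login      513/tcp                       #Remote Login
cmd        514/tcp   shell
klogin     543/tcp                       #Kerberos login
kshell     544/tcp   krcmd               #Kerberos remote shell
"""
# Constructed: TCP ports found listening on the host (what netstat -an would show).
LISTENING = {(513, "tcp"), (514, "tcp"), (543, "tcp"), (544, "tcp")}

CLEARTEXT = {"telnet", "login", "shell"}   # password/rhosts based, unencrypted


def parse_services(text):
    """Return (by_name, by_port): (name, proto) -> (port, proto) and the reverse."""
    by_name, by_port = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        key = (int(port), proto)
        names = [fields[0]] + fields[2:]          # primary name, then aliases
        by_port.setdefault(key, []).extend(names)
        for name in names:
            by_name.setdefault((name, proto), key)
    return by_name, by_port


def enabled_inetd_services(conf_text):
    """Return {(service, proto): program} for entries inetd would start."""
    enabled = {}
    for raw in conf_text.splitlines():
        fields = raw.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        enabled[(fields[0], fields[2])] = fields[5]
    return enabled


def audit(conf_text, services_text, listening):
    """Flag listeners with no enabled inetd entry, and cleartext login services."""
    by_name, by_port = parse_services(services_text)
    enabled = enabled_inetd_services(conf_text)
    expected = {by_name[k] for k in enabled if k in by_name}
    stale = sorted(k for k in listening if k not in expected)
    return {
        # listening but not enabled: inetd not reloaded, or another daemon
        "stale": [(p, pr, "/".join(by_port.get((p, pr), ["?"]))) for p, pr in stale],
        "cleartext_reachable": sorted(
            n for n in CLEARTEXT
            if (n, "tcp") in by_name and by_name[(n, "tcp")] in listening),
        "cleartext_enabled": sorted(n for n, _ in enabled if n in CLEARTEXT),
    }


if __name__ == "__main__":
    report = audit(INETD_CONF, SERVICES, LISTENING)
    for port, proto, name in report["stale"]:
        print("%s/%d listening but not enabled in inetd.conf (reload inetd?)" % (name, port))
    print("cleartext login services reachable:", report["cleartext_reachable"])
```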
From kreymer@fnal.gov Fri Sep 15 10:41:51 2000 -0500
Date: Fri, 15 Sep 2000 10:41:47 -0500
From: Matt Crawford
Subject: Re: rlogin to axts12.ts.infn.it
In-reply-to: "15 Sep 2000 14:34:01 +0200." <39C21739.5685DBF9@ts.infn.it>
To: Stefano Belforte
Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov, gomezel@ts.infn.it
Message-id: <200009151541.KAA13515@gungnir.fnal.gov>

> No we hadn't. Now I just tried rlogin and it seems to "just work",
> i.e. I type rlogin axts12.ts.infn.it -l belforte on a remote node
> and it lets me log in using my normal local NIS/AFS password.

The Kerberos rlogin, as configured by the Fermi installation procedure, won't let you type a password at all. I did a quick probe of axts12.ts.infn.it and found that you have both the kerberos and the ordinary rlogin servers running. Likewise kerberos and ordinary rsh servers. Probably there was no SIGHUP sent to your inetd.

But there's a further caveat -- you can't log into your node with kerberos rsh, rlogin or telnet yet because you don't have a "host principal" created. Contact Yolanda Valadez for that. When you get a "host and ftp" password from her, run

    ups install-hostkeys kerberos

as root. This won't affect which services are running, but it will install the required service keys in /etc/krb5.keytab.

From kreymer@fnal.gov Thu Sep 21 14:07:29 2000 -0500
Date: Thu, 21 Sep 2000 14:07:27 -0500
From: Gabriele Garzoglio
Subject: kcroninit and kerberos
To: kerberos-pilot@fnal.gov

Hello,
I have successfully installed kerberos on fndapq and changed my password. Now I'm dealing with kcroninit: I get an error and I didn't find the documentation on errors anywhere. You may have seen this before:

> setup kcroninit
> kcroninit
Are you on a secure channel? (default = y):
What is your kerberos principal (default = garzogli@PILOT.FNAL.GOV):
Enter the password for garzogli@PILOT.FNAL.GOV:
Now adding principal garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.

Then the cron jobs don't work... of course.
Can someone give me a hint?

Thank you.
Gabriele

-----------------------------------------------------------------------
> Gabriele Garzoglio                                                  <
> Home : 441 S. Batavia ave.                   +1-(630)-482-9113     <
>        Batavia (IL), 60510, U.S.A.                                  <
> Work : FERMILAB-P.O.Box 500, MS 341          +1-(630)-840-3685     <
>        Batavia (IL), 60510, U.S.A.
>                                              +1-(630)-840-3867 (Fax)   <
>                                              +1-(630)-218-9562 (Pager) <
-----------------------------------------------------------------------

From kreymer@fnal.gov Mon Sep 25 12:56:33 2000 -0500
Date: Mon, 25 Sep 2000 12:56:31 -0500
From: Matt Crawford
Subject: Re: kcroninit and kerberos
In-reply-to: "21 Sep 2000 14:07:27 CDT."
To: Gabriele Garzoglio
Cc: kerberos-pilot@fnal.gov
Message-id: <200009251756.MAA09997@gungnir.fnal.gov>

> garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...Temporary keytab created.
> Now transferring temporary keytab file contents...
> ERROR transferring keytab file contents; ABORT.
> All done.
>
> Then the cron jobs don't work... of course.
> Can someone give me a hint?

It seems from the log file that you tried this five times in a half-hour period, and the transcript you sent clearly wasn't from the first instance. Could you possibly have tried it as root the first time? That would stop you from writing to the file later as a non-root user.

To fix it, since you are the only person who has tried kcroninit on fndapq (so far), become root and delete all the plain files (not directories) from /var/adm/krb5:

    # rm /var/adm/krb5/*
    # ls -lAR /var/adm/krb5

then try kcroninit again.

From kreymer@fnal.gov Mon Sep 25 13:49:08 2000 -0500
Date: Mon, 25 Sep 2000 13:49:06 -0500
From: Gabriele Garzoglio
Subject: Re: kcroninit and kerberos
In-reply-to: <200009251756.MAA09997@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, James_Amundson

> Could you possibly have tried it as root the first
> time? That would stop you from writing to the file later as a
> non-root user.

Actually I don't think this was the case. As root, I have deleted the only file in /var/adm/krb5/: it was a file owned by garzogli. Then I've tried kcroninit in 2 scenarios: with and without setting up kerberos; I get 2 different errors:

1)
> setup kerberos
> setup kcroninit
> kcroninit
Are you on a secure channel? (default = y):
What is your kerberos principal (default = garzogli@PILOT.FNAL.GOV):
Enter the password for garzogli@PILOT.FNAL.GOV:
Now adding principal garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
kcron-create: Unable to create directory /var/adm/krb5
ERROR creating empty keytab file via 'kcron-create'; ABORT.
All done.

2)
> setup kcroninit
> kcroninit
Are you on a secure channel? (default = y):
What is your kerberos principal (default = garzogli@PILOT.FNAL.GOV):
Enter the password for garzogli@PILOT.FNAL.GOV:
Now adding principal garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for garzogli/cron/fndapq.fnal.gov@PILOT.FNAL.GOV...Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.

Then it creates a file that looks like the one that I have deleted as root at the beginning.

[root@fndapq /root]# ls -lAR /var/adm/krb5/
/var/adm/krb5/:
total 0
-rw-------   1 garzogli g023            0 Sep 25 13:30 98HoukuOrjO_STBYqJxTqw

At this point, even if I own the file, I cannot write into it:

> cat >> /var/adm/krb5/98HoukuOrjO_STBYqJxTqw
/var/adm/krb5/98HoukuOrjO_STBYqJxTqw: Permission denied.

Is kerberos trying to do something like this? Any other suggestions? If you think that a meeting would help, I'm available.

Thank you
Gabriele

From kreymer@fnal.gov Tue Sep 26 08:00:37 2000 -0500
Date: Tue, 26 Sep 2000 08:00:35 -0500
From: Matt
Crawford Subject: Re: kcroninit and kerberos In-reply-to: "25 Sep 2000 16:51:27 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Gabriele Garzoglio Cc: James_Amundson , kerberos-pilot@fnal.gov Message-id: <200009261300.IAA14550@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 454 > > It still looks like a permissions problem. What are the permissions > > on /var, /var/adm, /var/adm/krb5, /var/adm/krb5/tmp ? > drwxr-xr-x 19 root root 4096 Sep 19 18:11 var > drwx-----x 3 root g023 4096 Sep 19 18:11 adm > drwx--s--x 2 root root 4096 Sep 25 13:30 krb5 Ah, there's your problem. You have very strange permissions on /var/adm itself. Everyone has 'x' ("search") permission *except* group g023. And from your earlier mail, you seem to be a member of that group. I suggest "chmod 711 /var/adm" > What are the typical permissions in other kerberized machines? I can retry > kcroninit after chmod'ing them. # ls -ld /var /var/adm /var/adm/krb5 /var/adm/krb5/tmp drwxr-sr-x 20 root sys 512 Jan 3 1997 /var drwxr-sr-x 9 root sys 1024 Sep 26 04:05 /var/adm drwx--s--x 3 root root 512 Sep 19 15:10 /var/adm/krb5 drwx-wx-wt 2 root other 512 Sep 19 15:10 /var/adm/krb5/tmp From kreymer@fnal.gov Tue Sep 26 14:06:14 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA05602 for ; Tue, 26 Sep 2000 14:06:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1I00IRKD2DM6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Sep 2000 14:06:13 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0007F344@listserv.fnal.gov>; Tue, 26 Sep 2000 14:06:13 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 314272 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 26 Sep 2000 14:06:13 -0500 Received: from heffalump 
(heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0007F343@listserv.fnal.gov>; Tue, 26 Sep 2000 14:06:13 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1I00KLID2C03@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 26 Sep 2000 14:06:13 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30897 for ; Tue, 26 Sep 2000 14:06:12 -0500 Date: Tue, 26 Sep 2000 14:06:12 -0500 (CDT) From: Steven Timm Subject: kerberized ssh? Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 455 Is there any plan to make the kerberized ssh/scp that is currently on the build cluster available in kits so other kerberized nodes can take advantage of it? Will there be an update procedure for those who have already installed kerberos? Steve ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Tue Sep 26 17:07:10 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA05741 for ; Tue, 26 Sep 2000 17:07:10 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1I003YHLFXAO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Sep 2000 17:07:09 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0007F590@listserv.fnal.gov>; Tue, 26 Sep 2000 17:07:09 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 314934 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 26 Sep 2000 17:07:09 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0007F58F@listserv.fnal.gov>; Tue, 26 Sep 2000 17:07:09 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1I002N8LFXBV@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 26 Sep 2000 17:07:09 -0500 (CDT) Date: Tue, 26 Sep 2000 17:07:07 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: kerberized ssh? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 456 On Tue, 26 Sep 2000, Steven Timm wrote: > Is there any plan to make the kerberized ssh/scp that is currently on > the build cluster available in kits so other kerberized nodes can > take advantage of it? Will there be an update procedure for those > who have already installed kerberos? 
It actually is (already was) in kits, I flagged it current today. Marc From kreymer@fnal.gov Mon Oct 2 10:33:36 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA10165 for ; Mon, 2 Oct 2000 10:33:36 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T0034377ZNB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Oct 2000 10:33:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00082267@listserv.fnal.gov>; Mon, 02 Oct 2000 10:33:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 5072 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Oct 2000 10:33:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00082265@listserv.fnal.gov>; Mon, 02 Oct 2000 10:33:35 -0500 Received: from CUERVO ([131.225.82.38]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G1T0035A77ZCI@smtp.fnal.gov>; Mon, 02 Oct 2000 10:33:35 -0500 (CDT) Date: Mon, 02 Oct 2000 10:33:35 -0500 From: "Mark O. 
Kaletka" Subject: FW: ssh v1_2_27 released as current Sender: owner-kerberos-pilot@listserv.fnal.gov To: Kerberos Pilot List , ssh-users@fnal.gov Cc: Computer Security Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 457 -----Original Message----- From: owner-csi-group@listserv.fnal.gov [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Marc Mengel Sent: Tuesday, September 26, 2000 5:07 PM To: csi-group@fnal.gov Subject: ssh v1_2_27 released as current Product ssh version v1_2_27 has been reelased as current for flavors IRIX+6, Linux+2, OSF1+V4, and SunOS+5. This release is built with kerberos 5 ticket forwarding for users using systems in the Fermilab Strong Authentication project. It is available for distribution on the upd distribution node, fnkits.fnal.gov a.k.a ftp.fnal.gov. 
From kreymer@fnal.gov Mon Oct 2 10:36:18 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA10173 for ; Mon, 2 Oct 2000 10:36:18 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T0029J7CHPU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Oct 2000 10:36:18 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00082270@listserv.fnal.gov>; Mon, 02 Oct 2000 10:36:17 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 5082 for SSH-USERS@LISTSERV.FNAL.GOV; Mon, 02 Oct 2000 10:36:17 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0008226F@listserv.fnal.gov>; Mon, 02 Oct 2000 10:36:17 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T002C57CHFY@smtp.fnal.gov>; Mon, 02 Oct 2000 10:36:17 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA11410; Mon, 02 Oct 2000 10:36:17 -0500 Date: Mon, 02 Oct 2000 10:36:17 -0500 (CDT) From: Steven Timm Subject: Re: FW: ssh v1_2_27 released as current In-reply-to: Sender: owner-ssh-users@listserv.fnal.gov To: "Mark O. Kaletka" Cc: Kerberos Pilot List , ssh-users@fnal.gov, Computer Security Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 458 Does this mean that we don't have to re-install or update our kerberos product to use the kerberos-capable ssh? Steve ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Mon, 2 Oct 2000, Mark O. Kaletka wrote: > -----Original Message----- > From: owner-csi-group@listserv.fnal.gov > [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Marc Mengel > Sent: Tuesday, September 26, 2000 5:07 PM > To: csi-group@fnal.gov > Subject: ssh v1_2_27 released as current > > > Product ssh version v1_2_27 has been reelased as current for > flavors IRIX+6, Linux+2, OSF1+V4, and SunOS+5. > > This release is built with kerberos 5 ticket forwarding for > users using systems in the Fermilab Strong Authentication > project. > > It is available for distribution on the upd distribution node, > fnkits.fnal.gov a.k.a ftp.fnal.gov. > > From kreymer@fnal.gov Mon Oct 2 12:08:06 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA10244 for ; Mon, 2 Oct 2000 12:08:06 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T004EVBLHA7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Oct 2000 12:08:06 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0008242E@listserv.fnal.gov>; Mon, 02 Oct 2000 12:08:05 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 5556 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Oct 2000 12:08:05 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0008242C@listserv.fnal.gov>; Mon, 02 Oct 2000 12:08:05 -0500 Received: from fnal.gov ([131.225.84.114]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T00729BLHPP@smtp.fnal.gov>; Mon, 02 Oct 2000 12:08:05 -0500 (CDT) Date: Mon, 02 Oct 2000 12:08:05 -0500 
From: Margaret Votava Subject: Re: FW: ssh v1_2_27 released as current Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: Kerberos Pilot List , ssh-users@fnal.gov, Computer Security , mengel@fnal.gov Message-id: <39D8C0F5.282CA504@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 459 Hi, The ssh releases with linux get me confused. I thought that there was some issue with linux ssh and afs. Troy, didn't you make a special ssh/afs version? What should us Linux user really install and via what distribution mechanism? Upd or rpm or can we get the same version through both? Thanks, Margaret [root@odsmev /tmp]# rpm -qa | grep ssh ssh-afs-1.2.26-1 "Mark O. Kaletka" wrote: > > - > -----Original Message----- > From: owner-csi-group@listserv.fnal.gov > [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Marc Mengel > Sent: Tuesday, September 26, 2000 5:07 PM > To: csi-group@fnal.gov > Subject: ssh v1_2_27 released as current > > Product ssh version v1_2_27 has been reelased as current for > flavors IRIX+6, Linux+2, OSF1+V4, and SunOS+5. > > This release is built with kerberos 5 ticket forwarding for > users using systems in the Fermilab Strong Authentication > project. > > It is available for distribution on the upd distribution node, > fnkits.fnal.gov a.k.a ftp.fnal.gov. 
-- Margaret Votava votava@fnal.gov Computing Division/Online and Database Systems 630-840-2625 (office) Fermi National Accelerator Laboratory 630-840-6345 (fax) From kreymer@fnal.gov Mon Oct 2 14:06:49 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA10371 for ; Mon, 2 Oct 2000 14:06:49 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T008LUH3CXO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Oct 2000 14:06:49 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000825E2@listserv.fnal.gov>; Mon, 02 Oct 2000 14:06:49 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 6032 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Oct 2000 14:06:49 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000825E1@listserv.fnal.gov>; Mon, 02 Oct 2000 14:06:49 -0500 Received: from fsgi02.fnal.gov ([131.225.68.15]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T009EAH3CUU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Oct 2000 14:06:48 -0500 (CDT) Received: from localhost (garzogli@localhost) by fsgi02.fnal.gov (8.11.0/8.11.0) with ESMTP id e92J6mY25887; Mon, 02 Oct 2000 14:06:48 -0500 (CDT) Date: Mon, 02 Oct 2000 14:06:47 -0500 From: Gabriele Garzoglio Subject: Re: kcroninit and kerberos In-reply-to: <200009261300.IAA14550@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: James_Amundson , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi02.fnal.gov: garzogli owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 460 Dear Matt Crawfor, thank you for 
your assistance: changing the permission as you suggested let me kcroninit. Now I can get my ticket renewed by cron: >kinit: Ticket expired renewing tgt Yet, cron cannot write on my afs area: the crontable does a > /usr/krb5/bin/kcron /bin/date > ~garzogli/cron/test but I get errors like >/bin/sh: /afs/fnal.gov/files/home/room2/garzogli/cron/test: Permission denied Is this a config problem again or there's something I miss? Thank you Gabriele ----------------------------------------------------------------------- > Gabriele Garzoglio < > < > Home : 441 S. Batavia ave. +1-(630)-482-9113 < > Batavia (IL), 60510, U.S.A. < > Work : FERMILAB-P.O.Box 500, MS 341 +1-(630)-840-3685 < > Batavia (IL), 60510, U.S.A. +1-(630)-840-3867 (Fax) < > +1-(630)-218-9562 (Pager) < ----------------------------------------------------------------------- On Tue, 26 Sep 2000, Matt Crawford wrote: > > > It still looks like a permissions problem. What are the permissions > > > on /var, /var/adm, /var/adm/krb5, /var/adm/krb5/tmp ? > > drwxr-xr-x 19 root root 4096 Sep 19 18:11 var > > drwx-----x 3 root g023 4096 Sep 19 18:11 adm > > drwx--s--x 2 root root 4096 Sep 25 13:30 krb5 > > Ah, there's your problem. You have very strange permissions on > /var/adm itself. Everyone has 'x' ("search") permission *except* > group g023. And from your earlier mail, you seem to be a member of > that group. I suggest "chmod 711 /var/adm" > > > What are the typical permissions in other kerberized machines? I can retry > > kcroninit after chmod'ing them. 
> > # ls -ld /var /var/adm /var/adm/krb5 /var/adm/krb5/tmp > drwxr-sr-x 20 root sys 512 Jan 3 1997 /var > drwxr-sr-x 9 root sys 1024 Sep 26 04:05 /var/adm > drwx--s--x 3 root root 512 Sep 19 15:10 /var/adm/krb5 > drwx-wx-wt 2 root other 512 Sep 19 15:10 /var/adm/krb5/tmp > > From kreymer@fnal.gov Mon Oct 2 15:35:33 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA10416 for ; Mon, 2 Oct 2000 15:35:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T009V9L78V7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Oct 2000 15:35:33 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00082745@listserv.fnal.gov>; Mon, 02 Oct 2000 15:35:33 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 6408 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Oct 2000 15:35:33 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00082744@listserv.fnal.gov>; Mon, 02 Oct 2000 15:35:33 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G1T00BSHL786V@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Oct 2000 15:35:32 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA03199; Mon, 02 Oct 2000 15:35:28 -0500 (CDT) Date: Mon, 02 Oct 2000 15:35:28 -0500 From: Matt Crawford Subject: Re: kcroninit and kerberos In-reply-to: "02 Oct 2000 14:06:47 CDT." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Gabriele Garzoglio Cc: James_Amundson , kerberos-pilot@fnal.gov Message-id: <200010022035.PAA03199@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 461 > Yet, cron cannot write on my afs area: the crontable does a > > /usr/krb5/bin/kcron /bin/date > ~garzogli/cron/test > but I get errors like > >/bin/sh: /afs/fnal.gov/files/home/room2/garzogli/cron/test: Permission > denied > > Is this a config problem again or there's something I miss? There's a unix subtlety at work against you. With the command you've written above, the shell is trying to open the output file before executing any of the command on the left of the ">". Well, at that point in time you have no Kerberos ticket and no AFS token. Here's what works: 28 15 2 10 * /usr/krb5/bin/kcron "date > /afs/fnal.gov/files/home/room2/crawdad/cronout" You can't use the "~" notation for your home directory because the command in quotes is parsed by the Bourne shell. You could do 28 15 2 10 * /usr/krb5/bin/kcron "csh -c '/bin/date > ~garzogli/cron/test'" or 28 15 2 10 * /usr/krb5/bin/kcron "/bin/date > $HOME/cron/test" Or put you command(s), including output redirection, in a shell script and run that. 
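The redirection subtlety Matt describes in the message above can be made visible without Kerberos or AFS at all. The following is an added example, not part of any message in this thread: `fake_kcron` is a hypothetical stand-in for the kcron wrapper whose only "setup" step is creating the output directory (the role played in real life by acquiring the ticket and AFS token). With the redirection outside the wrapper, the calling shell opens the output file before the wrapper runs and fails; with the redirection inside the quoted command string, the shell that the wrapper spawns performs it after setup. As with `$HOME` in Matt's crontab line, `$OUTDIR` inside the double quotes is expanded by the outer shell before the wrapper ever sees the string.

```sh
#!/bin/sh
# Added example, not part of the kerberos-pilot thread. A POSIX shell performs
# a simple command's redirections BEFORE it runs the command, so in
#     kcron /bin/date > ~garzogli/cron/test
# the output file is opened while kcron has not yet obtained any credentials.
# fake_kcron (hypothetical) models the wrapper; its setup step is "mkdir".

# fake_kcron CMD: do the "setup" (stands in for acquiring credentials), then
# hand CMD to /bin/sh -c, as a credential wrapper does with its argument.
fake_kcron() {
    mkdir -p "$OUTDIR"
    /bin/sh -c "$1"
}

# Wrong form: the redirection belongs to the calling shell, which tries to
# open $OUTDIR/out before fake_kcron runs. The directory does not exist yet,
# so the open fails and fake_kcron is never invoked at all.
run_wrong() {
    rm -rf "$OUTDIR"
    if fake_kcron 'date' 2>/dev/null > "$OUTDIR/out"; then
        printf 'unexpectedly succeeded\n'; return 1
    fi
    if [ -d "$OUTDIR" ]; then
        printf 'setup ran, which should not happen\n'; return 1
    fi
    printf 'redirection failed before the wrapper ran\n'
}

# Right form: the redirection is inside the quoted command string, so it is
# performed by the shell that fake_kcron spawns, after setup has happened.
run_right() {
    rm -rf "$OUTDIR"
    fake_kcron "date > $OUTDIR/out" || { printf 'wrapper failed\n'; return 1; }
    [ -s "$OUTDIR/out" ] || { printf 'no output written\n'; return 1; }
    printf 'output written after setup\n'
}

# Stand-alone demo; the directory is constructed under $TMPDIR (or /tmp).
OUTDIR=${TMPDIR:-/tmp}/kcron-demo.$$
run_wrong
run_right
rm -rf "$OUTDIR"
```

Run it with `sh kcron-demo.sh`; the first line reports that the redirection failed before the wrapper ran, the second that the output was written once the command string carried its own redirection. The third variant Matt gives, a shell script that contains the redirection, works for the same reason: the script's shell runs after kcron has done its work.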
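Matt's earlier diagnosis of the `/var/adm` permissions (quoted in Gabriele's message above) turns on a rule that is easy to forget: the kernel applies exactly one permission class per directory, owner, else group, else other, and never falls back to a more permissive class. So `drwx-----x root g023` lets every user traverse `/var/adm` except members of g023. The following added example, not part of any message in this thread, models that rule over a path listing so the denying component can be pointed at; the listings are constructed from the `ls -ld` fields Gabriele posted (mode, owner, group and path only) and from the same tree after the suggested `chmod 711 /var/adm`.

```sh
#!/bin/sh
# Added example, not part of the kerberos-pilot thread: a model of how Unix
# decides whether a user may "search" (x) each directory on a path. One
# permission class is chosen per component: owner if the uid matches,
# otherwise group if the user is in the owning group, otherwise other.

# member_of GROUP "G1 G2 ..." -> 0 if GROUP is in the space-separated list.
member_of() {
    for g in $2; do
        if [ "$g" = "$1" ]; then return 0; fi
    done
    return 1
}

# can_search USER "GROUPS" MODE OWNER GROUP
# MODE/OWNER/GROUP are the fields printed by "ls -ld". Sets CLASS and TRIPLE
# to the class that was applied and its rwx bits; returns 0 if search is
# allowed.
can_search() {
    if [ "$1" = "$4" ]; then
        CLASS=owner; TRIPLE=$(printf '%s\n' "$3" | cut -c2-4)
    elif member_of "$5" "$2"; then
        CLASS=group; TRIPLE=$(printf '%s\n' "$3" | cut -c5-7)
    else
        CLASS=other; TRIPLE=$(printf '%s\n' "$3" | cut -c8-10)
    fi
    # x, s (setgid plus x) and t (sticky plus x) grant search; S, T and - do not.
    case "$TRIPLE" in
        ??[xst]) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_path USER "GROUPS" LISTING
# LISTING has one "MODE OWNER GROUP PATH" line per component, root-most
# first. Prints "ok" or the first component that denies search; the return
# status matches.
check_path() {
    result=ok
    while read -r mode owner group dir; do
        [ -n "$mode" ] || continue
        if ! can_search "$1" "$2" "$mode" "$owner" "$group"; then
            result="denied at $dir (class $CLASS, bits $TRIPLE)"
            break
        fi
    done <<EOF
$3
EOF
    printf '%s\n' "$result"
    [ "$result" = ok ]
}

# Constructed from the listing Gabriele posted (mode, owner, group, path only).
POSTED_LISTING='drwxr-xr-x root root /var
drwx-----x root g023 /var/adm
drwx--s--x root root /var/adm/krb5'

# The same tree after Matt's suggested "chmod 711 /var/adm".
FIXED_LISTING='drwxr-xr-x root root /var
drwx--x--x root g023 /var/adm
drwx--s--x root root /var/adm/krb5'

# Stand-alone demo: the three cases discussed in the thread.
printf 'garzogli (member of g023), as posted:  '; check_path garzogli g023 "$POSTED_LISTING" || :
printf 'a user not in g023, as posted:         '; check_path timm users "$POSTED_LISTING" || :
printf 'garzogli after chmod 711 /var/adm:     '; check_path garzogli g023 "$FIXED_LISTING" || :
```

The same function is handy when a daemon that drops to a service account cannot reach its spool or keytab directory: feed it the `ls -ld` fields for each component and the account's group list, and it names the component whose class bits deny the traversal instead of leaving you to guess which of `-` or `S` is the culprit.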
From kreymer@fnal.gov Thu Oct 5 14:17:50 2000 -0500
Date: Thu, 05 Oct 2000 12:14:26 -0700
From: Charles Leggett
Subject: Implications of installing FNAL kerberos on Linux
To: FNAL Kerberos-Pilot list
Message-id: <39DCD312.12327FE7@lbl.gov>
Organization: Lawrence Berkeley National Laboratory

I'm considering installing the FNAL version of kerberos (strengthened
mode with ssh) on my offsite LINUX box. However, I'm worried about
the implications. According to the guide put out by compdiv, installing
this ups kit will "disable all other [non-ssh] non-kerberized means of
accessing the node". This seems to imply that it will remove su/login/etc,
which would require root access. Does this mean that the ups kit will
put stuff in places other than the standard /fnal/ups area, and will
also require to be installed as root? This goes against the whole
idea of ups/upd.

Also, once installed, is it possible to un-install?

regards, Charles.
--
+---------------------------------------------------------------------+
| Charles Leggett                 | CGLeggett@lbl.gov                 |
| Lawrence Berkeley National Lab  | HCG / NERSC : Atlas / D0          |
| 1 Cyclotron Road, MS 50B-3238   |                                   |
| Berkeley, CA 94720              | Eagles may soar, but weasels don't|
| (510) 495-2930 room: 50B-3201   | get sucked into jet engines.      |
+------------------- http://annwm.lbl.gov/~leggett -------------------+

From kreymer@fnal.gov Thu Oct 5 15:30:16 2000 -0500
Date: Thu, 05 Oct 2000 15:30:14 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: Implications of installing FNAL kerberos on Linux
In-reply-to: <39DCD312.12327FE7@lbl.gov>
To: Charles Leggett
Cc: FNAL Kerberos-Pilot list

On Thu, 5 Oct 2000, Charles Leggett wrote:
> I'm considering installing the FNAL version of kerberos (strengthened
> mode with ssh) on my offsite LINUX box. However, I'm worried about
> the implications. According to the guide put out by compdiv, installing
> this ups kit will "disable all other [non-ssh] non-kerberized means of
> accessing the node". This seems to imply that it will remove su/login/etc,
> which would require root access. Does this mean that the ups kit will
> put stuff in places other than the standard /fnal/ups area, and will
> also require to be installed as root? This goes against the whole
> idea of ups/upd.

Simply installing the kerberos product does not make any of these
changes; there is a separate step to have changes made to your
system's configuration. Documentation on this is on the web, at

    http://www.fnal.gov/docs/products/kerberos/

and while most of it discusses installation for systems internal to
the "strengthened realm" at Fermilab, the page

    http://www.fnal.gov/docs/products/kerberos/README.INSTALL.DETAILS

discusses several other options for configuring your system.

Similarly there is a separate InstallAsRoot action for the ssh product
to put its files in the system config directories on your system.

Marc Mengel

From kreymer@fnal.gov Fri Oct 6 16:08:30 2000 -0500
Date: Fri, 06 Oct 2000 16:08:28 -0500
From: Glenn Cooper
Subject: Kerberized ssh on non-AFS systems
To: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

Hi folks,

We've tried the kerberized ssh v1_2_27, and it works fine, except...
When I connect I get this message:

--
ssh b0rv11
Last login: Fri Oct  6 11:34:02 2000

[DOE warning snipped]

aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))

[another DOE warning; I know, I know]
[login messages, etc.]
--

I'm logged in just fine, but before I run this on a big machine I
would like to get rid of the AFS message--otherwise we'll have a
whole bunch of worried users. We don't use AFS. Is there an easy
way to get rid of the message?

Thanks,
Glenn

From kreymer@fnal.gov Mon Oct 9 09:02:01 2000 -0500
Date: Mon, 09 Oct 2000 09:02:00 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Kerberized ssh on non-AFS systems
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200010091402.e99E20V03257@fsui03.fnal.gov>

Look in the /etc/krb5.conf file. Part of the installation of kerberos
on b0rv11 should have written a krb5.conf file that either turns aklog
ON or OFF (true or false in the file). I forget how it determines
whether or not you're running AFS...

... and it may be that the ssh portion ignores these lines (the
kerberized ssh was a local modification which may need updating)...

If the krb5.conf file is wrong, then you should be able to fix things
by just editing that file. In that case, somebody should look at the
krb5 configuration scripts and figure out why it thought that b0rv11
was running kerberos (and fix it).

If the krb5.conf file is correct, then I suspect the kerberized ssh
stuff needs to be tweaked...

-- lauri

On Friday 6 October 2000, our friend Glenn Cooper spaketh thusly:
> Hi folks,
>
> We've tried the kerberized ssh v1_2_27, and it works fine, except...
> When I connect I get this message:
>
> --
> ssh b0rv11
> Last login: Fri Oct  6 11:34:02 2000
>
> [DOE warning snipped]
>
> aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))
>
> [another DOE warning; I know, I know]
> [login messages, etc.]
> --
>
> I'm logged in just fine, but before I run this on a big machine I
> would like to get rid of the AFS message--otherwise we'll have a
> whole bunch of worried users. We don't use AFS. Is there an easy
> way to get rid of the message?
>
> Thanks,
> Glenn

From kreymer@fnal.gov Mon Oct 9 09:08:10 2000 -0500
Date: Mon, 09 Oct 2000 09:08:10 -0500
From: lauri@fnal.gov (Laurelin of Middle Earth, 630-840-2214)
Subject: re: Kerberized ssh on non-AFS systems
To: lauri@fnal.gov
Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov
Reply-to: lauri@fnal.gov
Message-id: <200010091408.e99E8A103484@fsui03.fnal.gov>

On Monday 9 October 2000, our friend Laurelin of Middle Earth, 630-840-2214 spaketh thusly:
> ...
> If the krb5.conf file is wrong, then you should be able to fix
> things by just editing that file. In that case, somebody should
> look at the krb5 configuration scripts and figure out why it thought
> that b0rv11 was running kerberos (and fix it).

Of course, I meant to figure out why it thought that b0rv11 was running
AFS .... too early in the morning...

-- l.

From kreymer@fnal.gov Mon Oct 9 11:12:00 2000 -0500
Date: Mon, 09 Oct 2000 11:11:43 -0500
From: Matt Crawford
Subject: Re: Kerberized ssh on non-AFS systems
In-reply-to: "06 Oct 2000 16:08:28 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: <200010091611.LAA19701@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 467 > aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc)) Try adding AFSRunAklog no to /etc/sshd_config and restarting sshd. Let me know if that does it. From kreymer@fnal.gov Mon Oct 9 11:16:48 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15900 for ; Mon, 9 Oct 2000 11:16:48 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G26007M17VZ8X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Oct 2000 11:16:47 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00086C1B@listserv.fnal.gov>; Mon, 09 Oct 2000 11:16:47 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25498 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Oct 2000 11:16:47 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00086C1A@listserv.fnal.gov>; Mon, 09 Oct 2000 11:16:47 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G26006GO7VY2A@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Oct 2000 11:16:46 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA18468; Mon, 09 Oct 2000 11:16:46 -0500 Date: Mon, 09 Oct 2000 11:16:46 -0500 From: Glenn Cooper Subject: re: Keberized ssh on non-AFS systems In-reply-to: <200010091402.e99E20V03257@fsui03.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov 
Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 468 Thanks, Lauri. Here are the relevant portions of my krb5.conf file: -- # krb5conf v0_6 (without afs) on node b0rv11 automatic update 06Jun2000 ... [instancemapping] afs = { cron = "" cron/* = "" } ... [appdefaults] ... login = { krb5_run_aklog = false krb5_get_tickets = true krb4_get_tickets = false krb4_convert = false } -- The krb5.conf file wasn't changed when I installed ssh v1_2_27. Note also that the /etc/sshd_config file contains: -- # AFSRunAklog yes # AFSSetpag yes -- So it appears that the aklog lines in krb5.conf are correct (no AFS), and either the kerberized ssh needs a change to actually read them, or perhaps the AFS lines in sshd_config should be un-commented (and "yes" changed to "no")? Cheers, Glenn On Mon, 9 Oct 2000, Laurelin of Middle Earth, 630-840-2214 wrote: > Look in the /etc/krb5.conf file. Part of the installation of > kerberos on b0rv11 should have written a krb5.conf file that either > turns aklog ON or OFF (true or false in the file). I forget how it > determines whether or not you're running AFS... > > ... and it may be that the ssh portion ignores these lines (the > kerberized ssh was a local modification which may need updating)... > > If the krb5.conf file is wrong, then you should be able to fix > things by just editing that file. In that case, somebody should > look at the krb5 configuration scripts and figure out why it thought > that b0rv11 was running kerberos (and fix it). > > If the krb5.conf file is correct, then I suspect the kerberized ssh > stuff needs to be tweaked... > > -- lauri > > On Friday 6 October 2000, > our friend Glenn Cooper spaketh thusly: > > > Hi folks, > > > > We've tried the kerberized ssh v1_2_27, and it works fine, except... 
> > When I connect I get this message: > > > > -- > > ssh b0rv11 > > Last login: Fri Oct 6 11:34:02 2000 > > > > [DOE warning snipped] > > > > aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc)) > > > > [another DOE warning; I know, I know] > > [login messages, etc.] > > > > > > -- > > > > I'm logged in just fine, but before I run this on a big machine I > > would like to get rid of the AFS message--otherwise we'll have a > > whole bunch of worried users. We don't use AFS. Is there an easy > > way to get rid of the message? > > > > Thanks, > > Glenn > From kreymer@fnal.gov Mon Oct 9 11:21:14 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15907 for ; Mon, 9 Oct 2000 11:21:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G260089683D5B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Oct 2000 11:21:14 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00086C32@listserv.fnal.gov>; Mon, 09 Oct 2000 11:21:14 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25521 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Oct 2000 11:21:14 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00086C31@listserv.fnal.gov>; Mon, 09 Oct 2000 11:21:13 -0500 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G26005HR83DK1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Oct 2000 11:21:13 -0500 (CDT) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA18569; Mon, 09 Oct 2000 11:21:13 -0500 Date: Mon, 09 Oct 2000 11:21:13 -0500 From: Glenn Cooper Subject: 
Re: Keberized ssh on non-AFS systems In-reply-to: <200010091611.LAA19701@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 469 Thanks, Matt, that did it. (Ignore the message I just sent--your reply came in while I was typing the previous one.) Cheers, Glenn On Mon, 9 Oct 2000, Matt Crawford wrote: > > aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc)) > > Try adding > > AFSRunAklog no > > to /etc/sshd_config and restarting sshd. Let me know if that does it. > From kreymer@fnal.gov Tue Oct 10 08:52:32 2000 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA06784 for ; Tue, 10 Oct 2000 08:52:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G2700E2AVVJYG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Oct 2000 08:52:31 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00087B0F@listserv.fnal.gov>; Tue, 10 Oct 2000 08:52:32 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29527 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 10 Oct 2000 08:52:31 -0500 Received: from gungnir.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00087B0E@listserv.fnal.gov>; Tue, 10 Oct 2000 08:52:31 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA23031; Tue, 10 Oct 2000 08:52:15 -0500 (CDT) Date: Tue, 10 Oct 2000 08:52:15 -0500 From: Matt Crawford Subject: Re: Implications of installing FNAL kerberos on Linux In-reply-to: "05 Oct 2000 12:14:26 PDT." 
<39DCD312.12327FE7@lbl.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Charles Leggett Cc: FNAL Kerberos-Pilot list Message-id: <200010101352.IAA23031@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 470 > I'm considering installing the FNAL version of kerberos (strengthened > mode with ssh) on my offsite LINUX box. However, I'm worried about > the implications. According to the guide put out by compdiv, installing > this ups kit will "disable all other [non-ssh] non-kerberized means of > accessing the node". This seems to imply that it will remove su/login/etc, > which would require root access. The quoted words should have a "network" thrown in the middle, since installation does not touch su, nor does it touch login unless you perform an additional, optional step. But yes, the last phase of a complete installation must be done as root and it does + create a new directory /usr/krb5 and things beneath + add some service (port) definitions to /etc/services if they aren't already present + add new files /etc/krb5.conf and /etc/krb5.keytab + alter /etc/inetd.conf to enable kerberized services and disable non-kerberized ones, then send SIGHUP to inetd + if "keep-ssh" isn't chosen, /etc/sshd_config is also altered > Does this mean that the ups kit will > put stuff in places other than the standard /fnal/ups area, and will > also require to be installed as root? Yes. > This goes against the whole idea of ups/upd. No, not the whole idea. There are other products that have to have at least some portion of their installtion done as root. Believe me, a lot of people considered for a long time the question of where and how the kerberos programs would be installed. > Also, once installed, is it possible to un-install? The 2 or 3 (depending on options) altered files in /etc are saved. Moving the saved copies back to the original names has the effect of removing the Kerberos product. Deleting the new files may then be done safely if desired. 
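Matt's list of what the root phase writes under /etc, and the earlier exchange in which Glenn's krb5.conf said krb5_run_aklog = false while sshd kept running aklog until "AFSRunAklog no" went into /etc/sshd_config, both come down to checking a few /etc files after the install. The script below is an added example, not the Fermilab kit's or the list's own code: it parses constructed snippets modelled on the files quoted in the thread and reports the aklog mismatch plus any non-kerberized network service still enabled in inetd.conf. It assumes that an absent or commented-out AFSRunAklog leaves aklog enabled (which matches what Glenn saw) and that the kerberized daemons live under /usr/krb5 (the directory the install creates); both are assumptions, and the sample inetd.conf lines are made up.

```python
"""Post-install check of the /etc files the thread discusses.

Added example, not the Fermilab kit's code.  The three sample files are
constructed for the example, modelled on the fragments quoted in the thread.
"""

SSHD_CONFIG = """\
# AFSRunAklog yes
# AFSSetpag yes
"""

KRB5_CONF = """\
# krb5conf v0_6 (without afs) on node b0rv11 automatic update 06Jun2000
[instancemapping]
    afs = {
        cron = ""
        cron/* = ""
    }
[appdefaults]
    login = {
        krb5_run_aklog = false
        krb5_get_tickets = true
    }
"""

# inetd.conf fields: service type proto flags user program args.
# The /usr/krb5 telnetd path and the plain ftpd line are made up.
INETD_CONF = """\
#telnet stream tcp nowait root /usr/sbin/in.telnetd in.telnetd
telnet  stream tcp nowait root /usr/krb5/sbin/telnetd telnetd
ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
"""

PLAIN_NET_SERVICES = {"telnet", "ftp", "login", "shell", "exec"}
KRB_PREFIX = "/usr/krb5/"  # assumption: kerberized daemons live under /usr/krb5

def sshd_runs_aklog(text, default=True):
    """Effective AFSRunAklog value.  Comment lines never count, so the
    "# AFSRunAklog yes" Glenn found leaves the default in force; taking that
    default to be "yes" is an assumption drawn from the thread's symptom."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "afsrunaklog":
            return parts[1].strip().lower() in ("yes", "true")
    return default

def parse_krb5_conf(text):
    """Parse the krb5.conf subset the thread shows: [section] headers,
    key = value lines and key = { ... } groups (nesting allowed)."""
    conf, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            stack = [conf.setdefault(line[1:-1], {})]
        elif line == "}":
            stack.pop()
        elif stack:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value.strip('"')
    return conf

def krb5_conf_runs_aklog(text):
    """krb5_run_aklog under [appdefaults] login as a bool, or None if unset."""
    login = parse_krb5_conf(text).get("appdefaults", {}).get("login", {})
    value = login.get("krb5_run_aklog")
    return None if value is None else value.lower() == "true"

def enabled_plain_services(text):
    """Enabled inetd services that should be kerberized but whose daemon
    is not under KRB_PREFIX."""
    found = []
    for raw in text.splitlines():
        fields = raw.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        service, program = fields[0], fields[5]
        if service in PLAIN_NET_SERVICES and not program.startswith(KRB_PREFIX):
            found.append(service)
    return found

def audit(sshd_text=SSHD_CONFIG, krb5_text=KRB5_CONF, inetd_text=INETD_CONF):
    """Return the list of findings; an empty list means the files agree."""
    findings = []
    if sshd_runs_aklog(sshd_text) and krb5_conf_runs_aklog(krb5_text) is False:
        findings.append("sshd will run aklog although krb5.conf sets "
                        "krb5_run_aklog = false; add 'AFSRunAklog no' to "
                        "/etc/sshd_config and restart sshd")
    for svc in enabled_plain_services(inetd_text):
        findings.append(f"inetd.conf still enables non-kerberized {svc}")
    return findings

if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

Run against a real host by reading /etc/sshd_config, /etc/krb5.conf and /etc/inetd.conf into the three arguments of audit(). The point of checking all three together is the one the thread makes: sshd reads its own AFSRunAklog directive, not the krb5.conf appdefaults, so the files can disagree and only the sshd_config setting decides whether aklog runs at login.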
From kreymer@fnal.gov Mon Oct 30 16:06:33 2000 -0600
Date: Mon, 30 Oct 2000 16:06:50 -0600
From: Dane Skow
Subject: RSSAPI error KDC038
To: kerberos-pilot@fnal.gov
Message-id: <003301c042bd$b41b15e0$f8703981@oss56304>
Organization: Fermilab

I am getting this error from my WRQ client programs (telnet and ftp)
when I try to connect to fully strengthened FNAL systems from here at
JLAB. I am using their DHCP server to get a network address, but I do
not understand that this should block the service (it should be
transmitting my Kerberos ticket regardless of the node name, I thought).

I verified that this problem was reproducible on both unferth and
D0mino, both of which I had been successful connecting to from the
same machine/client on the FNAL LAN (using a DHCP address there too).

The exact error message is:

    Incorrect Network Address (KDC038)

Sounds like there may be a misconfiguration of my machine, a problem
with the JLab firewall, some sort of address lookup failure, or a bug.
Any ideas on how to track it down ?

dane

From kreymer@fnal.gov Mon Oct 30 16:24:58 2000 -0600
Date: Mon, 30 Oct 2000 16:24:56 -0600
From: Matt Crawford
Subject: Re: RSSAPI error KDC038
In-reply-to: "30 Oct 2000 16:06:50 CST." <003301c042bd$b41b15e0$f8703981@oss56304>
To: Dane Skow
Cc: kerberos-pilot@fnal.gov
Message-id: <200010302224.QAA11732@gungnir.fnal.gov>

> Incorrect Network Address (KDC038)

I can't find any sign that you obtained any Kerberos credential
yesterday or today, nor can I find any request for a service ticket
for unferth yesterday or today. When did this happen? And what IP
address does your laptop think it is using? My first suspicion is
that jlab is doing NAT and if I am right, then in your place I would
shout loudly and belligerently (and uselessly) at everyone within
earshot.

From kreymer@fnal.gov Mon Oct 30 16:36:51 2000 -0600
Date: Mon, 30 Oct 2000 16:36:20 -0600
From: "Mark O. Kaletka"
Subject: RE: RSSAPI error KDC038
In-reply-to: <003301c042bd$b41b15e0$f8703981@oss56304>
To: Dane Skow , kerberos-pilot@fnal.gov

JLAB uses network address translation (NAT) in their firewall to
"hide" their internal addresses, i.e. your address to the outside
world is different from the address your machine thinks it has. This
security feature makes a number of things just about impossible
(including Kerberos).

Basically the error you're getting is saying the address the ticket
was requested for (the address your machine actually has internally)
doesn't match the address the request was actually sent from (the
address NAT gives to the external world).

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Dane Skow
> Sent: Monday, October 30, 2000 4:07 PM
> To: kerberos-pilot@fnal.gov
> Subject: RSSAPI error KDC038
>
> I am getting this error from my WRQ client programs (telnet and ftp)
> when I try to connect to fully strengthened FNAL systems from here at
> JLAB.
> [...]
>
> The exact error message is:
>
> Incorrect Network Address (KDC038)
>
> [...]
>
> dane

From kreymer@fnal.gov Tue Oct 31 08:18:09 2000 -0600
Date: Tue, 31 Oct 2000 08:18:07 -0600
From: Matt Crawford
Subject: Re: RSSAPI error KDC038
In-reply-to: "30 Oct 2000 16:36:20 CST."
To: "Mark O. Kaletka"
Cc: Dane Skow , kerberos-pilot@fnal.gov
Message-id: <200010311418.IAA13823@gungnir.fnal.gov>

> JLAB uses network address translation (NAT) in their firewall to "hide"
> their internal addresses, i.e. your address to the outside world is
> different from the address your machine thinks it has. This security feature
> makes a number of things just about impossible (including Kerberos).

NAT is not a security feature. I could make a good case that it
isn't a "feature" of any sort.

Why is it not a security feature? Consider the machines being
"hidden" by the NAT.

Case 1: consider a host not offering a given service
  Case 1a: There's no "external" address that translates to the
    "internal" address of this host.
    Then this is just the same as a host screened by a simple
    border router filter. No more, no less.
  Case 1b: Some external address is translated to the host's
    internal address.
    A badguy can then get some packets to the host. Since the
    host ignores or rejects packets addressed to that service, this
    is the same as if no address translation had been done.
Case 2: a host which does offer some particular service
  Case 2a: No external address translates to this internal address.
    Same as case 1a. Effectively, the service is only offered
    internal to the site.
  Case 2b: Some external address does translate to the host's
    internal address.
    The packet reaches the host, and the host processes it
    according to its own access controls. What is gained?

The only positive value I can see to NAT is to share a small supply
of globally-routable IP addresses among a larger number of end
systems. Shortage of global addresses is to a large degree
artificial, induced by panicky tight-fisted controls imposed by ARIN
on ISPs. I do not believe for a moment this shortage affects an
institution such as Jefferson lab.

> Basically the error you're getting is saying the address the ticket was
> requested for (the address your machine actually has internally) doesn't
> match the address the request was actually sent from (the address NAT gives
> to the external world).

But if it is indeed NAT that Dane is suffering from, this is the
reason why Kerberos logins fail.

From kreymer@fnal.gov Tue Oct 31 09:22:26 2000 -0600
Date: Tue, 31 Oct 2000 09:18:42 -0600 (CST)
From: "David J. Fagan"
Subject: Re: RSSAPI error KDC038
To: kerberos-pilot@fnal.gov
Message-id: <200010311518.JAA31195@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
In-hurl-to: (Your message of Tue, 31 Oct 2000 08:18:07 CST.) <200010311418.IAA13823@gungnir.fnal.gov>

Dane, Mark, etc
I think everyone's on Kerberos-pilot and doesn't need several copies.

I did get proxy gateways to work w/ NAT on my DSL but only have built
the code for SGI. So far this gets you in but doesn't forward the
right principals for the proxy'd machine. I actually think I can make
that work too but I'm not sure it's worth it. I'll just use my home
machine for point of origin or kinit.

I have to agree that NAT is somewhat evil but I have no choice and if
you're trying with NT, 3 months you could do it maybe 6 months to do
it right.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Tuesday, Matt Crawford:
> > JLAB uses network address translation (NAT) in their firewall to "hide"
> > their internal addresses, i.e. your address to the outside world is
> > different from the address your machine thinks it has. This security feature
> > makes a number of things just about impossible (including Kerberos).
>
> NAT is not a security feature. I could make a good case that it
> isn't a "feature" of any sort.
>
> [...]
>
> But if it is indeed NAT that Dane is suffering from, this is the
> reason why Kerberos logins fail.
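Mark's and Matt's explanations above come down to one server-side comparison: a Kerberos ticket can carry the client's network addresses, and a request that arrives from an address not in that list is refused. The script below is an added example, not the list's, Fermilab's or any Kerberos implementation's code: it models that comparison with the address Dane reported (129.57.112.248) on the inside and a constructed external address (192.0.2.10, from the documentation range) standing in for what a NAT gateway would present, and contrasts an address-bound ticket with an addressless one. The principal name is illustrative; the `noaddresses` flag mirrors the real MIT krb5 [libdefaults] option of that name, but whether the WRQ client offers an equivalent is not something the thread says.

```python
"""Model of the client-address check behind "Incorrect Network Address".

Added example; not the list's, Fermilab's or any Kerberos implementation's
code.  A ticket may carry the client's network addresses; the KDC (on a
ticket-granting request) or a service compares them with the source
address the request actually arrived from.  Behind NAT those differ,
which is the failure Mark describes.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNAL_ADDR = "129.57.112.248"   # the address Dane's laptop reported
NAT_EXTERNAL_ADDR = "192.0.2.10"   # constructed stand-in for the NAT'd address
PRINCIPAL = "user@PILOT.FNAL.GOV"  # illustrative principal in the realm the thread names


@dataclass
class Ticket:
    client: str
    addresses: list = field(default_factory=list)  # empty list = addressless ticket


def request_ticket(client, local_addresses, noaddresses=False):
    """What the client library asks the KDC for: by default a ticket bound to
    its own interface addresses; with noaddresses (MIT krb5 [libdefaults]
    'noaddresses = true') an addressless ticket."""
    return Ticket(client, [] if noaddresses else list(local_addresses))


def check_request(ticket, observed_src):
    """The server-side comparison.  Returns (accepted, reason)."""
    src = ipaddress.ip_address(observed_src)
    if not ticket.addresses:
        return True, "addressless ticket: nothing to compare"
    bound = [ipaddress.ip_address(a) for a in ticket.addresses]
    if src in bound:
        return True, f"{src} is listed in the ticket"
    return False, (f"Incorrect Network Address: ticket bound to "
                   f"{', '.join(map(str, bound))} but request came from {src}")


def simulate(noaddresses=False):
    """Present the same ticket from the FNAL LAN (no NAT) and from behind NAT.
    Returns (accepted_on_lan, accepted_behind_nat, reason_behind_nat)."""
    ticket = request_ticket(PRINCIPAL, [INTERNAL_ADDR], noaddresses)
    lan_ok, _ = check_request(ticket, INTERNAL_ADDR)        # source == own address
    nat_ok, why = check_request(ticket, NAT_EXTERNAL_ADDR)  # NAT rewrote the source
    return lan_ok, nat_ok, why


if __name__ == "__main__":
    for flag in (False, True):
        lan_ok, nat_ok, why = simulate(flag)
        print(f"noaddresses={flag}: LAN ok={lan_ok}, behind NAT ok={nat_ok} ({why})")
```

The address binding is a weak control (NAT, VPNs and multi-homed hosts all break it, and it only limits where a stolen credential cache can be used from), which is why MIT krb5 later made noaddresses default to true. From a defender's side the useful diagnostic is the one Matt asked for: compare the address the client thinks it has with the address the KDC or service logs for the request, and a mismatch points at translation somewhere on the path.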
From kreymer@fnal.gov Tue Oct 31 10:41:29 2000 -0600
Date: Tue, 31 Oct 2000 10:41:50 -0600
From: Dane Skow
Subject: Re: RSSAPI error KDC038
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <003e01c04359$77a31260$f8703981@oss56304>
References: <200010302224.QAA11732@gungnir.fnal.gov>

----- Original Message -----
From: "Matt Crawford"
To: "Dane Skow"
Sent: Monday, October 30, 2000 4:24 PM
Subject: Re: RSSAPI error KDC038

> > Incorrect Network Address (KDC038)
>
> I can't find any sign that you obtained any Kerberos credential
> yesterday or today, nor can I find any request for a service ticket
> for unferth yesterday or today. When did this happen? And what IP
> address does your laptop think it is using? My first suspicion is
> that jlab is doing NAT and if I am right, then in your place I would
> shout loudly and belligerently (and uselessly) at everyone within
> earshot.

I just authenticated again to the PILOT.FNAL.GOV domain and got a tgt
in the WRQ display. The time is 10:35 CST. It is supposed to be valid
until 11:33PM Oct 31.

My local network information is:
    IP address       129.57.112.248
    Subnet mask      255.255.255.0
    Default Gateway: 129.57.112.1

Hmm. The plot thickens: now when I try to telnet to D0mino the WRQ
client asks me for my KRB password (when I had a valid ticket from
the Kerberos Manager in WRQ -- I thought it should take that ?) and
then I can login (just did it). Looks like NAT isn't the end of the
story.

dane

From kreymer@fnal.gov Tue Oct 31 10:55:33 2000 -0600
Date: Tue, 31 Oct 2000 10:51:34 -0600
From: Dane Skow
Subject: Re: RSSAPI error KDC038
To: Dane Skow , Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <004401c0435a$d3fc0340$f8703981@oss56304>
References: <200010302224.QAA11732@gungnir.fnal.gov> <003e01c04359$77a31260$f8703981@oss56304>

----- Original Message -----
From: "Dane Skow"
To: "Matt Crawford"
Sent: Tuesday, October 31, 2000 10:41 AM
Subject: Re: RSSAPI error KDC038

> ----- Original Message -----
> From: "Matt Crawford"
> To: "Dane Skow"
> Sent: Monday, October 30, 2000 4:24 PM
> Subject: Re: RSSAPI error KDC038
>
> > > Incorrect Network Address (KDC038)
> > [...]
>
> I just authenticated again to the PILOT.FNAL.GOV domain and got a tgt in
> the WRQ display. The time is 10:35 CST. It is supposed to be valid until
> 11:33PM Oct 31.
>
> My local network information is:
> IP address 129.57.112.248
> Subnet mask 255.255.255.0
> Default Gateway: 129.57.112.1
>
> Hmm.
The plot thickens: now when I try to telnet to D0mino the WRQ client > asks me for my KRB password (when I had a valid ticket from the Kerberos > Manager in WRQ -- I thought it should take that ?) and then I can login > (just > did it). Looks like NAT isn't the end of the story.

Now everything is working properly. I think the root problem was that I had two instances of my dane@PILOT.FNAL.GOV principal defined in the WRQ Kerberos Manager (don't ask me how). Evidently, credentials obtained by one of these instances were not available to the default principal. If I deleted the non-default principal and cleared all the tickets and regot them, both telnet and ftp are working fine for me now.

I can't explain how any of this would be related to the address error I saw yesterday.

dane

> > dane

From kreymer@fnal.gov Tue Oct 31 11:09:15 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA07397 for ; Tue, 31 Oct 2000 11:09:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3B00L2I0VA2M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 31 Oct 2000 11:06:47 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000969FC@listserv.fnal.gov>; Tue, 31 Oct 2000 11:06:46 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 95033 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 31 Oct 2000 11:06:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000969FB@listserv.fnal.gov>; Tue, 31 Oct 2000 11:06:46 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3B00HKS0VAC9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 31 Oct 2000
11:06:46 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA14514; Tue, 31 Oct 2000 11:06:46 -0600 (CST) Date: Tue, 31 Oct 2000 11:06:45 -0600 From: Matt Crawford Subject: Re: RSSAPI error KDC038 In-reply-to: "31 Oct 2000 10:51:34 CST." <004401c0435a$d3fc0340$f8703981@oss56304> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Message-id: <200010311706.LAA14514@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 478

> Now everything is working properly. I think the root problem was
> that I had two instances of my dane@PILOT.FNAL.GOV principal defined
> in the WRQ Kerberos Manager (don't ask me how). Evidently,
> credentials obtained by one of these instances were not available
> to the default principal. If I deleted the non-default principal
> and cleared all the tickets and regot them, both telnet and ftp are
> working fine for me now.
>
> I can't explain how any of this would be related to the address error I saw
> yesterday.

Um, DHCP changed your address in between getting tickets for one "dane" and attempting to use them? We may never know, as I still can't find a thing about "dane" in any KDC log file.
From kreymer@fnal.gov Tue Oct 31 11:16:59 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA07405 for ; Tue, 31 Oct 2000 11:16:59 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3B00JM91A1D8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 31 Oct 2000 11:15:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00096A17@listserv.fnal.gov>; Tue, 31 Oct 2000 11:15:37 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 95061 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 31 Oct 2000 11:15:37 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00096A16@listserv.fnal.gov>; Tue, 31 Oct 2000 11:15:37 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3B00JHU1A08F@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 31 Oct 2000 11:15:37 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA14584; Tue, 31 Oct 2000 11:15:36 -0600 (CST) Date: Tue, 31 Oct 2000 11:15:36 -0600 From: Matt Crawford Subject: Re: RSSAPI error KDC038 In-reply-to: "31 Oct 2000 10:51:34 CST." <004401c0435a$d3fc0340$f8703981@oss56304> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Message-id: <200010311715.LAA14584@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 479 And *now* I find your log entries. You're using the slave KDC exclusively *and* it hadn't been rolling over to the current week's log file for the last 11 weeks, because its logging configuration is different from the master KDC. 
There are no "incorrect net address" errors in the log and it shows all your requests coming from the same address as you said your laptop thinks it has. It must have all been due to the two-dane phenomenon. I'm glad I don't have to put down the JLab folks as a bunch of NATtering nabobs of nihilism.

From kreymer@fnal.gov Tue Nov 7 14:19:31 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA28024 for ; Tue, 7 Nov 2000 14:19:30 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O00IIM8G8IZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Tue, 07 Nov 2000 14:19:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C765@listserv.fnal.gov>; Tue, 07 Nov 2000 14:19:17 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 120737 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Tue, 07 Nov 2000 14:19:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C763@listserv.fnal.gov>; Tue, 07 Nov 2000 14:19:17 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O00IL48G5CO@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Tue, 07 Nov 2000 14:19:17 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA07508 for ; Tue, 07 Nov 2000 14:19:16 -0600 (CST) Date: Tue, 07 Nov 2000 14:19:16 -0600 From: Matt Crawford Subject: Cryptocards available ! Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200011072019.OAA07508@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 480

After many tribulations, I can again offer Cryptocards.
I will begin initializing those for the people who have been on the list longest, to minimize delays picking them up, but if you are on the list at all and show up in person, I'll prepare your card next. Reminder: you'll have to present your ID and the name of your Kerberos principal. If you haven't sent it already (and most of you *have*), I need to record your Kerberos principal Fermi ID number Name Institution & Experiment (for employees, division or section) The place: FCC 336 -- east side of Feynman Center, 3rd floor, not far from the elevator. The times: Tuesday 11/7 now until 4:30 PM Wednesday 11/8 4:00 - 5:00 PM Thursday 11/9 9:00 - 10:00 AM and 2:00 - 4:00 PM and more times to be announced later. From kreymer@fnal.gov Tue Nov 7 15:44:29 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28107 for ; Tue, 7 Nov 2000 15:44:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O000CSCE38N@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 07 Nov 2000 15:44:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C918@listserv.fnal.gov>; Tue, 07 Nov 2000 15:44:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121232 for CDF_COMP_UPG@LISTSERV.FNAL.GOV; Tue, 07 Nov 2000 15:44:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C917@listserv.fnal.gov>; Tue, 07 Nov 2000 15:44:27 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G3O00ML3CE33U@smtp.fnal.gov> for cdf_comp_upg@listserv.fnal.gov (ORCPT cdf_comp_upg@fnal.gov); Tue, 07 Nov 2000 15:44:27 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov 
(950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA08744 for ; Tue, 07 Nov 2000 15:44:26 -0600 Date: Tue, 07 Nov 2000 15:44:26 -0600 From: Glenn Cooper Subject: How to obtain a CryptoCard Sender: owner-cdf_comp_upg@listserv.fnal.gov To: cdf_comp_upg@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 481

CryptoCards are now available for those who need one (typically if you need to use nodes that do not/cannot have Kerberos software installed, to connect to Kerberized nodes like fcdfsgi2). To request a card, please send the following information:

    Kerberos principal (normally your username at Fermilab)
    Fermi ID number
    Name
    Institution & Experiment (for Fermilab employees, division or section)

to cdfsys@fnal.gov. We will forward the information, and you should be notified within a few days. If you are at Fermilab, you can pick up your card in person (please bring your lab ID card). If you are not at the lab, we can mail your card to you--be sure to indicate this in your request. We have a reasonable but not infinite supply, so please request a card only if you have a specific use in mind for it.

Thanks,
Glenn

---------- Forwarded message ----------
Date: Fri, 27 Oct 2000 16:20:56 -0500 From: Glenn Cooper Reply-To: gcooper@fnal.gov To: cdf_comp_upg@fnal.gov, cdf_exec_board@fnal.gov Newsgroups: fnal.cdf.cdf, fnal.cdf.comp_upg Subject: Next steps in Kerberos implementation

Dear Colleagues,

As many of you know, the laboratory is in the middle of a plan to improve computer security. One component of this will use the Kerberos authentication protocol for access to central computers, and eventually to all CDF nodes at Fermilab. This note is to outline how this will work for Fermilab machines, and also to describe the plan's implications for computers at remote institutions.
Access to the central Run II analysis servers fcdfsgi2 and fcdfsun1 will be restricted to only Kerberos authentication beginning Monday, November 27. This means that the current alternate route, using ssh through cdfsga, will no longer work--so everyone will need access to a Kerberos-aware client or to a CryptoCard (described below).

We'll comment here on a few frequently-asked questions. See:

    http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html

for examples and more details.

Installation
============

The best/easiest way to use Kerberos methods is to have the needed software installed on your desktop computer. For Linux or other Unix systems, the needed software goes under /usr/krb5; if this directory exists on your machine, then the needed software has almost certainly been installed. For Windows systems, the lab recommends the WRQ Reflection package; again, if your machine has this, you are probably ready to go.

If the Kerberos client software is not yet on your workstation, see the URL above for installation instructions for Unix systems. (Most workstations in the CDF trailers already have Kerberos software installed. If yours doesn't, send mail to cdfsys@fnal.gov to request installation on nodes that are managed by the CDF Task Force.) For Windows systems, please see:

    http://www.fnal.gov/docs/strongauth/html/winadmin.html

Must my university machine be fully kerberized?
===============================================

In short, no, if "fully kerberized" means "allowing access only with Kerberos authentication". The policy of the Fermilab security team is that offsite nodes using Kerberos client software to connect to Fermilab nodes should not allow anyone to log in using insecure (i.e., unencrypted) methods. The point is that if someone logs in using an unencrypted link, then types his/her Kerberos password to get a ticket, the password could be exposed. So ssh is OK, and Kerberos is OK, but old-style telnet or rlogin access should be turned off on those nodes.

What changes will kerberos installation make to system areas?
=============================================================

Installing the kerberos client programs (so you can go from your desktop or university machine to an FNAL machine) adds files under the new area /usr/krb5, and modifies the /etc/inetd.conf and /etc/services files to allow only kerberos or ssh access. This should be transparent except for shutting down the insecure login methods, if they were not already disabled.

What if I use an X-terminal, or a VMS machine, or...?
=====================================================

From any station that does not have Kerberos client software installed, you can use a CryptoCard along with, e.g., the old clear-text telnet program. A CryptoCard is the size of a credit card, and functions as a very specialized calculator. See

    http://www-cdf.fnal.gov/offline/runii/fcdfsgi2/krb5_quickstart.html#CryptoCard

for more details, and for information on obtaining a CryptoCard.

But ssh has many nice features I don't want to give up.
=======================================================

Fermilab now has available a Kerberos-aware ssh. With a valid Kerberos ticket, you'll be able to use this ssh to log in to Kerberos-only nodes, and still get ssh's encryption modes, X tunneling, and so forth. The current version is ssh v1_2_27 (not 1_2_27_tcp), available through UPD.

I've forgotten my Kerberos password.
====================================

Send mail to compdiv@fnal.gov and ask to have it reset.

If you have any questions, please send mail to cdfsys@fnal.gov.
The CDF Computing and Analysis Department From kreymer@fnal.gov Tue Nov 7 15:50:17 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28119 for ; Tue, 7 Nov 2000 15:50:17 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O001AACNS57@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 07 Nov 2000 15:50:16 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C930@listserv.fnal.gov>; Tue, 07 Nov 2000 15:50:16 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121260 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 07 Nov 2000 15:50:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C92F@listserv.fnal.gov>; Tue, 07 Nov 2000 15:50:16 -0600 Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O000CRCNRTQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 07 Nov 2000 15:50:16 -0600 (CST) Received: from [128.97.22.48] (benn.physics.ucla.edu [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id NAA18686 for ; Tue, 07 Nov 2000 13:44:38 -0800 (PST) Date: Tue, 07 Nov 2000 13:49:54 -0800 From: Benn Tannenbaum Subject: Kerberos on Suns Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 482 I've done some poking around on my Sun machine here at UCLA. I see that it comes with K4 installed in some fashion. How hard would it be for me to get connectivity from here to FNAL using this software? 
Is there a K5 release for Sun? -Benn

From kreymer@fnal.gov Tue Nov 7 15:53:25 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28141 for ; Tue, 7 Nov 2000 15:53:25 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O00MMZCT03U@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 07 Nov 2000 15:53:24 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C942@listserv.fnal.gov>; Tue, 07 Nov 2000 15:53:24 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121278 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 07 Nov 2000 15:53:24 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009C941@listserv.fnal.gov>; Tue, 07 Nov 2000 15:53:24 -0600 Received: from b0sun01.fnal.gov ([131.225.232.72]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3O000K6CSZCZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 07 Nov 2000 15:53:23 -0600 (CST) Date: Tue, 07 Nov 2000 15:53:23 -0600 (CST) From: Stephan Lammel Subject: Re: Kerberos on Suns In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 483

Hello Benn, there is a Sun version of the Fermilab kerberos package in the upd database. I have it installed on my desktop and use it all the time. Take a look at the installation instructions and give it a try...
cheers, Stephan From kreymer@fnal.gov Wed Nov 8 21:39:41 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA15323 for ; Wed, 8 Nov 2000 21:39:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3Q00IRDNI4N6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 08 Nov 2000 21:39:40 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009DC0D@listserv.fnal.gov>; Wed, 08 Nov 2000 21:39:40 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 126520 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 08 Nov 2000 21:39:40 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009DC0C@listserv.fnal.gov>; Wed, 08 Nov 2000 21:39:40 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G3Q00KH7NI32G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 08 Nov 2000 21:39:39 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id VAA12640 for ; Wed, 08 Nov 2000 21:39:39 -0600 Date: Wed, 08 Nov 2000 21:39:39 -0600 From: Glenn Cooper Subject: "Cannot contact any KDC for requested realm" error Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 484 Hi folks, A CDF collaborator tried installing the Fermi kerberos product on his Linux (FRHL 6.1.1) box at CERN, hostname scpc41.unige.ch. 
The upd/ups installs apparently went fine, and his krb5.conf file looks fine to me--at least, it's very similar to files on nodes here at the lab. When he tries to kinit, he gets the message shown below. Any idea what's wrong? (I'll leave the rest of his message in case it has any more clues, but I think the key part is the error at the start.)

Thanks,
Glenn

On Wed, 8 Nov 2000, Yanwen Liu wrote:

> Hi,
>
> I have some complaints:
>
> 1) I followed the "Quick Start for Kerberos..". I expected at least the
> client to be ready. But I always get
> --------
> [yliu@scpc41 yliu]$ kinit
> Password for yliu@PILOT.FNAL.GOV:
> kinit: Cannot contact any KDC for requested realm while getting initial
> credentials
> ---------
> I don't know what is wrong.
>
> On a node in the trailers, where a working example exists, I found an
> extra secured file /etc/krb5.keytab. I am wondering where it's from,
> whether that is the reason ...
>
> 2) After the "installation" (which is just a black box to me, I only
> executed the commands suggested by the guide), I noticed that source
> code was also installed at
> /usr/products/kerberos/v0_6/Linux+2.2/src/
> I tried to compile it myself because I found that there are a lot of
> things missing according to the guide (krb5kdc, for example). But I never
> succeeded. I suspect that the source code is just for Unix. (I
> concluded that because of the file
> /usr/products/kerberos/v0_6/Linux+2.2/src/afs/aklog_main.c: around line
> 76....)
>
> Shortly speaking, I am confused...
> I mean, Kerberos is something completely new to me. It is quite
> silly to see that after the "blind" installation, /etc/inetd.conf is
> modified such that the 'classic' ftpd, telnetd are disabled, Kerberos
> doesn't behave as indicated in the guide, and I can not even compile the
> source at hand...
>
> What would you suggest?
> Thanks,
>
> Yanwen
>
> ----
> For the installation, I did the following (following the "Quick
> Start..."):
> hostname : scpc41.unige.ch
> as user products:
>     upd install kerberos -G "-c"
> as root:
>     ups install-keep-ssh kerberos

From kreymer@fnal.gov Thu Nov 9 14:01:33 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA02614 for ; Thu, 9 Nov 2000 14:01:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3R00HSHWXB9B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 09 Nov 2000 14:00:47 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009E3DE@listserv.fnal.gov>; Thu, 09 Nov 2000 14:00:47 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 2140 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 09 Nov 2000 14:00:47 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009E3DD@listserv.fnal.gov>; Thu, 09 Nov 2000 14:00:47 -0600 Received: from fnal.gov ([131.225.80.179]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3R00M0FWXABD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 09 Nov 2000 14:00:46 -0600 (CST) Date: Thu, 09 Nov 2000 14:00:46 -0600 From: Joseph Boyd Subject: rdist and kerberos Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A0B026E.F5F9C0A3@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 485

I can't get rdist to work with the kerberos clients/servers. Just a real simple test fails when I use /usr/krb5/bin/rsh but works when I use /usr/bsd/rsh. It looks like the rdist/rdistd programs aren't getting stdin/stdout or something??? Any suggestions?

joe

PS: I did the timeout of 30 seconds just so I didn't have to wait to send this mail. If I leave the default 900 second timeout it fails exactly the same.

d0test 1:58pm ~ 23 > cat rdist_test_file
HOSTS = ( boyd@d0mino )
FILES = ( /tmp/boyd )
${FILES} -> ${HOSTS}
        install -oremove,chknfs /tmp/boyd;

d0test 1:58pm ~ 24 > rdist -f rdist_test_file -P /usr/bsd/rsh -t 30
boyd@d0mino: updating host d0mino
boyd@d0mino: /tmp/boyd/joe: installing
boyd@d0mino: updating of boyd@d0mino finished

d0test 1:58pm ~ 25 > rdist -f rdist_test_file -P /usr/krb5/bin/rsh -t 30
boyd@d0mino: updating host d0mino
boyd@d0mino: LOCAL ERROR: Response time out
boyd@d0mino: updating of boyd@d0mino finished

From kreymer@fnal.gov Fri Nov 10 10:01:13 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA19302 for ; Fri, 10 Nov 2000 10:01:13 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00LAKGI0V1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 10 Nov 2000 10:01:12 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009EDB0@listserv.fnal.gov>; Fri, 10 Nov 2000 10:01:12 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 4843 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 10 Nov 2000 10:01:12 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009EDAF@listserv.fnal.gov>; Fri, 10 Nov 2000 10:01:12 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00LDNGHZVH@smtp.fnal.gov> for
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 10 Nov 2000 10:01:11 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA15279; Fri, 10 Nov 2000 10:01:02 -0600 (CST) Date: Fri, 10 Nov 2000 10:01:02 -0600 From: Matt Crawford Subject: Re: Kerberos on Suns In-reply-to: "07 Nov 2000 13:49:54 PST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: <200011101601.KAA15279@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 486

> I've done some poking around on my Sun machine here at UCLA. I see that it
> comes with K4 installed in some fashion. How hard would it be for me to get
> connectivity from here to FNAL using this software?

I don't think you could really do it. There's a Kerberos v4 compatibility feature, but it's geared toward letting a v5 user get access to v4 services -- the opposite of what you want.

> Is there a K5 release for Sun?

You could download straight MIT Kerberos (http://web.mit.edu/kerberos/www) and copy our configuration file, or install our software, which is especially easy if you have UPS/UPD already. I believe Solaris 2.8 may come with Kerberos v5, but I haven't checked.
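The forwarded CDF note earlier in this thread says that installing the Fermi kerberos client rewrites /etc/inetd.conf so that only Kerberized or ssh logins remain, because a Kerberos password typed over a cleartext session is exposed to anyone on the path. Whether the client came from UPD or from MIT, as Matt suggests above, the resulting inetd.conf is worth checking. Below is an added check for that state, written for this page rather than taken from the list or from the Fermi product: it parses an inetd.conf and reports which active entries still offer a cleartext login or file-transfer path. Two assumptions are mine, not the list's: Kerberized daemons live under /usr/krb5 (the prefix the FAQ names), and the authentication-only flags are the ones in MIT's sample inetd.conf, `telnetd -a valid` and `ftpd -a`. The sample inetd.conf is constructed.

```python
"""Audit an inetd.conf for cleartext login and file-transfer services.

Added example for the kerberos-pilot thread; not code from the list or
from the Fermi kerberos product.  Assumptions (mine): Kerberized daemons
live under /usr/krb5, and the authentication-only flags are those of
MIT's sample inetd.conf, ``telnetd -a valid`` and ``ftpd -a``.
"""
from dataclasses import dataclass

KRB5_PREFIX = "/usr/krb5/"
KERBEROS_ONLY = {"klogin", "eklogin", "kshell"}   # klogind/kshd, no password path
R_SERVICES = {"login", "shell", "exec"}           # BSD r-services, never encrypted


@dataclass
class Entry:
    lineno: int
    service: str
    program: str
    flags: tuple      # server arguments after argv[0]
    enabled: bool     # False for a commented-out service line


def parse_inetd_conf(text):
    """Entries for every active or commented-out service line.

    Format: service socktype proto wait user program [argv0 args...].
    Ordinary comments do not parse as a service line and are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        if len(fields) < 6 or fields[1] not in ("stream", "dgram"):
            continue
        service, _socktype, _proto, _wait, _user, program, *args = fields
        entries.append(Entry(lineno, service, program, tuple(args[1:]), enabled))
    return entries


def classify(entry):
    """'kerberized', 'cleartext' or 'other' for one service entry."""
    service, flags = entry.service, entry.flags
    krb5_daemon = entry.program.startswith(KRB5_PREFIX)
    if service in KERBEROS_ONLY:
        return "kerberized"
    if service in R_SERVICES:
        return "cleartext"
    if service == "telnet":
        # Without "-a valid" (or the stricter "-a user") even the Kerberized
        # telnetd falls back to a password prompt over the cleartext session.
        strict = any(flags[i] == "-a" and flags[i + 1] in ("valid", "user")
                     for i in range(len(flags) - 1))
        return "kerberized" if krb5_daemon and strict else "cleartext"
    if service == "ftp":
        return "kerberized" if krb5_daemon and "-a" in flags else "cleartext"
    return "other"


def audit(text):
    """Map verdict -> [(lineno, service)]; disabled lines are listed apart."""
    report = {"cleartext": [], "kerberized": [], "disabled": [], "other": []}
    for entry in parse_inetd_conf(text):
        verdict = classify(entry) if entry.enabled else "disabled"
        report[verdict].append((entry.lineno, entry.service))
    return report


# Constructed sample of a half-converted host; not from any real machine.
SAMPLE_INETD_CONF = """\
# inetd.conf after a partial Kerberos conversion (constructed sample)
ftp      stream  tcp  nowait  root   /usr/krb5/sbin/ftpd     ftpd -a
#telnet  stream  tcp  nowait  root   /usr/sbin/in.telnetd    in.telnetd
telnet   stream  tcp  nowait  root   /usr/krb5/sbin/telnetd  telnetd -a valid
login    stream  tcp  nowait  root   /usr/sbin/in.rlogind    in.rlogind
#shell   stream  tcp  nowait  root   /usr/sbin/in.rshd       in.rshd
klogin   stream  tcp  nowait  root   /usr/krb5/sbin/klogind  klogind -k -c
eklogin  stream  tcp  nowait  root   /usr/krb5/sbin/klogind  klogind -k -c -e
kshell   stream  tcp  nowait  root   /usr/krb5/sbin/kshd     kshd -k -c -A
finger   stream  tcp  nowait  nobody /usr/sbin/in.fingerd    in.fingerd
"""

if __name__ == "__main__":
    for verdict, items in audit(SAMPLE_INETD_CONF).items():
        for lineno, service in items:
            print("%-10s line %2d  %s" % (verdict, lineno, service))
```

The lines worth acting on are the enabled cleartext ones; in the sample that is `login` (rlogind). A `telnet` entry that points at the Kerberized telnetd but lacks `-a valid` is deliberately reported as cleartext too, since that daemon will still prompt for a password over the unencrypted session, which is exactly the exposure the FAQ describes.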
From kreymer@fnal.gov Fri Nov 10 10:57:55 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA22436 for ; Fri, 10 Nov 2000 10:57:55 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00L9QJ4JUY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 10 Nov 2000 10:57:55 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009EE3E@listserv.fnal.gov>; Fri, 10 Nov 2000 10:57:55 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 4996 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 10 Nov 2000 10:57:55 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009EE3D@listserv.fnal.gov>; Fri, 10 Nov 2000 10:57:55 -0600 Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00LOEJ4IVG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 10 Nov 2000 10:57:54 -0600 (CST) Received: from [128.97.22.48] (benn.physics.ucla.edu [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id IAA00115; Fri, 10 Nov 2000 08:52:15 -0800 (PST) Date: Fri, 10 Nov 2000 08:57:45 -0800 From: Benn Tannenbaum Subject: Re: Kerberos on Suns In-reply-to: <200011101601.KAA15279@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 487 on 10/11/00 8:01 AM, Matt Crawford spake thusly: >> Is there a K5 release for Sun? 
> > You could download straight MIT Kerberos > (http://web.mit.edu/kerberos/www) and copy our configuration file, or > install our software, which is especially easy if you have UPS/UPD > already. I did that a few days back. There's a problem though. Our machines are part of a departmental cluster. I have root access on my machine, except to /usr/local. As you know, that's where the binaries, libraries, etc go for Kerberos. So... I can't install them in the proper location. The binaries have hard wired paths in them to find the needed libraries, and thus can't find the libraries. Our system manager is hesitant to put in the new executables, since he's not sure what that will do to other, non-Kerberized, users. Our (UCLA) temporary solution is to use a gateway machine here. We connect to it via ssh and then use Kerberos to connect from it to the machines at FNAL. We can connect just fine. There's one problem, however. We cannot use X, and here's why. To connect from my deskside Sun, I use ssh. That tunnels my X connection just fine. To connect from the local Kerberized machine to the machines at FNAL, I use Kerberized telnet. I can connect, but my display is not forwarded. That means that to open a window on my local host I have to setenv DISPLAY machine.physics.ucla.edu:0, and do an xhost +fcdfsgi2.fnal.gov. That's not really acceptable, since it opens up a whole new set of security holes. What's the best solution for this? Is there a kerberized ssh? Thanks.... 
-Benn From kreymer@fnal.gov Fri Nov 10 16:51:52 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA23066 for ; Fri, 10 Nov 2000 16:51:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00BGAZI7LS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 10 Nov 2000 16:51:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009F2D2@listserv.fnal.gov>; Fri, 10 Nov 2000 16:51:44 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 6293 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 10 Nov 2000 16:51:44 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009F2D1@listserv.fnal.gov>; Fri, 10 Nov 2000 16:51:44 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3T00E3VZI7JF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 10 Nov 2000 16:51:43 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA16839; Fri, 10 Nov 2000 16:51:42 -0600 (CST) Date: Fri, 10 Nov 2000 16:51:42 -0600 From: Matt Crawford Subject: Re: "Cannot contact any KDC for requested realm" error In-reply-to: "08 Nov 2000 21:39:39 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov, yliu@flan.gov Cc: kerberos-pilot@fnal.gov Message-id: <200011102251.QAA16839@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 488 > kinit: Cannot contact any KDC for requested realm while getting initial > credentials I suspect that some sort of firewall or packet-filtering rule at CERN has blocked your traffic. Our KDCs never saw any traffic from your IP address. 
(129.194.50.70) From kreymer@fnal.gov Sun Nov 12 18:29:45 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA05002 for ; Sun, 12 Nov 2000 18:29:45 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3X00GBSTD6K5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sun, 12 Nov 2000 18:29:30 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009FDDB@listserv.fnal.gov>; Sun, 12 Nov 2000 18:29:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 9386 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sun, 12 Nov 2000 18:29:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0009FDDA@listserv.fnal.gov>; Sun, 12 Nov 2000 18:29:30 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3X00DNPTD6PJ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sun, 12 Nov 2000 18:29:30 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id SAA20198; Sun, 12 Nov 2000 18:29:29 -0600 (CST) Date: Sun, 12 Nov 2000 18:29:28 -0600 From: Matt Crawford Subject: Re: Kerberos on Suns In-reply-to: "10 Nov 2000 08:57:45 PST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: <200011130029.SAA20198@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 489 > I did that a few days back. There's a problem though. Our machines are part > of a departmental cluster. I have root access on my machine, except to > /usr/local. As you know, that's where the binaries, libraries, etc go for > Kerberos. Actually, no. 
Right from the start we ran into clusters that were sharing a /usr/local among different CPU types, so we made the Kerberos stuff go into a new directory /usr/krb5. MIT sources can be configured to go anywhere. > Our (UCLA) temporary solution is to use a gateway machine here. We connect > to it via ssh and then use Kerberos to connect from it to the machines at > FNAL. We can connect just fine. There's one problem, however. We cannot use > X, and here's why. To connect from my deskside Sun, I use ssh. That tunnels > my X connection just fine. To connect from the local Kerberized machine to > the machines at FNAL, I use Kerberized telnet. I can connect, but my display > is not forwarded. That means that to open a window on my local host I have > to setenv DISPLAY machine.physics.ucla.edu:0, and do an xhost > +fcdfsgi2.fnal.gov. That's not really acceptable, since it opens up a whole > new set of security holes. You can use "magic cookie" authentication instead of xhost style, but... > What's the best solution for this? Is there a kerberized ssh? Yes. The "v1_2_27" revision of ssh in Fermi kits does Kerberos authentication. You'd have to see whether it has been installed on the Fermi machines of interest to you, since it's an independent product. 
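Two of the messages above come down to the same client-side check: Matt Crawford's advice to "download straight MIT Kerberos ... and copy our configuration file", and his diagnosis of the "Cannot contact any KDC for requested realm" error as a firewall or packet filter at the user's site blocking traffic to the KDCs. The Python below is an added example, not code from this list or from the Fermilab kits: it reads the [realms] stanza of a krb5.conf, lists the KDCs the client will try for a realm, and attempts a TCP connection to each, so a user can tell a local filter or a mistyped KDC host from a problem on the KDC side before writing to the admins. The sample krb5.conf is constructed for the example; only the realm name PILOT.FNAL.GOV appears in the thread, the kdc hostnames are placeholders in the reserved .invalid domain. The probe assumes the KDC also listens on TCP port 88 (MIT KDCs do), so a refusal or timeout is a hint to check the filter, not proof.

```python
"""List the KDCs a krb5.conf points at and check whether they are reachable.

Added example for the kerberos-pilot thread, not Fermilab software. The
config text and hostnames below are constructed; only the realm name
PILOT.FNAL.GOV comes from the messages.
"""
import re
import socket

# Constructed krb5.conf. The .invalid hostnames are placeholders, not real KDCs.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
    forwardable = true

[realms]
    PILOT.FNAL.GOV = {
        kdc = kdc1.pilot.invalid:88
        kdc = kdc2.pilot.invalid
        admin_server = kdc1.pilot.invalid
    }
    OTHER.EXAMPLE = {
        kdc = kdc.other.invalid:1088
    }

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
"""

DEFAULT_KDC_PORT = 88


def parse_kdcs(conf_text, realm):
    """Return [(host, port), ...] for the `kdc =` lines of `realm` in [realms].

    Handles the usual profile layout: bracketed section headers, one
    `REALM = {` ... `}` block per realm, and an optional :port on kdc lines.
    """
    kdcs = []
    in_realms = False
    in_block = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)
        if m:                                     # new section header
            in_realms = m.group(1) == "realms"
            in_block = False
            continue
        if not in_realms:
            continue
        if not in_block:
            m = re.match(r"(\S+)\s*=\s*\{$", line)
            if m and m.group(1) == realm:         # entering our realm's block
                in_block = True
            continue
        if line == "}":                           # end of our realm's block
            break
        m = re.match(r"kdc\s*=\s*(\S+)$", line)
        if m:
            host, _, port = m.group(1).rpartition(":")
            if not host:                          # no ':' given, use port 88
                host, port = port, DEFAULT_KDC_PORT
            kdcs.append((host, int(port)))
    return kdcs


def probe_kdc(host, port, timeout=2.0):
    """TCP connect to the KDC port; True on success, False on refusal/timeout.

    kinit tries UDP first, but a filter that drops 88/udp almost always drops
    88/tcp as well, so this is a cheap first check from the client side.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                               # refused, timed out, no DNS
        return False


def diagnose(conf_text, realm):
    """Map 'host:port' of each configured KDC to True (reachable) or False."""
    return {f"{h}:{p}": probe_kdc(h, p) for h, p in parse_kdcs(conf_text, realm)}


if __name__ == "__main__":
    for kdc, ok in diagnose(SAMPLE_KRB5_CONF, "PILOT.FNAL.GOV").items():
        print(kdc, "reachable" if ok else "NOT reachable (filter? wrong host?)")
```

To use it against a real installation, read /etc/krb5.conf (or the copy of the Fermilab file) into `diagnose` instead of the sample; if every configured KDC fails while `ping` to the same hosts works, the site filter is the first thing to ask about, which is what the reply above concluded from the KDC side.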
From kreymer@fnal.gov Mon Nov 13 09:39:08 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA02377 for ; Mon, 13 Nov 2000 09:39:08 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3Y001RFZGMMH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Mon, 13 Nov 2000 09:38:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A0258@listserv.fnal.gov>; Mon, 13 Nov 2000 09:38:43 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 10695 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Mon, 13 Nov 2000 09:38:43 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A0256@listserv.fnal.gov>; Mon, 13 Nov 2000 09:38:43 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3Y003HRZGIFU@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Mon, 13 Nov 2000 09:38:42 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA01516; Mon, 13 Nov 2000 09:38:39 -0600 (CST) Date: Mon, 13 Nov 2000 09:38:39 -0600 From: Matt Crawford Subject: Many Cryptocards are ready Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Cc: jhentges@fnal.gov, gcooper@fnal.gov, fagan@fnal.gov Message-id: <200011131538.JAA01516@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 490 I'll be away for two days now, so the cards ready to give out are with E. Judy Hentges in the Computing Division office in the Feynman Center first floor, west end. (That's the farther end if you drive in to the lot.) If you pick up your own card, she will give you the PIN and an instruction sheet. 
If you pick up a card for someone else from your institution and experiment, the PIN will be emailed to that person. Not every request has been filled yet, although I'm most of the way caught up. A list of all cards done since the new order came in is below, although most of those have been picked up and a few cards made for the D0 collaboration meeting 11 October which have not yet been picked up are not listed below. William Hamish Bell FNAL/PPD Gavin Hesketh Manchester/D0 Mikhail Merkine MGU/D0 Vladimir Korablev IHEP/D0 Elizabeth Gallas FNAL/CD Igor Sfiligoi INFN-Frascati/CDF J. Frederick Bartlett FNAL/PPD Edward Boos MGU/D0 Sharon Hagopian FSU/D0 Vladimir Sirotenko FNAL/PPD Geoff Savage FNAL/PPD Alexei Koubarovsky MGU/D0 Willem van Leeuwen NIKHEF/ Elemer Nagy CPPM/D0 Iain Bertram Lancaster/D0 Eric Kajfasz FNAL/PPD Sebastian Grinstein FNAL/PPD Maris Abolins MSU/D0 Andrew White UTA/D0 Richard Jesik Indiana/D0 Roberto Carosi INFN-Pisa/CDF Marian Zdrazil SUNYSB/D0 Wyatt Merritt FNAL/CD Julie Trumbo FNAL/CD William D. Shephard ND/D0 Merina Albert FNAL/CD Christophe Royon Saclay/D0 Bruno Thooris Saclay/D0 Francesco Palmonari FNAL/PPD Simona Rolli Tufts/D0 David Sachs FNAL/CD Alan Jonckheere FNAL/PPD J. 
Andrew Green ISU/D0 Guennadi Alexeev JINR-Dubna/D0 Nikolai Skatchkov JINR-Dubna/D0 Alexandre Lobodenko PNPI StP/D0 Karen Shepelak FNAL/CD Igor Mandrichenko FNAL/CD Slawek Tkaczyk FNAL/PPD Douglas Benjamin Duke/CDF Yen-Chu Chen Academia Sinica/CDF Zunjian Ke FNAL/PPD Yuji Takeuchi FNAL/PPD Xiaonan Li FNAL/PPD Alexandre Kalinine JINR-Dubna/D0 Barbro Asman Stockholm/D0 Michel Jaffre LAL-Orsay/D0 Maurizio Iori Roma/CDF Joseph Kaiser FNAL/CD Martin Vondermey UCLA/CDF Brian Connoly FSU/D0 Margaret Greaney FNAL/CD Vladislav Simak FZU-Prague/D0 Milos Lokajicek IP-Prague/D0 Karel Soustruznik CU-Prague/D0 Patrick Lukens FNAL/PPD Laurent Chevalier Saclay/D0 Huishun Mao FNAL/PPD Neal Cason ND/D0 Anna Goussiou SUNYSB/D0 Philippe Canal FNAL/CD Julie Torborg ND/D0 Robert Blair ANL/CDF Alvin Laasanen Purdue/CDF Wendy Wood UMD/D0 Ricardo Piegaia Buenos Aires/D0 Monica Lynker ND/D0 Mike Martens FNAL/BD Isard Dunietz INFN-Pisa/CDF Yuyi Guo FNAL/CD Dhiman Chakraborty SUNYSB/D0 Nirmalya Parua ISN-Grenoble/D0 Manas Maity BU/D0 Franco Spinella INFN-Pisa/D0 Hideki Takano FNAL/PPD Patrice Lebrun IPNL/D0 Morgan Lethmuillier Lyon/D0 Ursula Bassler LPHNE/D0 Gregorio Bernardi LPHNE/D0 Dmitri Bandourine JINR-Dubna/D0 Kyoung Hee Kim ISU/D0 Thomas Lecompte ANL/CDF Yan Song UTA/D0 Douglas G. Fong UMD/D0 Muriel Pivk LPHNE/D0 Bob Olivier IN2P3/D0 Evelyne Lebreton IN2P3/D0 Guy Muanza IPNL/D0 A. 
Jean Slaughter Yale/CDF Alan Sill TTU/CDF Konstantinos Papageorgiou UIC/D0 Florencia Canelli Rochester/D0 Bob Hirosky UVA/D0 Brian Winer OSU/CDF Kaushik De UTA/D0 Davod Toback TAMU/CDF Hugh Montgomery FNAL/PPD Evgueni Zverev MGU/D0 Xin Wu Geneva/CDF Pierre Petroff LAL-Orsay/D0 Frank Chlebana FNAL/PPD Daniela Bortoletto Purdue/CDF Reinhard Schwienhorst MSU/D0 Horst Wahl FSU/D0 Petra Merkel FNAL/PPD Michael Strang UTA/D0 Benn Tannenbaum UCLA/CDF David Dagenhart Brandeis/CDF Yanwen Liu Geneva/CDF Miroslav Siket FNAL/CD Carla Grosso-Pilcher UChicago/CDF Al Ito FNAL/PPD Lee Lueking FNAL/CD Dennis Shpakov NEU/D0 James Linneman MSU/D0 Hyunsoo Kim UIUC/CDF Carter Hall Harvard/CDF Tomothy Matthew Jones Penn/CDF Lorenzo Moneta Geneva/CDF William Lee FSU/D0 Craig Blocker Brandeis/CDF Matthew Martin Oxford/CDF Stephen Kuhlmann ANL/CDF Agnes Taffard Liverpool/CDF Fotis Ptohos INFN-Frascati/CDF Simone Donati INFN-Pisa/CDF So, to repeat, if your name is listed above, either your Cryptocard has already been picked up, or it is with Judy Hentges on FCC 1W. 
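Later in this archive Yen-Chu Chen reports that "kinit -R" on a ticket obtained minutes earlier fails with "KDC can't fulfill requested option renewing tgt", and Glenn Cooper's reply shows the cause: renewal only works on a ticket that was requested renewable with "kinit -r", which klist shows as a "renew until" line under the TGT. The Python below is an added example placed ahead of that exchange, not code from the list: it parses klist output in the format those two messages show and says whether a renewal should succeed now and, if not, which of the rules it breaks (no renewable flag, renewable life over, or ticket already expired, since an expired TGT cannot be renewed even inside its renewable life). The two sample outputs are transcribed from the thread; the MM/DD/YY date format is the one that klist printed and is an assumption to adjust for a newer klist.

```python
"""Explain from klist output why `kinit -R` will or will not renew the TGT.

Added example for the 'can't renew a ticket' exchange on kerberos-pilot,
not Fermilab software. The two klist samples are transcribed from that thread.
"""
import re
from datetime import datetime

# klist output as posted by Yen-Chu Chen: ticket obtained without -r.
KLIST_NOT_RENEWABLE = """\
Ticket cache: /tmp/krb5cc_1949
Default principal: chenyc@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/15/00 11:06:24  11/16/00 13:06:24  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
11/15/00 11:08:24  11/16/00 13:06:24  host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV
"""

# klist output as posted by Glenn Cooper after `kinit -r 7d`.
KLIST_RENEWABLE = """\
Ticket cache: /tmp/krb5cc_6045
Default principal: gcooper@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/15/00 11:52:46  11/16/00 13:52:46  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 11/22/00 11:52:41
"""

# Two-digit-year format used by the klist of that era (assumption; a newer
# klist prints four-digit years or ISO dates, change TIME_FMT accordingly).
TIME_FMT = "%m/%d/%y %H:%M:%S"
STAMP = r"\d\d/\d\d/\d\d \d\d:\d\d:\d\d"
TICKET_RE = re.compile(rf"^({STAMP})\s+({STAMP})\s+(\S+)$")
RENEW_RE = re.compile(rf"^\s*renew until ({STAMP})$")


def parse_klist(text):
    """Return a list of dicts: start, expires, service, renew_until (or None)."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            tickets.append({
                "start": datetime.strptime(m.group(1), TIME_FMT),
                "expires": datetime.strptime(m.group(2), TIME_FMT),
                "service": m.group(3),
                "renew_until": None,
            })
            continue
        m = RENEW_RE.match(line)
        if m and tickets:
            # a 'renew until' line belongs to the ticket printed just above it
            tickets[-1]["renew_until"] = datetime.strptime(m.group(1), TIME_FMT)
    return tickets


def diagnose_renew(text, now_str):
    """Say whether `kinit -R` would succeed at `now_str` (same format as klist)."""
    now = datetime.strptime(now_str, TIME_FMT)
    tgts = [t for t in parse_klist(text) if t["service"].startswith("krbtgt/")]
    if not tgts:
        return "no-tgt: nothing to renew, run kinit"
    tgt = tgts[0]
    if tgt["renew_until"] is None:
        return "not-renewable: ticket was not requested with kinit -r"
    if now > tgt["renew_until"]:
        return "renew-window-closed: renewable life is over, run kinit again"
    if now > tgt["expires"]:
        return "expired: even a renewable TGT must be renewed before it expires"
    return "ok: kinit -R should succeed"


if __name__ == "__main__":
    print(diagnose_renew(KLIST_NOT_RENEWABLE, "11/15/00 11:20:00"))
    print(diagnose_renew(KLIST_RENEWABLE, "11/15/00 12:00:00"))
```

For the batch-job use Yen-Chu mentions, the practical rule this encodes is: obtain the ticket with "kinit -r <renewable life>", and renew it from the job with "kinit -R" at intervals shorter than the ticket lifetime, since a ticket that is allowed to expire cannot be renewed no matter how much renewable life remains.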
From kreymer@fnal.gov Mon Nov 13 11:07:14 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA02627 for ; Mon, 13 Nov 2000 11:07:14 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3Z004V13H9YX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Mon, 13 Nov 2000 11:05:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A0482@listserv.fnal.gov>; Mon, 13 Nov 2000 11:05:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 11307 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Mon, 13 Nov 2000 11:05:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A0480@listserv.fnal.gov>; Mon, 13 Nov 2000 11:05:30 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G3Z008653H6OE@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Mon, 13 Nov 2000 11:05:30 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA01989 for ; Mon, 13 Nov 2000 11:05:26 -0600 (CST) Date: Mon, 13 Nov 2000 11:05:26 -0600 From: Matt Crawford Subject: Next Cryptocard "office hours" Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200011131705.LAA01989@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 491 Next "office hours" (FCC 336): Wednesday 15 November 2:00 - 3:00 PM Thursday 16 November 9:00 - 10:00 AM If you receive email that your card is ready, you can come outside those hours, but not before Wednesday 1:30 PM, please, as I'll be away. 
By the end of the week I hope to be able to issue Palm software tokens again, which a number of you are requesting. Remember, if requesting a Cryptocard by email, send your Kerberos account name (should be the same as your FNAL email name), Fermi ID number, full name and affiliation (FNAL div/sec or home institution plus experiment). And once again, cards that are already prepared are with Judy Hentges on FCC 1W. From kreymer@fnal.gov Wed Nov 15 11:41:32 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA23195 for ; Wed, 15 Nov 2000 11:41:32 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4200CPUUH7Y9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 11:41:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23A9@listserv.fnal.gov>; Wed, 15 Nov 2000 11:41:32 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20061 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 11:41:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23A7@listserv.fnal.gov>; Wed, 15 Nov 2000 11:41:31 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G4200DHTUH7ES@smtp.fnal.gov>; Wed, 15 Nov 2000 11:41:31 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA08587; Wed, 15 Nov 2000 11:41:30 -0600 Date: Wed, 15 Nov 2000 11:41:30 -0600 From: Glenn Cooper Subject: Re: Problem installing kerberos Sender: owner-kerberos-pilot@listserv.fnal.gov To: Ivan Vila Alvarez Cc: kerberos-pilot@fnal.gov, cdfsys@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type:
TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 492 Hi, I don't know what went wrong, so I am forwarding your mail to the experts on the kerberos-pilot list. Can any of you Kerberos and/or UPD experts help? Thanks, Glenn

---------- Forwarded message ----------
Date: Wed, 15 Nov 2000 11:24:27 -0600
From: Ivan Vila Alvarez
To: cdfsys@fnal.gov
Subject: installing kerberos

Hello,

After following your steps, specified in your page "Quick start for kerberos user", for installing kerberos, the installation failed in the step upd install kerberos -G "c" when retrieving the software from the UPS/UPD server.

    dist_archive_file = "ftp://fnkits.fnal.gov/ftp/products/kcommon/v1_0/NULL/kcommon_v1_0_NULL.tar"
    dist_database = "/ftp/upsdb"
    dist_prod_dir = "/ftp/products/kcommon/v1_0/NULL/kcommon_v1_0_NULL"
    dist_table_dir = "/ftp/products/kcommon/v1_0/NULL"
    dist_table_file = "kcommon_v1_0_NULL.table"
    dist_ups_dir = "/ftp/products/kcommon/v1_0/NULL/kcommon_v1_0_NULL/ups"
    flavor_dash = "NULL"
    foundby = "current"
    modified = "2000-05-19 18.54.19 GMT:2000-05-19 18.54.19 GMT"
    origin = ""
    prod_dir = "kcommon/v1_0"
    propriety = "HASH(0x8576870)"
    qualifiers_dash = ""
    table_file = "kcommon.table"
    unwind_prod_dir = "/kcommon/v1_0"
    unwind_table_dir = "/kcommon/v1_0/ups"
    unwind_ups_dir = "/kcommon/v1_0/ups"
    ups_dir = "ups"
    Warning: need to declare chain for product, but it doesn't exist.
    product name = "kcroninit"
    version = "v0_6"
    flavor = "NULL"
    qualifiers = ""
    @prod_dir = "/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL"
    @table_file = "/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL.table"
    @ups_dir = "/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL/ups"
    _upd_overlay = ""
    base_flavor = "NULL"
    description = ""
    dist_archive_file = "ftp://fnkits.fnal.gov/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL.tar"
    dist_database = "/ftp/upsdb"
    dist_prod_dir = "/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL"
    dist_table_dir = "/ftp/products/kcroninit/v0_6/NULL"
    dist_table_file = "kcroninit_v0_6_NULL.table"
    dist_ups_dir = "/ftp/products/kcroninit/v0_6/NULL/kcroninit_v0_6_NULL/ups"
    flavor_dash = "NULL"
    foundby = "current"
    modified = "2000-05-25 16.14.13 GMT:2000-05-23 15.38.24 GMT"
    origin = ""
    prod_dir = "kcroninit/v0_6"
    propriety = "HASH(0x8578074)"
    qualifiers_dash = ""
    table_file = "kcroninit.table"
    unwind_prod_dir = "/kcroninit/v0_6"
    unwind_table_dir = "/kcroninit/v0_6/ups"
    unwind_ups_dir = "/kcroninit/v0_6/ups"
    ups_dir = "ups"
    upd install failed.

Then I tried again and now setup upd also failed (during the first try it was okay) and the error messages that I've got are:

    ERROR: No instance matches were made between the version file (/usr/products/upsdb/perl/v5_005.version) and the table file (perl.table) for flavor (Linux+2) and qualifiers ()
    ERROR: Possible UPS database (/usr/products/upsdb) corruption in product 'perl'.
    ERROR: No instance matches were made between the chain file (/usr/products/upsdb/perl/current.chain) and the version file (v5_005.version)
    ERROR: Possible UPS database (/usr/products/upsdb) corruption in product 'perl'.
    ERROR: No instance matches were made between the version file (/usr/products/upsdb/perl/v5_005.version) and the table file (perl.table) for flavor (Linux+2) and qualifiers ()
    ERROR: Possible UPS database (/usr/products/upsdb) corruption in product 'perl'.
    ERROR: No instance matches were made between the chain file (/usr/products/upsdb/perl/current.chain) and the version file (v5_005.version)
    ERROR: Possible UPS database (/usr/products/upsdb) corruption in product 'perl'.

It seems that after trying to install kerberos the perl package broke. Any idea about what is going wrong?

Thanks,
Ivan

From kreymer@fnal.gov Wed Nov 15 11:42:18 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA23199 for ; Wed, 15 Nov 2000 11:42:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4200CNRUIIWK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 11:42:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23AF@listserv.fnal.gov>; Wed, 15 Nov 2000 11:42:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20067 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 11:42:18 -0600 Received: from hycppc05.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23AE@listserv.fnal.gov>; Wed, 15 Nov 2000 11:42:18 -0600 Received: from localhost (chenyc@localhost) by hycppc05.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA03449 for ; Wed, 15 Nov 2000 11:42:17 -0600 Date: Wed, 15 Nov 2000 11:42:17 -0600 (EST) From: Yen-Chu Chen Subject: can't renew a ticket Sender: owner-kerberos-pilot@listserv.fnal.gov To: FNAL Kerberos-Pilot list Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: hycppc05.fnal.gov: chenyc owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 493

Hi,

I tried to renew a ticket which I created minutes before I issued the command. I got the following error.
========================================================================
[chenyc@ipas01 ~/test]# klist
Ticket cache: /tmp/krb5cc_1949
Default principal: chenyc@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/15/00 11:06:24  11/16/00 13:06:24  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
11/15/00 11:08:24  11/16/00 13:06:24  host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV
[chenyc@ipas01 ~/test]# kinit -R
kinit: KDC can't fulfill requested option renewing tgt
[chenyc@ipas01 ~/test]#
========================================================================

Is there a time limitation on when one can renew the ticket? Or is there something wrong with what I am doing?

This is part of my test toward batch job submission.

Best regards, Yen-Chu Chen chenyc@fnal.gov Office: (630) 840-3225, FAX: (630) 840-3867 (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Wed Nov 15 11:54:33 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA23218 for ; Wed, 15 Nov 2000 11:54:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4200DJQV2VLM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 11:54:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23FE@listserv.fnal.gov>; Wed, 15 Nov 2000 11:54:31 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20155 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 11:54:31 -0600 Received: from b0rv11.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A23FD@listserv.fnal.gov>; Wed, 15 Nov 2000 11:54:31 -0600 Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id LAA08620; Wed, 15 Nov 2000 11:54:30 -0600 Date: Wed, 15 Nov 2000 11:54:30 -0600
From: Glenn Cooper Subject: Re: can't renew a ticket In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Yen-Chu Chen Cc: FNAL Kerberos-Pilot list Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 494

Hi,

If you want to use the -R option to renew a ticket, you have to explicitly request a "renewable" ticket with the -r option. For example:

--
kinit -r 7d
Password for gcooper@PILOT.FNAL.GOV:

klist
Ticket cache: /tmp/krb5cc_6045
Default principal: gcooper@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/15/00 11:52:46  11/16/00 13:52:46  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 11/22/00 11:52:41

kinit -R

klist
Ticket cache: /tmp/krb5cc_6045
Default principal: gcooper@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/15/00 11:53:10  11/16/00 13:53:10  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 11/22/00 11:52:41
--

Hope this helps,
Glenn

On Wed, 15 Nov 2000, Yen-Chu Chen wrote:
> Hi,
>
> I tried to renew a ticket which I created minutes before I issued the
> command. I got the following error.
>
> ========================================================================
>
> [chenyc@ipas01 ~/test]# klist
> Ticket cache: /tmp/krb5cc_1949
> Default principal: chenyc@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 11/15/00 11:06:24  11/16/00 13:06:24  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> 11/15/00 11:08:24  11/16/00 13:06:24  host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV
> [chenyc@ipas01 ~/test]# kinit -R
> kinit: KDC can't fulfill requested option renewing tgt
> [chenyc@ipas01 ~/test]#
>
> ========================================================================
>
> Is there a time limitation on when one can renew the ticket? Or is there
> something wrong with what I am doing?
>
> This is part of my test toward batch job submission.
> > Best regards, Yen-Chu Chen > chenyc@fnal.gov > Office: (630) 840-3225, FAX: (630) 840-3867 > (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica) > From kreymer@fnal.gov Wed Nov 15 14:19:19 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA23428 for ; Wed, 15 Nov 2000 14:19:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4300IPI1S5XO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 14:19:17 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A26E5@listserv.fnal.gov>; Wed, 15 Nov 2000 14:19:17 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 20964 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 14:19:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A26E3@listserv.fnal.gov>; Wed, 15 Nov 2000 14:19:17 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4300LGN1S4C9@smtp.fnal.gov>; Wed, 15 Nov 2000 14:19:16 -0600 (CST) Date: Wed, 15 Nov 2000 14:19:12 -0600 (CST) From: "Marc W. Mengel" Subject: Re: Problem installing kerberos In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov Cc: Ivan Vila Alvarez , kerberos-pilot@fnal.gov, cdfsys@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 495 On Wed, 15 Nov 2000, Glenn Cooper wrote: > > Hello , > > After following your steps, specified in your page "Quick start for > kerberos user", for installing kerberos, the > installation failed in the step upd install kerberos -G "c" when > retrieving the software from the UPS/UPD server. 
That's

    upd install kerberos -G "-c"
                             ^ note the dash

But now that you've done it the other way, we'll have to declare the pieces in question current by hand:

    ups declare -c kcommon v1_0 -f NULL
    ups declare -c kcroninit v0_6 -f NULL

Marc

From kreymer@fnal.gov Wed Nov 15 15:40:17 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA23471 for ; Wed, 15 Nov 2000 15:40:17 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G43001E15J4SC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 15:40:17 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A288D@listserv.fnal.gov>; Wed, 15 Nov 2000 15:40:17 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 21405 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 15:40:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A288B@listserv.fnal.gov>; Wed, 15 Nov 2000 15:40:17 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G43003575J4TQ@smtp.fnal.gov>; Wed, 15 Nov 2000 15:40:16 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA09055; Wed, 15 Nov 2000 15:40:15 -0600 Date: Wed, 15 Nov 2000 15:40:15 -0600 From: Glenn Cooper Subject: Re: Problem installing kerberos In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Marc W. Mengel" Cc: Ivan Vila Alvarez , kerberos-pilot@fnal.gov, cdfsys@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 496 Thanks, Marc. Actually I think the "c" was just a typo in the mail message.
It turned out that there were several problems, the first being that the system disk filled up in the middle of the install, and continuing on to installing into the wrong UPS database, etc. I think it's all straightened out now. Sorry to take up bandwidth for the whole list. On Wed, 15 Nov 2000, Marc W. Mengel wrote: > On Wed, 15 Nov 2000, Glenn Cooper wrote: > > > > > Hello , > > > > After following your steps, specified in your page "Quick start for > > kerberos user", for installing kerberos, the > > installation failed in the step upd install kerberos -G "c" when > > retrieving the software from the UPS/UPD server. > > That's > upd install kerberos -G "-c" > ^ note the dash > > But now that you've done it the other way, we'll have to declare > the pieces in question current by hand: > ups declare -c kcommon v1_0 -f NULL > ups declare -c kcroninit v0_6 -f NULL > > Marc > > From kreymer@fnal.gov Wed Nov 15 16:47:06 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA23515 for ; Wed, 15 Nov 2000 16:47:06 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G43001PV8LSVB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 15 Nov 2000 16:46:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A2A47@listserv.fnal.gov>; Wed, 15 Nov 2000 16:46:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 21890 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 15 Nov 2000 16:46:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A2A46@listserv.fnal.gov>; Wed, 15 Nov 2000 16:46:41 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G43002M38LSYB@smtp.fnal.gov>; Wed, 15 
Nov 2000 16:46:40 -0600 (CST) Date: Wed, 15 Nov 2000 16:46:39 -0600 (CST) From: Dane Skow Subject: Re: Subject: Kerberos access to D0 central systems - how and when. (fwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: ups@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by patnt2.fnal.gov id QAA23515 Status: RO X-Status: X-Keywords: X-UID: 497 This theme comes up repeatedly. Do we have (or can we readily provide) instructions on how to ftp down a UPS tarball, extract the relevant executables and translate the setup file ? I'm sure this is all in the UPS manual, but might be a useful HOWTO. Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 ---------- Forwarded message ---------- Date: Wed, 15 Nov 2000 17:38:28 -0500 From: Meenakshi Narain To: David J. Fagan Cc: Frank Filthaut , d0linux-users@fnal.gov, d0-nt_users@fnal.gov, d0rug@fnal.gov, John Womersley , Harry Weerts Subject: Re: Subject: Kerberos access to D0 central systems - how and when. And what if I want to install it on a UNIX machine where I do not want to carry the extra baggage provided by ups/upd. It is a pity, that just to login to d0mino from a machine from my institution that I have to convince my system managers to install ups/upd for me. Is there a way for getting kerberized-ssh which I can install without ups/upd on my unix host? Thanks, meenakshi "David J. Fagan" wrote: > On Wednesday, > Frank Filthaut: > > > Hi Wyatt, > > > > As an offsite user I can accept getting myself a Cryptocard - for the time > > being. However, I hope you don't think this is a reasonable long-term > > solution. Therefore, let me repeat my request to you from a couple of > > weeks ago: can you please make sure we get clear indications on how to > > reasonably setup/modify our system such that we have a "trusted" machine > > to connect to FNAL from? 
> > I'd be really grateful if we can avoid everyone
> > having to find this out for him/herself.
> >
> > Regards,
> > Frank
> >
>
> http://www.fnal.gov/docs/strongauth/
>
> Chapter 4.
>
> If you're going to, off site I would suspect, keep ssh access. You do
> not need host/ftp principals if you are going to use ssh for access
> to the machine.
>
> ups install-keep-ssh kerberos ...
>
> -------------------------------------------------------------------------------
> David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
> SGI-liaison | Liaison Requests use SGI-liaison@fnal
> Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
> -------------------------------------------------------------------------------

From kreymer@fnal.gov Wed Nov 15 17:19:40 2000 -0600
Date: Wed, 15 Nov 2000 17:19:37 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: Subject: Kerberos access to D0 central systems - how and when.
(fwd)
To: Dane Skow
Cc: kerberos-pilot@fnal.gov, ups@fnal.gov

On Wed, 15 Nov 2000, Dane Skow wrote:

> This theme comes up repeatedly. Do we have (or can we readily provide)
> instructions on how to ftp down a UPS tarball, extract the relevant
> executables and translate the setup file ? I'm sure this is all in
> the UPS manual, but might be a useful HOWTO.

No, we don't have such a discussion, 'cause it's much longer a process than it sounds (product dependencies, and all that).

Much easier is to install the "test" ups bootstrap configuration (which goes under /tmp), use that to install the software somewhere, and then remove the database from under /tmp.

Marc

From kreymer@fnal.gov Wed Nov 15 18:35:05 2000 -0600
Date: Wed, 15 Nov 2000 18:35:03 -0600 (CST)
From: Dane Skow
Subject: Re: Subject: Kerberos access to D0 central systems - how and when. (fwd)
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov, ups@fnal.gov

On Wed, 15 Nov 2000, Marc W. Mengel wrote:

> On Wed, 15 Nov 2000, Dane Skow wrote:
> > This theme comes up repeatedly. Do we have (or can we readily provide)
> > instructions on how to ftp down a UPS tarball, extract the relevant
> > executables and translate the setup file ? I'm sure this is all in
> > the UPS manual, but might be a useful HOWTO.
>
> No, we don't have such a discussion, 'cause its much longer a process
> than it sounds (product dependencies, and all that).
>
> Much easier is to install the "test" ups bootstrap configuration (which
> goes under /tmp) use that to install the software somewhere, and then
> remove the database from under /tmp.

Is that process described anywhere online ?
>
> Marc
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Wed Nov 15 22:40:36 2000 -0600
Date: Wed, 15 Nov 2000 22:40:34 -0600 (EST)
From: Yen-Chu Chen
Subject: problem in 'startx' after installation of kerberos
To: FNAL Kerberos-Pilot list

Hi,

It has been a few days that I can't do 'startx' on my notebook after I installed kerberos on it from kits. During the installation everything went OK, except that I don't have the password for ftp and host, so when I was prompted to enter the password, I typed return.

Right now after I entered 'startx', the response is "Authentication failed, ... perhaps you don't have console ownership."
If I tried to do 'xhost + localhost', it first prompts me with "Can't open display to "" ". So I tried to 'setenv DISPLAY localhost:0.0' but it started to show a lot of X11 errors. I could stop it only with '^c'. Tried to do it with root, same thing.

Does anyone know what to do?

Best regards,

Yen-Chu Chen
chenyc@fnal.gov
Office: (630) 840-3225, FAX: (630) 840-3867
(886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Thu Nov 16 06:18:27 2000 -0600
Date: Thu, 16 Nov 2000 12:18:23 +0000 (GMT)
From: "A. Stan Thompson"
Subject: X access problems
In-reply-to: <200005161711.MAA02152@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov
Cc: gcooper@fnal.gov
Reply-to: A.S.Thompson@physics.gla.ac.uk

Hello,

I am having problems getting x access when using kerberos to log onto fcdfsgi2.fnal.gov from a machine in Glasgow. The machine in Glasgow is running fermi flavour Linux RH6.2 and is setup with kerberos v5. The setup went without problems and I could log into fcdfsgi2 also without problem after I had obtained my kerberos principal.

However, I cannot get an x-window back. After looking at the message logs I modified the hosts.allow file and then the /etc/services file such that I see no more error messages in the log, but still no x-access and still getting:

    Error: Can't open display: lf6.ph.gla.ac.uk:0.0

I note that xhost shows the line

    INET:fcdfsgi2.fnal.gov

and the xhost man page indicates a krb option is available but I am told this hasn't been implemented yet. Also the ssh compliant kerberos won't be available for some months, this would be useful and might solve these x problems anyway.

Can anybody give some advice on this please.
thanks, Stan Thompson

From kreymer@fnal.gov Thu Nov 16 08:58:43 2000 -0600
Date: Thu, 16 Nov 2000 08:59:11 -0600 (CST)
From: "Robert G. Wagner (ANL) 630-252-6321"
Subject: Re: X access problems
To: A.S.Thompson@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, gcooper@fnal.gov
Reply-to: rgwcdf@anl.gov

Stan,

I had the same problem when I started using kerberos. Glenn Cooper helped me figure out how to make things work. You need to forward Xauthority to fcdfsgi2.
To do this, issue the following command prior to logging into fcdfsgi2 (I put this and the telnet(ssh) in a script to pop up an xterm window and log me in).

    /usr/kerberos/bin/rsh -n -x -l YOURUSERNAME fcdfsgi2.fnal.gov \
        xauth add `xauth list $DISPLAY`

Regards,

Bob Wagner

On Thu, 16 Nov 2000, A. Stan Thompson wrote:

> Hello,
> I am having problems getting x access when using kerberos to log
> onto fcdfsgi2.fnal.gov from a machine in Glasgow.
> The machine in Glasgow is running fermi flavour Linux RH6.2 and is setup
> with kerberos v5. The setup went without problems and I could log into
> fcdfsgi2 also without problem after I had obtained my kerberos
> principal.
> However, I cannot get an x-window back. After looking at the message logs
> I modified the hosts.allow file and then the /etc/services file such that
> I see no more error messages in the log, but still no x-access and still
> getting:
> Error: Can't open display: lf6.ph.gla.ac.uk:0.0
>
> I note that xhost shows the line
> INET:fcdfsgi2.fnal.gov
> and the xhost man page indicates a krb option is available but I am
> told this hasn't been implemented yet. Also the ssh compliant kerberos
> won't be available for some months, this would be useful and might solve
> these x problems anyway.
> Can anybody give some advice on this please.
>
> thanks, Stan Thompson
>

From kreymer@fnal.gov Thu Nov 16 09:24:37 2000 -0600
Date: Thu, 16 Nov 2000 09:24:29 -0600
From: Glenn Cooper
Subject: Re: X access problems
To: rgwcdf@anl.gov
Cc: A.S.Thompson@physics.gla.ac.uk, kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

Bob is very gracious to give me some credit, but the xauth part is entirely his work. This looks great, Bob; thanks!

Stan, please let me know whether this works for you.
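The xauth step from Bob Wagner's message above, written out as a shell function. This is an editor's added example, not code from any poster in this thread. It assumes the Kerberos rsh is at /usr/krb5/bin/rsh unless KRB_RSH says otherwise, and that xauth is on the remote login PATH. It adds the checks the one-liner lacks: `xauth list $DISPLAY` comes back empty when DISPLAY is unset (rsh does not carry it across, which is what Stan runs into in his follow-up) or when DISPLAY is written in a form xauth does not key on, and the remote `xauth add` then silently adds nothing.

```shell
#!/bin/sh
# Editor's added example: forward the local display's xauth cookie to a remote
# host before logging in there, as in Bob Wagner's one-liner, with checks.
# Assumptions: KRB_RSH is the Kerberos rsh (default /usr/krb5/bin/rsh, a path
# the thread does not confirm for every site), and xauth is in the remote PATH.

: "${KRB_RSH:=/usr/krb5/bin/rsh}"

# xauth_display_key DISPLAY
# Print the key xauth stores the cookie under: "host:N" without the ".screen"
# suffix, and "hostname/unix:N" when DISPLAY names no host (":0").
xauth_display_key() {
    disp=$1
    host=${disp%%:*}
    num=${disp#*:}
    num=${num%%.*}
    if [ -z "$host" ]; then
        printf '%s/unix:%s\n' "$(uname -n)" "$num"
    else
        printf '%s:%s\n' "$host" "$num"
    fi
}

# xauth_forward USER HOST [DISPLAY]
# Copy the cookie for DISPLAY (default $DISPLAY) into USER's ~/.Xauthority on
# HOST over an encrypted (-x) Kerberos rsh session.  Fails before contacting
# HOST when there is nothing to forward: an unset DISPLAY (rsh does not carry
# it across) or a display xauth holds no cookie for would otherwise make the
# remote "xauth add" a silent no-op.
xauth_forward() {
    user=$1
    host=$2
    disp=${3:-$DISPLAY}
    if [ -z "$disp" ]; then
        echo "xauth_forward: DISPLAY is not set; pass the display explicitly" >&2
        return 1
    fi
    key=$(xauth_display_key "$disp")
    entry=$(xauth list "$key" 2>/dev/null | head -n 1)
    if [ -z "$entry" ]; then
        echo "xauth_forward: xauth has no cookie for $key" >&2
        return 1
    fi
    # The cookie is a bearer credential for your X server: it only ever
    # travels inside the -x (encrypted) session.  $entry is left unquoted so
    # the remote shell sees the three words "display protocol hexkey".
    $KRB_RSH -n -x -l "$user" "$host" xauth add $entry
}

# Usage: xauth_forward YOURUSERNAME fcdfsgi2.fnal.gov && telnet fcdfsgi2.fnal.gov
```

Run it from the same shell that owns the X session (so DISPLAY and ~/.Xauthority are the real ones), then log in with the Kerberized telnet or rsh as before; the remote X client can now present the same cookie as the local one.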
We have had several other users with similar X-related problems; I will ask them to try this, too.

Glenn

On Thu, 16 Nov 2000, Robert G. Wagner (ANL) 630-252-6321 wrote:

> Stan,
>
> I had the same problem when I started using kerberos. Glenn
> Cooper helped me figure out how to make things work. You need to forward
> Xauthority to fcdfsgi2. To do this, issue the following command prior to
> logging into fcdfsgi2 (I put this and the telnet(ssh) in a script to pop
> up an xterm window and log me in).
>
> /usr/kerberos/bin/rsh -n -x -l YOURUSERNAME fcdfsgi2.fnal.gov \
> xauth add `xauth list $DISPLAY`
>
> Regards,
>
> Bob Wagner
>
>
> On Thu, 16 Nov 2000, A. Stan Thompson wrote:
>
> > Hello,
> > I am having problems getting x access when using kerberos to log
> > onto fcdfsgi2.fnal.gov from a machine in Glasgow.
> > The machine in Glasgow is running fermi flavour Linux RH6.2 and is setup
> > with kerberos v5. The setup went without problems and I could log into
> > fcdfsgi2 also without problem after I had obtained my kerberos
> > principal.
> > However, I cannot get an x-window back. After looking at the message logs
> > I modified the hosts.allow file and then the /etc/services file such that
> > I see no more error messages in the log, but still no x-access and still
> > getting:
> > Error: Can't open display: lf6.ph.gla.ac.uk:0.0
> >
> > I note that xhost shows the line
> > INET:fcdfsgi2.fnal.gov
> > and the xhost man page indicates a krb option is available but I am
> > told this hasn't been implemented yet. Also the ssh compliant kerberos
> > won't be available for some months, this would be useful and might solve
> > these x problems anyway.
> > Can anybody give some advice on this please.
> >
> > thanks, Stan Thompson
> >
>

From kreymer@fnal.gov Thu Nov 16 10:36:15 2000 -0600
Date: Thu, 16 Nov 2000 10:36:12 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: X access problems
To: A.S.Thompson@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, gcooper@fnal.gov

Just a brief note:

On Thu, 16 Nov 2000, A. Stan Thompson wrote:

> Also the ssh compliant kerberos
> won't be available for some months, this would be useful and might solve
> these x problems anyway.

The kerberos-aware (kerberized? kerberosified?)
ssh version is the current one available for distribution from fnkits, although unfortunately we don't have paperwork yet to be able to distribute it out of country. So it is available to U.S. sites, and will let you ssh in using your kerberos tickets, and give you the usual ssh 'tunnel' for X windows.

Marc Mengel

From kreymer@fnal.gov Thu Nov 16 10:55:49 2000 -0600
Date: Thu, 16 Nov 2000 16:54:01 +0000 (GMT)
From: "A. Stan Thompson"
Subject: Re: X access problems
To: rgwcdf@anl.gov
Cc: kerberos-pilot@fnal.gov, gcooper@fnal.gov
Reply-to: A.S.Thompson@physics.gla.ac.uk

Hello Bob,

thanks for the help, it didn't work but I feel I'm not using it quite right. I tried the command below and then telnet fcdfsgi2.fnal.gov and this didn't allow x-access. I did note that using rsh directly didn't set up the DISPLAY variable so in the command below I put it in explicitly. Also I don't have a prior installation of kerberos, so I am using /usr/kbr5/bin/rsh.

please let me know if you have any other ideas.

thanks, Stan

On Thu, 16 Nov 2000, Robert G. Wagner (ANL) 630-252-6321 wrote:

> Stan,
>
> I had the same problem when I started using kerberos. Glenn
> Cooper helped me figure out how to make things work. You need to forward
> Xauthority to fcdfsgi2. To do this, issue the following command prior to
> logging into fcdfsgi2 (I put this and the telnet(ssh) in a script to pop
> up an xterm window and log me in).
>
> /usr/kerberos/bin/rsh -n -x -l YOURUSERNAME fcdfsgi2.fnal.gov \
> xauth add `xauth list $DISPLAY`
>
> Regards,
>
> Bob Wagner
>
>
> On Thu, 16 Nov 2000, A. Stan Thompson wrote:
>
> > Hello,
> > I am having problems getting x access when using kerberos to log
> > onto fcdfsgi2.fnal.gov from a machine in Glasgow.
> > The machine in Glasgow is running fermi flavour Linux RH6.2 and is setup
> > with kerberos v5. The setup went without problems and I could log into
> > fcdfsgi2 also without problem after I had obtained my kerberos
> > principal.
> > However, I cannot get an x-window back.
> > After looking at the message logs
> > I modified the hosts.allow file and then the /etc/services file such that
> > I see no more error messages in the log, but still no x-access and still
> > getting:
> > Error: Can't open display: lf6.ph.gla.ac.uk:0.0
> >
> > I note that xhost shows the line
> > INET:fcdfsgi2.fnal.gov
> > and the xhost man page indicates a krb option is available but I am
> > told this hasn't been implemented yet. Also the ssh compliant kerberos
> > won't be available for some months, this would be useful and might solve
> > these x problems anyway.
> > Can anybody give some advice on this please.
> >
> > thanks, Stan Thompson
> >
>

From kreymer@fnal.gov Thu Nov 16 14:21:46 2000 -0600
Date: Thu, 16 Nov 2000 14:21:37 -0600
From: Matt Crawford
Subject: Re: can't renew a ticket
In-reply-to: "15 Nov 2000 11:42:17 CST."
To: Yen-Chu Chen
Cc: FNAL Kerberos-Pilot list
Message-id: <200011162021.OAA23369@gungnir.fnal.gov>

> I tried to renew a ticket which I created minutes before I issued the
> command. I got the following error.
> [...]
> [chenyc@ipas01 ~/test]# kinit -R
> kinit: KDC can't fulfill requested option renewing tgt

For the ticket to be renewable, you have to request that. For example, "kinit -r 60h" will give you a ticket renewable for 60 hours.

From kreymer@fnal.gov Thu Nov 16 14:23:13 2000 -0600
Date: Thu, 16 Nov 2000 14:23:10 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: Subject: Kerberos access to D0 central systems - how and when.
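To see in advance whether `kinit -R` can succeed, as Matt Crawford's reply above explains, check the credential cache for the "renew until" line that only a renewable TGT carries. This is an editor's added example, not code from the thread: it parses MIT klist output in the layout of the constructed SAMPLE_* strings below (the layout is assumed, the tickets are made up), and the live check shells out to klist and kinit exactly as Matt describes.

```shell
#!/bin/sh
# Editor's added example: tell whether the cached TGT can be renewed before
# running "kinit -R", which fails with "KDC can't fulfill requested option"
# on a ticket that was not requested renewable.  Assumes MIT klist output in
# the layout of the constructed samples below; the samples are invented.

# tgt_renewable_in: read klist output on stdin.  Prints the "renew until"
# time of the krbtgt entry and returns 0; returns 1 when the TGT carries no
# renew-until line, i.e. it is not renewable.
tgt_renewable_in() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && /^[ \t]*renew until/ {
            sub(/^[ \t]*renew until[ \t]*/, "")
            print
            found = 1
            exit
        }
        { in_tgt = 0 }
        END { exit (found ? 0 : 1) }
    '
}

# tgt_renewable: the same check against the live credential cache.
tgt_renewable() {
    klist 2>/dev/null | tgt_renewable_in
}

# renew_or_explain [LIFETIME]: renew when possible; otherwise say what to do
# instead of leaving the user with the bare KDC error.  The KDC caps the
# renewable window at its own maximum, so look at what you were actually
# given (the "renew until" time) rather than at what you asked for.
renew_or_explain() {
    if renew_till=$(tgt_renewable); then
        echo "TGT renewable until $renew_till; renewing" >&2
        kinit -R
    else
        echo "TGT is not renewable; get one with: kinit -r ${1:-60h}" >&2
        return 1
    fi
}

# Constructed samples of klist output (not real tickets).
SAMPLE_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someone@FNAL.GOV

Valid starting     Expires            Service principal
11/16/00 11:40:12  11/17/00 13:40:12  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 11/19/00 11:40:12
11/16/00 11:41:02  11/17/00 13:40:12  host/d0mino.fnal.gov@FNAL.GOV'

SAMPLE_NOT_RENEWABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: someone@FNAL.GOV

Valid starting     Expires            Service principal
11/16/00 11:40:12  11/17/00 13:40:12  krbtgt/FNAL.GOV@FNAL.GOV
11/16/00 11:41:02  11/17/00 13:40:12  host/d0mino.fnal.gov@FNAL.GOV'

# Usage on a live cache:  renew_or_explain 60h
```

The parser only trusts a "renew until" line that immediately follows the krbtgt entry, so a renewable service ticket further down the list does not make a non-renewable TGT look renewable.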
(fwd)
To: Dane Skow
Cc: kerberos-pilot@fnal.gov, ups@fnal.gov, aheavey@fnal.gov

On Wed, 15 Nov 2000, Dane Skow wrote:

> >
> > Much easier is to install the "test" ups bootstrap configuration (which
> > goes under /tmp) use that to install the software somewhere, and then
> > remove the database from under /tmp.
>
> Is that process described anywhere online ?

Not all in one place... I'm copying Anne Heavey on this so she can put it with things-to-add-to-the-ups-manuals. (I can put this up on the web, too if folks would like.)

I shall give a detailed example here, and it is relatively straightforward, it just needs some scratch disk temporarily (maybe 50M). The procedure would be the following.

You would download the "stage1.sh" script and "test" config file from the ftp://ftp.fnal.gov/products/bootstrap/v2_0/index.html page, and then do:

    sh stage1.sh test

This takes between 3-10 minutes (depending on your network speed) and gives you a ups/upd/perl installation under /tmp/ups. If you don't have enough room in /tmp (this takes about 50MB), you can edit the "test" config file and change all occurrences of "/tmp" to somewhere else, and use that instead of /tmp in the following.

Then you would use that /tmp/ups/ products area to do some installs;

    . /tmp/ups/etc/setups.sh     # or 'source /tmp/ups/etc/setups.csh'
    setup upd
    upd install -G -c kerberos
    # the following as 'root'
    ups install-weak kerberos    # or install-keep-ssh or whatever

If you are on-site and can therefore get at our ssh binaries, you can also then

    upd install -G -c ssh
    ups InstallAsRoot ssh

to get the kerberos-aware ssh in /usr/krb5 as well.

You can then blow away /tmp/ups entirely if you want, the kerberos (and optionally ssh) binaries have all been put into /usr/krb5.
If you want to keep the whole kerberos, ssh, whatever product somewhere but lose the rest of the ups/upd stuff, you can do: upd install -G -c kerberos -r /some/other/place/ssh upd install -G -c ssh -r /some/other/place/kerberos and upd will put the files /some/other/place, and when you blow away the /tmp/ups stuff you'll still have a copy. Marc From kreymer@fnal.gov Thu Nov 16 15:42:03 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17514 for ; Thu, 16 Nov 2000 15:42:03 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4500F4I0A1YO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 16 Nov 2000 15:42:02 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A38CC@listserv.fnal.gov>; Thu, 16 Nov 2000 15:42:02 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25950 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 16 Nov 2000 15:42:02 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A38C9@listserv.fnal.gov>; Thu, 16 Nov 2000 15:42:02 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4500G220A07N@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 16 Nov 2000 15:42:01 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 16 Nov 2000 15:42:00 -0600 Content-return: allowed Date: Thu, 16 Nov 2000 15:41:59 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15085 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76109DC4@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 509

15085 has been updated by trb.

Short Description : problem with WRQ kerberos access: Encryption type not supported (KRB023)

New Work Log Entry :
From: "Tim Doody"
To: "ARSystem"
Cc: "Mark O. Kaletka"
Subject: Re: DOODY, TIM AR ticket 15085 Has Been Updated.
Date: Thursday, November 16, 2000 3:20 PM

i have inquired about WRQ help. heidi and all future help requests about
WRQ should be routed to kerberos-pilot@fnal.gov. this is a mail list to
assist the fermilab users of the WRQ product. the user should also be told
that it is recommended that the user subscribe to the list as well, as they
might benefit from ongoing discussions of the product.

tim

------------< Re-assigned AR ticket.

From kreymer@fnal.gov Thu Nov 16 15:42:05 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17518 for ; Thu, 16 Nov 2000 15:42:04 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4500F4I0A1YO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 16 Nov 2000 15:42:04 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A38CD@listserv.fnal.gov>; Thu, 16 Nov 2000 15:42:02 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 25952 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 16 Nov 2000 15:42:02 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000A38CA@listserv.fnal.gov>; Thu, 16 Nov 2000 15:42:02 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4500F4Q0A0WF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 16 Nov 2000 15:42:01 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 16 Nov 2000 15:42:00 -0600
Content-return: allowed
Date: Thu, 16 Nov 2000 15:41:58 -0600
From: ARSystem
Subject: 000000000015085 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76109DC3@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain; charset=iso-8859-1
Status: RO
X-Status:
X-Keywords:
X-UID: 510

CRAWFORD, MATT, Help Desk Ticket #000000000015085 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Other type of problem.

Short description: problem with WRQ kerberos access: Encryption type not supported (KRB023)

Badge # (+) : 03622V
First Name : HEIDI
Last Name (+) : SCHELLMAN
Phone : 3266
E-Mail Address : SCHELLMAN@FNAL.GOV
Incident Time : 11/9/00 2:36:01 PM
System Name :
Urgency : Medium

Public Work Log :

11/9/00 3:22:59 PM trb
Greg, can you assist Heidi ?

11/9/00 4:02:46 PM trb
From: "Greg Cisko"
To: "ARSystem" ;
Cc: ; "David J Fagan" ;
Subject: Re: 000000000015085 Assigned to CISKO, GREG.
Date: Thursday, November 09, 2000 3:38 PM

I believe this is a laboratory supported product and as such there should
be someone in the CD that can provide expertise. I do not have any
expertise (other than installing the product on my workstation) with this
product.

Thanks, Greg

The following was e-mailed to the Requester:
Heidi,

What Operating System are you running on your PC ?

11/9/00 4:05:05 PM trb
From: "Heidi Schellman"
To: "Greg Cisko"
Cc: "ARSystem" ; ; ; "David J Fagan" ;
Subject: Re: 000000000015085 Assigned to CISKO, GREG.
Date: Thursday, November 09, 2000 3:47 PM

This should go to PC support or security group.
Heidi

-----------------< Re-assigned AR ticket as directed. Tim, can your group help ?

11/9/00 4:07:05 PM trb
From: "Heidi Schellman"
To: "Greg Cisko" ; "ARSystem" ; ; ; "David J Fagan" ;
Subject: Re: 000000000015085 Assigned to CISKO, GREG.
Date: Thursday, November 09, 2000 3:56 PM

WRQ x access working again for me - I did nothing in between to kerberos
or WRQ setup. This is bad - there is some flakiness in the system.

11/10/00 7:18:40 AM trb
From: "Heidi Schellman"
To: "ARSystem"
Subject: Re: Additional info for 000000000015085
Date: Thursday, November 09, 2000 5:04 PM

I'm running Win98 - and I was testing it from a remote site to see that
WRQ worked for remote access. IP 24.178.21.178:0

Heidi

11/10/00 8:29:07 AM trb
From: "Alan M Jonckheere"
To: "ARSystem"
Cc:
Subject: Re: Note to requester has been sent - 000000000015085
Date: Thursday, November 09, 2000 8:26 PM

WRQ runs only on NT.

ARSystem wrote:
>
> The following note has been sent to the requester: SCHELLMAN, HEIDI
>
> Short Description : problem with WRQ kerberos access: Encryption type
> not supported (KRB023)
> Notes to Requester : Heidi,
>
> What Operating System are you running on your PC ?

11/10/00 9:44:41 AM trb
From: "Greg Cisko"
To: "ARSystem"
Cc:
Subject: Re: Note to requester has been sent - 000000000015085
Date: Friday, November 10, 2000 9:10 AM

She is using NT as her OS, but that isn't the issue at all. She is using
WRQ Reflections which is a laboratory supported product and presumably
will have appropriate support.

11/13/00 2:27:06 PM trb
From: "Tim Doody"
To: "ARSystem"
Subject: Re: DOODY, TIM AR ticket 15085 Has Been Updated.
Date: Monday, November 13, 2000 9:42 AM

if it is working for her then i suppose we should consider this closed.

tim

-------------< Tim, Heidi states: "WRQ x access working again for me - I did
nothing in between to kerberos or WRQ setup. This is bad - there is some
flakiness in the system." Can we ensure WRQ access is working as expected ?
11/13/00 4:23:47 PM richt
From: "Tim Doody"
To: "ARSystem"
Subject: Re: DOODY, TIM, Reminder for 15085
Date: Monday, November 13, 2000 1:57 PM

i believe we saw a message from heidi that this was working again. we
consider this closed/resolved.

tim

The following was e-mailed to the Requester:
Hi Heidi,

We have received notification that your problem has been resolved. May we
close this ticket?

Thanks,
Rich Thompson

11/15/00 9:18:15 AM blomberg
From: "Heidi Schellman"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15085 is actively being worked on..
Date: Monday, November 13, 2000 8:15 PM

More info - I found the log feature in WRQ; it shows:

Error 11/13/00 20:11:23.280 Telnet in RTELReadBlock. return code = 65.
Error 11/13/00 20:11:21.580 KRB5 Encryption type is not supported (KRB023)
Error 11/13/00 20:10:41.710 Telnet in RTELReadBlock. return code = 65.
Error 11/13/00 20:10:31.600 KRB5 Encryption type is not supported (KRB023)
Error 11/13/00 20:10:18.750 Telnet in RTELReadBlock. return code = 65.
Error 11/13/00 20:10:15.670 KRB5 Failure to read password (KRB072)
Error 11/13/00 20:09:57.270 Telnet in RTELReadBlock. return code = 65.
Error 11/13/00 20:09:41.620 KRB5 Encryption type is not supported (KRB023)

As before, plain telnet works fine, the x application fails. Strange but
not unexpected in costly commercial software. I'm used to fermi products
which actually work most of the time.

Heidi

11/15/00 9:19:07 AM blomberg
From: "Heidi Schellman"
To: "ARSystem"
Subject: Re: Additional info for 000000000015085
Date: Monday, November 13, 2000 9:03 PM

I can't tell which one that is and I don't think I have an account on
cdserver1 so it won't let me in.

11/15/00 10:04:03 AM trb
From: "Heidi Schellman"
To: "Help Desk"
Subject: Re: Help Desk Ticket 15085 is actively being worked on..
Date: Wednesday, November 15, 2000 9:33 AM

Thanks, I think the problem with the ticket was that a db was down
yesterday so the normal tracking access was not available.
The problem with WRQ has surfaced again and gone away again - I think this
really is something flaky either in the software itself or in the kerberos
implementation. WRQ has a log feature which shows details - next time I
have problems I will have full logging turned on and will be able to give
a more detailed dump. Maybe we should wait until I catch this thing in the
act again.

Heidi

11/16/00 2:47:12 PM trb
From: "Heidi Schellman"
To: "ARSystem"
Subject: Re: Additional info for 000000000015085
Date: Thursday, November 16, 2000 2:07 PM

I managed to get a debug log of the failure. In this case, I show the
session I had this morning at home followed by an attempt at x login from
dhcp at fermilab - X fails, telnet works. Same error as before. You can
find the failures by Error in first line.

Heidi
KRB5 TGS_REQ CheckSum Type: 7 Debug 11/16/00 13:59:59.960 KRB5 TGS_REQ Enc Type: 1 Debug 11/16/00 13:59:59.960 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 13:59:59.960 RSCrypto CDesCBC: Constructed Debug 11/16/00 13:59:59.960 RSCrypto CDes: Constructed Debug 11/16/00 13:59:59.960 RSCrypto CCRC32: Constructed Debug 11/16/00 13:59:59.960 RSCrypto CDes: Constructed Debug 11/16/00 13:59:59.960 RSCrypto CDes: Destroyed Debug 11/16/00 13:59:59.960 RSCrypto CDes: Destroyed Debug 11/16/00 13:59:59.960 RSCrypto CDesCBC: Destroyed Debug 11/16/00 13:59:59.960 RSCrypto CCRC32: Destructed Debug 11/16/00 13:59:59.960 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 13:59:59.960 KRB5 Packet sent to KDC: host 131.225.110.7, port 88, protocol UDP Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.010 KRB5 TGS_REP : Ticket Flags 0x00200000 Debug 11/16/00 14:00:00.010 KRB5 TGS_REP : Client principal schellma@PILOT.FNAL.GOV, Service Principal host/d0mino.fnal.gov@PILOT.FNAL.GOV Debug 11/16/00 14:00:00.010 KRB5 TGS_REP (GMT): from Time 19691231180000Z, until time 20001117025959Z, renew time 19691231180000Z Debug 
11/16/00 14:00:00.010 KRB5 Credential Stored Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CbcCrc: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CbcCrc: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CbcCrc: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDes40CbcCrc: Destroyed Debug 11/16/00 14:00:00.010 KRB5 AP_REQ: KDC Options 0x20000001 Debug 11/16/00 14:00:00.010 KRB5 AP_REQ CheckSum Type: 7 Debug 11/16/00 14:00:00.010 RSCrypto CMD5: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CMD5: Destructed Debug 11/16/00 14:00:00.010 KRB5 AP_REQ Enc Type: 1 Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: 
Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.010 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.010 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.120 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CDesCbcCrc: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDesCBC: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDes: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CCRC32: Constructed Debug 11/16/00 14:00:00.120 RSCrypto CDes: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CDesCBC: Destroyed Debug 11/16/00 14:00:00.120 RSCrypto CCRC32: Destructed Debug 11/16/00 14:00:00.120 RSCrypto CDesCbcCrc: Destroyed Debug 11/16/00 14:00:00.120 KRB5 Verify AP_REP returns: 0 Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:Encr, StIn:No , CmdIn:Will , Target:Him, StOut:Yes , CmdOut:Do . 
Debug 11/16/00 14:00:00.180 RSCrypto CDes40Cfb: Constructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40Cfb: Destroyed Debug 11/16/00 14:00:00.180 RSCrypto CDes40Ofb: Constructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40: Constructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40: Destructed Debug 11/16/00 14:00:00.180 RSCrypto CDes40Ofb: Destroyed Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:Encr, StIn:Yes , CmdIn:Do , Target:Us , StOut:Yes , CmdOut:None . Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:Term, StIn:No , CmdIn:Do , Target:Us , StOut:Yes , CmdOut:Will . Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:Sped, StIn:Disabled, CmdIn:Do , Target:Us , StOut:Disabled, CmdOut:Won't . Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:XDsp, StIn:Disabled, CmdIn:Do , Target:Us , StOut:Disabled, CmdOut:Won't . Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:NEnv, StIn:No , CmdIn:Do , Target:Us , StOut:Yes , CmdOut:Will . Info 11/16/00 14:00:00.180 Telnet Telnet Option Negotiation: Src:Remote, Option:OEnv, StIn:Disabled, CmdIn:Do , Target:Us , StOut:Disabled, CmdOut:Won't . 
11/16/00 3:38:02 PM trb
From: "Tim Doody"
To: "ARSystem"
Cc: "Mark O. Kaletka"
Subject: Re: DOODY, TIM AR ticket 15085 Has Been Updated.
Date: Thursday, November 16, 2000 3:20 PM

i have inquired about WRQ help.
heidi and all future help requests about WRQ should be routed to kerberos-pilot@fnal.gov. this is a mail list to assist the fermilab users of the WRQ product. the user should also be told that it is recommended that the user subscribe to the list as well as they might benefit from ongoing discussions of the product.

tim

------------< Re-assigned AR ticket.

Problem Description:

I set up WRQ on my PC and was able to start x connections. I then tried the FTP access and crashed my PC as reported by Harry Melanson yesterday. Now I cannot start x connections and get the following error:

    Encryption type not supported(KRB023)

I can still access the same machine via WRQ's telnet facility so it is not a problem with the ticket. I'm trying to write this up for the D0 collaboration as an endorsement with FAQ's so any help I can get in finding the solution to this problem would be useful.

Heidi Schellman

From kreymer@fnal.gov Thu Nov 16 22:15:35 2000 -0600
Date: Thu, 16 Nov 2000 22:15:30 -0600
From: Benn Tannenbaum
Subject: kerberizing macs: easy!
To: kerberos-pilot@fnal.gov

Hi Folks,

For anyone interested, I seem to have successfully Kerberized my Mac (Powerbook G3 Wallstreet). It's quite simple-- I'm happy to help anyone else who wants to do it.

Basically, go to the Kerberos for Mac page, download the software, follow the installation instructions. I then edited the Kerberos Preferences file by removing what was in there and pasting the /etc/krb5.conf from what was on fcdfsgi2.fnal.gov. Using ResEdit I then added PILOT.FNAL.GOV to the proper resource (following what was on the web page), although I'm not sure if that was necessary. Then copied the kerberos telnet plugin (available in the same web page), put that in the Better Telnet folder (the only telnet tool that works with Kerberos on the Mac), restarted, and voila! I could enter my kerberos password and telnet to fcdfsgi2.

I still need to try this from offsite, but it works with on-site DHCP fine.
-Benn

From kreymer@fnal.gov Fri Nov 17 08:59:44 2000 -0600
Date: Fri, 17 Nov 2000 08:59:32 -0600
From: Matt Crawford
Subject: Re: problem in 'startx' after installation of kerberos
In-reply-to: "15 Nov 2000 22:40:34 CST."
To: Yen-Chu Chen
Cc: FNAL Kerberos-Pilot list
Message-id: <200011171459.IAA27676@gungnir.fnal.gov>

Well, the CD does not support notebooks, or so I'm told, but I'll try to think about your problem if you supply some missing information.

1. What OS are you running on it?
2. What command did you use to install Kerberos?
3. Which optional steps did you perform afterward?
4. Maybe you could also show the result of "sh -x /usr/bin/X11/startx" (or whatever the path is).
From kreymer@fnal.gov Fri Nov 17 09:09:45 2000 -0600
Date: Fri, 17 Nov 2000 09:08:07 -0600
From: Matt Crawford
Subject: Re: X access problems
In-reply-to: "16 Nov 2000 12:18:23 GMT."
To: A.S.Thompson@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, gcooper@fnal.gov
Message-id: <200011171508.JAA27892@gungnir.fnal.gov>

Since I can reach lf6.ph.gla.ac.uk by ping, telnet and ssh, but I cannot connect to the X-server on port 6000, I'm guessing some sort of a firewall or packet filter is blocking inbound port 6000 on your end. Can you check?
By the way, I'm told in one ear that the Kerberos SSH product is ready, and in the other ear that there are problems with it. I gave it a short tryout and it worked for me.

From kreymer@fnal.gov Fri Nov 17 10:15:12 2000 -0600
Date: Fri, 17 Nov 2000 16:15:09 +0000 (GMT)
From: "A. Stan Thompson"
Subject: Re: X access problems
In-reply-to: <200011171508.JAA27892@gungnir.fnal.gov>
To: Matt Crawford
Cc: A.S.Thompson@physics.gla.ac.uk, kerberos-pilot@fnal.gov, gcooper@fnal.gov
Reply-to: A.S.Thompson@physics.gla.ac.uk

Hello Matt,

yes that's it, the network guys in Glasgow have given us an exception for fcdfsgi2 and I get a window back now. ssh would have avoided these problems and it would be good if the situation with kerberised ssh could be clarified, also given the mail from Marc saying that the paperwork for sites outwith the US wasn't ready yet.

thanks for your help

Stan

On Fri, 17 Nov 2000, Matt Crawford wrote:

> Since I can reach lf6.ph.gla.ac.uk by ping telnet and ssh, but I
> cannot connect to the X-server on port 6000, I'm guessing some sort
> of a firewall or packet filter is blocking inbound port 6000 on your
> end. Can you check?
>
> By the way, I'm told in one ear that the Kerberos SSH product is
> ready, and in the other ear that there are problems with it. I gave
> it a short tryout and it worked for me.
From kreymer@fnal.gov Fri Nov 17 11:19:22 2000 -0600
Date: Fri, 17 Nov 2000 11:19:10 -0600
From: Matt Crawford
Subject: Re: kerberizing macs: easy!
In-reply-to: "16 Nov 2000 22:15:30 CST."
To: Benn Tannenbaum
Cc: kerberos-pilot@fnal.gov
Message-id: <200011171719.LAA29174@gungnir.fnal.gov>

Great work, Benn! Do you know whether you get the choice of encrypting the resulting telnet session?

And...

> I still need to try this from offsite, but it works with on-site DHCP fine.
One thing you will almost certainly discover eventually is that if your DHCP-assigned address changes, any tickets you acquired before the change won't work after the change. You will probably have to do the password step over again.

From kreymer@fnal.gov Fri Nov 17 11:28:37 2000 -0600
Date: Fri, 17 Nov 2000 11:28:29 -0600
From: Benn Tannenbaum
Subject: Re: kerberizing macs: easy!
In-reply-to: <200011171719.LAA29174@gungnir.fnal.gov>
To: kerberos-pilot@fnal.gov

on 17/11/00 11:19 AM, Matt Crawford spake thusly:

> Great work, Benn! Do you know whether you get the choice of
> encrypting the resulting telnet session?
>
> And...
>
>> I still need to try this from offsite, but it works with on-site DHCP fine.
>
> One thing you will almost certainly discover eventually is that if
> your DHCP-assigned address changes, any tickets you acquired before
> the change won't work after the change. You will probably have to do
> the password step over again.

Hi Matt,

One does have the choice of encrypting the telnet session. I've tried it only with the session encrypted and that seems to work fine.

So far, as long as I stay connected (about 14 hours so far) I seem to be okay. I'm a little puzzled, since I see this:

76 ~/work % klist
Ticket cache: /tmp/krb5cc_p4577687
Default principal: tannenba@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
11/16/00 22:09:33  11/17/00 07:57:26  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
77 ~/work % date
Fri Nov 17 11:27:04 CST 2000

and I can still work on fcdfsgi2....

Also, at present the maximum live time for a ticket is 10 hours. I'll try to see if I can up that so it's closer to the FNAL standard of 24 (?) hours.
-Benn

From kreymer@fnal.gov Fri Nov 17 12:50:25 2000 -0600
Date: Fri, 17 Nov 2000 12:50:09 -0600
From: Matt Crawford
Subject: Re: kerberizing macs: easy!
In-reply-to: "17 Nov 2000 11:28:29 CST."
To: Benn Tannenbaum
Cc: kerberos-pilot@fnal.gov
Message-id: <200011171850.MAA00241@gungnir.fnal.gov>

> One does have the choice of encrypting the telnet session. I've tried it
> only with the session encrypted and that seems to work fine.

Good, good.
> Valid starting     Expires            Service principal
> 11/16/00 22:09:33  11/17/00 07:57:26  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> 77 ~/work % date
> Fri Nov 17 11:27:04 CST 2000
>
> and I can still work on fcdfsgi2....

That's right, a connection is not terminated when the ticket that authenticated it expires. You just can't start any new sessions with an expired ticket.

> Also, at present the maximum live time for a ticket is 10 hours. I'll try to
> see if I can up that so it's closer to the FNAL standard of 24 (?) hours.

What you get is the minimum of four things:

1. an overall limit for the realm
2. a limit for the user
3. a limit for the service (eg, krbtgt/REALM or host/hostname)
4. the lifetime you request.

You say you copied krb5.conf from d0mino, which has the 26 hour lifetime value. Maybe it needs to be fed into some Mac resource somewhere.

From kreymer@fnal.gov Fri Nov 17 13:14:35 2000 -0600
Date: Fri, 17 Nov 2000 13:14:34 -0600
From: Gerald Guglielmo
Subject: cannot get kcron to work on system
To: kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3A15839A.284C4CAC@fnal.gov>
Organization: FNAL CD/ODS

Hi,

I have been trying to get kcron to work on my linux system and have been unsuccessful so far. I used KSu to become root and then tried the kcroninit command which appeared to succeed (below is the output from the second attempt):

[root@fndapg gug]# setup kcroninit
[root@fndapg gug]# kcroninit
*************************************************************************
*                                                                       *
*  NOTE: You will be required to enter your kerberos password.          *
*                                                                       *
*  YOU MUST BE ON A SECURE CHANNEL (e.g., you must be running           *
*  this script on your local machine, or you must be connected          *
*  via an encrypted session).                                           *
*                                                                       *
*  IF YOU ARE NOT ON A SECURE CHANNEL, DO NOT CONTINUE!                 *
*                                                                       *
*************************************************************************
Are you on a secure channel? (default = y): y
What is your kerberos principal (default = gug@PILOT.FNAL.GOV):
Enter the password for gug@PILOT.FNAL.GOV:
Now adding principal gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
Transfer complete.
Then under my account I set up a cron job for testing writing to afs space:

* * * * * /usr/krb5/bin/kcron touch /afs/fnal.gov/files/home/room1/gug/aaa

Which generates the following email message log:
------------------------------------------------
kinit: Permission denied while getting initial credentials
touch: /afs/fnal.gov/files/home/room1/gug/aaa: Permission denied
kdestroy: No credentials cache file found while destroying cache
Ticket cache NOT destroyed!

I also notice that if I just invoke kcron from the command line I get the same complaint from kinit, but the touch works since it must be getting the ticket from my shell.
---------------------------------
fndapg}(g023) /usr/krb5/bin/kcron touch a.a
kinit: Permission denied while getting initial credentials
kdestroy: No credentials cache file found while destroying cache
Ticket cache NOT destroyed!

I normally get an initial ticket with kinit -r 7d and have another cron job do kinit -R. I did try kinit -r 7d -f but that didn't help.

Any ideas why the kinit step is failing in kcron?

--
-Jerry-> gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
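The kcron keytab kinit fails against is an MIT-format keytab, so the first thing to verify is what it actually contains; the script below is an added example (not kcron's or the list's own code) that parses that format and checks for the user/cron/host principal kcron will kinit as. It assumes the keytab bytes are constructed in memory with a dummy key and timestamp rather than read from disk, and that enctype 1 is des-cbc-crc.

```python
import struct
from dataclasses import dataclass

KEYTAB_MAGIC = b"\x05\x02"   # MIT keytab file-format version 2
NT_PRINCIPAL = 1             # name type for ordinary principals


@dataclass
class KeytabEntry:
    principal: str           # e.g. user/cron/host@REALM
    kvno: int
    enctype: int
    timestamp: int
    key_len: int


def _counted(buf: bytes, off: int):
    """Read a uint16-length-prefixed octet string starting at buf[off]."""
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def _put_counted(b: bytes) -> bytes:
    return struct.pack(">H", len(b)) + b


def build_keytab(entries) -> bytes:
    """Serialize (principal, kvno, enctype, key, timestamp) tuples as a keytab."""
    out = bytearray(KEYTAB_MAGIC)
    for principal, kvno, enctype, key, ts in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _put_counted(realm.encode())
        body += b"".join(_put_counted(c.encode()) for c in comps)
        body += struct.pack(">IIB", NT_PRINCIPAL, ts, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _put_counted(key)
        body += struct.pack(">I", kvno)          # optional 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data: bytes):
    """Walk the entry list; a negative length marks a deleted slot to skip."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 MIT keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (length,) = struct.unpack_from(">i", data, off)
        off += 4
        if length < 0:                           # hole left by a removed entry
            off += -length
            continue
        end = off + length
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:                       # a non-zero 32-bit kvno wins
            (kvno32,) = struct.unpack_from(">I", data, off)
            if kvno32:
                kvno = kvno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   kvno, enctype, ts, len(key)))
    return entries


def check_cron_keytab(data: bytes, user: str, host: str, realm: str) -> dict:
    """Report whether the user/cron/host principal kcron kinits as is present."""
    expected = f"{user}/cron/{host}@{realm}"
    found = [e for e in parse_keytab(data) if e.principal == expected]
    return {"expected": expected, "present": bool(found),
            "kvnos": sorted({e.kvno for e in found}),
            "enctypes": sorted({e.enctype for e in found})}


# Constructed samples (not real key material): a keytab written for the
# right host and one written for some other host.
DUMMY_KEY = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
STAMP = 974419200                                # 2000-11-17 00:00:00 UTC
GOOD_KEYTAB = build_keytab(
    [("gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV", 3, 1, DUMMY_KEY, STAMP)])
WRONG_HOST_KEYTAB = build_keytab(
    [("gug/cron/otherhost.fnal.gov@PILOT.FNAL.GOV", 3, 1, DUMMY_KEY, STAMP)])

if __name__ == "__main__":
    for label, kt in (("right host", GOOD_KEYTAB), ("wrong host", WRONG_HOST_KEYTAB)):
        print(label, check_cron_keytab(kt, "gug", "fndapg.fnal.gov", "PILOT.FNAL.GOV"))
```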
From kreymer@fnal.gov Fri Nov 17 13:15:32 2000 -0600
Date: Fri, 17 Nov 2000 13:15:30 -0600 (EST)
From: Yen-Chu Chen
Subject: Re: problem in 'startx' after installation of kerberos
In-reply-to: <200011171459.IAA27676@gungnir.fnal.gov>
To: Matt Crawford
Cc: FNAL Kerberos-Pilot list

Dear Matt,

Thanks for spending your time on this while CD doesn't support notebook! 8-)

Somehow the problem went away after I upgraded the OS from RH 6.0 to FNAL RH
6.1.1. Just in case you are still interested in what happened, here are the
answers to the questions that you asked.

> > 1. What OS are you running on it?

It was Red Hat Linux 6.0. Yesterday I upgraded it to FNAL RH 6.1.1 using CD.

> 2. What command did you use to install Kerberos?

upd install kerberos -G "-c"

It took a long time to get it since I was using 24 kb/s link.

> 3. Which optional steps did you perform afterward?

There were instructions to install/activate the kerberos after the package was
pulled over. I did simply copy and paste to get it done. There was no error
message except that I didn't have password for ftp and host. So the program
complained about them and claimed that the procedure was incomplete.

> 4. Maybe you could also show the result of "sh -x /usr/bin/X11/startx"
> (or whatever the path is).

Since the problem went away, I thought that this is not a useful test anymore.

Best regards,
Yen-Chu Chen
chenyc@fnal.gov
Office: (630) 840-3225, FAX: (630) 840-3867
(886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Fri Nov 17 14:01:17 2000 -0600
Date: Fri, 17 Nov 2000 14:01:11 -0600
From: "Mark O. Kaletka"
Subject: RE: cannot get kcron to work on system
In-reply-to: <3A15839A.284C4CAC@fnal.gov>
To: gug@fnal.gov, kerberos-pilot@fnal.gov

Hmmm, I think the problem was the "ksu root" you did before running
kcroninit. Was there a reason you thought you needed to do that? kcroninit
is intended to run under your normal user id. I suspect your hidden keytab
file is now owned by root and can't be read by your normal user id.

The easiest fixup is probably to ksu root again and go to /var/adm/krb5.
This is where kcroninit places the keytab file used by kcron. Assuming there
is only one file there, and it is owned by root, remove it. Then, run
kcroninit again as yourself.

-- Mark K.

From kreymer@fnal.gov Fri Nov 17 15:02:14 2000 -0600
Date: Fri, 17 Nov 2000 15:02:12 -0600
From: Gerald Guglielmo
Subject: Re: cannot get kcron to work on system
To: "Mark O. Kaletka"
Cc: kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3A159CD4.F52D00F9@fnal.gov>

Hi,
I tried it as root since it was failing under my normal account:

Are you on a secure channel?
(default = y): y
What is your kerberos principal (default = gug@PILOT.FNAL.GOV):
Enter the password for gug@PILOT.FNAL.GOV:
Now adding principal gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
add_principal: Principal or policy already exists while creating "gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV".
Now creating empty keytab file for gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
Now writing temporary keytab for gug/cron/fndapg.fnal.gov@PILOT.FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.

Then an empty file is created:

[root@fndapg gug]# ls -l /var/adm/krb5/
total 0
-rw-------   1 gug      g023            0 Nov 17 15:00 d4OnyUUqK8J3C8P3jBZ3dg

This is why I thought maybe I needed to be root.

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."

From kreymer@fnal.gov Fri Nov 17 18:59:54 2000 -0600
Date: Fri, 17 Nov 2000 17:17:31 -0600
From: Matt Crawford
Subject: fix for encrypted rsh stdout/stderr problem
To: kerberos-pilot@fnal.gov
Cc: boyd@fnal.gov, fagan@fnal.gov
Message-id: <200011172317.RAA01733@gungnir.fnal.gov>

The builds are going slowly, but some flavors are already available in kits.
It's kerberos version "v0_7", declared as "test" for now. Would someone care
to give it a try before I make it current?

Do "upd list -aK+ kerberos v0_7" to see if your favorite flavor is there yet.
More are appearing in the list by and by.

The client-side rsh program is the only change.

From kreymer@fnal.gov Fri Nov 17 18:59:54 2000 -0600
Date: Fri, 17 Nov 2000 16:24:58 -0600
From: ARSystem
Subject: 000000000015251 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76109EA2@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015251 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Other type of problem.

Short description : kerberos
Badge # (+)       : 12343N
First Name        : SERGUEI
Last Name (+)     : BOUROV
Phone             : 5008
E-Mail Address    : BOUROV@FNAL.GOV
Incident Time     : 11/17/00 3:31:04 PM
System Name       :
Urgency           : Medium
Public Work Log   :

Problem Description :
Could you help or know who can, we have a problem to install the kerberos on
the SGI (no problem for PC with Linux 6.1). The b0dau02 is CDF online
computer, OS IRIX 6.5 what we have:
========================================================
b0dau02.fnal.gov > ups install-keep-ssh kerberos
Beginning installation of kerberos v0_6
...................
Preparing to configure krb5conf on this node...
Beginning installation of krb5conf v0_6a on b0dau02.
Config file /etc/krb5.conf is up-to-date, no change necessary.
Reminder!!!! You must perform this installation on each node that shares this copy of krb5conf.
Installation of krb5conf v0_6a (without afs) on b0dau02 complete.
krb5conf configuration complete.
Preparing to configure service/byname on this node...
Reading template file /cdf/code-IRIX64-6.5/products/kerberos/v0_6/ups/services.template...
Updating /etc/services file...
No changes to /etc/services are required.
service/byname configuration complete.
Preparing to configure host keys on this node...
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/b0dau02.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/b0dau02.fnal.gov to keytab file.
Preparing to configure inetd on this node...
...................
Automated installation of kerberos complete.
IMPORTANT:
1) /etc/krb5.keytab configuration of service "ftp/b0dau02.fnal.gov" was not completed successfully.
2) /etc/krb5.keytab configuration of service "host/b0dau02.fnal.gov" was not completed successfully.
3) sshd daemon restart was not completed successfully.
These steps must be performed for a complete installation of kerberos.
======================================================================
Thanks, Best regards, Sergei.
PPD/CDF online group.

From kreymer@fnal.gov Fri Nov 17 18:59:54 2000 -0600
Date: Fri, 17 Nov 2000 16:50:35 -0600
From: Matt Crawford
Subject: Re: cannot get kcron to work on system
In-reply-to: "17 Nov 2000 15:02:12 CST." <3A159CD4.F52D00F9@fnal.gov>
To: gug@fnal.gov
Cc: "Mark O. Kaletka", kerberos-pilot@fnal.gov
Message-id: <200011172250.QAA01624@gungnir.fnal.gov>

The last time we ran into this problem, the permissions on /var/adm were
really goofy: 701.

> > drwx-----x   3 root     g023         4096 Sep 19 18:11 /var/adm

Here are more typical permission settings. Run the ls command (as root) and
see how yours compare.

# ls -ld /var /var/adm /var/adm/krb5 /var/adm/krb5/tmp
drwxr-sr-x  20 root     sys          512 Jan  3  1997 /var
drwxr-sr-x   9 root     sys         1024 Sep 26 04:05 /var/adm
drwx--s--x   3 root     root         512 Sep 19 15:10 /var/adm/krb5
drwx-wx-wt   2 root     other        512 Sep 19 15:10 /var/adm/krb5/tmp

From kreymer@fnal.gov Sun Nov 19 17:59:21 2000 -0600
Date: Sun, 19 Nov 2000 17:59:18 -0600
From: Glenn Cooper
Subject: "error 403" from upd install step
To: kerberos-pilot@fnal.gov
Cc: ALBERTO RUIZ JIMENO
Reply-to: gcooper@fnal.gov

Marc, or anyone, a CDF member in Spain has been trying to install the client
part of Kerberos, but the upd install fails as shown below. Note that he did
register his node for UPD distribution--in fact, he did so a while ago, and
then re-registered just now to make sure. Any guidance on what this error
means would be appreciated.

Thanks,
Glenn

---------- Forwarded message ----------
Date: Sat, 18 Nov 2000 00:22:05 +0100 (MET)
From: ALBERTO RUIZ JIMENO
To: gcooper@fnal.gov, Glenn Cooper
Cc: ALBERTO RUIZ JIMENO
Subject: Re: Next steps in Kerberos implementation

Hi, Glenn, bad luck. I got registered with the following mail:

The host gaepc15.ifca.unican.es has been registered for upd and ftp access on
fnkits.fnal.gov.

Sincerely, the "addkits" script

But, when I try to install Kerberos, I got the following result:

upd install kerberos -G "-c"
Received HTTP error (403), Forbidden
failed to run 'ups list -K _upd_overlay:archive_file:database:description:flavor:prod_dir:prod_dir_prefix:table_dir:table_file:ups_dir:version kerberos -g current -q "" -H Linux+2.2'
error output is:
ERROR: ups list returned an error
Could not find specified product on server, stopped at /usr/products/upd/v4_5_2/NULL/bin/upd line 626.

Alberto

Quoting Glenn Cooper :

> OK, thanks. Let me know whether registering helps.
>
> Glenn
>
> On Mon, 13 Nov 2000, ALBERTO RUIZ JIMENO wrote:
>
> > Hi, Glenn, I got the message
> >
> > Received HTTP error (403), Forbidden
> >
> > So, it seems that I am not registered
> >
> > Alberto
> >
> > Quoting Glenn Cooper :
> >
> > > Hi Alberto,
> > >
> > > Well, I'm not sure. I think that once should have been enough,
> > > but I guess it's possible that your computer got left out at
> > > some point. I would try:
> > >
> > > > setup upd
> > > > upd list -a kerberos
> > >
> > > If that works (returns a list of kerberos versions, rather than
> > > an error message), then maybe try installing a small product,
> > > for example:
> > >
> > > > upd install rcs -G -c
> > >
> > > If that works (reports "installation succeeded"), then I really
> > > don't know what is wrong, and I'll have to check with someone
> > > who knows more about UPD. If you still get the same error,
> > > then I would go ahead and try (re-)registering your computer,
> > > wait until you're notified, and try the kerberos install again.
> > >
> > > Please let me know what you find out--I'm sure other people
> > > will run into the same problems.
> > >
> > > Cheers,
> > > Glenn
>
> -----------------------------------------------------
> ==== IFCA mail system. Trailer stamp. ====

ALBERTO
-----------------------------------------------------
==== IFCA mail system. Trailer stamp.
====

From kreymer@fnal.gov Sun Nov 19 20:04:23 2000 -0600
Date: Sun, 19 Nov 2000 20:01:25 -0600 (CST)
From: Art Kreymer
Subject: Re: "error 403" from upd install step, gaepc15.ifca.unican.es
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov, ALBERTO RUIZ JIMENO

gaepc15.ifca.unican.es is not registered with kits.fnal.gov :

GAEPC15 > ftp kits.fnal.gov
Connected to fnkits.fnal.gov.
220 fnkits.fnal.gov FTP server (Version wu-2.6.1(10) Mon Oct 2 11:54:21 CDT 2000) ready.
Name (kits.fnal.gov:cdfsoft): ftp
331 Guest login ok, send your complete e-mail address as password.
Password:
230-This is the FTP service for FTP.FNAL.GOV.
230-Use is for authorized purposes only.
230-
230-The purpose of this service is to provide access to the
230-following categories of files:
230-  - The FermiTools area: publicly available software under the
230-    /pub directory (all users).
230-  - The products area: This provides alternate access to files
230-    normally accessed via the upd program. (registered users)
230-  - The KITS area provides a backwards-compatable file tree for
230-    scripts, etc. used to the old upd directory layout. It is NOT
230-    reccomended for browsing for files.
230-
230-This server allows for on-the-fly compression and uncompression
230-of files retrieved. It also allows you to tar up entire directory
230-structures.
230-
230-
230-You are NOT registered to retrieve files from the UNIX kits area.
230-
230-Retrieve the "registration" file is you want to become registered.
230-
230-You MAY retrieve files from the FermiTools area under /pub. These
230-files are available to the general public.
230-
230 Guest login ok, access restrictions apply.
...
From kreymer@fnal.gov Mon Nov 20 09:01:28 2000 -0600
Date: Mon, 20 Nov 2000 09:00:28 -0600
From: Gerald Guglielmo
Subject: Re: cannot get kcron to work on system
To: Matt Crawford
Cc: "Mark O. Kaletka", kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3A193C8C.BD7B3FC7@fnal.gov>
References: <200011172250.QAA01624@gungnir.fnal.gov>

Hi,
I managed to get kcron to at least allow me to touch a file in afs space by
deleting (actually used mv) the /var/adm/krb5 directory and then rerunning
kcroninit. I guessed maybe it was a permissions problem, but I was surprised
that worked.

fndapg}(g023) ls -ld /var /var/adm /var/adm/krb5 /var/adm/krb5/tmp
ls: /var/adm/krb5/tmp: No such file or directory
drwxr-xr-x  20 root     root         4096 Nov 17 16:01 /var
drwx-----x   3 root     root         4096 Nov 17 15:54 /var/adm
drwx--s--x   2 root     root         4096 Nov 17 15:54 /var/adm/krb5

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."

From kreymer@fnal.gov Mon Nov 20 12:07:18 2000 -0600
Date: Mon, 20 Nov 2000 12:03:58 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 15085
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76109FD1@csdserver2.fnal.gov>

This reminder created on 11/20/00 12:03:24 PM

Ticket 15085 has been assigned to you. This is a reminder that the ticket
is not yet resolved.

Status : Work In Progress
First Name : HEIDI
Last Name (+) : SCHELLMAN
Phone : 3266
E-Mail Address : SCHELLMAN@FNAL.GOV
Incident Time : 11/9/00 2:36:01 PM
System Name :
Problem Category : Software
Type : Utilities
Item : Other
Urgency : Medium
Short Description : problem with WRQ kerberos access: Encryption type not supported (KRB023)
Problem Description :
I set up WRQ on my PC and was able to start x connections. I then tried
the FTP access and crashed my PC as reported by Harry Melanson yesterday.
Now I cannot start x connections and get the following error:

Encryption type not supported(KRB023)

I can still access the same machine via WRQ's telnet facility so it is
not a problem with the ticket. I'm trying to write this up for the D0
collaboration as an endorsement with FAQ's so any help I can get in
finding the solution to this problem would be useful.

Heidi Schellman

From kreymer@fnal.gov Mon Nov 20 12:56:21 2000 -0600
Date: Mon, 20 Nov 2000 20:01:00 +0100 (MET)
From: ALBERTO RUIZ JIMENO
Subject: Re: "error 403" from upd install step, gaepc15.ifca.unican.es
To: Art Kreymer
Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov, ALBERTO RUIZ JIMENO
Message-id: <974746860.3a1974ec6e0ce@boxer.ifca.unican.es>

What do I have to do to get registered?

Alberto

Quoting Art Kreymer :

> gaepc15.ifca.unican.es is not registered with kits.fnal.gov :
>
> GAEPC15 > ftp kits.fnal.gov
> Connected to fnkits.fnal.gov.
> 220 fnkits.fnal.gov FTP server (Version wu-2.6.1(10) Mon Oct 2 11:54:21 CDT
> 2000) ready.
> Name (kits.fnal.gov:cdfsoft): ftp
> 331 Guest login ok, send your complete e-mail address as password.
> Password:
> 230-This is the FTP service for FTP.FNAL.GOV.
> 230-Use is for authorized purposes only.
> 230-
> 230-The purpose of this service is to provide access to the
> 230-following categories of files:
> 230- - The FermiTools area: publicly available software under the
> 230-   /pub directory (all users).
> 230- - The products area: This provides alternate access to files
> 230-   normally accessed via the upd program.
>   (registered users)
> 230- - The KITS area provides a backwards-compatable file tree for
> 230-   scripts, etc. used to the old upd directory layout. It is NOT
> 230-   reccomended for browsing for files.
> 230-
> 230-This server allows for on-the-fly compression and uncompression
> 230-of files retrieved. It also allows you to tar up entire directory
> 230-structures.
> 230-
> 230-
> 230-You are NOT registered to retrieve files from the UNIX kits area.
> 230-
> 230-Retrieve the "registration" file is you want to become registered.
> 230-
> 230-You MAY retrieve files from the FermiTools area under /pub. These
> 230-files are available to the general public.
> 230-
> 230 Guest login ok, access restrictions apply.
> ...
>
> ALBERTO

-----------------------------------------------------
==== IFCA mail system. Trailer stamp. ====

From kreymer@fnal.gov Mon Nov 20 13:03:20 2000 -0600
Date: Mon, 20 Nov 2000 13:03:15 -0600 (CST)
From: Art Kreymer
Subject: Re: "error 403" from upd install step, gaepc15.ifca.unican.es
In-reply-to: <974746860.3a1974ec6e0ce@boxer.ifca.unican.es>
To: ALBERTO RUIZ JIMENO
Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov

See http://www.fnal.gov/cd/forms/upd_registration.html

From kreymer@fnal.gov Mon Nov 20 14:16:37 2000 -0600
Date: Mon, 20 Nov 2000 14:15:57 -0600
From: Matt Crawford
Subject: Re: problem in 'startx' after installation of kerberos
In-reply-to: "17 Nov 2000 13:15:30 CST."
To: Yen-Chu Chen
Cc: FNAL Kerberos-Pilot list
Message-id: <200011202015.OAA04172@gungnir.fnal.gov>

> Somehow the problem went away after I upgraded the OS from RH 6.0
> to FNAL RH 6.1.1. Just in case you are still interested in what happened,
> here are the answers to the questions that you asked.

I'm going to guess that the list of devices that are to be chown()'d to
the new userid upon login (the list is in /etc/fbtab, I think) wasn't
right before the upgrade and was right afterward.

From kreymer@fnal.gov Tue Nov 21 08:08:06 2000 -0600
Date: Tue, 21 Nov 2000 08:07:20 -0600
From: Matt Crawford
Subject: Re: cannot get kcron to work on system
In-reply-to: "20 Nov 2000 09:00:28 CST." <3A193C8C.BD7B3FC7@fnal.gov>
To: gug@fnal.gov
Cc: "Mark O. Kaletka", kerberos-pilot@fnal.gov
Message-id: <200011211407.IAA08885@gungnir.fnal.gov>

> fndapg}(g023) ls -ld /var /var/adm /var/adm/krb5 /var/adm/krb5/tmp
> ls: /var/adm/krb5/tmp: No such file or directory
> drwxr-xr-x   20 root     root         4096 Nov 17 16:01 /var
> drwx-----x    3 root     root         4096 Nov 17 15:54 /var/adm
> drwx--s--x    2 root     root         4096 Nov 17 15:54 /var/adm/krb5

There it is again! Permission 701 on /var/adm. I checked again and
actually the last 2 out of 2 times this kcron problem was reported, it
was (a) a mode 701 /var/adm and (b) on the fnda* cluster.

From kreymer@fnal.gov Tue Nov 21 08:47:04 2000 -0600
Date: Tue, 21 Nov 2000 08:47:01 -0600
From: Matt Crawford
Subject: Re: 000000000015251 Assigned to CRAWFORD, MATT.
In-reply-to: "17 Nov 2000 16:24:58 CST." <318CC3D38BE0D211BB1200105A093F76109EA2@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200011211447.IAA09211@gungnir.fnal.gov>

  Preparing to configure host keys on this node...
  kadmin: Preauthentication failed while initializing kadmin interface
  ERROR: could not add principal ftp/b0dau02.fnal.gov to keytab file.
  kadmin: Preauthentication failed while initializing kadmin interface
  ERROR: could not add principal host/b0dau02.fnal.gov to keytab file.

There are two possible causes for this error
  1. Wrong password
  2. System clock is off by more than five minutes

The following quick test points to cause #2:

gungnir 25% date;telnet b0dau02 smtp
Tue Nov 21 08:43:09 CST 2000
Trying 131.225.236.58...
Connected to b0dau02.fnal.gov (131.225.236.58).
Escape character is '^]'.
220 ESMTP b0dau02.fnal.gov Sendmail 980427.SGI.8.8.8/980728.SGI.AUTOCF ready at Tue, 21 Nov 2000 08:52:26 -0600 (CST)
QUIT
221 b0dau02.fnal.gov closing connection

(My own clock turns out to be off by 13 seconds, so b0dau02's is off by
at least 9 min 04 sec.)
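The clock test in the message above, written out as a script: this is an example added for this archive, not a Fermilab tool or anything the list discussed. It assumes the remote host answers on port 25 with a Sendmail-style greeting ending in "ready at <date>", and it replays the local `date` output, the b0dau02 banner and the 13-second local error quoted above as constructed sample input; the five-minute limit is the Kerberos default named in the message.

```python
"""Clock-skew check for Kerberos host-key setup (added example).

Kerberos refuses requests whose timestamp differs from the KDC's clock by
more than the allowed skew (five minutes by default), and kadmin reports
that as "Preauthentication failed", the same text a wrong password gives.
This script does what `date; telnet host smtp` did: read the timestamp a
Sendmail-style server puts in its 220 greeting, compare it with the local
clock, and say whether the clock or the password is the likelier cause.
"""
import re
import socket
import sys
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

MAX_SKEW = timedelta(minutes=5)          # Kerberos default clock-skew limit
CST = timezone(timedelta(hours=-6))      # zone used in the message above

# Constructed sample input, copied from the exchange above: the local
# `date` output and the greeting b0dau02 returned.
SAMPLE_LOCAL = datetime(2000, 11, 21, 8, 43, 9, tzinfo=CST)
SAMPLE_BANNER = ("220 ESMTP b0dau02.fnal.gov Sendmail 980427.SGI.8.8.8/"
                 "980728.SGI.AUTOCF ready at Tue, 21 Nov 2000 08:52:26 -0600 (CST)")

# Sendmail greetings end with "ready at <RFC 822 date>", optionally
# followed by a parenthesised zone comment such as "(CST)".
_READY_AT = re.compile(r"ready at\s+(.+?)\s*(?:\([A-Za-z]+\))?\s*$")


def parse_banner_time(banner):
    """Return the timezone-aware datetime in an SMTP 220 greeting, or None.

    None means the line is not a greeting, has no timestamp, or gives no
    usable zone (unparseable, or the "-0000" unknown-zone form), in which
    case no skew can be computed from it.
    """
    line = banner.strip()
    if not line.startswith("220"):
        return None
    match = _READY_AT.search(line)
    if match is None:
        return None
    try:
        stamp = parsedate_to_datetime(match.group(1))
    except (TypeError, ValueError):      # older/newer Pythons differ here
        return None
    return stamp if stamp.tzinfo is not None else None


def skew_bounds(local_time, remote_time, local_error_seconds=0):
    """Bounds (lower, upper) on the remote clock's absolute error, in seconds.

    local_error_seconds is how far the local clock itself is known to be
    wrong, in either direction; the raw difference is only trustworthy to
    that margin, which is why the message says "at least 9 min 04 sec".
    """
    raw = abs(int(round((remote_time - local_time).total_seconds())))
    err = abs(int(local_error_seconds))
    return max(raw - err, 0), raw + err


def diagnose(local_time, remote_time, local_error_seconds=0, max_skew=MAX_SKEW):
    """Classify a 'Preauthentication failed' as clock, password or unknown."""
    lower, upper = skew_bounds(local_time, remote_time, local_error_seconds)
    limit = int(max_skew.total_seconds())
    if lower > limit:
        return "clock", ("remote clock is off by at least %d s (limit %d s): "
                         "fix the time, then rerun the host-key step" % (lower, limit))
    if upper > limit:
        return "unknown", ("skew between %d and %d s straddles the %d s limit: "
                           "verify the local clock first" % (lower, upper, limit))
    return "password", ("clocks agree to within %d s: the error then points "
                        "at the kadmin password" % upper)


def fetch_banner(host, port=25, timeout=10):
    """Live equivalent of `date; telnet host smtp` plus QUIT.

    Returns (local_time, greeting line); only the final "220 " line of a
    multi-line greeting carries the timestamp.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        local_time = datetime.now(timezone.utc)
        data = sock.recv(4096).decode("ascii", "replace")
        sock.sendall(b"QUIT\r\n")
    for line in data.splitlines():
        if line.startswith("220 "):
            return local_time, line
    return local_time, data.strip()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live check against a host
        local, banner = fetch_banner(sys.argv[1])
    else:                                      # replay the sample above
        local, banner = SAMPLE_LOCAL, SAMPLE_BANNER
    remote = parse_banner_time(banner)
    if remote is None:
        sys.exit("no usable timestamp in greeting: %r" % banner)
    print("%s: %s" % diagnose(local, remote, local_error_seconds=13))
```

Run with no arguments it reproduces the 9 min 04 sec lower bound from the message; with a hostname it performs the live check. A "password" verdict only rules the clock out, it does not confirm the password.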
From kreymer@fnal.gov Tue Nov 21 08:58:46 2000 -0600
Date: Tue, 21 Nov 2000 08:57:47 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15251 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7610A135@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000015251 has been resolved on 11/21/00 8:54:20 AM

Resolution Timestamp: : 11/21/00 8:47:10 AM
Solution Category : Information Request
Problem Category : Software
Type : Utilities
Item : Other
Short Description : kerberos
Solution : Per the analyst:
"Preparing to configure host keys on this node...
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/b0dau02.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/b0dau02.fnal.gov to keytab file.

There are two possible causes for this error
  1. Wrong password
  2. System clock is off by more than five minutes

The following quick test points to cause #2:

gungnir 25% date;telnet b0dau02 smtp
Tue Nov 21 08:43:09 CST 2000
Trying 131.225.236.58...
Connected to b0dau02.fnal.gov (131.225.236.58).
Escape character is '^]'.
220 ESMTP b0dau02.fnal.gov Sendmail 980427.SGI.8.8.8/980728.SGI.AUTOCF ready at Tue, 21 Nov 2000 08:52:26 -0600 (CST)
QUIT
221 b0dau02.fnal.gov closing connection

(My own clock turns out to be off by 13 seconds, so b0dau02's is off by at least 9 min 04 sec.)"

Problem Description :
Could you help or know who can, we have a problem to install the kerberos
on the SGI (no problem for PC with Linux 6.1). The b0dau02 is CDF online
computer, OS IRIX 6.5

what we have :
========================================================
b0dau02.fnal.gov > ups install-keep-ssh kerberos
Beginning installation of kerberos v0_6
...................
Preparing to configure krb5conf on this node...
Beginning installation of krb5conf v0_6a on b0dau02.
Config file /etc/krb5.conf is up-to-date, no change necessary.

Reminder!!!! You must perform this installation on each node that shares
this copy of krb5conf.

Installation of krb5conf v0_6a (without afs) on b0dau02 complete.
krb5conf configuration complete.
Preparing to configure service/byname on this node...
Reading template file /cdf/code-IRIX64-6.5/products/kerberos/v0_6/ups/services.template...
Updating /etc/services file...
No changes to /etc/services are required.
service/byname configuration complete.
Preparing to configure host keys on this node...
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/b0dau02.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/b0dau02.fnal.gov to keytab file.
Preparing to configure inetd on this node...
...................
Automated installation of kerberos complete.

IMPORTANT:
1) /etc/krb5.keytab configuration of service "ftp/b0dau02.fnal.gov" was not completed successfully.
2) /etc/krb5.keytab configuration of service "host/b0dau02.fnal.gov" was not completed successfully.
3) sshd daemon restart was not completed successfully.
These steps must be performed for a complete installation of kerberos.
======================================================================

Thanks,
Best regards,
Sergei.
PPD/CDF online group.
From kreymer@fnal.gov Tue Nov 21 12:54:27 2000 -0600
Date: Tue, 21 Nov 2000 12:11:29 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15251 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7610A174@csdserver2.fnal.gov>

15251 has been updated by blomberg.

Short Description : kerberos
New Work Log Entry :
From: "Serguei Bourov"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15251 Has Been Resolved.
Date: Tuesday, November 21, 2000 11:53 AM

Thanks, it's OK now.
The problem was the system clock is off by 9 min

Sergei.

From kreymer@fnal.gov Tue Nov 21 18:00:15 2000 -0600
Date: Tue, 21 Nov 2000 17:37:23 -0600
From: Matt Crawford
Subject: Kerberos rsh problem: mixes stdout & stderr
To: kerberos-announce@fnal.gov
Cc: helpdesk@fnal.gov
Message-id: <200011212337.RAA12961@gungnir.fnal.gov>

Fermi Kerberos versions up to v0_6 inclusive have an obscure bug in the
rsh program -- the client, not the server -- which causes them to mix up
the stdout and stderr streams under heavy traffic. (This bug is also
present in all MIT Kerberos 1.0.X releases.)
Version v0_7 is now in kits, as "test", and has this bug fixed. This was
the only change between v0_6 and v0_7 so I expect to mark it "current"
very soon.

If you're in way too big a hurry, you can find the fixed rsh program
alone in /afs/fnal.gov/files/home/room2/crawdad/kerberos-rsh-fixed/$FLAVOR

Kudos to Joe Boyd for providing sufficient information to diagnose the
problem.

From kreymer@fnal.gov Wed Nov 22 10:56:41 2000 -0600
Date: Wed, 22 Nov 2000 10:56:30 -0600
From: ARSystem
Subject: 000000000015334 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7610A217@csdserver2.fnal.gov>

CRAWFORD, MATT,

Help Desk Ticket #000000000015334 has been assigned to you. It is a(n)
Medium priority Software/Utilities /Kerberos type of problem.

Short description: can't install kerberos v0_7 from kits

Badge # (+) : 12754N
First Name : JOE
Last Name (+) : BOYD
Phone : 8275
E-Mail Address : BOYD@FNAL.GOV
Incident Time : 11/21/00 6:00:07 PM
System Name :
Urgency : Medium
Public Work Log :
Problem Description :
I'm trying to install kerberos v0_7 from kits into my local products
database. Here is the command and error:

d02ka.fnal.gov# upd install kerberos v0_7
informational: gtools v2_2 already exists on local node, skipping.
informational: perl v5_005 already exists on local node, skipping.
informational: krb5conf v0_6a already exists on local node, skipping.
informational: kcommon v1_0 already exists on local node, skipping.
informational: kcroninit v0_6 already exists on local node, skipping.
Timeout at /usr/products/perl/v5_005/IRIX-6/lib/site_perl/5.005/IP22-irix/Net/FTP.pm line 356
tar: tape blocksize error
d02ka.fnal.gov#

I don't know if the problem is with the fnkits.fnal.gov machine or if the
problem is with the kerberos v0_7 package. I've tried pulling it down
twice from 5-6PM on Nov 21st and it failed the same way both times.
Thanks,
joe

From kreymer@fnal.gov Wed Nov 22 11:22:28 2000 -0600
Date: Wed, 22 Nov 2000 11:22:18 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15334 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7610A236@csdserver2.fnal.gov>

15334 has been updated by blomberg.

Short Description : can't install kerberos v0_7 from kits
New Work Log Entry :
From: "Joseph Boyd"
To: "ARSystem"
Subject: Re: Help Desk Ticket 000000000015334
Date: Wednesday, November 22, 2000 11:17 AM

I highly doubt this was Matt Crawford's problem. I just copied him to let
him know it was happening. It should have been a problem with
fnkits.fnal.gov but I'm not sure if it has been fixed yet or not since I
haven't had a chance today to try to reinstall things.

joe

From kreymer@fnal.gov Wed Nov 22 11:22:28 2000 -0600
Date: Wed, 22 Nov 2000 11:22:18 -0600
From: ARSystem
Subject: 000000000015338 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7610A235@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 539

CRAWFORD, MATT, Help Desk Ticket #000000000015338 has been assigned to you. It is a(n) Medium priority Software/Utilities /Other type of problem.
Short description: authentication error with reflection
Badge # (+) : 05524N
First Name : CARMENITA
Last Name (+) : MOORE
Phone : 2288
E-Mail Address : CARMENITA@FNAL.GOV
Incident Time : 11/21/00 5:21:39 PM
System Name :
Urgency : Medium
Public Work Log :
Problem Description : I have modified Reflection Kerberos Manager to have moore as the principle. I've double checked the installation instructions against what I did - still when I authenticate, I get Client Principle not found in kerberos database (KDC006). This is on my win2k laptop. I read that the system you were on had to have user name that matched the kerberos principle. Does that apply to win2k systems too ? Just in case, I created a "moore" account on my laptop but couldn't authenticate from it either - same message as above. I was able to kpasswd and change my kerberos password for moore. It couldn't find carmenita which I also find curious as Yolanda created a "carmenita" principle for me also - since that's my mail server name. help.

-Carmenita-

Matt Crawford wrote:
> > When I try to authenticate I get:
> >
> > Client Principle not found in kerberos database (KDC006)
> >
> > I have had the account by yolanda had to reset the password for me -
> > which she did today...
>
> There's no Kerberos principal "carmenita", or even "carmenit", so
> yours must be "moore". (The mail server knows you as both, which I'm
> sure will continue to cause a bit of confusion, but since your Unix
> username seems to be moore, it shouldn't be too bad.) You'll have to
> make sure you have that filled in in the Reflection Kerberos Manager.
>
> I see where you ran into a "password expired" problem on Sep 10, Oct
> 16, Nov 6 and Nov 14 and some other error on Nov 17. Right now I see
> that your password was changed by valadez on Nov 20. Give it a try
> with the new password, would you?
>
> And I have your Cryptocard request in the queue and I'll be working
> on the backlog today.
> Matt

From kreymer@fnal.gov Wed Nov 22 11:34:53 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA03865 for ; Wed, 22 Nov 2000 11:34:53 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4F00MI6SU4EQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 22 Nov 2000 11:34:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AB6CB@listserv.fnal.gov>; Wed, 22 Nov 2000 11:34:53 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 59540 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 22 Nov 2000 11:34:52 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AB6CA@listserv.fnal.gov>; Wed, 22 Nov 2000 11:34:52 -0600 Received: from CUERVO ([131.225.82.57]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G4F00ME5SU3RC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 22 Nov 2000 11:34:52 -0600 (CST) Date: Wed, 22 Nov 2000 11:34:51 -0600 From: "Mark O.
Kaletka" Subject: WRQ Reflection 8.0.2 Installation Sender: owner-kerberos-pilot@listserv.fnal.gov To: Kerberos Pilot List Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 540

This is intended for PC administrators on this list who are installing WRQ...

The installation for WRQ Reflection Suite for X 8.0.2 uses the new(er) Windows 2000 installer interface and therefore the set of options is somewhat more complicated than the previous version. However, we've found that simply choosing a "Typical" install does the right things. The interim installation instructions are:

Once the installer for Suite for X is launched, after clicking through the initial screens, license agreement, and user info:

a. On "Destination Folder", leave the default C:\Program Files\Reflection;
b. On "Select Installation Type", choose "Typical". This bypasses all the subsequent installation screens, and installs all the right features. You don't get prompted again until the installation is completed. This vastly simplifies the process.

The WRQ Signature software is still at the older 7.0.2 version and the installation is substantially unchanged. However, to enable the Kerberos Manager to change Kerberos passwords, the Windows NT services file must be updated. The easiest way to do this is, as Administrator, execute the file \\Pckits\WRQ\services.bat, which will make a backup copy of the original services file and copy a modified version from pckits.

Anne Heavey is updating the online documentation, which will include a more complete description.

-- Mark K.
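The services-file step in the message above, as an added example that is not part of the original message and not the contents of \\Pckits\WRQ\services.bat (which the message does not reproduce): a Python script that makes the same kind of backed-up, idempotent edit and refuses to overwrite a port that is already bound to a different service. It assumes, as labelled in the code, that the entry the Kerberos Manager needs is the standard kpasswd service on 464/tcp and 464/udp and that the file uses the usual services layout.

```python
r"""Idempotent update of a Windows-style services file so the Kerberos Manager
can reach the password-change service, the step \\Pckits\WRQ\services.bat
performs in the message above.

Added example, not the contents of that batch file. Assumptions, labelled: the
entry needed is the standard kpasswd service on port 464 (RFC 3244 registers
464/tcp and 464/udp), and the file has the classic
"name port/proto [aliases] # comment" layout of
%SystemRoot%\system32\drivers\etc\services.
"""
import re
import shutil
import tempfile
from pathlib import Path

SERVICE_RE = re.compile(r"^\s*(?P<name>\S+)\s+(?P<port>\d+)/(?P<proto>tcp|udp)\b", re.I)

# Assumed entries (see module docstring).
KERBEROS_ENTRIES = [
    ("kpasswd", 464, "tcp", "# Kerberos password change (RFC 3244)"),
    ("kpasswd", 464, "udp", "# Kerberos password change (RFC 3244)"),
]


def parse_services(text: str) -> dict[tuple[int, str], str]:
    """Map (port, proto) -> service name for every non-comment line."""
    table = {}
    for line in text.splitlines():
        m = SERVICE_RE.match(line.split("#", 1)[0])
        if m:
            table[(int(m.group("port")), m.group("proto").lower())] = m.group("name")
    return table


def merge_entries(text: str, entries=KERBEROS_ENTRIES):
    """Return (new_text, added, conflicts).

    Entries already present are left alone, so a second run changes nothing;
    a port/proto already bound to a *different* name is reported as a conflict
    rather than duplicated or overwritten. Line endings of the input are kept."""
    newline = "\r\n" if "\r\n" in text else "\n"
    table = parse_services(text)
    lines = text.splitlines()
    added, conflicts = [], []
    for name, port, proto, comment in entries:
        owner = table.get((port, proto))
        if owner is None:
            lines.append(f"{name:<16}{port}/{proto:<12}{comment}")
            added.append((name, port, proto))
        elif owner.lower() != name:
            conflicts.append((owner, port, proto))
    return newline.join(lines) + newline, added, conflicts


def update_services_file(path: Path, entries=KERBEROS_ENTRIES):
    """Back up the original first, as the batch file does; write only if needed.
    Bytes are used so CRLF endings survive the round trip."""
    new_text, added, conflicts = merge_entries(path.read_bytes().decode(), entries)
    if added:
        shutil.copy2(path, path.with_name(path.name + ".bak"))
        path.write_bytes(new_text.encode())
    return added, conflicts


# Constructed sample: an NT-style services file that has the KDC entries but
# no kpasswd entry.
SAMPLE_SERVICES = (
    "# constructed sample\r\n"
    "kerberos        88/tcp    krb5   # Kerberos v5\r\n"
    "kerberos        88/udp    krb5   # Kerberos v5\r\n"
)


def demo() -> tuple[list, list, bool]:
    """Run the update against a temporary copy of the sample; return what was
    added, any conflicts, and whether the backup exists and a rerun is a no-op."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "services"
        path.write_bytes(SAMPLE_SERVICES.encode())
        added, conflicts = update_services_file(path)
        backup_exists = path.with_name("services.bak").exists()
        again, _ = update_services_file(path)
        return added, conflicts, backup_exists and again == []


if __name__ == "__main__":
    print(demo())
```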
From kreymer@fnal.gov Wed Nov 22 14:51:42 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA04262 for ; Wed, 22 Nov 2000 14:51:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G004JW1Y5X0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 22 Nov 2000 14:51:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AB932@listserv.fnal.gov>; Wed, 22 Nov 2000 14:51:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60221 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 22 Nov 2000 14:51:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AB931@listserv.fnal.gov>; Wed, 22 Nov 2000 14:51:41 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G005KS1Y422@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 22 Nov 2000 14:51:40 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 22 Nov 2000 14:51:41 -0600 Content-return: allowed Date: Wed, 22 Nov 2000 14:51:36 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15338 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7610A276@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 541 15338 has been updated by blomberg. 
Short Description : authentication error with reflection
New Work Log Entry :
From: "Matt Crawford" To: "Carmenita Moore" Cc: ; Subject: Re: authentication error with reflection Date: Wednesday, November 22, 2000 2:47 PM

Ah, I see something new in the log. You seem to have your Kerberos realm name configured as pilot.fnal.gov (lower case). It has to be all upper case.

Also, there is no Kerberos principal carmenita (or carmenit), just moore. But having a Windows account with a matching name is not important. Having your unix account match your Kerberos account is a big convenience, although not strictly essential either.

From kreymer@fnal.gov Wed Nov 22 16:11:59 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA04346 for ; Wed, 22 Nov 2000 16:11:58 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G005MN5JZPE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Wed, 22 Nov 2000 16:09:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000ABA4A@listserv.fnal.gov>; Wed, 22 Nov 2000 16:09:33 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60547 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Wed, 22 Nov 2000 16:09:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000ABA48@listserv.fnal.gov>; Wed, 22 Nov 2000 16:09:32 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G008E95JV9Q@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Wed, 22 Nov 2000 16:09:31 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA20673 for ; Wed, 22 Nov 2000 16:09:31 -0600 (CST)
Date: Wed, 22 Nov 2000 16:09:31 -0600 From: Matt Crawford Subject: kerberos v0_7 now "current" in fnkits Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200011222209.QAA20673@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 542 After multiple successful installations and tests, kerberos v0_7 has been declared "current" in kits. From kreymer@fnal.gov Wed Nov 22 16:54:35 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA04497 for ; Wed, 22 Nov 2000 16:54:35 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G006OB7MYR6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 22 Nov 2000 16:54:34 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000ABB44@listserv.fnal.gov>; Wed, 22 Nov 2000 16:54:35 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60825 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 22 Nov 2000 16:54:34 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000ABB43@listserv.fnal.gov>; Wed, 22 Nov 2000 16:54:34 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4G00A887MXOX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 22 Nov 2000 16:54:33 -0600 (CST) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id eAMMsWN24714; Wed, 22 Nov 2000 16:54:32 -0600 (CST) Date: Wed, 22 Nov 2000 16:54:32 -0600 From: aheavey@fnal.gov Subject: strong auth manual Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: helpdesk@fnal.gov Reply-to: aheavey@fnal.gov Message-id: 
<200011222254.eAMMsWN24714@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 543 The information for kerberizing a PC has been updated and that for a Mac has been added. See the usual URL: http://www.fnal.gov/docs/strongauth/index.html -- Anne Anne Heavey Fermilab Computing Division Phone: 630-840-8039 Location: Wilson Hall 8.18 (NE corner) MS: 120 From kreymer@fnal.gov Mon Nov 27 11:03:25 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15950 for ; Mon, 27 Nov 2000 11:03:25 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P001JY0POLT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 11:03:25 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD1E7@listserv.fnal.gov>; Mon, 27 Nov 2000 11:03:25 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 67089 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 11:03:25 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD1E6@listserv.fnal.gov>; Mon, 27 Nov 2000 11:03:25 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P001PU0PONS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 11:03:24 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA13010; Mon, 27 Nov 2000 11:03:24 -0600 (CST) Date: Mon, 27 Nov 2000 11:03:24 -0600 From: Matt Crawford Subject: Re: [Fwd: kerberos] In-reply-to: "22 Nov 2000 10:51:50 CST." 
<3A1BF9A6.6DF3E331@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Joseph Boyd Cc: kerberos-pilot@fnal.gov Message-id: <200011271703.LAA13010@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 544

> Hi Matt,
> I think I got these "No such file or directory" errors when I
> installed v0_6 too. Is this something wrong in the sgi version of the
> kits product that should be fixed or should I just ignore it?
> >
> > d0chb 23# upd install kerberos v0_7
> > [...]
> > informational: beginning install of kerberos.
> > Cannot access libdb.a: No such file or directory
> > Cannot access libkadm5clnt.a: No such file or directory
> > Cannot access libdyn.a: No such file or directory
> > Cannot access libgssrpc.a: No such file or directory
> > Cannot access libkadm5srv.a: No such file or directory

These don't matter. What happened is that in the process of compiling, certain libraries were created in the directories where their source was, and symbolic links were created in the top level "src/lib" directory. When the installation kit is built, these libraries (except for libdb.a, which doesn't get installed) are gathered up for installation into /usr/krb5/lib and the originals are deleted from the source tree, but the symlinks aren't deleted. I'll fix up the "make clean" step so they are deleted and these messages will cease in a future release.
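The stale-symlink situation Matt describes, as an added example that is not part of the kits product or of the original messages: a Python script that builds a miniature src/lib tree the way the kit build leaves it (libraries built in their source directories, symlinked from src/lib, originals deleted at kit-build time, links left behind), reports the dangling links, and removes them the way a fixed "make clean" step would. Directory and library names are constructed for the demonstration.

```python
"""Find and remove dangling symbolic links of the kind behind the harmless
"Cannot access libXXX.a: No such file or directory" messages above.

Added example, not part of the kits product: build_sample_tree() constructs a
miniature source tree in a temporary directory; the two other functions are
the check and the clean-up a build's "make clean" step would run.
"""
import os
import tempfile
from pathlib import Path


def dangling_symlinks(root: Path) -> list[Path]:
    """Return every symlink under root whose target no longer exists.
    Path.exists() follows the link, Path.is_symlink() does not, so a link
    that is a symlink but does not 'exist' is exactly a dangling one."""
    stale = []
    for dirpath, dirnames, filenames in os.walk(root):
        # os.walk (followlinks=False) lists symlinked directories in dirnames
        # and everything else, including broken links, in filenames.
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if p.is_symlink() and not p.exists():
                stale.append(p)
    return sorted(stale)


def clean_dangling(root: Path) -> list[Path]:
    """The 'make clean' fix: unlink the stale links (the link, never a target)."""
    removed = dangling_symlinks(root)
    for p in removed:
        p.unlink()
    return removed


def build_sample_tree(base: Path) -> Path:
    """Construct a kits-style tree: src/lib/<subdir>/libX.a is built and
    src/lib/libX.a is a relative symlink to it; the kit build then 'gathers
    up' (deletes) the originals but leaves the links."""
    src = base / "src"
    (src / "lib" / "kadm5").mkdir(parents=True)
    (src / "lib" / "db").mkdir()
    built = {
        "kadm5/libkadm5clnt.a": True,  # original deleted -> link goes stale
        "kadm5/libkadm5srv.a": True,
        "db/libdb.a": True,
        "kadm5/libkeep.a": False,      # original kept -> link stays valid
    }
    for rel, delete_original in built.items():
        target = src / "lib" / rel
        target.write_bytes(b"!<arch>\n")   # ar magic; contents are irrelevant
        link = src / "lib" / Path(rel).name
        link.symlink_to(Path(rel))          # relative link, as a build makes
        if delete_original:
            target.unlink()
    return src


def demo() -> tuple[list[str], list[str]]:
    """Return the stale link names before and after the clean-up."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_tree(Path(tmp))
        before = [p.name for p in dangling_symlinks(src)]
        clean_dangling(src)
        after = [p.name for p in dangling_symlinks(src)]
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("stale links:", before)
    print("after clean:", after)
```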
From kreymer@fnal.gov Mon Nov 27 12:13:19 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA15981 for ; Mon, 27 Nov 2000 12:13:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P006E63NXBN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 12:07:25 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD374@listserv.fnal.gov>; Mon, 27 Nov 2000 12:07:23 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 67501 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 12:07:23 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD373@listserv.fnal.gov>; Mon, 27 Nov 2000 12:07:23 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P0077L3NR0T@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 12:07:22 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 27 Nov 2000 12:07:02 -0600 Content-return: allowed Date: Mon, 27 Nov 2000 12:06:56 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 15085 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76113EFC@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 545 This reminder created on 11/27/00 12:03:36 PM Ticket 15085 has been assigned to you. This is a reminder that the ticket is not yet resolved. 
Status : Work In Progress First Name : HEIDI Last Name (+) : SCHELLMAN Phone : 3266 E-Mail Address : SCHELLMAN@FNAL.GOV Incident Time : 11/9/00 2:36:01 PM System Name : Problem Category : Software Type : Utilities Item : Other Urgency : Medium Short Description : problem with WRQ kerberos access: Encryption type not supported (KRB023) Problem Description : I set up WRQ on my PC and was able to start x connections. I then tried the FTP access and crashed my PC as reported by Harry Melanson yesterday. Now I cannot start x connections and get the following error: Encryption type not supported(KRB023) I can still access the same machine via WRQ's telnet facility so it is not a problem with the ticket. I'm trying to write this up for the D0 collaboration as an endorsement with FAQ's so any help I can get in finding the solution to this problem would be useful. Heidi Schellman From kreymer@fnal.gov Mon Nov 27 12:13:19 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA15984 for ; Mon, 27 Nov 2000 12:13:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P0075L3NGG5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 12:06:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD2F2@listserv.fnal.gov>; Mon, 27 Nov 2000 12:06:52 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 67364 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 12:06:52 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD2F0@listserv.fnal.gov>; Mon, 27 Nov 2000 12:06:52 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P007773NC62@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 12:06:52 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 27 Nov 2000 12:06:48 -0600 Content-return: allowed Date: Mon, 27 Nov 2000 12:06:46 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 15338 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7610A394@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 546 This reminder created on 11/27/00 12:03:06 PM Ticket 15338 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : CARMENITA Last Name (+) : MOORE Phone : 2288 E-Mail Address : CARMENITA@FNAL.GOV Incident Time : 11/21/00 5:21:39 PM System Name : Problem Category : Software Type : Utilities Item : Other Urgency : Medium Short Description : authentication error with reflection Problem Description : I have modified Reflection Kerberos Manager to have moore as the principle. I've double checked the installation instructions against what I did - still when I authenticate, I get Client Principle not found in kerberos database (KDC006). This is on my win2k laptop. I read that the system you were on had to have user name that matched the kerberos principle. Does that apply to win2k systems too ? Just in case, I created a "moore" account on my laptop but couldn't authenticate from it either - same message as above. I was able to kpasswd and change my kerberos password for moore. It couldn't find carmenita which I also find curious as Yolanda created a "carmenita" principle for me also - since that's my mail server name. help. 
-Carmenita-

Matt Crawford wrote:
> > When I try to authenticate I get:
> >
> > Client Principle not found in kerberos database (KDC006)
> >
> > I have had the account by yolanda had to reset the password for me -
> > which she did today...
>
> There's no Kerberos principal "carmenita", or even "carmenit", so
> yours must be "moore". (The mail server knows you as both, which I'm
> sure will continue to cause a bit of confusion, but since your Unix
> username seems to be moore, it shouldn't be too bad.) You'll have to
> make sure you have that filled in in the Reflection Kerberos Manager.
>
> I see where you ran into a "password expired" problem on Sep 10, Oct
> 16, Nov 6 and Nov 14 and some other error on Nov 17. Right now I see
> that your password was changed by valadez on Nov 20. Give it a try
> with the new password, would you?
>
> And I have your Cryptocard request in the queue and I'll be working
> on the backlog today.
> Matt

From kreymer@fnal.gov Mon Nov 27 12:13:19 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA15986 for ; Mon, 27 Nov 2000 12:13:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P0075L3NGG5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 12:06:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD2F7@listserv.fnal.gov>; Mon, 27 Nov 2000 12:06:53 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 67368 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 12:06:53 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD2F4@listserv.fnal.gov>; Mon, 27 Nov 2000 12:06:53 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24
#44770) with ESMTP id <0G4P0077B3NCFO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 12:06:52 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 27 Nov 2000 12:06:49 -0600 Content-return: allowed Date: Mon, 27 Nov 2000 12:06:46 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 15334 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7610A397@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 547

This reminder created on 11/27/00 12:03:07 PM
Ticket 15334 has been assigned to you. This is a reminder that the ticket is not yet resolved.
Status : Assigned
First Name : JOE
Last Name (+) : BOYD
Phone : 8275
E-Mail Address : BOYD@FNAL.GOV
Incident Time : 11/21/00 6:00:07 PM
System Name :
Problem Category : Software
Type : Utilities
Item : Kerberos
Urgency : Medium
Short Description : can't install kerberos v0_7 from kits
Problem Description : I'm trying to install kerberos v0_7 from kits into my local products database. Here is the command and error:

d02ka.fnal.gov# upd install kerberos v0_7
informational: gtools v2_2 already exists on local node, skipping.
informational: perl v5_005 already exists on local node, skipping.
informational: krb5conf v0_6a already exists on local node, skipping.
informational: kcommon v1_0 already exists on local node, skipping.
informational: kcroninit v0_6 already exists on local node, skipping.
Timeout at /usr/products/perl/v5_005/IRIX-6/lib/site_perl/5.005/IP22-irix/Net/FTP.pm line 356
tar: tape blocksize error
d02ka.fnal.gov#

I don't know if the problem is with the fnkits.fnal.gov machine or if the problem is with the kerberos v0_7 package. I've tried pulling it down twice from 5-6PM on Nov 21st and it failed the same way both times.
Thanks, joe From kreymer@fnal.gov Mon Nov 27 14:12:22 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16200 for ; Mon, 27 Nov 2000 14:12:22 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00D0A9FZWK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 14:12:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD6A8@listserv.fnal.gov>; Mon, 27 Nov 2000 14:11:59 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 68337 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 14:11:59 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD6A7@listserv.fnal.gov>; Mon, 27 Nov 2000 14:11:59 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G4P007RH9FY1S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 14:11:58 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA19827 for ; Mon, 27 Nov 2000 14:11:58 -0600 Date: Mon, 27 Nov 2000 14:11:58 -0600 From: Glenn Cooper Subject: Kerberos principal without Fermi ID? Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 548 Hi folks, A CDF member asks about getting accounts for people who don't have Fermi IDs. This might include engineers, secretaries, etc., at home institutions. These folks may never come to Fermilab, and certainly won't for some time. 
In the past, I thought the recommended solution was to get an XID, and use that for computer accounts. However, Yolanda tells me that we are not issuing Kerberos principals for XIDs. If that's the case, then what is the recommended solution for users who can't come to Fermilab in person? Thanks, Glenn ---------- Forwarded message ---------- Date: Mon, 27 Nov 2000 15:01:17 -0500 From: Terry Watts To: cdfsys@fnal.gov Cc: watts@physics.rutgers.edu, jacques@physics.rutgers.edu Subject: kerberos principal request Hello, Dr Pieter Jacques is at Rutgers and has an account on the CDF computers, e.g. cdfsga and fcdfsgi2. This access was at my request some time ago. He does not have a Fermi ID and is not a member of CDF, but works on CDF software (e.g. some Data Handling software). Pieter is a staff member at Rutgers. Can he get a kerberos principal? Cheers, Terry Watts From kreymer@fnal.gov Mon Nov 27 14:49:52 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16220 for ; Mon, 27 Nov 2000 14:49:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00D9CB729J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 14:49:51 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD757@listserv.fnal.gov>; Mon, 27 Nov 2000 14:49:50 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 68519 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 14:49:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD755@listserv.fnal.gov>; Mon, 27 Nov 2000 14:49:50 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00DCIB711G@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 14:49:50 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 27 Nov 2000 14:49:50 -0600 Content-return: allowed Date: Mon, 27 Nov 2000 14:49:48 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15338 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76113FAF@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 549 15338 has been updated by trb. Short Description : authentication error with reflection New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Subject: Re: CRAWFORD, MATT, Reminder for 15338 Date: Monday, November 27, 2000 2:08 PM I sent you back a message to the effect that her "pilot.fnal.gov" realm entry needed to be in upper case. Did you pass that along? ---------------< I don't see the info entered in the Diary field. Will pass it along to the user. 
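The realm-case problem behind ticket 15338 (Matt's diagnosis above that the "pilot.fnal.gov" realm entry must be upper case), as an added example that is not part of the original messages: a small Python checker that flags a realm not spelled in upper case and suggests the corrected spelling, and qualifies a bare principal name such as "moore" with the default realm before checking it. The key = value fragment it parses is a constructed, krb5.conf-style format; Reflection Kerberos Manager stores its settings differently, so the parser only illustrates the check.

```python
"""Check a Kerberos client configuration for the realm-case mistake behind
ticket 15338: a realm entered as "pilot.fnal.gov" instead of "PILOT.FNAL.GOV".

Added example, not part of the original messages. The key = value fragment it
parses is a constructed, krb5.conf-style format; Reflection Kerberos Manager
stores its settings differently, so the parser illustrates the check only.
"""
import re
from dataclasses import dataclass

# Kerberos realm names are case-sensitive. By convention a realm is the
# upper-cased DNS domain, and the KDC will not find a principal whose realm
# is spelled in a different case from its own.
REALM_RE = re.compile(r"^[A-Z0-9.\-]+$")
PRINCIPAL_RE = re.compile(
    r"^(?P<name>[^@/]+)(?:/(?P<instance>[^@]+))?@(?P<realm>[^@]+)$")


@dataclass
class Finding:
    severity: str  # "error" or "warning"
    message: str


def check_realm(realm: str) -> list[Finding]:
    """The substance of Matt Crawford's diagnosis: anything that is not all
    upper case is an error, and the corrected spelling is suggested."""
    if not realm:
        return [Finding("error", "realm is empty")]
    if realm != realm.upper():
        return [Finding("error",
                        f'realm "{realm}" is not all upper case; use "{realm.upper()}"')]
    if not REALM_RE.match(realm):
        return [Finding("warning", f'realm "{realm}" contains unusual characters')]
    return []


def check_principal(principal: str) -> list[Finding]:
    """Split name[/instance]@REALM and check each part."""
    m = PRINCIPAL_RE.match(principal)
    if not m:
        return [Finding("error",
                        f'"{principal}" is not of the form name[/instance]@REALM')]
    findings = check_realm(m.group("realm"))
    name = m.group("name")
    if name != name.lower():
        # Principal names are case-sensitive too; site usernames are lower case,
        # so a capitalised name will not match the KDC's entry.
        findings.append(Finding("warning", f'principal name "{name}" is not lower case'))
    return findings


def parse_client_config(text: str) -> dict[str, str]:
    """Parse the constructed key = value format; '#' starts a comment."""
    cfg: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip().lower()] = value.strip()
    return cfg


def audit_config(text: str) -> list[Finding]:
    """Check default_realm, then the principal (qualified with the default realm
    when it is given as a bare name, as 'moore' was in the ticket)."""
    cfg = parse_client_config(text)
    findings = check_realm(cfg.get("default_realm", ""))
    if "principal" in cfg:
        principal = cfg["principal"]
        if "@" not in principal:
            principal = f'{principal}@{cfg.get("default_realm", "")}'
        findings += check_principal(principal)
    return findings


# Constructed samples: the misconfiguration from the ticket and the corrected one.
SAMPLE_BAD = """
default_realm = pilot.fnal.gov   # lower case: KDC reports client principal unknown
principal = moore
"""
SAMPLE_GOOD = """
default_realm = PILOT.FNAL.GOV
principal = moore
"""

if __name__ == "__main__":
    for label, text in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(label, [f"{f.severity}: {f.message}" for f in audit_config(text)])
```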
From kreymer@fnal.gov Mon Nov 27 14:49:53 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16224 for ; Mon, 27 Nov 2000 14:49:53 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00D9CB729J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 14:49:52 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD75A@listserv.fnal.gov>; Mon, 27 Nov 2000 14:49:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 68523 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 14:49:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD758@listserv.fnal.gov>; Mon, 27 Nov 2000 14:49:50 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00E7LB713S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 27 Nov 2000 14:49:50 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 27 Nov 2000 14:49:50 -0600 Content-return: allowed Date: Mon, 27 Nov 2000 14:49:48 -0600 From: ARSystem Subject: Note to requester has been sent - 000000000015338 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76113FB1@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 550 The following note has been sent to the requester: MOORE, CARMENITA Short Description : authentication error with reflection Notes to Requester : Carmenita, per the analyst: "your pilot.fnal.gov" realm entry needs to be in upper case." 
Please give it a try and let us know if we can provide any other assistance.

Thank you,
HelpDesk
Tom Bozonelos

From kreymer@fnal.gov Mon Nov 27 16:09:39 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA16314 for ; Mon, 27 Nov 2000 16:09:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4P00DM3EPMNC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 27 Nov 2000 16:05:46 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD854@listserv.fnal.gov>; Mon, 27 Nov 2000 16:05:46 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 68789 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 27 Nov 2000 16:05:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AD853@listserv.fnal.gov>; Mon, 27 Nov 2000 16:05:46 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G4P00DOGEPLWK@smtp.fnal.gov>; Mon, 27 Nov 2000 16:05:45 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id QAA20054; Mon, 27 Nov 2000 16:05:44 -0600 Date: Mon, 27 Nov 2000 16:05:44 -0600 From: Glenn Cooper Subject: CVS commands fail with Kerberized ssh client Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: cdfsys@fnal.gov, cdf_code_management@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 551

Hi folks,

I have installed the Kerberos-aware ssh v1_2_27 on fcdfsgi2 (but see below for where it is).
The ssh and slogin commands work fine for ordinary uses: my Kerberos ticket is recognized and used on systems running the kerberized sshd (fcdfsgi2, b0rv11), and I can also log in to systems running the non-Kerberized sshd.

However, the kerberized clients don't seem to recognize .shosts or authorized keys--I have had to enter my password each time, even though I don't need a password when using the non-kerberized ssh. The biggest problem this causes is that this prevents access to our CVS repository, which uses ssh to confirm users. Here is the error:

--
setenv PATH /usr/krb5/bin/ssh:$PATH
which ssh
/usr/krb5/bin/ssh/ssh
cvs -n update
cdfcvs@cdfcvs.fnal.gov's password:
Permission denied.
cvs [update aborted]: end of file from server (consult above messages if any)
--

That is, it prompts for a password, even though I'm in the .shosts file for the account that runs the CVS repository on cdfsga; and this disrupts the rest of the CVS command. The same command works fine when I leave the kerberized ssh out of my path, so that I'm using the old un-kerberized ssh.

Because of this, I have moved the ssh files out of the /usr/krb5/bin directory, and down one level to /usr/krb5/bin/ssh/ so that users will not get the kerberized version by default. (That's why I added this to the front of my PATH in the test above.)

Is this a bug, or a feature?

Thanks,
Glenn

P.S. Dave Fagan had already warned me that the kerberized sshd (server) does not work on a machine hosting a CVS repository, because it doesn't keep the REMOTE_USER variable that's used for access control and logging. This is a separate (though probably related) problem from the above, since our CVS repository is on a different node--cdfsga--and I'm only using the kerberized client ssh, not the kerberized sshd.
From kreymer@fnal.gov Mon Nov 27 17:47:56 2000 -0600
Date: Mon, 27 Nov 2000 17:45:29 -0600 (CST)
From: Art Kreymer
Subject: Re: CVS commands fail with Kerberized ssh client
To: gcooper@fnal.gov
Cc: "David J. Fagan", kerberos-pilot@fnal.gov, cdfsys@fnal.gov, cdf_code_management@fnal.gov

Thanks for catching and fixing this, Glenn.

This is one reason we are urging people to start using authorized keys for access to CVS (rather than user@node registered in .shosts), as described in

http://www-cdf.fnal.gov/offline/code_management/Dist/doc/agent.txt

Of course, we should add kerberos principal based access as soon as an appropriate server can be configured.

From kreymer@fnal.gov Mon Nov 27 20:31:39 2000 -0600
Date: Mon, 27 Nov 2000 18:31:08 -0800
From: Benn Tannenbaum
Subject: Re: ssh v1_2_27 released as current
To: Kerberos Pilot List

Is there some way for me to get this to my computer without using ups? I have Kerberized my Sun by getting the source distribution from MIT. I'd like to install ssh now, but I don't have ups/upd installed. I don't want to install ups.

I had a colleague who does have ups installed try to get the package for me, but he got a message saying that the install had failed.

I tried to ftp to the site but didn't have read privs for the tarball.

Help!

on 2/10/00 5:33 PM, Mark O. Kaletka spake thusly:

> -----Original Message-----
> From: owner-csi-group@listserv.fnal.gov
> [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Marc Mengel
> Sent: Tuesday, September 26, 2000 5:07 PM
> To: csi-group@fnal.gov
> Subject: ssh v1_2_27 released as current
>
> Product ssh version v1_2_27 has been released as current for
> flavors IRIX+6, Linux+2, OSF1+V4, and SunOS+5.
>
> This release is built with kerberos 5 ticket forwarding for
> users using systems in the Fermilab Strong Authentication
> project.
>
> It is available for distribution on the upd distribution node,
> fnkits.fnal.gov a.k.a. ftp.fnal.gov.
-Benn

From kreymer@fnal.gov Tue Nov 28 02:01:23 2000 -0600
Date: Tue, 28 Nov 2000 08:01:18 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: Kerberos principal without ID
To: kerberos-pilot@fnal.gov

Hi,

This issue that Glenn brought up is one that definitely needs addressing. Especially since there are policy statements in the new security policy that have implications for remote system managers, most of whom will never come to FNAL.

I think Glenn's point is that Kerberos makes it more likely that this class of people at some stage will need access to the strengthened realm, but should not have to make a physical trip to FNAL to get an account.

Cheers,
Todd

*************************************************
~ Dr. B. Todd Huffman                           ~
~ Particle and Nuclear Physics                  ~
~ University of Oxford                          ~
~ Rm 631                                        ~
~ Keble Rd                                      ~
~ Oxford OX1 3RH UK                             ~
~                                               ~
~ Phone: 44 - 1865 - 273402                     ~
~ LMH:   44 - 1865 - 274307                     ~
~ FAX:   44 - 1865 - 273418                     ~
~ Home:  44 - 1865 - 450240                     ~
~ URL of my home page:                          ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/     ~
*************************************************

From kreymer@fnal.gov Tue Nov 28 02:34:48 2000 -0600
Date: Tue, 28 Nov 2000 08:34:44 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: A question about Farms
To: kerberos-pilot@fnal.gov

Hi,

I'm going to be setting up a farm of Intel based PC's which will run Linux mainly as a MonteCarlo engine for CDF analysis work. This farm will be located in the UK. I'm wondering whether or not it would make sense to try to put this into the strengthened realm.

I'm really confused though as to how Kerberos could possibly work with a farm of PC's, since each PC has its own IP address within the LAN; it seems to me that the whole ticketing system of Kerberos would just not work with a farm.

Is there a work-around?

I'm at the information gathering stage at the moment so any place you could point me to help me understand the problems would be great.

Thanks,
Todd

*************************************************
~ Dr. B. Todd Huffman                           ~
~ Particle and Nuclear Physics                  ~
~ University of Oxford                          ~
~ Rm 631                                        ~
~ Keble Rd                                      ~
~ Oxford OX1 3RH UK                             ~
~                                               ~
~ Phone: 44 - 1865 - 273402                     ~
~ LMH:   44 - 1865 - 274307                     ~
~ FAX:   44 - 1865 - 273418                     ~
~ Home:  44 - 1865 - 450240                     ~
~ URL of my home page:                          ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/     ~
*************************************************

From kreymer@fnal.gov Tue Nov 28 08:12:17 2000 -0600
Date: Tue, 28 Nov 2000 08:08:57 -0600 (CST)
From: Steven Timm
Subject: Re: A question about Farms
To: "Todd Huffman (CDF/ATLAS)"
Cc: kerberos-pilot@fnal.gov

Todd,

We are currently working with the process of putting the PC's of the main CDF reconstruction farm here at Feynman into the strengthened realm. There is no particular reason why the ticketing system of kerberos can't work with a farm. The real challenge is a slightly different one...namely how long can you keep the tickets alive while your jobs are running.

What we are doing here is the following (and most of the work has actually been done by the FCS group, Igor Mandrichenko in particular): Instead of having each job on the farm run with the ticket-granting credentials of the user who submitted it, we are using a special-purpose principal. This is similar to the principal which is used in kcron. We request one of these special principals for each user. It comes with a one-time password which is used to create a keytab file. Then at any point during the job it is possible for the job to kinit using that keytab file and obtain a credential which is limited only to certain machines and functions--in this case to rcp only into one certain directory on one machine.

As implemented in FBSNG v1_2, the launcher process, which runs as root, authenticates the job with those credentials at the beginning of the job and then it is the user's responsibility to renew the tickets over the lifetime of the job. But if a way could be found (and this is not easy) to give root control at the end of the job to do this kinit, then jobs could theoretically run indefinitely and the credentials would be obtained only when needed.

It is important that these keytab files be only readable by root because they are effectively like a file that contains a password and should be treated as such.

If you are interested, we can give you more details. We have a test implementation of this right now on our prototype farms.
Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 28 Nov 2000, Todd Huffman (CDF/ATLAS) wrote:

> Hi,
>
> I'm going to be setting up a farm of Intel based PC's
> which will run Linux mainly as a MonteCarlo engine for
> CDF analysis work. This farm will be located in the UK.
> I'm wondering whether or not it would make sense to
> try to put this into the strengthened realm.
>
> I'm really confused though as to how Kerberos could
> possibly work with a farm of PC's, since each PC has
> its own IP address within the LAN; it seems to me
> that the whole ticketing system of Kerberos would
> just not work with a farm.
>
> Is there a work-around?
>
> I'm at the information gathering stage at the moment
> so any place you could point me to help me understand
> the problems would be great.
>
> Thanks,
> Todd

From kreymer@fnal.gov Tue Nov 28 09:45:43 2000 -0600
Date: Tue, 28 Nov 2000 09:45:39 -0600
From: Matt Crawford
Subject: Re: A question about Farms
To: "Todd Huffman (CDF/ATLAS)"
Cc: kerberos-pilot@fnal.gov

> I'm really confused though as to how Kerberos could
> possibly work with a farm of PC's, since each PC has
> its own IP address within the LAN; it seems to me
> that the whole ticketing system of Kerberos would
> just not work with a farm.

I don't see where it would break down. Is there to be some sort of connection-interceptor box in the way that takes a packet directed to some generic address and redirects it to a particular farm node? That might screw up mutual authentication between client and server. (Although the client side can choose not to authenticate the server and thereby avoid such a problem.)

Also, you can make the whole farm provide a generic service and share the keytab file among all the nodes, so that in contrast to the service host/specific-nodename.physics.ox.ac.uk@REALM that you would use to log in to specific-nodename, the job-submission client could authenticate to batch-service/monte-carlo-farm@REALM or some such thing.

> I'm at the information gathering stage at the moment
> so any place you could point me to help me understand
> the problems would be great.

The tricky bit is as Steve Timm already described: how to have a long-running job authenticate itself to some outside host so it can deliver results. A simple way is to use its host/specific-nodename principal, but then

+ You'd have to list every farm node in the ACL (.k5login) where the data is to be delivered, and
+ You could not make distinctions among different users or user groups sharing the same farm.

The scheme Steve, Igor and I set up here uses a three-part principal to address those deficiencies in the simple scheme.
They are of the form "username/farmname/farm@REALM" where username designates a group doing a particular task, like "cdfprod0", and farmname specifies a particular farm (e.g., cdf, d0, prototype) and farm is the literal word farm. (OK, four parts including the realm. Sue me.)

Then the .k5login for, say, the unix account cdfprod0 on fcdfsgi2, can simply list cdfprod0/cdf/farm@PILOT.FNAL.GOV to receive data from any node in the cdf farm which has a copy of the keytab for that principal. We rely on the integrity of the batch system not to give access to that keytab to a job submitted by some other user community on the same farm. And as you can see, even if that integrity is breached, the exposure is sharply limited.

From kreymer@fnal.gov Tue Nov 28 10:07:36 2000 -0600
Date: Tue, 28 Nov 2000 10:07:34 -0600
From: "Mark O. Kaletka"
Subject: RE: ssh v1_2_27 released as current
To: Benn Tannenbaum, Kerberos Pilot List
Cc: MARC W MENGEL

There are two problems:

1) Our product distribution relies on ups so it's not necessarily easy to install Fermi products without ups. Marc Mengel recently posted, I believe, instructions on how to temporarily install ups to install Kerberos and ssh, then remove ups. (Of course now I can't find the email, Marc can you repost the instructions?)

2) However, we don't yet have permissions to allow export of ssh, which explains why you couldn't simply ftp the tarball. If you're in the US, however, we can arrange to get you a copy.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Benn Tannenbaum
> Sent: Monday, November 27, 2000 8:31 PM
> To: Kerberos Pilot List
> Subject: Re: ssh v1_2_27 released as current
>
> Is there some way for me to get this to my computer without using ups? I
> have Kerberized my Sun by getting the source distribution from MIT. I'd like
> to install ssh now, but I don't have ups/upd installed. I don't want to
> install ups.
>
> I had a colleague who does have ups installed try to get the package for me,
> but he got a message saying that the install had failed.
>
> I tried to ftp to the site but didn't have read privs for the tarball.
>
> Help!
>
> on 2/10/00 5:33 PM, Mark O. Kaletka spake thusly:
>
> > -----Original Message-----
> > From: owner-csi-group@listserv.fnal.gov
> > [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Marc Mengel
> > Sent: Tuesday, September 26, 2000 5:07 PM
> > To: csi-group@fnal.gov
> > Subject: ssh v1_2_27 released as current
> >
> > Product ssh version v1_2_27 has been released as current for
> > flavors IRIX+6, Linux+2, OSF1+V4, and SunOS+5.
> >
> > This release is built with kerberos 5 ticket forwarding for
> > users using systems in the Fermilab Strong Authentication
> > project.
> >
> > It is available for distribution on the upd distribution node,
> > fnkits.fnal.gov a.k.a. ftp.fnal.gov.
>
> -Benn

From kreymer@fnal.gov Tue Nov 28 10:22:46 2000 -0600
Date: Tue, 28 Nov 2000 10:22:43 -0600
From: "Mark O. Kaletka"
Subject: RE: CVS commands fail with Kerberized ssh client
To: gcooper@fnal.gov, "David J. Fagan"
Cc: kerberos-pilot@fnal.gov, cdfsys@fnal.gov, cdf_code_management@fnal.gov, MARC W MENGEL

No, the fact that the Kerberos-aware client is NOT setuid is deliberate! The claim by the ssh developer is that the Kerberos libraries are not known to be free of buffer overflows, therefore the Kerberos-aware client should not be made setuid, since this could introduce other security problems. So you can have Kerberos or .shosts but not both in the same client.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Glenn Cooper
> Sent: Monday, November 27, 2000 4:28 PM
> To: David J. Fagan
> Cc: kerberos-pilot@fnal.gov; cdfsys@fnal.gov; cdf_code_management@fnal.gov
> Subject: Re: CVS commands fail with Kerberized ssh client
>
> Aaargh, as usual, asking about the problem made me realize
> what the problem was--soon after I sent the question. The
> problem was the old-fashioned one that the ssh1 executable
> needs to be setuid root, and it wasn't. When I changed that,
> a test CVS command worked fine. I guess this step should
> be added to the ups install process?
>
> Dave's notes apply to when we start running a Kerberized
> sshd on the node with the CVS repository (right?) Thanks
> for those, I'll save the comments.
>
> Sorry to waste everyone's time otherwise.
> Glenn
>
> On Mon, 27 Nov 2000, David J. Fagan wrote:
>
> > The sshd for the cvs problem was fixed in the latest release, however
> > cvs uses the cvsuser account (doesn't need a principal) but EVERYONE
> > needs to be in the .k5login (or better yet the .k5user if one can figure
> > out exactly what it's doing)

From kreymer@fnal.gov Tue Nov 28 10:22:46 2000 -0600
Date: Tue, 28 Nov 2000 10:22:44 -0600
From: "Mark O. Kaletka"
Subject: RE: CVS commands fail with Kerberized ssh client
To: Art Kreymer, gcooper@fnal.gov
Cc: "David J. Fagan", kerberos-pilot@fnal.gov, cdfsys@fnal.gov, cdf_code_management@fnal.gov, MARC W MENGEL

Art correctly remembers the early discussions of this issue in the pilot. This is the "endorsed" approach we discussed.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Art Kreymer
> Sent: Monday, November 27, 2000 5:45 PM
> To: gcooper@fnal.gov
> Cc: David J. Fagan; kerberos-pilot@fnal.gov; cdfsys@fnal.gov; cdf_code_management@fnal.gov
> Subject: Re: CVS commands fail with Kerberized ssh client
>
> Thanks for catching and fixing this, Glenn.
>
> This is one reason we are urging people to start using authorized keys
> for access to CVS (rather than user@node registered in .shosts),
> as described in
>
> http://www-cdf.fnal.gov/offline/code_management/Dist/doc/agent.txt
>
> Of course, we should add kerberos principal based access
> as soon as an appropriate server can be configured.

From kreymer@fnal.gov Tue Nov 28 11:39:21 2000 -0600
Date: Tue, 28 Nov 2000 11:39:09 -0600 (CST)
From: "Marc W. Mengel"
Subject: RE: ssh v1_2_27 released as current
To: "Mark O. Kaletka"
Cc: Benn Tannenbaum, Kerberos Pilot List

On Tue, 28 Nov 2000, Mark O. Kaletka wrote:

> 1) Our product distribution relies on ups so it's not necessarily easy to
> install Fermi products without ups. Marc Mengel recently posted, I believe,
> instructions on how to temporarily install ups to install Kerberos and ssh,
> then remove ups. (Of course now I can't find the email, Marc can you repost
> the instructions?)

I put the instructions up at:

http://www.fnal.gov/docs/products/bootstrap/TemporaryInstall.html

Marc

From kreymer@fnal.gov Tue Nov 28 11:50:05 2000 -0600
Date: Tue, 28 Nov 2000 11:49:57 -0600
From: Anne Heavey
Subject: Re: ssh v1_2_27 released as current
To: "Marc W. Mengel"
Cc: "Mark O. Kaletka", Benn Tannenbaum, Kerberos Pilot List, aheavey@fsui02.fnal.gov

I'll put a link to this on both the UPS/UPD page and the Strong Authentication page.

-- Anne

> On Tue, 28 Nov 2000, Mark O. Kaletka wrote:
>
> > 1) Our product distribution relies on ups so it's not necessarily easy to
> > install Fermi products without ups. Marc Mengel recently posted, I believe,
> > instructions on how to temporarily install ups to install Kerberos and ssh,
> > then remove ups. (Of course now I can't find the email, Marc can you repost
> > the instructions?)
>
> I put the instructions up at:
> http://www.fnal.gov/docs/products/bootstrap/TemporaryInstall.html
>
> Marc

--
Anne
Anne Heavey
Fermilab Computing Division
Phone: 630-840-8039
Location: Wilson Hall 8.18 (NE corner)
MS: 120

From kreymer@fnal.gov Tue Nov 28 13:05:24 2000 -0600
Date: Tue, 28 Nov 2000 11:04:51 -0800
From: Benn Tannenbaum
Subject: preferred node for clock syncing?
To: Kerberos Pilot List

Here's a thought... what node should I be using to sync my clock? Clearly a node at FNAL would be best. Is there a clockserver there I can use? I have presently been using cdfsga, but that's not the best solution....
-Benn

From kreymer@fnal.gov Tue Nov 28 13:44:31 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14385 for ; Tue, 28 Nov 2000 13:44:31 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R0025R2U67Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 13:44:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE47E@listserv.fnal.gov>; Tue, 28 Nov 2000 13:44:31 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 72137 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 13:44:31 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE47D@listserv.fnal.gov>; Tue, 28 Nov 2000 13:44:31 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R000CY2U6XW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 13:44:30 -0600 (CST) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14381; Tue, 28 Nov 2000 13:44:19 -0600 Date: Tue, 28 Nov 2000 13:44:19 -0600 (CST) From: Art Kreymer Subject: Re: preferred node for clock syning? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: Kerberos Pilot List Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 564
This was discussed at some length in the linux-users group last July. To vastly oversimplify, I think the conclusion was:

Use broadcast xntp packets if available. They should be available anywhere at Fermilab. It may take a request to DataCommunications to get them enabled in your subnet.
or Use 131.225.8.200 and/or 131.225.17.200 as servers. Do not use the 131.225.8.120 or 131.225.17.150 name servers for xntp. I think that Fermilab is sync'd to within a second of UTC, so you can use any reliable local time source offsite. From kreymer@fnal.gov Tue Nov 28 14:33:40 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA14544 for ; Tue, 28 Nov 2000 14:33:40 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R000O653YXW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 14:33:34 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE55C@listserv.fnal.gov>; Tue, 28 Nov 2000 14:33:34 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 72366 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 14:33:34 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE55B@listserv.fnal.gov>; Tue, 28 Nov 2000 14:33:34 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R0045253XFK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 14:33:33 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16922 for ; Tue, 28 Nov 2000 14:33:33 -0600 Date: Tue, 28 Nov 2000 14:33:33 -0600 (CST) From: Steven Timm Subject: kerberos 0.7 Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 565 Has the block size error in the upd install of kerberos 0_7 been 
fixed as yet? Thanks Steve Timm ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Tue Nov 28 15:01:50 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA14565 for ; Tue, 28 Nov 2000 15:01:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R001PO6DDJ8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 15:00:50 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE5B8@listserv.fnal.gov>; Tue, 28 Nov 2000 15:00:50 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 72466 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 15:00:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE5B7@listserv.fnal.gov>; Tue, 28 Nov 2000 15:00:50 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R0064T6DDB7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 15:00:49 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA22419; Tue, 28 Nov 2000 15:00:36 -0600 (CST) Date: Tue, 28 Nov 2000 15:00:36 -0600 From: Matt Crawford Subject: Re: preferred node for clock syning? In-reply-to: "28 Nov 2000 11:04:51 PST." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: Kerberos Pilot List Message-id: <200011282100.PAA22419@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 566 > Here's a thought... what node should I be using to sync my clock? Clearly a > node at FNAL would be best. Is there a clockserver there I can use? I have > presently been using cdfsga, but that's not the best solution.... On site the routers broadcast NTP which you can pick up easily. But they won't serve an off-site client. I'd say the first place to check is with your ISP, then perhaps for some public server at NIST or elsewhere. The NTP protocol is very robust and it shouldn't matter who you take time from. Otherwise, if cdfsga is working for you now, might as well stick with it. From kreymer@fnal.gov Tue Nov 28 15:35:23 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA14688 for ; Tue, 28 Nov 2000 15:35:23 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R0068M7YY49@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 15:35:23 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE615@listserv.fnal.gov>; Tue, 28 Nov 2000 15:35:23 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 72568 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 15:35:23 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE614@listserv.fnal.gov>; Tue, 28 Nov 2000 15:35:23 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R004M37YY4R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 15:35:22 -0600 (CST) Received: from 
gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA22645; Tue, 28 Nov 2000 15:35:22 -0600 (CST) Date: Tue, 28 Nov 2000 15:35:21 -0600 From: Matt Crawford Subject: Re: kerberos 0.7 In-reply-to: "28 Nov 2000 14:33:33 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200011282135.PAA22645@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 567 > Has the block size error in the upd install of kerberos 0_7 > been fixed as yet? Some say yes, that a mismatch in half-duplex/full-duplex setting for the fnkits network interface was found last night. I haven't seen a clear statement from one of the two people who had the problem, though. From kreymer@fnal.gov Tue Nov 28 16:53:21 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA14786 for ; Tue, 28 Nov 2000 16:53:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R005PHB69MF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 16:44:33 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE760@listserv.fnal.gov>; Tue, 28 Nov 2000 16:44:33 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 72932 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 16:44:33 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE75F@listserv.fnal.gov>; Tue, 28 Nov 2000 16:44:33 -0600 Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R006RZB68B7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 16:44:32 -0600 (CST) Received: from [128.97.22.48] 
(benn.physics.ucla.edu [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id OAA25321 for ; Tue, 28 Nov 2000 14:38:38 -0800 (PST) Date: Tue, 28 Nov 2000 14:44:18 -0800 From: Benn Tannenbaum Subject: kerberos from behind a firewall In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 568 Yesterday I finally Kerberized my Sun workstation. Quite simple, except that I still don't have ssh access. But that's another problem. Today I started to Kerberize some of the other nodes in our Sun cluster. Code installs fine, but when I try to do a kinit, I get the message "kinit(5): Cannot contact any KDC for requested realm while getting credentials." I've checked the clock and that's fine. Here's what I think the problem is: my machine (hepsun18.physics.ucla.edu) is not behind a firewall. This other machine (hepsun14.physics.ucla.edu) is. I have tried doing kinit -V but get /no/ information at all, so I cannot test this theory.... Is this a possible problem? If it is, what sort of packets do I need to tell our system admin to allow? 
-Benn From kreymer@fnal.gov Tue Nov 28 17:20:38 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA14994 for ; Tue, 28 Nov 2000 17:20:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R009C3CUEB6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 17:20:38 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE7D4@listserv.fnal.gov>; Tue, 28 Nov 2000 17:20:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 73063 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 17:20:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE7D3@listserv.fnal.gov>; Tue, 28 Nov 2000 17:20:38 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R008IKCUD74@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 28 Nov 2000 17:20:37 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA23294; Tue, 28 Nov 2000 17:20:36 -0600 (CST) Date: Tue, 28 Nov 2000 17:20:35 -0600 From: Matt Crawford Subject: Re: kerberos from behind a firewall In-reply-to: "28 Nov 2000 14:44:18 PST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: <200011282320.RAA23294@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 569 > but when I try to do a kinit, I get the message "kinit(5): Cannot contact > any KDC for requested realm while getting credentials." I've checked the > clock and that's fine. That wouldn't be a clock problem. 
Any of:

  Wrong realm
  Wrong KDCs listed for the realm
  All KDCs are unreachable due to DNS or network failure

> Here's what I think the problem is: my machine (hepsun18.physics.ucla.edu)
> is not behind a firewall. This other machine (hepsun14.physics.ucla.edu) is.

Firewalls can be considered as a form of network failure, yes.

> I have tried doing kinit -V but get /no/ information at all, so I cannot
> test this theory....

I don't know of a "-V" option to kinit.

> Is this a possible problem? If it is, what sort of packets do I
> need to tell our system admin to allow?

  To get tickets, including the initial TGT            UDP port 88
  To change your password from unix/linux              TCP port 749
  To change your password with WRQ s/w for windows     TCP&UDP port 464
  If you need AFS tokens with your kerberos tickets    UDP ports 749 & 4444

All those ports are ones the KDC(s) at our end are listening on, and if it matters, they are in the network block 131.225.0.0/16.

From kreymer@fnal.gov Tue Nov 28 18:34:21 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA15032 for ; Tue, 28 Nov 2000 18:34:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R00C0BG97UL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 18:34:20 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE881@listserv.fnal.gov>; Tue, 28 Nov 2000 18:34:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 73247 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 18:34:19 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE87F@listserv.fnal.gov>; Tue, 28 Nov 2000 18:34:19 -0600 Received: from astro.phys.unm.edu ([198.59.169.10]) by smtp.fnal.gov (PMDF V6.0-24 
#44770) with ESMTP id <0G4R00BBBG966W@smtp.fnal.gov>; Tue, 28 Nov 2000 18:34:19 -0600 (CST) Received: (from rekovic@localhost) by astro.phys.unm.edu (8.9.1/8.9.1) id RAA29798; Tue, 28 Nov 2000 17:34:17 -0700 (MST) Date: Tue, 28 Nov 2000 17:34:16 -0700 (MST) From: Vladimir Rekovic Subject: kerberose principle(passwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: cdfsys@fnal.gov, kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 570
Hi,

My user name on fcdfsgi2 is rekovic. I am trying to set up a kerberos connection to fcdfsgi2 from my university machine. I have kerberos installed on my university machine, I just need the principal now.

Thanks

Vladimir Rekovic
University of New Mexico

From kreymer@fnal.gov Tue Nov 28 21:35:04 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA15207 for ; Tue, 28 Nov 2000 21:35:04 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4R00DFGOMFKG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 28 Nov 2000 21:35:03 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE991@listserv.fnal.gov>; Tue, 28 Nov 2000 21:35:03 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 73545 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 28 Nov 2000 21:35:03 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AE98F@listserv.fnal.gov>; Tue, 28 Nov 2000 21:35:03 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G4R00CILOMETG@smtp.fnal.gov>; Tue, 28 Nov 2000 21:35:03 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov 
(950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id VAA24096; Tue, 28 Nov 2000 21:34:59 -0600 Date: Tue, 28 Nov 2000 21:34:59 -0600 From: Glenn Cooper Subject: Re: kerberose principle(passwd) In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Vladimir Rekovic Cc: cdfsys@fnal.gov, kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 571 Hi Vladimir, Actually you have a Kerberos principal, created along with your fcdfsgi2 account. The password has expired, though. Please contact Yolanda Valadez at x8118 or compdiv@fnal.gov to get it reset. Cheers, Glenn On Tue, 28 Nov 2000, Vladimir Rekovic wrote: > Hi, > > My user name on fcdfsgi2 is rekovic > I am trying to setup a kerberos connection to fcdfsgi2 from my university > machine. > I have kerberos installed on my university machine, I just need the principle > now. > > Thanks > > Vladimir Rekovic > University of New Mexico From kreymer@fnal.gov Wed Nov 29 10:03:05 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA12724 for ; Wed, 29 Nov 2000 10:03:05 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S003KDN94I6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 29 Nov 2000 10:03:05 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEEB0@listserv.fnal.gov>; Wed, 29 Nov 2000 10:03:04 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 74937 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 29 Nov 2000 10:03:04 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEEAF@listserv.fnal.gov>; Wed, 29 Nov 2000 10:03:04 -0600 Received: from fnal.gov 
([131.225.84.42]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S004F8N94KE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 29 Nov 2000 10:03:04 -0600 (CST) Date: Wed, 29 Nov 2000 10:03:07 -0600 From: "J.Trumbo" Subject: [Fwd: [Fwd: request for some new appversions and a new file storage areaforMcc99_3]] Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A2528BB.1B25FE82@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (WinNT; U) Content-type: multipart/mixed; boundary=------------4FADE062D3AB84F26A2216D8 X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 572 This is a multi-part message in MIME format. --------------4FADE062D3AB84F26A2216D8 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit --------------4FADE062D3AB84F26A2216D8 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Mozilla-Status2: 00000000 Message-ID: <3A251997.845DFF24@fnal.gov> Date: Wed, 29 Nov 2000 08:58:31 -0600 From: "J.Trumbo" X-Mailer: Mozilla 4.7 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: Ruth Pordes Subject: [Fwd: request for some new appversions and a new file storage areaforMcc99_3] Content-Type: multipart/mixed; boundary="------------AC956F2ACD704AC292F67737" This is a multi-part message in MIME format. --------------AC956F2ACD704AC292F67737 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit
Ruth,

Reflection/kerberos support is becoming an issue. Developers need at certain times to log into machines not as themselves (jtrumbo), but as an administrative type user, products or oracle. Currently, a principal is not being given to an admin type user, as the true identity of the logon cannot be determined when logged on. However, we need to log on to kerberized machines as these admin types often. I did some work on this issue this week.
Machine fcdfora1 is where the dbas need to work as user oracle for the CDF offline database. This machine is kerberized. Right now we connect to this machine as oracle by sshing to ncdf58, kinit, and telnet -l to fcdfora1. This is not a good solution as ncdf58 is R.Jetton's linux box and does not have a guaranteed uptime. Thus, if his box is unavailable, we cannot get to fcdfora1 to do oracle work.

The solution Richard would like to see is to have user jtrumbo use her security to get to fcdfora1, but then log into fcdfora1 as oracle, not jtrumbo. He would prefer jtrumbo, as a unix user, not have access to fcdfora1 at all. I could not seem to get this solution to work.

I called M.Crawford for assistance. He told me he did not know about Reflections on Windows, that I should call M.Kaletka, but Mark is not the official support of Reflections for Windows, so he was not sure how much support I would be given. M.Kaletka suggested that jtrumbo does log into fcdfora1, but then ksu to oracle. When I tried this it did not work. I emailed R.Jetton with the error. His response is attached. He does not want people using ksu for some understandable reasons. There is also a problem with 'su'ing to user oracle and getting the correct environment variables.

So, in conclusion,

1. We do not seem to have official Reflection support for Windows.
2. We do not have a solution to using administrative logons on kerberized machines effectively.
3. Today, if R.Jetton's linux box is unavailable, the ods dbas cannot get to the cdf offline database for support.
--------------AC956F2ACD704AC292F67737 Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Return-Path: Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 1165; Thu, 22 Jun 2000 09:49:13 -0500 Received: from heffalump ([131.225.9.20]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Thu, 22 Jun 2000 14:49:11 0000 (GMT) Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWK006EY95ZM0@smtp.fnal.gov>; Thu, 22 Jun 2000 09:49:11 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00026FE4@listserv.fnal.gov>; Thu, 22 Jun 2000 09:49:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 56210 for SAM-DESIGN@LISTSERV.FNAL.GOV; Thu, 22 Jun 2000 09:49:11 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00026FE3@listserv.fnal.gov>; Thu, 22 Jun 2000 09:49:11 -0500 Received: from smtp-out1.bellatlantic.net ([199.45.39.156]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0FWK006F495YM3@smtp.fnal.gov> for sam-design@listserv.fnal.gov (ORCPT sam-design@fnal.gov); Thu, 22 Jun 2000 09:49:10 -0500 (CDT) Received: from it (client-151-200-124-140.bellatlantic.net [151.200.124.140]) by smtp-out1.bellatlantic.net (8.9.1/8.9.1) with SMTP id KAA23164; Thu, 22 Jun 2000 10:48:59 -0400 (EDT) Date: Thu, 22 Jun 2000 10:44:54 -0700 From: Vicky White Subject: Re: request for some new appversions and a new file storage area forMcc99_3 Sender: owner-sam-design@listserv.fnal.gov To: Heidi Schellman , sam-design@fnal.gov, ggraham@fnal.gov, diesburg@fnal.gov Cc: wyatt@fnal.gov Message-id: <002001bfdc71$951d3e00$36d1fea9@it> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V4.72.3155.0 X-Mailer: Microsoft Outlook Express 4.72.3155.0 
Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal Heidi, Do we really need to store this new data tier type rtpl in sam right now? Firstly, as you know, we do not have full support for tracking the parentage of all such files. That design is still being worked on. Secondly, people will presumably use ROOT to look at these root-tuples and there is no documented interface yet between your ROOT processes and sam. We will get people hacking together shell scripts of various sorts to fetch these files from sam, starting projects without stopping them, etc. etc. Does someone have a good, documented, example script for this? Will there be standard projects created, as for the reco files? They don't take up much space on disk and surely are going to be transient and throw-away things are they not? Much as I am in favor of getting people into using sam and forcing access through sam, in this particular case it seems counter-productive until we have more of the cataloging issues and ROOT access issues sorted out. How were you planning on cataloging them in sam? apart from declaring them as type "rtpl" (is roottuple too much of mouthful?) Vicky -----Original Message----- From: Heidi Schellman To: sam-design@fnal.gov ; ggraham@fnal.gov ; diesburg@fnal.gov Date: Thursday, June 22, 2000 5:24 AM Subject: request for some new appversions and a new file storage area forMcc99_3 >I am sending this to sam-design instead of sam-admin as the rtpl and new pnfs >are more than just adding a new version. > >Can we please get the following 3 things in prd: > >a new data tier called rtpl, this is similar to thumbnail but is for the root >ntuple outputs we are producing. 
> >d0reco application versions >t01.01.00 >t01.02.00 >t01.03.00 >t01.04.00 >t01.05.00 >t01.06.00 >t01.07.00 >t01.08.00 >t01.09.00 > >and new pnfs directory which d0farm can write into > >/pnfs/sam-mammoth/mcc99_3/d0farm/reco >/pnfs/sam-mammoth/mcc99_3/d0farm/rtpl > >Thanks, Heidi > > --------------AC956F2ACD704AC292F67737-- --------------4FADE062D3AB84F26A2216D8-- From kreymer@fnal.gov Wed Nov 29 11:01:44 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA12765 for ; Wed, 29 Nov 2000 11:01:43 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S00B0XPYV38@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 29 Nov 2000 11:01:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEF9A@listserv.fnal.gov>; Wed, 29 Nov 2000 11:01:43 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 75201 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 29 Nov 2000 11:01:43 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEF99@listserv.fnal.gov>; Wed, 29 Nov 2000 11:01:43 -0600 Received: from fnal.gov ([131.225.84.42]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S005Q0PYUQ0@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 29 Nov 2000 11:01:42 -0600 (CST) Date: Wed, 29 Nov 2000 11:01:45 -0600 From: "J.Trumbo" Subject: [Fwd: fcdfora1] Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov, Ruth Pordes , j trumbo Message-id: <3A253679.A68791A7@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.7 [en] (WinNT; U) Content-type: multipart/mixed; boundary=------------6E4EA078311708FFE81C089B X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 573 This is a 
multi-part message in MIME format. --------------6E4EA078311708FFE81C089B Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit
I apologize... my mail on the kerberos issues attached an incorrect mail. The following is the mail from R.Jetton explaining why he does not want to use ksu. Please ignore the attachment in the previous mail.

--------------6E4EA078311708FFE81C089B Content-Type: message/rfc822 Content-Transfer-Encoding: 7bit Content-Disposition: inline Return-Path: Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 486 for ; Tue, 28 Nov 2000 09:58:03 -0600 Received: from heffalump ([131.225.9.20]) by 131.225.9.17 (Norton AntiVirus for Internet Email Gateways 1.0) ; Tue, 28 Nov 2000 15:58:02 0000 (GMT) Received: from ncdf58.fnal.gov ([131.225.235.27]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4Q00BORSCQKI@smtp.fnal.gov> for jtrumbo@imapserver3.fnal.gov (ORCPT jtrumbo@fnal.gov); Tue, 28 Nov 2000 09:58:03 -0600 (CST) Received: from ncdf58.fnal.gov (rjetton@localhost) by ncdf58.fnal.gov (8.11.0/8.11.0) with ESMTP id eASFw2L12456 for ; Tue, 28 Nov 2000 09:58:02 -0600 Date: Tue, 28 Nov 2000 09:58:02 -0600 From: Richard Jetton Subject: Re: fcdfora1 In-reply-to: "Your message of Mon, 27 Nov 2000 15:58:14 CST." <3A22D8F6.AB9253F4@fnal.gov> To: "J.Trumbo" Message-id: <200011281558.eASFw2L12456@ncdf58.fnal.gov>
The path to all Kerberos client applications, including ksu, is /usr/krb5/bin.

Here are a couple of reasons why I don't use ksu (or su).

1. You do not get a login shell with ksu. Therefore, your environment is the same after the ksu as it was just before the ksu. Even if you then sourced the new ID's .profile (or .login for csh), you will most likely have a mixture of the two environments. For instance, any environment variable that set itself with semantics like "VAR=new_stuff:$VAR" will likely not be set cleanly.

2.
Take a look at this login session for user rjetton, starting with a telnet to fcdfora1 (as rjetton).

ncdf58:~$ telnet fcdfora1
Trying 131.225.240.14...
Connected to fcdfora1.fnal.gov (131.225.240.14).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``rjetton@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Last login: Tue Nov 28 09:38:42 from ncdf58
fcdfora1:~$ who am i
rjetton pts/4 Nov 28 09:39 (ncdf58)
fcdfora1:~$ /usr/krb5/bin/ksu
Authenticated rjetton@PILOT.FNAL.GOV
Account root: authorization for rjetton@PILOT.FNAL.GOV successful
Changing uid to root (0)
\h:\w\$ who am i
rjetton pts/4 Nov 28 09:39 (ncdf58)

This is the stuff that really bothers me. The real and effective user IDs don't match. This is also true for both regular "su" and "su -" so it may not be an issue to you.

Things are important to me when I am working as root. I don't know whether they are an issue for you when working as oracle, but I did want to be sure to mention them.

Also, did you notice the setup instruction for Reflections on the CD Security web site?

http://www.fnal.gov/docs/strongauth/html_nov00/winadmin.html

In section 5.6.1, it mentions turning on encryption for the telnet data stream and the reasons for doing so from a client that cannot forward tickets (such as Reflections).
-- Richard --------------6E4EA078311708FFE81C089B-- From kreymer@fnal.gov Wed Nov 29 11:18:14 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA12774 for ; Wed, 29 Nov 2000 11:18:14 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S007GPQNLM7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 29 Nov 2000 11:16:33 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEFEF@listserv.fnal.gov>; Wed, 29 Nov 2000 11:16:33 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 75298 for UPS@LISTSERV.FNAL.GOV; Wed, 29 Nov 2000 11:16:33 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AEFEE@listserv.fnal.gov>; Wed, 29 Nov 2000 11:16:33 -0600 Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S00B1UQNKOB@smtp.fnal.gov> for ups@listserv.fnal.gov (ORCPT ups@fnal.gov); Wed, 29 Nov 2000 11:16:33 -0600 (CST) Received: from hepsun18.ucla.edu (hepsun18 [128.97.23.89]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id JAA11655; Wed, 29 Nov 2000 09:10:38 -0800 (PST) Received: from localhost by hepsun18.ucla.edu (8.9.1b+Sun/SMI-SVR4) id JAA22221; Wed, 29 Nov 2000 09:16:37 -0800 (PST) Date: Wed, 29 Nov 2000 09:16:37 -0800 (PST) From: Benn Tannenbaum Subject: Re: problems installing temporary ups In-reply-to: Sender: owner-ups@listserv.fnal.gov X-Sender: benn@hepsun18 To: "Marc W. Mengel" Cc: ups@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 574 Hi Marc, I was able to get the files I needed (Kerberized ssh) directly and don't need ups now. Thanks! -Benn On Wed, 29 Nov 2000, Marc W. 
Mengel wrote: > > It looks like you were having the problem of not having a gunzip > binary that works on your machine... I'm working on fixing that > in the v2_1 bootstrap code; in the interim if you still want to try it > you could grab > ftp://ftp.fnal.gov/products/bootstrap/tarfiles/gunzip.SunOS+5 > rename it gunzip, make it executable, put it in your PATH, and > get going. > > On Tue, 28 Nov 2000, Benn Tannenbaum wrote: > > > I am trying to do a temporary install of ups so I can install kerberized > > ssh on my local machine (I work on CDF). I'm following the directions on > > www.fnal.gov/docs/products/bootstrap/TemporaryInstall.html > > and get a message like this: > > > > 252 /space/benn/kerberos % sh stage1.sh test > > 100% complete > > Bootstrap failed. please mail /space/benn/temp/bootups.log to > > ups@fnal.gov > > > > > > So... here you go.... > From kreymer@fnal.gov Wed Nov 29 11:24:38 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA12780 for ; Wed, 29 Nov 2000 11:24:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S00ABCQWYC8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 29 Nov 2000 11:22:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AF001@listserv.fnal.gov>; Wed, 29 Nov 2000 11:22:10 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 75316 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 29 Nov 2000 11:22:10 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AF000@listserv.fnal.gov>; Wed, 29 Nov 2000 11:22:10 -0600 Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4S00B2QQWXOB@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 29 Nov 2000 11:22:10 -0600 (CST)
Received: from localhost (fagan@localhost) by large.fnal.gov (980427.SGI.8.8.8/980728.SGI.AUTOCF) via SMTP id LAA20945; Wed, 29 Nov 2000 11:22:10 -0600 (CST)
Date: Wed, 29 Nov 2000 11:22:10 -0600 (CST)
From: "David J. Fagan"
Subject: Re: [Fwd: fcdfora1]
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "J.Trumbo"
Cc: kerberos-pilot@fnal.gov, Ruth Pordes
Message-id: <200011291722.LAA20945@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=iso-8859-1
Precedence: normal
In-hurl-to: (Your message of Wed, 29 Nov 2000 11:01:45 CST.) <3A253679.A68791A7@fnal.gov>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id LAA12780
Status: RO
X-Status:
X-Keywords:
X-UID: 575

Key item....

> Here are a couple of reasons why I don't use ksu (or su).

I didn't read anywhere that you couldn't use it or that he would or COULD stop you even if he wanted to. I disagree with not giving group accounts principals in the first place but that's entirely a different argument.

Additionally I'm not sure not using ksu is an option unless you plan to always work on a console terminal. telnet knows root is special but you would never use it; does kerberos ssh also know root is special?

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Wednesday, "J.Trumbo":
> This is a multi-part message in MIME format.
> --------------6E4EA078311708FFE81C089B
> Content-Type: text/plain; charset=us-ascii
> Content-Transfer-Encoding: 7bit
>
> I apologize...my mail on the kerberos issues attached an incorrect
> mail. The following is the mail from R.Jetton explaining why he does
> not want to use ksu. Please ignore attachment in previous mail.
>
> --------------6E4EA078311708FFE81C089B
> Content-Type: message/rfc822
> Content-Transfer-Encoding: 7bit
> Content-Disposition: inline
>
> Return-Path:
> Received: from SMTP ([131.225.9.17]) by imapserver3.fnal.gov
> (Netscape Messaging Server 3.62) with SMTP id 486
> for ;
> Tue, 28 Nov 2000 09:58:03 -0600
> Received: from heffalump ([131.225.9.20]) by 131.225.9.17
> (Norton AntiVirus for Internet Email Gateways 1.0) ;
> Tue, 28 Nov 2000 15:58:02 0000 (GMT)
> Received: from ncdf58.fnal.gov ([131.225.235.27])
> by smtp.fnal.gov (PMDF V6.0-24 #44770)
> with ESMTP id <0G4Q00BORSCQKI@smtp.fnal.gov> for jtrumbo@imapserver3.fnal.gov
> (ORCPT jtrumbo@fnal.gov); Tue, 28 Nov 2000 09:58:03 -0600 (CST)
> Received: from ncdf58.fnal.gov (rjetton@localhost)
> by ncdf58.fnal.gov (8.11.0/8.11.0) with ESMTP id eASFw2L12456 for
> ; Tue, 28 Nov 2000 09:58:02 -0600
> Date: Tue, 28 Nov 2000 09:58:02 -0600
> From: Richard Jetton
> Subject: Re: fcdfora1
> In-reply-to: "Your message of Mon, 27 Nov 2000 15:58:14 CST."
> <3A22D8F6.AB9253F4@fnal.gov>
> To: "J.Trumbo"
> Message-id: <200011281558.eASFw2L12456@ncdf58.fnal.gov>
>
> The path to all Kerberos client applications, including ksu, is
> /usr/krb5/bin.
>
> Here are a couple of reasons why I don't use ksu (or su).
>
> 1. You do not get a login shell with ksu. Therefore, your environment
> is the same after the ksu as it was just before the ksu. Even if you
> then sourced the new ID's .profile (or .login for csh), you will most
> likely have a mixture of the two environments. For instance, any
> environment variable that set itself with semantics like
> "VAR=new_stuff:$VAR" will likely not be set cleanly.
>
> 2. Take a look at this login session for user rjetton, starting with
> a telnet to fcdfora1 (as rjetton).
>
> ncdf58:~$ telnet fcdfora1
> Trying 131.225.240.14...
> Connected to fcdfora1.fnal.gov (131.225.240.14).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``rjetton@PILOT.FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> Last login: Tue Nov 28 09:38:42 from ncdf58
> fcdfora1:~$ who am i
> rjetton pts/4 Nov 28 09:39 (ncdf58)
> fcdfora1:~$ /usr/krb5/bin/ksu
> Authenticated rjetton@PILOT.FNAL.GOV
> Account root: authorization for rjetton@PILOT.FNAL.GOV successful
> Changing uid to root (0)
> \h:\w\$ who am i
> rjetton pts/4 Nov 28 09:39 (ncdf58)
>
> This is the stuff that really bothers me. The real and effective user
> IDs don't match. This is also true for both regular "su" and "su -"
> so it may not be an issue to you.
>
> Things are important to me when I am working as root. I don't know
> whether they are an issue for you when working as oracle, but I did
> want to be sure to mention them.
>
> Also, did you notice the setup instruction for Reflections on the CD
> Security web site?
>
> http://www.fnal.gov/docs/strongauth/html_nov00/winadmin.html
>
> In section 5.6.1, it mentions turning on encryption for the telnet
> data stream and the reasons for doing so from a client that cannot
> forward tickets (such as Reflections).
> > > -- > Richard > > > > --------------6E4EA078311708FFE81C089B-- From kreymer@fnal.gov Wed Nov 29 16:42:40 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA13235 for ; Wed, 29 Nov 2000 16:42:40 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4T00JTC5R4LB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 29 Nov 2000 16:42:40 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AF395@listserv.fnal.gov>; Wed, 29 Nov 2000 16:42:40 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 76295 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 29 Nov 2000 16:42:40 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000AF394@listserv.fnal.gov>; Wed, 29 Nov 2000 16:42:40 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4T00L8Y5R3WO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 29 Nov 2000 16:42:39 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA29473; Wed, 29 Nov 2000 16:42:39 -0600 (CST) Date: Wed, 29 Nov 2000 16:42:38 -0600 From: Matt Crawford Subject: Re: [Fwd: fcdfora1] In-reply-to: "29 Nov 2000 11:01:45 CST." 
<3A253679.A68791A7@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "J.Trumbo"
Cc: kerberos-pilot@fnal.gov, Ruth Pordes , rjetton@fnal.gov
Message-id: <200011292242.QAA29473@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 576

> fcdfora1:~$ who am i
> rjetton pts/4 Nov 28 09:39 (ncdf58)
> fcdfora1:~$ /usr/krb5/bin/ksu
> Authenticated rjetton@PILOT.FNAL.GOV
> Account root: authorization for rjetton@PILOT.FNAL.GOV successful
> Changing uid to root (0)
> \h:\w\$ who am i
> rjetton pts/4 Nov 28 09:39 (ncdf58)
>
> This is the stuff that really bothers me. The real and effective user
> IDs don't match. This is also true for both regular "su" and "su -"
> so it may not be an issue to you.

Whoa! "who am i" has nothing to do with real and effective userid. It shows the utmp record for the user logged in on the current terminal device. And none of the su family changes that.

Here's how to see the real and effective user and group ids:

gungnir 455% ps -o user,ruser,group,rgroup,uid,ruid,gid,rgid,pid,comm -p $$
    USER    RUSER    GROUP   RGROUP   UID  RUID   GID  RGID   PID COMMAND
 crawdad  crawdad      dcg      dcg  2303  2303  1750  1750  1536 csh
gungnir 456% ksu
Authenticated crawdad@PILOT.FNAL.GOV
Account root: authorization for crawdad@PILOT.FNAL.GOV successful
Changing uid to root (0)
gungnir# ps -o user,ruser,group,rgroup,uid,ruid,gid,rgid,pid,comm -p $$
    USER    RUSER    GROUP   RGROUP   UID  RUID   GID  RGID   PID COMMAND
    root     root    other    other     0     0     1     1 28989 /usr/bin/csh

Glenn was just in here telling me about some "cmd adduser" function that didn't work after a "ksu compdiv". I don't know if it does work after "su - compdiv" but if it does, there's some key environment variable that ksu isn't setting.

There seems to already exist a beta version of reflection s/w that does forward tickets and that does allow you to specify a target user for telnet that differs from your principal name, so that will eliminate a lot of the need for ksu.
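The distinction Crawford draws in the message above, as an added example that is not part of the thread: "who am i" reports the utmp login record for the terminal, while the real and effective uid/gid are kernel attributes of the process, and su/ksu change both real and effective ids to the target (which is what his ps output shows), whereas a setuid binary raises only the effective one. The script assumes POSIX id(1) and who(1); ps(1) column names vary between systems, so id(1) is used for the live values. The numeric ids fed to classify_ids in the usage note are taken from Crawford's ps listing and are illustrative only.

```shell
#!/bin/sh
# Added example, not from the list thread. "who am i" reads utmp and
# describes the terminal login; id(1) reads the process credentials.
# su and ksu change the latter (real and effective), never the former.

# The login record for this terminal, as "who am i" reports it.
utmp_login() {
    rec=$(who am i 2>/dev/null | awk 'NR == 1 { print $1 }')
    if [ -n "$rec" ]; then printf '%s\n' "$rec"; else echo '(no utmp entry)'; fi
}

# Interpret a (real uid, effective uid) pair. su/ksu leave ruid == euid
# at the target; a setuid binary raises only euid, so ruid still names
# the caller and the process can drop back to it.
classify_ids() {
    ruid=$1; euid=$2
    if [ "$ruid" -eq "$euid" ]; then
        if [ "$ruid" -eq 0 ]; then
            echo "ruid=euid=0: full switch to root (su/ksu style)"
        else
            echo "ruid=euid=$ruid: no identity change"
        fi
    elif [ "$euid" -eq 0 ]; then
        echo "euid=0 but ruid=$ruid: setuid-root program, caller still $ruid"
    else
        echo "euid=$euid, ruid=$ruid: setuid program, caller still $ruid"
    fi
}

# True when this process carries exactly the identity it was started with.
ids_unchanged() {
    [ "$(id -ru)" -eq "$(id -u)" ] && [ "$(id -rg)" -eq "$(id -g)" ]
}

# Side-by-side report for the current shell: utmp record on one line,
# process credentials on the next two, then the interpretation.
show_ids() {
    printf 'utmp login   : %s\n' "$(utmp_login)"
    printf 'real uid/gid : %s/%s (%s)\n' "$(id -ru)" "$(id -rg)" "$(id -run)"
    printf 'eff. uid/gid : %s/%s (%s)\n' "$(id -u)" "$(id -g)" "$(id -un)"
    printf 'verdict      : %s\n' "$(classify_ids "$(id -ru)" "$(id -u)")"
}

show_ids
```

Run it once before and once after a ksu or su in the same terminal: the utmp line stays the same, the id lines change. Feeding Crawford's numbers by hand, classify_ids 2303 2303 reports no identity change and classify_ids 0 0 reports the full switch; classify_ids 2303 0 is the case neither ksu nor su produces but a setuid-root program does.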
From kreymer@fnal.gov Fri Dec 1 08:27:55 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA05868 for ; Fri, 1 Dec 2000 08:27:55 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W0047Q86H0Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 01 Dec 2000 08:27:54 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B0595@listserv.fnal.gov>; Fri, 01 Dec 2000 08:27:53 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 81270 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 01 Dec 2000 08:27:53 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B0593@listserv.fnal.gov>; Fri, 01 Dec 2000 08:27:53 -0600
Received: from hrothgar.private.network ([64.193.131.117]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W0047E86G1K@smtp.fnal.gov>; Fri, 01 Dec 2000 08:27:52 -0600 (CST)
Date: Fri, 01 Dec 2000 08:27:51 -0600 (CST)
From: "Dane D. Skow"
Subject: English lessons: Kerberos username proposal take 2 (fwd)
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender: dane@hrothgar.private.network
To: cd-dh-ah-gl@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 577

Below is the proposed recommendation on how to choose a Kerberos principal. It is intended to give immediate guidance to Yolanda as people try to reconcile their various identities at FNAL. It is VERY desirable that people have ONE (1) identity in the strong realm. However, this will certainly have educational requirements and perhaps technical difficulties as well.

Judy, et al, could you please edit this as necessary to make it understandable English?
Everyone else, could you comment on the text and suggest improvements? I think kerberos-pilot is the right discussion list for this.

Thanks,

dane

********************

Fermilab is currently deploying a Kerberos Strong Authentication system in support of the Run II computing systems. This is expected to expand to include many other systems across the site and be a unique, sitewide identification method for individuals using Fermilab computing resources. Toward that end, one needs to choose a unique username. There are significant conveniences if that username is the same as one's login name.

The recommendation on choosing a Kerberos principal (username) is as follows:

0) New usernames should be chosen to be 8 or fewer characters.

1) If your email address (username@fnal.gov) is 8 or fewer characters, and you use this as your system login name (Unix and/or NT), then you should use this as your Kerberos principal.

1.5) If your primary system login name (Unix or NT) is 8 or fewer characters and that name is not used by someone else as their FNAL email address (username@fnal.gov), then you should use that name as your Kerberos principal and the username will be reserved for you as an email name whether you use it or not.

2) If your email address is longer than 8 characters, you should use your Unix or NT username. If either of those is used by another person as their email address on the email gateway, you may not use that username as your Kerberos principal and will have to relinquish that username as the Unix and NT systems are Kerberized.

That is: If John Doe is "jack@fnal.gov" and "johndoe" on d0mino and NT and, John Dinklemeister is "dinklemeister@fnal.gov" and on NT and "jack" on cdfsgi2, then; John Doe may use "jack" or "johndoe" as his Kerberos principal (provided there is no other johndoe@fnal.gov).
John Dinklemeister may not use "jack" as his Kerberos principal and will have to stop using "jack" on cdfsgi2 when that machine joins the Strong Authentication realm. If John rarely uses Unix, then using "dinklemeister" as the Kerberos principal and the CryptoCard for Unix would be a reasonable choice.

3) If none of the above are workable solutions, then you should either a) get a completely new, common username for all systems or b) go ahead and use the longer than 8 character username. The difficulties are:

a) means you will have to move or rename your current accounts and files.
b) means you will very likely have difficulty (often of a difficult to diagnose type) using Unix resources. For example, Solaris does not accept user names longer than 8 characters for login, currently.

***

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Fri Dec 1 09:41:28 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA10490 for ; Fri, 1 Dec 2000 09:41:28 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W004N1BKS1G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 01 Dec 2000 09:41:17 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B0669@listserv.fnal.gov>; Fri, 01 Dec 2000 09:41:16 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 81509 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 01 Dec 2000 09:41:16 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B0667@listserv.fnal.gov>; Fri, 01 Dec 2000 09:41:16 -0600
Received: from pcl4.hep.anl.gov ([146.139.180.71]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W004QZBKR1B@smtp.fnal.gov>; Fri, 01 Dec 2000 09:41:16 -0600 (CST)
Received: from localhost (rgwcdf@localhost) by pcl4.hep.anl.gov (8.9.3/8.9.3) with ESMTP id JAA06912; Fri, 01 Dec 2000 09:42:04 -0600
Date: Fri, 01 Dec 2000 09:42:04 -0600 (CST)
From: "Robert G. Wagner (ANL) 630-252-6321"
Subject: Re: English lessons: Kerberos username proposal take 2 (fwd)
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Dane D. Skow"
Cc: cd-dh-ah-gl@fnal.gov, kerberos-pilot@fnal.gov
Reply-to: rgwcdf@anl.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 578

Hello Everyone,

It would seem to me that changing a username on UNIX or NT is a much more involved process than having someone change the name on an e-mail address. People doing analysis typically have not only accounts on several machines but file directories spread throughout disks served by each machine. I've never had to do such a change, but is it difficult to change directory names and file ownerships throughout system(s) to reflect the new username? I would think changing an e-mail name would simply require changing the username for the fnal.gov node where we login to handle e-mail name, mailing lists, etc. This seems much simpler. I'm posing this as a question since I don't really know which involves more work and/or pain. The answer to this question would also answer:

Should we require that a person with an e-mail name the same as that of another user's UNIX or NT username, change the e-mail name rather than the other way around?

Regards,

Bob Wagner (ANL)

On Fri, 1 Dec 2000, Dane D. Skow wrote:

> Below is the proposed recommendation on how to choose a Kerberos
> principal. It is intended to give immediate guidance to Yolanda
> as people try to reconcile their various identities at FNAL. It is
> VERY desirable that people have ONE (1) identity in the strong
> realm. However, this will certainly have educational requirements
> and perhaps technical difficulties as well.
>
> Judy, et al, could you please edit this as necessary to make it
> understandable English? Everyone else, could you comment on
> the text and suggest improvements? I think kerberos-pilot is
> the right discussion list for this.
>
> Thanks,
>
> dane
>
>
> ********************
>
> Fermilab is currently deploying a Kerberos Strong Authentication system in
> support of the Run II computing systems. This is expected to expand to
> include many other systems across the site and be a unique, sitewide
> identification method for individuals using Fermilab computing resources.
> Toward that end, one needs to choose a unique username. There are
> significant conveniences if that username is the same as one's login name.
>
> The recommendation on choosing a Kerberos principal (username) is as
> follows:
>
> 0) New usernames should be chosen to be 8 or fewer characters.
>
> 1) If your email address (username@fnal.gov) is 8 or fewer characters,
> and you use this as your system login
> name (Unix and/or NT), then you should use this as your Kerberos
> principal.
>
> 1.5) If your primary system login name (Unix or NT) is 8 or fewer
> characters and that name is not used by someone else as their FNAL
> email address (username@fnal.gov), then you should use that name as your
> Kerberos principal and the username will be reserved for you as an
> email name whether you use it or not.
>
> 2) If your email address is longer than 8 characters, you should
> use your Unix or NT username. If either of those is used by another
> person as their email address on the email gateway, you may not
> use that username as your Kerberos principal and will have to relinquish
> that username as the Unix and NT systems are Kerberized.
>
> That is: If John Doe is "jack@fnal.gov" and "johndoe" on d0mino and NT
> and,
> John Dinklemeister is "dinklemeister@fnal.gov" and on NT and
> "jack" on cdfsgi2, then;
> John Doe may use "jack" or "johndoe" as his Kerberos principal
> (provided there is no other johndoe@fnal.gov).
> John Dinklemeister may not use "jack" as his Kerberos principal
> and will have to stop using "jack" on cdfsgi2 when that
> machine joins the Strong Authentication realm. If John
> rarely uses Unix, then using "dinklemeister" as the
> Kerberos principal and the CryptoCard for Unix would be a
> reasonable choice.
>
> 3) If none of the above are workable solutions, then you should either
> a) get a completely new, common username for all systems or b) go ahead and
> use the longer than 8 character username. The difficulties are:
>
> a) means you will have to move or rename your current accounts
> and files.
> b) means you will very likely have difficulty (often of a
> difficult to diagnose type) using Unix resources. For example, Solaris
> does not accept user names longer than 8 characters for login, currently.
> > *** > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > From kreymer@fnal.gov Fri Dec 1 10:58:02 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA11074 for ; Fri, 1 Dec 2000 10:58:02 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W009AVF4PU0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 01 Dec 2000 10:58:02 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B076F@listserv.fnal.gov>; Fri, 01 Dec 2000 10:58:01 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 81781 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 01 Dec 2000 10:58:01 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B076D@listserv.fnal.gov>; Fri, 01 Dec 2000 10:58:01 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W008E1F4OZR@smtp.fnal.gov>; Fri, 01 Dec 2000 10:58:00 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA23855; Fri, 01 Dec 2000 10:58:00 -0600 Date: Fri, 01 Dec 2000 10:58:00 -0600 (CST) From: Steven Timm Subject: interactive use of special principals Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: farm-admin@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 579 In the kerberos implementation we are developing for the CDF/D0 farms, we have the following situation currently: 1) Each user of the farm has a special principal--for instance on the farms mine is timm/prototype/farm@PILOT.FNAL.GOV 2) This 
principal is used to create a keytab file in /var/adm/krb5 3) At the beginning of any job starting in FBSNG v1_2, the launcher process, running as root on the worker node, does kinit -k -t /var/adm/krb5/timm.keytab -p \ timm/prototype/farm@PILOT.FNAL.GOV 4) It is also possible for root interactively to run this kinit command and get the credential in question. 5) My question...is there any way that we could have a root-like process so that the user would be able to test the various features of this special principal interactively? Steve Timm ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Fri Dec 1 12:44:42 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA16771 for ; Fri, 1 Dec 2000 12:44:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W00ARFK2H1R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 01 Dec 2000 12:44:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B088C@listserv.fnal.gov>; Fri, 01 Dec 2000 12:44:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 82081 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 01 Dec 2000 12:44:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B088B@listserv.fnal.gov>; Fri, 01 Dec 2000 12:44:41 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G4W00CJ0K2H0E@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 01 Dec 2000 12:44:41 
-0600 (CST) Date: Fri, 01 Dec 2000 12:44:40 -0600 (CST) From: Dane Skow Subject: Re: English lessons: Kerberos username proposal take 2 (fwd) In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: rgwcdf@anl.gov Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 580 On Fri, 1 Dec 2000, Robert G. Wagner (ANL) 630-252-6321 wrote: > Hello Everyone, > > It would seem to me that changing a username on UNIX or NT is a > much more involved process than having someone change the name on an > e-mail address. People doing analysis typically have not only accounts on > several machines but file directories spread throughout disks served by > each machine. I've never had to do such a change, but is it difficult to > change directory names and file ownerships throughout system(s) to reflect > the new username? I would think changing an e-mail name would simply > require changing the username for the fnal.gov node where we login to > handle e-mail name, mailing lists, etc. This seems much simpler. I'm > posing this as a question since I don't really know which involves more > work and/or pain. The answer to this question would also answer: > > Should we require that a person with an e-mail name the same as > that of another user's UNIX or NT username, change the e-mail > name rather than the other way around? My belief and concern is that if a user has an email name 8 characters or less, then they likely have a login account with the same name. Since there is no master registry for NT usernames for the site, (nor was it strictly enforced in the early days of the Unix uid registry) there is no easy way to find out how many such cases there are. Something has to be the master template from which we start (or we start over with something else and have another first come first served) and the email list is the only thing with sitewide scope. 
The technical act of changing the email name is easy. The bigger problem is that that user has to advertise the new address to everyone (s)he's ever sent mail to. Furthermore the new user is likely to get mail mistakenly sent to the old address for some lengthy time. dane > > Regards, > > Bob Wagner (ANL) > > > > On Fri, 1 Dec 2000, Dane D. Skow wrote: > > > Below is the proposed recommendation on how to choose a Kerberos > > principal. It is intended to give immediate guidance to Yolanda > > as people try to reconcile their various identities at FNAL. It is > > VERY desireable that people have ONE (1) identity in the strong > > realm. However, this will certainly have educational requirements > > and perhaps technical difficulties as well. > > > > Judy, etal, could you please edit this as necessary to make it > > understandable English ? Everyone else, could you comment on > > the text and suggest improvements ? I think kerberos-pilot is > > the right discussion list for this. > > > > Thanks, > > > > dane > > > > > > ******************** > > > > Fermilab is currently deploying a Kerberos Strong Authentication system in > > support of the Run II computing systems. This is expected to expand to > > include many other systems across the site and be a unique, sitewide > > identification method for individuals using Fermilab computing resources. > > Toward that end, one needs to choose a unique username. There are > > significant conveniences if that username is the same as one's login name. > > > > The recommendation on choosing a Kerberos principal (username) is a > > follows: > > > > 0) New usernames should be chosen to be 8 or fewer characters. > > > > 1) If your email address (username@fnal.gov) is 8 or fewer characters, > > and you use this > > as your system login > > name (Unix and/or NT), then you should use this as your Kerberos > > principal. 
> >
> > 1.5) If your primary system login name (Unix or NT) is 8 or fewer
> > characters and that name is not used by someone else as their FNAL
> > email address (username@fnal.gov), then you should use that name as your
> > Kerberos principal and the username will be reserved for you as an
> > email name whether you use it or not.
> >
> > 2) If your email address is longer than 8 characters, you should
> > use your Unix or NT username. If either of those is used by another
> > person as their email address on the email gateway, you may not
> > use that username as your Kerberos principal and will have to relinquish
> > that username as the Unix and NT systems are Kerberized.
> >
> > That is: If John Doe is "jack@fnal.gov" and "johndoe" on d0mino and NT
> > and,
> > John Dinklemeister is "dinklemeister@fnal.gov" and on NT and
> > "jack" on cdfsgi2, then;
> > John Doe may use "jack" or "johndoe" as his Kerberos principal
> > (provided there is no other johndoe@fnal.gov).
> > John Dinklemeister may not use "jack" as his Kerberos principal
> > and will have to stop using "jack" on cdfsgi2 when that
> > machine joins the Strong Authentication realm. If John
> > rarely uses Unix, then using "dinklemeister" as the
> > Kerberos principal and the CryptoCard for Unix would be a
> > reasonable choice.
> >
> > 3) If none of the above are workable solutions, then you should either
> > a) get a completely new, common username for all systems or b) go ahead
> > and use the longer than 8 character username. The difficulties are:
> >
> > a) means you will have to move or rename your current accounts
> > and files.
> > b) means you will very likely have difficulty (often of a
> > difficult to diagnose type) using Unix resources. For example, Solaris
> > does not accept user names longer than 8 characters for login, currently.
> >
> > ***
> >
> > Dane Skow,
> > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510
> >

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Fri Dec 1 14:17:49 2000 -0600
Date: Fri, 01 Dec 2000 14:17:41 -0600 (CST)
From: Art Kreymer
Subject: init_ssh upgraded to provide kerberos
To: cdf_hosts@fnal.gov
Cc: cdfsys@fnal.gov, cdf_comp_upg@fnal.gov, kerberos-pilot@fnal.gov, cdf_code_management@fnal.gov

I have upgraded our init_ssh script to build kerberized ssh
when the necessary files are present in /usr/krb5 or /usr/kerberos.
ftp://cdfkits.fnal.gov/init_ssh

( If you have previously run init_ssh to install non-kerberos ssh,
you can run the new script to upgrade to kerberized ssh. )

CDF has been using init_ssh for non-USA installation of ssh.
( init_ssh avoids export restrictions by copying the source tarfile
from Finland, building ssh locally. )

From kreymer@fnal.gov Fri Dec 1 15:15:44 2000 -0600
Date: Fri, 01 Dec 2000 15:15:41 -0600 (CST)
From: Stephan Lammel
Subject: Re: English lessons: Kerberos username proposal take 2 (fwd)
To: "Dane D. Skow"
Cc: cd-dh-ah-gl@fnal.gov, kerberos-pilot@fnal.gov

Hallo Dane,

maybe we should mention upper/lower case and add a list of valid
characters, [a-z,0-9].
cheers, Stephan

From kreymer@fnal.gov Fri Dec 1 16:23:47 2000 -0600
Date: Fri, 01 Dec 2000 16:23:45 -0600
From: Matt Crawford
Subject: Re: interactive use of special principals
To: Steven Timm
Cc: kerberos-pilot@fnal.gov, farm-admin@fnal.gov

If you have /dev/fd/* support in your OS I can tell you a way to do it.
Otherwise you have to figure out a way to make the right unix id, and
only the right id, have access to the keytab file.
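The principal-selection rules quoted in Dane Skow's message above (rules 0, 1, 1.5, 2 and 3a/3b), together with the [a-z0-9] character-set check Stephan Lammel suggests, as an added example that is not part of the thread. It models the sitewide email list as a dictionary from email name to owner; the Person type, the registry format and the sample people are assumptions made for illustration, with John Doe and John Dinklemeister taken from the proposal's own worked case.

```python
import re
from dataclasses import dataclass
from typing import Optional

MAX_LEN = 8                            # rule 0: 8 or fewer characters
NAME_RE = re.compile(r"^[a-z0-9]+$")   # Stephan's suggested character set


@dataclass(frozen=True)
class Person:
    ident: str                  # who this is, used only for ownership checks
    email: Optional[str]        # local part of username@fnal.gov, or None
    unix: Optional[str] = None  # Unix login name, if any
    nt: Optional[str] = None    # NT login name, if any


def valid_name(name: str) -> bool:
    """Rule 0 plus the suggested lower-case [a-z0-9] character set."""
    return 0 < len(name) <= MAX_LEN and NAME_RE.match(name) is not None


def evaluate(person: Person, email_registry: dict) -> dict:
    """Sort a person's names into usable and unusable Kerberos principals.

    email_registry maps email name -> ident of its owner.  The thread treats
    the sitewide email list as the master template, so it is the only
    ownership check made here.  Rule codes on allowed names: "1" (own short
    email name), "1.5" (short login name nobody else uses as an email name),
    "3b" (longer than 8 characters: usable, but expect Unix login trouble).
    Forbidden names carry the owner whose email name they collide with
    (rule 2); that login must be given up when the system is Kerberized.
    """
    allowed, forbidden, advice = [], [], []
    seen = set()
    for name, kind in ((person.email, "email"), (person.unix, "unix"), (person.nt, "nt")):
        if not name or name in seen:
            continue
        seen.add(name)
        owner = email_registry.get(name)
        if kind != "email" and owner not in (None, person.ident):
            forbidden.append((name, owner))              # rule 2
            continue
        if len(name) > MAX_LEN:
            allowed.append((name, "3b"))                 # rule 3b, with caveat
            continue
        if NAME_RE.match(name) is None:
            advice.append("%s: use only lower-case [a-z0-9]" % name)
            continue
        if name == person.email:
            allowed.append((name, "1"))                  # rule 1
        else:
            allowed.append((name, "1.5"))                # rule 1.5
            advice.append("%s will be reserved for you as an email name" % name)
    if not any(rule in ("1", "1.5") for _, rule in allowed):
        advice.append("rule 3: pick a new common username of %d or fewer "
                      "characters (3a) or accept a long one (3b)" % MAX_LEN)
    return {"allowed": allowed, "forbidden": forbidden, "advice": advice}


# Constructed registry: the two people from the proposal's worked example.
EXAMPLE_REGISTRY = {"jack": "John Doe", "dinklemeister": "John Dinklemeister"}
JOHN_DOE = Person("John Doe", "jack", unix="johndoe", nt="johndoe")
DINKLEMEISTER = Person("John Dinklemeister", "dinklemeister", unix="jack", nt="dinklemeister")

if __name__ == "__main__":
    for who in (JOHN_DOE, DINKLEMEISTER):
        print(who.ident, evaluate(who, EXAMPLE_REGISTRY))
```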
From kreymer@fnal.gov Sat Dec 2 09:21:11 2000 -0600
Date: Sat, 02 Dec 2000 09:21:08 -0600 (CST)
From: Art Kreymer
Subject: Re: Solaris 8 Certification, ssh on bldsunos28
To: kaletka@fnal.gov, fue-wg@fnal.gov, kerberos-pilot@fnal.gov

Logins from kerberized ssh clients
to unkerberized ssh servers can fail:

> NT2> ssh bldsunos28.fnal.gov
> kreymer@PILOT.FNAL.GOV@bldsunos28.fnal.gov's password:
> Permission denied.
This can be worked around by explicitly giving the username

    ssh -l kreymer bldsunos28.fnal.gov

This is likely to come up frequently,
as we are pushing hard to install kerberized clients on all RunII systems.

From kreymer@fnal.gov Sat Dec 2 10:23:54 2000 -0600
Date: Sat, 02 Dec 2000 10:24:01 -0600
From: "Igor V. Mandrichenko"
Subject: Re: interactive use of special principals
To: kerberos-pilot@fnal.gov, Steven Timm
Cc: Maciej Przybycien, farm-admin@fnal.gov, mirsi@fnal.gov

In fact, such a tool already exists. It is called FBSNG.
On the Prototype farm, try this:

fnpcb> setup fbsng
fnpcb> fbs exec -I -q KrbQ /bin/tcsh -f
Job 4562
[Connected to process #1]
> source /fnal/ups/etc/setups.csh
> setup kerberos
> hostname
fnpc107
> klist
Ticket cache: /tmp/.fbs_k5cc_4562.Exec.1
Default principal: ivm/prototype/farm@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
12/02/00 10:19:37  12/03/00 12:19:37  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 12/06/00 10:19:37
> env | grep FBS
FBS_PROC_POOLS=
FBS_JOB_SIZE=1
FBS_SHM_KEY=/tmp/.fbsng_shmkey_4562.Exec.1
FBS_SECTION_NAME=Exec
FBS_PROC_STDERR=/home/ivm/./FBS_4562.Exec.1.err
FBS_PROC_STDOUT=/home/ivm/./FBS_4562.Exec.1.out
FBS_CONFIG=/home/farms/fbsng_root/cfg/fbs.cfg
FBS_PROC_NO=1
FBS_FARM_CONFIG=/home/farms/fbsng_root/cfg/farm.cfg
FBS_JOB_ID=4562
FBS_SECT_POOLS=
FBS_HOSTS=fnpc107
FBS_SCRATCH=/tmp/fbs_scratch/4562.Exec.1
>

----- Original Message -----
From: "Steven Timm"
Sent: Friday, December 01, 2000 10:58 AM
Subject: interactive use of special principals

> In the kerberos implementation we are developing for the CDF/D0 farms,
> we have the following situation currently:
>
> 1) Each user of the farm has a special principal--for instance
> on the farms mine is timm/prototype/farm@PILOT.FNAL.GOV
>
> 2) This principal is used to create a keytab file in /var/adm/krb5
>
> 3) At the beginning of any job starting in FBSNG v1_2, the
> launcher process, running as root on the worker node,
> does
>
> kinit -k -t /var/adm/krb5/timm.keytab -p \
> timm/prototype/farm@PILOT.FNAL.GOV
>
> 4) It is also possible for root interactively to run this
> kinit command and get the credential in question.
>
> 5) My question...is there any way that we could have a root-like
> process so that the user would be able to test the various
> features of this special principal interactively?
>
> Steve Timm
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Sat Dec 2 12:12:12 2000 -0600
Date: Sat, 02 Dec 2000 12:12:09 -0600
From: Heidi Schellman
Subject: Re: English lessons: Kerberos username proposal take 2 (fwd)
To: "Dane D. Skow"
Cc: cd-dh-ah-gl@fnal.gov, kerberos-pilot@fnal.gov

D0 is recommending that people use their (<9 character) d0mino name as a
principal. Is this consistent?

Thanks,

Heidi

"Dane D. Skow" wrote:
>
> Below is the proposed recommendation on how to choose a Kerberos
> principal. It is intended to give immediate guidance to Yolanda
> as people try to reconcile their various identities at FNAL. It is
> VERY desirable that people have ONE (1) identity in the strong
> realm. However, this will certainly have educational requirements
> and perhaps technical difficulties as well.
>
> Judy, et al., could you please edit this as necessary to make it
> understandable English? Everyone else, could you comment on
> the text and suggest improvements? I think kerberos-pilot is
> the right discussion list for this.
>
> Thanks,
>
> dane
>
> ********************
>
> Fermilab is currently deploying a Kerberos Strong Authentication system in
> support of the Run II computing systems. This is expected to expand to
> include many other systems across the site and be a unique, sitewide
> identification method for individuals using Fermilab computing resources.
> Toward that end, one needs to choose a unique username. There are
> significant conveniences if that username is the same as one's login name.
>
> The recommendation on choosing a Kerberos principal (username) is as
> follows:
>
> 0) New usernames should be chosen to be 8 or fewer characters.
>
> 1) If your email address (username@fnal.gov) is 8 or fewer characters,
> and you use this as your system login name (Unix and/or NT), then you
> should use this as your Kerberos principal.
>
> 1.5) If your primary system login name (Unix or NT) is 8 or fewer
> characters and that name is not used by someone else as their FNAL
> email address (username@fnal.gov), then you should use that name as your
> Kerberos principal and the username will be reserved for you as an
> email name whether you use it or not.
>
> 2) If your email address is longer than 8 characters, you should
> use your Unix or NT username. If either of those is used by another
> person as their email address on the email gateway, you may not
> use that username as your Kerberos principal and will have to relinquish
> that username as the Unix and NT systems are Kerberized.
>
> That is: If John Doe is "jack@fnal.gov" and "johndoe" on d0mino and NT
> and,
> John Dinklemeister is "dinklemeister@fnal.gov" and on NT and
> "jack" on cdfsgi2, then;
> John Doe may use "jack" or "johndoe" as his Kerberos principal
> (provided there is no other johndoe@fnal.gov).
> John Dinklemeister may not use "jack" as his Kerberos principal
> and will have to stop using "jack" on cdfsgi2 when that
> machine joins the Strong Authentication realm. If John
> rarely uses Unix, then using "dinklemeister" as the
> Kerberos principal and the CryptoCard for Unix would be a
> reasonable choice.
>
> 3) If none of the above are workable solutions, then you should either
> a) get a completely new, common username for all systems or b) go ahead
> and use the longer than 8 character username. The difficulties are:
>
> a) means you will have to move or rename your current accounts
> and files.
> b) means you will very likely have difficulty (often of a
> difficult to diagnose type) using Unix resources. For example, Solaris
> does not accept user names longer than 8 characters for login, currently.
>
> ***
>
> Dane Skow,
> Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Dec 4 08:08:45 2000 -0600
Date: Mon, 04 Dec 2000 08:08:22 -0600
From: Matt Crawford
Subject: MIT makes their Kerberos source available to the world
To: kerberos-pilot@fnal.gov
Cc: Denise.Heagerty@cern.ch

We knew that this was in the works, but it was a long time coming.
Since the Fermi Kerberos product is already available to any UPS/UPD
host in the world, this development has little direct impact on us,
but I'm sure some will find it useful.

Matt

------- Forwarded Message

Date: Fri, 01 Dec 2000 00:48:57 -0500
From: Marc Horowitz
Subject: Cryptography Publishing Project makes MIT Kerberos V5 release 1.2.1 available
To: kerberos@mit.edu, cryptography@c2.net

In order to provide people outside the US with access to open source
cryptography, the Cryptography Publishing Project is making MIT Kerberos
V5 release 1.2.1 available without restriction, in compliance with the
changes in US export regulations since January, 2000. The Project was
started to make open source cryptographic software freely available in
situations where it is difficult to obtain the software from its original
authors.

Please visit the web site at if you wish to download Kerberos or if you
have suggestions for other software for us to host.
Marc

From kreymer@fnal.gov Mon Dec 4 12:18:47 2000 -0600
Date: Mon, 04 Dec 2000 12:18:45 -0600
From: "Mark O. Kaletka"
Subject: RE: Solaris 8 Certification, ssh on bldsunos28
To: fue-wg@fnal.gov, kerberos-pilot@fnal.gov

Art --

I'm not making this fail:

    which ssh
    /fnal/ups/prd/ssh/v1_2_27/SunOS-5/bin/ssh

    ssh bldsunos28.fnal.gov
    kaletka@bldsunos28.fnal.gov's password:
    Last login: Mon Dec 4 12:01:57 2000 from fsui02.fnal.gov

Can you send the verbose output? Thanks.
> -----Original Message-----
> From: Art Kreymer [mailto:kreymer@fnal.gov]
> Sent: Saturday, December 02, 2000 9:21 AM
> To: kaletka@fnal.gov; fue-wg@fnal.gov; kerberos-pilot@fnal.gov
> Subject: Re: Solaris 8 Certification, ssh on bldsunos28
>
>
> Logins from kerberized ssh clients
> to unkerberized ssh servers can fail:
>
> > NT2> ssh bldsunos28.fnal.gov
> > kreymer@PILOT.FNAL.GOV@bldsunos28.fnal.gov's password:
> > Permission denied.
>
> This can be worked around by explicitly giving the username
>
> ssh -l kreymer bldsunos28.fnal.gov
>
> This is likely to come up frequently,
> as we are pushing hard to install kerberized clients on all RunII systems.

From kreymer@fnal.gov Mon Dec 4 14:01:46 2000 -0600
Date: Mon, 04 Dec 2000 14:01:44 -0600 (CST)
From: Art Kreymer
Subject: RE: Solaris 8 Certification, ssh on bldsunos28
To: "Mark O. Kaletka"
Cc: fue-wg@fnal.gov, kerberos-pilot@fnal.gov

The ssh username failures only seem to occur on connections from
kerberized ssh client to unkerberized ssh server and using the
kerberized ssh client I've built from the sources, via init_ssh.
It does not happen with the kits version of ssh, kerberized or not.

Since bldsunos28.fnal.gov has unkerberized kerberos all around,
you will not see the problem.

I mention the problem because we are not permitted to export kits ssh
to many of our important non-USA systems, so they must use init_ssh.

Here's an example, going from bldlinux61 to bldsunos28,
using /afs/fnal.gov/files/home/room1/kreymer/ssh1
built by init_ssh from the Finland sources.

$ ~kreymer/ssh1 -l kreymer bldsunos28.fnal.gov pwd
/afs/fnal.gov/files/home/room1/kreymer

$ ~kreymer/ssh1 -v bldsunos28.fnal.gov pwd
SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.
bldlinux61.fnal.gov: Reading configuration data /etc/ssh_config
bldlinux61.fnal.gov: ssh_connect: getuid 1060 geteuid 1060 anon 1
bldlinux61.fnal.gov: Connecting to bldsunos28.fnal.gov [131.225.80.173] port 22.
bldlinux61.fnal.gov: Connection established.
bldlinux61.fnal.gov: Remote protocol version 1.5, remote software version 1.2.26
bldlinux61.fnal.gov: Waiting for server public key.
bldlinux61.fnal.gov: Received server public key (768 bits) and host key (1024 bits).
bldlinux61.fnal.gov: Host 'bldsunos28.fnal.gov' is known and matches the host key.
bldlinux61.fnal.gov: Initializing random; seed file /afs/fnal.gov/files/home/room1/kreymer/.ssh/random_seed
bldlinux61.fnal.gov: Encryption type: idea
bldlinux61.fnal.gov: Sent encrypted session key.
bldlinux61.fnal.gov: Installing crc compensation attack detector.
bldlinux61.fnal.gov: Received encrypted confirmation.
bldlinux61.fnal.gov: Trying Kerberos V5 TGT passing.
bldlinux61.fnal.gov: Kerberos V5 TGT passing failed.
bldlinux61.fnal.gov: Trying Kerberos V5 authentication.
bldlinux61.fnal.gov: Kerberos V5 authentication failed.
bldlinux61.fnal.gov: No agent.
bldlinux61.fnal.gov: Trying RSA authentication with key 'kreymer@pspxt6.fnal.gov'
bldlinux61.fnal.gov: Server refused our key.
bldlinux61.fnal.gov: Doing password authentication.
kreymer@PILOT.FNAL.GOV@bldsunos28.fnal.gov's password:
Permission denied.

From kreymer@fnal.gov Mon Dec 4 17:40:21 2000 -0600
Date: Mon, 04 Dec 2000 17:40:19 -0600 (CST)
From: Art Kreymer
Subject: init-keep-ssh problems
To: kerberos-pilot@fnal.gov

I have recently installed kerberos v0_7 onto Linux systems,
cdfpcb.fnal.gov and c549185-a.wheaton1.il.home.com .
Both can kinit just fine.

But ups install-keep-ssh kerberos seems to have a problem
writing the keytab files:

On cdfpcb:

kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/cdfpcb.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/cdfpcb.fnal.gov to keytab file.

On c549185-a :

kadmin: Client not found in Kerberos database while initializing kadmin interface
ERROR: could not add principal ftp/C549185-A.wheaton1.il.home.com to keytab file.
kadmin: Client not found in Kerberos database while initializing kadmin interface
ERROR: could not add principal host/C549185-A.wheaton1.il.home.com to keytab file.

The password is cut/pasted from today's email; I've also typed it manually.

I've checked the clocks:

On c549185-a :
> date ; rdate fnsrv0.fnal.gov
Mon Dec 4 17:31:19 CST 2000
[fnsrv0.fnal.gov]       Mon Dec 4 17:31:20 2000

On cdfpcb:
>> date ; rdate fnsrv0.fnal.gov
Mon Dec 4 17:34:24 CST 2000
[fnsrv0.fnal.gov]       Mon Dec 4 17:34:25 2000

Any ideas?
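A triage helper for the two keytab-install failures reported above, as an added example that is not part of the thread: it parses the kadmin errors, measures the clock offset from the date/rdate pair Art posted, and compares each requested host/ftp principal against the names the KDC actually holds, which is the case-sensitivity check Matt Crawford makes by hand in his reply below. The kadmin output is copied from the message; the KDC principal list is constructed from the thread and nothing here contacts a KDC.

```python
import re
from datetime import datetime

REALM = "PILOT.FNAL.GOV"   # realm used throughout the thread
MAX_SKEW = 300             # seconds; the usual Kerberos clock tolerance

KADMIN_RE = re.compile(r"^kadmin: (?P<reason>.+?) while initializing kadmin interface$")
ADD_RE = re.compile(r"^ERROR: could not add principal (?P<princ>\S+) to keytab file\.$")
# "Mon Dec 4 17:31:19 CST 2000" (date) or "[host]  Mon Dec 4 17:31:20 2000" (rdate)
STAMP_RE = re.compile(r"[A-Z][a-z]{2} ([A-Z][a-z]{2}) +(\d{1,2}) (\d\d:\d\d:\d\d)(?: [A-Z]{3,4})? (\d{4})")


def parse_kadmin(output: str):
    """Pair every kadmin failure reason with the principal being added."""
    reason, pairs = None, []
    for raw in output.splitlines():
        line = raw.strip()
        m = KADMIN_RE.match(line)
        if m:
            reason = m.group("reason")
            continue
        m = ADD_RE.match(line)
        if m and reason is not None:
            pairs.append((m.group("princ"), reason))
            reason = None
    return pairs


def parse_stamp(line: str) -> datetime:
    """Read a date/rdate style timestamp, ignoring any zone abbreviation."""
    m = STAMP_RE.search(line)
    if not m:
        raise ValueError("no timestamp in %r" % line)
    mon, day, hms, year = m.groups()
    return datetime.strptime("%s %s %s %s" % (mon, day, hms, year), "%b %d %H:%M:%S %Y")


def clock_skew(date_line: str, rdate_line: str) -> float:
    """Seconds between the local `date` output and the rdate reference."""
    return abs((parse_stamp(date_line) - parse_stamp(rdate_line)).total_seconds())


def triage(kadmin_output: str, kdc_principals, skew: float, realm: str = REALM):
    """Map each failure to its most likely cause.

    kdc_principals: host/ftp principals exactly as the KDC lists them;
    Kerberos principal names are case-sensitive, so spelling matters.
    """
    findings = []
    if skew > MAX_SKEW:   # Matt's first guess: always rule the clock out first
        findings.append(("*", "clock skew %.0fs exceeds %ds: fix the clock first" % (skew, MAX_SKEW)))
    exact = set(kdc_principals)
    by_fold = {p.lower(): p for p in kdc_principals}
    for princ, reason in parse_kadmin(kadmin_output):
        full = princ if "@" in princ else "%s@%s" % (princ, realm)
        if reason.startswith("Client not found"):
            if full not in exact and full.lower() in by_fold:
                findings.append((princ, "case mismatch: KDC has %s; lowercase the hostname "
                                 "or request principals with this spelling" % by_fold[full.lower()]))
            elif full not in exact:
                findings.append((princ, "no such principal in the KDC: request its creation"))
            else:
                findings.append((princ, "listed here but not found by the KDC: verify realm and KDC config"))
        elif reason.startswith("Preauthentication failed"):
            findings.append((princ, "principal exists but the password given is not its "
                             "current one: have it reset"))
        else:
            findings.append((princ, "unclassified: " + reason))
    return findings


# kadmin output copied from Art's message; KDC list constructed from the thread
CDFPCB_OUT = """kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/cdfpcb.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/cdfpcb.fnal.gov to keytab file."""
HOME_OUT = """kadmin: Client not found in Kerberos database while initializing kadmin interface
ERROR: could not add principal ftp/C549185-A.wheaton1.il.home.com to keytab file.
kadmin: Client not found in Kerberos database while initializing kadmin interface
ERROR: could not add principal host/C549185-A.wheaton1.il.home.com to keytab file."""
KDC_PRINCIPALS = [
    "ftp/cdfpcb.fnal.gov@PILOT.FNAL.GOV",
    "host/cdfpcb.fnal.gov@PILOT.FNAL.GOV",
    "ftp/c549185-a.wheaton1.il.home.com@PILOT.FNAL.GOV",
    "host/c549185-a.wheaton1.il.home.com@PILOT.FNAL.GOV",
]

if __name__ == "__main__":
    skew = clock_skew("Mon Dec 4 17:31:19 CST 2000", "[fnsrv0.fnal.gov]  Mon Dec 4 17:31:20 2000")
    for host, out in (("cdfpcb", CDFPCB_OUT), ("c549185-a", HOME_OUT)):
        for princ, cause in triage(out, KDC_PRINCIPALS, skew):
            print("%s: %s -> %s" % (host, princ, cause))
```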
From kreymer@fnal.gov Mon Dec 4 17:51:25 2000 -0600
Date: Mon, 04 Dec 2000 17:51:25 -0600
From: Matt Crawford
Subject: Re: init-keep-ssh problems
To: Art Kreymer
Cc: kerberos-pilot@fnal.gov

> On cdfpcb:
>
> kadmin: Preauthentication failed while initializing kadmin interface
> ERROR: could not add principal ftp/cdfpcb.fnal.gov to keytab file.
> kadmin: Preauthentication failed while initializing kadmin interface
> ERROR: could not add principal host/cdfpcb.fnal.gov to keytab file.

I was about to say "check your system clock", but I have a hunch that's
not it this time. Instead, I bet Lauri created your host and ftp
principals ages ago -- like last April -- and you recently asked Yolanda
to create them, and she created something else instead and gave you that
password. So you need the password reset for those two principals.

> On c549185-a :
>
> kadmin: Client not found in Kerberos database while initializing kadmin interface
> ERROR: could not add principal ftp/C549185-A.wheaton1.il.home.com to keytab file.
> kadmin: Client not found in Kerberos database while initializing kadmin interface
> ERROR: could not add principal host/C549185-A.wheaton1.il.home.com to keytab file.

A little case-sensitivity problem.
The host & ftp principals in the database are ftp/c549185-a.wheaton1.il.home.com@PILOT.FNAL.GOV host/c549185-a.wheaton1.il.home.com@PILOT.FNAL.GOV and your system is calling itself with a big C and a big A and everything else lowercase. Pick one: get your system to change its idea of its hostname to be all lower, or ask for new principals, calling attention to the mixed case. > The password is cut/pasted from today's email, I've also typed it manually. The "today" part of that suggests my cdfpcb hunch is right. > I've checked the clocks: Very wise. That, as I said, was my first guess too. From kreymer@fnal.gov Tue Dec 5 16:33:00 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07320 for ; Tue, 5 Dec 2000 16:33:00 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54004749AZ2Y@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:33:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3377@listserv.fnal.gov>; Tue, 05 Dec 2000 16:33:00 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94006 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:33:00 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3376@listserv.fnal.gov>; Tue, 05 Dec 2000 16:33:00 -0600 Received: from ncdf58.fnal.gov ([131.225.235.27]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54002CV9AZR7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:32:59 -0600 (CST) Received: from ncdf58.fnal.gov (rjetton@localhost) by ncdf58.fnal.gov (8.11.0/8.11.0) with ESMTP id eB5MWwb23702; Tue, 05 Dec 2000 16:32:59 -0600 Date: Tue, 05 Dec 2000 16:32:58 -0600 From: Richard 
Jetton Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. In-reply-to: Message from ARSystem "of Tue, 05 Dec 2000 16:22:43 CST." <318CC3D38BE0D211BB1200105A093F76114672@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200012052232.eB5MWwb23702@ncdf58.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 592 Hello everyone, Maybe I can help a little here and save everyone else some time. Node fcdfsgi2 only allows access through Kerberized clients. We suspect that the user is still using an un-Kerberized version of the ssh client. There is a new ssh version available via UPS/UPD that has this capability. -- Richard Jetton From kreymer@fnal.gov Tue Dec 5 16:46:21 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07339 for ; Tue, 5 Dec 2000 16:46:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003DB9X8CW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:46:21 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B33C2@listserv.fnal.gov>; Tue, 05 Dec 2000 16:46:21 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94082 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:46:21 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B33C1@listserv.fnal.gov>; Tue, 05 Dec 2000 16:46:21 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54004A49X85G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:46:20 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov 
(8.9.1/8.9.1) with ESMTP id QAA06321; Tue, 05 Dec 2000 16:46:19 -0600 (CST) Date: Tue, 05 Dec 2000 16:46:19 -0600 From: Matt Crawford Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. In-reply-to: "05 Dec 2000 16:22:43 CST." <318CC3D38BE0D211BB1200105A093F76114672@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200012052246.QAA06321@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 593

CDF has gone Kerberos-only on their central analysis system while D0 has not yet done so. I presume you're using a non-kerberos ssh. There's a kerberos ssh in kits, v1_2_27. It should work to fcdfsgi2 with no password, I think.

From kreymer@fnal.gov Tue Dec 5 16:56:19 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07582 for ; Tue, 5 Dec 2000 16:56:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003KZADU5G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:56:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B33FF@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94150 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:56:19 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B33FE@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:18 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003E3ADQMQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:56:18 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; 
Tue, 05 Dec 2000 16:56:15 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 16:55:58 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15525 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114677@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 594 15525 has been updated by blomberg. Short Description : Problem using ssh New Work Log Entry : From: "Richard Jetton" To: "ARSystem" Cc: Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. Date: Tuesday, December 05, 2000 4:32 PM Hello everyone, Maybe I can help a little here and save everyone else some time. Node fcdfsgi2 only allows access through Kerberized clients. We suspect that the user is still using an un-Kerberized version of the ssh client. There is a new ssh version available via UPS/UPD that has this capability. -- Richard Jetton From kreymer@fnal.gov Tue Dec 5 16:56:20 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07586 for ; Tue, 5 Dec 2000 16:56:20 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003KZADU5G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:56:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3401@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94152 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:56:19 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3400@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:19 -0600 Received: from 
csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003E3ADQMQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:56:18 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 05 Dec 2000 16:56:15 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 16:56:06 -0600 From: ARSystem Subject: Note to requester has been sent - 000000000015525 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114679@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 595 The following note has been sent to the requester: TOBACK, DAVID Short Description : Problem using ssh Notes to Requester : Hello everyone, Maybe I can help a little here and save everyone else some time. Node fcdfsgi2 only allows access through Kerberized clients. We suspect that the user is still using an un-Kerberized version of the ssh client. There is a new ssh version available via UPS/UPD that has this capability. 
From kreymer@fnal.gov Tue Dec 5 16:56:22 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07594 for ; Tue, 5 Dec 2000 16:56:22 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003FJADYKT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:56:22 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3403@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:22 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94154 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:56:22 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3402@listserv.fnal.gov>; Tue, 05 Dec 2000 16:56:22 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G540049YADXQC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:56:21 -0600 (CST) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07590; Tue, 05 Dec 2000 16:56:21 -0600 Date: Tue, 05 Dec 2000 16:56:21 -0600 (CST) From: Art Kreymer Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. In-reply-to: <318CC3D38BE0D211BB1200105A093F76114672@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 596 txpc2.fnal.gov does not have kerberized ssh installed. This is because ssh is installed via 'rpm' there, and we do not yet have a kerberized ssh rpm available. 
Temporarily, for testing only, I have copied a kerberized ssh1 binary to txpc2.fnal.gov:~cdfsoft/ssh1 This seems to work, for example : [cdfsoft@txpc2 ~]$ ~cdfsoft/ssh1 -l kreymer fcdfsgi2 pwd /cdf/home/kreymer From kreymer@fnal.gov Tue Dec 5 16:23:24 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07314 for ; Tue, 5 Dec 2000 16:23:24 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54004278ULQC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 16:23:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B334A@listserv.fnal.gov>; Tue, 05 Dec 2000 16:23:10 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93959 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 16:23:10 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3349@listserv.fnal.gov>; Tue, 05 Dec 2000 16:23:10 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54002AP8UDR7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 16:23:09 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 05 Dec 2000 16:22:57 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 16:22:43 -0600 From: ARSystem Subject: 000000000015525 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114672@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: A X-Keywords: X-UID: 597 CRAWFORD, MATT, Help Desk Ticket #000000000015525 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Problem using ssh Badge # (+) : 06670V First Name : DAVID Last Name (+) : TOBACK Phone : 2120 E-Mail Address : TOBACK@FNAL.GOV Incident Time : 12/5/00 4:08:07 PM System Name : TXPC2 Urgency : Medium Public Work Log : 12/5/00 4:22:31 PM blomberg Can you assist? Problem Description : I'm still getting the kerberos stuff set up here, and I seem to have a problem when I work on txpc2.fnal.gov. If I do a kinit on txpc2, I can get kerberized, and I seem fine. I can then telnet into fcdfsgi2 (it doesn't ask for a passwd). However if I try ssh it tells me permission denied. If I do a telnet to d0mino.fnal.gov I get in fine (no password request), and if I do an ssh, I have to give a password, but then I do get in. Is this how things are supposed to be? 
Thanks, From kreymer@fnal.gov Tue Dec 5 17:01:52 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA07619 for ; Tue, 5 Dec 2000 17:01:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003MRAN35G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 17:01:51 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3420@listserv.fnal.gov>; Tue, 05 Dec 2000 17:01:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94184 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 17:01:51 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B341E@listserv.fnal.gov>; Tue, 05 Dec 2000 17:01:51 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003H6AN25P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 17:01:50 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 05 Dec 2000 17:01:51 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 17:01:39 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15525 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611467A@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 598 15525 has been updated by blomberg. Short Description : Problem using ssh New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. 
Date: Tuesday, December 05, 2000 4:46 PM

CDF has gone Kerberos-only on their central analysis system while D0 has not yet done so. I presume you're using a non-kerberos ssh. There's a kerberos ssh in kits, v1_2_27. It should work to fcdfsgi2 with no password, I think.

From: "David J. Fagan" To: "ARSystem" Subject: Re: 000000000015525 Assigned to CRAWFORD, MATT. Date: Tuesday, December 05, 2000 4:48 PM

yes, CDF is all kerberos, D0 is not, ssh still goes both ways until the 18th. Upgrade to the latest ssh on the machine and it will use kerberos at both experiments. Of course so will your daemon then be on your machine and unless you come from a kerberos node you will need a cryptocard. This is however how all Run II machines are required to be installed. (Kerberos only)

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer? | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

From kreymer@fnal.gov Tue Dec 5 17:01:52 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA07623 for ; Tue, 5 Dec 2000 17:01:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003MRAN35G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 17:01:52 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3421@listserv.fnal.gov>; Tue, 05 Dec 2000 17:01:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94186 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 17:01:51 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP 
for Windows NT v1.1b) with SMTP id <0.000B341F@listserv.fnal.gov>; Tue, 05 Dec 2000 17:01:51 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003HRAMYLT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 17:01:50 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 05 Dec 2000 17:01:47 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 17:01:39 -0600 From: ARSystem Subject: Note to requester has been sent - 000000000015525 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611467C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 599

The following note has been sent to the requester: TOBACK, DAVID
Short Description : Problem using ssh
Notes to Requester : CDF is all kerberos, D0 is not, ssh still goes both ways until the 18th. Upgrade to the latest ssh on the machine and it will use kerberos at both experiments. Of course so will your daemon then be on your machine and unless you come from a kerberos node you will need a cryptocard. This is however how all Run II machines are required to be installed. 
(Kerberos only) From kreymer@fnal.gov Tue Dec 5 17:02:38 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA07631 for ; Tue, 5 Dec 2000 17:02:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003HRAODF4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 05 Dec 2000 17:02:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3425@listserv.fnal.gov>; Tue, 05 Dec 2000 17:02:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 94190 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 05 Dec 2000 17:02:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3424@listserv.fnal.gov>; Tue, 05 Dec 2000 17:02:38 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G54003HZAO8LT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 05 Dec 2000 17:02:37 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 05 Dec 2000 17:02:18 -0600 Content-return: allowed Date: Tue, 05 Dec 2000 17:01:47 -0600 From: ARSystem Subject: CRAWFORD, MATT #15525 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114680@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 600 Thank you for your assistance. 
Help Desk ticket #000000000015525 has been resolved on 12/5/00 4:59:26 PM Resolution Timestamp: : 12/5/00 4:56:20 PM Solution Category : Service Request Problem Category : Software Type : Utilities Item : Kerberos Short Description : Problem using ssh Solution : txpc2.fnal.gov does not have kerberized ssh installed. This is because ssh is installed via 'rpm' there, and we do not yet have a kerberized ssh rpm available. Temporarily, for testing only, I have copied a kerberized ssh1 binary to txpc2.fnal.gov:~cdfsoft/ssh1 This seems to work, for example : [cdfsoft@txpc2 ~]$ ~cdfsoft/ssh1 -l kreymer fcdfsgi2 pwd /cdf/home/kreymer Problem Description : I'm still getting the kerberos stuff set up here, and I seem to have a problem when I work on txpc2.fnal.gov. If I do a kinit on txpc2, I can get kerberized, and I seem fine. I can then telnet into fcdfsgi2 (it doesn't ask for a passwd). However if I try ssh it tells me permission denied. If I do a telnet to d0mino.fnal.gov I get in fine (no password request), and if I do an ssh, I have to give a password, but then I do get in. Is this how things are supposed to be? 
Thanks, From kreymer@fnal.gov Wed Dec 6 08:24:33 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA04980 for ; Wed, 6 Dec 2000 08:24:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500L4UH6INC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 06 Dec 2000 08:20:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B39F4@listserv.fnal.gov>; Wed, 06 Dec 2000 08:20:42 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 95791 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 06 Dec 2000 08:20:42 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B39F3@listserv.fnal.gov>; Wed, 06 Dec 2000 08:20:42 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500HOJH6I66@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 06 Dec 2000 08:20:42 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 06 Dec 2000 08:20:43 -0600 Content-return: allowed Date: Wed, 06 Dec 2000 08:20:42 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15525 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611469A@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 601 15525 has been updated by trb. Short Description : Problem using ssh New Work Log Entry : From: "Dave Toback" To: "ARSystem" Cc: "David Toback" ; "Vyacheslav Krutelyov" Subject: Re: Help Desk Ticket 15525 Has Been Resolved. 
Date: Tuesday, December 05, 2000 5:51 PM Hi, Thanks. How soon till we get a kerberized ssh rpm? Dave ************************************************************************ ****** Dave Toback toback@fnal.gov Texas A&M University CDF Collaboration 630-840-2120 ************************************************************************ ****** ------------------> From: "Dave Toback" To: "ARSystem" Cc: "David Toback" ; "Maxwell Chertok" ; "Vyacheslav Krutelyov" ; "Teruki Kamon" Subject: Re: Help Desk Ticket 15525 Has Been Resolved. Date: Tuesday, December 05, 2000 5:59 PM Hi, Can we put this temporary binary on txpc1 as well? Dave ************************************************************************ ****** From kreymer@fnal.gov Wed Dec 6 11:55:17 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA05528 for ; Wed, 6 Dec 2000 11:55:17 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G55004KCR44TI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 06 Dec 2000 11:55:16 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3D89@listserv.fnal.gov>; Wed, 06 Dec 2000 11:55:16 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 96782 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 06 Dec 2000 11:55:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3D88@listserv.fnal.gov>; Wed, 06 Dec 2000 11:55:16 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G55002OXR44CZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 06 Dec 2000 11:55:16 -0600 (CST) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) 
with SMTP id eB6HtE417724 for ; Wed, 06 Dec 2000 11:55:14 -0600 (CST) Date: Wed, 06 Dec 2000 11:55:13 -0600 From: aheavey@fnal.gov Subject: X clients on Mac Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Reply-to: aheavey@fnal.gov Message-id: <200012061755.eB6HtE417724@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 602 Can anyone provide me information on how to run X windows on a Mac when connecting to kerberized host? This is for purposes of documentation. I don't use a Mac and I need to know things like: -Which clients work -Are there special things along the lines of xauth or xhost that need to be done Thanks. -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Wed Dec 6 12:47:13 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA05552 for ; Wed, 6 Dec 2000 12:47:13 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500A0RTIOES@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 06 Dec 2000 12:47:13 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3E6A@listserv.fnal.gov>; Wed, 06 Dec 2000 12:47:13 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 97009 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 06 Dec 2000 12:47:13 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B3E69@listserv.fnal.gov>; Wed, 06 Dec 2000 12:47:13 -0600 Received: from admin.itol.com ([209.83.58.2]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G55004SUTIMG3@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov 
(ORCPT kerberos-pilot@fnal.gov); Wed, 06 Dec 2000 12:47:12 -0600 (CST) Received: from [209.83.76.147] (fc-16.itol.com [209.83.76.147]) by admin.itol.com (8.10.1/8.9.3) with ESMTP id eB6Il7G27940; Wed, 06 Dec 2000 12:47:07 -0600 Date: Wed, 06 Dec 2000 12:47:06 -0600 From: Benn Tannenbaum Subject: Re: X clients on Mac In-reply-to: <200012061755.eB6HtE417724@fsui02.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: aheavey@fnal.gov, kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 603

Hi Anne,

I use Xoftware, but that's a little out of date. I tend to just leave my xhost open, so anyone can connect. That's not the most secure thing, but it works. I can also set up a list of hosts that can be used, or simply demand that each and every connect be verified manually.

Macs are a little harder to hack since they don't have a command line, so some of the security issues are there that are with other platforms. All someone can intercept are X packets, and if no insecure information is sent that way, then it's not a problem. I only use Paw & ROOT & things like that where I don't type in a password....

Hope this helps...

on 6/12/00 11:55 AM, aheavey@fnal.gov spake thusly:

> Can anyone provide me information on how to run X windows on a Mac
> when connecting to kerberized host? This is for purposes of documentation.
> I don't use a Mac and I need to know things like:
> -Which clients work
> -Are there special things along the lines of xauth or xhost that
> need to be done
> Thanks.
-Benn From kreymer@fnal.gov Wed Dec 6 14:43:30 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA05633 for ; Wed, 6 Dec 2000 14:43:30 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500F1FYWG8R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 06 Dec 2000 14:43:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B40DC@listserv.fnal.gov>; Wed, 06 Dec 2000 14:43:29 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 97652 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 06 Dec 2000 14:43:29 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B40DA@listserv.fnal.gov>; Wed, 06 Dec 2000 14:43:29 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500CDCYWENV@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 06 Dec 2000 14:43:28 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 06 Dec 2000 14:43:27 -0600 Content-return: allowed Date: Wed, 06 Dec 2000 14:43:25 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15525 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114781@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 604 15525 has been updated by trb. Short Description : Problem using ssh New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Subject: Re: CRAWFORD, MATT AR ticket 15525 Has Been Updated. Date: Wednesday, December 06, 2000 2:08 PM > Thanks. 
How soon till we get a kerberized ssh rpm? I have no idea who creates such things. Connie Sieh/Troy Dawson??? > Can we put this temporary binary on txpc1 as well? That's up to txpc1 admins. From kreymer@fnal.gov Wed Dec 6 15:04:20 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA05659 for ; Wed, 6 Dec 2000 15:04:20 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500F55ZV3GJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 06 Dec 2000 15:04:16 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B4130@listserv.fnal.gov>; Wed, 06 Dec 2000 15:04:16 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 97743 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 06 Dec 2000 15:04:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B412F@listserv.fnal.gov>; Wed, 06 Dec 2000 15:04:16 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5500CIOZV33S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 06 Dec 2000 15:04:15 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA11872; Wed, 06 Dec 2000 15:04:04 -0600 (CST) Date: Wed, 06 Dec 2000 15:04:04 -0600 From: Matt Crawford Subject: Re: X clients on Mac In-reply-to: "06 Dec 2000 12:47:06 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: aheavey@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200012062104.PAA11872@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 605 > I use Xoftware, but that's a little out of date. I tend to just leave my > xhost open, so anyone can connect. 
> That's not the most secure thing,

This statement could be strengthened. Tools already in the hands of
the script-kiddies will let them connect to your X server port and
request a copy of every keypress event.

From kreymer@fnal.gov Wed Dec 6 15:19:17 2000 -0600
Date: Wed, 06 Dec 2000 15:19:11 -0600
From: ARSystem
Subject: KREYMER, ART AR ticket 15525 Has Been Updated.
To: "'kreymer@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114791@csdserver2.fnal.gov>

15525 has been updated by trb.
Short Description : Problem using ssh
New Work Log Entry :
ReOpened AR ticket seeking assistance from Art Kreymer.

Ticket ReOpened the Previous Solution was :
txpc2.fnal.gov does not have kerberized ssh installed.
This is because ssh is installed via 'rpm' there,
and we do not yet have a kerberized ssh rpm available.

Temporarily, for testing only, I have copied a kerberized ssh1 binary to
txpc2.fnal.gov:~cdfsoft/ssh1

This seems to work, for example :

[cdfsoft@txpc2 ~]$ ~cdfsoft/ssh1 -l kreymer fcdfsgi2 pwd
/cdf/home/kreymer

From kreymer@fnal.gov Wed Dec 6 15:19:17 2000 -0600
Date: Wed, 06 Dec 2000 15:19:11 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15525 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611478F@csdserver2.fnal.gov>

15525 has been updated by trb.
Short Description : Problem using ssh
New Work Log Entry :
From: "Dave Toback"
To: "ARSystem"
Cc: "Maxwell Chertok" ; "David Toback" ; "Teruki Kamon" ; "Vyacheslav Krutelyov"
Subject: Re: Additional info for 000000000015525
Date: Wednesday, December 06, 2000 3:06 PM

Hi,

Kreymer put the last one on txpc2, so we don't know how to do it.
Would it be easier if txpc1 and 2 were administered full time by Fermilab?
That way transitions like this to Kerberos would go more smoothly.

Thanks,
Dave

Dave Toback                toback@fnal.gov
Texas A&M University       CDF Collaboration
630-840-2120

From kreymer@fnal.gov Wed Dec 6 15:44:36 2000 -0600
Date: Wed, 06 Dec 2000 15:44:20 -0600
From: Benn Tannenbaum
Subject: Re: X clients on Mac
In-reply-to: <200012062104.PAA11872@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov

on 6/12/00 3:04 PM, Matt Crawford spake thusly:

>> I use Xoftware, but that's a little out of date. I tend to just leave my
>> xhost open, so anyone can connect. That's not the most secure thing,
>
> This statement could be strengthened. Tools already in the hands of
> the script-kiddies will let them connect to your X server port and
> request a copy of every keypress event.

Is that really true? I think it's only true for keypress events sent to an X
client. If everything is an X client, then that's a problem. But if I only
use X to display things, is there a problem?
-Benn

From kreymer@fnal.gov Wed Dec 6 15:57:46 2000 -0600
Date: Wed, 06 Dec 2000 15:57:40 -0600 (CST)
From: Art Kreymer
Subject: Re: X clients on Mac
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Benn Tannenbaum
Cc: kerberos-pilot@fnal.gov

Note that xhost-based access is entirely unauthenticated.

If nothing else, you are wide open to a Denial of Service attack,
overloading your server system so as to make it useless.

It's only a matter of time till they get you.
From kreymer@fnal.gov Wed Dec 6 16:59:18 2000 -0600
Date: Wed, 06 Dec 2000 16:59:07 -0600
From: Matt Crawford
Subject: Re: X clients on Mac
In-reply-to: "06 Dec 2000 15:44:20 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Benn Tannenbaum
Cc: kerberos-pilot@fnal.gov
Message-id: <200012062259.QAA12852@gungnir.fnal.gov>

> Is that really true? I think it's only true for keypress events sent to an X
> client. If everything is an X client, then that's a problem. But if I only
> use X to display things, is there a problem?
If you really mean only display and never type, then I guess you could be
less unsafe, since the Mac (like Windows) gives you a separate desktop
environment as well. But the general operation of X is that clients
register with the server which classes of events they want, and the
keyboard snooping client asks for all keypress events.

From kreymer@fnal.gov Thu Dec 7 08:34:05 2000 -0600
Date: Thu, 07 Dec 2000 08:31:51 -0600
From: Matt Crawford
Subject: Cryptocard status
Sender: owner-kerberos-announce@listserv.fnal.gov
To: kerberos-announce@fnal.gov
Cc: helpdesk@fnal.gov
Message-id: <200012071431.IAA16435@gungnir.fnal.gov>

The Computing Division office on WH 8E is now your one-stop source for
both Kerberos principals and Cryptocards. CDF and D0 members should
continue to work through established channels for their account requests.

I am continuing to work through the backlog of Cryptocard requests that
accumulated in the last few weeks. I'm up to November 16 right now :-(
Each user is being notified when their card is ready.

Statistics: we have just over 1000 user principals now, 400 of them with
Cryptocards, and just over 450 host principals.

I will be away all next week (Dec 11-15). Anyone who wants the PalmOS
version of the Cryptocard had best contact me *today* or wait until
December 18.

From kreymer@fnal.gov Fri Dec 8 10:41:07 2000 -0600
Date: Fri, 08 Dec 2000 10:41:02 -0600
From: ARSystem
Subject: 000000000015583 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761148AB@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015583 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description: Kerberos "principal" password.
Badge # (+) : 02263N
First Name : VICTORIA
Last Name (+) : WHITE
Phone : 3936
E-Mail Address : WHITE@FNAL.GOV
Incident Time : 12/8/00 10:30:35 AM
System Name : I-KRB-2
Urgency : Medium

Public Work Log :
12/8/00 10:39:07 AM trb
Matt, can you help ?

Problem Description :
I finally got around to getting my kerberos password reset by Yolanda.
Now I am able to log in via telnet using my cryptocard again.
However, when I try to reset the kerberos password from the one that
Yolanda gave me (using kpasswd) I get the following error message after
I enter the old password

kpasswd
Changing password for white@PILOT.FNAL.GOV.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server for realm PILOT.FNAL.GOV.
Preauthentication failed.

This was what unknowingly got me in trouble in the first place - not
actually changing my password (which I didn't even know since I had not
called Yolanda, but merely registered on the web page). But meanwhile I
had been happily using my cryptocard, until one day it simply shut me out.

Is this a transient error, or is there something more fundamental about
my "principal" that is disabled? I think other users who receive
cryptocards, and find that it works, will get into the same trouble as I
did 3 months down the road.
Vicky

From kreymer@fnal.gov Fri Dec 8 11:12:39 2000 -0600
Date: Fri, 08 Dec 2000 11:12:37 -0600 (CST)
From: Art Kreymer
Subject: Re: 000000000015583 Assigned to CRAWFORD, MATT.
In-reply-to: <318CC3D38BE0D211BB1200105A093F761148AB@csdserver2.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'" , white@fnal.gov

The cryptocard does not encrypt anything, including passwords.

All that you get is an unencrypted, sniffable, hijackable telnet connection
to a system on which you are given a kerberos token
which allows further authenticated logins and file accesses.

You must never type a password during a cryptocard session.

This includes resetting your initial kerberos password.
This includes using or resetting normal or ssh passwords or passphrases.

If you HAVE typed a password during a cryptocard session,
you should immediately change it,
because it could well have been sniffed on the network.
( But you must not change it using a cryptocard connection. )

From kreymer@fnal.gov Fri Dec 8 11:14:33 2000 -0600
From: schellman@fnal.gov
Date: Fri, 08 Dec 2000 11:14:58 -0600
Subject: Re: 000000000015583 Assigned to CRAWFORD, MATT.
To: Art Kreymer
Message-id: <3A311712.FDAF1B0B@fnal.gov>

So how the heck are people supposed to do a kinit?

Sounds like we need to be using ssh rather than telnet with the cryptocard.

Heidi

Art Kreymer wrote:
>
> The cryptocard does not encrypt anything, including passwords.
>
> All that you get is an unencrypted, sniffable, hijackable telnet connection
> to a system on which you are given a kerberos token
> which allows further authenticated logins and file accesses.
>
> You must never type a password during a cryptocard session.
>
> This includes resetting your initial kerberos password.
> This includes using or resetting normal or ssh passwords or passphrases.
>
> If you HAVE typed a password during a cryptocard session,
> you should immediately change it,
> because it could well have been sniffed on the network.
> ( But you must not change it using a cryptocard connection. )

From kreymer@fnal.gov Fri Dec 8 11:27:08 2000 -0600
Date: Fri, 08 Dec 2000 11:26:56 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15583 Resolved.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761148BD@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000015583 has been resolved on 12/8/00 11:23:39 AM
Resolution Timestamp: : 12/8/00 11:12:31 AM
Solution Category : Information Request
Problem Category : Software
Type : Utilities
Item : Kerberos
Short Description : Kerberos "principal" password.

Solution :
Per the expert:
"The cryptocard does not encrypt anything, including passwords.

All that you get is an unencrypted, sniffable, hijackable telnet connection
to a system on which you are given a kerberos token
which allows further authenticated logins and file accesses.

You must never type a password during a cryptocard session.

This includes resetting your initial kerberos password.
This includes using or resetting normal or ssh passwords or passphrases.

If you HAVE typed a password during a cryptocard session,
you should immediately change it,
because it could well have been sniffed on the network.
( But you must not change it using a cryptocard connection. )"

Problem Description :
I finally got around to getting my kerberos password reset by Yolanda.
Now I am able to log in via telnet using my cryptocard again.
However, when I try to reset the kerberos password from the one that
Yolanda gave me (using kpasswd) I get the following error message after
I enter the old password

kpasswd
Changing password for white@PILOT.FNAL.GOV.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative server for realm PILOT.FNAL.GOV.
Preauthentication failed.

This was what unknowingly got me in trouble in the first place - not
actually changing my password (which I didn't even know since I had not
called Yolanda, but merely registered on the web page).
But meanwhile I had been happily using my cryptocard, until one day it
simply shut me out.

Is this a transient error, or is there something more fundamental about
my "principal" that is disabled? I think other users who receive
cryptocards, and find that it works, will get into the same trouble as I
did 3 months down the road.

Vicky

From kreymer@fnal.gov Fri Dec 8 12:13:47 2000 -0600
Date: Fri, 08 Dec 2000 12:02:35 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15583 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761148C1@csdserver2.fnal.gov>

15583 has been updated by blomberg.
Short Description : Kerberos "principal" password.
New Work Log Entry :
From: "Vicky White"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15583 Has Been Resolved.
Date: Friday, December 08, 2000 11:52 AM

I did not say that I tried to change my password from a cryptocard telnet
session. I was actually logged in via ssh when trying to type kinit
initially, and then change my password - but that will not be possible
for much longer. I merely said that access via cryptocard was now working
again - which it is. Access via ssh is also working, but shortly will not be.

The matter is not resolved. Perhaps I have not read all the details, or
perhaps I am doing something crazy, but let me repeat the problem.

I log in to d0mino via ssh
I type kpasswd
I type in the password I was given
I get the message I reported

What was I supposed to do? What am I supposed to do?

Vicky

Ticket ReOpened the Previous Solution was :
Per the expert:
"The cryptocard does not encrypt anything, including passwords.

All that you get is an unencrypted, sniffable, hijackable telnet connection
to a system on which you are given a kerberos token
which allows further authenticated logins and file accesses.

You must never type a password during a cryptocard session.

This includes resetting your initial kerberos password.
This includes using or resetting normal or ssh passwords or passphrases.

If you HAVE typed a password during a cryptocard session,
you should immediately change it,
because it could well have been sniffed on the network.
( But you must not change it using a cryptocard connection. )"

From kreymer@fnal.gov Fri Dec 8 15:16:40 2000 -0600
Date: Fri, 08 Dec 2000 15:16:29 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15583 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611490A@csdserver2.fnal.gov>

15583 has been updated by trb.
Short Description : Kerberos "principal" password.
New Work Log Entry :
From: "David J. Fagan"
To: "Vicky White"
Cc: ;
Subject: Re: Fw: Help Desk Ticket 15583 Has Been Resolved.
Date: Friday, December 08, 2000 3:09 PM

I claim to have way too much and way too long mail to even read in a day,
so I may be missing something here, but I'll try.

You cannot use an unkerberized ssh to access a machine and do a kpasswd
without doing a kinit first. You must be previously authenticated to talk
to the service to check your old password.

access via kerberos telnet, or ssh (slogin), and kpasswd
or
access via ssh (nokerberos), kinit, kpasswd.

David J. Fagan | The Silicon Sorcerer? | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914

From kreymer@fnal.gov Fri Dec 8 15:26:50 2000 -0600
Date: Fri, 08 Dec 2000 15:26:41 -0600
From: ARSystem
Subject: 000000000015528 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611490E@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015528 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description: Expired Kerberos password
Badge # (+) : 04220N
First Name : GREGORY
Last Name (+) : CISKO
Phone : 3998
E-Mail Address : CISKO@FNAL.GOV
Incident Time : 12/5/00 4:46:23 PM
System Name :
Urgency : Medium

Public Work Log :
12/6/00 8:57:07 AM trb
From: "Yolanda Valadez"
To: "ARSystem"
Subject: Re: 000000000015528 Assigned to VALADEZ, YOLANDA.
Date: Wednesday, December 06, 2000 8:49 AM
close 15528
kerberos principal has been reset and emailed...

12/7/00 3:48:20 PM blomberg
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15528 Has Been Resolved.
Date: Thursday, December 07, 2000 3:33 PM
This has not been resolved yet. I left a voice message for Yolanda and so
far have heard nothing back. Also, this cannot be the only means to
recover an expired password. You must have a contingency plan of some sort.
Greg

12/7/00 3:48:37 PM blomberg
Ticket ReOpened the Previous Solution was :
Per the Admin: "kerberos principal has been reset and emailed..."

12/8/00 3:22:09 PM trb
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15528 Has Been Resolved.
Date: Friday, December 08, 2000 3:16 PM
Yolanda has reset my kerberos password 3 times and I am still unable to log on.
I keep getting a Reflection Kerberos Error: Invalid Tag (ASN008)
Thanks,
Greg

Re-assigning AR ticket to Matt seeking assistance.

Problem Description :
Apparently my password on pilot.fnal.gov has expired. Can you please have it reset?
Thanks,
Greg

From kreymer@fnal.gov Fri Dec 8 15:26:51 2000 -0600
Date: Fri, 08 Dec 2000 15:26:41 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15528 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611490F@csdserver2.fnal.gov>

15528 has been updated by trb.
Short Description : Expired Kerberos password
New Work Log Entry :
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: Help Desk Ticket 15528 Has Been Resolved.
Date: Friday, December 08, 2000 3:16 PM
Yolanda has reset my kerberos password 3 times and I am still unable to log on.
I keep getting a Reflection Kerberos Error: Invalid Tag (ASN008)
Thanks,
Greg

Re-assigning AR ticket to Matt seeking assistance.

From kreymer@fnal.gov Fri Dec 8 15:58:02 2000 -0600
Date: Fri, 08 Dec 2000 15:58:00 -0600
From: Troy Dawson
Subject: Problems getting host and ftp principles Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A315968.33F2C4C9@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 620
Howdy,
I recently kerberized three machines. I had gotten the password for the ftp and host principals from Yolanda. She gave me one password for all three. I did a 'ups install-keep-ssh kerberos' on them. Everything worked for two of them, but not the third.
The third machine (pinky) set up kerberos ok except for making the krb5.keytab. For both principals it gave the error:
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/pinky.fnal.gov to keytab file.
My first thought was that I mistyped the password. So I tried adding these principals by hand using kadmin. No luck, I got the same error.
#] kadmin -p host/pinky.fnal.gov
Enter password
Enter password
kadmin: Preauthentication failed while initializing kadmin interface
#]
I thought perhaps Yolanda might have missed that machine. She reset the password for pinky. I tried both kadmin, and completely removing the kerberos stuff then reinstalling it. No success at all, either on the ups install, or doing kadmin by hand.
The machine is a Linux machine, with a Fermi Linux 6.1.1, and a 2.2.16-3 kernel. Is there some option I can do so that it will show me more in detail why it isn't able to get the authentication done? Or has someone seen this before?
The UPD release I installed was v0.7 of kerberos. There might have been some lingering kerberos stuff from before because I upd installed the kerberos ssh, but I never ups installed it. But I did remove all the ups products starting with k from the machine before I reinstalled kerberos the second time.
Any ideas? 
Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Fri Dec 8 16:02:27 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA06429 for ; Fri, 8 Dec 2000 16:02:27 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5900ELFRW2W4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 08 Dec 2000 16:02:27 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B5EDB@listserv.fnal.gov>; Fri, 08 Dec 2000 16:02:26 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 106093 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 08 Dec 2000 16:02:26 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B5EDA@listserv.fnal.gov>; Fri, 08 Dec 2000 16:02:26 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5900CRXRW2WG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 08 Dec 2000 16:02:26 -0600 (CST) Date: Fri, 08 Dec 2000 16:02:24 -0600 (CST) From: "Marc W. Mengel" Subject: Re: Problems getting host and ftp principles In-reply-to: <3A315968.33F2C4C9@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Troy Dawson Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 621 On Fri, 8 Dec 2000, Troy Dawson wrote: > The third machine (pinky) setup kerberos ok except for making the > krb5.keytab. For both principles it gave the error. 
> kadmin: Preauthentication failed while initializing kadmin interface
> ERROR: could not add principal host/pinky.fnal.gov to keytab file.
Maybe you need to do an ntpdate to get the clock synched? Marc From kreymer@fnal.gov Fri Dec 8 16:09:56 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07330 for ; Fri, 8 Dec 2000 16:09:56 -0600 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5900J1IS8KGT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 08 Dec 2000 16:09:56 -0600 (CST) Date: Fri, 08 Dec 2000 16:09:55 -0600 From: Troy Dawson Subject: Re: Problems getting host and ftp principles To: Art Kreymer Message-id: <3A315C33.126C60F5@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 622 Hi, Thank You, That worked. Troy Art Kreymer wrote:
> 
> Check the clock.
> Preauthentication can fail if the time is not right. 
-- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Fri Dec 8 16:11:16 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA07336 for ; Fri, 8 Dec 2000 16:11:16 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5900I4OSARS3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 08 Dec 2000 16:11:16 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B5EFD@listserv.fnal.gov>; Fri, 08 Dec 2000 16:11:16 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 106129 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 08 Dec 2000 16:11:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B5EFC@listserv.fnal.gov>; Fri, 08 Dec 2000 16:11:16 -0600 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5900J0OSARN6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 08 Dec 2000 16:11:15 -0600 (CST) Date: Fri, 08 Dec 2000 16:11:14 -0600 From: Troy Dawson Subject: Re: Problems getting host and ftp principles Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A315C82.EA4323CE@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 623 Hi, Art figured it out, my date was off. I restarted xntp, then tried it again, and everything worked like it was supposed to. 
Thanks Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Sat Dec 9 11:32:15 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA08462 for ; Sat, 9 Dec 2000 11:32:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B007AYA1QYF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 09 Dec 2000 11:32:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B659B@listserv.fnal.gov>; Sat, 09 Dec 2000 11:32:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 107949 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sat, 09 Dec 2000 11:32:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B659A@listserv.fnal.gov>; Sat, 09 Dec 2000 11:32:14 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B00954A1QBZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sat, 09 Dec 2000 11:32:14 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA02253; Sat, 09 Dec 2000 11:32:13 -0600 (CST) Date: Sat, 09 Dec 2000 11:32:13 -0600 From: Matt Crawford Subject: Re: CRAWFORD, MATT AR ticket 15583 Has Been Updated. In-reply-to: "08 Dec 2000 12:02:35 CST." 
<318CC3D38BE0D211BB1200105A093F761148C1@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200012091732.LAA02253@gungnir.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 624 I log in to d0mino via ssh I type kpasswd I type in the password I was given I get the message I reported Ah, d0mino. Now I can actually look in the log file. I doubt that d0mino's clock is wrong. It looks like the wrong old password was used several times, the password for white was changed by valadez at 10:14 Dec 8, and again by white 23:36 Dec 8. I presume the case is now closed? From kreymer@fnal.gov Sat Dec 9 17:02:18 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA08607 for ; Sat, 9 Dec 2000 17:02:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B009ORPBT73@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 09 Dec 2000 17:02:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B6779@listserv.fnal.gov>; Sat, 09 Dec 2000 17:02:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108443 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sat, 09 Dec 2000 17:02:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B6778@listserv.fnal.gov>; Sat, 09 Dec 2000 17:02:18 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B008RCPBTE9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sat, 09 Dec 2000 17:02:17 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by 
gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA03708; Sat, 09 Dec 2000 17:02:17 -0600 (CST) Date: Sat, 09 Dec 2000 17:02:16 -0600 From: Matt Crawford Subject: Re: 000000000015528 Assigned to CRAWFORD, MATT. In-reply-to: "08 Dec 2000 15:26:41 CST." <318CC3D38BE0D211BB1200105A093F7611490E@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200012092302.RAA03708@gungnir.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 625 When a person's Kerberos password has expired, but they still know the old password, they can change it with the kpasswd command on unix or the password-changing function of WRQ. Only if they've forgotten the old password do they need compdiv's intercession. As for:
> I keep getting a Reflection Kerberos Error:
> Invalid Tag (ASN008)
I would want a date & time and IP address of the client host that gave the error before I went diving into the logs to try to diagnose the problem. Maybe WRQ or someone else on the kerberos-pilot list has an idea ...? 
From kreymer@fnal.gov Sat Dec 9 17:03:46 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA08611 for ; Sat, 9 Dec 2000 17:03:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B008QKPE9NS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 09 Dec 2000 17:03:45 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B6784@listserv.fnal.gov>; Sat, 09 Dec 2000 17:03:46 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108455 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sat, 09 Dec 2000 17:03:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B6783@listserv.fnal.gov>; Sat, 09 Dec 2000 17:03:46 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5B009P8PE973@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sat, 09 Dec 2000 17:03:45 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA03726; Sat, 09 Dec 2000 17:03:44 -0600 (CST) Date: Sat, 09 Dec 2000 17:03:44 -0600 From: Matt Crawford Subject: Re: Problems getting host and ftp principles In-reply-to: "08 Dec 2000 15:58:00 CST." <3A315968.33F2C4C9@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Troy Dawson Cc: kerberos-pilot@fnal.gov Message-id: <200012092303.RAA03726@gungnir.fnal.gov> MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 626 > > kadmin: Preauthentication failed while initializing kadmin interface > Maybe you need to do an ntpdate to get the clock synched? What he said. 
From kreymer@fnal.gov Mon Dec 11 08:19:59 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA23978 for ; Mon, 11 Dec 2000 08:19:58 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E00AD9QH87X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:19:57 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7276@listserv.fnal.gov>; Mon, 11 Dec 2000 08:19:56 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111511 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:19:56 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7275@listserv.fnal.gov>; Mon, 11 Dec 2000 08:19:56 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008I7QH7LZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:19:56 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:19:56 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:19:50 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15528 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611494C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 627 15528 has been updated by trb. Short Description : Expired Kerberos password New Work Log Entry : From: "Ruth Pordes" To: "ARSystem" ; ; "Matt Crawford" Subject: Re: 000000000015528 Assigned to CRAWFORD, MATT. 
Date: Friday, December 08, 2000 8:59 PM Hi Greg I got the error you report till I made sure timesync ran and I configured my WRQ as per the document on the web. http://www.fnal.gov/docs/strongauth/html_nov00/winadmin.html If I had to guess what actually made the most difference it was changing the Realm Defaults Tab Pre-Authentication from None to Encrypted Timestamp as instructed by page 3 of the instructions.. hope this might help Ruth From kreymer@fnal.gov Mon Dec 11 08:19:59 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA23981 for ; Mon, 11 Dec 2000 08:19:58 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E00AD9QH87X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:19:58 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7278@listserv.fnal.gov>; Mon, 11 Dec 2000 08:19:57 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111513 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:19:57 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7277@listserv.fnal.gov>; Mon, 11 Dec 2000 08:19:57 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E007MIQH7OM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:19:56 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:19:56 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:19:50 -0600 From: ARSystem Subject: Note to requester has been sent - 000000000015528 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: 
<318CC3D38BE0D211BB1200105A093F7611494E@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 628 The following note has been sent to the requester: CISKO, GREGORY Short Description : Expired Kerberos password Notes to Requester : Per Ruth: "Hi Greg I got the error you report till I made sure timesync ran and I configured my WRQ as per the document on the web. http://www.fnal.gov/docs/strongauth/html_nov00/winadmin.html If I had to guess what actually made the most difference it was changing the Realm Defaults Tab Pre-Authentication from None to Encrypted Timestamp as instructed by page 3 of the instructions.. hope this might help." From kreymer@fnal.gov Mon Dec 11 08:35:23 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA24503 for ; Mon, 11 Dec 2000 08:35:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008KYR6UQG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:35:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B729C@listserv.fnal.gov>; Mon, 11 Dec 2000 08:35:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111552 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:35:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B729B@listserv.fnal.gov>; Mon, 11 Dec 2000 08:35:18 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E00C73R6T00@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:35:17 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail 
Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:35:17 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:35:10 -0600 From: ARSystem Subject: CRAWFORD, MATT #15583 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611495B@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 629 Thank you for your assistance. Help Desk ticket #000000000015583 has been resolved on 12/11/00 8:33:59 AM Resolution Timestamp: : 12/11/00 11:38:41 AM Solution Category : Auto Resolve Problem Category : Software Type : Utilities Item : Kerberos Short Description : Kerberos "principal" password. Solution : Per Vicky: "Sorry, but I did do a kinit first; that was in my first mail to the helpdesk. The kinit worked and I entered my password. Then the kpasswd failed. I have just repeated all of this again - and amazingly it worked. Perhaps the server for the kerberos stuff really was down for a bit??" Problem Description : I finally got around to getting my kerberos password reset by Yolanda. Now I am able to log in via telnet using my cryptocard again. However, when I try to reset the kerberos password from the one that Yolanda gave me (using kpasswd) I get the following error message after I enter the old password kpasswd: Changing password for white@PILOT.FNAL.GOV. Old password: kpasswd: Cannot establish a session with the Kerberos administrative server for realm PILOT.FNAL.GOV. Preauthentication failed. This was what unknowingly got me in trouble in the first place - not actually changing my password (which I didn't even know since I had not called Yolanda, but merely registered on the web page). But meanwhile I had been happily using my cryptocard, until one day it simply shut me out. Is this a transient error, or is there something more fundamental about my "principal" that is disabled? 
I think other users who receive cryptocards, and find that it works will get into the same trouble as I did 3 months down the road. Vicky From kreymer@fnal.gov Mon Dec 11 08:35:23 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA24506 for ; Mon, 11 Dec 2000 08:35:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008KYR6UQG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:35:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B729E@listserv.fnal.gov>; Mon, 11 Dec 2000 08:35:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111554 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:35:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B729D@listserv.fnal.gov>; Mon, 11 Dec 2000 08:35:18 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E009HXR6TSQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:35:18 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:35:17 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:35:10 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15583 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611495C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 630 15583 has been updated by trb. Short Description : Kerberos "principal" password. 
New Work Log Entry : From: "Vicky White" To: "ARSystem" Subject: Re: Help Desk Ticket 15583 is actively being worked on.. Date: Friday, December 08, 2000 11:39 PM This is fixed. I don't understand what was wrong, but I now appear to be able to change my password and I have done so. Vicky From kreymer@fnal.gov Mon Dec 11 08:45:28 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA24844 for ; Mon, 11 Dec 2000 08:45:28 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008RWRNR7J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:45:27 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72BB@listserv.fnal.gov>; Mon, 11 Dec 2000 08:45:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111586 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:45:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72BA@listserv.fnal.gov>; Mon, 11 Dec 2000 08:45:27 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008O3RNQQG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:45:27 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:45:27 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:45:25 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15583 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611495F@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 631 15583 has been updated by trb. Short Description : Kerberos "principal" password. New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Subject: Re: 000000000015583 Assigned to CRAWFORD, MATT. Date: Saturday, December 09, 2000 11:17 AM
1. The user is almost certainly using the wrong old-password in the "kpasswd" command. (The only other possibility is that the system clock is off, which cannot be the case if she logged into that system with a cryptocard.)
2. If this "kpasswd" is being done when logged in by cryptocard, then it is being done over an unencrypted link and the new password will be exposed to network snoopers! This is bad. Passwords should be changed locally on a desktop system or over an encrypted link.
--------------> From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: CRAWFORD, MATT AR ticket 15583 Has Been Updated. Date: Saturday, December 09, 2000 11:32 AM I log in to d0mino via ssh I type kpasswd I type in the password I was given I get the message I reported Ah, d0mino. Now I can actually look in the log file. I doubt that d0mino's clock is wrong. It looks like the wrong old password was used several times, the password for white was changed by valadez at 10:14 Dec 8, and again by white 23:36 Dec 8. I presume the case is now closed? 
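The two threads above (Troy's kadmin failure on pinky that an ntpdate fixed, and Matt's "wrong old password or clock off" diagnosis of the kpasswd failure) turn on the same mechanism: encrypted-timestamp pre-authentication. The client encrypts its current time under the key derived from the password; the KDC decrypts it and checks both that the decryption is valid (right password) and that the time lies within the allowed clock skew. The following Python model is an added example, not code from the thread, from MIT krb5 or from the Fermi/WRQ distributions. It uses PBKDF2-HMAC-SHA256 as a stand-in for Kerberos string2key and an HMAC tag as a stand-in for the real EncryptedData, which is enough to show why both failure modes surface as one error. The principal host/pinky.fnal.gov and realm PILOT.FNAL.GOV come from the thread; the password "s3cret", the timestamps and the 300-second skew limit (the MIT krb5 default for clockskew) are assumptions made for the example.

```python
"""Model of Kerberos PA-ENC-TIMESTAMP pre-authentication (RFC 4120 5.2.7.2).

Added illustration, not MIT krb5 or WRQ Reflection code.  The real protocol
derives the key with the enctype's string2key and sends an encrypted ASN.1
PA-ENC-TS-ENC; here string2key is a PBKDF2-HMAC-SHA256 stand-in and the
"encryption" is an HMAC tag over the timestamp.  That is enough to model the
two checks the KDC performs and the order it performs them in.
"""
import hashlib
import hmac
import struct
from enum import Enum

# MIT krb5 default for [libdefaults] clockskew is 300 seconds (assumed here).
CLOCK_SKEW_SECONDS = 300


class PreauthResult(Enum):
    OK = "ok"
    # Integrity check on the decrypted timestamp failed: the client's key does
    # not match the KDC's copy, i.e. the password was wrong.
    PREAUTH_FAILED = "KDC_ERR_PREAUTH_FAILED"
    # Timestamp decrypted fine but lies outside the skew window: clock is off.
    SKEW = "KRB_AP_ERR_SKEW"


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    """Stand-in for string2key.  Kerberos' default salt is realm + principal
    components, so one password yields a different key for host/ and ftp/."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, dklen=32)


def make_pa_enc_timestamp(key: bytes, client_time: int, usec: int = 0) -> bytes:
    """Client side: bind the client's current clock to the password key.
    Layout used by this model: 4-byte seconds || 4-byte usec || 32-byte tag."""
    ts = struct.pack("!II", client_time, usec)
    return ts + hmac.new(key, ts, hashlib.sha256).digest()


def kdc_check_preauth(kdc_key: bytes, pa_data: bytes, kdc_time: int,
                      max_skew: int = CLOCK_SKEW_SECONDS) -> PreauthResult:
    """KDC side.  The key check comes first: a wrong password yields garbage on
    decryption and fails integrity before the time is ever compared.  Only a
    correct key reaches the skew check, so 'wrong password' cannot be ruled
    out by the client until the clock is known to be right."""
    ts, tag = pa_data[:8], pa_data[8:]
    expected = hmac.new(kdc_key, ts, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return PreauthResult.PREAUTH_FAILED
    client_time, _usec = struct.unpack("!II", ts)
    if abs(client_time - kdc_time) > max_skew:
        return PreauthResult.SKEW
    return PreauthResult.OK


def client_visible_error(result: PreauthResult) -> str:
    """What kadmin/kpasswd printed in the thread.  Both failure modes collapse
    into the same message, which is why a typo was suspected first when the
    real cause on pinky was an unsynced clock.  (Newer MIT clients typically
    report clock skew separately as 'Clock skew too great'.)"""
    if result is PreauthResult.OK:
        return ""
    return "Preauthentication failed"


def diagnose(typed_password: str, stored_password: str, principal: str,
             realm: str, client_time: int, kdc_time: int) -> PreauthResult:
    """One client/KDC round.  stored_password models what was set in the KDC
    database (e.g. by whoever reset the principal)."""
    client_key = string_to_key(typed_password, principal, realm)
    kdc_key = string_to_key(stored_password, principal, realm)
    pa = make_pa_enc_timestamp(client_key, client_time)
    return kdc_check_preauth(kdc_key, pa, kdc_time)


if __name__ == "__main__":
    # Constructed scenario: host/pinky.fnal.gov in PILOT.FNAL.GOV, hypothetical
    # password "s3cret", KDC clock T = 2000-12-08 16:00 CST (22:00 UTC).
    T = 976_312_800
    for label, typed, client_clock in [
        ("correct password, clock in sync", "s3cret", T),
        ("mistyped password, clock in sync", "s3cret!", T),
        ("correct password, clock 10 min behind", "s3cret", T - 600),
    ]:
        r = diagnose(typed, "s3cret", "host/pinky.fnal.gov", "PILOT.FNAL.GOV",
                     client_clock, T)
        print(f"{label}: {r.value} ({client_visible_error(r) or 'ok'})")
```

The ordering of the two checks is the practical point: fixing the clock first (ntpdate, restarting xntp, or Windows timesync as Ruth did) costs nothing and removes one of the two causes; only then does a repeated "Preauthentication failed" mean the password itself is wrong.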
From kreymer@fnal.gov Mon Dec 11 08:50:40 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA25375 for ; Mon, 11 Dec 2000 08:50:40 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008JNRWFZ7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:50:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72C8@listserv.fnal.gov>; Mon, 11 Dec 2000 08:50:39 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111598 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:50:39 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72C6@listserv.fnal.gov>; Mon, 11 Dec 2000 08:50:39 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008N5RWDLZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:50:38 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:50:38 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:50:31 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15528 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114960@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 632 15528 has been updated by trb. Short Description : Expired Kerberos password New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000015528 Assigned to CRAWFORD, MATT. 
Date: Saturday, December 09, 2000 5:02 PM When a person's Kerberos password has expired, but they still know the old password, they can change it with the kpasswd command on unix or the password-changing function of WRQ. Only if they've forgotten the old password do they need compdiv's intercession. As for: > I keep getting a Reflection Kerberos Error: > Invalid Tag (ASN008) I would want a date & time and IP address of the client host that gave the error before I went diving into the logs to try to diagnose the problem. Maybe WRQ or someone else on the kerberos-pilot list has an idea ...? From kreymer@fnal.gov Mon Dec 11 08:50:41 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA25379 for ; Mon, 11 Dec 2000 08:50:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E008JNRWFZ7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 08:50:40 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72C9@listserv.fnal.gov>; Mon, 11 Dec 2000 08:50:39 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 111600 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 08:50:39 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B72C7@listserv.fnal.gov>; Mon, 11 Dec 2000 08:50:39 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5E009L8RWDSQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 08:50:38 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 11 Dec 2000 08:50:38 -0600 Content-return: allowed Date: Mon, 11 Dec 2000 08:50:31 -0600 From: ARSystem 
Subject: Note to requester has been sent - 000000000015528 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114962@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 633 The following note has been sent to the requester: CISKO, GREGORY Short Description : Expired Kerberos password Notes to Requester : Greg, Can you provide us with the date & time and IP address of the client host that gave the error ? This will help the analyst diagnose the Reflection Kerberos Error: Invalid Tag (ASN008). Thank you, HelpDesk Tom Bozonelos From kreymer@fnal.gov Mon Dec 11 15:04:08 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28826 for ; Mon, 11 Dec 2000 15:04:08 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F0050H96WFQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 15:04:08 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7A1D@listserv.fnal.gov>; Mon, 11 Dec 2000 15:04:08 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113624 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 15:04:08 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7A1C@listserv.fnal.gov>; Mon, 11 Dec 2000 15:04:08 -0600 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F0046196V76@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 15:04:07 -0600 (CST) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.10.2/8.10.2) with ESMTP id 
eBBL48E1368231 for ; Mon, 11 Dec 2000 15:04:08 -0600 (CST) Date: Mon, 11 Dec 2000 15:04:08 -0600 From: Steven Timm Subject: WRQ problems Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 634 I have installed the WRQ X client and kerberos authenticator on my home PC. I am typing this message using a non-kerberized login with the reflection telnet client, so that is OK. When I try to connect to a kerberized host (and I have tried several), I get the message "Incorrect Network Address (KDC038). This is so, even though my Kerberos manager on the local PC shows that I have a normal krbtgt credential. Any Idea what could be going wrong here? Is this supposed to work on DHCP-based hosts such as mine which have a different IP number every time that we boot up? Steve Timm ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Mon Dec 11 15:28:48 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28881 for ; Mon, 11 Dec 2000 15:28:48 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F000SVABYEE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 15:28:47 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7A70@listserv.fnal.gov>; Mon, 11 Dec 2000 15:28:47 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113710 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 15:28:47 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7A6F@listserv.fnal.gov>; Mon, 11 Dec 2000 15:28:46 -0600 Received: from CUERVO ([131.225.82.57]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5F00545ABXJ5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 15:28:46 -0600 (CST) Date: Mon, 11 Dec 2000 15:28:46 -0600 From: "Mark O. Kaletka" Subject: RE: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 635 DHCP isn't a problem; could you be behind a network address translation (NAT) router? -- Mark K. 
> -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > Sent: Monday, December 11, 2000 3:04 PM > To: kerberos-pilot@fnal.gov > Subject: WRQ problems > > > I have installed the WRQ X client and kerberos authenticator > on my home PC. I am typing this message using a non-kerberized > login with the reflection telnet client, so that is OK. > > When I try to connect to a kerberized host (and I have tried several), > I get the message "Incorrect Network Address (KDC038). > This is so, even though my Kerberos manager on the local PC shows that I > have a normal krbtgt credential. > > Any Idea what could be going wrong here? Is this supposed to work > on DHCP-based hosts such as mine which have a different IP number > every time that we boot up? > > Steve Timm > > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > From kreymer@fnal.gov Mon Dec 11 15:30:39 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28887 for ; Mon, 11 Dec 2000 15:30:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003CVAF2YJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 15:30:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7A76@listserv.fnal.gov>; Mon, 11 Dec 2000 15:30:39 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113716 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 15:30:39 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP 
for Windows NT v1.1b) with SMTP id <0.000B7A75@listserv.fnal.gov>; Mon, 11 Dec 2000 15:30:39 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F0047GAF2SX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 15:30:38 -0600 (CST) Date: Mon, 11 Dec 2000 15:30:37 -0600 (CST) From: Dane Skow Subject: Re: English lessons: Kerberos username proposal take 2 (fwd) In-reply-to: <200012051835.eB5IZYw03806@fsui02.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Anne Heavey Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 636 Anne, Sorry for the delay but one reason for the handoff last week was I was swamped. I believe you've got it. For Stephan's comments, I think Matt and Mark would have a better answer than I. On Tue, 5 Dec 2000, Anne Heavey wrote: > Dane -- I'm in the process of interpreting this, and plan to include > the recommendation in the manual (reworded). For choosing a > principal, this is what I'm understanding -- please check: > > 1. if email = primary login (UNIX and/or NT) and both < 8 char, -- choose > this as principal Yup. > > 2. if email>8 and prim.login<=8, choose prim. login (with email id caveat) Yup. > > 3. if both email and prim. login >8, then: > > 3a. Same as (2) (add caveat "some UNIX utilities may not recognize it...") > > -or- > > 3b. If you don't want to deal with the UNIX utilities problem, choose > different principal, then change login names on all systems to match. Yup. > > 4. if email<=8 and prim.login>8, then what? Choose principal to match > email and change login names to match, too? This is harder. Presumably this case would be for someone who had a "vanity" email address and an algorithmic prim. login in the NT domain: say "boss@fnal.gov" was "witherell" in the FNAL domain. 
I guess my best advice would be to get the principal "witherell" and with the email caveat. This is likely to be the most useful for him. What I care most about is that there has to be some master list and I think the email name @ fnal.gov is the best option. Thus whoever "owns" the email name "owns" the principal whether they choose to use it or not. (might take parallels from the domain name market) > > Also, re: Stephan Lammel's comment, please verify: > > Principals can include both lower and upper case letters a-z and A-Z > as well as numbers 0-9? I don't believe there are problems associated with using the numbers, however, I would not recommend differentiation by letter cases. I believe Stephan is correct in saying that "boss@PILOT.FNAL.GOV" is different to Kerberos than "Boss@PILOT.FNAL.GOV" or "BOSS@PILOT.FNAL.GOV" but I think it would be foolish of us to assign those to different persons. The convention so far has been to have the username lower case. I would recommend we keep that. Dane > > (snip) > > ******************** > > > > Fermilab is currently deploying a Kerberos Strong Authentication system in > > support of the Run II computing systems. This is expected to expand to > > include many other systems across the site and be a unique, sitewide > > identification method for individuals using Fermilab computing resources. > > Toward that end, one needs to choose a unique username. There are > > significant conveniences if that username is the same as one's login name. > > > > The recommendation on choosing a Kerberos principal (username) is as > > follows: > > > > 0) New usernames should be chosen to be 8 or fewer characters. > > > > 1) If your email address (username@fnal.gov) is 8 or fewer characters, > > and you use this > > as your system login > > name (Unix and/or NT), then you should use this as your Kerberos > > principal. 
> > > > 1.5) If your primary system login name (Unix or NT) is 8 or fewer > > characters and that name is not used by someone else as their FNAL > > email address (username@fnal.gov), then you should use that name as your > > Kerberos principal and the username will be reserved for you as an > > email name whether you use it or not. > > > > 2) If your email address is longer than 8 characters, you should > > use your Unix or NT username. If either of those is used by another > > person as their email address on the email gateway, you may not > > use that username as your Kerberos principal and will have to relinquish > > that username as the Unix and NT systems are Kerberized. > > > > That is: If John Doe is "jack@fnal.gov" and "johndoe" on d0mino and NT > > and, > > John Dinklemeister is "dinklemeister@fnal.gov" and on NT and > > "jack" on cdfsgi2, then; > > John Doe may use "jack" or "johndoe" as his Kerberos principal > > (provided there is no other johndoe@fnal.gov). > > John Dinklemeister may not use "jack" as his Kerberos principal > > and will have to stop using "jack" on cdfsgi2 when that > > machine joins the Strong Authentication realm. If John > > rarely uses Unix, then using "dinklemeister" as the > > Kerberos principal and the CryptoCard for Unix would be a > > reasonable choice. > > > > 3) If none of the above are workable solutions, then you should either > > a) get a completely new, common username for all systems or b) go ahead and > > use the longer than 8 character username. The difficulties are: > > > > a) means you will have to move or rename your current accounts > > and files. > > b) means you will very likely have difficulty (often of a > > difficult-to-diagnose type) using Unix resources. For example, Solaris > > does not accept user names longer than 8 characters for login, currently. 
> > > > *** > > > > Dane Skow, > > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > -- Anne > > Anne Heavey | Fermilab Computing Division | WWW Group > Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Dec 11 15:48:49 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28921 for ; Mon, 11 Dec 2000 15:48:49 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F00630B9CGH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 15:48:48 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AB5@listserv.fnal.gov>; Mon, 11 Dec 2000 15:48:49 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113783 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 15:48:49 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AB4@listserv.fnal.gov>; Mon, 11 Dec 2000 15:48:48 -0600 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003CGB9COL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 15:48:48 -0600 (CST) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.10.2/8.10.2) with ESMTP id eBBLmmx1380877; Mon, 11 Dec 2000 15:48:49 -0600 (CST) Date: Mon, 11 Dec 2000 15:48:48 -0600 From: Steven Timm Subject: RE: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. 
Kaletka" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 637 It's quite unlikely. However, is there any test that could be done to check? For instance, should ping from Fermilab back to my host work? because it doesn't right now. Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Mon, 11 Dec 2000, Mark O. Kaletka wrote: > DHCP isn't a problem; could you be behind a network address translation > (NAT) router? > > -- Mark K. > > > -----Original Message----- > > From: owner-kerberos-pilot@listserv.fnal.gov > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > > Sent: Monday, December 11, 2000 3:04 PM > > To: kerberos-pilot@fnal.gov > > Subject: WRQ problems > > > > > > I have installed the WRQ X client and kerberos authenticator > > on my home PC. I am typing this message using a non-kerberized > > login with the reflection telnet client, so that is OK. > > > > When I try to connect to a kerberized host (and I have tried several), > > I get the message "Incorrect Network Address (KDC038). > > This is so, even though my Kerberos manager on the local PC shows that I > > have a normal krbtgt credential. > > > > Any Idea what could be going wrong here? Is this supposed to work > > on DHCP-based hosts such as mine which have a different IP number > > every time that we boot up? > > > > Steve Timm > > > > > > ------------------------------------------------------------------ > > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > From kreymer@fnal.gov Mon Dec 11 15:55:25 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28936 for ; Mon, 11 Dec 2000 15:55:25 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003H5BKCYJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 15:55:25 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AD1@listserv.fnal.gov>; Mon, 11 Dec 2000 15:55:25 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113813 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 15:55:25 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AD0@listserv.fnal.gov>; Mon, 11 Dec 2000 15:55:25 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F001TNBKC8G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 15:55:24 -0600 (CST) Date: Mon, 11 Dec 2000 15:55:24 -0600 (CST) From: Dane Skow Subject: RE: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: "Mark O. Kaletka" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 638 On Mon, 11 Dec 2000, Steven Timm wrote: > It's quite unlikely. However, is there any test that could be > done to check? For instance, should ping from Fermilab back > to my host work? because it doesn't right now. 
That might depend on how you have your local machine access controls set up. I do a couple of things to check on my path. 1) send a mail message to your FNAL account and read from an internal machine. Looking at full headers can give an interesting path for debugging. 2) if you get a DOS window (either from the Win9x program line or running cmd) then ipconfig (or ifconfig I never remember which) will show the machine address. This should match the address the ISP has given you and what you get from an nslookup here when you lookup your home machine name from FNAL. dane > > Steve > > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Mon, 11 Dec 2000, Mark O. Kaletka wrote: > > > DHCP isn't a problem; could you be behind a network address translation > > (NAT) router? > > > > -- Mark K. > > > > > -----Original Message----- > > > From: owner-kerberos-pilot@listserv.fnal.gov > > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > > > Sent: Monday, December 11, 2000 3:04 PM > > > To: kerberos-pilot@fnal.gov > > > Subject: WRQ problems > > > > > > > > > I have installed the WRQ X client and kerberos authenticator > > > on my home PC. I am typing this message using a non-kerberized > > > login with the reflection telnet client, so that is OK. > > > > > > When I try to connect to a kerberized host (and I have tried several), > > > I get the message "Incorrect Network Address (KDC038). > > > This is so, even though my Kerberos manager on the local PC shows that I > > > have a normal krbtgt credential. > > > > > > Any Idea what could be going wrong here? Is this supposed to work > > > on DHCP-based hosts such as mine which have a different IP number > > > every time that we boot up? 
> > > > > > Steve Timm > > > > > > > > > ------------------------------------------------------------------ > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > Fermilab Computing Division/Operating Systems Support > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > > > > > > > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Dec 11 16:09:41 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA28959 for ; Mon, 11 Dec 2000 16:09:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003HVC84NI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 16:09:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AF8@listserv.fnal.gov>; Mon, 11 Dec 2000 16:09:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113855 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 16:09:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7AF7@listserv.fnal.gov>; Mon, 11 Dec 2000 16:09:41 -0600 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F00583C84FQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 16:09:40 -0600 (CST) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.10.2/8.10.2) with ESMTP id eBBM9fS1385691; Mon, 11 Dec 2000 16:09:41 -0600 (CST) Date: Mon, 11 Dec 2000 16:09:40 -0600 From: Steven Timm Subject: RE: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; 
charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 639 > That might depend on how you have your local machine access controlls > setup. I do a couple things to check on my path. > > 1) send a mail message to your FNAL account and read from > an interal machine. Looking at full headers can give an > interesting path for debugging. u4o9w9.wedgewood.net, according to the headers, is where E-mail from my machine appears to originate from. This address is not nslookupable. Most of my logins to fnalu seem to be coming from a80.wedgewood.net, which nslookups to 209.247.234.80. My machine internally believes its IP to be 10.2.2.68 and sees our mail gateway mail.wedgewood.net at 10.1.1.4. The outside world views mail.wedgewood.net at 209.247.234.71. So, it would seem that there is some network address translation going on. Do you guys agree? If so, is there any way to get around it? Negotiating with the ISP for a fixed IP#, for instance? Steve > > 2) if you get a DOS window (either from the Win9x program line or > running cmd) then ipconfig (or ifconfig I never remember which) will > show the machine address. This should match the address the ISP > has given you and what you get from an nslookup here when you > lookup your home machine name from FNAL. > > dane > > > > > Steve > > > > > > ------------------------------------------------------------------ > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Scientific Computing Support Group--Computing Farms Operations > > > > On Mon, 11 Dec 2000, Mark O. Kaletka wrote: > > > > > DHCP isn't a problem; could you be behind a network address translation > > > (NAT) router? > > > > > > -- Mark K. 
> > > > > > > -----Original Message----- > > > > From: owner-kerberos-pilot@listserv.fnal.gov > > > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > > > > Sent: Monday, December 11, 2000 3:04 PM > > > > To: kerberos-pilot@fnal.gov > > > > Subject: WRQ problems > > > > > > > > > > > > I have installed the WRQ X client and kerberos authenticator > > > > on my home PC. I am typing this message using a non-kerberized > > > > login with the reflection telnet client, so that is OK. > > > > > > > > When I try to connect to a kerberized host (and I have tried several), > > > > I get the message "Incorrect Network Address (KDC038). > > > > This is so, even though my Kerberos manager on the local PC shows that I > > > > have a normal krbtgt credential. > > > > > > > > Any Idea what could be going wrong here? Is this supposed to work > > > > on DHCP-based hosts such as mine which have a different IP number > > > > every time that we boot up? > > > > > > > > Steve Timm > > > > > > > > > > > > ------------------------------------------------------------------ > > > > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > > Fermilab Computing Division/Operating Systems Support > > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > > > > > > > > > > > > > > > > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > > > From kreymer@fnal.gov Mon Dec 11 16:24:09 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA28990 for ; Mon, 11 Dec 2000 16:24:08 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F005DNCW8J5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 16:24:08 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B18@listserv.fnal.gov>; Mon, 11 Dec 2000 16:24:08 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113891 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 16:24:08 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B17@listserv.fnal.gov>; Mon, 11 Dec 2000 16:24:08 -0600 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F004GZCW7QQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 16:24:07 -0600 (CST) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.10.2/8.10.2) with ESMTP id eBBMO8r1390431 for ; Mon, 11 Dec 2000 16:24:08 -0600 (CST) Date: Mon, 11 Dec 2000 16:24:08 -0600 From: Steven Timm Subject: Re: WRQ problems Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: 
X-Keywords: X-UID: 640 Would a firewall between me and Fermilab also explain why the WRQ X manager can't see any X displays and why all clients seem to exit immediately and never bring anything up on the display? Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Mon Dec 11 16:34:32 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA29008 for ; Mon, 11 Dec 2000 16:34:32 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F005F8DDJJ5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 16:34:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B2A@listserv.fnal.gov>; Mon, 11 Dec 2000 16:34:32 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113909 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 16:34:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B29@listserv.fnal.gov>; Mon, 11 Dec 2000 16:34:32 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F004GEDDJSX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 16:34:31 -0600 (CST) Date: Mon, 11 Dec 2000 16:34:31 -0600 (CST) From: Dane Skow Subject: Re: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 641 On Mon, 
11 Dec 2000, Steven Timm wrote: > Would a firewall between me and Fermilab also explain why the WRQ > X manager can't see any X displays and why all clients seem to exit > immediately and never bring anything up on the display? I'd follow the previous thread first that the NAT is mucking up the process. If they use NAT, then there needs to be some proxy process for getting the X screen back to your final machine. Since it appears to be the ISP who is running NAT "for" you, then I'd press their technical support people for a proposed solution. This should not be an exotic request (and if they can't handle it, speaks poorly for their competence). Basically a simple request of how can you access your home machine from work should be a simple example of the access you want. Watch what your DISPLAY variable does as you hop through the process, that's a frequent point of failure for X displays. Like the ssh tunnel, the X display here has to point to some virtual screen on their proxy which maps onto your machine properly. dane > > Steve > > > ------------------------------------------------------------------ > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Dec 11 16:39:51 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA29012 for ; Mon, 11 Dec 2000 16:39:51 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003MSDMEYJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 16:39:51 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B32@listserv.fnal.gov>; Mon, 11 Dec 2000 16:39:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 113917 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 16:39:51 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7B31@listserv.fnal.gov>; Mon, 11 Dec 2000 16:39:51 -0600 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F004IVDMEQQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 16:39:50 -0600 (CST) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.10.2/8.10.2) with ESMTP id eBBMdpQ1391643; Mon, 11 Dec 2000 16:39:51 -0600 (CST) Date: Mon, 11 Dec 2000 16:39:50 -0600 From: Steven Timm Subject: Re: WRQ problems In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 642 Tech support confirms 
that there is indeed a firewall.. have left
E-mail for the competent ones. Will see what happens.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 11 Dec 2000, Dane Skow wrote:

> On Mon, 11 Dec 2000, Steven Timm wrote:
>
> > Would a firewall between me and Fermilab also explain why the WRQ
> > X manager can't see any X displays and why all clients seem to exit
> > immediately and never bring anything up on the display?
>
> I'd follow the previous thread first that the NAT is mucking up the
> process. If they use NAT, then there needs to be some proxy process
> for getting the X screen back to your final machine. Since it appears
> to be the ISP who is running NAT "for" you, then I'd press their
> technical support people for a proposed solution. This should not
> be an exotic request (and if they can't handle it, speaks poorly for
> their competence). Basically a simple request of how can you access
> your home machine from work should be a simple example of the access
> you want.
>
> Watch what your DISPLAY variable does as you hop through the process,
> that's a frequent point of failure for X displays. Like the ssh tunnel,
> the X display here has to point to some virtual screen on their proxy
> which maps onto your machine properly.
>
> dane
>
> >
> > Steve
> >
> >
> > ------------------------------------------------------------------
> > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Scientific Computing Support Group--Computing Farms Operations > > > > > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > From kreymer@fnal.gov Mon Dec 11 17:46:40 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA29186 for ; Mon, 11 Dec 2000 17:46:40 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F004P2GPRSX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Dec 2000 17:46:40 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7BAD@listserv.fnal.gov>; Mon, 11 Dec 2000 17:46:40 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 114045 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 11 Dec 2000 17:46:40 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7BAC@listserv.fnal.gov>; Mon, 11 Dec 2000 17:46:40 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5F003TWGPRYJ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 11 Dec 2000 17:46:39 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA17055; Mon, 11 Dec 2000 17:46:39 -0600 (CST) Date: Mon, 11 Dec 2000 17:46:39 -0600 From: Matt Crawford Subject: Re: WRQ problems In-reply-to: "11 Dec 2000 16:09:40 CST." 
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: Dane Skow , kerberos-pilot@fnal.gov
Message-id: <200012112346.RAA17055@gungnir.fnal.gov>
Content-id: <17051.976578399.1@gungnir.fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 643

> My machine internally believes its IP to be 10.2.2.68 and sees our

That's NAT all right. It is completely independent of having a fixed
vs. variable IP address.

You could make a case that your so-called ISP is not giving you internet
service at all, but something different, because they are not taking the
packets you send and delivering them to the other end. Sue their bits off.

From kreymer@fnal.gov Tue Dec 12 08:55:16 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA31753 for ; Tue, 12 Dec 2000 08:55:16 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G00M9LMS3GE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Dec 2000 08:55:16 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7FF7@listserv.fnal.gov>; Tue, 12 Dec 2000 08:55:15 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 115222 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 12 Dec 2000 08:55:15 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B7FF6@listserv.fnal.gov>; Tue, 12 Dec 2000 08:55:15 -0600
Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G00MAZMS3GK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 12 Dec 2000 08:55:15 -0600 (CST)
Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id 
IAA25116; Tue, 12 Dec 2000 08:55:14 -0600 (CST)
Date: Tue, 12 Dec 2000 08:55:14 -0600 (CST)
From: "David J. Fagan"
Subject: Re: WRQ problems
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200012121455.IAA25116@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=iso-8859-1
Precedence: normal
In-hurl-to: (Your message of Mon, 11 Dec 2000 16:39:50 CST.)
X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id IAA31753
Status: RO
X-Status:
X-Keywords:
X-UID: 644

The only solution your provider can do is take you out of NAT or you
could run a Linux (or any kind of Unix) box instead and set up a proxy
gateway which is not configurable with WRQ.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Monday, Steven Timm:
> Tech support confirms that there is indeed a firewall.. have left
> E-mail for the competent ones. Will see what happens.
>
> Steve
>
>
> ------------------------------------------------------------------
> Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Mon, 11 Dec 2000, Dane Skow wrote:
>
> > On Mon, 11 Dec 2000, Steven Timm wrote:
> >
> > > Would a firewall between me and Fermilab also explain why the WRQ
> > > X manager can't see any X displays and why all clients seem to exit
> > > immediately and never bring anything up on the display?
> >
> > I'd follow the previous thread first that the NAT is mucking up the
> > process. If they use NAT, then there needs to be some proxy process
> > for getting the X screen back to your final machine. Since it appears
> > to be the ISP who is running NAT "for" you, then I'd press their
> > technical support people for a proposed solution. This should not
> > be an exotic request (and if they can't handle it, speaks poorly for
> > their competence). Basically a simple request of how can you access
> > your home machine from work should be a simple example of the access
> > you want.
> >
> > Watch what your DISPLAY variable does as you hop through the process,
> > that's a frequent point of failure for X displays. Like the ssh tunnel,
> > the X display here has to point to some virtual screen on their proxy
> > which maps onto your machine properly.
> >
> > dane
> >
> > >
> > > Steve
> > >
> > >
> > > ------------------------------------------------------------------
> > > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > Fermilab Computing Division/Operating Systems Support > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > > > > Dane Skow, > > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > > > From kreymer@fnal.gov Tue Dec 12 11:42:16 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA31874 for ; Tue, 12 Dec 2000 11:42:16 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G005JKUIFBY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Dec 2000 11:42:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B82D4@listserv.fnal.gov>; Tue, 12 Dec 2000 11:42:15 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 116030 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 12 Dec 2000 11:42:15 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B82D3@listserv.fnal.gov>; Tue, 12 Dec 2000 11:42:15 -0600 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G006BIUIEI7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 12 Dec 2000 11:42:14 -0600 (CST) Date: Tue, 12 Dec 2000 11:42:14 -0600 From: Troy Dawson Subject: ftp acess Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A366376.C0EDF635@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 645 Hello, I'm having problems ftping from one strengthened node to another. 
I can telnet from one node to another without any problems.
But when I try to ftp to each other I get the following.

bash-2.03$ which ftp
/usr/krb5/bin/ftp
bash-2.03$ which telnet
/usr/krb5/bin/telnet
bash-2.03$ ftp cob
Connected to cob.fnal.gov.
220 cob.fnal.gov FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (cob:dawson): dawson
530 User dawson access denied.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
530 Please login with USER and PASS.
Passive mode refused. Turning off passive mode.
200 PORT command successful.
530 Please login with USER and PASS.
ftp> quit
221 Goodbye.
bash-2.03$ klist
Ticket cache: /tmp/krb5cc_6989
Default principal: dawson@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
12/12/00 11:26:31  12/13/00 13:26:31  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
12/12/00 11:26:31  12/13/00 13:26:31  afs/fnal.gov@PILOT.FNAL.GOV
12/12/00 11:30:15  12/13/00 13:26:31  host/cob.fnal.gov@PILOT.FNAL.GOV
12/12/00 11:30:24  12/13/00 13:26:31  ftp/cob.fnal.gov@PILOT.FNAL.GOV
bash-2.03$

Any ideas? Both machines are running fresh installs of Fermi Linux 6.1.2,
and both have fresh, untouched kerberos 'keep-ssh' installs, version 0.6.
I have tried it with an 0.7 one as well, with the same results. I have
also done the -v option, which has the exact same output.
Thanks Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Tue Dec 12 11:47:39 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA31894 for ; Tue, 12 Dec 2000 11:47:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G005J0UREO1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Dec 2000 11:47:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B82FC@listserv.fnal.gov>; Tue, 12 Dec 2000 11:47:39 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 116072 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 12 Dec 2000 11:47:39 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B82FB@listserv.fnal.gov>; Tue, 12 Dec 2000 11:47:38 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5G005JLUREXX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 12 Dec 2000 11:47:38 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA23302; Tue, 12 Dec 2000 11:47:38 -0600 (CST) Date: Tue, 12 Dec 2000 11:47:38 -0600 From: Matt Crawford Subject: Re: ftp acess In-reply-to: "12 Dec 2000 11:42:14 CST." 
<3A366376.C0EDF635@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Troy Dawson Cc: kerberos-pilot@fnal.gov Message-id: <200012121747.LAA23302@gungnir.fnal.gov> Content-id: <23298.976643257.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 646 I'm going to guess that this is the age-old problem of your shell not being listed in that magic file -- what is it, /etc shells? Check it out. From kreymer@fnal.gov Wed Dec 13 07:42:01 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA28757 for ; Wed, 13 Dec 2000 07:42:01 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00B57E20ZH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 07:42:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B90C8@listserv.fnal.gov>; Wed, 13 Dec 2000 07:42:00 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 119813 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 07:42:00 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B90C6@listserv.fnal.gov>; Wed, 13 Dec 2000 07:41:59 -0600 Received: from fnal.gov ([24.178.21.178]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00C69E1Y02@smtp.fnal.gov>; Wed, 13 Dec 2000 07:41:59 -0600 (CST) Date: Wed, 13 Dec 2000 07:41:57 -0600 From: Heidi Schellman Subject: kerberos authentication fails - cannot access time server either Sender: owner-kerberos-pilot@listserv.fnal.gov To: helpdesk@fnal.gov, d0-admin@fnal.gov, kerberos-pilot@fnal.gov Message-id: <3A377CA5.D5B3AB17@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (Win98; U) Content-type: text/plain; charset=us-ascii 
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 647

I'm trying to get kerberos authentication and failing through both UNIX
and windows. Cryptocard access works but kinit and connection via
kerberized telnet do not.

Heidi Schellman - D0

Here are the details and error messages

on d0mino:
kinit
Password for schellma@PILOT.FNAL.GOV:
kinit: Preauthentication failed while getting initial credentials

on a pc:
From WRQ v 7 (Win 98 IP 24.178.21.178 fixed)
Preauthentication Failed (KDC024)

on the pc:
If I attempt a timesync with 131.225.8.200 or 131.235.17.200
I get ' the system clock could not be synchronized'
' could not communicate with NTP servers'

Is anyone else reporting such errors?

Is PILOT up?

Is the time server up?

Are PILOT and the time servers in synch with the rest of FNAL computing?

From kreymer@fnal.gov Wed Dec 13 08:23:07 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA28778 for ; Wed, 13 Dec 2000 08:23:07 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00BC9FYIZC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 08:23:06 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9142@listserv.fnal.gov>; Wed, 13 Dec 2000 08:23:06 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 119947 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 08:23:06 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9141@listserv.fnal.gov>; Wed, 13 Dec 2000 08:23:06 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00CCFFYH02@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 08:23:06 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 13 Dec 2000 08:23:06 -0600
Content-return: allowed
Date: Wed, 13 Dec 2000 08:23:04 -0600
From: ARSystem
Subject: 000000000015664 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114BC2@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 648

CRAWFORD, MATT, Help Desk Ticket #000000000015664
has been assigned to you.

It is a(n) Medium priority Software/Utilities
/Kerberos type of problem.
Short description: kerberos authentication fails - cannot access time
server either

Badge # (+) : 03622V
First Name : HEIDI
Last Name (+) : SCHELLMAN
Phone : 5221
E-Mail Address : SCHELLMAN@FNAL.GOV
Incident Time : 12/13/00 7:41:15 AM
System Name : D0MINO
Urgency : Medium
Public Work Log :
Problem Description : I'm trying to get kerberos authentication and
failing through both UNIX
and windows. Cryptocard access works but kinit and connection via
kerberized telnet do not.

Heidi Schellman - D0

Here are the details and error messages

on d0mino:
kinit
Password for schellma@PILOT.FNAL.GOV:
kinit: Preauthentication failed while getting initial credentials

on a pc:
From WRQ v 7 (Win 98 IP 24.178.21.178 fixed)
Preauthentication Failed (KDC024)

on the pc:
If I attempt a timesync with 131.225.8.200 or 131.235.17.200
I get ' the system clock could not be synchronized'
' could not communicate with NTP servers'

Is anyone else reporting such errors?

Is PILOT up?

Is the time server up?

Are PILOT and the time servers in synch with the rest of FNAL computing?
From kreymer@fnal.gov Wed Dec 13 08:31:37 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA28784 for ; Wed, 13 Dec 2000 08:31:37 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00CDZGCP0B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 08:31:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9153@listserv.fnal.gov>; Wed, 13 Dec 2000 08:31:37 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 119964 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 08:31:37 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9152@listserv.fnal.gov>; Wed, 13 Dec 2000 08:31:36 -0600 Received: from fnal.gov ([24.178.21.178]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00CD9GCN0D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 08:31:36 -0600 (CST) Date: Wed, 13 Dec 2000 08:31:34 -0600 From: Heidi Schellman Subject: Re: 000000000015664 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <3A378846.42E08370@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (Win98; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <318CC3D38BE0D211BB1200105A093F76114BC2@csdserver2.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 649

More details

#1 Matt Crawford is on vacation

#2 another user Melanson reports success with kinit from d0mino

#3 NCSA http://www.ncsa.uiuc.edu/General/CC/kerberos/troubleshooting.html
says this is normally due to:

kinit: Preauthentication failed while getting initial credentials

This happens when a user's principal has the "requires_preauth" flag and
either one of three things occurs:
1. They enter their password incorrectly
2. They only have an AFS salted key in the KDC database. This will cause
a "file not found" error in the KDC logs.
3. The clock skew on the system they are on is too large. This will be
indicated in the KDC logs.

but none of these seem to be the problem - although I can't look at the
KDC logs.

1) I am using, as far as I can tell, my correct password. It is not
expired or if it is, I can't change it.

kinit
Password for schellma@PILOT.FNAL.GOV:
kinit: Preauthentication failed while getting initial credentials

kpasswd
kpasswd: Changing password for schellma@PILOT.FNAL.GOV.
Old password:
kpasswd: Cannot establish a session with the Kerberos administrative
server for realm PILOT.FNAL.GOV. Preauthentication failed.

2) we don't use AFS

3) The fact that melanson can kinit from d0mino indicates that it is not
a time synch problem with d0mino. Although the fact that I can't access
the time servers is a bit worrisome.

I apparently have a valid kerberos ticket on d0mino - I can

telnet d0lxbld1
Trying 131.225.225.15...
Connected to d0lxbld1.fnal.gov (131.225.225.15).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``schellma@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]

ARSystem wrote:
>
> CRAWFORD, MATT, Help Desk Ticket #000000000015664
> has been assigned to you.
>
> It is a(n) Medium priority Software/Utilities
> /Kerberos type of problem.
> Short description: kerberos authentication fails - cannot access time
> server either
>
> Badge # (+) : 03622V
> First Name : HEIDI
> Last Name (+) : SCHELLMAN
> Phone : 5221
> E-Mail Address : SCHELLMAN@FNAL.GOV
> Incident Time : 12/13/00 7:41:15 AM
> System Name : D0MINO
> Urgency : Medium
> Public Work Log :
> Problem Description : I'm trying to get kerberos authentication and
> failing through both UNIX
> and windows. Cryptocard access works but kinit and connection via
> kerberized telnet do not.
>
> Heidi Schellman - D0
>
> Here are the details and error messages
>
> on d0mino:
> kinit
> Password for schellma@PILOT.FNAL.GOV:
> kinit: Preauthentication failed while getting initial credentials
>
> on a pc:
> From WRQ v 7 (Win 98 IP 24.178.21.178 fixed)
> Preauthentication Failed (KDC024)
>
> on the pc:
> If I attempt a timesync with 131.225.8.200 or 131.235.17.200
> I get ' the system clock could not be synchronized'
> ' could not communicate with NTP servers'
>
> Is anyone else reporting such errors?
>
> Is PILOT up?
>
> Is the time server up?
>
> Are PILOT and the time servers in synch with the rest of FNAL
> computing?
From kreymer@fnal.gov Wed Dec 13 09:42:17 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA28870 for ; Wed, 13 Dec 2000 09:42:17 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00CS2JMG02@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 09:42:17 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9267@listserv.fnal.gov>; Wed, 13 Dec 2000 09:42:16 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 120252 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 09:42:16 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9265@listserv.fnal.gov>; Wed, 13 Dec 2000 09:42:16 -0600
Received: from CUERVO ([131.225.82.7]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5I00CTNJMF0C@smtp.fnal.gov>; Wed, 13 Dec 2000 09:42:15 -0600 (CST)
Date: Wed, 13 Dec 2000 09:42:15 -0600
From: "Mark O. Kaletka"
Subject: RE: kerberos authentication fails - cannot access time server either
In-reply-to: <3A377CA5.D5B3AB17@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Heidi Schellman , helpdesk@fnal.gov, d0-admin@fnal.gov, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 650

It seems to be working this moment -- I'm able to both time sync and
authenticate (here on-site).

"Preauthentication failed" can result from either a system clock off by
more than five minutes from ntp or an incorrect password.

You should be able to tell if the system clock is correct to within a
few minutes, even without ntp. Otherwise the problem is in your password
(which seems likely if it's failing on d0mino as well).

The time sync problem from your (home?) pc may be an ISP-induced
problem, you should check connectivity with the time servers (tracert
or ping) and/or check whether your ISP provides an alternate time
server.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Heidi
> Schellman
> Sent: Wednesday, December 13, 2000 7:42 AM
> To: helpdesk@fnal.gov; d0-admin@fnal.gov; kerberos-pilot@fnal.gov
> Subject: kerberos authentication fails - cannot access time server
> either
>
>
> I'm trying to get kerberos authentication and failing through both UNIX
> and windows. Cryptocard access works but kinit and connection via
> kerberized telnet do not.
>
> Heidi Schellman - D0
>
> Here are the details and error messages
>
> on d0mino:
> kinit
> Password for schellma@PILOT.FNAL.GOV:
> kinit: Preauthentication failed while getting initial credentials
>
>
> on a pc:
> From WRQ v 7 (Win 98 IP 24.178.21.178 fixed)
> Preauthentication Failed (KDC024)
>
> on the pc:
> If I attempt a timesync with 131.225.8.200 or 131.235.17.200
> I get ' the system clock could not be synchronized'
> ' could not communicate with NTP servers'
>
> Is anyone else reporting such errors?
>
> Is PILOT up?
>
> Is the time server up?
>
> Are PILOT and the time servers in synch with the rest of FNAL computing?
From kreymer@fnal.gov Wed Dec 13 10:10:22 2000 -0600
Date: Wed, 13 Dec 2000 10:10:18 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15528 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114BED@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000015528 has been resolved on 12/13/00 10:09:51 AM
Resolution Timestamp: 12/13/00 9:34:24 AM
Solution Category: Information Request
Problem Category: Software
Type: Utilities
Item: Kerberos
Short Description: Expired Kerberos password
Solution: Per the analyst: "If I had to guess what actually made the most difference it was changing the Realm Defaults Tab Pre-Authentication from None to Encrypted Timestamp as instructed by page 3 of the instructions."
Problem Description: Apparently my password on pilot.fnal.gov has expired. Can you please have it reset?
Thanks,
Greg

From kreymer@fnal.gov Wed Dec 13 11:25:49 2000 -0600
Date: Wed, 13 Dec 2000 11:25:48 -0600
From: Michael Diesburg
Subject: Re: kerberos authentication fails - cannot access time server either
To: "Heidi Schellman ."
Cc: d0-admin@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <3A37B11C.88D50132@fnal.gov>
Organization: Fermi National Accelerator Laboratory
References: <3A377CA5.D5B3AB17@fnal.gov>

The time on d0mino appears to be correct and xntp has been running
continuously since Nov 30, so I don't think this is a time sync problem
(at least not on the d0mino end). The authorization log on d0mino shows
a couple of successful kerberos telnet connections around the time you
were connecting (one at 7:27 from oneil on clued0 and one at 7:48 from
melanson on his laptop) so it looks like this is probably something
peculiar to your account.

Mike

Heidi Schellman wrote:
>
> I'm trying to get kerberos authentication and failing through both UNIX
> and windows. Cryptocard access works but kinit and connection via
> kerberized telnet do not.
>
> Heidi Schellman - D0
>
> Here are the details and error messages
>
> on d0mino:
> kinit
> Password for schellma@PILOT.FNAL.GOV:
> kinit: Preauthentication failed while getting initial credentials
>
> on a pc:
> From WRQ v 7 (Win 98 IP 24.178.21.178 fixed)
> Preauthentication Failed (KDC024)
>
> on the pc:
> If I attempt a timesync with 131.225.8.200 or 131.235.17.200
> I get ' the system clock could not be synchronized'
> ' could not communicate with NTP servers'
>
> Is anyone else reporting such errors?
>
> Is PILOT up?
>
> Is the time server up?
>
> Are PILOT and the time servers in synch with the rest of FNAL computing?
From kreymer@fnal.gov Wed Dec 13 11:31:41 2000 -0600
Date: Wed, 13 Dec 2000 11:31:38 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: 000000000015664 Assigned to CRAWFORD, MATT.
In-reply-to: <3A378846.42E08370@fnal.gov>
To: Heidi Schellman
Cc: ARSystem, "'kerberos-pilot@fnal.gov'"

Another possibility is that /tmp is full...

Marc

From kreymer@fnal.gov Wed Dec 13 11:32:01 2000 -0600
Date: Wed, 13 Dec 2000 11:31:41 -0600
From: Wyatt Merritt
Subject: RE: kerberos authentication fails - cannot access time server either
In-reply-to: <3A37B11C.88D50132@fnal.gov>
To: Michael Diesburg
Cc: d0-admin@fnal.gov, kerberos-pilot@fnal.gov, Heidi Schellman
Reply-to: wyatt@fnal.gov
Message-id: <07db01c0652a$8df1f4d0$0ae7e183@d0nt43.fnal.gov>

Mike,

I had one failure this morning as well - my sequence was:
- log in to d0mino from WRQ on my desk, w/ Kerberos passwd - OK
- telnet from d0mino to d0test, using CCard - OK
- logout from d0test, returning to d0mino session
- type kinit from d0mino session, use Kerberos password - **failed**, same error message as Heidi
- exit d0mino session
- log in to d0mino from putty on my desk, w/ Unix passwd - OK
- type kinit from d0mino session - worked!
- log out
- log in to d0mino from WRQ on my desk - OK
- type kinit from d0mino session, use Kerberos password - worked!

Hope more info helps untangle this.

Regards,
Wyatt

From kreymer@fnal.gov Wed Dec 13 11:55:10 2000 -0600
Date: Wed, 13 Dec 2000 11:54:52 -0600
From: schellman@fnal.gov
Subject: Re: 000000000015664 Assigned to CRAWFORD, MATT.
To: "Marc W. Mengel"
Cc: ARSystem, "'kerberos-pilot@fnal.gov'"
Message-id: <3A37B7EC.1F31938B@fnal.gov>

I checked on d0mino and it is 4% full. I also tried going to d0lxbld1
and got the same errors. It really is acting like my password has been
changed.

Wyatt Merritt reports getting the same error as me on a kinit this
morning and then succeeding later when she retried.

heidi

"Marc W. Mengel" wrote:
>
> Another possibility is that /tmp is full...
>
> Marc

From kreymer@fnal.gov Wed Dec 13 12:09:49 2000 -0600
Date: Wed, 13 Dec 2000 12:09:47 -0600 (CST)
From: Igor_Terekhov
Subject: inetd kerberos daemons not working
To: kerberos-pilot@fnal.gov

Hi,

I have installed kerberos v0_7 on igor.fnal.gov (Fermi Redhat 5.2)
using

upd install -G"-c" kerberos
and then (as root)
ups install kerberos v0_7

I do have a working principal.

I cannot however telnet or rsh into the machine:
d0mino:~> /usr/krb5/bin/telnet igor\
>
Trying 131.225.84.79...
Connected to igor.fnal.gov (131.225.84.79).
Escape character is '^]'.

WARNING NOTICE!

This is a United States Department of Energy computer system, which may be
accessed and used only for official Government business by authorized
personnel. Unauthorized access or use of this computer system may subject
violators to criminal, civil, and/or administrative action.

All information on this computer system may be intercepted, recorded, read,
copied, and disclosed by and to authorized personnel for official purposes,
including criminal investigations. Access or use of this computer system by
any person, whether authorized or unauthorized, constitutes consent to these
terms.

The Fermilab Policy on Computing, including authorized use, may be found at
http://www.fnal.gov/cd/main/cpolicy.html.

[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached

d0mino:~> /usr/krb5/bin/rsh igor
Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
Server returned error code 60 (Generic error (see e-text))
Error text sent from server: No such file or directory
rsh: kcmd to host igor failed - Server rejected authentication (during sendauth exchange)

Thank you!

-+-+-+-+-+-+-+-+-+-
Igor Terekhov, Ph.D.
Computing Division, ODS MS 120
Fermi National Accelerator Laboratory
Phone: 630-840-8884 Fax: x2783
E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Wed Dec 13 12:13:51 2000 -0600
Date: Wed, 13 Dec 2000 12:13:50 -0600 (CST)
From: Steven Timm
Subject: Re: inetd kerberos daemons not working
To: Igor_Terekhov
Cc: kerberos-pilot@fnal.gov

Igor, did you do a
kill -HUP on the inetd?

You have to do that before it will see the daemons.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 13 Dec 2000, Igor_Terekhov wrote:

> Hi,
>
> I have installed kerberos v0_7 on igor.fnal.gov (Fermi Redhat 5.2)
> using
>
> upd install -G"-c" kerberos
> and then (as root)
> ups install kerberos v0_7
>
> I do have a working principal.
>
> I cannot however telnet or rsh into the machine:
> d0mino:~> /usr/krb5/bin/telnet igor\
> >
> Trying 131.225.84.79...
> Connected to igor.fnal.gov (131.225.84.79).
> Escape character is '^]'.
>
> WARNING NOTICE!
>
> This is a United States Department of Energy computer system, which may be
> accessed and used only for official Government business by authorized
> personnel. Unauthorized access or use of this computer system may subject
> violators to criminal, civil, and/or administrative action.
>
> All information on this computer system may be intercepted, recorded, read,
> copied, and disclosed by and to authorized personnel for official purposes,
> including criminal investigations. Access or use of this computer system by
> any person, whether authorized or unauthorized, constitutes consent to these
> terms.
>
> The Fermilab Policy on Computing, including authorized use, may be found at
> http://www.fnal.gov/cd/main/cpolicy.html.
>
>
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Trying KERBEROS4 ... ]
> mk_req failed: You have no tickets cached
> [ Trying KERBEROS4 ... ]
> mk_req failed: You have no tickets cached
>
> d0mino:~> /usr/krb5/bin/rsh igor
> Couldn't authenticate to server: Server rejected authentication (during
> sendauth exchange)
> Server returned error code 60 (Generic error (see e-text))
> Error text sent from server: No such file or directory
> rsh: kcmd to host igor failed - Server rejected authentication (during
> sendauth exchange)
>
> Thank you!
>
> -+-+-+-+-+-+-+-+-+-
> Igor Terekhov, Ph.D.
> Computing Division, ODS MS 120
> Fermi National Accelerator Laboratory
> Phone: 630-840-8884 Fax: x2783
> E-mail: terekhov@fnal.gov
>
>

From kreymer@fnal.gov Wed Dec 13 12:18:33 2000 -0600
Date: Wed, 13 Dec 2000 12:18:11 -0600 (CST)
From: Igor_Terekhov
Subject: Re: inetd kerberos daemons not working
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

Yup

On Wed, 13 Dec 2000, Steven Timm wrote:

> Igor, did you do a
> kill -HUP on the inetd?
>
> You have to do that before it will see the daemons.
>
>
>
> Steve
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Wed, 13 Dec 2000, Igor_Terekhov wrote:
>
> > Hi,
> >
> > I have installed kerberos v0_7 on igor.fnal.gov (Fermi Redhat 5.2)
> > using
> >
> > upd install -G"-c" kerberos
> > and then (as root)
> > ups install kerberos v0_7
> >
> > I do have a working principal.
> >
> > I cannot however telnet or rsh into the machine:
> > d0mino:~> /usr/krb5/bin/telnet igor\
> > >
> > Trying 131.225.84.79...
> > Connected to igor.fnal.gov (131.225.84.79).
> > Escape character is '^]'.
> >
> > WARNING NOTICE!
> >
> > This is a United States Department of Energy computer system, which may be
> > accessed and used only for official Government business by authorized
> > personnel. Unauthorized access or use of this computer system may subject
> > violators to criminal, civil, and/or administrative action.
> >
> > All information on this computer system may be intercepted, recorded, read,
> > copied, and disclosed by and to authorized personnel for official purposes,
> > including criminal investigations. Access or use of this computer system by
> > any person, whether authorized or unauthorized, constitutes consent to these
> > terms.
> >
> > The Fermilab Policy on Computing, including authorized use, may be found at
> > http://www.fnal.gov/cd/main/cpolicy.html.
> >
> >
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> > failed: No such file or directory ]
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> > failed: No such file or directory ]
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> > failed: No such file or directory ]
> > [ Trying KERBEROS4 ... ]
> > mk_req failed: You have no tickets cached
> > [ Trying KERBEROS4 ... ]
> > mk_req failed: You have no tickets cached
> >
> > d0mino:~> /usr/krb5/bin/rsh igor
> > Couldn't authenticate to server: Server rejected authentication (during
> > sendauth exchange)
> > Server returned error code 60 (Generic error (see e-text))
> > Error text sent from server: No such file or directory
> > rsh: kcmd to host igor failed - Server rejected authentication (during
> > sendauth exchange)
> >
> > Thank you!
> >
> > -+-+-+-+-+-+-+-+-+-
> > Igor Terekhov, Ph.D.
> > Computing Division, ODS MS 120
> > Fermi National Accelerator Laboratory
> > Phone: 630-840-8884 Fax: x2783
> > E-mail: terekhov@fnal.gov
> >
> >

-+-+-+-+-+-+-+-+-+-
Igor Terekhov, Ph.D.
Computing Division, ODS MS 120
Fermi National Accelerator Laboratory
Phone: 630-840-8884 Fax: x2783
E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Wed Dec 13 12:28:17 2000 -0600
Date: Wed, 13 Dec 2000 12:28:14 -0600
From: ARSystem
Subject: 000000000015670 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114C33@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015670 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Cryptocard type of problem.

Short description: Can't use Cryptocard with regular telnet
Badge # (+): 04225V
First Name: RICHARD
Last Name (+): PARTRIDGE
Phone: 8702
E-Mail Address: PARTRIDGE@HEP.BROWN.EDU
Incident Time: 12/13/00 12:07:44 PM
System Name:
Urgency: Medium
Public Work Log:
Problem Description: When I telnet to d0mino.fnal.gov from my PC with any of several different Telnet programs I get a "login:" prompt. If I type in either "partridge" or "partridge@PILOT.FNAL.GOV", I get a "login incorrect" message. I thought this was how I was supposed to access these machines using a Cryptocard. What am I doing wrong?

Please note that when I am at my normal desktop PC, I use a Kerberos client (Mink) to login and use a Kerberized Telnet (Hummingbird Exceed V7.0). This works fine except for some reason it has recently started prompting me for my Cryptocard response right after I enter my Kerberos password...I just cancel this and get my ticket OK. Thus, I don't always use the Cryptocard for logging in, only when I am not using my desktop computer. However, things seem to behave exactly the opposite of what would be expected (i.e., I get the Cryptocard challenge/response dialog when I try a Kerberos login, instead of when I use regular telnet).

Thanks for your help.

Regards,
Richard Partridge

From kreymer@fnal.gov Wed Dec 13 12:55:35 2000 -0600
Date: Wed, 13 Dec 2000 12:55:33 -0600
From: Matt Crawford
Subject: Re: 000000000015664 Assigned to CRAWFORD, MATT.
In-reply-to: "13 Dec 2000 08:31:34 CST." <3A378846.42E08370@fnal.gov>
To: Heidi Schellman
Cc: ARSystem, "'kerberos-pilot@fnal.gov'"
Message-id: <200012131855.MAA01423@gungnir.fnal.gov>

> #1 Matt Crawford is on vacation

Why does everyone keep saying this? I don't get vacations :-/ I'm at
a meeting.

> #2 another user Melanson reports success with kinit from d0mino

So the d0mino clock is OK. Everyone would have noticed if it weren't.

> #3 ...

I don't think we've ever run into the AFS-salted-only problem because
we didn't migrate any principals from the AFS cell to Kerberos5. The
only reasonable explanation I can see is a wrong password.

On the other hand, the KDC does show "No such file or directory - pa
verify failure" for your kinit requests from d0mino. But it's not a
case of AFS-only:

Last password change: Fri Oct 13 07:40:47 CDT 2000
[...]
Number of keys: 3
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4
Key: vno 2, DES cbc mode with CRC-32, AFS version 3
Attributes: REQUIRES_PRE_AUTH

The key types and ordering are the same for schellma as for everyone else.
I just tried a kinit for myself on gungnir with a wrong password and the
log looks the same as in your case.

So I still think it's a bad-password problem. Could weird keyboard mappings
be behind it?
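Reading a principal listing the way the reply above does, as an added example (not code from the thread or from Fermilab's tooling): it parses kadmin getprinc-style output and reports whether REQUIRES_PRE_AUTH is set and whether the key set is AFS-salted-only, the two things the reply checks before concluding the password is wrong. The listings, realm and principal names are constructed placeholders.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the listing quoted in the message above;
# the "[...]" lines elided there are simply absent here. Realm and principal
# names are placeholders, not Fermilab values.
SAMPLE_LISTING = """\
Principal: someuser@EXAMPLE.REALM
Last password change: Fri Oct 13 07:40:47 CDT 2000
Number of keys: 3
Key: vno 2, DES cbc mode with CRC-32, no salt
Key: vno 2, DES cbc mode with CRC-32, Version 4
Key: vno 2, DES cbc mode with CRC-32, AFS version 3
Attributes: REQUIRES_PRE_AUTH
"""

# Constructed counter-example: a principal whose only key carries the AFS
# salt, the "AFS-salted-only" case the thread rules out for schellma.
AFS_ONLY_LISTING = """\
Principal: migrated@EXAMPLE.REALM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, AFS version 3
Attributes:
"""


@dataclass
class PrincipalKeys:
    principal: str = ""
    declared_keys: int = 0                          # value of "Number of keys:"
    keys: list = field(default_factory=list)        # (vno, enctype, salt)
    attributes: set = field(default_factory=set)


# "Key: vno <n>, <enctype>[, <salt type>]". kadmin of that vintage prints the
# default Kerberos 5 salt as "no salt", so that label does not mean unsalted.
KEY_RE = re.compile(r"^Key:\s*vno\s+(\d+),\s*([^,]+)(?:,\s*(.+))?$")


def parse_principal(text):
    """Parse the getprinc-style lines we care about; other lines are ignored."""
    p = PrincipalKeys()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Principal:"):
            p.principal = line.split(":", 1)[1].strip()
        elif line.startswith("Number of keys:"):
            p.declared_keys = int(line.split(":", 1)[1])
        elif line.startswith("Key:"):
            m = KEY_RE.match(line)
            if not m:
                raise ValueError("unrecognised key line: " + line)
            vno, enctype, salt = m.groups()
            p.keys.append((int(vno), enctype.strip(), (salt or "no salt").strip()))
        elif line.startswith("Attributes:"):
            p.attributes = set(line.split(":", 1)[1].split())
    return p


def requires_preauth(p):
    """KDC demands pre-authentication (encrypted timestamp) before an AS-REP."""
    return "REQUIRES_PRE_AUTH" in p.attributes


def salt_types(p):
    return sorted({salt for _, _, salt in p.keys})


def afs_salted_only(p):
    """True when every key carries an AFS salt, i.e. no default-salt v5 key."""
    return bool(p.keys) and all(salt.startswith("AFS") for _, _, salt in p.keys)


def diagnose(p):
    """Return the findings an admin would read off the listing, as strings."""
    findings = []
    if p.declared_keys and p.declared_keys != len(p.keys):
        findings.append(f"listing declares {p.declared_keys} keys but shows {len(p.keys)}")
    salts = salt_types(p)
    if afs_salted_only(p):
        findings.append("AFS-salted keys only: no default-salt v5 key for a kinit to match")
    elif "no salt" in salts:
        findings.append("has a default-salt v5 key; a preauth failure then points at "
                        "the password typed (or the client), not the key set")
    else:
        findings.append("no default-salt v5 key present: salts " + ", ".join(salts))
    if requires_preauth(p):
        findings.append("REQUIRES_PRE_AUTH set: a wrong password fails at the "
                        "pre-authentication step, before any ticket is issued")
    else:
        findings.append("REQUIRES_PRE_AUTH not set: KDC would return an AS-REP "
                        "without first verifying the password")
    return findings


if __name__ == "__main__":
    for listing in (SAMPLE_LISTING, AFS_ONLY_LISTING):
        p = parse_principal(listing)
        print(p.principal, salt_types(p))
        for finding in diagnose(p):
            print("  -", finding)
```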
From kreymer@fnal.gov Wed Dec 13 13:06:34 2000 -0600
Date: Wed, 13 Dec 2000 13:06:33 -0600
From: Heidi Schellman
Subject: Re: 000000000015664 Assigned to CRAWFORD, MATT.
To: Matt Crawford
Cc: ARSystem, "'kerberos-pilot@fnal.gov'"
Message-id: <3A37C8B9.4DE59586@fnal.gov>
References: <200012131855.MAA01423@gungnir.fnal.gov>

Yikes, I'm using the same keyboard/code as I was before. I was happily
using this last night.

Matt Crawford wrote:
>
> > #1 Matt Crawford is on vacation
>
> Why does everyone keep saying this? I don't get vacations :-/ I'm at
> a meeting.
>
> > #2 another user Melanson reports success with kinit from d0mino
>
> So the d0mino clock is OK. Everyone would have noticed if it weren't.
>
> > #3 ...
>
> I don't think we've ever run into the AFS-salted-only problem because
> we didn't migrate any principals from the AFS cell to Kerberos5. The
> only reasonable explanation I can see is a wrong password.
>
> On the other hand, the KDC does show "No such file or directory - pa
> verify failure" for your kinit requests from d0mino. But it's not a
> case of AFS-only:
>
> Last password change: Fri Oct 13 07:40:47 CDT 2000
> [...]
> Number of keys: 3
> Key: vno 2, DES cbc mode with CRC-32, no salt
> Key: vno 2, DES cbc mode with CRC-32, Version 4
> Key: vno 2, DES cbc mode with CRC-32, AFS version 3
> Attributes: REQUIRES_PRE_AUTH
>
> The key types and ordering are the same for schellma as for everyone else.
> I just tried a kinit for myself on gungnir with a wrong password and the
> log looks the same as in your case.
>
> So I still think it's a bad-password problem. Could weird keyboard mappings
> be behind it?
From kreymer@fnal.gov Wed Dec 13 13:06:50 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29637 for ; Wed, 13 Dec 2000 13:06:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I0023OT3DN1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 13:06:50 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9574@listserv.fnal.gov>; Wed, 13 Dec 2000 13:06:50 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121085 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 13:06:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9573@listserv.fnal.gov>; Wed, 13 Dec 2000 13:06:50 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I00323T3D42@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 13:06:49 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA01636; Wed, 13 Dec 2000 13:06:49 -0600 (CST) Date: Wed, 13 Dec 2000 13:06:49 -0600 From: Matt Crawford Subject: Re: inetd kerberos daemons not working In-reply-to: "13 Dec 2000 12:09:47 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Igor_Terekhov Cc: kerberos-pilot@fnal.gov Message-id: <200012131906.NAA01636@gungnir.fnal.gov> Content-id: <1632.976734408.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 662 I believe you have not yet done "ups install-host-keys kerberos". Note: once you do that, you will have to delete any tickets you already have cached for host/igor.fnal.gov. 
"kinit -R" or jujst "kinit" will purge them. From kreymer@fnal.gov Wed Dec 13 13:22:20 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29652 for ; Wed, 13 Dec 2000 13:22:20 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I000G2TT6QL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 13:22:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9597@listserv.fnal.gov>; Wed, 13 Dec 2000 13:22:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121121 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 13:22:19 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9596@listserv.fnal.gov>; Wed, 13 Dec 2000 13:22:19 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001ESTT60X@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 13:22:18 -0600 (CST) Received: from localhost (terekhov@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with ESMTP id eBDJMHR09825; Wed, 13 Dec 2000 13:22:17 -0600 (CST) Date: Wed, 13 Dec 2000 13:22:17 -0600 (CST) From: Igor_Terekhov Subject: Re: inetd kerberos daemons not working In-reply-to: <200012131906.NAA01636@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: terekhov owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 663 Matt, I would expect that to be a part of the "ups install kerberos" script. 
Anyway, I failed to exec the command explicitly: igor:~> ups install-host-keys kerberos INFORMATIONAL: There is no ACTION=install-host-keys section in this table file. I also tried: igor:~> /usr/krb5/bin/kinit -R kinit: No credentials cache file found renewing tgt Thanks! igor On Wed, 13 Dec 2000, Matt Crawford wrote: > I believe you have not yet done "ups install-host-keys kerberos". > Note: once you do that, you will have to delete any tickets you > already have cached for host/igor.fnal.gov. "kinit -R" or just > "kinit" will purge them. > -+-+-+-+-+-+-+-+-+- Igor Terekhov, Ph.D. Computing Division, ODS MS 120 Fermi National Accelerator Laboratory Phone: 630-840-8884 Fax: x2783 E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Wed Dec 13 13:34:01 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29662 for ; Wed, 13 Dec 2000 13:34:01 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I0016VUCPOP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 13:34:01 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95B4@listserv.fnal.gov>; Wed, 13 Dec 2000 13:34:01 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121153 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 13:34:01 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95B3@listserv.fnal.gov>; Wed, 13 Dec 2000 13:34:01 -0600 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001ECUCOGQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 13:34:00 -0600 (CST) Date: Wed, 13 Dec 2000 13:33:28 -0600 From: "Laurelin of Middle Earth, 
630-840-2214" Subject: Re: inetd kerberos daemons not working Sender: owner-kerberos-pilot@listserv.fnal.gov To: Igor_Terekhov Cc: kerberos-pilot@fnal.gov Message-id: <3A37CF08.51537A96@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 664 A few brainstorm ideas: a) I tried to telnet from d0mino (where I had credentials) to igor. (I don't know if I really have an account there or not, but what the heck.) Here's what I see: d0mino:/tmp> telnet igor.fnal.gov Trying 131.225.84.79... Connected to igor.fnal.gov (131.225.84.79). Escape character is '^]'. WARNING NOTICE! [...] [ Kerberos V5 accepts you as ``lauri@PILOT.FNAL.GOV'' ] [ Kerberos V5 accepted forwarded credentials ] Dan Yocum Red Hat Linux Release 5.2.1 (Charm) Kernel 2.0.36 on an i686 Login incorrect login: This makes me think that I do NOT have an account on igor (which is what I would have suspected) -- but note, Kerberos accepted my forwarded credentials. Igor, I think something else is going on here. Do you have credentials from the node whence you are coming? -- lauri Igor_Terekhov wrote: > > Hi, > > I have installed kerberos v0_7 on igor.fnal.gov (Fermi Redhat 5.2) > using > > upd install -G"-c" kerberos > and then (as root) > ups install kerberos v0_7 > > I do have a working principal. > > I cannot however telnet or rsh into the machine: > d0mino:~> /usr/krb5/bin/telnet igor\ > > > Trying 131.225.84.79... > Connected to igor.fnal.gov (131.225.84.79). > Escape character is '^]'. > > WARNING NOTICE! > > This is a United States Department of Energy computer system, which may be > accessed and used only for official Government business by authorized > personnel. Unauthorized access or use of this computer system may subject > violators to criminal, civil, and/or administrative action. 
> > All information on this computer system may be intercepted, recorded, > read, > copied, and disclosed by and to authorized personnel for official > purposes, > including criminal investigations. Access or use of this computer system > by > any person, whether authorized or unauthorized, constitutes consent to > these > terms. > > The Fermilab Policy on Computing, including authorized use, may be found > at > http://www.fnal.gov/cd/main/cpolicy.html. > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: No such file or directory ] > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: No such file or directory ] > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: No such file or directory ] > [ Trying KERBEROS4 ... ] > mk_req failed: You have no tickets cached > [ Trying KERBEROS4 ... ] > mk_req failed: You have no tickets cached > > d0mino:~> /usr/krb5/bin/rsh igor > Couldn't authenticate to server: Server rejected authentication (during > sendauth exchange) > Server returned error code 60 (Generic error (see e-text)) > Error text sent from server: No such file or directory > rsh: kcmd to host igor failed - Server rejected authentication (during > sendauth exchange) > > Thank you! > > -+-+-+-+-+-+-+-+-+- > Igor Terekhov, Ph.D. 
> Computing Division, ODS MS 120 > Fermi National Accelerator Laboratory > Phone: 630-840-8884 Fax: x2783 > E-mail: terekhov@fnal.gov From kreymer@fnal.gov Wed Dec 13 13:34:49 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29666 for ; Wed, 13 Dec 2000 13:34:49 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I002D2UE02Q@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 13:34:48 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95BE@listserv.fnal.gov>; Wed, 13 Dec 2000 13:34:48 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121163 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 13:34:48 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95BD@listserv.fnal.gov>; Wed, 13 Dec 2000 13:34:48 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I0036OUE042@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 13:34:48 -0600 (CST) Received: from localhost (terekhov@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with ESMTP id eBDJYjg11291; Wed, 13 Dec 2000 13:34:47 -0600 (CST) Date: Wed, 13 Dec 2000 13:34:45 -0600 (CST) From: Igor_Terekhov Subject: Re: inetd kerberos daemons not working In-reply-to: <200012131906.NAA01636@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: terekhov owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 665 I have executed the recommended command; this time 
installation went w/o errors. However rsh still fails (see at the end). Thank you! igor:~> ups install-hostkeys kerberos Do you have the passwords to enable the ftp and host services? (y/n, default y) y Password for ftp/igor.fnal.gov service: Password for host/igor.fnal.gov service: (default is the same as the ftp/igor.fnal.gov password you just entered) Preparing to configure host keys on this node... Service ftp/igor.fnal.gov added to krb5.keytab. Service host/igor.fnal.gov added to krb5.keytab. Automated installation of kerberos complete. IMPORTANT: 1) krb5conf installation was not requested. 2) /etc/services configuration was not requested. 3) ypmaster configuration was not requested. 4) /etc/inetd.conf configuration was not requested. 5) inetd daemon 'kill -HUP' was not requested. 6) /etc/sshd_config file was not requested. 7) sshd daemon 'kill -HUP' was not requested. These steps should be performed for a complete installation of kerberos. Optional: you may choose to replace /bin/login with the kerberized version via: ups install-login kerberos (not necessary on IRIX platforms). igor:~> killall killall killall5 igor:~> killall -HUP inetd NOW TRYING TO USE IT: d0mino:~> rsh igor Couldn't authenticate to server: Server rejected authentication (during sendauth exchange) Server returned error code 60 (Generic error (see e-text)) Error text sent from server: Key version number for principal in key table is incorrect rsh: kcmd to host igor failed - Server rejected authentication (during sendauth exchange) On Wed, 13 Dec 2000, Matt Crawford wrote: > I believe you have not yet done "ups install-host-keys kerberos". > Note: once you do that, you will have to delete any tickets you > already have cached for host/igor.fnal.gov. "kinit -R" or just > "kinit" will purge them. > -+-+-+-+-+-+-+-+-+- Igor Terekhov, Ph.D. 
Computing Division, ODS MS 120 Fermi National Accelerator Laboratory Phone: 630-840-8884 Fax: x2783 E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Wed Dec 13 13:50:27 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29678 for ; Wed, 13 Dec 2000 13:50:27 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001GXV2ITO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 13:49:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95EE@listserv.fnal.gov>; Wed, 13 Dec 2000 13:49:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121213 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 13:49:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B95ED@listserv.fnal.gov>; Wed, 13 Dec 2000 13:49:30 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I000IXV2IZ9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 13:49:30 -0600 (CST) Received: from localhost (terekhov@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with ESMTP id eBDJnTd13222; Wed, 13 Dec 2000 13:49:29 -0600 (CST) Date: Wed, 13 Dec 2000 13:49:29 -0600 (CST) From: Igor_Terekhov Subject: Re: inetd kerberos daemons not working In-reply-to: <3A37CF08.51537A96@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: terekhov owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 666

I am sorry I changed my kerberos password in 
between. Once I re-kinit myself I was in fact able to get into igor. Thank you! PLEASE PLEASE PLEASE! Try to make error messages more meaningful! [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] previous one: > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: No such file or directory ] On Wed, 13 Dec 2000, Laurelin of Middle Earth, 630-840-2214 wrote: > A few brainstorm ideas: > > a) I tried to telnet from d0mino (where I had credentials) to igor. > (I don't know if I really have an account there or not, but what the > heck.) Here's what I see: > > d0mino:/tmp> telnet igor.fnal.gov > Trying 131.225.84.79... > Connected to igor.fnal.gov (131.225.84.79). > Escape character is '^]'. > > WARNING NOTICE! > [...] > > [ Kerberos V5 accepts you as ``lauri@PILOT.FNAL.GOV'' ] > [ Kerberos V5 accepted forwarded credentials ] > > Dan Yocum Red Hat Linux Release 5.2.1 (Charm) > Kernel 2.0.36 on an i686 > > Login incorrect > login: > > This makes me think that I do NOT have an account on igor (which is > what I would have suspected) -- but note, Kerberos accepted my forwarded > credentials. > > Igor, I think something else is going on here. Do you have credentials > from the node whence you are coming? > > -- lauri > > > Igor_Terekhov wrote: > > > > Hi, > > > > I have installed kerberos v0_7 on igor.fnal.gov (Fermi Redhat 5.2) > > using > > > > upd install -G"-c" kerberos > > and then (as root) > > ups install kerberos v0_7 > > > > I do have a working principal. > > > > I cannot however telnet or rsh into the machine: > > d0mino:~> /usr/krb5/bin/telnet igor\ > > > > > Trying 131.225.84.79... > > Connected to igor.fnal.gov (131.225.84.79). > > Escape character is '^]'. > > > > WARNING NOTICE! > > > > This is a United States Department of Energy computer system, which may be > > accessed and used only for official Government business by authorized > > personnel. 
Unauthorized access or use of this computer system may subject > > violators to criminal, civil, and/or administrative action. > > > > All information on this computer system may be intercepted, recorded, > > read, > > copied, and disclosed by and to authorized personnel for official > > purposes, > > including criminal investigations. Access or use of this computer system > > by > > any person, whether authorized or unauthorized, constitutes consent to > > these > > terms. > > > > The Fermilab Policy on Computing, including authorized use, may be found > > at > > http://www.fnal.gov/cd/main/cpolicy.html. > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: No such file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: No such file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: No such file or directory ] > > [ Trying KERBEROS4 ... ] > > mk_req failed: You have no tickets cached > > [ Trying KERBEROS4 ... ] > > mk_req failed: You have no tickets cached > > > > d0mino:~> /usr/krb5/bin/rsh igor > > Couldn't authenticate to server: Server rejected authentication (during > > sendauth exchange) > > Server returned error code 60 (Generic error (see e-text)) > > Error text sent from server: No such file or directory > > rsh: kcmd to host igor failed - Server rejected authentication (during > > sendauth exchange) > > > > Thank you! > > > > -+-+-+-+-+-+-+-+-+- > > Igor Terekhov, Ph.D. > > Computing Division, ODS MS 120 > > Fermi National Accelerator Laboratory > > Phone: 630-840-8884 Fax: x2783 > > E-mail: terekhov@fnal.gov > -+-+-+-+-+-+-+-+-+- Igor Terekhov, Ph.D. 
Computing Division, ODS MS 120 Fermi National Accelerator Laboratory Phone: 630-840-8884 Fax: x2783 E-mail: terekhov@fnal.gov From kreymer@fnal.gov Wed Dec 13 14:36:11 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA02011 for ; Wed, 13 Dec 2000 14:36:11 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001TMX8ATO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 14:36:11 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B96E2@listserv.fnal.gov>; Wed, 13 Dec 2000 14:36:10 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121492 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 14:36:10 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B96E1@listserv.fnal.gov>; Wed, 13 Dec 2000 14:36:10 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001I8X89OP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 14:36:09 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA02512; Wed, 13 Dec 2000 14:36:09 -0600 (CST) Date: Wed, 13 Dec 2000 14:36:09 -0600 From: Matt Crawford Subject: Re: inetd kerberos daemons not working In-reply-to: "13 Dec 2000 13:34:45 CST." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Igor_Terekhov Cc: kerberos-pilot@fnal.gov Message-id: <200012132036.OAA02512@gungnir.fnal.gov> Content-id: <2508.976739769.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 667

> d0mino:~> rsh igor > Couldn't authenticate to server: Server rejected authentication (during > sendauth exchange) > Server returned error code 60 (Generic error (see e-text)) > Error text sent from server: Key version number for principal in key table > is incorrect This is that gotcha I warned of in my previous message. You got a ticket for host/igor.fnal.gov back when the key for the server was based on a password assigned by Yolanda. The process of running install-hostkeys changes the service key to a new random value and bumps the "kvno" (key version number). You still have the old ticket, but the server only knows the new kvno. Solution: flush old tickets, by "kinit -R" or "kinit".

From kreymer@fnal.gov Wed Dec 13 14:37:51 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA02450 for ; Wed, 13 Dec 2000 14:37:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I002PVXB12Q@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 14:37:50 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B96E9@listserv.fnal.gov>; Wed, 13 Dec 2000 14:37:50 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121500 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 14:37:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B96E8@listserv.fnal.gov>; Wed, 13 Dec 2000 14:37:50 -0600 Received: from gungnir.fnal.gov 
([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I000PTXB1Z9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 14:37:49 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA02538; Wed, 13 Dec 2000 14:37:49 -0600 (CST) Date: Wed, 13 Dec 2000 14:37:48 -0600 From: Matt Crawford Subject: Re: inetd kerberos daemons not working In-reply-to: "13 Dec 2000 13:49:29 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Igor_Terekhov Cc: kerberos-pilot@fnal.gov Message-id: <200012132037.OAA02538@gungnir.fnal.gov> Content-id: <2534.976739868.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 668

> PLEASE PLEASE PLEASE! Try to make error messages more meaningful! > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: Key version number for principal in key table is incorrect ] That message is perfectly precise (unlike the more common "preauthentication failed"). The trouble is, it's not in a language the user needs to be acquainted with. 
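The kvno "gotcha" Matt describes above (a cached host/igor.fnal.gov ticket sealed under the old, password-derived key while the keytab now holds the regenerated key with a bumped kvno) and the two error texts seen in this thread can be reproduced in a small model of what a Kerberized daemon does inside krb5_rd_req. The following is an added example written for this archive, not code from the thread, from Fermilab's ups/upd scripts or from MIT krb5: the KDC, keytab and credential cache are in-memory dictionaries, the cipher is a toy SHA-256 keystream with an HMAC tag standing in for real Kerberos enctypes, the principal and client names follow the thread, and the initial "assigned password" is a placeholder string. The three error strings are the com_err texts MIT krb5 prints for errno ENOENT, KRB5_KT_KVNONOTFOUND and KRB5_KT_NOTFOUND.

```python
"""Toy model of the keytab lookup a Kerberized daemon performs in krb5_rd_req.
Added example for this thread; not MIT krb5 code. The cipher is a stand-in."""
import hashlib
import hmac
import os

# com_err texts MIT krb5 prints for errno ENOENT, KRB5_KT_KVNONOTFOUND and
# KRB5_KT_NOTFOUND respectively.
ENOENT = "No such file or directory"
KVNO_ERR = "Key version number for principal in key table is incorrect"
KT_NOTFOUND = "Key table entry not found"


def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def toy_encrypt(key, plaintext):
    """Toy encrypt-then-MAC; exists only so that a wrong key is detected."""
    nonce = os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def toy_decrypt(key, blob):
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Service principal database: principal -> (kvno, key)."""

    def __init__(self):
        self.db = {}

    def set_key(self, principal, key):
        kvno = self.db.get(principal, (0, None))[0] + 1   # every key change bumps kvno
        self.db[principal] = (kvno, key)
        return kvno

    def ticket(self, client, service):
        """Service ticket; it names the kvno it was sealed under."""
        kvno, key = self.db[service]
        return {"sname": service, "kvno": kvno, "enc": toy_encrypt(key, client.encode())}


class Host:
    """Server side. keytab stays None until install-hostkeys has run."""

    def __init__(self, name):
        self.principal = "host/" + name
        self.keytab = None                      # (principal, kvno) -> key

    def install_hostkeys(self, kdc):
        """Models 'ups install-hostkeys': fresh random key, kvno bumped at the
        KDC, and the new entry written to the local keytab."""
        key = os.urandom(32)
        kvno = kdc.set_key(self.principal, key)
        self.keytab = {(self.principal, kvno): key}

    def rd_req(self, ticket):
        """Look up (sname, kvno) from the ticket in the keytab, then decrypt."""
        if self.keytab is None:
            raise OSError(ENOENT)               # keytab file does not exist
        key = self.keytab.get((ticket["sname"], ticket["kvno"]))
        if key is None:
            if any(p == ticket["sname"] for p, _ in self.keytab):
                raise PermissionError(KVNO_ERR)  # principal known, kvno stale
            raise PermissionError(KT_NOTFOUND)
        return toy_decrypt(key, ticket["enc"]).decode()


def replay_thread():
    """Constructed scenario following the thread's timeline; returns what
    the client would see at each step."""
    kdc = KDC()
    # Initial host key derived from an assigned password (placeholder), kvno 1.
    kdc.set_key("host/igor.fnal.gov", hashlib.sha256(b"assigned-password").digest())
    igor = Host("igor.fnal.gov")
    ccache = {"host/igor.fnal.gov": kdc.ticket("terekhov", "host/igor.fnal.gov")}
    seen = []
    try:                                        # first rsh: no keytab on igor yet
        igor.rd_req(ccache["host/igor.fnal.gov"])
    except OSError as e:
        seen.append(str(e))
    igor.install_hostkeys(kdc)                  # kvno is now 2 at KDC and in keytab
    try:                                        # second rsh: cached ticket has kvno 1
        igor.rd_req(ccache["host/igor.fnal.gov"])
    except PermissionError as e:
        seen.append(str(e))
    ccache.clear()                              # kinit: flush the stale ticket
    ccache["host/igor.fnal.gov"] = kdc.ticket("terekhov", "host/igor.fnal.gov")
    seen.append(igor.rd_req(ccache["host/igor.fnal.gov"]))
    return seen


if __name__ == "__main__":
    for line in replay_thread():
        print(line)
```

Running it prints the ENOENT text, then the kvno text, then the authenticated client name, which is the order the thread went through. The detail worth keeping in mind is that the kvno check happens before any decryption: a stale ticket is refused by the table lookup alone, so flushing the credential cache (or waiting for the old ticket to expire) is the only client-side fix, and no amount of re-running the server install will accept it.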
From kreymer@fnal.gov Wed Dec 13 14:44:09 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA05072 for ; Wed, 13 Dec 2000 14:44:08 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I003FOXJNLB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 14:43:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9703@listserv.fnal.gov>; Wed, 13 Dec 2000 14:43:00 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121530 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 14:43:00 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9702@listserv.fnal.gov>; Wed, 13 Dec 2000 14:43:00 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5I001R5XJNMG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 14:42:59 -0600 (CST) Received: from localhost (terekhov@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with ESMTP id eBDKgwf23355; Wed, 13 Dec 2000 14:42:59 -0600 (CST) Date: Wed, 13 Dec 2000 14:42:58 -0600 (CST) From: Igor_Terekhov Subject: Re: inetd kerberos daemons not working In-reply-to: <200012132037.OAA02538@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: terekhov owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 669 Yes I agree. Being a developer I know how hard it is to write meaningful messages! On Wed, 13 Dec 2000, Matt Crawford wrote: > > PLEASE PLEASE PLEASE! 
Try to make error messages more meaningful! > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: Key version number for principal in key table is incorrect ] > > That message is perfectly precise (unlike the more common "preauthentication > failed"). The trouble is, it's not in a language the user needs to be > acquainted with. > -+-+-+-+-+-+-+-+-+- Igor Terekhov, Ph.D. Computing Division, ODS MS 120 Fermi National Accelerator Laboratory Phone: 630-840-8884 Fax: x2783 E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Wed Dec 13 16:28:18 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA08054 for ; Wed, 13 Dec 2000 16:28:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J008G22DUF9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 16:27:30 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B980D@listserv.fnal.gov>; Wed, 13 Dec 2000 16:27:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 121811 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 16:27:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B980C@listserv.fnal.gov>; Wed, 13 Dec 2000 16:27:30 -0600 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J007FB2DTYR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 16:27:29 -0600 (CST) Date: Wed, 13 Dec 2000 16:27:29 -0600 From: Troy Dawson Subject: Re: ftp access Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: <3A37F7D1.21D1480E@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; 
Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200012121747.LAA23302@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 670 Hi Matt, Yep, that did it. I didn't even know it was an age old problem. I wonder if putting the /usr/local/bin/ shells in that file for an oss install would be a good idea. Thanks again Troy Matt Crawford wrote: > > I'm going to guess that this is the age-old problem of your > shell not being listed in that magic file -- what is it, > /etc shells? > > Check it out. -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Wed Dec 13 18:00:46 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA08515 for ; Wed, 13 Dec 2000 18:00:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00D376P952@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 18:00:46 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B98F7@listserv.fnal.gov>; Wed, 13 Dec 2000 18:00:46 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 122075 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 18:00:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B98F5@listserv.fnal.gov>; Wed, 13 Dec 2000 18:00:46 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J007SC6P9ZC@smtp.fnal.gov>; Wed, 13 Dec 2000 18:00:45 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov 
(8.9.1/8.9.1) with ESMTP id SAA04358; Wed, 13 Dec 2000 18:00:44 -0600 (CST) Date: Wed, 13 Dec 2000 18:00:44 -0600 From: Matt Crawford Subject: Re: kerberos authentication fails - cannot access time server either In-reply-to: "13 Dec 2000 11:31:41 CST." <07db01c0652a$8df1f4d0$0ae7e183@d0nt43.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: wyatt@fnal.gov Cc: d0-admin@fnal.gov, kerberos-pilot@fnal.gov, Heidi Schellman Message-id: <200012140000.SAA04358@gungnir.fnal.gov> Content-id: <4354.976752044.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 671

> I had one failure this morning as well - my sequence was: Can we chalk a single failure bracketed by successes up as an accidentally wrong password?

From kreymer@fnal.gov Wed Dec 13 18:05:42 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA09837 for ; Wed, 13 Dec 2000 18:05:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00D0I6XHQL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 18:05:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B991C@listserv.fnal.gov>; Wed, 13 Dec 2000 18:05:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 122123 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 18:05:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B991B@listserv.fnal.gov>; Wed, 13 Dec 2000 18:05:41 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00BAM6XGQR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 18:05:40 -0600 (CST) 
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id SAA04400; Wed, 13 Dec 2000 18:05:40 -0600 (CST) Date: Wed, 13 Dec 2000 18:05:40 -0600 From: Matt Crawford Subject: Re: 000000000015670 Assigned to CRAWFORD, MATT. In-reply-to: "13 Dec 2000 12:28:14 CST." <318CC3D38BE0D211BB1200105A093F76114C33@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200012140005.SAA04400@gungnir.fnal.gov> Content-id: <4394.976752340.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 672

This seems to be a consequence of your 9-character username. I'll dive into the code to be sure, but if it is, your only choices are a) have your account name change to something shorter all around, or b) wait for a software fix.

From kreymer@fnal.gov Wed Dec 13 19:05:07 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id TAA11597 for ; Wed, 13 Dec 2000 19:05:07 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J009NO9OHKI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 19:05:06 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9969@listserv.fnal.gov>; Wed, 13 Dec 2000 19:05:05 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 122209 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 19:05:05 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9968@listserv.fnal.gov>; Wed, 13 Dec 2000 19:05:05 -0600 Received: from fnal.gov ([24.178.21.178]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00E3V9OFEQ@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 19:05:04 -0600 (CST) Date: Wed, 13 Dec 2000 19:05:04 -0600 From: Heidi Schellman Subject: Re: 000000000015670 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: ARSystem , "'kerberos-pilot@fnal.gov'" Message-id: <3A381CC0.28FBD7E5@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (Win98; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200012140005.SAA04400@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 673 If this is addressed to me (schellma@d0mino, schellma@PILOT.FNAL.GOV, and only schellman on the mail server) I do have an 8 character name and I see no reason why, unless someone actively did something, my 9 character user name on a mail server should become a problem 2 months after I got my principal. Are we seriously suggesting that I inform everyone in the world that my email address has changed before I get my kerberos access back? Heidi Schellma(n) Matt Crawford wrote: > > This seems to be a consequence of your 9-character username. > I'll dive into the code to be sure, but if it is your only > choices are > a) have your account name change to something shorter all around, or > b) wait for a software fix. 
From kreymer@fnal.gov Wed Dec 13 21:50:42 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA11815 for ; Wed, 13 Dec 2000 21:50:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00DNBHCI3N@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Dec 2000 21:50:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9A8C@listserv.fnal.gov>; Wed, 13 Dec 2000 21:50:42 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 122543 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 13 Dec 2000 21:50:42 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000B9A8B@listserv.fnal.gov>; Wed, 13 Dec 2000 21:50:42 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5J00EHHHCH9H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 13 Dec 2000 21:50:41 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id VAA05558; Wed, 13 Dec 2000 21:50:41 -0600 (CST) Date: Wed, 13 Dec 2000 21:50:41 -0600 From: Matt Crawford Subject: Re: 000000000015670 Assigned to CRAWFORD, MATT. In-reply-to: "13 Dec 2000 19:05:04 CST." <3A381CC0.28FBD7E5@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Heidi Schellman Cc: ARSystem , "'kerberos-pilot@fnal.gov'" Message-id: <200012140350.VAA05558@gungnir.fnal.gov> Content-id: <5554.976765841.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 674 No, that was addressed to partridge. 
From kreymer@fnal.gov Thu Dec 14 09:52:32 2000 -0600
Date: Thu, 14 Dec 2000 09:52:30 -0600
From: Michael Diesburg
Subject: Re: kerberos authentication fails - cannot access time server either
To: Matt Crawford
Cc: wyatt@fnal.gov, d0-admin@fnal.gov, kerberos-pilot@fnal.gov, Heidi Schellman
Message-id: <3A38ECBE.67DEEDBF@fnal.gov>
Organization: Fermi National Accelerator Laboratory

I would ordinarily agree with you on this point, but I am starting to hear similar reports from several different directions. At least some of them are from people who had multiple failures.

It may be that this is the natural screw-up that occurs when things change (like people forgetting and trying to authenticate with their old password rather than their kerberos password), but I wouldn't come to that conclusion yet. When problems are transient and go away within a few minutes we normally never hear about them. That's one reason I am suspicious there is a real problem here. So far I haven't been able to determine any obvious pattern to the failures. If kinit could be induced to log failures on our system it would help a great deal in tracking this down (or determining that there really is no problem).

Mike

Matt Crawford wrote:
>
> > I had one failure this morning as well - my sequence was:
>
> Can we chalk a single failure bracketed by successes as
> an accidentally wrong password?

From kreymer@fnal.gov Thu Dec 14 10:23:19 2000 -0600
Date: Thu, 14 Dec 2000 10:22:34 -0600
From: ARSystem
Subject: SIEH, CONNIE AR ticket 15611 Has Been Updated.
To: "'linux-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114CD3@csdserver2.fnal.gov>

15611 has been updated by blomberg.
Short Description : Question involving font size
New Work Log Entry :
From: "Connie Sieh"
To: "ARSystem"
Cc:
Subject: Re: 000000000015611 Assigned to SIEH, CONNIE.
Date: Thursday, December 14, 2000 1:59 AM

Helpdesk,

I have forwarded this question to the linux-users mailing list as they are better able to answer this question than me.

-connie

From kreymer@fnal.gov Thu Dec 14 11:08:43 2000 -0600
Date: Thu, 14 Dec 2000 11:08:40 -0600
From: ARSystem
Subject: 000000000015693 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114CEC@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015693 has been assigned to you.

It is a(n) Medium priority Software/Utilities/Kerberos type of problem.
Short description: fcdfsgi1 login fails

Badge # (+) : 07847N
First Name : MARGARET
Last Name (+) : VOTAVA
Phone : 2625
E-Mail Address : VOTAVA@FNAL.GOV
Incident Time : 12/14/00 10:50:34 AM
System Name : FCDFSGI1
Urgency : Medium
Public Work Log :
Problem Description : i'm trying to telnet into fcdfsgi1 using telnet from my linux box which is in the realm. i believe i have an account there and it looks like my credentials are accepted, but it won't let me in.

thanks,
margaret

odsmev.fnal.gov % telnet fcdfsgi1
Trying 131.225.240.21...
Connected to fcdfsgi1.fnal.gov (131.225.240.21).
Escape character is '^]'.

NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Fermilab policy and rules for computing, including appropriate use, may be found at http://www.fnal.gov/cd/main/cpolicy.html

[ Kerberos V5 accepts you as ``votava@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login:

Margaret Votava                                  votava@fnal.gov
Computing Division/Online and Database Systems   630-840-2625 (office)
Fermi National Accelerator Laboratory            630-840-6345 (fax)

From kreymer@fnal.gov Thu Dec 14 11:20:03 2000 -0600
Date: Thu, 14 Dec 2000 11:20:01 -0600
From: Matt Crawford
Subject: Re: 000000000015693 Assigned to CRAWFORD, MATT.
In-reply-to: <318CC3D38BE0D211BB1200105A093F76114CEC@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200012141720.LAA08658@gungnir.fnal.gov>

"Kerberos does authentication, not authorization."

Kerberos successfully identified Margaret as "votava@REALM", and fcdfsgi1 decided she was not *authorized* to log in. Why? No account called votava is on the system:

************** Special purpose machine ******************
fcdfsgi1 is dedicated to data I/O.
Please use fcdfsgi2 for general-purpose computing.
***********************************************************
/cdf/code/cdfsoft/cdf2.cshrc - No such file or directory
fcdfsgi1% finger votava
Login name: votava                      In real life: ???
fcdfsgi1% logout
Connection closed.
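The host-side decision Matt describes (the KDC vouches for the principal, the host still decides whether that principal may use an account) can be modelled as follows; this is an added example, not code from the thread or from the Kerberos login/telnet daemons, and the realm, account list and `.k5login` contents are constructed sample data.

```python
"""Kerberos does authentication, not authorization: once the KDC has proved
who the client is, the host still decides whether that identity may log in.
Simplified model of the login-time check, written for this thread; the realm,
the account table and the .k5login entries below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

LOCAL_REALM = "PILOT.FNAL.GOV"  # realm of the host, as in the ticket above (assumed)


@dataclass
class Decision:
    authorized: bool
    local_user: Optional[str]
    reason: str


def parse_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM'. A missing or extra '@' is rejected: '@' (like '/')
    is a separator in principal names, not part of the name itself."""
    parts = principal.split("@")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed principal: {principal!r}")
    return parts[0], parts[1]


def local_name_for(principal: str) -> Optional[str]:
    """Default principal-to-account mapping: only a single-component principal
    in the local realm maps, and it maps to the identical string. Principal
    names are case-sensitive, so 'Votava@...' does not become 'votava'."""
    name, realm = parse_principal(principal)
    if realm != LOCAL_REALM or "/" in name:
        return None
    return name


def authorize_login(principal: str, requested_user: str,
                    passwd_users: set[str],
                    k5login: dict[str, set[str]]) -> Decision:
    """Host-side decision after Kerberos accepted `principal`:
    1. the requested account must exist locally (no account, no login,
       however good the ticket was);
    2. the principal must map to that account, or be listed in the
       account's .k5login file."""
    if requested_user not in passwd_users:
        return Decision(False, None, f"no local account {requested_user!r}")
    if local_name_for(principal) == requested_user:
        return Decision(True, requested_user, "principal maps to local account")
    if principal in k5login.get(requested_user, set()):
        return Decision(True, requested_user, "principal listed in .k5login")
    return Decision(False, None,
                    f"{principal} is not authorized for {requested_user!r}")


# Constructed sample data modelled on the ticket: the principal is valid in
# the realm, but the data-I/O machine has no account for it.
FCDFSGI1_USERS = {"cdfdata", "operator"}
FCDFSGI1_K5LOGIN = {"cdfdata": {"votava@PILOT.FNAL.GOV"}}

if __name__ == "__main__":
    for user in ("votava", "cdfdata"):
        d = authorize_login("votava@PILOT.FNAL.GOV", user,
                            FCDFSGI1_USERS, FCDFSGI1_K5LOGIN)
        print(f"{user:8s} -> {'OK' if d.authorized else 'NO'}  {d.reason}")
```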
From kreymer@fnal.gov Thu Dec 14 11:49:36 2000 -0600
Date: Thu, 14 Dec 2000 11:49:31 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15693 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114D00@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000015693 has been resolved on 12/14/00 11:49:18 AM
Resolution Timestamp: : 12/14/00 11:20:50 AM
Solution Category : Service Request
Problem Category : Software
Type : Utilities
Item : Kerberos
Short Description : fcdfsgi1 login fails
Solution : "Kerberos does authentication, not authorization."

Kerberos successfully identified Margaret as "votava@REALM", and fcdfsgi1 decided she was not *authorized* to log in. Why? No account called votava is on the system:

************** Special purpose machine ******************
fcdfsgi1 is dedicated to data I/O.
Please use fcdfsgi2 for general-purpose computing.
***********************************************************
/cdf/code/cdfsoft/cdf2.cshrc - No such file or directory
fcdfsgi1% finger votava
Login name: votava                      In real life: ???
fcdfsgi1% logout
Connection closed.

Problem Description : i'm trying to telnet into fcdfsgi1 using telnet from my linux box which is in the realm. i believe i have an account there and it looks like my credentials are accepted, but it won't let me in.

thanks,
margaret

odsmev.fnal.gov % telnet fcdfsgi1
Trying 131.225.240.21...
Connected to fcdfsgi1.fnal.gov (131.225.240.21).
Escape character is '^]'.

NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Fermilab policy and rules for computing, including appropriate use, may be found at http://www.fnal.gov/cd/main/cpolicy.html

[ Kerberos V5 accepts you as ``votava@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login:

Margaret Votava                                  votava@fnal.gov
Computing Division/Online and Database Systems   630-840-2625 (office)
Fermi National Accelerator Laboratory            630-840-6345 (fax)

From kreymer@fnal.gov Thu Dec 14 16:00:03 2000 -0600
Date: Thu, 14 Dec 2000 15:59:57 -0600
From: ARSystem
Subject: 000000000015705 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114D6B@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015705 has been assigned to you.

It is a(n) Medium priority Software/Utilities/Kerberos type of problem.
Short description: Secure remote access?

Badge # (+) : 07535V
First Name : VYACHESLAV
Last Name (+) : RUD
Phone : 2409
E-Mail Address : RUD@FNAL.GOV
Incident Time : 12/14/00 3:27:42 PM
System Name :
Urgency : Medium
Public Work Log :
12/14/00 3:57:22 PM blomberg
Could you assist?
Problem Description : I heard a rumor that more secure remote access is implemented in Fermilab and it will be hard to access Fermilab from offsite.

Because in 10 days I'm going back to Russia I would like to know whether I need to get some kerberos card or do something else to be prepared.

Could you address that to experts please?

Thank you in advance - Slava.
From kreymer@fnal.gov Thu Dec 14 16:30:56 2000 -0600
Date: Thu, 14 Dec 2000 16:30:48 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15705 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76114D8B@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000015705 has been resolved on 12/14/00 4:30:14 PM
Resolution Timestamp: : 12/14/00 4:20:55 PM
Solution Category : Information Request
Problem Category : Software
Type : Utilities
Item : Kerberos
Short Description : Secure remote access?
Solution : Slava,

Yes, the goal is to expand the Kerberos authentication system beyond the Run II systems into the rest of FNAL offline in 2001. You can request a kerberos principal and cryptocard from Yolanda Valadez at on WH8 and this would be a good precaution. I think there are some concerns about making sure to not run out of cryptocards for the Run II users' needs, but I think we're okay just now and you have a reasonable early user need. I found the user guides to be quite good and expect you'll be able to set yourself up reasonably well back home.

Problem Description : I heard a rumor that more secure remote access is implemented in Fermilab and it will be hard to access Fermilab from offsite.

Because in 10 days I'm going back to Russia I would like to know whether I need to get some kerberos card or do something else to be prepared.

Could you address that to experts please?

Thank you in advance - Slava.
From kreymer@fnal.gov Thu Dec 14 16:56:35 2000 -0600
Date: Thu, 14 Dec 2000 16:56:17 -0600
From: schellman@fnal.gov
Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT.
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <3A395011.ED3FD90C@fnal.gov>

If this person is on CDF or D0 this is a problem. If not, tell them to ask their experiment leader for instructions.

ARSystem wrote:
>
> CRAWFORD, MATT, Help Desk Ticket #000000000015705
> has been assigned to you.
>
> It is a(n) Medium priority Software/Utilities
> /Kerberos type of problem.
> Short description: Secure remote access?
>
> Badge # (+) : 07535V
> First Name : VYACHESLAV
> Last Name (+) : RUD
> Phone : 2409
> E-Mail Address : RUD@FNAL.GOV
> Incident Time : 12/14/00 3:27:42 PM
> System Name :
> Urgency : Medium
> Public Work Log :
> 12/14/00 3:57:22 PM blomberg
> Could you assist?
> Problem Description : I heard a rumor that more secure
> remote access is implemented in Fermilab
> and it will be hard to access Fermilab from
> offsite.
>
> Because in 10 days I'm going back to Russia I would
> like to know whether I need to get some kerberos card
> or do something else to be prepared.
>
> Could you address that to experts please?
>
> Thank you in advance - Slava.

From kreymer@fnal.gov Thu Dec 14 17:06:46 2000 -0600
Date: Thu, 14 Dec 2000 17:05:36 -0600 (CST)
From: Dane Skow
Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT.
In-reply-to: <3A395011.ED3FD90C@fnal.gov>
To: schellman@fnal.gov
Cc: ARSystem, "'kerberos-pilot@fnal.gov'"

He's on E781 (at least) and I referred him to Yolanda to get an account. I hope the system can take one non-Run II person more without meltdown, though I understand we want to discourage extra users until the Run II rampup completes. I guess that means I volunteered to watch over that sheep...

dane

On Thu, 14 Dec 2000 schellman@fnal.gov wrote:

> If this person is on CDF or D0 this is a problem. If not, tell
> them to ask their experiment leader for instructions.
>
> ARSystem wrote:
> >
> > CRAWFORD, MATT, Help Desk Ticket #000000000015705
> > has been assigned to you.
> >
> > It is a(n) Medium priority Software/Utilities
> > /Kerberos type of problem.
> > Short description: Secure remote access?
> >
> > Badge # (+) : 07535V
> > First Name : VYACHESLAV
> > Last Name (+) : RUD
> > Phone : 2409
> > E-Mail Address : RUD@FNAL.GOV
> > Incident Time : 12/14/00 3:27:42 PM
> > System Name :
> > Urgency : Medium
> > Public Work Log :
> > 12/14/00 3:57:22 PM blomberg
> > Could you assist?
> > Problem Description : I heard a rumor that more secure
> > remote access is implemented in Fermilab
> > and it will be hard to access Fermilab from
> > offsite.
> >
> > Because in 10 days I'm going back to Russia I would
> > like to know whether I need to get some kerberos card
> > or do something else to be prepared.
> >
> > Could you address that to experts please?
> >
> > Thank you in advance - Slava.
>
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Dec 14 17:33:39 2000 -0600
Date: Thu, 14 Dec 2000 17:33:36 -0600
From: Matt Crawford
Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT.
In-reply-to: <318CC3D38BE0D211BB1200105A093F76114D6B@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200012142333.RAA10894@gungnir.fnal.gov>

He should get a Kerberos principal (if he doesn't have one yet) and a cryptocard from Yolanda Valadez as soon as possible.
From kreymer@fnal.gov Thu Dec 14 18:59:55 2000 -0600
Date: Thu, 14 Dec 2000 18:59:53 -0600
From: Matt Crawford
Subject: Re: English lessons: Kerberos username proposal take 2 (fwd)
In-reply-to: "11 Dec 2000 15:30:37 CST."
To: Dane Skow
Cc: Anne Heavey, kerberos-pilot@fnal.gov
Message-id: <200012150059.SAA11374@gungnir.fnal.gov>

> Sorry for the delay but one reason for the handoff last week was I was
> swamped. I believe you've got it. For Stephan's comments, I think Matt
> and Mark would have a better answer than I.
>
> > Also, re: Stephan Lammel's comment, please verify:
> >
> > Principals can include both lower and upper case letters a-z and A-Z
> > as well as numbers 0-9?
>
> I don't believe there are problems associated with using the numbers,
> however, I would not recommend differentiation by letter cases. I believe
> Stephan is correct in saying that "boss@PILOT.FNAL.GOV" is different to
> Kerberos than "Boss@PILOT.FNAL.GOV" or "BOSS@PILOT.FNAL.GOV" but I think
> it would be foolish of us to assign those to different persons. The
> convention so far has been to have the username lower case. I would
> recommend we keep that.

Lots of other characters can be in a principal name as well, although / and @ are problematic. But Dane is right that we'd be asking for a lot of pain if we assigned any that differed only in case, and a bit of pain if we used a mix of cases at all.

From kreymer@fnal.gov Thu Dec 14 19:34:50 2000 -0600
Date: Thu, 14 Dec 2000 17:35:09 -0800
From: Benn Tannenbaum
Subject: WRQ Reflections software
To: cdlibrary@fnal.gov, kerberos-pilot@fnal.gov
Cc: hauser@physics.ucla.edu
Message-id: <3A39754D.21E3B1DD@physics.ucla.edu>
Organization: University of California at Los Angeles, Department of Physics and Astronomy

Is there a FNAL license for Reflections? At UCLA we use Exceed by Hummingbird, which does not support Kerberos (at least in the version we have).

-Benn

From kreymer@fnal.gov Thu Dec 14 20:20:51 2000 -0600
Date: Thu, 14 Dec 2000 20:20:46 -0600
From: Heidi Schellman
Subject: Re: WRQ Reflections software
To: Benn Tannenbaum
Cc: cdlibrary@fnal.gov, kerberos-pilot@fnal.gov, hauser@physics.ucla.edu
Message-id: <3A397FFE.727D414A@fnal.gov>

You can check out the D0 commentary at www-d0.fnal.gov/computing/wrq.html

I tried installing kerberized Exceed 7 and failed miserably but Rich Partridge succeeded. I don't know what CDF does.

Benn Tannenbaum wrote:
>
> Is there a FNAL license for Reflections? At UCLA we use Exceed by
> Hummingbird, which does not support Kerberos (at least in the version we
> have).
>
> -Benn

From kreymer@fnal.gov Fri Dec 15 06:59:57 2000 -0600
ESMTP id <0G5M00D1B1FVKQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 06:59:56 -0600 (CST) Received: from ts.infn.it (suncdf2.pi.infn.it [192.135.9.105]) by mailserver.pi.infn.it (8.8.8/8.8.8) with ESMTP id OAA30058; Fri, 15 Dec 2000 14:00:13 +0100 Date: Fri, 15 Dec 2000 13:37:54 +0100 From: Stefano Belforte Subject: problems on Sun with v0_7 Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: coudl@ts.infn.it Message-id: <3A3A10A2.81D79E9A@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.5 [en] (X11; I; SunOS 5.5.1 sun4m) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 688 I installed kerberos v0_7 on a Sun machine in Pisa using ups/upd. I never used v0_7 before. I previosuly installed v0_4 on OSF and Linux. My host name is suncdf2.pi.infn.it It appears it went OK. But kinit does not work: belforte@suncdf2/~#8> kinit Password for belforte@PILOT.FNAL.GOV: kinit: Preauthentication failed while getting initial credentials belforte@suncdf2/~#9> What does that mean ? What is preauthentication ? Stefano Installation "log": I upd'ed kerberos v0_7 and declared it current with ups, I also ups-declared as current krb5conf v0_6a, (otherwise setup kerberso would not work). After that I do: # setup kerberos # ups install-keep-ssh kerberos Beginning installation of kerberos v0_7 into /usr/krb5. Do you have the passwords to enable the ftp and host services? (y/n, default y) n You must have the passwords in order to enable the ftp and host services. Preparing to configure krb5conf on this node... Beginning installation of krb5conf v0_6a on suncdf2. No previous /etc/krb5.conf exists, create initial version... Logging the installation in /export/fnal_products/products/prd/krb5confv0_6a/NULL/ups/suncdf2.log... Reminder!!!! You must perform this installation on each node that shares this copy of krb5conf. 
Installation of krb5conf v0_6a (without afs) on suncdf2 complete. krb5conf configuration complete. Preparing to configure service/byname on this node... Reading template file /export/fnal_products/products/prd/kerberos/v0_7/unOS+5/ups/services.template... Updating /etc/services file... Saving backup copy of /etc/services... service/byname configuration complete. Preparing to configure host keys on this node... /export/fnal_products/products/prd/kerberos/v0_7/SunOS+5/./sbin/kadmin: option equires an argument -- w Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args] clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]] local args: [-d dbname] [-e "enc:salt ..."] [-m] ERROR: could not add principal ftp/suncdf2.fnal.gov to keytab file. /export/fnal_products/products/prd/kerberos/v0_7/SunOS+5/./sbin/kadmin: option equires an argument -- w Usage: kadmin [-r realm] [-p principal] [-q query] [clnt|local args] clnt args: [-s admin_server[:port]] [[-c ccache]|[-k [-t keytab]]] local args: [-d dbname] [-e "enc:salt ..."] [-m] ERROR: could not add principal host/suncdf2.fnal.gov to keytab file. Preparing to configure inetd on this node... Reading template file /export/fnal_products/products/prd/kerberos/v0_7/unOS+5/ups/inetd.conf.template... Updating /etc/inetd.conf file... Saving backup copy of /etc/inetd.conf... Sending HUP to inetd... Sorry, I can't find the inetd process. You'll have to restart it by had via 'kill -HUP'. inetd configuration complete. Preparing to reconfigure sshd on this node... Reading template file /export/fnal_products/products/prd/kerberos/v0_7/unOS+5/ups/sshd_config.weak.template... Updating /etc/sshd_config file... No changes to /etc/sshd_config are required. sshd configuration complete. Automated installation of kerberos complete. IMPORTANT: 1) /etc/krb5.keytab configuration of service "ftp/suncdf2.fnal.gov" was not completed successfully. 
2) /etc/krb5.keytab configuration of service "host/suncdf2.fnal.gov" was not completed successfully. 3) inetd daemon 'kill -HUP' was not completed successfully. These steps should be performed for a complete installation of kerberos. Optional: you may choose to replace /bin/login with the kerberized version via: ups install-login kerberos (not necessary on IRIX platforms). # /usr/ucb/ps auxw | grep inet root 131 0.0 0.6 1768 1164 ? S Dec 14 0:00 /usr/sbin/inetd -s # kill -HUP 131 From kreymer@fnal.gov Fri Dec 15 08:14:31 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA16227 for ; Fri, 15 Dec 2000 08:14:31 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00E654W72X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 08:14:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAA66@listserv.fnal.gov>; Fri, 15 Dec 2000 08:14:31 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127047 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 08:14:31 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAA65@listserv.fnal.gov>; Fri, 15 Dec 2000 08:14:31 -0600 Received: from mailserver.pi.infn.it ([192.84.133.222]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00E6Z4W42T@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 08:14:30 -0600 (CST) Received: from ts.infn.it (suncdf2.pi.infn.it [192.135.9.105]) by mailserver.pi.infn.it (8.8.8/8.8.8) with ESMTP id PAA30926; Fri, 15 Dec 2000 15:14:46 +0100 Date: Fri, 15 Dec 2000 15:12:07 +0100 From: Stefano Belforte Subject: Re: problems on Sun with v0_7 Sender: 
owner-kerberos-pilot@listserv.fnal.gov To: Heidi Schellman , gcooper@fnal.gov, kerberos-pilot@fnal.gov Message-id: <3A3A26B7.F1DE48A4@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.5 [en] (X11; I; SunOS 5.5.1 sun4m) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3A3A10A2.81D79E9A@ts.infn.it> <3A3A16F6.B4FE33B3@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 689 Indeed my system clock was off by about 40 minutes. After a bit of struggling with date command I managed to do the trick with date 12151454 and now kinit works. Heidi, the time does not have to be the same as US (apparently). Correct local time is good enough. Now I am wandering why I can not access my Sun via telnet in portal mode login: belforte login: No such file or directory while getting initial credentials Login incorrect The /etc/inetd.conf has the -Pa valid flag Do I need host/ftp principal for the portal mode ? I guess I do... can you confirm ? Stefano Glenn Cooper wrote: > > Hi Stefano, > > The "Preauthentication failed" message is the standard one that the > KDC (central Kerberos checking node) issues whenever it decides that > there is something wrong with the request. The most common causes > of this are: > > - Wrong password (typing mistakes, etc.) > > - Clock on your machine off by more than 5 minutes. > > I'd say check your system clock. If that's not the problem, let me > know, and I will check my notes for other possible causes. Or others > on the kerberos-pilot list may have the answer. 
> > Hope this helps, > Glenn From kreymer@fnal.gov Fri Dec 15 09:02:49 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16284 for ; Fri, 15 Dec 2000 09:02:49 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00ECN6XG2M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 08:58:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAAB2@listserv.fnal.gov>; Fri, 15 Dec 2000 08:58:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127133 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 08:58:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAAB1@listserv.fnal.gov>; Fri, 15 Dec 2000 08:58:28 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EFV6XE30@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 08:58:28 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 15 Dec 2000 08:58:26 -0600 Content-return: allowed Date: Fri, 15 Dec 2000 08:58:21 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15705 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114DB1@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 690 15705 has been updated by blomberg. Short Description : Secure remote access? New Work Log Entry : From: To: "ARSystem" Cc: Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT. 
Date: Thursday, December 14, 2000 4:56 PM If this person is on CDF or D0 this is a problem. If not, tell them to ask their experiment leader for instructions. From kreymer@fnal.gov Fri Dec 15 09:24:31 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16304 for ; Fri, 15 Dec 2000 09:24:31 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EI584U29@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:24:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB26@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127259 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:24:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB24@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:30 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EJE84T2M@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:24:30 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 15 Dec 2000 09:24:30 -0600 Content-return: allowed Date: Fri, 15 Dec 2000 09:24:23 -0600 From: ARSystem Subject: Note to requester has been sent - 000000000015705 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114DD3@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 691 The following note has been sent to the requester: RUD, VYACHESLAV Short Description : Secure 
remote access? Notes to Requester : Per the analyst: "From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT. Date: Thursday, December 14, 2000 5:33 PM He should get a Kerberos principal (if he doesn't have one yet) and a cryptocard from Yolnda Valadez as soon as possible." From kreymer@fnal.gov Fri Dec 15 09:24:32 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16308 for ; Fri, 15 Dec 2000 09:24:32 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EI584U29@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:24:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB27@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127261 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:24:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB25@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:30 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00ELR84T30@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:24:30 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 15 Dec 2000 09:24:30 -0600 Content-return: allowed Date: Fri, 15 Dec 2000 09:24:23 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15705 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114DD1@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 692 15705 has been updated by trb. Short Description : Secure remote access? New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT. Date: Thursday, December 14, 2000 5:33 PM He should get a Kerberos principal (if he doesn't have one yet) and a cryptocard from Yolnda Valadez as soon as possible. From kreymer@fnal.gov Fri Dec 15 09:24:33 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16312 for ; Fri, 15 Dec 2000 09:24:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EI584U29@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:24:33 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB29@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:31 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127263 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:24:31 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB28@listserv.fnal.gov>; Fri, 15 Dec 2000 09:24:31 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EJE84T2M@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:24:30 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 15 Dec 2000 09:24:30 -0600 Content-return: allowed Date: Fri, 15 
Dec 2000 09:24:23 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15705 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114DD0@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 693 15705 has been updated by trb. Short Description : Secure remote access? New Work Log Entry : From: "Dane Skow" To: Cc: "ARSystem" ; Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT. Date: Thursday, December 14, 2000 5:05 PM He's on E781 (at least) and I referred him to Yolanda to get an account. I hope the system can take one non-Run II person more without meltdown, though I understand we want to discourage extra users until the Run II rampup completes. I guess that means I volunteered to watch over that sheep... dane From kreymer@fnal.gov Fri Dec 15 09:31:46 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16318 for ; Fri, 15 Dec 2000 09:31:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EJW8GX37@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:31:46 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB42@listserv.fnal.gov>; Fri, 15 Dec 2000 09:31:46 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127291 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:31:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB41@listserv.fnal.gov>; Fri, 15 Dec 2000 09:31:46 -0600 Received: from mailserver.pi.infn.it ([192.84.133.222]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id 
<0G5M00EIO8GW3A@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:31:45 -0600 (CST) Received: from ts.infn.it (suncdf2.pi.infn.it [192.135.9.105]) by mailserver.pi.infn.it (8.8.8/8.8.8) with ESMTP id QAA31743; Fri, 15 Dec 2000 16:32:02 +0100 Date: Fri, 15 Dec 2000 16:29:23 +0100 From: Stefano Belforte Subject: unrestricted telnet Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A3A38D3.6656F34E@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.5 [en] (X11; I; SunOS 5.5.1 sun4m) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 694 I have found again the situation when the telnetd server installed by fermi kerberos allow access without password to any user. Last summer this happened on my OSF machine in Trieste, was blamed on some fancier version of OSF password security file that we run here, we disabled all telnet and rlogin and "forgot". Now I installed kerberos on a Linux machine (pclx06.ts.infn.it). I also tried to install host/ftp principals using the password I got from compdiv@fnal.gov. It all went smootly. But the fermi telnet server allow any user to log in from the local lan without password. I.e.: telnet from offsite is disabled (I expected porta...): belforte@fcdfsgi2/~ > telnet pclx06.ts.infn.it Trying 140.105.221.15... Connected to pclx06.ts.infn.it (140.105.221.15). Escape character is '^]'. Connection closed by foreign host. telnet from the TS lan is an open door: belforte@quark.ts.infn.it/~> /usr/bin/telnet pclx06 -l gomezel Trying 140.105.221.15... Connected to pclx06.ts.infn.it. Escape character is '^]'. Red Hat Linux release 6.2 (Zoot) Kernel 2.2.16-3 on an i686 login: Client not found in Kerberos database while getting initial credentials You have new mail. 
[gomezel@pclx06 ~]$ [gomezel@pclx06 ~]$ who am i pclx06.ts.infn.it!gomezel ttyp1 Dec 15 16:09 [gomezel@pclx06 ~]$ [gomezel@pclx06 ~]$ ps auxw|grep telnet root 6681 0.0 0.6 1988 848 ? S 16:09 0:00 telnetd -Pa valid gomezel 6723 0.0 0.4 1360 516 ttyp1 S 16:12 0:00 grep telnet so it is really the -Pa valid, i.e. portal telnetd giving the problem. This is going to make user gomezel (my system manager by the way) VERY upset at me. If I specify an unexisting user name, the telnet attempt is closed with Login incorrect message. Ideas ? Please, tell me what to do.... I know I can remove telnetd etc. from /etc/inetd.conf, but I would like to be able to get INTO this machine somehow using kerberos tickets or cryptocard. Also, differently from OSF this is THE op.sys. I expect to use for Run2, so I DO care this time. Maybe the problem is my AFS local installation... Anyhow I think you should know that this things happen and may end up in being un-noticed for a while. I am using kerberos v0_6 flavor Linux+2.2 Stefano From kreymer@fnal.gov Fri Dec 15 09:37:05 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16322 for ; Fri, 15 Dec 2000 09:37:05 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EP38PR2D@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:37:03 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB5C@listserv.fnal.gov>; Fri, 15 Dec 2000 09:37:03 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127321 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:37:03 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB5B@listserv.fnal.gov>; Fri, 15 Dec 2000 09:37:03 -0600 Received: 
from fnal.gov ([131.225.224.51]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EJE8PQ32@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:37:02 -0600 (CST) Date: Fri, 15 Dec 2000 09:36:46 -0600 From: schellman@fnal.gov Subject: Re: problems on Sun with v0_7 Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov Message-id: <3A3A3A8E.BDB08660@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3A3A10A2.81D79E9A@ts.infn.it> <3A3A16F6.B4FE33B3@fnal.gov> <3A3A26B7.F1DE48A4@ts.infn.it> Status: RO X-Status: X-Keywords: X-UID: 695 I think you need to have a host principal for the portal node. Yolanda Valadez at (630)840-8118 can get you one. But also your install log showed some errors at the bottom. I have not done a portal yet so I can not be of much help in fixing beyond the advice to get a host principal. heidi Stefano Belforte wrote: > > Indeed my system clock was off by about 40 minutes. > After a bit of struggling with date command I managed to do the > trick with date 12151454 and now kinit works. > > Heidi, the time does not have to be the same as US (apparently). Correct > local time is good enough. > > Now I am wandering why I can not access my Sun via telnet in portal mode > login: belforte > login: No such file or directory while getting initial credentials > Login incorrect > > The /etc/inetd.conf has the -Pa valid flag > > Do I need host/ftp principal for the portal mode ? > I guess I do... can you confirm ? > > Stefano > > Glenn Cooper wrote: > > > > Hi Stefano, > > > > The "Preauthentication failed" message is the standard one that the > > KDC (central Kerberos checking node) issues whenever it decides that > > there is something wrong with the request. 
The most common causes > > of this are: > > > > - Wrong password (typing mistakes, etc.) > > > > - Clock on your machine off by more than 5 minutes. > > > > I'd say check your system clock. If that's not the problem, let me > > know, and I will check my notes for other possible causes. Or others > > on the kerberos-pilot list may have the answer. > > > > Hope this helps, > > Glenn From kreymer@fnal.gov Fri Dec 15 09:40:43 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA16330 for ; Fri, 15 Dec 2000 09:40:43 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00EOU8VU2R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 09:40:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB6B@listserv.fnal.gov>; Fri, 15 Dec 2000 09:40:42 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127339 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 09:40:42 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAB6A@listserv.fnal.gov>; Fri, 15 Dec 2000 09:40:42 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5M00EMW8VT2X@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 09:40:41 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id JAA12984; Fri, 15 Dec 2000 09:40:38 -0600 Date: Fri, 15 Dec 2000 09:40:38 -0600 From: Glenn Cooper Subject: Re: unrestricted telnet In-reply-to: <3A3A38D3.6656F34E@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov Reply-to: 
gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 696 Hi Stefano, I believe I found with an early version of Fermilab's Kerberos software that I needed to separate the -P and -a flags, so the line in inetd.conf looked like: telnet stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -P -a valid instead of the "-Pa valid" that the ups install sets up. You might try that and see whether it helps. (However, we didn't see unrestricted access--it still prompted for a password if I didn't have a Kerberos ticket--so this may not be related to what you are seeing.) Glenn On Fri, 15 Dec 2000, Stefano Belforte wrote: > I have found again the situation when the telnetd server installed > by fermi kerberos allow access without password to any user. > > Last summer this happened on my OSF machine in Trieste, was blamed > on some fancier version of OSF password security file that we run here, > we disabled all telnet and rlogin and "forgot". > > Now I installed kerberos on a Linux machine (pclx06.ts.infn.it). > I also tried to install host/ftp principals using the password I got > from compdiv@fnal.gov. > It all went smootly. > > > But the fermi telnet server allow any user to log in from the local > lan without password. > > I.e.: > telnet from offsite is disabled (I expected porta...): > belforte@fcdfsgi2/~ > telnet pclx06.ts.infn.it > Trying 140.105.221.15... > Connected to pclx06.ts.infn.it (140.105.221.15). > Escape character is '^]'. > Connection closed by foreign host. > > telnet from the TS lan is an open door: > > belforte@quark.ts.infn.it/~> /usr/bin/telnet pclx06 -l gomezel > Trying 140.105.221.15... > Connected to pclx06.ts.infn.it. > Escape character is '^]'. > > Red Hat Linux release 6.2 (Zoot) > Kernel 2.2.16-3 on an i686 > > login: Client not found in Kerberos database while getting initial > credentials > You have new mail. 
> [gomezel@pclx06 ~]$ > [gomezel@pclx06 ~]$ who am i > pclx06.ts.infn.it!gomezel ttyp1 Dec 15 16:09 > [gomezel@pclx06 ~]$ > [gomezel@pclx06 ~]$ ps auxw|grep telnet > root 6681 0.0 0.6 1988 848 ? S 16:09 0:00 telnetd > -Pa valid > gomezel 6723 0.0 0.4 1360 516 ttyp1 S 16:12 0:00 grep > telnet > > so it is really the -Pa valid, i.e. portal telnetd giving the problem. > > This is going to make user gomezel (my system manager by the way) VERY > upset at me. > > If I specify an unexisting user name, the telnet attempt is closed with > Login incorrect message. > > Ideas ? Please, tell me what to do.... > I know I can remove telnetd etc. from /etc/inetd.conf, but I would like > to be able to get INTO this machine somehow using kerberos tickets or > cryptocard. Also, differently from OSF this is THE op.sys. I expect to > use for Run2, so I DO care this time. > > Maybe the problem is my AFS local installation... > Anyhow I think you should know that this things happen and may end up in > being un-noticed for a while. 
> > I am using kerberos v0_6 flavor Linux+2.2 > > Stefano > From kreymer@fnal.gov Fri Dec 15 10:20:43 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA16367 for ; Fri, 15 Dec 2000 10:20:43 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00ES4AQI38@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 10:20:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC0F@listserv.fnal.gov>; Fri, 15 Dec 2000 10:20:43 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127522 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 10:20:43 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC0E@listserv.fnal.gov>; Fri, 15 Dec 2000 10:20:43 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00K3ZAQI5S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 10:20:42 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 15 Dec 2000 10:20:43 -0600 Content-return: allowed Date: Fri, 15 Dec 2000 10:20:41 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15705 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114DF7@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 697 15705 has been updated by trb. Short Description : Secure remote access? 
New Work Log Entry : From: "Rud Vyacheslav, x2409" To: "Dane Skow" Cc: ; "ARSystem" Subject: Re: 000000000015705 Assigned to CRAWFORD, MATT. Date: Friday, December 15, 2000 10:08 AM Thank you very much, Dane, for the complete explanation! All the best, Slava. From kreymer@fnal.gov Fri Dec 15 10:21:21 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA16371 for ; Fri, 15 Dec 2000 10:21:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00J40ARKM3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 10:21:21 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC11@listserv.fnal.gov>; Fri, 15 Dec 2000 10:21:20 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127524 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 10:21:20 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC10@listserv.fnal.gov>; Fri, 15 Dec 2000 10:21:20 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00K1FARKGL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 10:21:20 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA14761; Fri, 15 Dec 2000 10:21:18 -0600 (CST) Date: Fri, 15 Dec 2000 10:21:17 -0600 From: Matt Crawford Subject: Re: problems on Sun with v0_7 In-reply-to: "15 Dec 2000 13:37:54 +0100." 
<3A3A10A2.81D79E9A@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, coudl@ts.infn.it Message-id: <200012151621.KAA14761@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 698 > My host name is suncdf2.pi.infn.it > It appears it went OK. But kinit does not work: > > belforte@suncdf2/~#8> kinit > Password for belforte@PILOT.FNAL.GOV: > kinit: Preauthentication failed while getting initial credentials > belforte@suncdf2/~#9> > > What does that mean ? What is preauthentication ? Preauthentication means that you have to prove you know the key (which is a function of your password) before the KDC will deliver you a ticket to decrypt with the key. This prevents an offline brute force or dictionary attack against your password. The way it works is that your kinit program takes the password you enter, generates the key from it, and encrypts the current date/time with that, attaching the result to the authentication service request. So if it fails, then either your password or your system clock is incorrect. Usually it's the clock. An error of up to 5 minutes is tolerated. And it doesn't matter what time zone you're in, as the time is sent in UTC. 
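The encrypted-timestamp pre-authentication that Matt describes above, as an added example that is not part of the original thread and not MIT Kerberos code. Both sides are simulated in one file: the client derives a key from the typed password and encrypts its own clock reading (UTC seconds); the KDC decrypts with the stored key and checks the timestamp against its own clock with the 5-minute tolerance. The cipher is a toy (HMAC-SHA256 keystream plus HMAC tag) standing in for a real Kerberos enctype, string_to_key() is a cut-down version of the RFC 3962 AES derivation, and the principal, password, clock values and error strings are constructed for the demo. The KDC here reports a wrong password and a bad clock with the same error, which is the single symptom kinit showed in the thread; newer MIT KDCs report the skew case separately as a clock-skew error. One caveat worth adding: a PA-ENC-TIMESTAMP blob captured on the wire is itself an offline password verifier, so pre-authentication stops an attacker from simply asking the KDC for something to crack, but it does not protect the blob from a sniffer, which offline_guess() shows.

```python
"""Kerberos PA-ENC-TIMESTAMP pre-authentication, simulated end to end.

Added example; not MIT Kerberos code. The cipher is a toy (HMAC-SHA256
keystream plus HMAC tag) standing in for a real Kerberos enctype, and
string_to_key() is a cut-down version of the RFC 3962 AES derivation.
"""
import hashlib
import hmac
import os
import struct

CLOCK_SKEW = 300  # seconds; the 5-minute tolerance the message refers to


def string_to_key(password: str, principal: str, realm: str) -> bytes:
    """Derive the long-term key from the password (simplified RFC 3962:
    PBKDF2-HMAC-SHA1, salt = realm + principal, 4096 iterations; the
    final DK() step of the real derivation is omitted)."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, 4096, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(map(len, blocks)) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Inverse of encrypt(); raises ValueError if the tag does not verify,
    which is what happens when the key (i.e. the password) is wrong."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_as_req(principal: str, realm: str, password: str, client_clock: int) -> dict:
    """What kinit does: derive the key from the typed password, encrypt the
    client's idea of the current time (UTC seconds, so the time zone does
    not matter) and attach it to the AS-REQ as PA-ENC-TIMESTAMP."""
    key = string_to_key(password, principal, realm)
    pa_enc_timestamp = encrypt(key, struct.pack(">q", client_clock))
    return {"cname": principal, "realm": realm, "pa-enc-timestamp": pa_enc_timestamp}


def kdc_as_rep(req: dict, principal_db: dict, kdc_clock: int) -> str:
    """What the KDC does before issuing anything: decrypt the timestamp with
    the stored key and check it is within CLOCK_SKEW of its own clock.
    Both failures are reported with one error string here (constructed)."""
    key = principal_db[(req["cname"], req["realm"])]
    try:
        (ts,) = struct.unpack(">q", decrypt(key, req["pa-enc-timestamp"]))
    except (ValueError, struct.error):
        return "KDC_ERR_PREAUTH_FAILED"  # wrong password: timestamp does not decrypt
    if abs(ts - kdc_clock) > CLOCK_SKEW:
        return "KDC_ERR_PREAUTH_FAILED"  # right password, wrong clock
    return "AS-REP: ticket issued"


def offline_guess(pa_enc_timestamp: bytes, principal: str, realm: str, candidates):
    """Caveat: a captured PA-ENC-TIMESTAMP blob is a password verifier, so a
    sniffer can test guesses against it offline without talking to the KDC."""
    for pw in candidates:
        try:
            decrypt(string_to_key(pw, principal, realm), pa_enc_timestamp)
            return pw
        except ValueError:
            continue
    return None


def demo() -> dict:
    principal, realm, password = "belforte", "PILOT.FNAL.GOV", "correct-horse-battery"  # constructed
    kdc_db = {(principal, realm): string_to_key(password, principal, realm)}
    now = 976890000  # constructed UTC epoch time; the KDC's clock

    good = client_as_req(principal, realm, password, now + 90)            # 1.5 min fast: fine
    wrong_pw = client_as_req(principal, realm, "guess", now)
    bad_clock = client_as_req(principal, realm, password, now - 40 * 60)  # the 40-minute offset
    return {
        "good": kdc_as_rep(good, kdc_db, now),
        "wrong_password": kdc_as_rep(wrong_pw, kdc_db, now),
        "clock_off_40min": kdc_as_rep(bad_clock, kdc_db, now),
        "sniffed_blob_cracked": offline_guess(good["pa-enc-timestamp"], principal, realm,
                                              ["password", "guess", password]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

Run it and the 40-minute case fails exactly like the correct-password case, which is why checking the clock (ntpdate or date -u against a known-good host) is the first diagnostic step before assuming a mistyped password.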
From kreymer@fnal.gov Fri Dec 15 10:24:44 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA16395 for ; Fri, 15 Dec 2000 10:24:44 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00J7EAX8JH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 10:24:44 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC19@listserv.fnal.gov>; Fri, 15 Dec 2000 10:24:44 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127534 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 10:24:44 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAC18@listserv.fnal.gov>; Fri, 15 Dec 2000 10:24:44 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00K3HAX76R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 10:24:43 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA14787; Fri, 15 Dec 2000 10:24:41 -0600 (CST) Date: Fri, 15 Dec 2000 10:24:41 -0600 From: Matt Crawford Subject: Re: problems on Sun with v0_7 In-reply-to: "15 Dec 2000 15:12:07 +0100." <3A3A26B7.F1DE48A4@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: Heidi Schellman , gcooper@fnal.gov, kerberos-pilot@fnal.gov Message-id: <200012151624.KAA14787@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 699 > Indeed my system clock was off by about 40 minutes. That will almost teach me to read everything before I answer. 
> Now I am wondering why I can not access my Sun via telnet in portal mode > The /etc/inetd.conf has the -Pa valid flag > Do I need a host/ftp principal for the portal mode ? > I guess I do... can you confirm ? Yes, exactly. Here's the reason. The credentials from the KDC have to be delivered in encrypted form to prevent an eavesdropper from stealing them. There are not enough bits in the cryptocard response to make a good encryption key (only 32 bits). So the response is combined with the host/your.node.name key. From kreymer@fnal.gov Fri Dec 15 11:24:32 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA16441 for ; Fri, 15 Dec 2000 11:24:32 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00KCEDOIDA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 11:24:21 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BACDD@listserv.fnal.gov>; Fri, 15 Dec 2000 11:24:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127739 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 11:24:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BACDB@listserv.fnal.gov>; Fri, 15 Dec 2000 11:24:18 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00KDDDOI6R@smtp.fnal.gov>; Fri, 15 Dec 2000 11:24:18 -0600 (CST) Date: Fri, 15 Dec 2000 11:24:18 -0600 (CST) From: Dane Skow Subject: Re: "Sharing" Kerberos tickets across multiple d0mino windows. 
In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Harry Melanson Cc: D0-RUG , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 700 On Fri, 15 Dec 2000, Harry Melanson wrote: > Hi D0Rug, > > I typically open multiple sessions on d0mino from my PC. I found that by > default I had to do "kinit" for each session. After asking around, it turns > out that the reason is the default "cache" for storing tickets was different > for different sessions. To get around this little annoyance, a user can > define where they want their cache to reside. For example, I include the > following in my .cshrc: > > # > # Set my Kerberos cache, so I can reuse any tickets I have > # > setenv KRB5CCNAME ~/.kcache > > I then only have to kinit in one of my windows, and all of the other ones > "see" the ticket. You'll want to make sure this directory is well protected and only readable (or writeable) by you as well. Otherwise people could hijack your tickets. 
> > Cheers, > > Harry > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Fri Dec 15 11:34:37 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA16447 for ; Fri, 15 Dec 2000 11:34:37 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00JIKE3SM3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 11:33:30 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BACF4@listserv.fnal.gov>; Fri, 15 Dec 2000 11:33:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127766 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 11:33:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BACF2@listserv.fnal.gov>; Fri, 15 Dec 2000 11:33:27 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00JOUE3RJH@smtp.fnal.gov>; Fri, 15 Dec 2000 11:33:27 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA15087; Fri, 15 Dec 2000 11:33:27 -0600 (CST) Date: Fri, 15 Dec 2000 11:33:26 -0600 From: Matt Crawford Subject: Re: "Sharing" Kerberos tickets across multiple d0mino windows. In-reply-to: "15 Dec 2000 11:24:18 CST." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: Harry Melanson , D0-RUG , kerberos-pilot@fnal.gov Message-id: <200012151733.LAA15087@gungnir.fnal.gov> Content-id: <15083.976901606.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 701 > > setenv KRB5CCNAME ~/.kcache > > You'll want to make sure this directory is well protected and only > readable (or writeable) by you as well. Otherwise people could hijack your > tickets. And not exported by NFS or AFS or DFS or Samba or any other network file system! I suggest setenv KRB5CCNAME /tmp/.kcache-melanson or something like that. From kreymer@fnal.gov Fri Dec 15 13:27:42 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA16569 for ; Fri, 15 Dec 2000 13:27:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00LQPJE583@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 13:27:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE26@listserv.fnal.gov>; Fri, 15 Dec 2000 13:27:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128097 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 13:27:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE25@listserv.fnal.gov>; Fri, 15 Dec 2000 13:27:41 -0600 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0034QJE46M@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 13:27:41 -0600 (CST) Date: Fri, 15 Dec 2000 13:26:57 -0600 From: "Laurelin of Middle Earth, 630-840-2214" Subject: scp: fails to some nodes, succeeds to 
others; why? Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A3A7081.4B01F969@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 702 I'm using kerberos v0_7. I have credentials, recently renewed: d0ora3:> klist -f Ticket cache: /tmp/krb5cc_1275 Default principal: lauri@PILOT.FNAL.GOV Valid starting Expires Service principal 12/15/00 13:21:30 12/16/00 15:21:30 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV renew until 12/22/00 10:39:26, Flags: FRIA 12/15/00 13:23:02 12/16/00 15:21:30 host/d0mino.fnal.gov@PILOT.FNAL.GOV renew until 12/22/00 10:39:26, Flags: FRA I try to use scp (from the /usr/krb5/bin directory) to connect to various nodes I work on. Sometimes it works, sometimes not. Why? What's different? d0ora3:> scp .shrc d0mino:.shrc .shrc | 3 KB | 3.7 kB/s | ETA: 00:00:00 | 100% d0ora3:> scp .shrc ossbud:.shrc command-line line 0: Missing yes/no argument. lost connection d0ora3:> scp .shrc fsui03:.shrc command-line line 0: Missing yes/no argument. lost connection d0ora3:> which scp /usr/krb5/bin/scp d0ora3:> scp .shrc sameggs:.shrc command-line line 0: Missing yes/no argument. lost connection Nodes d0mino, sameggs and ossbud are kerberized; node fsui03 (last I knew) is not. ?!?!?!? 
-- lauri From kreymer@fnal.gov Fri Dec 15 13:31:10 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA16581 for ; Fri, 15 Dec 2000 13:31:10 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M001CEJJYQP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 13:31:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE2F@listserv.fnal.gov>; Fri, 15 Dec 2000 13:31:10 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128107 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 13:31:10 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE2E@listserv.fnal.gov>; Fri, 15 Dec 2000 13:31:10 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M00LRJJJX83@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 13:31:09 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA21369; Fri, 15 Dec 2000 13:31:09 -0600 Date: Fri, 15 Dec 2000 13:31:09 -0600 (CST) From: Steven Timm Subject: Re: scp: fails to some nodes, succeeds to others; why? In-reply-to: <3A3A7081.4B01F969@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 703 > I'm using kerberos v0_7. 
> > I have credentials, recently renewed: > > d0ora3:> klist -f > Ticket cache: /tmp/krb5cc_1275 > Default principal: lauri@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 12/15/00 13:21:30 12/16/00 15:21:30 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > renew until 12/22/00 10:39:26, Flags: FRIA > 12/15/00 13:23:02 12/16/00 15:21:30 host/d0mino.fnal.gov@PILOT.FNAL.GOV > renew until 12/22/00 10:39:26, Flags: FRA > > I try to use scp (from the /usr/krb5/bin directory) to > connect to various nodes I work on. Sometimes it works, > sometimes not. Why? What's different? > > d0ora3:> scp .shrc d0mino:.shrc > .shrc | 3 KB | 3.7 kB/s | ETA: 00:00:00 | 100% > > d0ora3:> scp .shrc ossbud:.shrc > command-line line 0: Missing yes/no argument. > lost connection > > d0ora3:> scp .shrc fsui03:.shrc > command-line line 0: Missing yes/no argument. > lost connection > > d0ora3:> which scp > /usr/krb5/bin/scp > > d0ora3:> scp .shrc sameggs:.shrc > command-line line 0: Missing yes/no argument. > lost connection > > Nodes d0mino, sameggs and ossbud are kerberized; node fsui03 > (last I knew) is not. ossbud is kerberized but not running the kerberized scp/sshd daemon as far as I can tell. This could be true of sameggs as well. fsui03, as you say, is not kerberized at all and thus shouldn't respond to a kerberized scp, which I presume this is. Use the tcp version of scp and put in a password and it will be fine. Steve > > ?!?!?!? 
> > -- lauri > > From kreymer@fnal.gov Fri Dec 15 13:31:46 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA16585 for ; Fri, 15 Dec 2000 13:31:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0035WJKX90@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 13:31:46 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE33@listserv.fnal.gov>; Fri, 15 Dec 2000 13:31:45 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128113 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 13:31:45 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAE30@listserv.fnal.gov>; Fri, 15 Dec 2000 13:31:45 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0032KJKWQS@smtp.fnal.gov>; Fri, 15 Dec 2000 13:31:44 -0600 (CST) Date: Fri, 15 Dec 2000 13:31:44 -0600 (CST) From: Dane Skow Subject: Re: one users perspective In-reply-to: <200012142024.eBEKOK821179@fsgi02.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: melanson@fnal.gov, cjames@fnal.gov Cc: Karen Shepelak , oss-mgmt@fnal.gov, compdiv@fnal.gov, kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 704 Hi Cat, Karen forwarded your comments (thanks Karen) and I want to thank you for taking the time to be specific in your needs and frustrations. I'd like to press a bit more for feedback and have copied the groups who have been developing the documentation that exists. For Kerberos instructions is Harry aware of the information at http://www.fnal.gov/docs/strongauth/index.html ? 
Have these been rejected as too "manual"? or do they not meet the usage needs you're referring to. On the ssh front, I think you are pointing out a current weakness. We have been brokering licenses for FSecure SSH for user support groups to install. A number of groups have taken to using the freeware products (Teraterm or PuTTY). And the integration of all of this with the medium term migration to Kerberos authentication for Unix and NT is not clear. I think it's been harder than desired for users to "do the right thing", but partly that's been the cost of dealing with some of the other issues. We can certainly work to help get information out to the minos users. dane On Thu, 14 Dec 2000, Karen Shepelak wrote: > Hi Dane, Lisa, > > Thought I'd pass this along to you both. I think a lot of users > share the same sentiment as Cat James. > > ------- Forwarded Message > > > Date: Thu, 14 Dec 2000 13:46:03 -0600 > From: Cat James > Subject: ssh login and use information > To: Karen Shepelak > > Organization: FNAL > > > > Howdy. In general I am in favor of secure connections and such and don't > mind converting my habits. My comment today is more along the lines of > "user support", and you can feel free to disseminate my comments to those > who ought to be thinking about this. > > Specifically, there is next to no information on "how to" when a machine is > changed to ssh. Computing has what amounts to an ssh manual on the Web > pages, which reads, well, like a manual. What is needed right up front is a > simple example of how to now proceed with your login........spell it right > out, like "where you used to say telnet now type - - -" The manual online > dives right into the many parameters and ssh commands that most people are > never going to use, and it is not "user friendly". Next, there is NO > information AT ALL on what to do if your desktop is an NT work-station and > you've been using Exceed or some equivalent product. 
I just sent an email > around to the local minos1 users on my floor about how to deal with this > (using TeraTerm-Pro and TTSSH). I get grateful thank-yous from NT users and > the university guys who come in with NT laptops which they use as terminals > when visiting. Why can't Computing get out some information on how to use > products like this to make secure connections to fnal nodes from non-linux > platforms? > > And it looks like this same non-information habit is continuing with the use > of Kerberos. Again, installing Kerberos is not the issue, but instead > posting useful information about how to use it properly. My husband Harry > Melanson, reporting from D-Zero, tells me that using Kerberos is pretty > obvious when you are on one Linux box and want to connect to another Linux > box, but much less obvious when you are on an NT or Windows-2000 box and > need to connect to a Linux box. It is less obvious, and again there is NO > guidance from Computing as to how one should go about it. Computer-savvy > people like my husband ask around and figure it out, but many physicists, > while good at programming for their physics, are not real clued in to the > details of operating systems, networks, and secure channels. Harry comments > that a large part of the non-information problem is in the group most > responsible for moving us to Kerberos: they all sit in front of Linux boxes, > and thus make no thought for those who use some other platform as their > primary desktop. And don't say that we are all moving to Linux - Linux is > great for the serious computing, but until I can run all the Windows-type > software products I use for my daily work on a Linux box, the desktop for my > daily work will be Windows (and I'm talking way more than the Office > products). And what about all those people with Macs on their desks????? > Still seem to be quite a few of those here in NuMI-MINOS land, and they > still do physics computing on unix / linux machines. 
> > Please allocate some time and effort to create cook-book instructions for > connecting to Unix / Linux from Windows / Mac desktops, for those who just > want to keep doing their daily work. > Cat James > > > > ------- End of Forwarded Message > > > > > -- > Karen > SCS (Scientific Computing Support) > > > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Fri Dec 15 14:14:33 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16707 for ; Fri, 15 Dec 2000 14:14:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M001LLLK8QP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 14:14:33 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAEF3@listserv.fnal.gov>; Fri, 15 Dec 2000 14:14:32 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128321 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 14:14:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAEF2@listserv.fnal.gov>; Fri, 15 Dec 2000 14:14:32 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0046CLK7NC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 14:14:31 -0600 (CST) Date: Fri, 15 Dec 2000 14:14:31 -0600 (CST) From: "Marc W. Mengel" Subject: Re: scp: fails to some nodes, succeeds to others; why? 
In-reply-to: <3A3A7081.4B01F969@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 705 On Fri, 15 Dec 2000, Laurelin of Middle Earth, 630-840-2214 wrote: > Date: Fri, 15 Dec 2000 13:26:57 -0600 > From: "Laurelin of Middle Earth, 630-840-2214" > To: kerberos-pilot@fnal.gov > Subject: scp: fails to some nodes, succeeds to others; why? > > I'm using kerberos v0_7. > > I have credentials, recently renewed: > > d0ora3:> klist -f > Ticket cache: /tmp/krb5cc_1275 > Default principal: lauri@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 12/15/00 13:21:30 12/16/00 15:21:30 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > renew until 12/22/00 10:39:26, Flags: FRIA > 12/15/00 13:23:02 12/16/00 15:21:30 host/d0mino.fnal.gov@PILOT.FNAL.GOV > renew until 12/22/00 10:39:26, Flags: FRA > > I try to use scp (from the /usr/krb5/bin directory) to > connect to various nodes I work on. Sometimes it works, > sometimes not. Why? What's different? > > d0ora3:> scp .shrc d0mino:.shrc > .shrc | 3 KB | 3.7 kB/s | ETA: 00:00:00 | 100% > > d0ora3:> scp .shrc ossbud:.shrc > command-line line 0: Missing yes/no argument. > lost connection My guess is that d0ora3 doesn't have the kerberized sshd running. You get an error like this when the /usr/krb5/bin/ssh tries to fail down to /usr/krb5/bin/sshk4 under scp. 
Marc From kreymer@fnal.gov Fri Dec 15 14:25:29 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16721 for ; Fri, 15 Dec 2000 14:25:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M003D0M2G6M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 14:25:28 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAF12@listserv.fnal.gov>; Fri, 15 Dec 2000 14:25:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128357 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 14:25:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAF10@listserv.fnal.gov>; Fri, 15 Dec 2000 14:25:28 -0600 Received: from melansonlaptop ([131.225.227.105]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5M002L6M2FG0@smtp.fnal.gov>; Fri, 15 Dec 2000 14:25:27 -0600 (CST) Date: Fri, 15 Dec 2000 14:25:27 -0600 From: Harry Melanson Subject: RE: one users perspective In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow , cjames@fnal.gov Cc: Karen Shepelak , oss-mgmt@fnal.gov, compdiv@fnal.gov, kerberos-pilot@fnal.gov, Harry Melanson Reply-to: melanson@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 706 Hi Dane, My comments were made during the process (and at home at the end of the day)... The WRQ instructions are now straight forward. However, they changed over time. 
For example, I reported that version 7's FTP neighborhood didn't work. This seems to have initiated getting version 8. (BTW, I reported the problem to the help desk, and there was significant confusion as to who supported WRQ; see http://csdserver1.fnal.gov/ars/cgi-bin/arweb.exe?O=1&Form=entry&ID=17571&s=c sdserver1&S=CD%3aHelpDesk&WID=3&Ei=3 I'm guessing that the help desk now has a better idea about WRQ.) There is still a (known) bug with the FTP client and Irix. BTW, the WRQ instructions assume an FNAL domain user, but DZERO has its own domain (e.g. no pckits). And then there was some confusion about who pays for WRQ. This got straightened out, and our current arrangement at DZERO is CD buys licenses for all FNAL DZERO employees, and universities pay their own way. But this wasn't clear at the beginning (at least to me). From my perspective, the biggest problem we had out at DZERO was the perception that instructions / strategies were developed "on the fly". From my experience, it appeared that no one actually tried to go to WRQ/Kerberos on NT, and then really use it (e.g. the ftp problem was pretty obvious). Let me give you another example. If you are like me, you don't like the WRQ secure terminal window. I tried to change fonts, and then my ability to edit the command line in tcsh on d0mino somehow stopped working... (I assume more bugs.) So instead I decided to pop an xterm back using Kerberos telnet (just like how I used Exceed). However, now if I don't think things through, and type kinit in my xterm window, then I've broadcast my principal on the network. It turns out that I think I have a solution, but it's subtle. All of this stems from WRQ not forwarding your principal. And I don't think this usage pattern is discussed (yet) in the documentation. At this time, everything is working fine for me. 
However it seemed to me that the "pilot" program really didn't include "real" NT users, and I was experiencing what I imagined a user in a pilot program might do. That was where my personal frustration developed. Hope this is useful. Please let me know if I can clarify anything. Regards, Harry 
From kreymer@fnal.gov Fri Dec 15 14:27:15 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16733 for ; Fri, 15 Dec 2000 14:27:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M002JYM5EHX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 14:27:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAF23@listserv.fnal.gov>; Fri, 15 Dec 2000 14:27:15 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128377 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 14:27:15 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BAF22@listserv.fnal.gov>; Fri, 15 Dec 2000 14:27:15 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M002J2M5EYO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 14:27:14 -0600 (CST) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA16729; Fri, 15 Dec 2000 14:27:14 -0600 Date: Fri, 15 Dec 2000 14:27:14 -0600 (CST) From: Art Kreymer Subject: Re: scp: fails to some nodes, succeeds to others; why? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Marc W. 
Mengel" Cc: "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 707 We have also had problems with this in CDF, trying to scp with a kerberos-enabled scp from cdfpca to a node which is probably not running the kerberized sshd. We CAN ssh between these nodes, both for logins, and to run commands. So I would consider this a bug, that scp is not falling back cleanly to non-kerberos mode when trying to reach nonkerberized nodes. We should be able to configure, on the command line or globally, not to try K4 connections. From kreymer@fnal.gov Fri Dec 15 15:41:26 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA16815 for ; Fri, 15 Dec 2000 15:41:26 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M002UJPL1YO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 15:41:26 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB050@listserv.fnal.gov>; Fri, 15 Dec 2000 15:41:25 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128705 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 15:41:25 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB04D@listserv.fnal.gov>; Fri, 15 Dec 2000 15:41:25 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0085NPL070@smtp.fnal.gov>; Fri, 15 Dec 2000 15:41:24 -0600 (CST) Date: Fri, 15 Dec 2000 15:41:24 -0600 (CST) From: Dane Skow Subject: RE: one users perspective In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Harry Melanson Cc: cjames@fnal.gov, Karen Shepelak 
, oss-mgmt@fnal.gov, compdiv@fnal.gov, kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 708 On Fri, 15 Dec 2000, Harry Melanson wrote: > Hi Dane, > > My comments were made during the process (and at home at the end of the > day)... Understood. As I told Cat, I'm GLAD she sent that. Most people grumble locally only and either give up or get a local workaround. People that will put in the extra work to improve the global situation are the minority and valued (even though both sender and receiver have to remember this and swallow the bile sometimes). That said, you understand that the lab is explicitly scrimping on many areas (including user support staff) in order to weather the drought from Washington and get on with Run II. > > The WRQ instructions are now straightforward. However, they changed over > time. For example, I reported that version 7's FTP neighborhood didn't > work. This seems to have initiated getting version 8. (BTW, I reported the > problem to the help desk, and there was significant confusion as to who > supported WRQ; see > http://csdserver1.fnal.gov/ars/cgi-bin/arweb.exe?O=1&Form=entry&ID=17571&s=c > sdserver1&S=CD%3aHelpDesk&WID=3&Ei=3 I'm guessing that the help desk now > has a better idea about WRQ.) There is still a (known) bug with the FTP > client and Irix. BTW, the WRQ instructions assume an FNAL domain user, but > DZERO has its own domain (e.g. no pckits). And then there was some > confusion about who pays for WRQ. This got straightened out, and our > current arrangement at DZERO is CD buys licenses for all FNAL DZERO > employees, and universities pay their own way. But this wasn't clear at the > beginning (at least to me). I'll take a look at the problem ticket. 
WRQ was chosen for a couple reasons: 1) because it was the only set of kerberized utilities that met the minimum requirements of telnet, ftp, and the other general utilities identified and 2) in hopes that the commercial product would come with better user help/ documentation/ support than could be provided by a local product (at least in the short term). I think the use of local clients vis a vis the CryptoCard access HAS changed over time. I think everyone has realized that the CryptoCard is required for "lowest common denominator" access and CD is covering the cost of those. The appeals for supplementary funds to implement the Kerberos system (in response to DOE requirements) have been denied so we're operating on a "share the pain" model. People tried hard and long to avoid that, hence the delay and confusion. > > From my perspective, the biggest problem we had out at DZERO was the > perception that instructions / strategies were developed "on the fly". From > my experience, it appeared that no one actually tried to go to WRQ/Kerberos > on NT, and then really use it (e.g. the ftp problem was pretty obvious). > > Let me give you another example. If you are like me, you don't like the WRQ > secure terminal window. I tried to change fonts, and then my ability to > edit the command line in tcsh on d0mino somehow stopped working... (I assume > more bugs.) So instead I decided to pop an xterm back using Kerberos telnet > (just like how I used Exceed). However, now if I don't think things > through, and type kinit in my xterm window, then I've broadcast my principal > on the network. It turns out that I think I have a solution, but it's > subtle. All of this stems from WRQ not forwarding your principal. And I > don't think this usage pattern is discussed (yet) in the documentation. > > At this time, everything is working fine for me. 
However it seemed to me > that the "pilot" program really didn't include "real" NT users, and I was > experiencing what I imagined a user in a pilot program might do. That was > where my personal frustration developed. I think you're pointing out the difference between the "can be done" evaluation of a pilot and the "realworld usability testing" of deployment documentation and advice. I can assure you that there certainly were tests done on WRQ as well as physicists selected to work through those issues. The deployment plan also called for supplemental effort to help the collaboration support groups to deal with just these issues. I can only relay that this was another casualty of budget tightening. I'd appreciate you continuing to relay the issues/solutions as you find them to kerberos-pilot so we can get the documentation and advice clarified for the later adopters. Yours, dane > > Hope this is useful. Please let me know if I can clarify anything. > > Regards, > > Harry > > > -----Original Message----- > From: Dane Skow [mailto:dane@fnal.gov] > Sent: Friday, December 15, 2000 1:32 PM > To: melanson@fnal.gov; cjames@fnal.gov > Cc: Karen Shepelak; oss-mgmt@fnal.gov; compdiv@fnal.gov; > kerberos-pilot@fnal.gov > Subject: Re: one users perspective > > > > Hi Cat, > > Karen forwarded your comments (thanks Karen) and I want to thank you > for taking the time to be specific in your needs and frustrations. I'd > like to press a bit more for feedback and have copied the groups who > have been developing the documentation that exists. > > For Kerberos instructions is Harry aware of the information at > http://www.fnal.gov/docs/strongauth/index.html ? Have these been rejected > as too "manually" ? or do they not meet the usage needs you're referring > to. > > On the ssh front, I think you are pointing out a current weakness. > We have been brokering licenses FSecure SSH for user support groups to > install. 
A number of groups have taken to using the freeware products > (Teraterm or PuTTY). And the integration of all of this with the > medium term migration to Kerberos authentication for Unix and NT is not > clear. I think it's been harder than desired for users to "do the right > thing", but partly that's been the cost of dealing with some of the > other issues. We can certainly work to help get information out to the > minos users. > > dane > > On Thu, 14 Dec 2000, Karen Shepelak wrote: > > > Hi Dane, Lisa, > > > > Thought I'd pass this along to you both. I think a lot of users > > share the same sentiment as Cat James. > > > > ------- Forwarded Message > > > > > > Date: Thu, 14 Dec 2000 13:46:03 -0600 > > From: Cat James > > Subject: ssh login and use information > > To: Karen Shepelak > > > > Organization: FNAL > > > > > > > > Howdy. In general I am in favor of secure connections and such and don't > > mind converting my habits. My comment today is more along the lines of > > "user support", and you can feel free to disseminate my comments to those > > who ought to be thinking about this. > > > > Specifically, there is next to no information on "how to" when a machine > is > > changed to ssh. Computing has what amounts to an ssh manual on the Web > > pages, which reads, well, like a manual. What is needed right up front is > a > > simple example of how to now proceed with your login........spell it right > > out, like "where you used to say telnet now type - - -" The manual online > > dives right into the many parameters and ssh commands that most people are > > never going to use, and it is not "user friendly". Next, there is NO > > information AT ALL on what to do if your desktop is an NT work-station and > > you've been using Exceed or some equivalent product. I just sent an email > > around to the local minos1 users on my floor about how to deal with this > > (using TeraTerm-Pro and TTSSH). 
I get grateful thank-yous from NT users > and > > the university guys who come in with NT laptops which they use as > terminals > > when visiting. Why can't Computing get out some information on how to use > > products like this to make secure connections to fnal nodes from non-linux > > platforms? > > > > And it looks like this same non-information habit is continuing with the > use > > of Kerberos. Again, installing Kerberos is not the issue, but instead > > posting useful information about how to use it properly. My husband Harry > > Melanson, reporting from D-Zero, tells me that using Kerberos is pretty > > obvious when you are on one Linux box and want to connect to another Linux > > box, but much less obvious when you are on an NT or Windows-2000 box and > > need to connect to a Linux box. It is less obvious, and again there is NO > > guidance from Computing as to how one should go about it. Computer-savvy > > people like my husband ask around and figure it out, but many physicists, > > while good at programming for their physics, are not real clued in to the > > details of operating systems, networks, and secure channels. Harry > comments > > that a large part of the non-information problem is in the group most > > responsible for moving us to Kerberos: they all sit in front of Linux > boxes, > > and thus make no thought for those who use some other platform as their > > primary desktop. And don't say that we are all moving to Linux - Linux is > > great for the serious computing, but until I can run all the Windows-type > > software products I use for my daily work on a Linux box, the desktop for > my > > daily work will be Windows (and I'm talking way more than the Office > > products). And what about all those people with Macs on their desks????? > > Still seem to be quite a few of those here in NuMI-MINOS land, and they > > still do physics computing on unix / linux machines. 
> > > > Please allocate some time and effort to create cook-book instructions for > > connecting to Unix / Linux from Windows / Mac desktops, for those who just > > want to keep doing their daily work. > > Cat James > > > > > > > > ------- End of Forwarded Message > > > > > > > > > > -- > > Karen > > SCS (Scientific Computing Support) > > > > > > > > > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Fri Dec 15 15:42:57 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA16819 for ; Fri, 15 Dec 2000 15:42:57 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M005J7PNK7D@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 15:42:57 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB056@listserv.fnal.gov>; Fri, 15 Dec 2000 15:42:57 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128711 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 15:42:57 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB055@listserv.fnal.gov>; Fri, 15 Dec 2000 15:42:57 -0600 Received: from CUERVO ([131.225.82.100]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5M0092JPNJC0@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 15:42:56 -0600 (CST) Date: Fri, 15 Dec 2000 15:42:56 -0600 From: "Mark O. 
Kaletka" Subject: RE: English lessons: Kerberos username proposal take 2 (fwd) In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow , Anne Heavey Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 709 > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Dane Skow > Sent: Monday, December 11, 2000 3:31 PM > To: Anne Heavey > Cc: kerberos-pilot@fnal.gov > Subject: Re: English lessons: Kerberos username proposal take 2 (fwd) > > > Anne, > > Sorry for the delay but one reason for the handoff last week was I was > swamped. I believe you've got it. For Stephan's comments, I think Matt > and Mark would have a better answer than I. >...snip...< > I don't believe there are problems associated with using the numbers, > however, I would not recommend differentiation by letter cases. I believe > Stephan is correct in saying that "boss@PILOT.FNAL.GOV" is different to > Kerberos than "Boss@PILOT.FNAL.GOV" or "BOSS@PILOT.FNAL.GOV" but I think > it would be foolish of us to assign those to different persons. The > convention so far has been to have the username lower case. I would > recommend we keep that. > > Dane >...snip...< Yes, I agree with Dane's statements, while technically possible it would be foolish to do it. The common convention is that the principal name is in all lower case and the realm name is in all UPPER CASE. -- Mark K. 
From kreymer@fnal.gov Fri Dec 15 15:49:59 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA16823 for ; Fri, 15 Dec 2000 15:49:58 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M004SIPZA2A@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 15:49:58 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB077@listserv.fnal.gov>; Fri, 15 Dec 2000 15:49:58 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128745 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 15:49:58 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB076@listserv.fnal.gov>; Fri, 15 Dec 2000 15:49:58 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M002STPZ9YH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 15:49:57 -0600 (CST) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id eBFLnnC21018; Fri, 15 Dec 2000 15:49:49 -0600 (CST) Date: Fri, 15 Dec 2000 15:49:49 -0600 From: Anne Heavey Subject: Re: English lessons: Kerberos username proposal take 2 (fwd) In-reply-to: "Your message of Fri, 15 Dec 2000 15:42:56 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" , kerberos-pilot@fnal.gov Cc: aheavey@fsui02.fnal.gov Message-id: <200012152149.eBFLnnC21018@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 710 > > Yes, I agree with Dane's statements, while technically possible it would be > foolish to do it. 
The common convention is that the principal name is in all > lower case and the realm name is in all UPPER CASE. > > -- Mark K. > How's this: New principals should be chosen to be 8 or fewer characters, and may include a variety of characters. We strongly recommend using only lowercase letters (and numbers, if convenient). The characters @ and / must be avoided in principal names. Or would you prefer that I say "use ONLY lowercase letters" or "use ONLY lowercase letters and numbers"? -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Fri Dec 15 16:05:37 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA16862 for ; Fri, 15 Dec 2000 16:05:37 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M007ARQP8ZH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Dec 2000 16:05:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB0B0@listserv.fnal.gov>; Fri, 15 Dec 2000 16:05:32 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 128803 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 15 Dec 2000 16:05:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BB0AF@listserv.fnal.gov>; Fri, 15 Dec 2000 16:05:32 -0600 Received: from b0sun01.fnal.gov ([131.225.232.72]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5M0089BQP770@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 15 Dec 2000 16:05:31 -0600 (CST) Date: Fri, 15 Dec 2000 16:05:31 -0600 (CST) From: Stephan Lammel Subject: Re: English lessons: Kerberos username proposal take 2 (fwd) In-reply-to: 
<200012152149.eBFLnnC21018@fsui02.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Anne Heavey Cc: "Mark O. Kaletka" , kerberos-pilot@fnal.gov, aheavey@fsui02.fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 711 I would vote for "use ONLY lowercase letters and numbers". It might be a bit restrictive but is the most safe approach. Stephan From kreymer@fnal.gov Mon Dec 18 08:35:18 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA26528 for ; Mon, 18 Dec 2000 08:35:17 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R00N8KPUS3O@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Mon, 18 Dec 2000 08:35:16 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA28648; Mon, 18 Dec 2000 08:35:16 -0600 (CST) Date: Mon, 18 Dec 2000 08:35:16 -0600 From: Matt Crawford Subject: Re: scp: fails to some nodes, succeeds to others; why? In-reply-to: "15 Dec 2000 14:27:14 CST." Sender: crawdad@gungnir.fnal.gov To: Art Kreymer Cc: "Marc W. Mengel" , "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Message-id: <200012181435.IAA28648@gungnir.fnal.gov> Status: RO X-Status: A X-Keywords: X-UID: 712 Maybe the following is unsatisfactory from a "habits and education" point of view, but it's quite logical ... I see no reason to ever use a kerberized scp, since Kerberized rcp is safe in its authentication and leaves the encryption of the data optional rather than mandatory. But I don't see why we can't make it work. Is it a problem of preserving argv[] integrity, because scp constructs arguments with spaces? args[i++] = "-oFallBackToRsh no"; args[i++] = "-oClearAllForwardings yes"; // ... if (batchmode) args[i++] = "-oBatchMode yes"; and so on? 
From kreymer@fnal.gov Mon Dec 18 08:44:57 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA27025 for ; Mon, 18 Dec 2000 08:44:57 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R00NAYQAW4M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 18 Dec 2000 08:44:57 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BBEC8@listserv.fnal.gov>; Mon, 18 Dec 2000 08:44:56 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 132807 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 18 Dec 2000 08:44:56 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BBEC7@listserv.fnal.gov>; Mon, 18 Dec 2000 08:44:56 -0600 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R00N9NQAW44@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 18 Dec 2000 08:44:56 -0600 (CST) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA27021; Mon, 18 Dec 2000 08:44:55 -0600 Date: Mon, 18 Dec 2000 08:44:54 -0600 (CST) From: Art Kreymer Subject: Re: scp: fails to some nodes, succeeds to others; why? In-reply-to: <200012181435.IAA28648@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: "Marc W. Mengel" , "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 713 Kerberized scp is needed because our scripts must work on systems which are not yet fully kerberized, but which are fully ssh'd. Many cannot be kerberized except at the client level. 
They are shared with other projects, and we do not have root access. From kreymer@fnal.gov Mon Dec 18 09:01:09 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA27761 for ; Mon, 18 Dec 2000 09:01:08 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R00NCNR1V45@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 18 Dec 2000 09:01:07 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BBEEC@listserv.fnal.gov>; Mon, 18 Dec 2000 09:01:07 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 132843 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 18 Dec 2000 09:01:07 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BBEEB@listserv.fnal.gov>; Mon, 18 Dec 2000 09:01:07 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R00NF2R1U3T@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 18 Dec 2000 09:01:06 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 18 Dec 2000 09:01:07 -0600 Content-return: allowed Date: Mon, 18 Dec 2000 09:01:06 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15338 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76114EA6@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 714 15338 has been updated by trb. 
Short Description : authentication error with reflection New Work Log Entry : From: "Carmenita Moore" To: "ARSystem" Subject: Re: HelpDesk Problem 000000000015338 - Information needed Date: Monday, December 18, 2000 8:25 AM please keep this ticket open. I have contacted Mark Kaletka, who already has WRQ running successfully from win2k for help - but a resolution to my problem is still pending. At present, I'm using ssh to log in. Thanks, -Carmenita- From kreymer@fnal.gov Mon Dec 18 12:13:29 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA30992 for ; Mon, 18 Dec 2000 12:13:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R006M1ZLFL5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 18 Dec 2000 12:05:40 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BC1FB@listserv.fnal.gov>; Mon, 18 Dec 2000 12:05:40 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 133676 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 18 Dec 2000 12:05:40 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BC1FA@listserv.fnal.gov>; Mon, 18 Dec 2000 12:05:39 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R006KOZL8EH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 18 Dec 2000 12:05:39 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 18 Dec 2000 12:05:32 -0600 Content-return: allowed Date: Mon, 18 Dec 2000 12:05:20 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 15338 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: 
<318CC3D38BE0D211BB1200105A093F7611E929@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 715 This reminder created on 12/18/00 12:03:45 PM Ticket 15338 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Work In Progress First Name : CARMENITA Last Name (+) : MOORE Phone : 2288 E-Mail Address : CARMENITA@FNAL.GOV Incident Time : 11/21/00 5:21:39 PM System Name : Problem Category : Software Type : Utilities Item : Wrq/Reflections Urgency : Medium Short Description : authentication error with reflection Problem Description : I have modified Reflection Kerberos Manager to have moore as the principal. I've double checked the installation instructions against what I did - still when I authenticate, I get Client Principal not found in kerberos database (KDC006). This is on my win2k laptop. I read that the system you were on had to have user name that matched the kerberos principal. Does that apply to win2k systems too ? Just in case, I created a "moore" account on my laptop but couldn't authenticate from it either - same message as above. I was able to kpasswd and change my kerberos password for moore. It couldn't find carmenita which I also find curious as Yolanda created a "carmenita" principal for me also - since that's my mail server name. help. -Carmenita- Matt Crawford wrote: > > When I try to authenticate I get: > > > > Client Principal not found in kerberos database (KDC006) > > > > I have had the account by yolanda had to reset the password for me - > > which she did today... > > There's no Kerberos principal "carmenita", or even "carmenit", so > yours must be "moore". (The mail server knows you as both, which I'm > sure will continue to cause a bit of confusion, but since your Unix > username seems to be moore, it shouldn't be too bad.) You'll have to > make sure you have that filled in in the Reflection Kerberos Manager. 
> > I see where you ran into a "password expired" problem on Sep 10, Oct > 16, Nov 6 and Nov 14 and some other error on Nov 17. Right now I see > that your password was changed by valadez on Nov 20. Give it a try > with the new password, would you? > > And I have your Cryptocard request in the queue and I'll be working > on the backlog today. > Matt From kreymer@fnal.gov Mon Dec 18 12:13:29 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA30994 for ; Mon, 18 Dec 2000 12:13:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R007FZZKVK1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 18 Dec 2000 12:05:20 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BC1BD@listserv.fnal.gov>; Mon, 18 Dec 2000 12:05:20 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 133614 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 18 Dec 2000 12:05:20 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BC1BB@listserv.fnal.gov>; Mon, 18 Dec 2000 12:05:20 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5R006K4ZKPEH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 18 Dec 2000 12:05:19 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 18 Dec 2000 12:05:12 -0600 Content-return: allowed Date: Mon, 18 Dec 2000 12:05:08 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 15670 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611E8F7@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service 
This reminder created on 12/18/00 12:03:14 PM

Ticket 15670 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : RICHARD
Last Name (+) : PARTRIDGE
Phone : 8702
E-Mail Address : PARTRIDGE@HEP.BROWN.EDU
Incident Time : 12/13/00 12:07:44 PM
System Name :
Problem Category : Software
Type : Utilities
Item : Cryptocard
Urgency : Medium
Short Description : Can't use Cryptocard with regular telnet
Problem Description :
When I telnet to d0mino.fnal.gov from my PC with any of several different Telnet programs I get a "login:" prompt. If I type in either "partridge" or "partridge@PILOT.FNAL.GOV", I get a "login incorrect" message. I thought this was how I was supposed to access these machines using a Cryptocard. What am I doing wrong?

Please note that when I am at my normal desktop PC, I use a Kerberos client (Mink) to login and use a Kerberized Telnet (Hummingbird Exceed V7.0). This works fine except for some reason it has recently started prompting me for my Cryptocard response right after I enter my Kerberos password... I just cancel this and get my ticket OK. Thus, I don't always use the Cryptocard for logging in, only when I am not using my desktop computer. However, things seem to behave exactly the opposite of what would be expected (i.e., I get the Cryptocard challenge/response dialog when I try a Kerberos login, instead of when I use regular telnet).

Thanks for your help.
Regards,
Richard Partridge

From kreymer@fnal.gov Mon Dec 18 14:56:23 2000 -0600
Date: Mon, 18 Dec 2000 14:56:21 -0600
From: Matt Crawford
Subject: Re: English lessons: Kerberos username proposal take 2 (fwd)
To: Anne Heavey
Cc: "Mark O. Kaletka", kerberos-pilot@fnal.gov

I concur with the sentiment to recommend "lowercase US-ASCII letters and digits". Just because a bit more variety is possible doesn't mean we should encourage it.
Sooner or later we'll hook into some system that chokes on other characters. In fact, a colon in a username would give Unix serious heartburn, and any of :[]!%+";' would be likely trouble for the mail server. I'm sure we could come up with even more examples, even without resorting to the non-printing characters, if we knocked our heads together.

From kreymer@fnal.gov Mon Dec 18 15:15:09 2000 -0600
Date: Mon, 18 Dec 2000 15:15:08 -0600 (CST)
From: Dane Skow
Subject: tcpwrapping kerberos services
To: kerberos-pilot@fnal.gov

It was pointed out during a recent OSS dept meeting that if services are present on a machine TCP wrappered but commented out, then the equivalent
kerberized versions are enabled unwrapped by the current install. I think this is not the appropriate default, but should it be:

a) enabled but wrappered, or
b) installed wrappered but commented out.

I suspect that either would be a minor change to the next version.

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Tue Dec 19 08:49:09 2000 -0600
Date: Tue, 19 Dec 2000 08:49:06 -0600
From: Richard Jetton
Subject: rcp problem
To: kerberos-pilot@fnal.gov
Cc: cdfsys@fnal.gov

Hello,

We ran into an interesting problem yesterday when trying to move a large Oracle export file between
two Solaris platforms. Here's a listing of the occurrence.

fcdfora1:/cdf/dbs_bkup/export/cdfofint$ ls -l
total 5403584
-rw-r--r--   1 oracle   dba      2765227008 Dec 18 11:13 exp_cdfofint_full_Mon.dmp
-rw-r--r--   1 oracle   dba           32361 Dec 18 11:13 exp_cdfofint_full_Mon.log
-rwxr-xr-x   1 oracle   dba             476 Oct 10 09:45 full_export_cdfofint
fcdfora1:/cdf/dbs_bkup/export/cdfofint$ /usr/krb5/bin/rcp exp_cdfofint_full_Mon.dmp fcdfora2:/tmp
rcp: exp_cdfofint_full_Mon.dmp: Value too large for defined data type
fcdfora1:/cdf/dbs_bkup/export/cdfofint$

My work-around for this was to use split to break the file into smaller (under 2GB) pieces, move them and then use cat to bring them back together on the second node. Of course, we probably could have compressed this particular file enough to move it, but that isn't always going to be the case.

By the way, /usr/krb5/bin/ftp gave a similar error when we tried to move the single large file.

I'll also mention that Solaris has a man page named "largefile" which states that the Solaris versions of rcp and ftp handle files of this size.
-- Richard

From kreymer@fnal.gov Tue Dec 19 10:26:37 2000 -0600
Date: Tue, 19 Dec 2000 10:26:35 -0600
From: "Mark O. Kaletka"
Subject: How to get NON-forwardable tickets?
To: Kerberos Pilot List

On a system with krb5.conf with:

[appdefaults]
>...snip...<
forwardable = true

how do I kinit and request NON-forwardable tickets? Without changing the krb5.conf file, that is.
All I see in the man pages is kinit -f to request forwardable tickets; I'd like to override what's in [appdefaults].

-- Mark K.

From kreymer@fnal.gov Tue Dec 19 10:52:16 2000 -0600
Date: Tue, 19 Dec 2000 10:52:14 -0600
From: Glenn Cooper
Subject: Re: How to get NON-forwardable tickets?
To: "Mark O. Kaletka"
Cc: Kerberos Pilot List
Reply-to: gcooper@fnal.gov

Looks like "kinit -F" will do it.

Glenn

On Tue, 19 Dec 2000, Mark O.
Kaletka wrote:

> On a system with krb5.conf with:
>
> [appdefaults]
>
> >...snip...<
>
> forwardable = true
>
> how do I kinit and request NON-forwardable tickets? Without changing the
> krb5.conf file, that is. All I see in the man pages is kinit -f to request
> forwardable tickets; I'd like to override what's in [appdefaults].
>
> -- Mark K.
>

From kreymer@fnal.gov Tue Dec 19 11:12:48 2000 -0600
Date: Tue, 19 Dec 2000 11:08:18 -0600
From: Anne Heavey
Subject: Re: How to get NON-forwardable tickets?
To: gcooper@fnal.gov
Cc: "Mark O.
Kaletka", Kerberos Pilot List

Is there by any chance an -N option for kinit? I ask because the kerberized telnet has one that turns off forwarding (at least that's what I documented once upon a time!)

--Anne

> Looks like "kinit -F" will do it.
> Glenn
>
>
> On Tue, 19 Dec 2000, Mark O. Kaletka wrote:
>
> > On a system with krb5.conf with:
> >
> > [appdefaults]
> >
> > >...snip...<
> >
> > forwardable = true
> >
> > how do I kinit and request NON-forwardable tickets? Without changing the
> > krb5.conf file, that is. All I see in the man pages is kinit -f to request
> > forwardable tickets; I'd like to override what's in [appdefaults].
> >
> > -- Mark K.
> >

-- Anne
Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Tue Dec 19 11:20:16 2000 -0600
Date: Tue, 19 Dec 2000 11:18:42 -0600
From: Matt Crawford
Subject: Re: How to get NON-forwardable tickets?
To: "Mark O. Kaletka"
Cc: Kerberos Pilot List

> On a system with krb5.conf with:
>
> [appdefaults]
> >...snip...<
> forwardable = true
>
> how do I kinit and request NON-forwardable tickets? Without changing the
> krb5.conf file, that is. All I see in the man pages is kinit -f to request
> forwardable tickets; I'd like to override what's in [appdefaults].

kinit -F

Did that not make it into the man page? Damn, it didn't. Wow, it didn't even make it into the usage string. Lazy slipshod MIT hackers. I'll put it in.
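Since the "kinit -F" thread above ends without a way to confirm the result, here is an added example (not from the list or the krb5 distribution) that reads "klist -f" output and reports whether the TGT still carries the forwardable flag. The klist listings inside it are constructed, with a made-up principal name and times; only the realm PILOT.FNAL.GOV is from the list.

```shell
#!/bin/sh
# Added example, not from the kerberos-pilot list: check that "kinit -F" really
# gave a non-forwardable TGT on a host whose krb5.conf says "forwardable = true".
# It parses "klist -f" output, where klist prints the flag letters on the line
# after each ticket ("\tFlags: FIA", or "\trenew until ..., Flags: FRIA").

# tgt_flags REALM: read "klist -f" output on stdin, print the flag letters of
# krbtgt/REALM@... Exit 0 on success, 1 if the cache has no TGT for REALM,
# 2 if the TGT has no Flags line after it (klist was run without -f).
tgt_flags() {
    awk -v realm="$1" '
        found && !done {
            done = 1
            if (index($0, "Flags: ") == 0) exit 2
            sub(/.*Flags: */, "")
            print
            exit 0
        }
        index($NF, "krbtgt/" realm "@") == 1 { found = 1 }
        END { if (!found) exit 1; if (!done) exit 2 }
    '
}

# tgt_forwardable REALM: exit 0 if the TGT on stdin carries the F (forwardable)
# flag, 1 if it does not, 2 if that cannot be determined (see tgt_flags).
tgt_forwardable() {
    flags=$(tgt_flags "$1") || return 2
    case $flags in
        *F*) return 0 ;;
        *)   return 1 ;;
    esac
}

# sample_listing FLAGS: constructed "klist -f" output (not a real capture) for
# the list's realm, with FLAGS on the TGT; an empty FLAGS omits the Flags lines,
# which is what plain "klist" without -f prints.
sample_listing() {
    printf 'Ticket cache: /tmp/krb5cc_2\n'
    printf 'Default principal: someone@PILOT.FNAL.GOV\n\n'
    printf 'Valid starting     Expires            Service principal\n'
    printf '12/19/00 10:26:35  12/20/00 12:26:35  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV\n'
    if [ -n "$1" ]; then printf '\tFlags: %s\n' "$1"; fi
    printf '12/19/00 10:30:01  12/20/00 12:26:35  host/fsui02.fnal.gov@PILOT.FNAL.GOV\n'
    if [ -n "$1" ]; then printf '\tFlags: %s\n' "$(printf '%s' "$1" | tr -d I)"; fi
}

# Stand-alone run over the samples. Against a live cache, use instead:
#   klist -f | tgt_forwardable PILOT.FNAL.GOV
for f in FIA IA ""; do
    rc=0
    sample_listing "$f" | tgt_forwardable PILOT.FNAL.GOV || rc=$?
    case $rc in
        0) echo "sample [$f]: TGT is forwardable, kinit -F did not take effect" ;;
        1) echo "sample [$f]: TGT is not forwardable" ;;
        *) echo "sample [$f]: cannot tell, rerun klist with -f" ;;
    esac
done
```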
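Returning to Dane Skow's "tcpwrapping kerberos services" message earlier in this digest, here is an added audit script (not from the list or the Fermilab kerberos product) that finds, in an inetd.conf, services whose tcpd-wrapped entry is commented out while an equivalent entry is enabled without tcpd, and prints the wrapped form of each unwrapped entry. The inetd.conf it works on is constructed; the /usr/krb5/sbin/* daemon paths and the tcpd path are assumptions, and only "telnetd -Pa valid" is taken from the list.

```shell
#!/bin/sh
# Added example, not from the kerberos-pilot list: audit an inetd.conf for the
# situation Dane Skow describes, a service whose tcpd-wrapped entry is present
# but commented out while an equivalent entry is enabled without tcpd, and
# print the wrapped form of each unwrapped entry (his option a). The sample
# inetd.conf is constructed; the /usr/krb5/sbin/* paths and the tcpd path are
# assumptions, only "telnetd -Pa valid" is taken from the list.

# inetd_unwrapped FILE: "SERVICE PROGRAM" for every enabled entry whose server
# program (field 6) is not tcpd, sorted by service name.
inetd_unwrapped() {
    awk '
        /^[ \t]*#/ || NF < 6 { next }
        $6 !~ /(^|\/)tcpd$/  { print $1, $6 }
    ' "$1" | sort
}

# inetd_wrapped_off_but_enabled FILE: "SERVICE PROGRAM" for every service that
# has BOTH a commented-out tcpd entry and an enabled entry that bypasses tcpd.
# A kerberized service registered under another name (kshell beside #shell) is
# not paired here, which is why inetd_unwrapped is worth reading as well.
inetd_wrapped_off_but_enabled() {
    awk '
        {
            line = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", line)
            sub(/^[ \t]+/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 6) next
            wrapped = (f[6] ~ /(^|\/)tcpd$/)
            if (commented && wrapped)   off_wrapped[f[1]] = 1
            if (!commented && !wrapped) enabled_plain[f[1]] = f[6]
        }
        END {
            for (s in enabled_plain)
                if (s in off_wrapped) print s, enabled_plain[s]
        }
    ' "$1" | sort
}

# inetd_wrapped_form FILE [TCPD]: each enabled entry that bypasses tcpd,
# rewritten to run through tcpd. tcpd takes the real daemon path as its argv[0],
# so field 6 becomes TCPD and the old program path replaces the old argv[0];
# remaining arguments are kept. TCPD defaults to /usr/sbin/tcpd (assumption).
inetd_wrapped_form() {
    awk -v tcpd="${2:-/usr/sbin/tcpd}" '
        /^[ \t]*#/ || NF < 6 { next }
        $6 !~ /(^|\/)tcpd$/ {
            out = $1 " " $2 " " $3 " " $4 " " $5 " " tcpd " " $6
            for (i = 8; i <= NF; i++) out = out " " $i
            print out
        }
    ' "$1"
}

# write_sample_inetd FILE: constructed inetd.conf in the shape described on the
# list: plain services wrapped and then commented out, kerberized ones enabled
# without tcpd.
write_sample_inetd() {
    cat > "$1" <<'EOF'
# plain services, wrapped, then disabled when kerberos was installed
#telnet  stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
#ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
#shell   stream  tcp  nowait  root    /usr/sbin/tcpd  in.rshd
finger   stream  tcp  nowait  nobody  /usr/sbin/tcpd  in.fingerd
# kerberized services enabled by the install, not routed through tcpd
telnet   stream  tcp  nowait  root    /usr/krb5/sbin/telnetd  telnetd -Pa valid
ftp      stream  tcp  nowait  root    /usr/krb5/sbin/ftpd     ftpd
kshell   stream  tcp  nowait  root    /usr/krb5/sbin/kshd     kshd
EOF
}

# Stand-alone run over the sample; point the functions at /etc/inetd.conf
# on a real host.
sample=${TMPDIR:-/tmp}/inetd.sample.$$
write_sample_inetd "$sample"
echo "enabled without tcpd:"
inetd_unwrapped "$sample"
echo "wrapped entry commented out, unwrapped entry enabled:"
inetd_wrapped_off_but_enabled "$sample"
echo "proposed wrapped entries:"
inetd_wrapped_form "$sample"
rm -f "$sample"
```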
From kreymer@fnal.gov Tue Dec 19 13:05:24 2000 -0600
Date: Tue, 19 Dec 2000 13:05:22 -0600
From: Matt Crawford
Subject: Re: How to get NON-forwardable tickets?
To: Anne Heavey
Cc: Kerberos Pilot List

> Is there by any chance an -N option for kinit? I ask because the
> kerberized telnet has one that turns off forwarding (at least that's
> what I documented once upon a time!)

There's no -N.
Maybe I should add it, as a synonym for -F, just for consistency with telnet? No, never mind, because telnet has a -F which will never be consistent with kinit's -F.

From kreymer@fnal.gov Tue Dec 19 16:39:59 2000 -0600
Date: Tue, 19 Dec 2000 16:39:53 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15769 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"

15769 has been updated by trb.
Short Description : rsh and Rexec and FTP]
New Work Log Entry :
From: "Alan M Jonckheere"
To: "ARSystem"
Cc: ; "d0-admin"
Subject: Re: Help Desk Ticket 15769 Has Been Resolved.
Date: Tuesday, December 19, 2000 4:32 PM

Oh *great*! That is definitely *not* what we were told when I went through the early "what if" sessions. Off site people need to do a *lot* more than just login! In my opinion, rsh and rcp have *got* to work in some fashion from a non-kerberos'd system. rexec would also be nice, but probably not crucial (rsh can do its job I think). So, yes, reopen it and send it to Matt Crawford.

Alan

--------------< ReOpened AR ticket. Matt ?

Ticket ReOpened the Previous Solution was :
We have implemented in D0 what has been implemented in the Fermilab kerberos product. I don't know of any plans to kerberize rexecd. I don't know of any plans to have rsh fail over to cryptocard. There are plans to have ftp fail over to the cryptocard but the work hasn't been done yet. Whenever that work has been done and the kerberos product with the ftp failover feature is rolled out we will implement it. If this ticket was meant to ask for those new features, please re-open this ticket or open a new ticket and specifically ask that it be assigned to the security folks so that they can decide whether or not to implement those new features as that is out of the D0 task force's hands.
joe

From kreymer@fnal.gov Tue Dec 19 16:40:01 2000 -0600
Date: Tue, 19 Dec 2000 16:39:53 -0600
From: ARSystem
Subject: 000000000015769 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"

CRAWFORD, MATT, Help Desk Ticket #000000000015769 has been assigned to you. It is a(n) Medium priority Operating System/Unix /Access type of problem.
Short description: rsh and Rexec and FTP]
Badge # (+) : 03000N
First Name : ALAN
Last Name (+) : JONCKHEERE
Phone : 3158
E-Mail Address : JONCKHEERE@FNAL.GOV
Incident Time : 12/19/00 9:57:20 AM
System Name : D0MINO
Urgency : Medium

Public Work Log :
12/19/00 10:13:09 AM trb
Joe, can you assist?

12/19/00 4:39:07 PM trb
From: "Alan M Jonckheere"
To: "ARSystem"
Cc: ; "d0-admin"
Subject: Re: Help Desk Ticket 15769 Has Been Resolved.
Date: Tuesday, December 19, 2000 4:32 PM

Oh *great*! That is definitely *not* what we were told when I went through the early "what if" sessions. Off site people need to do a *lot* more than just login! In my opinion, rsh and rcp have *got* to work in some fashion from a non-kerberos'd system. rexec would also be nice, but probably not crucial (rsh can do its job I think). So, yes, reopen it and send it to Matt Crawford.

Alan

--------------< ReOpened AR ticket. Matt ?

Ticket ReOpened the Previous Solution was :
We have implemented in D0 what has been implemented in the Fermilab kerberos product. I don't know of any plans to kerberize rexecd. I don't know of any plans to have rsh fail over to cryptocard. There are plans to have ftp fail over to the cryptocard but the work hasn't been done yet. Whenever that work has been done and the kerberos product with the ftp failover feature is rolled out we will implement it. If this ticket was meant to ask for those new features, please re-open this ticket or open a new ticket and specifically ask that it be assigned to the security folks so that they can decide whether or not to implement those new features as that is out of the D0 task force's hands.

joe

Problem Description :
From: "Alan M Jonckheere"
To: ; "d0-admin"
Subject: [Fwd: Re: rsh and Rexec and FTP]
Date: Tuesday, December 19, 2000 9:57 AM

I believe that rsh on d0mino and the other D0 machines is supposed to "failover" to use the cryptocard if you don't have a kerberos ticket. The same for ftp. Neither do.
Only telnet seems to do that failover.

Also, rexec doesn't appear to be kerberos'd. It just fails. Gives the old "Permission denied" message trying to access .netrc (owned by root on our machines), and then connection refused. So it looks like it's shut off and no kerberos version has replaced it.

Alan

-------- Original Message --------
Subject: Re: rsh and Rexec and FTP
Date: Tue, 19 Dec 2000 09:47:51 -0600
From: Alan M Jonckheere
Organization: D0 at Fermilab
To: "Dean Schamberger, SUNY at Stony Brook"
CC: D0 Accounts, fagan@fnal.gov
References: <001219094905.20200180@cusb.physics.sunysb.edu>

rsh has been reenabled, if you have a kerberos ticket. But it doesn't failover to the cryptocard as I think it should. rexec doesn't appear to be kerberos'd. You'd have to ask the security guys about that one (dcd_security_team@fnal.gov).

When they switched to the kerberos'd ftp they found a major problem, i.e. it didn't work. That is, it too didn't failover to the cryptocard. So Dave re-enabled the old (open) one. Working out bugs that couldn't be tested until the system was closed.

Alan

"Dean Schamberger, SUNY at Stony Brook" wrote:
>
> Hi Alan,
> What is the state of Rsh and Rexec on D0mino? I thought they were going to
> be "re-enabled" on Monday, but it looks like that was not done, right? When
> will it happen? Also, I see that FTP is still OPEN access. Is there a
> "schedule" for closing that security hole?
>
> Dean

From kreymer@fnal.gov Thu Dec 21 07:47:37 2000 -0600
Date: Thu, 21 Dec 2000 07:47:33 -0600
From: Al Lilianstrom
Subject: ksu problem
To: kerberos-pilot@fnal.gov

I installed kerberos on one of my Sun systems yesterday and all went well until I
tried to ksu to root.

bash-2.03$ klist
Ticket cache: /tmp/krb5cc_2
Default principal: lilstrom@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
12/20/00 15:09:28  12/21/00 17:09:28  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV

bash-2.03$ date
Thu Dec 21 07:36:26 CST 2000
bash-2.03$ more /.k5login
lilstrom@PILOT.FNAL.GOV
bash-2.03$ ksu root
ksu: Server not found in Kerberos database while geting credentials from kdc
Authentication failed.

There were no errors reported in the installation. I did this on a Linux system a couple of weeks ago and had no problems. Is this telling me I typed my machine principal password incorrectly during the install or ?

al

--
Al Lilianstrom
lilianstrom@fnal.gov

From kreymer@fnal.gov Thu Dec 21 08:09:02 2000 -0600
(CET)
Date: Thu, 21 Dec 2000 15:09:10 +0100
From: Stefano Belforte
Subject: [Fwd: unrestricted telnet]
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A420F06.7C897146@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: multipart/mixed; boundary=------------052C2C5641A971985C131897
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 728

This is a multi-part message in MIME format.
--------------052C2C5641A971985C131897
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

I still have no answer for this problem. We disabled the second inetd process on that machine that is used for AFS. No change.

Is it possible that there was a problem with the /usr/krb5 installation (e.g. something related to keys...) that was not flagged on the screen and causes the behavior I see? I would have imagined that if there was an installation error it would just not work, not allow anybody in.

I repeat, it is not only that /usr/krb5/telnetd does not accept kerberos tickets nor prompts for cryptocard in portal mode, it just lets any user in without asking for a password after a simple

  login: Key table entry not found while getting initial credentials

message.

I understand it will be difficult to get an answer before new year, but, please, do not forget this. I attach the /etc/krb5.conf file, in case it helps.

Stefano

-------- Original Message --------
Subject: unrestricted telnet
Date: Fri, 15 Dec 2000 16:29:23 +0100
From: Stefano Belforte
To: kerberos-pilot@fnal.gov

I have found again the situation when the telnetd server installed by fermi kerberos allows access without password to any user. Last summer this happened on my OSF machine in Trieste, was blamed on some fancier version of OSF password security file that we run here, we disabled all telnet and rlogin and "forgot". Now I installed kerberos on a Linux machine (pclx06.ts.infn.it).
I also tried to install host/ftp principals using the password I got from compdiv@fnal.gov. It all went smoothly. But the fermi telnet server allows any user to log in from the local lan without password. I.e.:

telnet from offsite is disabled (I expected porta...):

  belforte@fcdfsgi2/~ > telnet pclx06.ts.infn.it
  Trying 140.105.221.15...
  Connected to pclx06.ts.infn.it (140.105.221.15).
  Escape character is '^]'.
  Connection closed by foreign host.

telnet from the TS lan is an open door:

  belforte@quark.ts.infn.it/~> /usr/bin/telnet pclx06 -l gomezel
  Trying 140.105.221.15...
  Connected to pclx06.ts.infn.it.
  Escape character is '^]'.
  Red Hat Linux release 6.2 (Zoot)
  Kernel 2.2.16-3 on an i686
  login: Client not found in Kerberos database while getting initial credentials
  You have new mail.
  [gomezel@pclx06 ~]$
  [gomezel@pclx06 ~]$ who am i
  pclx06.ts.infn.it!gomezel  ttyp1  Dec 15 16:09
  [gomezel@pclx06 ~]$
  [gomezel@pclx06 ~]$ ps auxw|grep telnet
  root      6681  0.0  0.6  1988  848  ?      S  16:09  0:00 telnetd -Pa valid
  gomezel   6723  0.0  0.4  1360  516  ttyp1  S  16:12  0:00 grep telnet

so it is really the -Pa valid, i.e. portal telnetd giving the problem. This is going to make user gomezel (my system manager by the way) VERY upset at me.

If I specify a nonexistent user name, the telnet attempt is closed with a Login incorrect message.

Ideas? Please, tell me what to do.... I know I can remove telnetd etc. from /etc/inetd.conf, but I would like to be able to get INTO this machine somehow using kerberos tickets or cryptocard. Also, differently from OSF this is THE op.sys. I expect to use for Run2, so I DO care this time. Maybe the problem is my AFS local installation... Anyhow I think you should know that these things happen and may end up being un-noticed for a while.
I am using kerberos v0_6 flavor Linux+2.2

Stefano

--------------052C2C5641A971985C131897
Content-Type: text/plain; charset=us-ascii; name="krb5.conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline; filename="krb5.conf"

# krb5conf v0_6a with afs on node pclx06.ts.infn.it automatic update 12Dec2000
[libdefaults]
    ticket_lifetime = 1560
    default_realm = PILOT.FNAL.GOV
    checksum_type = 1
    ccache_type = 2
    default_tgs_enctypes = des-cbc-crc
    default_tkt_enctypes = des-cbc-crc

[realms]
    PILOT.FNAL.GOV = {
        kdc = krb-pilot-1.fnal.gov:88
        kdc = krb-pilot-2.fnal.gov:88
        admin_server = krb-pilot-admin.fnal.gov
        default_domain = fnal.gov
    }

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV

[logging]
    default = SYSLOG:ERR:AUTH

[instancemapping]
    afs = {
        cron = ""
        cron/* = ""
    }

[appdefaults]
    default_lifetime = 7d
    retain_ccache = false
    autologin = true
    forward = true
    forwardable = true
    renewable = true
    encrypt = true
    krb5_aklog_path = /usr/krb5/bin/aklog
    telnet = {
    }
    rcp = {
        forward = false
        encrypt = false
        allow_fallback = true
    }
    rsh = {
        allow_fallback = true
    }
    rlogin = {
        allow_fallback = false
    }
    login = {
        krb5_run_aklog = true
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false
    }
    kinit = {
        krb5_run_aklog = true
    }
    rshd = {
        krb5_run_aklog = true
    }

--------------052C2C5641A971985C131897--

From kreymer@fnal.gov Thu Dec 21 10:38:36 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15061 for ; Thu, 21 Dec 2000 10:38:36 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5X00D6SFKBH5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 21 Dec 2000 10:38:36 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BE3AA@listserv.fnal.gov>; Thu, 21 Dec 2000 10:38:36 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release
1.8d) with spool id 143154 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 21 Dec 2000 10:38:36 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BE3A9@listserv.fnal.gov>; Thu, 21 Dec 2000 10:38:36 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5X00D83FKB3P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 21 Dec 2000 10:38:35 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA32530 for ; Thu, 21 Dec 2000 10:38:35 -0600
Date: Thu, 21 Dec 2000 10:38:35 -0600 (CST)
From: Steven Timm
Subject: WRQ documentation
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 729

Is there any documentation about which Ethernet ports the WRQ Reflection software is using to make Kerberos connections and X connections? I am trying to convince the tech support of my ISP to allow these connections through the network address translation but I need a comprehensive summary of all the ports that would be used.

Thanks

Steve

------------------------------------------------------------------
Steven C.
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Dec 21 11:02:29 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15196 for ; Thu, 21 Dec 2000 11:02:29 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5X00D94GO3KU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 21 Dec 2000 11:02:28 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BE3E4@listserv.fnal.gov>; Thu, 21 Dec 2000 11:02:27 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 143218 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 21 Dec 2000 11:02:27 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BE3E3@listserv.fnal.gov>; Thu, 21 Dec 2000 11:02:27 -0600
Received: from CUERVO ([131.225.82.100]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5X00CBJGO2WM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 21 Dec 2000 11:02:27 -0600 (CST)
Date: Thu, 21 Dec 2000 11:02:27 -0600
From: "Mark O. Kaletka"
Subject: RE: WRQ documentation
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 730

Check in \WINNT\SYSTEM32\DRIVERS\ETC\services for what looks Kerberos-related.
WRQ uses the standard Kerberos ports except for admin functions (password changing), where the spec is at least a little fuzzy. Make sure you've grabbed the services file from \\pckits\WRQ to pick up this change.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm
> Sent: Thursday, December 21, 2000 10:39 AM
> To: kerberos-pilot@fnal.gov
> Subject: WRQ documentation
>
>
> Is there any documentation about which Ethernet ports the
> WRQ Reflection software is using to make Kerberos connections and
> X connections? I am trying to convince the tech support of
> my ISP to allow these connections through the network address translation
> but I need a comprehensive summary of all the ports that would be used.
>
> Thanks
>
> Steve
>
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
>

From kreymer@fnal.gov Fri Dec 22 13:24:59 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA28138 for ; Fri, 22 Dec 2000 13:24:59 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5Z00KD2HXMOT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 22 Dec 2000 13:24:59 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BEF8D@listserv.fnal.gov>; Fri, 22 Dec 2000 13:24:59 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146581 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 22 Dec 2000 13:24:59 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT
v1.1b) with SMTP id <0.000BEF8C@listserv.fnal.gov>; Fri, 22 Dec 2000 13:24:59 -0600
Received: from cdfsga.fnal.gov ([131.225.232.108]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5Z00KC2HXMPN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 22 Dec 2000 13:24:58 -0600 (CST)
Received: from localhost (simon@localhost) by cdfsga.fnal.gov (8.9.3/8.9.0) with ESMTP id NAA25575; Fri, 22 Dec 2000 13:25:29 -0600 (CST)
Date: Fri, 22 Dec 2000 13:25:29 -0600
From: "Simone Dell'Agnello"
Subject: secure FTP to/from fcdfsgi2
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: votava@fnal.gov, belforte@ts.infn.it
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: cdfsga.fnal.gov: simon owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 731

Hi,
I find it inconvenient that ftp access to fcdfsgi2 with the cryptocard (like for telnet) is not yet implemented. ftp to fcdfsgi2 is not allowed, while insecure ftp from fcdfsgi2 to remote nodes is allowed and I find this inconsistent with FNAL's concern about general security. I understand that files can be transferred from fcdfsgi2 to remote nodes securely but slowly via scp, which is not part of the strong pilot thing.
Simone

From kreymer@fnal.gov Fri Dec 22 14:22:49 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA28171 for ; Fri, 22 Dec 2000 14:22:49 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5Z00LHWKLO1H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 22 Dec 2000 14:22:37 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BEFDE@listserv.fnal.gov>; Fri, 22 Dec 2000 14:22:37 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146672 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 22 Dec 2000 14:22:37 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BEFDD@listserv.fnal.gov>; Fri, 22 Dec 2000 14:22:37 -0600
Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5Z00KMYKLOGQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 22 Dec 2000 14:22:36 -0600 (CST)
Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id OAA11136; Fri, 22 Dec 2000 14:22:37 -0600 (CST)
Date: Fri, 22 Dec 2000 14:22:37 -0600 (CST)
From: "David J. Fagan"
Subject: Re: secure FTP to/from fcdfsgi2
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Simone Dell'Agnello"
Cc: votava@fnal.gov, belforte@ts.infn.it, kerberos-pilot@fnal.gov
Message-id: <200012222022.OAA11136@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=iso-8859-1
Precedence: normal
In-hurl-to: (Your message of Fri, 22 Dec 2000 13:25:29 CST.)
X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id OAA28171
Status: RO
X-Status:
X-Keywords:
X-UID: 732

I don't know if Matt is still reading mail for the weekend.. The cryptocard FTP access should be available very shortly, last time I peeked in the door, Matt had that confident look in his eyes and said ask me again on Jan 2nd, so I expect this should be a short inconvenience.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Friday, "Simone Dell'Agnello":
> Hi,
> I find it inconvenient that ftp access to fcdfsgi2 with the cryptocard
> (like for telnet) is not yet implemented. ftp to fcdfsgi2 is not allowed,
> while insecure ftp from fcdfsgi2 to remote nodes is allowed and I find
> this inconsistent with FNAL's concern about general security. I understand
> that files can be transferred from fcdfsgi2 to remote nodes securely
> but slowly via scp, which is not part of the strong pilot thing.
>
> Simone

From kreymer@fnal.gov Fri Dec 22 15:17:07 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28190 for ; Fri, 22 Dec 2000 15:17:07 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G5Z00LHQKYT2V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 22 Dec 2000 14:30:30 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BEFE4@listserv.fnal.gov>; Fri, 22 Dec 2000 14:30:30 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146678 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 22 Dec 2000 14:30:30 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BEFE3@listserv.fnal.gov>; Fri, 22 Dec 2000 14:30:30 -0600
Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G5Z00LGMKYTEC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 22 Dec 2000 14:30:29 -0600 (CST)
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA05356; Fri, 22 Dec 2000 14:30:28 -0600
Date: Fri, 22 Dec 2000 14:30:28 -0600
From: Glenn Cooper
Subject: Re: secure FTP to/from fcdfsgi2
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Simone Dell'Agnello"
Cc: kerberos-pilot@fnal.gov, votava@fnal.gov, belforte@ts.infn.it
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 733

Hi Simone,

Thank you for the feedback. I agree that we need ftp access when using a CryptoCard; I believe that is being worked on. (Same for rsh access with a CryptoCard.)
Note that you can use scp (thus not exposing any unencrypted passwords), and at least reduce the overhead to a very small factor, by specifying the "blowfish" encryption scheme rather than the default. Example:

  scp -c blowfish file1.dat mynode.infn.it:file1.dat

Hope this helps,
Glenn

On Fri, 22 Dec 2000, Simone Dell'Agnello wrote:
> Hi,
> I find it inconvenient that ftp access to fcdfsgi2 with the cryptocard
> (like for telnet) is not yet implemented. ftp to fcdfsgi2 is not allowed,
> while insecure ftp from fcdfsgi2 to remote nodes is allowed and I find
> this inconsistent with FNAL's concern about general security. I understand
> that files can be transferred from fcdfsgi2 to remote nodes securely
> but slowly via scp, which is not part of the strong pilot thing.
>
> Simone
>

From kreymer@fnal.gov Mon Dec 25 12:08:54 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA09764 for ; Mon, 25 Dec 2000 12:08:54 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G64003CNYERU3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 25 Dec 2000 12:08:52 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFC97@listserv.fnal.gov>; Mon, 25 Dec 2000 12:08:51 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 150210 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 25 Dec 2000 12:08:51 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFC92@listserv.fnal.gov>; Mon, 25 Dec 2000 12:08:51 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G64003F8YEMCO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 25 Dec 2000 12:08:50 -0600
(CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 25 Dec 2000 12:08:46 -0600
Content-return: allowed
Date: Mon, 25 Dec 2000 12:08:40 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 15670
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611EDAA@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 734

This reminder created on 12/25/00 12:03:30 PM

Ticket 15670 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : RICHARD
Last Name (+) : PARTRIDGE
Phone : 8702
E-Mail Address : PARTRIDGE@HEP.BROWN.EDU
Incident Time : 12/13/00 12:07:44 PM
System Name :
Problem Category : Software
Type : Utilities
Item : Cryptocard
Urgency : Medium
Short Description : Can't use Cryptocard with regular telnet
Problem Description :
When I telnet to d0mino.fnal.gov from my PC with any of several different Telnet programs I get a "login:" prompt. If I type in either "partridge" or "partridge@PILOT.FNAL.GOV", I get a "login incorrect" message. I thought this was how I was supposed to access these machines using a Cryptocard. What am I doing wrong?

Please note that when I am at my normal desktop PC, I use a Kerberos client (Mink) to login and use a Kerberized Telnet (Hummingbird Exceed V7.0). This works fine except for some reason it has recently started prompting me for my Cryptocard response right after I enter my Kerberos password...I just cancel this and get my ticket OK. Thus, I don't always use the Cryptocard for logging in, only when I am not using my desktop computer. However, things seem to behave exactly the opposite of what would be expected (i.e., I get the Cryptocard challenge/response dialog when I try a Kerberos login, instead of when I use regular telnet).

Thanks for your help.
Regards,
Richard Partridge

From kreymer@fnal.gov Mon Dec 25 12:08:54 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA09767 for ; Mon, 25 Dec 2000 12:08:54 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G64003CNYERU3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 25 Dec 2000 12:08:53 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFC98@listserv.fnal.gov>; Mon, 25 Dec 2000 12:08:52 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 150212 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 25 Dec 2000 12:08:52 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFC91@listserv.fnal.gov>; Mon, 25 Dec 2000 12:08:51 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6400579YEFDK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 25 Dec 2000 12:08:50 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 25 Dec 2000 12:08:39 -0600
Content-return: allowed
Date: Mon, 25 Dec 2000 12:08:34 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 15769
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611ED8D@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 735

This reminder created on 12/25/00 12:03:17 PM

Ticket 15769 has been assigned to you. This is a reminder that the ticket is not yet resolved.
Status : Work In Progress
First Name : ALAN
Last Name (+) : JONCKHEERE
Phone : 3158
E-Mail Address : JONCKHEERE@FNAL.GOV
Incident Time : 12/19/00 9:57:20 AM
System Name : D0MINO
Problem Category : Operating System
Type : Unix
Item : Access
Urgency : Medium
Short Description : rsh and Rexec and FTP]
Problem Description :
From: "Alan M Jonckheere"
To: ; "d0-admin"
Subject: [Fwd: Re: rsh and Rexec and FTP]
Date: Tuesday, December 19, 2000 9:57 AM

I believe that rsh on d0mino and the other D0 machines is supposed to "failover" to use the cryptocard if you don't have a kerberos ticket. The same for ftp. Neither do. Only telnet seems to do that failover.

Also, rexec doesn't appear to be kerberos'd. It just fails. It gives the old "Permission denied" message trying to access .netrc (owned by root on our machines), and then connection refused. So it looks like it's shut off and no kerberos version has replaced it.

Alan

-------- Original Message --------
Subject: Re: rsh and Rexec and FTP
Date: Tue, 19 Dec 2000 09:47:51 -0600
From: Alan M Jonckheere
Organization: D0 at Fermilab
To: "Dean Schamberger, SUNY at Stony Brook"
CC: D0 Accounts , fagan@fnal.gov
References: <001219094905.20200180@cusb.physics.sunysb.edu>

rsh has been reenabled, if you have a kerberos ticket. But it doesn't failover to the cryptocard as I think it should.

rexec doesn't appear to be kerberos'd. You'd have to ask the security guys about that one (dcd_security_team@fnal.gov).

When they switched to the kerberos'd ftp they found a major problem, i.e. it didn't work. That is, it too didn't failover to the cryptocard. So Dave re-enabled the old (open) one. Working out bugs that couldn't be tested until the system was closed.

Alan

"Dean Schamberger, SUNY at Stony Brook" wrote:
>
> Hi Alan,
> What is the state of Rsh and Rexec on D0mino? I thought they were going to
> be "re-enabled" on Monday, but it looks like that was not done, right? When
> will it happen? Also, I see that FTP is still OPEN access.
> Is there a
> "schedule" for closing that security hole?
>
> Dean

From kreymer@fnal.gov Mon Dec 25 12:11:03 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA09773 for ; Mon, 25 Dec 2000 12:11:03 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G64004C7YF55X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 25 Dec 2000 12:09:07 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFCCF@listserv.fnal.gov>; Mon, 25 Dec 2000 12:09:06 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 150267 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 25 Dec 2000 12:09:06 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000BFCCB@listserv.fnal.gov>; Mon, 25 Dec 2000 12:09:06 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G64004C2YEX6X@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 25 Dec 2000 12:09:05 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 25 Dec 2000 12:08:57 -0600
Content-return: allowed
Date: Mon, 25 Dec 2000 12:08:45 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 15338
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611EDC9@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 736

This reminder created on 12/25/00 12:03:44 PM

Ticket 15338 has been assigned to you. This is a reminder that the ticket is not yet resolved.
Status : Work In Progress
First Name : CARMENITA
Last Name (+) : MOORE
Phone : 2288
E-Mail Address : CARMENITA@FNAL.GOV
Incident Time : 11/21/00 5:21:39 PM
System Name :
Problem Category : Software
Type : Utilities
Item : Wrq/Reflections
Urgency : Medium
Short Description : authentication error with reflection
Problem Description :
I have modified Reflection Kerberos Manager to have moore as the principal. I've double checked the installation instructions against what I did - still when I authenticate, I get Client Principle not found in kerberos database (KDC006). This is on my win2k laptop.

I read that the system you were on had to have a user name that matched the kerberos principal. Does that apply to win2k systems too? Just in case, I created a "moore" account on my laptop but couldn't authenticate from it either - same message as above.

I was able to kpasswd and change my kerberos password for moore. It couldn't find carmenita which I also find curious as Yolanda created a "carmenita" principal for me also - since that's my mail server name.

help.
-Carmenita-

Matt Crawford wrote:
>
> > When I try to authenticate I get:
> >
> > Client Principle not found in kerberos database (KDC006)
> >
> > I have had the account by yolanda had to reset the password for me -
> > which she did today...
>
> There's no Kerberos principal "carmenita", or even "carmenit", so
> yours must be "moore". (The mail server knows you as both, which I'm
> sure will continue to cause a bit of confusion, but since your Unix
> username seems to be moore, it shouldn't be too bad.) You'll have to
> make sure you have that filled in in the Reflection Kerberos Manager.
>
> I see where you ran into a "password expired" problem on Sep 10, Oct
> 16, Nov 6 and Nov 14 and some other error on Nov 17. Right now I see
> that your password was changed by valadez on Nov 20. Give it a try
> with the new password, would you?
>
> And I have your Cryptocard request in the queue and I'll be working
> on the backlog today.
> Matt

From kreymer@fnal.gov Tue Dec 26 08:54:04 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA17418 for ; Tue, 26 Dec 2000 08:54:03 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6600AIDK22W0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Dec 2000 08:54:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C00F0@listserv.fnal.gov>; Tue, 26 Dec 2000 08:54:02 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 151422 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 26 Dec 2000 08:54:02 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C00EF@listserv.fnal.gov>; Tue, 26 Dec 2000 08:54:02 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G66009M8K21V2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 26 Dec 2000 08:54:01 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA00340; Tue, 26 Dec 2000 08:54:01 -0600 (CST)
Date: Tue, 26 Dec 2000 08:54:01 -0600
From: Matt Crawford
Subject: Re: ksu problem
In-reply-to: "21 Dec 2000 07:47:33 CST." <3A4209F5.3A80222D@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Al Lilianstrom
Cc: kerberos-pilot@fnal.gov
Message-id: <200012261454.IAA00340@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 737

Let me guess. This was on a host named woozle and there is a /etc/hosts file or an NIS database which gives its official (first-listed) hostname as simply woozle rather than woozle.fnal.gov?
That would do it. And then the message

> ksu: Server not found in Kerberos database while geting credentials from kdc

refers to the server named host/woozle@PILOT.FNAL.GOV, which does not exist, though host/woozle.fnal.gov@PILOT.FNAL.GOV does.

I think this may now be the second most common obscure problem, behind system clock errors.

From kreymer@fnal.gov Tue Dec 26 09:40:37 2000 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA21976 for ; Tue, 26 Dec 2000 09:40:36 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G66009PIM67V2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Dec 2000 09:39:44 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C0130@listserv.fnal.gov>; Tue, 26 Dec 2000 09:39:43 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 151490 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 26 Dec 2000 09:39:43 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C012F@listserv.fnal.gov>; Tue, 26 Dec 2000 09:39:43 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6600BIYM67LI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 26 Dec 2000 09:39:43 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA00624; Tue, 26 Dec 2000 09:39:43 -0600 (CST)
Date: Tue, 26 Dec 2000 09:39:42 -0600
From: Matt Crawford
Subject: Re: WRQ documentation
In-reply-to: "21 Dec 2000 10:38:35 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200012261539.JAA00624@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 738 > Is there any documentation about which Ethernet ports the > WRQ Reflection software is using to make Kerberos connections and > X connections? How many ethernet ports does your PC have? I rarely see a Windows box with more than one, although there's no intrinsic reason there can't be more. Your routing table, not WRQ software, determines which wire your packets go out. For a non-routing host the routing table is generally determined by the address and netmask of each interface plus one "default route" entry. > I am trying to convince the tech support of my ISP to allow these > connections through the network address translation but I need a > comprehensive summary of all the ports that would be used. Now this looks as if you're talking about something else entirely. Now do you mean UDP and TCP ports? If your so-called ISP is really doing NAT to you -- meaning translating the IP addresses you put in your packets into some other addresses -- you're fsck'ed. And if in addition they are blocking packets completely which contain certain UDP or TCP port numbers, they aren't providing "internet service" at all, but rather just "web and email" service or something of that sort. Sue their bits off for breach of implied contract. They can perfectly well go back to ARIN for enough addresses to provide you an unNATted service. I can list for you the ports the Kerberos services use, but if they are doing NAT at you, It Won't Help. 
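The hostname canonicalization failure Matt Crawford diagnoses in the "ksu problem" reply above can be checked before ksu is ever run. The following is an added example, not code from the list or from the Fermilab Kerberos product: it parses an /etc/hosts-style table, derives the host principal a Kerberized service on that machine would request, flags an unqualified official name, and shows the reordering that fixes it. The function names, the constructed sample tables (reusing the thread's woozle and PILOT.FNAL.GOV names with a 192.0.2.x documentation address) and the domain fnal.gov are assumptions made for the example.

```python
"""Predict the Kerberos host principal a machine will ask the KDC for.

Kerberized servers such as ksu look up their own key under
host/<official name>@REALM, where <official name> is whatever the
resolver returns first for the host. If /etc/hosts (or an NIS hosts map)
lists the short name first, the service asks for host/woozle@REALM,
which the KDC does not have, instead of host/woozle.fnal.gov@REALM.
Added example, not part of the original mail thread; sample tables are
constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class HostEntry:
    address: str
    official: str                        # first-listed (canonical) name
    aliases: List[str] = field(default_factory=list)

    def names(self) -> List[str]:
        return [self.official] + self.aliases


def parse_hosts(text: str) -> List[HostEntry]:
    """Parse /etc/hosts syntax: address, official name, optional aliases.
    Comments (#) and blank lines are ignored, as the resolver ignores them."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        entries.append(HostEntry(fields[0], fields[1], fields[2:]))
    return entries


def official_name(entries: List[HostEntry], name: str) -> Optional[str]:
    """Mimic gethostbyname(): the first entry matching any listed name wins,
    and its first-listed name is returned as the official hostname."""
    wanted = name.lower()
    for entry in entries:
        if wanted in (n.lower() for n in entry.names()):
            return entry.official
    return None


def expected_host_principal(entries, name, realm) -> Optional[str]:
    """Principal a Kerberized service on `name` will request from the KDC."""
    official = official_name(entries, name)
    return None if official is None else f"host/{official.lower()}@{realm}"


def diagnose(entries, name, realm, domain) -> Tuple[Optional[str], List[str]]:
    """Return (principal, problems). An empty problem list means the host
    will ask for a principal of the form host/<fqdn in domain>@REALM."""
    official = official_name(entries, name)
    if official is None:
        return None, [f"no hosts entry for {name}"]
    principal = f"host/{official.lower()}@{realm}"
    problems = []
    if "." not in official:
        problems.append(
            f"official name '{official}' is unqualified: the service will ask "
            f"for {principal}, but the KDC has "
            f"host/{official.lower()}.{domain.lower()}@{realm}")
    elif not official.lower().endswith("." + domain.lower()):
        problems.append(f"official name '{official}' is not in domain {domain}")
    return principal, problems


def qualify_entries(entries, domain) -> List[HostEntry]:
    """Return a copy of the table in which the fully qualified name is the
    first-listed (official) name of every non-loopback entry. When no
    qualified name is listed, <official>.<domain> is added, which assumes
    the host really lives in that domain."""
    fixed = []
    for entry in entries:
        if entry.official.lower() == "localhost":
            fixed.append(HostEntry(entry.address, entry.official, list(entry.aliases)))
            continue
        names = entry.names()
        fqdn = next((n for n in names if n.lower().endswith("." + domain.lower())), None)
        if fqdn is None:
            fqdn = f"{entry.official}.{domain}"
            names = [fqdn] + names
        fixed.append(HostEntry(entry.address, fqdn, [n for n in names if n != fqdn]))
    return fixed


# Constructed sample tables (192.0.2.0/24 is reserved for documentation).
BAD_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  woozle woozle.fnal.gov     # short name first: breaks ksu
"""
GOOD_HOSTS = """\
127.0.0.1   localhost
192.0.2.10  woozle.fnal.gov woozle     # fully qualified name first
"""

if __name__ == "__main__":
    for label, table in (("bad", BAD_HOSTS), ("good", GOOD_HOSTS)):
        principal, problems = diagnose(parse_hosts(table), "woozle",
                                       "PILOT.FNAL.GOV", "fnal.gov")
        print(f"{label}: {principal} {problems or 'OK'}")
    repaired = qualify_entries(parse_hosts(BAD_HOSTS), "fnal.gov")
    print("repaired:", expected_host_principal(repaired, "woozle", "PILOT.FNAL.GOV"))
```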
From kreymer@fnal.gov Tue Dec 26 13:16:19 2000 -0600
Date: Tue, 26 Dec 2000 13:16:17 -0600
From: Matt Crawford
Subject: Re: 000000000015769 Assigned to CRAWFORD, MATT.
In-reply-to: "19 Dec 2000 16:39:53 CST." <318CC3D38BE0D211BB1200105A093F7611EAE5@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200012261916.NAA01786@gungnir.fnal.gov>

Alan's memory is faulty. There was never a plan to allow a cryptocarded
rsh server, nor any sort of a Kerberos rexec server at all. It was made
clear countless times that cryptocard access for telnet and ftp would be
the full extent of the accommodation for non-Kerberos clients. The
telnet access was delivered a year ago, and ftp will be soon. (And
cryptocard-ssh may be added in the future.)

> Oh *great*! That is definitely *not* what we were told when I went
> through the early "what if" sessions. Off site people need to do a
> *lot* more than just login! In my opinion, rsh and rcp have *got* to
> work in some fashion from a non-kerberos'd system. rexec would also be
> nice, but probably not crucial (rsh can do its job I think).
>
> So, yes, reopen it and send it to Matt Crawford.
>
> Alan
> --------------<
> ReOpened AR ticket. Matt ?
>
> Ticket ReOpened the Previous Solution was
>
> :We have implemented in D0 what has been implemented in the
> Fermilab kerberos product. I don't know of any plans to kerberize
> rexecd. I don't know of any plans to have rsh fail over to cryptocard.
> There are plans to have ftp fail over to the cryptocard but the work
> hasn't been done yet.
>
> Whenever that work has been done and the kerberos product with the
> ftp failover feature is rolled out we will implement it.
>
> If this ticket was meant to ask for those new features, please
> re-open this ticket or open a new ticket and specifically ask that it be
> assigned to the security folks so that they can decide whether or not to
> implement those new features as that is out of the D0 task force's hands.
>
> joe
>
> Problem Description :
> From: "Alan M Jonckheere"
> To: ; "d0-admin"
> Subject: [Fwd: Re: rsh and Rexec and FTP]
> Date: Tuesday, December 19, 2000 9:57 AM
>
> I believe that rsh on d0mino and the other D0 machines is supposed to
> "failover" to use the cryptocard if you don't have a kerberos ticket.
> The same for ftp. Neither do. Only telnet seems to do that failover.
>
> Also, rexec doesn't appear to be kerberos'd. It just fails. Gives the
> old "Permission denied" message trying to access .netrc (owned by root
> on our machines), and then connection refused. So it looks like it's
> shut off and no kerberos version has replaced it.
>
> Alan
>
> -------- Original Message --------
> Subject: Re: rsh and Rexec and FTP
> Date: Tue, 19 Dec 2000 09:47:51 -0600
> From: Alan M Jonckheere
> Organization: D0 at Fermilab
> To: "Dean Schamberger, SUNY at Stony Brook"
> CC: D0 Accounts , fagan@fnal.gov
> References: <001219094905.20200180@cusb.physics.sunysb.edu>
>
> rsh has been reenabled, if you have a kerberos ticket. But it doesn't
> failover to the cryptocard as I think it should. rexec doesn't appear
> to be kerberos'd. You'd have to ask the security guys about that one
> (dcd_security_team@fnal.gov). When they switched to the kerberos'd ftp
> they found a major problem, i.e. it didn't work. That is, it too didn't
> failover to the cryptocard. So Dave re-enabled the old (open) one.
>
> Working out bugs that couldn't be tested until the system was closed.
>
> Alan
>
> "Dean Schamberger, SUNY at Stony Brook" wrote:
> >
> > Hi Alan,
> > What is the state of Rsh and Rexec on D0mino? I thought they were
> > going to be "re-enabled" on Monday, but it looks like that was not
> > done, right? When will it happen? Also, I see that FTP is still OPEN
> > access. Is there a "schedule" for closing that security hole?
> >
> > Dean

From kreymer@fnal.gov Tue Dec 26 13:30:31 2000 -0600
Date: Tue, 26 Dec 2000 13:27:13 -0600
From: Matt Crawford
Subject: Is anyone using a Palm software "cryptocard" on a Palm V ?
To: kerberos-announce@fnal.gov
Message-id: <200012261927.NAA01883@gungnir.fnal.gov>

Pardon the fact that this message is of no concern to most of you, but ...

One user with a Palm V is having endless trouble with his software
cryptocard. Nobody else, as far as I know, is having trouble. Is anyone
else using it on a Palm V? That's just about the last variable left.
From kreymer@fnal.gov Tue Dec 26 13:37:00 2000 -0600
Date: Tue, 26 Dec 2000 13:36:38 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15769 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611EED6@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000015769 has been resolved on 12/26/00 1:34:48 PM

Resolution Timestamp : 12/26/00 1:16:27 PM
Solution Category : Information Request
Problem Category : Operating System
Type : Unix
Item : Access
Short Description : rsh and Rexec and FTP]

Solution :
Per the analyst: "There was never a plan to allow a cryptocarded rsh
server, nor any sort of a Kerberos rexec server at all. It was made
clear countless times that cryptocard access for telnet and ftp would be
the full extent of the accommodation for non-Kerberos clients. The
telnet access was delivered a year ago, and ftp will be soon. (And
cryptocard-ssh may be added in the future.)"

Problem Description :
From: "Alan M Jonckheere"
To: ; "d0-admin"
Subject: [Fwd: Re: rsh and Rexec and FTP]
Date: Tuesday, December 19, 2000 9:57 AM

I believe that rsh on d0mino and the other D0 machines is supposed to
"failover" to use the cryptocard if you don't have a kerberos ticket.
The same for ftp. Neither do. Only telnet seems to do that failover.

Also, rexec doesn't appear to be kerberos'd. It just fails. Gives the
old "Permission denied" message trying to access .netrc (owned by root
on our machines), and then connection refused. So it looks like it's
shut off and no kerberos version has replaced it.

Alan

-------- Original Message --------
Subject: Re: rsh and Rexec and FTP
Date: Tue, 19 Dec 2000 09:47:51 -0600
From: Alan M Jonckheere
Organization: D0 at Fermilab
To: "Dean Schamberger, SUNY at Stony Brook"
CC: D0 Accounts , fagan@fnal.gov
References: <001219094905.20200180@cusb.physics.sunysb.edu>

rsh has been reenabled, if you have a kerberos ticket. But it doesn't
failover to the cryptocard as I think it should. rexec doesn't appear to
be kerberos'd. You'd have to ask the security guys about that one
(dcd_security_team@fnal.gov). When they switched to the kerberos'd ftp
they found a major problem, i.e. it didn't work. That is, it too didn't
failover to the cryptocard. So Dave re-enabled the old (open) one.

Working out bugs that couldn't be tested until the system was closed.

Alan

"Dean Schamberger, SUNY at Stony Brook" wrote:
>
> Hi Alan,
> What is the state of Rsh and Rexec on D0mino? I thought they were
> going to be "re-enabled" on Monday, but it looks like that was not
> done, right? When will it happen? Also, I see that FTP is still OPEN
> access. Is there a "schedule" for closing that security hole?
>
> Dean

From kreymer@fnal.gov Tue Dec 26 21:14:39 2000 -0600
Date: Tue, 26 Dec 2000 21:14:25 -0600
From: Maarten Litmaath
Subject: [Fwd: ssh is basically not allowed in the secure realm.]
To: ols-users@fndaub.fnal.gov
Message-id: <3A495E91.F4B5BDC9@fnal.gov>

FYI.
Date: Tue, 26 Dec 2000 21:03:11 -0600 (CST)
From: "petravick@FNAL.GOV"
Subject: ssh is basically not allowed in the secure realm.
To: enstore@fnal.gov
Reply-to: petravick@fnal.gov

per a conversation with Matt Crawford. That is to say you can use ssh
with kerberos authentication. You cannot use the RSA encryption.

There is a tool called dsniff which is used to implement man-in-the-middle
attacks against ssh. Below is a snippet of a web page from
http://www.monkey.org/~dugsong/dsniff/faq.html which has more information.

------------------------------------------

3.4. How do I sniff / hijack HTTPS / SSH connections?

Although HTTPS and SSH are encrypted, they both rely on weakly bound
public key certificates to identify servers and to establish security
contexts for symmetric encryption. As the vast majority of users fail to
comprehend the obtuse digital trust management PKI presents (e.g. is an
X.509v3 DN really meaningful to you?), a simple monkey-in-the-middle
attack works quite well in practice.

Client traffic to a target server may be intercepted using dnsspoof and
relayed to its intended destination using the sshmitm and webmitm
proxies (which also happen to grep passwords in transit). For example,
to sniff Hotmail webmail passwords, create a dnsspoof hosts file such as:

    1.2.3.4 *.passport.com
    1.2.3.4 *.hotmail.com

where 1.2.3.4 is the IP address of your attacking machine. Local clients
attempting to connect to Hotmail will be sent to your machine instead,
where webmitm will present them with a self-signed certificate (with the
appropriate X.509v3 distinguished name), and relay their sniffed traffic
to the real Hotmail site.

sshmitm is perhaps most effective at conference terminal rooms or
webcafes as most travelling SSH users don't carry their server's key
fingerprint around with them (only presented by the OpenSSH client,
anyhow). Even sophisticated SSH users who insist on one-time passwords
(e.g. S/Key), RSA authentication, etc. are still at risk, as sshmitm
supports monitoring and hijacking of interactive sessions with its -I
flag.
From kreymer@fnal.gov Wed Dec 27 06:56:53 2000 -0600
Date: Wed, 27 Dec 2000 06:56:53 -0600
From: Chuck DeBaun
Subject: FW: ssh is basically not allowed in the secure realm.
To: cdfcode@fnal.gov
Reply-to: debaun@fnal.gov

FYI. This was actually email from Don Petravick.

Chuck

-----Original Message-----
From: owner-enstore@listserv.fnal.gov
[mailto:owner-enstore@listserv.fnal.gov]On Behalf Of petravick@FNAL.GOV
Sent: Tuesday, December 26, 2000 9:03 PM
To: enstore@fnal.gov
Subject: ssh is basically not allowed in the secure realm.

per a conversation with Matt Crawford. That is to say you can use ssh
with kerberos authentication. You cannot use the RSA encryption.

There is a tool called dsniff which is used to implement man-in-the-middle
attacks against ssh. Below is a snippet of a web page from
http://www.monkey.org/~dugsong/dsniff/faq.html which has more information.

------------------------------------------

3.4. How do I sniff / hijack HTTPS / SSH connections?

Although HTTPS and SSH are encrypted, they both rely on weakly bound
public key certificates to identify servers and to establish security
contexts for symmetric encryption. As the vast majority of users fail to
comprehend the obtuse digital trust management PKI presents (e.g. is an
X.509v3 DN really meaningful to you?), a simple monkey-in-the-middle
attack works quite well in practice.

Client traffic to a target server may be intercepted using dnsspoof and
relayed to its intended destination using the sshmitm and webmitm
proxies (which also happen to grep passwords in transit). For example,
to sniff Hotmail webmail passwords, create a dnsspoof hosts file such as:

    1.2.3.4 *.passport.com
    1.2.3.4 *.hotmail.com

where 1.2.3.4 is the IP address of your attacking machine. Local clients
attempting to connect to Hotmail will be sent to your machine instead,
where webmitm will present them with a self-signed certificate (with the
appropriate X.509v3 distinguished name), and relay their sniffed traffic
to the real Hotmail site.

sshmitm is perhaps most effective at conference terminal rooms or
webcafes as most travelling SSH users don't carry their server's key
fingerprint around with them (only presented by the OpenSSH client,
anyhow). Even sophisticated SSH users who insist on one-time passwords
(e.g. S/Key), RSA authentication, etc. are still at risk, as sshmitm
supports monitoring and hijacking of interactive sessions with its -I
flag.

From kreymer@fnal.gov Wed Dec 27 09:00:07 2000 -0600
Date: Wed, 27 Dec 2000 08:32:01 -0600 (CST)
From: Art Kreymer
Subject: Re: [Fwd: ssh is basically not allowed in the secure realm.]
In-reply-to: <3A495E91.F4B5BDC9@fnal.gov>
To: Maarten Litmaath
Cc: ols-users@fndaub.fnal.gov, cdfcode@fnal.gov, enstore@fnal.gov, crawdad@fnal.gov

I think that you have misunderstood. CryptoCard sessions, which
certainly are allowed in the secure realm, are not encrypted at all.
They are pure, ordinary, old fashioned telnet.
Is ssh less secure than telnet ? I think not.

I have also heard no reports of actual real life SSH session hijacking.

Do you have any reason to trust www.monkey.org ?
See http://www.monkey.org/FAQ/

From kreymer@fnal.gov Wed Dec 27 09:35:53 2000 -0600
Date: Wed, 27 Dec 2000 09:35:45 -0600 (CST)
From: Charles G Waldman
Subject: Re: [Fwd: ssh is basically not allowed in the secure realm.]
To: Art Kreymer
Cc: Maarten Litmaath, ols-users@fndaub.fnal.gov, cdfcode@fnal.gov, enstore@fnal.gov, crawdad@fnal.gov
Message-id: <14922.3153.902804.846504@buffalo.fnal.gov>
References: <3A495E91.F4B5BDC9@fnal.gov>

Art Kreymer writes:
> Do you have any reason to trust www.monkey.org ?
> See
> http://www.monkey.org/FAQ/

Forget about monkey.org. This subject (under the rubric "The End of
SSH") has been getting a lot of discussion on Slashdot lately and this
might be a better source of info than monkey.org.
There's a lot of discussion and links at:

http://slashdot.org/articles/00/12/25/1633254.shtml

which is probably worthwhile reading for anybody interested in this topic.

From kreymer@fnal.gov Wed Dec 27 10:44:32 2000 -0600
Date: Wed, 27 Dec 2000 10:44:24 -0600
From: Matt Crawford
Subject: Re: [Fwd: ssh is basically not allowed in the secure realm.]
In-reply-to: "27 Dec 2000 08:32:01 CST."
To: Art Kreymer
Cc: Maarten Litmaath, ols-users@fndaub.fnal.gov, cdfcode@fnal.gov, enstore@fnal.gov
Message-id: <200012271644.KAA07137@gungnir.fnal.gov>

I've pored over the Slashdot, O'Reilly and Monkey sites, and CIAC's
reactions as well, and I have found *not a single message* on this
subject which doesn't include at least some wrong information.

Yes, I've seen live interception of encrypted SSH connections. I've
seen the side-effects of dsniff's arp redirection. But this man-in-
the-middle attack, which was formerly a bit on the theoretical side but
is now in the hands of the script-kiddies, is not the reason we passed
over SSH in favor of Kerberos authentication, although some of the same
reasons we chose Kerberos are factors which make this attack a credible
threat.

And no one can say that ssh is "more secure" or "less secure" than
telnet without qualifying both ssh and telnet with the security and
authentication options employed on the connection.

Finally, let me offer as further anecdotal fuel on the fire, the fact
that the original creator of SSH is advocating the use of Kerberos
instead of public-key methods to establish trust and privacy between
endpoints. (See ftp://ftp.ietf.org/draft-ietf-kink-ike-over-kkmp-00.txt)

From kreymer@fnal.gov Wed Dec 27 11:00:52 2000 -0600
Date: Wed, 27 Dec 2000 11:00:45 -0600
From: Matt Crawford
Subject: correction
To: enstore@fnal.gov, cdfcode@fnal.gov, litmaath@fnal.gov, kreymer@fnal.gov, ols-users@fndaub.fnal.gov
Message-id: <200012271700.LAA07284@gungnir.fnal.gov>

> Should be
> ftp://ftp.ietf.org/internet-drafts/draft-ietf-kink-ike-over-kkmp-00.txt

Oops, yeah. Thanks. Like I said, not a single message without some
wrong information.
:-/

From kreymer@fnal.gov Wed Dec 27 11:02:06 2000 -0600
Date: Wed, 27 Dec 2000 11:02:03 -0600
From: Rich Wellner
Subject: Re: [Fwd: ssh is basically not allowed in the secure realm.]
In-reply-to: Matt Crawford's message of "Wed, 27 Dec 2000 10:44:24 -0600"
To: Matt Crawford
Cc: Art Kreymer, Maarten Litmaath, ols-users@fndaub.fnal.gov, cdfcode@fnal.gov, enstore@fnal.gov
Organization: Fermilab (the coolest place on earth)
References: <200012271644.KAA07137@gungnir.fnal.gov>

Matt Crawford writes:

> And no one can say that ssh is "more secure" or "less secure" than
> telnet without qualifying both ssh and telnet with the security and
> authentication options employed on the connection.

I think this is a misleading statement. It takes super-human effort to
secure telnet to the point where ssh (even better ssh2) is out of the
box. At Fermilab the strong authentication of the session ends at the
authentication. Leaving, I'm still convinced significantly, the
unencrypted session which requires the user to be quite on their toes
when typing passwords.

So, of course one must be more specific. It is wrong to imply that the
world is a vast landscape in which all things are equal though modulo
specifics. Telnet *is* less secure than ssh.

> Finally, let me offer as further anecdotal fuel on the fire, the fact
> that the original creator of SSH is advocating the use of Kerberos
> instead of public-key methods to establish trust and privacy between
> endpoints. (See ftp://ftp.ietf.org/draft-ietf-kink-ike-over-kkmp-00.txt)

The correct link is
ftp://ftp.ietf.org/internet-drafts/draft-ietf-kink-ike-over-kkmp-00.txt

But does he really *advocate* its use, or are they just formally
specifying how to use a session encryption protocol within an already
existing security framework because ssh isn't the only solution at many
facilities? It's a fine point I guess.

rw2

--
Keep Manhattan, just give me that countryside -Vic Mizzy

From kreymer@fnal.gov Wed Dec 27 13:21:43 2000 -0600
Date: Wed, 27 Dec 2000 13:21:42 -0600
From: Matt Crawford
Subject: Re: [Fwd: ssh is basically not allowed in the secure realm.]
In-reply-to: "27 Dec 2000 11:02:03 CST."
To: Rich Wellner
Cc: Art Kreymer, Maarten Litmaath, ols-users@fndaub.fnal.gov, cdfcode@fnal.gov, enstore@fnal.gov
Message-id: <200012271921.NAA09247@gungnir.fnal.gov>

> > And no one can say that ssh is "more secure" or "less secure" than
> > telnet without qualifying both ssh and telnet with the security and
> > authentication options employed on the connection.
>
> I think this is a misleading statement.
It takes super-human effort > to secure telnet to the point where ssh (even better ssh2) is out of > the box. -x There. That was the superhuman effort. "telnet -x hostname" gives you an encrypted connection, with the client user and server host mutually authenticated. Well, you have to deploy Kerberos (or one of the other authentication mechanisms which telnet can use) first. But you're positing the effort expenditure for some software deployment. And ssh literally "out of the box" gives you no authentication of the server at all, which leaves you wide open to all these MITM attacks that touched off the thread. To close that barn door you have to do the PK analogue of registering the users & systems in the KDC. Once you do the work on each side, where does the operational security lie? With Kerberos, it's in the integrity of the KDC. With ssh a lot of the responsibility rests with the end user. They are permitted to ignore a mismatched server public key or to store their private key under a weak passphrase or none at all! It's true that using cryptcards for access gives you a session that is in the clear, but consider three things: 1. We're providing an access mechanism for a user who has no special software at hand, 2. Since you have Kerberos credentials upon login, your need to type a password during your session is greatly reduced, and 3. An ssh server that accepts a cryptocard response is in the works. > ftp://ftp.ietf.org/internet-drafts/draft-ietf-kink-ike-over-kkmp-00.txt > > But does he really *advocate* it's use, or are they just formally > specifying how to use a session encryption protocol within an already > existing security framework because ssh isn't the only solution at > many facilities? It's a fine point I guess. 
The combination of decades of failure by public-key methods to deliver some of their theoretical advantages in real-world operational environments and the erosion of some of those advantages due to advances in computing are rekindling interest in symmetric cryptography. This goes far beyond Kerberos vs. ssh. From kreymer@fnal.gov Wed Dec 27 14:58:49 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09916 for ; Wed, 27 Dec 2000 14:58:49 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G680076HVM1WD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 27 Dec 2000 14:58:49 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C0D0A@listserv.fnal.gov>; Wed, 27 Dec 2000 14:58:49 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 154789 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 27 Dec 2000 14:58:49 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C0D09@listserv.fnal.gov>; Wed, 27 Dec 2000 14:58:49 -0600 Received: from hycppc05.fnal.gov ([131.225.53.254]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G680085AVM0AM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 27 Dec 2000 14:58:48 -0600 (CST) Received: from localhost (chenyc@localhost) by hycppc05.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20046; Wed, 27 Dec 2000 14:58:44 -0600 Date: Wed, 27 Dec 2000 14:58:44 -0600 (EST) From: Yen-Chu Chen Subject: Re: A question about Farms In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: hycppc05.fnal.gov: chenyc 
owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 750 Dear Todd, Sorry for the very late reply! I went back to Taiwan for personal issue and was out of contact for one month. Maybe Matt or someone had answered your question but here is what we do on the CDF production farm. On the production farm, we use FBSNG, a batch system developped by the FNAL CD to submit jobs to the worker nodes. For each process a ticket is created. If one needs to transfer files after the submition, the ticket must be renewed periodically. (The ticket must be created as renewable.) We are still in progress of kerberizing the production farm. We can keep you posted as we make more progress. On Tue, 28 Nov 2000, Todd Huffman (CDF/ATLAS) wrote: > Hi, > > I'm going to be setting up a farm of Intel based PC's > which will run Linux mainly as a MonteCarlo engine for > CDF analysis work. This farm will be located in the UK. > I'm wondering whether or not it would make sense to > try to put this into the strengthened realm. > > I'm really confused though as to how Kerberos could > possibly work with a farm of PC's, since each PC has > it's own IP address within the LAN it seems to me > that the whole ticketing system of Kerberos would > just not work with a farm. > > Is there a work-around? > > I'm at the information gathering stage at the moment > so any place you could point me to help me understand > the problems would be great. > > Thanks, > Todd > > ************************************************* > ~ Dr. B. 
Todd Huffman ~ > ~ Particle and Nuclear Physics ~ > ~ University of Oxford ~ > ~ Rm 631 ~ > ~ Keble Rd ~ > ~ Oxford OX1 3RH UK ~ > ~ ~ > ~ Phone: 44 - 1865 - 273402 ~ > ~ LMH: 44 - 1865 - 274307 ~ > ~ FAX: 44 - 1865 - 273418 ~ > ~ Home: 44 - 1865 - 450240 ~ > ~ URL of my home page: ~ > ~ http://www-pnp.physics.ox.ac.uk/~huffman/ > ************************************************* > Best regards, Yen-Chu Chen chenyc@fnal.gov Office: (630) 840-3225, FAX: (630) 840-3867 (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica) From kreymer@fnal.gov Wed Dec 27 15:00:27 2000 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA09922 for ; Wed, 27 Dec 2000 15:00:27 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G680077PVOHKY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 27 Dec 2000 15:00:17 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C0D0E@listserv.fnal.gov>; Wed, 27 Dec 2000 15:00:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 154793 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 27 Dec 2000 15:00:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C0D0D@listserv.fnal.gov>; Wed, 27 Dec 2000 15:00:17 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G68007A8VOHFQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 27 Dec 2000 15:00:17 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA09704; Wed, 27 Dec 2000 15:00:16 -0600 (CST) Date: Wed, 27 Dec 2000 15:00:16 -0600 From: Matt Crawford Subject: another common problem and its solution Sender: 
owner-kerberos-pilot@listserv.fnal.gov To: helpdesk@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: <200012272100.PAA09704@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 751 There's a defect in the Palm Pilot "software cryptocard" which is causing intermittent problems for some users. Because of the font used to display the response and the space allotted to it on the screen, sometimes the last character gets clipped, making a "0" look like a "C" or a "B" look like an "E". This leads the user to enter a wrong response and the same challenge is repeated. Example: IRIX (fcdfsgi2) (ttyq9) Portal login: jruser Press ENTER and compare this challenge to the one on your display: [52158272] Enter the displayed response: 650da28c Press ENTER and compare this challenge to the one on your display: [52158272] Enter the displayed response: 650DA28C Press ENTER and compare this challenge to the one on your display: [52158272] Enter the displayed response: 650da280 <-- intuitively guessing the C should be a 0 gives success This has been reported to the vendor. (In the first version of the Palm software we got, it was worse. Now it "only" clips when the response contains a preponderance of wide characters.) 
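As an added example (not code from the thread or from the cryptocard vendor), a small help-desk check for the symptom Matt describes: it parses a portal-login transcript like the one above, notices that the same challenge keeps coming back, and lists the un-clipped responses to try next. The glyph map holds only the pairs named in the thread, and the sample transcript is constructed from Matt's example.

```python
"""Help-desk check for the "same challenge repeated" symptom.

Added example, not code from the thread or the vendor.  The Palm software
clips the last hex glyph of the response, so a "0" can be read as "C" and
an "8" or "B" as "E".  Given a portal-login transcript, the checker spots
the repeated challenge, flags a last response whose final glyph is one of
the clip-prone ones, and lists the un-clipped responses to try next.
"""
import re
from typing import Dict, List

# What the clipped glyph looks like -> what it may really be.
# Only the pairs named in the thread; any other last glyph is left alone.
CLIPPED_GLYPH: Dict[str, List[str]] = {"C": ["0"], "E": ["8", "B"]}

HEX8 = re.compile(r"[0-9A-F]{8}")
CHALLENGE_RE = re.compile(
    r"compare this challenge to the one on your display:\s*\[([0-9A-Fa-f]{8})\]"
)
RESPONSE_RE = re.compile(r"Enter the displayed response:\s*([0-9A-Fa-f]{8})")


def candidate_responses(typed: str) -> List[str]:
    """Responses to try if `typed` was rejected, assuming only the last
    glyph was misread.  Returns [] when the last glyph is not clip-prone."""
    typed = typed.strip().upper()
    if not HEX8.fullmatch(typed):
        raise ValueError(f"response must be 8 hex digits, got {typed!r}")
    return [typed[:-1] + real for real in CLIPPED_GLYPH.get(typed[-1], [])]


def analyze_transcript(transcript: str) -> dict:
    """Summarise a portal-login transcript for the help desk."""
    challenges = [c.upper() for c in CHALLENGE_RE.findall(transcript)]
    responses = [r.upper() for r in RESPONSE_RE.findall(transcript)]
    # The clipping symptom: the portal re-issues the identical challenge
    # after every rejected response.
    repeated = len(challenges) > 1 and len(set(challenges)) == 1
    last = responses[-1] if responses else None
    try_next = candidate_responses(last) if (repeated and last) else []
    return {
        "challenge": challenges[-1] if challenges else None,
        "attempts": len(responses),
        "repeated_challenge": repeated,
        "suspect_clipping": bool(try_next),
        "try_next": try_next,
    }


# Constructed transcript: the two failed attempts from Matt's example,
# captured before the user guessed the trailing "0".
SAMPLE_TRANSCRIPT = """\
IRIX (fcdfsgi2) (ttyq9)
Portal login: jruser
Press ENTER and compare this challenge to the one on your display: [52158272]
Enter the displayed response: 650da28c
Press ENTER and compare this challenge to the one on your display: [52158272]
Enter the displayed response: 650DA28C
Press ENTER and compare this challenge to the one on your display: [52158272]
"""

if __name__ == "__main__":
    print(analyze_transcript(SAMPLE_TRANSCRIPT))
    print(candidate_responses("282398AC"))  # the ticket 15940 case
```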
From kreymer@fnal.gov Wed Dec 27 15:13:57 2000 -0600
Date: Wed, 27 Dec 2000 15:13:21 -0600 (EST)
From: Yen-Chu Chen
Subject: strange problem using cryptocard
To: kerberos-pilot@fnal.gov

Hi,

Using cryptocard I tried to login to fcdfsgi2 from home using the IP
address automatically assigned by my ISP. I successfully got through
the login procedure but the final prompt never showed up. I had to
close the connection eventually!

The funniest thing is that I tried to do the same thing from Taiwan
using my brother's ISP and I was successful. It seems somehow something
is strange with my local ISP but I have no idea what to tell them to
check. Or what should I do to work around?

Best regards,

Yen-Chu Chen
chenyc@fnal.gov
Office: (630) 840-3225, FAX: (630) 840-3867
(886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Thu Dec 28 05:58:54 2000 -0600
Date: Thu, 28 Dec 2000 05:59:30 -0600
From: "Simone Dell'Agnello"
Subject: Re: secure FTP to/from fcdfsgi2
In-reply-to: <200012222022.OAA11136@large.fnal.gov>
To: "David J. Fagan"
Cc: votava@fnal.gov, belforte@ts.infn.it, kerberos-pilot@fnal.gov

OK.

Simone

On Fri, 22 Dec 2000, David J. Fagan wrote:

> I don't know if Matt is still reading mail for the weekend..
>
> The cryptocard FTP access should be available very shortly, last time
> I peeked in the door, Matt had that confident look in his eyes and said
> ask me again on Jan 2nd, so I expect this should be a short inconvenience.
>
> -------------------------------------------------------------------------------
> David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
> SGI-liaison | Liaison Requests use SGI-liaison@fnal
> Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
> -------------------------------------------------------------------------------
> On Friday,
> "Simone Dell'Agnello":
>
> > Hi,
> > I find it inconvenient that ftp access to fcdfsgi2 with the cryptocard
> > (like for telnet) is not yet implemented. ftp to fcdfsgi2 is not allowed,
> > while insecure ftp from fcdfsgi2 to remote nodes is allowed and I find
> > this inconsistent with FNAL's concern about general security. I understand
> > that files can be transferred from fcdfsgi2 to remote nodes securely
> > but slowly via scp, which is not part of the strong pilot thing.
> >
> > Simone

From kreymer@fnal.gov Thu Dec 28 05:59:42 2000 -0600
Date: Thu, 28 Dec 2000 06:00:17 -0600
From: "Simone Dell'Agnello"
Subject: Re: secure FTP to/from fcdfsgi2
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov, votava@fnal.gov, belforte@ts.infn.it

Thanks.

On Fri, 22 Dec 2000, Glenn Cooper wrote:

> Hi Simone,
>
> Thank you for the feedback. I agree that we need ftp access when
> using a CryptoCard; I believe that is being worked on. (Same for rsh
> access with a CryptoCard.)
>
> Note that you can use scp (thus not exposing any unencrypted
> passwords), and at least reduce the overhead to a very small factor,
> by specifying the "blowfish" encryption scheme rather than the
> default. Example:
>
>     scp -c blowfish file1.dat mynode.infn.it:file1.dat
>
> Hope this helps,
> Glenn
>
>
> On Fri, 22 Dec 2000, Simone Dell'Agnello wrote:
>
> > Hi,
> > I find it inconvenient that ftp access to fcdfsgi2 with the cryptocard
> > (like for telnet) is not yet implemented. ftp to fcdfsgi2 is not allowed,
> > while insecure ftp from fcdfsgi2 to remote nodes is allowed and I find
> > this inconsistent with FNAL's concern about general security. I understand
> > that files can be transferred from fcdfsgi2 to remote nodes securely
> > but slowly via scp, which is not part of the strong pilot thing.
> >
> > Simone

From kreymer@fnal.gov Tue Jan 2 14:40:59 2001 -0600
Date: Tue, 02 Jan 2001 14:40:56 -0600
From: ARSystem
Subject: 000000000015940 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F28C@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000015940 has been assigned to
you. It is a(n) Medium priority Software/Utilities /Cryptocard type of
problem.

Short description: Receiving same challenge

Badge # (+)     : 03462V
First Name      : NIKOS
Last Name (+)   : VARELAS
Phone           : 5404
E-Mail Address  : NIKOS@FNAL.GOV
Incident Time   : 1/2/01 1:30:55 PM
System Name     : D0MINO
Urgency         : Medium
Public Work Log :

Problem Description :
Nikos was successful earlier this morning using his Palm Pilot with
cryptocard software to connect from off-site to d0mino. Subsequent
attempts to login are now failing. For some reason, Nikos keeps
receiving the same challenge over and over again. The challenge
displayed is 64190234 and the response is 282398AC. Since Nikos has his
email forwarded to d0mino and is unable to access the system, he may be
reached via telephone at 630.247.0345 with any questions. Thank you.
From kreymer@fnal.gov Tue Jan 2 14:44:47 2001 -0600
Date: Tue, 02 Jan 2001 14:44:46 -0600
From: Matt Crawford
Subject: Re: 000000000015940 Assigned to CRAWFORD, MATT.
In-reply-to: "02 Jan 2001 14:40:56 CST." <318CC3D38BE0D211BB1200105A093F7611F28C@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200101022044.OAA12139@gungnir.fnal.gov>

> challenge displayed is 64190234 and the response is 282398AC.

Perhaps the response is really 282398A0 (ending with zero, not
C-for-Charlie) and the font on his pilot is just a wee bit too wide.
We're getting lots of complaints about that sort of thing. The vendor
has been contacted about it.

Another character-clipping problem to watch for is 8 or B looking like
an E.

From kreymer@fnal.gov Tue Jan 2 15:01:50 2001 -0600
Date: Tue, 02 Jan 2001 15:01:43 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15940 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F2A9@csdserver2.fnal.gov>

15940 has been updated by blomberg.

Short Description : Receiving same challenge

New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem"
Cc:
Subject: Re: 000000000015940 Assigned to CRAWFORD, MATT.
Date: Tuesday, January 02, 2001 2:44 PM

> challenge displayed is 64190234 and the response is 282398AC.

Perhaps the response is really 282398A0 (ending with zero, not
C-for-Charlie) and the font on his pilot is just a wee bit too wide.
We're getting lots of complaints about that sort of thing. The vendor
has been contacted about it.

Another character-clipping problem to watch for is 8 or B looking like
an E.

From kreymer@fnal.gov Tue Jan 2 15:01:52 2001 -0600
Date: Tue, 02 Jan 2001 15:01:43 -0600
From: ARSystem
Subject: Note to requester has been sent - 000000000015940
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F2AB@csdserver2.fnal.gov>

The following note has been sent to the requester: VARELAS, NIKOS

Short Description : Receiving same challenge

Notes to Requester :
Per the expert:

Perhaps the response is really 282398A0 (ending with zero, not
C-for-Charlie) and the font on his pilot is just a wee bit too wide.
We're getting lots of complaints about that sort of thing. The vendor
has been contacted about it.

Another character-clipping problem to watch for is 8 or B looking like
an E.

From kreymer@fnal.gov Tue Jan 2 17:01:17 2001 -0600
Date: Tue, 02 Jan 2001 17:01:15 -0600
From: Matt Crawford
Subject: kerberos v1_0 and krb5conf v1_0 in kits
To: kerberos-pilot@fnal.gov
Message-id: <200101022301.RAA14486@gungnir.fnal.gov>

Fermi Kerberos v1_0 is in kits as "test". I don't encourage anyone to
install it just yet as it has only been tried on one system by one
user. But you're free to try it on your desktop system if you wish.

IMPORTANT NOTE: there's also a new version of the krb5conf product,
which is "current" in kits, and it gives you a new /etc/krb5.conf file
which doesn't turn on ticket forwarding by default. This is in response
to many concerns about the potential for forwarding one's credentials
to an untrustworthy machine. Under this configuration, kinit will
continue to obtain forwardable tickets by default (use "kinit -F" to
get unforwardable tickets), but telnet, rlogin, rsh and ftp will not
forward them unless you request forwarding with the "-f" or "-F" flag,
as appropriate.

Primary new feature in v1_0: "portal mode" ftp. This allows ftp
authentication with a Cryptocard in lieu of a password, as has been
available for telnet logins since v0_4.

Also added in v1_0: ftpd will accept forwarded credentials and run
aklog if so directed by /etc/krb5.conf. The "-n" flag to ftpd will
prevent the automatic sending of the username, but will still do the
Kerberos authentication step. This should, at long last, make the emacs
efs package (the successor to ange-ftp) happy.

Some command line flags which were previously not documented now are.
From kreymer@fnal.gov Wed Jan 3 09:37:02 2001 -0600
Date: Wed, 03 Jan 2001 16:37:19 +0100
From: Stefano Belforte
Subject: can't install kerberos
To: kerberos-pilot@fnal.gov
Message-id: <3A53472F.B0290FD3@ts.infn.it>

I ran into yet another odd thing when installing kerberos.

I first install the fermilab kerberos v0_6 product from kits using upd.

Then, on a Solaris 5.7 machine I log in as root and type:

    >source ~products/etc/setups.csh
    >ups install-keep-ssh kerberos v0_6

And I get the following error message:

    You must be able to write into the product directory to perform this action.
    sh: cannot return when not in function
    ERROR: Error in call to system: error from subprocess

It appears that the install script wants to write into ~products and
can not. The last makes sense to me since it is an NFS mounted disk
belonging to a different user and I have already experimented that root
can not override protections on remote disks.
But.... can't I install kerberos without bugging the ~products
installation?

Please, help.
Thanks
Stefano

And, please, also remember that I still have two machines where the
kerberos portal mode allows any user to login with no password, and am
anxiously waiting for a solution.

Stefano
--
Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Wed Jan 3 10:47:33 2001 -0600
Date: Wed, 03 Jan 2001 10:47:46 -0600
From: Glenn Cooper
Subject: Re: can't install kerberos
In-reply-to: <3A53472F.B0290FD3@ts.infn.it>
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

Hi Stefano,

I haven't seen the sh error before, so I don't know exactly what causes
it. But I think you can get around it by commenting out the line:

    FileTest(${UPS_PROD_DIR}/${KRB_REL_SRC}, -w, "You must be able to write into the product directory to perform this action.")

in the table file (v0_6.table in your UPS db area). Note that this line
is already commented out in the v0_7 table file.

I don't have any good ideas as to what is causing the password-less
access on your machines. Maybe Matt or others will know more.

Cheers,
Glenn

On Wed, 3 Jan 2001, Stefano Belforte wrote:

> I ran into yet another odd thing when installing kerberos.
>
> I first install the fermilab kerberos v0_6 product from
> kits using upd.
>
> Then, on a Solaris 5.7 machine I log in as root and type:
>
> >source ~products/etc/setups.csh
> >ups install-keep-ssh kerberos v0_6
>
> And I get the following error message:
>
> You must be able to write into the product directory to perform this
> action.
> sh: cannot return when not in function
> ERROR: Error in call to system: error from subprocess
>
> It appears that the install script wants to write into ~products
> and can not. The last makes sense to me since it is an NFS mounted
> disk belonging to a different user and I have already experimented
> that root can not override protections on remote disks.
> But.... can't I install kerberos without bugging the ~products
> installation?
>
> Please, help.
> Thanks
> Stefano
>
> And, please, also remember that I still have two machines where
> the kerberos portal mode allows any user to login with no password,
> and am anxiously waiting for a solution.
>
> Stefano
>
> --
> Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
> Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
> 34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte
>

From kreymer@fnal.gov Wed Jan 3 11:13:31 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA25606 for ; Wed, 3 Jan 2001 11:13:31 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00A50JUIWX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 03 Jan 2001 11:13:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C3DA2@listserv.fnal.gov>; Wed, 03 Jan 2001 11:13:31 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 168662 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 Jan 2001 11:13:31 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C3DA1@listserv.fnal.gov>; Wed, 03 Jan 2001 11:13:31 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00B4BJUI2W@smtp.fnal.gov> for
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 03 Jan 2001 11:13:30 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA19571; Wed, 03 Jan 2001 11:13:30 -0600 (CST) Date: Wed, 03 Jan 2001 11:13:30 -0600 From: Matt Crawford Subject: Re: can't install kerberos In-reply-to: "03 Jan 2001 10:47:46 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov Cc: Stefano Belforte , kerberos-pilot@fnal.gov Message-id: <200101031713.LAA19571@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 762 In the products area of my system, the v0_6 (and all later versions of) kerberos.table file already has the offending test ### FileTest(${UPS_PROD_DIR}/${KRB_REL_SRC}, -w, "You must be able to write into the product directory to perform this action.") commented out with "###". I can't think why it would not be so on your copy. As for your telnet problem, I can't think of any way to begin to diagnose it without access to the system(s) exhibiting the problem. I tried connecting as illustrated in your first message, but I get "Connection refused". Write to me privately if you want to provide access or further clarifying information. 
From kreymer@fnal.gov Wed Jan 3 12:45:55 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA25989 for ; Wed, 3 Jan 2001 12:45:54 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00BLOO4H0H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 03 Jan 2001 12:45:54 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C3EAE@listserv.fnal.gov>; Wed, 03 Jan 2001 12:45:53 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 168968 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 Jan 2001 12:45:53 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C3EAD@listserv.fnal.gov>; Wed, 03 Jan 2001 12:45:53 -0600
Received: from smtp6.libero.it ([193.70.192.127]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00AMCO4GNP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 03 Jan 2001 12:45:53 -0600 (CST)
Received: from ts.infn.it (151.15.165.236) by smtp6.libero.it (5.5.015.5) id 3A4B110A00633BCE; Wed, 03 Jan 2001 19:45:36 +0100
Date: Wed, 03 Jan 2001 19:46:10 +0100
From: Stefano Belforte
Subject: Re: can't install kerberos
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: gcooper@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <3A537372.B4FCBF1B@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (Win98; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200101031713.LAA19571@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 763

I do not know why that line was not commented in my v0_6 either, maybe I upd'ed too long ago. Anyhow I upd'ed v0_7 and it went fine.

This time I have no special problem with telnet, even though, as usual in this city, there was an additional inetd daemon running rsh and rlogin for AFS (now disabled).

Thanks
Stefano

From kreymer@fnal.gov Wed Jan 3 14:37:46 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26439 for ; Wed, 3 Jan 2001 14:37:46 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00I68TAX97@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 03 Jan 2001 14:37:46 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C4055@listserv.fnal.gov>; Wed, 03 Jan 2001 14:37:45 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 169419 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 03 Jan 2001 14:37:45 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C4054@listserv.fnal.gov>; Wed, 03 Jan 2001 14:37:45 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6L00GCITAWHW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 03 Jan 2001 14:37:44 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 03 Jan 2001 14:37:44 -0600
Content-return: allowed
Date: Wed, 03 Jan 2001 14:37:37 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15940 Resolved.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F32A@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 764

Thank you for your assistance.
Help Desk ticket #000000000015940 has been resolved on 1/3/01 2:34:13 PM

Resolution Timestamp: : 1/3/01 2:32:31 PM
Solution Category : Information Request
Problem Category : Software
Type : Utilities
Item : Cryptocard
Short Description : Receiving same challenge

Solution : User was called with the information from Matt. The user tried to access the system while I was on the phone. He tried using 0 (zero) instead of C, which allowed him to get in.

Problem Description : Nikos was successful earlier this morning using his Palm Pilot with cryptocard software to connect from off-site to d0mino. Subsequent attempts to login are now failing. For some reason, Nikos keeps receiving the same challenge over and over again. The challenge displayed is 64190234 and the response is 282398AC. Since Nikos has his email forwarded to d0mino and is unable to access the system, he may be reached via telephone at 630.247.0345 with any questions. Thank you.

From kreymer@fnal.gov Fri Jan 5 04:24:09 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id EAA02546 for ; Fri, 5 Jan 2001 04:24:09 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6O00HHIQ88VM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 04:24:09 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5069@listserv.fnal.gov>; Fri, 05 Jan 2001 04:24:09 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 173900 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 04:24:09 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5068@listserv.fnal.gov>; Fri, 05 Jan 2001 04:24:09 -0600
Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G6O00GONQ87NI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 04:24:08 -0600 (CST)
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Fri, 05 Jan 2001 11:24 +0100 (CET)
Date: Fri, 05 Jan 2001 11:24:27 +0100
From: Stefano Belforte
Subject: ticket forwarding
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A55A0DB.EC200B3D@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 765

I noticed the following difference between the /etc/krb5.conf
I installed from v0_6 and v0_7 (other differences exist):

v0_6
[appdefaults]
    forward = true
    forwardable = true

v0_7
[appdefaults]
    forward = false

there is no forwardable field in v0_7.

For example on fcdfsgi2 the /etc/krb5.conf is the one from v0_6.

This has the annoying consequence that I need to type
telnet -F every time, otherwise my tickets are not forwarded.
May I safely assume that I can go ahead and change the
krb5.conf file to have the appdefault I like ?

May I assume that future releases will keep ticket forwarding
as default and I will not need to keep changing this ?

Thanks
Stefano

--
Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Fri Jan 5 07:10:29 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA12141 for ; Fri, 5 Jan 2001 07:10:29 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6O00LEFXXG32@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 07:10:29 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C51A8@listserv.fnal.gov>; Fri, 05 Jan 2001 07:10:28 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174260 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 07:10:28 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C51A7@listserv.fnal.gov>; Fri, 05 Jan 2001 07:10:28 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6O00M84XXDSV@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 07:10:28 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 07:10:25 -0600
Content-return: allowed
Date: Fri, 05 Jan 2001 07:10:17 -0600
From: ARSystem
Subject: 000000000015972 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F409@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 766

CRAWFORD, MATT, Help Desk Ticket #000000000015972 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Cryptocard type of problem.

Short description: cryptocard out of synch?

Badge # (+) : 12782N
First Name : MICHELE
Last Name (+) : PETTENI
Phone : 2491
E-Mail Address : MPETTENI@FNAL.GOV
Incident Time : 1/4/01 4:30:45 PM
System Name :
Urgency : Medium
Public Work Log :

Problem Description : when I try to log into d0mino the cryptocard and the challenge displayed by d0mino don't match. What can I do to make them match again?
Thanks Michele

From kreymer@fnal.gov Fri Jan 5 08:18:46 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA12422 for ; Fri, 5 Jan 2001 08:18:46 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P000CD1390S@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 08:18:45 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5208@listserv.fnal.gov>; Fri, 05 Jan 2001 08:18:45 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174365 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 08:18:45 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5207@listserv.fnal.gov>; Fri, 05 Jan 2001 08:18:45 -0600
Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G6P000CL1381I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 08:18:45 -0600 (CST)
Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Fri, 05 Jan 2001 15:18 +0100 (CET)
Date: Fri, 05 Jan 2001 15:19:03 +0100
From: Stefano Belforte
Subject: problems with portal mode
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A55D7D7.CBD10329@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; OSF1 V4.0 alpha)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 767

I installed kerberos v0_7 on two Sun workstations, in Pisa and Trieste. I also installed host principals for them. I needed also to tamper with /etc/hosts.allow and nis services stuff (kerberos install shell updates /etc/services file, but on my machine that is part of a NIS+ domain that file is useless and another file has to be modified instead on the NIS server.... a note in the manual about this will help future installers!).

After that I can telnet to those machines using kerberos tickets:
/usr/krb5/bin/telnet -k PILOT.FNAL.GOV stsa11.ts.infn.it and
/usr/krb5/bin/telnet -k PILOT.FNAL.GOV suncdf2.pi.infn.it
both work

But portal mode does not work, on either machine. Since one (stsa11) is part of a NIS+ domain and the other (suncdf2) is not, I think the problem is elsewhere.

Here is the symptom:

/usr/bin/telnet suncdf2.pi.infn.it
Trying 192.135.9.105...
Connected to suncdf2.pi.infn.it.
Escape character is '^]'.

UNIX(r) System V Release 4.0 (suncdf2) (pts/6)

Portal login: belforte
login: Key table entry not found while getting initial credentials
Login incorrect

instead of the prompt for the cryptocard number e.g. on fcdfsun1:

UNIX(r) System V Release 4.0 (fcdfsun1) (pts/0)

Portal login: belforte
Press ENTER and compare this challenge to the one on your display: [14335117]

Any suggestion for "what to look for" ?

By the way, I earlier reported that I was not able to telnet to suncdf2 using the kerberos ticket. That was fixed by installing v0_7 over pre-existing v0_6 that I installed in early december.

Many thanks
Stefano

--
Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Fri Jan 5 09:47:47 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA12504 for ; Fri, 5 Jan 2001 09:47:47 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P000RJ57M1I@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 09:47:46 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C535D@listserv.fnal.gov>; Fri, 05 Jan 2001 09:47:46 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174734 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 09:47:46 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C535C@listserv.fnal.gov>; Fri, 05 Jan 2001 09:47:46 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00MS657LXE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 09:47:45 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA24718; Fri, 05 Jan 2001 09:47:43 -0600 (CST)
Date: Fri, 05 Jan 2001 09:47:43 -0600
From: Matt Crawford
Subject: Re: ticket forwarding
In-reply-to: "05 Jan 2001 11:24:27 +0100." <3A55A0DB.EC200B3D@ts.infn.it>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Stefano Belforte
Cc: kerberos-pilot@fnal.gov
Message-id: <200101051547.JAA24718@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 768

> I noticed the following difference between the /etc/krb5.conf
> I installed from v0_6 and v0_7 (other differences exist):
> v0_6
> [appdefaults]
>     forward = true
>     forwardable = true
> v0_7
> [appdefaults]
>     forward = false

This file is created (or modified) by the "krb5conf" product, which is pulled in by the "kerberos" product, so this is not a matter of v0_6 or v0_7 of Kerberos, but a change between v0_6a and v1_0 of the krb5conf product.

> there is no forwardable field in v0_7.

A "forwardable = true" line got added to the "kinit = { ... }" section so you get a forwardable initial ticket from kinit. But it was removed from the top so it wouldn't cause telnet, rlogin, etc to always forward a forwardable ticket.

> This has the annoying consequence that I need to type
> telnet -F every time, otherwise my tickets are not forwarded.
> May I safely assume that I can go ahead and change the
> krb5.conf file to have the appdefault I like ?

On systems you administer, you may set the default action for everyone. Note that if you set forward=true and/or forwardable=true for telnet and all, then anyone who does *not* want their ticket forwarded has to give the "-N" flag to prevent it.

> May I assume that future releases will keep ticket forwarding
> as default and I will not need to keep changing this ?
After v1_0 I intend to make new krb5conf releases preserve local changes below the "flag line":

# It would probably be a bad idea to change anything on or above this line

From kreymer@fnal.gov Fri Jan 5 11:58:19 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA17119 for ; Fri, 5 Jan 2001 11:58:19 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P0092KB8JZT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 11:57:55 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C551F@listserv.fnal.gov>; Fri, 05 Jan 2001 11:57:55 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175226 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 11:57:55 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C551E@listserv.fnal.gov>; Fri, 05 Jan 2001 11:57:55 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P007FNB8EV2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 11:57:54 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 11:57:47 -0600
Content-return: allowed
Date: Fri, 05 Jan 2001 11:57:33 -0600
From: ARSystem
Subject: CRAWFORD, MATT #15972 Resolved.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F4D5@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 769

Thank you for your assistance.

Help Desk ticket #000000000015972 has been resolved on 1/5/01 11:56:58 AM

Resolution Timestamp: : 1/5/01 11:30:47 AM
Solution Category : Information Request
Problem Category : Software
Type : Utilities
Item : Cryptocard
Short Description : cryptocard out of synch?

Solution : From http://www.fnal.gov/docs/strongauth/html/access_sr.html#35297

4. The CryptoCard displays a challenge. Compare the challenge on the host to the one on the card:
   a. If the challenges are the same, press Ent again on the CryptoCard to get the response. (In this case the KDC and your CryptoCard are synchronized. As long as they remain in sync, the CryptoCard will generate the right response.)
   b. If the challenges are different (you may see all zeroes), press CH/MAC on the CryptoCard and enter the challenge displayed on the host system into the card. (This resynchronizes the CryptoCard.) Then press Ent to get the response.

Problem Description : when I try to log into d0mino the cryptocard and the challenge displayed by d0mino don't match. What can I do to make them match again?
Thanks Michele

From kreymer@fnal.gov Fri Jan 5 13:14:33 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA29816 for ; Fri, 5 Jan 2001 13:14:33 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00B41ES7GI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 13:14:32 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C55E8@listserv.fnal.gov>; Fri, 05 Jan 2001 13:14:31 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175445 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 13:14:31 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C55E7@listserv.fnal.gov>; Fri, 05 Jan 2001 13:14:31 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00B70ES7CN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 13:14:31 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA25704; Fri, 05 Jan 2001 13:14:30 -0600 (CST)
Date: Fri, 05 Jan 2001 13:14:30 -0600
From: Matt Crawford
Subject: Re: 000000000015972 Assigned to CRAWFORD, MATT.
In-reply-to: "05 Jan 2001 07:10:17 CST." <318CC3D38BE0D211BB1200105A093F7611F409@csdserver2.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200101051914.NAA25704@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 770

> Problem Description : when I try to log into d0mino the cryptocard and
> the challenge displayed
> by d0mino don't match. What can I do to make them match again?
As it says on the back of the instruction sheet, or on the web at http://www.fnal.gov/cd/security/UserGuide/Cryptocard-use.html, "If the challenge does not match for some reason, press CH/MAC and enter the right challenge into the card, followed by ENT."

From kreymer@fnal.gov Fri Jan 5 13:20:10 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA30162 for ; Fri, 5 Jan 2001 13:20:09 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00B6PF1K5S@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 13:20:08 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C55F2@listserv.fnal.gov>; Fri, 05 Jan 2001 13:20:08 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175455 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 13:20:08 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C55F1@listserv.fnal.gov>; Fri, 05 Jan 2001 13:20:08 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00C3PF1J4C@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 13:20:08 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA25762 for ; Fri, 05 Jan 2001 13:20:07 -0600 (CST)
Date: Fri, 05 Jan 2001 13:20:07 -0600
From: Matt Crawford
Subject: Re: problems with portal mode
In-reply-to: "05 Jan 2001 15:19:03 +0100." <3A55D7D7.CBD10329@ts.infn.it>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200101051920.NAA25762@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 771

> but on my machine that is part of a NIS+ domain that file is
> useless and another file has to be modified instead on the NIS
> server.... a note in the manual about this will help future
> installers!).

As far as I know, we have no NIS+ users here and so had not run into that. Is there a simple test that will reveal that NIS+ is in use on a system?

> After that I can telnet to those machines using kerberos tickets:
> /usr/krb5/bin/telnet -k PILOT.FNAL.GOV stsa11.ts.infn.it and
> /usr/krb5/bin/telnet -k PILOT.FNAL.GOV suncdf2.pi.infn.it
> both work
>
> But portal mode does not work, on either machine.

I logged in and diagnosed this with Stefano and the solution turns out to be the addition of those hosts' own names or domains in the [domain_realm] section of krb5.conf:

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
    .ts.infn.it = PILOT.FNAL.GOV
    .pi.infn.it = PILOT.FNAL.GOV

fixed up portal telnet and Kerberos ftp.
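Added example (not part of the thread, not the krb5conf product and not MIT code): a small Python stand-in that parses the krb5.conf syntax and applies the MIT lookup rules behind the two questions in the "ticket forwarding" and "problems with portal mode" messages above: which applications see forward/forwardable from [appdefaults], and which realm a host name maps to through [domain_realm]. The two configuration texts are constructed from Matt's description of the v0_6a and v1_0 krb5conf layouts and from the [domain_realm] fix he posted; they are not real files. The realm used when no [domain_realm] entry matches (the upper-cased parent domain, else default_realm) is an assumption about the libraries of that era, offered as the likely reason a host principal ends up looked up under a realm the keytab does not hold.

```python
"""Resolve two krb5.conf questions: [appdefaults] forwarding policy per
application, and [domain_realm] host-to-realm mapping.  Stand-in code,
not the krb5conf product and not MIT's implementation."""
import re

# Constructed from the thread's description of the v0_6a krb5conf layout.
KRB5CONF_V0_6_STYLE = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
[appdefaults]
    # top-level options apply to kinit, telnet, rlogin, ... alike
    forward = true
    forwardable = true
[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
"""

# Constructed from the description of the v1_0 layout plus the posted fix.
KRB5CONF_V1_0_STYLE = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
[appdefaults]
    forward = false
    kinit = {
        # the initial ticket is forwardable; nothing forwards it by default
        forwardable = true
    }
[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
    .ts.infn.it = PILOT.FNAL.GOV
    .pi.infn.it = PILOT.FNAL.GOV
"""


def parse_krb5_conf(text):
    """Parse krb5.conf (ini sections plus 'name = { ... }' blocks) into nested
    dicts.  The first occurrence of a key wins, as in the MIT profile library."""
    conf, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in '#;':          # blank or comment line
            continue
        section = re.match(r'^\[([^\]\s]+)\]$', line)
        if section:
            stack = [conf.setdefault(section.group(1), {})]
            continue
        if not stack:
            raise ValueError('line %d: value outside any section' % lineno)
        if line == '}':
            if len(stack) == 1:
                raise ValueError('line %d: unbalanced }' % lineno)
            stack.pop()
            continue
        key, eq, value = (part.strip() for part in line.partition('='))
        if not eq or not key:
            raise ValueError('line %d: expected key = value' % lineno)
        if value == '{':                          # open a nested block
            block = stack[-1].setdefault(key, {})
            if not isinstance(block, dict):
                raise ValueError('line %d: %s is not a block' % (lineno, key))
            stack.append(block)
        else:
            stack[-1].setdefault(key, value)
    if len(stack) > 1:
        raise ValueError('unclosed { at end of file')
    return conf


def _block(d, key):
    """Sub-block of d named key, or an empty dict if absent or not a block."""
    value = d.get(key)
    return value if isinstance(value, dict) else {}


def appdefault_bool(conf, app, realm, option, default=False):
    """krb5_appdefault_boolean lookup order inside [appdefaults]:
    app = { realm = { option } }, then app = { option },
    then realm = { option }, then a bare top-level option."""
    ad = conf.get('appdefaults', {})
    for scope in (_block(_block(ad, app), realm), _block(ad, app),
                  _block(ad, realm), ad):
        value = scope.get(option)
        if isinstance(value, str):
            return value.lower() in ('true', 't', 'yes', 'y', 'on', '1')
    return default


def forwarding_policy(conf, realm='PILOT.FNAL.GOV',
                      apps=('kinit', 'telnet', 'rlogin')):
    """Per application: (forward, forwardable) as the libraries would see it."""
    return {app: (appdefault_bool(conf, app, realm, 'forward'),
                  appdefault_bool(conf, app, realm, 'forwardable'))
            for app in apps}


def host_to_realm(conf, hostname):
    """[domain_realm] lookup: the exact host name first, then each parent
    domain with a leading dot.  Fallback (upper-cased parent domain, else
    default_realm) is an assumption about the 2001-era MIT behaviour."""
    host = hostname.lower().rstrip('.')
    mapping = conf.get('domain_realm', {})
    labels = host.split('.')
    for i in range(len(labels)):
        candidate = host if i == 0 else '.' + '.'.join(labels[i:])
        if isinstance(mapping.get(candidate), str):
            return mapping[candidate]
    if len(labels) > 1:
        return '.'.join(labels[1:]).upper()
    return conf.get('libdefaults', {}).get('default_realm', '')


if __name__ == '__main__':
    for label, text in (('v0_6-style', KRB5CONF_V0_6_STYLE),
                        ('v1_0-style', KRB5CONF_V1_0_STYLE)):
        conf = parse_krb5_conf(text)
        print(label, forwarding_policy(conf))
        for host in ('fcdfsgi2.fnal.gov', 'suncdf2.pi.infn.it'):
            print('  %s -> %s' % (host, host_to_realm(conf, host)))
```

Running it shows the two points made in the replies: the v0_6-style file makes telnet and rlogin forward unconditionally (so a user who does not want that must pass -N), while the v1_0-style file gives kinit a forwardable ticket and leaves forward off for everything else; and without the .pi.infn.it and .ts.infn.it lines, suncdf2.pi.infn.it does not resolve to PILOT.FNAL.GOV at all.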
From kreymer@fnal.gov Fri Jan 5 13:24:52 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA30673 for ; Fri, 5 Jan 2001 13:24:52 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00A9RF9DVN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 13:24:50 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5605@listserv.fnal.gov>; Fri, 05 Jan 2001 13:24:50 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175474 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 13:24:50 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5604@listserv.fnal.gov>; Fri, 05 Jan 2001 13:24:49 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00A8LF9DYL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 13:24:49 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 13:24:49 -0600
Content-return: allowed
Date: Fri, 05 Jan 2001 13:24:36 -0600
From: ARSystem
Subject: Note to requester has been sent - 000000000015972
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7611F4F6@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 772

The following note has been sent to the requester: PETTENI, MICHELE

Short Description : cryptocard out of synch?
Notes to Requester : Per the analyst: "As it says on the back of the instruction sheet, or on the web at http://www.fnal.gov/cd/security/UserGuide/Cryptocard-use.html, "If the challenge does not match for some reason, press CH/MAC and enter the right challenge into the card, followed by ENT."

From kreymer@fnal.gov Fri Jan 5 13:24:55 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA30677 for ; Fri, 5 Jan 2001 13:24:55 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00B6NF9IGI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 13:24:54 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5607@listserv.fnal.gov>; Fri, 05 Jan 2001 13:24:54 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175476 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 13:24:54 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5606@listserv.fnal.gov>; Fri, 05 Jan 2001 13:24:54 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00C5DF9H2H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 13:24:54 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 13:24:52 -0600
Content-return: allowed
Date: Fri, 05 Jan 2001 13:24:32 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 15972 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F4F4@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 773

15972 has been updated by trb.
Short Description : cryptocard out of synch?
New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000015972 Assigned to CRAWFORD, MATT. Date: Friday, January 05, 2001 1:14 PM

> Problem Description : when I try to log into d0mino the cryptocard and
> the challenge displayed by d0mino don't match. What can I do to make
> them match again?

As it says on the back of the instruction sheet, or on the web at http://www.fnal.gov/cd/security/UserGuide/Cryptocard-use.html, "If the challenge does not match for some reason, press CH/MAC and enter the right challenge into the card, followed by ENT."

From kreymer@fnal.gov Fri Jan 5 13:57:57 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA01244 for ; Fri, 5 Jan 2001 13:57:55 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00C87GSIHM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 13:57:54 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C569D@listserv.fnal.gov>; Fri, 05 Jan 2001 13:57:54 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175640 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 13:57:54 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C569C@listserv.fnal.gov>; Fri, 05 Jan 2001 13:57:54 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with
ESMTP id <0G6P00BEPGSGCN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 13:57:53 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 13:57:49 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 13:57:28 -0600 From: ARSystem Subject: 000000000015998 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F510@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 774 CRAWFORD, MATT, Help Desk Ticket #000000000015998 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: kerberos password Badge # (+) : 01798C First Name : RICHARD Last Name (+) : WELLNER Phone : 6805 E-Mail Address : WELLNER@FNAL.GOV Incident Time : 1/5/01 1:50:10 PM System Name : KRB-PILOT-1 Urgency : Medium Public Work Log : 1/5/01 1:55:05 PM trb Matt, would you please reset Rich's kerberos password ? Problem Description : I need my kerberos password ASAP and Yolonda is gone for the day. 
Onsight 840-6805 (No VM) Cell 404-6251 (VM) rw2 -- Keep Manhattan, just give me that countryside -Vic Mizzy From kreymer@fnal.gov Fri Jan 5 14:14:12 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA01859 for ; Fri, 5 Jan 2001 14:14:12 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00AJMHJMUW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 14:14:11 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56C0@listserv.fnal.gov>; Fri, 05 Jan 2001 14:14:10 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175676 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 14:14:10 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56BF@listserv.fnal.gov>; Fri, 05 Jan 2001 14:14:10 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00BFUHJIPC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 14:14:10 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 14:14:02 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 14:13:43 -0600 From: ARSystem Subject: CRAWFORD, MATT #15998 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F514@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 775 Thank you for your assistance. 
Help Desk ticket #000000000015998 has been resolved on 1/5/01 2:08:34 PM Resolution Timestamp: : 1/5/01 2:06:26 PM Solution Category : Service Request Problem Category : Software Type : Utilities Item : Kerberos Short Description : kerberos password Solution : Per the Admin: "Done. I gave him a new password by phone." Problem Description : I need my kerberos password ASAP and Yolonda is gone for the day. Onsight 840-6805 (No VM) Cell 404-6251 (VM) rw2 -- Keep Manhattan, just give me that countryside -Vic Mizzy From kreymer@fnal.gov Fri Jan 5 14:35:57 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA04418 for ; Fri, 5 Jan 2001 14:35:56 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00DAAIJVQA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 14:35:55 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56F8@listserv.fnal.gov>; Fri, 05 Jan 2001 14:35:55 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175738 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 14:35:55 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56F6@listserv.fnal.gov>; Fri, 05 Jan 2001 14:35:55 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00BKWIJTK9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 14:35:54 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 14:35:46 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 14:35:41 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15966 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F521@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 776 15966 has been updated by trb. Short Description : kerberos password New Work Log Entry : 14:28 Lynn telephoned CSG inquiring about the status of her request. She would like her kerberos password reset a.s.a.p. Since Yolanda is off this afternoon, re-assigning this request seeking assistance. Matt ? From kreymer@fnal.gov Fri Jan 5 14:35:57 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA04420 for ; Fri, 5 Jan 2001 14:35:56 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00DAAIJVQA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 14:35:56 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56FA@listserv.fnal.gov>; Fri, 05 Jan 2001 14:35:55 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175740 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 14:35:55 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C56F7@listserv.fnal.gov>; Fri, 05 Jan 2001 14:35:55 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00CFWIJTHM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 14:35:54 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 14:35:46 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 14:35:37 -0600 From: ARSystem Subject: 
000000000015966 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F520@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 777 CRAWFORD, MATT, Help Desk Ticket #000000000015966 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: kerberos password Badge # (+) : 08999N First Name : LYNN Last Name (+) : GARREN Phone : 2061 E-Mail Address : GARREN@FNAL.GOV Incident Time : 1/4/01 1:25:30 PM System Name : KRB-PILOT-2 Urgency : Medium Public Work Log : 1/5/01 2:32:40 PM trb 14:28 Lynn telephoned CSG inquiring about the status of her request. She would like her kerberos password reset a.s.a.p. Since Yolanda is off this afternoon, re-assigning this request seeking assistance. Matt ? Problem Description : I was forced to change my kerberos password on the build cluster (entry is via ossbud.fnal.gov) just before Christmas. As a result, I have completely forgotten what my kerberos password is. Can you please reset my password ASAP? 
Thanks, Lynn x2061 garren@fnal.gov From kreymer@fnal.gov Fri Jan 5 15:08:46 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06567 for ; Fri, 5 Jan 2001 15:08:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00CM8K2K4C@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 15:08:46 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5775@listserv.fnal.gov>; Fri, 05 Jan 2001 15:08:45 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175879 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 15:08:45 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5773@listserv.fnal.gov>; Fri, 05 Jan 2001 15:08:45 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00CMNK2JHM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 15:08:44 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 15:08:41 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 15:08:27 -0600 From: ARSystem Subject: CRAWFORD, MATT #15966 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F53C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 778 Thank you for your assistance. 
Help Desk ticket #000000000015966 has been resolved on 1/5/01 3:05:04 PM Resolution Timestamp: : 1/5/01 3:02:07 PM Solution Category : Service Request Problem Category : Software Type : Utilities Item : Kerberos Short Description : kerberos password Solution : Per the Admin: "Done. I called her with the new password." Problem Description : I was forced to change my kerberos password on the build cluster (entry is via ossbud.fnal.gov) just before Christmas. As a result, I have completely forgotten what my kerberos password is. Can you please reset my password ASAP? Thanks, Lynn x2061 garren@fnal.gov From kreymer@fnal.gov Fri Jan 5 15:20:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06705 for ; Fri, 5 Jan 2001 15:20:03 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00DJ1KLEQA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 15:20:02 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C579A@listserv.fnal.gov>; Fri, 05 Jan 2001 15:20:02 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175918 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 15:20:02 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C5799@listserv.fnal.gov>; Fri, 05 Jan 2001 15:20:02 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00H1BKLD40@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 15:20:01 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 15:20:02 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 15:19:41 -0600 From: 
ARSystem Subject: 000000000016002 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F550@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 779 CRAWFORD, MATT, Help Desk Ticket #000000000016002 has been assigned to you. It is a(n) Medium priority Software/Utilities /Cryptocard type of problem. Short description: needs cryptocard reset; password expired Badge # (+) : 08409V First Name : GREGORIO Last Name (+) : BERNARDI Phone : 8740 E-Mail Address : GREGORIO@IN2P3.FR Incident Time : 1/5/01 3:12:31 PM System Name : Urgency : Medium Public Work Log : Problem Description : Gregorio was issued a cryptocard and the password has expired. He would like to do some work this weekend and is wondering if someone could reset his cryptocard before the end of today's business. He can be reached at x8061. Thank you. 
From kreymer@fnal.gov Fri Jan 5 15:24:55 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06709 for ; Fri, 5 Jan 2001 15:24:55 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00H0YKSSF9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 15:24:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C57A8@listserv.fnal.gov>; Fri, 05 Jan 2001 15:24:29 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175934 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 15:24:29 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C57A7@listserv.fnal.gov>; Fri, 05 Jan 2001 15:24:29 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00F9LKSSTR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 15:24:28 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA26639; Fri, 05 Jan 2001 15:24:28 -0600 (CST) Date: Fri, 05 Jan 2001 15:24:28 -0600 From: Matt Crawford Subject: Re: 000000000016002 Assigned to CRAWFORD, MATT. In-reply-to: "05 Jan 2001 15:19:41 CST." <318CC3D38BE0D211BB1200105A093F7611F550@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200101052124.PAA26639@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 780 > Problem Description : Gregorio was issued a cryptocard and the password > has expired. He would like to do some work this weekend and is wondering > if someone could reset his cryptocard before the end of today's > business. 
He can be reached at x8061. I did not change his password, but I gave it 5 more days to expiration. It will expire at Wed Jan 10 15:23:13 CST 2001. From kreymer@fnal.gov Fri Jan 5 15:36:18 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06866 for ; Fri, 5 Jan 2001 15:36:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00DMGLCHQA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 05 Jan 2001 15:36:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C57C2@listserv.fnal.gov>; Fri, 05 Jan 2001 15:36:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175961 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 05 Jan 2001 15:36:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C57C1@listserv.fnal.gov>; Fri, 05 Jan 2001 15:36:18 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6P00CTBLCHBL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 05 Jan 2001 15:36:17 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 05 Jan 2001 15:36:13 -0600 Content-return: allowed Date: Fri, 05 Jan 2001 15:36:04 -0600 From: ARSystem Subject: CRAWFORD, MATT #16002 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F560@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 781 Thank you for your assistance. 
Help Desk ticket #000000000016002 has been resolved on 1/5/01 3:32:48 PM Resolution Timestamp: : 1/5/01 3:24:58 PM Solution Category : Service Request Problem Category : Software Type : Utilities Item : Cryptocard Short Description : needs cryptocard reset; password expired Solution : Per the Admin: "I did not change his password, but I gave it 5 more days to expiration. It will expire at Wed Jan 10 15:23:13 CST 2001." Problem Description : Gregorio was issued a cryptocard and the password has expired. He would like to do some work this weekend and is wondering if someone could reset his cryptocard before the end of today's business. He can be reached at x8061. Thank you. From kreymer@fnal.gov Mon Jan 8 11:25:42 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA06191 for ; Mon, 8 Jan 2001 11:25:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6U00K2STQT8B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 08 Jan 2001 11:25:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6C4D@listserv.fnal.gov>; Mon, 08 Jan 2001 11:25:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 181856 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 08 Jan 2001 11:25:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6C4C@listserv.fnal.gov>; Mon, 08 Jan 2001 11:25:41 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6U00J7PTQTC3@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 08 Jan 2001 11:25:41 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA10011 
for ; Mon, 08 Jan 2001 11:25:40 -0600 (CST) Date: Mon, 08 Jan 2001 11:25:40 -0600 From: Matt Crawford Subject: Re: unrestricted telnet In-reply-to: "15 Dec 2000 16:29:23 +0100." <3A3A38D3.6656F34E@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200101081725.LAA10011@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 782

I diagnosed the "wide open telnet" problem reported by Stefano (original mail included below). The problem stems from use of shadow passwords on the NIS master server, an OSF/1 machine, in a way which is invisible to the Linux NIS clients. "ypcat passwd" on the clients shows empty fields where there should be either an encrypted password string or a "*" or "x" or other disabling entry. A shadow password test program doing

    struct spwd *sp = getspnam(username);

as root on a client finds no shadow password entry for the user, so the empty field from the traditional passwd map is in effect. The empty password fields in the NIS map are the problem, but I could also bullet-proof the Kerberos login program against null-password accounts in portal mode.

> I have found again the situation when the telnetd server installed
> by fermi kerberos allows access without a password to any user.
>
> Last summer this happened on my OSF machine in Trieste, was blamed
> on some fancier version of OSF password security file that we run here,
> we disabled all telnet and rlogin and "forgot".
>
> Now I installed kerberos on a Linux machine (pclx06.ts.infn.it).
> I also tried to install host/ftp principals using the password I got
> from compdiv@fnal.gov. It all went smoothly.
>
> But the fermi telnet server allows any user to log in from the local
> lan without a password.
>
> belforte@quark.ts.infn.it/~> /usr/bin/telnet pclx06 -l gomezel
> Trying 140.105.221.15...
> Connected to pclx06.ts.infn.it.
> Escape character is '^]'.
> > Red Hat Linux release 6.2 (Zoot) > Kernel 2.2.16-3 on an i686 > > login: Client not found in Kerberos database while getting initial > credentials > You have new mail. > [gomezel@pclx06 ~]$ > [gomezel@pclx06 ~]$ who am i > pclx06.ts.infn.it!gomezel ttyp1 Dec 15 16:09 From kreymer@fnal.gov Mon Jan 8 12:58:41 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA06504 for ; Mon, 8 Jan 2001 12:58:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6U00M8YY1S8L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 08 Jan 2001 12:58:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6E84@listserv.fnal.gov>; Mon, 08 Jan 2001 12:58:41 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 182443 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 08 Jan 2001 12:58:41 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6E83@listserv.fnal.gov>; Mon, 08 Jan 2001 12:58:41 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6U0004UY1QO6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 08 Jan 2001 12:58:40 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 08 Jan 2001 12:58:38 -0600 Content-return: allowed Date: Mon, 08 Jan 2001 12:58:36 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15966 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F6FB@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 783 15966 has been updated by blomberg. Short Description : kerberos password New Work Log Entry : From: "Yolanda Valadez" To: "ARSystem" Subject: Re: 000000000015966 Assigned to VALADEZ, YOLANDA. Date: Monday, January 08, 2001 12:39 PM resetted kerberos for garren, close 15966 From kreymer@fnal.gov Mon Jan 8 14:31:27 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA06770 for ; Mon, 8 Jan 2001 14:31:27 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V000MF2CBO6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 08 Jan 2001 14:31:23 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6FA0@listserv.fnal.gov>; Mon, 08 Jan 2001 14:31:23 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 182734 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 08 Jan 2001 14:31:23 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6F9D@listserv.fnal.gov>; Mon, 08 Jan 2001 14:31:23 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V0038W2C97U@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 08 Jan 2001 14:31:22 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 08 Jan 2001 14:31:21 -0600 Content-return: allowed Date: Mon, 08 Jan 2001 14:31:20 -0600 From: ARSystem Subject: 000000000016025 Assigned to 
CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F71A@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 784 CRAWFORD, MATT, Help Desk Ticket #000000000016025 has been assigned to you. It is a(n) Medium priority Software/Utilities /Cryptocard type of problem. Short description: Cryptocard Badge # (+) : 07906V First Name : RUSSELL Last Name (+) : GILMARTIN Phone : 8384 E-Mail Address : GLMARTIN@FNAL.GOV Incident Time : 1/8/01 2:26:44 PM System Name : Urgency : Medium Public Work Log : Problem Description : I just got my cryptocard. When I got it the batteries were out. I replaced the batteries and the display said Locked. What can I do? Russell From kreymer@fnal.gov Mon Jan 8 14:35:24 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA06774 for ; Mon, 8 Jan 2001 14:35:24 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V001HO2IZM5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 08 Jan 2001 14:35:24 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6FAD@listserv.fnal.gov>; Mon, 08 Jan 2001 14:35:24 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 182748 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 08 Jan 2001 14:35:24 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6FAC@listserv.fnal.gov>; Mon, 08 Jan 2001 14:35:24 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V0046J2IZ4S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT 
kerberos-pilot@fnal.gov); Mon, 08 Jan 2001 14:35:23 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA11069; Mon, 08 Jan 2001 14:35:23 -0600 (CST) Date: Mon, 08 Jan 2001 14:35:22 -0600 From: Matt Crawford Subject: Re: 000000000016025 Assigned to CRAWFORD, MATT. In-reply-to: "08 Jan 2001 14:31:20 CST." <318CC3D38BE0D211BB1200105A093F7611F71A@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200101082035.OAA11069@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 785

> Problem Description : I just got my cryptocard. When I got it the
> batteries were out. I replaced the

Batteries were "out" in the sense of not inside the card, or "out" as in "held no usable charge?" Well, it really doesn't matter now. If the card says Locked when you turn it on, you have to take (or send) it back to Yolanda Valadez (compdiv@fnal.gov, x8118) for reprogramming.

From kreymer@fnal.gov Mon Jan 8 14:41:46 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA06790 for ; Mon, 8 Jan 2001 14:41:46 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V00MPE2TK8L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 08 Jan 2001 14:41:45 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6FE6@listserv.fnal.gov>; Mon, 08 Jan 2001 14:41:45 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 182816 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 08 Jan 2001 14:41:45 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C6FE5@listserv.fnal.gov>; Mon, 08 Jan 2001 14:41:45 -0600 Received: from csdserver2.fnal.gov
([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6V001JG2TID7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 08 Jan 2001 14:41:44 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 08 Jan 2001 14:41:42 -0600 Content-return: allowed Date: Mon, 08 Jan 2001 14:41:40 -0600 From: ARSystem Subject: CRAWFORD, MATT #16025 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F723@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 786 Thank you for your assistance. Help Desk ticket #000000000016025 has been resolved on 1/8/01 2:36:36 PM Resolution Timestamp: : 1/8/01 2:35:25 PM Solution Category : Information Request Problem Category : Software Type : Utilities Item : Cryptocard Short Description : Cryptocard Solution : Batteries were "out" in the sense of not inside the card, or "out" as in "held no usable charge?" Well, it really doesn't matter now. If the card says Locked when you turn it on, you have to take (or send) it back to Yolanda Valadez (compdiv@fnal.gov, x8118) for reprogramming. Problem Description : I just got my cryptocard. When I got it the batteries were out. I replaced the batteries and the display said Locked. What can I do? 
Russell From kreymer@fnal.gov Tue Jan 9 10:22:28 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15743 for ; Tue, 9 Jan 2001 10:22:28 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002IELHFR6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:22:27 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C78F3@listserv.fnal.gov>; Tue, 09 Jan 2001 10:22:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185324 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:22:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C78F2@listserv.fnal.gov>; Tue, 09 Jan 2001 10:22:27 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002J8LHDXM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:22:26 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 09 Jan 2001 10:22:26 -0600 Content-return: allowed Date: Tue, 09 Jan 2001 10:22:20 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15971 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F81E@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 787 15971 has been updated by trb. Short Description : NT: fonts with WRQ New Work Log Entry : From: "Tim Doody" To: "ARSystem" Cc: Subject: Re: 000000000015971 Assigned to DOODY, TIM. 
Date: Tuesday, January 09, 2001 10:12 AM this person and all persons requesting help on WRQ reflections should send mail to: kerberos-pilot@fnal.gov it is a list set up here, at Fermilab, to help with the implementation of our strong authentication project (reflections is part of that project) tim ------------< Re-assigned as directed. Matt, should all of these types of requests be forwarded to mailing list kerberos-pilot@fnal.gov ? From kreymer@fnal.gov Tue Jan 9 10:22:30 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15747 for ; Tue, 9 Jan 2001 10:22:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002IELHFR6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:22:28 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C78F6@listserv.fnal.gov>; Tue, 09 Jan 2001 10:22:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185328 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:22:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C78F5@listserv.fnal.gov>; Tue, 09 Jan 2001 10:22:27 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002J8LHDXM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:22:27 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 09 Jan 2001 10:22:26 -0600 Content-return: allowed Date: Tue, 09 Jan 2001 10:22:20 -0600 From: ARSystem Subject: 000000000015971 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F81D@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain; charset=iso-8859-1 Status: RO X-Status: X-Keywords: X-UID: 788 CRAWFORD, MATT, Help Desk Ticket #000000000015971 has been assigned to you. It is a(n) Medium priority Software/Utilities /Wrq/Reflections type of problem. Short description: NT: fonts with WRQ Badge # (+) : 12711N First Name : THOMAS Last Name (+) : NUNNEMANN Phone : 8705 E-Mail Address : NUNNE@FNAL.GOV Incident Time : 1/4/01 4:07:12 PM System Name : Urgency : Medium Public Work Log : 1/4/01 4:25:28 PM blomberg The following was e-mailed to the Requester: Under Reflections for UNIX & Digital If you go under Setup View Settings, then under Reflection Setting if you scroll down there is one called Font Size (The Default is 12). I believe you can make the change there. Please let us know if this does not resolve your problem. 1/5/01 1:02:32 PM trb From: "Thomas Nunnemann" To: "ARSystem" Subject: Re: Additional info for 000000000015971 Date: Friday, January 05, 2001 12:24 PM Thanks for your answer. In my version of WRQ (8.02) I have an item "Font" under Reflection X size. I cannot change the font size here, but can allow font scaling and font substituting. Unfortunately this does not work either. I assume that HIGZ (the graphics window for PAW) uses a font which is not provided by Reflection. There is an option in Reflection to connect to a font-server over tcp. Is such a font-server running at FNAL? Thanks, Thomas The following was e-mailed to the Requester: Tom, On what system do you login and run HIGZ ? HelpDesk Tom Bozonelos 1/5/01 2:05:56 PM trb From: "Thomas Nunnemann" To: "ARSystem" Subject: Re: Additional info for 000000000015971 Date: Friday, January 05, 2001 1:39 PM The same problem is seen when I log in on d0mino or the D0-online-Linux-cluster d0olxx. 
Thanks, Thomas --------------< Re-assigning AR ticket seeking assistance. Dave, have you come across this font problem ? Any idea if we have a font-server ? I tried to replicate the problem but don't know enough about paw to be of any help. 1/5/01 3:28:44 PM trb From: "David J. Fagan" To: "ARSystem" Cc: Subject: Re: 000000000015971 Assigned to FAGAN, DAVE. Date: Friday, January 05, 2001 3:21 PM The support model as I understood it defined.... Anyone experiencing problems with WRQ other than with Kerberos are to report this problem to whoever is responsible for their normal administration support. That person either resolves the problem or works the problem with the vendor. This should go to the d0 nt administrators. Thanks. ------------------------------------------------------------------------ ------- David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------ ------- Re-assigned AR ticket as directed. 1/5/01 4:35:43 PM blomberg From: "Greg Cisko" To: "ARSystem" ; Cc: "David J Fagan" Subject: Re: CISKO, GREG AR ticket 15971 Has Been Updated. Date: Friday, January 05, 2001 4:20 PM This is a CD supported product and as such should be supported by the CD. As I have stated 1,000,000 times already our only experience is limited to the installs that we have done on our PC's. We have no other expertise other than that. Thanks, Greg Anything your group could do to help? 1/8/01 7:48:22 AM trb From: "David J. Fagan" To: "Greg Cisko" Cc: "David J Fagan" ; "ARSystem" ; Subject: Re: CISKO, GREG AR ticket 15971 Has Been Updated. Date: Saturday, January 06, 2001 12:32 PM It is a CD supported product only for first line Kerberos problems. The CD policy on WRQ is that it is the responsibility of the administrator of the machine. 
If the administrator(s) of the machine doesn't want to help with third party products like exceed, WRQ, or whatever it's their support model and can tell users to call for themselves or whatever. ------------------------------------------------------------------------ ------- David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------ ------- On Friday, Greg Cisko: > This is a CD supported product and as such should be supported by > the CD. As I have stated 1,000,000 times already our only experience > is limited to the installs that we have done on our PC's. We have > no other expertise other than that. > > > Thanks, > Greg 1/9/01 10:21:11 AM trb From: "Tim Doody" To: "ARSystem" Cc: Subject: Re: 000000000015971 Assigned to DOODY, TIM. Date: Tuesday, January 09, 2001 10:12 AM this person and all persons requesting help on WRQ reflections should send mail to: kerberos-pilot@fnal.gov it is a list set up here, at Fermilab, to help with the implementation of our strong authentication project (reflections is part of that project) tim ------------< Re-assigned as directed. Matt, should all of these types of requests be forwarded to mailing list kerberos-pilot@fnal.gov ? Problem Description : since I switched from exceed to WRQ I have problems with fonts, e.g. the selected font is not drawn (neither size nor type). The problems are in particular prominent when running HIGZ (with PAW). Is there a font library which I can download which cures this problem? Any information is appreciated. Thanks, Thomas ============================================================== Thomas Nunnemann Fermilab, MS 357 phone: ++1-630-840-8705, -2663 P.O. Box 500 fax: ++1-630-840-8481 Batavia, IL 60510 e-mail: nunne@fnal.gov U.S.A. 
============================================================== From kreymer@fnal.gov Tue Jan 9 10:26:50 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15751 for ; Tue, 9 Jan 2001 10:26:49 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W003DFLOPR0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:26:49 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C7906@listserv.fnal.gov>; Tue, 09 Jan 2001 10:26:49 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185344 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:26:49 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C7905@listserv.fnal.gov>; Tue, 09 Jan 2001 10:26:49 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W0065GLOO0I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:26:48 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA16198; Tue, 09 Jan 2001 10:26:48 -0600 (CST) Date: Tue, 09 Jan 2001 10:26:48 -0600 From: Matt Crawford Subject: Re: CRAWFORD, MATT AR ticket 15971 Has Been Updated. In-reply-to: "09 Jan 2001 10:22:20 CST." <318CC3D38BE0D211BB1200105A093F7611F81E@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200101091626.KAA16198@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 789 > Re-assigned as directed. Matt, should all of these types of requests > be forwarded to mailing list kerberos-pilot@fnal.gov ? In my opinion, no. 
Only a small fraction of the Kerberos users are using WRQ reflection. Questions to do with the Kerberos aspects of WRQ may be directed here, but I don't think it's an efficient forum for questions concerning the X server, fonts, or any purely NT- related problems. From kreymer@fnal.gov Tue Jan 9 10:45:45 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15770 for ; Tue, 9 Jan 2001 10:45:45 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002P9MK8XM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:45:45 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C7980@listserv.fnal.gov>; Tue, 09 Jan 2001 10:45:45 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185468 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:45:45 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C797F@listserv.fnal.gov>; Tue, 09 Jan 2001 10:45:44 -0600 Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W0071GMK8PQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:45:44 -0600 (CST) Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id KAA10841; Tue, 09 Jan 2001 10:45:43 -0600 (CST) Date: Tue, 09 Jan 2001 10:45:43 -0600 (CST) From: "David J. Fagan" Subject: Re: CRAWFORD, MATT AR ticket 15971 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: helpdesk@fnal.gov Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200101091645.KAA10841@large.fnal.gov> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=iso-8859-1 Precedence: normal In-hurl-to: (Your message of Tue, 09 Jan 2001 10:26:48 CST.) <200101091626.KAA16198@gungnir.fnal.gov> X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id KAA15770 Status: RO X-Status: X-Keywords: X-UID: 790 It's in the call log, but just so that everyone sees it... WRQ problems: it first goes to the system administrator to check configurations; if that fails to resolve the problem and it's KERBEROS related, it goes to kerberos-pilot; otherwise the policy is up to the local system administrator. i.e. They call WRQ or tell the user to. ------------------------------------------------------------------------------- David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------------- On Tuesday, Matt Crawford: > > Re-assigned as directed. Matt, should all of these types of requests > > be forwarded to mailing list kerberos-pilot@fnal.gov ? > > In my opinion, no. Only a small fraction of the Kerberos users are > using WRQ reflection. Questions to do with the Kerberos aspects of > WRQ may be directed here, but I don't think it's an efficient forum > for questions concerning the X server, fonts, or any purely NT- > related problems. 
From kreymer@fnal.gov Tue Jan 9 10:52:10 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15781 for ; Tue, 9 Jan 2001 10:52:10 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002MRMPBQE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:48:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C799F@listserv.fnal.gov>; Tue, 09 Jan 2001 10:48:48 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185506 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:48:48 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C799C@listserv.fnal.gov>; Tue, 09 Jan 2001 10:48:47 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W0066AMPBBQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:48:47 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 09 Jan 2001 10:48:48 -0600 Content-return: allowed Date: Tue, 09 Jan 2001 10:48:45 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15971 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F82B@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 791 15971 has been updated by trb. Short Description : NT: fonts with WRQ New Work Log Entry : From: "David J. Fagan" To: Cc: Subject: Re: CRAWFORD, MATT AR ticket 15971 Has Been Updated. 
Date: Tuesday, January 09, 2001 10:45 AM It's in the call log, but just so that everyone sees it... WRQ problems: it first goes to the system administrator to check configurations; if that fails to resolve the problem and it's KERBEROS related, it goes to kerberos-pilot; otherwise the policy is up to the local system administrator. i.e. They call WRQ or tell the user to. ------------------------------------------------------------------------ ------- David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------ ------- On Tuesday, Matt Crawford: > > Re-assigned as directed. Matt, should all of these types of requests > > be forwarded to mailing list kerberos-pilot@fnal.gov ? > > In my opinion, no. Only a small fraction of the Kerberos users are > using WRQ reflection. Questions to do with the Kerberos aspects of > WRQ may be directed here, but I don't think it's an efficient forum > for questions concerning the X server, fonts, or any purely NT- > related problems. 
From kreymer@fnal.gov Tue Jan 9 11:00:04 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15791 for ; Tue, 9 Jan 2001 11:00:04 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W002RFMXSR6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:53:52 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C79F5@listserv.fnal.gov>; Tue, 09 Jan 2001 10:53:52 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185616 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:53:52 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C79F4@listserv.fnal.gov>; Tue, 09 Jan 2001 10:53:52 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W0081EMXQ4B@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:53:51 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 09 Jan 2001 10:53:51 -0600 Content-return: allowed Date: Tue, 09 Jan 2001 10:53:51 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15971 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F82C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 792 15971 has been updated by trb. Short Description : NT: fonts with WRQ New Work Log Entry : The following is out of chronological order... From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: CRAWFORD, MATT AR ticket 15971 Has Been Updated. 
Date: Tuesday, January 09, 2001 10:26 AM > Re-assigned as directed. Matt, should all of these types of requests > be forwarded to mailing list kerberos-pilot@fnal.gov ? In my opinion, no. Only a small fraction of the Kerberos users are using WRQ reflection. Questions to do with the Kerberos aspects of WRQ may be directed here, but I don't think it's an efficient forum for questions concerning the X server, fonts, or any purely NT- related problems. From kreymer@fnal.gov Tue Jan 9 11:00:04 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15799 for ; Tue, 9 Jan 2001 11:00:04 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W004GNN6D0I@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 09 Jan 2001 10:59:01 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C7A16@listserv.fnal.gov>; Tue, 09 Jan 2001 10:59:01 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 185656 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 09 Jan 2001 10:59:01 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C7A14@listserv.fnal.gov>; Tue, 09 Jan 2001 10:59:01 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6W005IBN6C2Z@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 09 Jan 2001 10:59:00 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 09 Jan 2001 10:59:01 -0600 Content-return: allowed Date: Tue, 09 Jan 2001 10:59:00 -0600 From: ARSystem Subject: CRAWFORD, MATT AR ticket 15971 Has Been Updated. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7611F836@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 793 15971 has been updated by trb. Short Description : NT: fonts with WRQ New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Subject: Re: 000000000015971 Assigned to CRAWFORD, MATT. Date: Tuesday, January 09, 2001 10:48 AM Not me. I know nothing of a font server and even less about PAW. My understanding of the WRQ support situation is more like Dave Fagan's than Greg Cisko's. From kreymer@fnal.gov Wed Jan 10 06:19:42 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id GAA07994 for ; Wed, 10 Jan 2001 06:19:42 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6Y00AB54WTKH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 10 Jan 2001 06:19:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C86B2@listserv.fnal.gov>; Wed, 10 Jan 2001 06:19:42 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 189231 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 10 Jan 2001 06:19:42 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C86B1@listserv.fnal.gov>; Wed, 10 Jan 2001 06:19:42 -0600 Received: from ts.infn.it ([140.105.6.150]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G6Y009I54WS2R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 10 Jan 2001 06:19:41 -0600 (CST) Received: from ts.infn.it (140.105.6.163) by INFNTS with TCP/IP SMTP; Wed, 10 Jan 2001 13:19 +0100 (CET) Date: Wed, 10 Jan 2001 
13:20:02 +0100 From: Stefano Belforte Subject: ssh with kerberos capability Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: birsa@ts.infn.it Message-id: <3A5C5372.74BFBDFB@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; OSF1 V4.0 alpha) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 794 We rebuilt ssh with kerberos ticket support on our Sun machine (stsa11.ts.infn.it) and tried it out. The client appears to work fine. The server instead fails receiving connections from fermilab. Running the client with -v option I can see: belforte@fcdfsun1/~ > /usr/krb5/bin/ssh -v stsa11.ts.infn.it SSH Version 1.2.27 [sparc-sun-solaris2.5.1], protocol version 1.5. Standard version. Does not use RSAREF. fcdfsun1: Reading configuration data /etc/ssh_config fcdfsun1: ssh_connect: getuid 6423 geteuid 6423 anon 1 fcdfsun1: Connecting to stsa11.ts.infn.it [140.105.6.200] port 22. fcdfsun1: Connection established. fcdfsun1: Remote protocol version 1.5, remote software version 1.2.27 fcdfsun1: Waiting for server public key. fcdfsun1: Received server public key (768 bits) and host key (1024 bits). fcdfsun1: Host 'stsa11.ts.infn.it' is known and matches the host key. fcdfsun1: Initializing random; seed file /cdf/home/belforte/.ssh/random_seed fcdfsun1: Encryption type: idea fcdfsun1: Sent encrypted session key. fcdfsun1: Installing crc compensation attack detector. fcdfsun1: Received encrypted confirmation. fcdfsun1: Trying Kerberos V5 TGT passing. fcdfsun1: Kerberos V5 TGT passing was successful. fcdfsun1: Trying Kerberos V5 authentication. fcdfsun1: Kerberos V5: failure on credentials(Server not found in Kerberos database). So I presume the problem is that the /etc/krb5.conf file on fcdfsun1 (the only CDF node I found with kerberos-capable ssh) lack the [realm_domain] assignement: .ts.infn.it = PILOT.FNAL.GOV Is this assumption correct ? 
Also I found it not trivial to come up with the proper /etc/sshd_config file. Do you imagine distributing a template ? By the way I tweaked the /etc/sshd_config file so that when kerberos authentication fails local encrypted passwords are still accepted, so not to pre-empt the install-keep-shh that was done on this node. If you have reasons to think that this is improper or better done in different ways, please let me know. In particular I set KerberosOrLocalPasswd yes PasswordAuthentication yes I wish I never had to learn about the existence of sshd_config, but at this point I will be glad to know all that makes sense to know about it. Thanks Stefano -- Stefano Belforte - I.N.F.N. tel : +39 040 375-6261 (fax: 375-6258) Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte From kreymer@fnal.gov Wed Jan 10 07:11:50 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA08013 for ; Wed, 10 Jan 2001 07:11:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6Y00D3S7BP45@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 10 Jan 2001 07:11:50 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C8705@listserv.fnal.gov>; Wed, 10 Jan 2001 07:11:49 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 189323 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 10 Jan 2001 07:11:49 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C8704@listserv.fnal.gov>; Wed, 10 Jan 2001 07:11:49 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G6Y009HL7BPVK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT 
kerberos-pilot@fnal.gov); Wed, 10 Jan 2001 07:11:49 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id HAA16234; Wed, 10 Jan 2001 07:12:16 -0600 Date: Wed, 10 Jan 2001 07:12:16 -0600 From: Glenn Cooper Subject: Re: ssh with kerberos capability In-reply-to: <3A5C5372.74BFBDFB@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, birsa@ts.infn.it Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 795 Hi Stefano, I think you are correct in concluding that we need to add ".ts.infn.it = PILOT.FNAL.GOV" to our krb5.conf files. I have done this on fcdfsun1, fcdfsgi2, and cdfsga. Please try it out and let me know if you still can't connect to your INFN machine(s). A template sshd_config file does come with the ssh product installed using UPD, which of course you can't do. It may help to look at the file on fcdfsgi2, and compare it to older versions there (/etc/sshd_config.xx). Cheers, Glenn On Wed, 10 Jan 2001, Stefano Belforte wrote: > We rebuilt ssh with kerberos ticket support on our Sun machine > (stsa11.ts.infn.it) and tried it out. > The client appears to work fine. > The server instead fails receiving connections from fermilab. > Running the client with -v option I can see: > belforte@fcdfsun1/~ > /usr/krb5/bin/ssh -v stsa11.ts.infn.it > SSH Version 1.2.27 [sparc-sun-solaris2.5.1], protocol version 1.5. > Standard version. Does not use RSAREF. > fcdfsun1: Reading configuration data /etc/ssh_config > fcdfsun1: ssh_connect: getuid 6423 geteuid 6423 anon 1 > fcdfsun1: Connecting to stsa11.ts.infn.it [140.105.6.200] port 22. > fcdfsun1: Connection established. > fcdfsun1: Remote protocol version 1.5, remote software version 1.2.27 > fcdfsun1: Waiting for server public key. > fcdfsun1: Received server public key (768 bits) and host key (1024 > bits). 
> fcdfsun1: Host 'stsa11.ts.infn.it' is known and matches the host key. > fcdfsun1: Initializing random; seed file > /cdf/home/belforte/.ssh/random_seed > fcdfsun1: Encryption type: idea > fcdfsun1: Sent encrypted session key. > fcdfsun1: Installing crc compensation attack detector. > fcdfsun1: Received encrypted confirmation. > fcdfsun1: Trying Kerberos V5 TGT passing. > fcdfsun1: Kerberos V5 TGT passing was successful. > fcdfsun1: Trying Kerberos V5 authentication. > fcdfsun1: Kerberos V5: failure on credentials(Server not found in > Kerberos database). > > So I presume the problem is that the /etc/krb5.conf file on > fcdfsun1 (the only CDF node I found with kerberos-capable ssh) > lack the [realm_domain] assignement: .ts.infn.it = PILOT.FNAL.GOV > > Is this assumption correct ? > > Also I found it not trivial to come up with the proper /etc/sshd_config > file. Do you imagine distributing a template ? > > By the way I tweaked the /etc/sshd_config > file so that when kerberos authentication fails local > encrypted passwords are still accepted, so not to pre-empt the > install-keep-shh that was done on this node. If you have reasons > to think that this is improper or better done in different ways, > please let me know. In particular I set > KerberosOrLocalPasswd yes > PasswordAuthentication yes > > I wish I never had to learn about the existence of sshd_config, > but at this point I will be glad to know all that makes sense to > know about it. > > Thanks > Stefano > -- > Stefano Belforte - I.N.F.N. 
tel : +39 040 375-6261 (fax: 375-6258) > Area di Ricerca - Padriciano 99 e-mail: Stefano.Belforte@ts.infn.it > 34012 TRIESTE TS - Italy Web : http://www.ts.infn.it/~belforte > From kreymer@fnal.gov Wed Jan 10 09:07:54 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA08213 for ; Wed, 10 Jan 2001 09:07:54 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6Y00EC3CP5NN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 10 Jan 2001 09:07:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C882B@listserv.fnal.gov>; Wed, 10 Jan 2001 09:07:53 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 189637 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 10 Jan 2001 09:07:53 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000C882A@listserv.fnal.gov>; Wed, 10 Jan 2001 09:07:53 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G6Y00EDWCP5NS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 10 Jan 2001 09:07:53 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA23626; Wed, 10 Jan 2001 09:07:50 -0600 (CST) Date: Wed, 10 Jan 2001 09:07:49 -0600 From: Matt Crawford Subject: Re: ssh with kerberos capabiity In-reply-to: "10 Jan 2001 13:20:02 +0100." <3A5C5372.74BFBDFB@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov, birsa@ts.infn.it Message-id: <200101101507.JAA23626@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 796 > ... 
> So I presume the problem is that the /etc/krb5.conf file on > fcdfsun1 (the only CDF node I found wuth kerberos-capable ssh) > lack the [realm_domain] assignement: .ts.infn.it = PILOT.FNAL.GOV > > Is this assumption correct ? If you were trying this on Jan 9 around 16:40 - 16:51 or Jan 10 05:14 - 06:00 then yes, that was exactly the problem. principal belforte on fcdfsun1 was trying to do cross-realm authentication to non-existent realms TS.INFN.IT, INFN.IT, IT. > Also I found not trivial to come with the proper /etc/sshd_config > file. Do you imagine distributing a template ? I'll suggest that to the ssh product maintainer. > By the way I twicked the /etc/sshd_config file so that when > kerberos authentication fails local encripted passwords are still > accepted, so not to pre-empt the install-keep-shh that was done on > this node. If you have reasons to think that this is improper or > better done in different ways, please let me know. In particular I > set > KerberosOrLocalPasswd yes > PasswordAuthentication yes For an off-site machine this is permissible. 
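The [domain_realm] mapping discussed above, as an added example that is not code from the thread or from the krb5conf product: a parser for the relevant krb5.conf sections and a simplified model of how the client picks a realm for a server host, including the uppercased-domain guesses (TS.INFN.IT, INFN.IT, IT) that Matt saw principal belforte trying. The krb5.conf text, the placeholder KDC name and the set of existing realms are constructed for the example.

```python
"""Realm selection for a server host, driven by krb5.conf [domain_realm].

Added example, not code from the thread or from the krb5conf product.
The config text and the set of reachable realms are constructed.  The
lookup is a simplified model of the MIT client: a host that matches no
[domain_realm] entry makes the client guess realms from its domain name,
and each guess is a cross-realm attempt that fails when that realm does
not exist.
"""
import re

# Constructed: the relevant parts of an FNAL-style krb5.conf WITHOUT the
# mapping Stefano's fcdfsun1 was missing.  The kdc name is a placeholder.
KRB5_CONF_MISSING_MAPPING = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
    forwardable = true

[realms]
    PILOT.FNAL.GOV = {
        kdc = kdc.example.invalid   # placeholder, not the real KDC
    }

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
    fnal.gov = PILOT.FNAL.GOV
"""

# The same file with the two off-site domains mapped to the pilot realm.
KRB5_CONF_FIXED = KRB5_CONF_MISSING_MAPPING + """\
    .ts.infn.it = PILOT.FNAL.GOV
    .pi.infn.it = PILOT.FNAL.GOV
"""

# Constructed: realms for which a KDC (or a cross-realm key) actually exists.
KNOWN_REALMS = {"PILOT.FNAL.GOV"}

_SECTION_RE = re.compile(r"^\[(\w+)\]$")
_KV_RE = re.compile(r"^([^=\s]+)\s*=\s*(\S+)$")


def parse_krb5_conf(text):
    """Return {section: {key: value}} for plain `key = value` lines.

    Nested `{ ... }` stanzas (the per-realm blocks under [realms]) are
    skipped; only [libdefaults] and [domain_realm] matter here.  Keys are
    lower-cased because domain matching is case-insensitive.
    """
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m and depth == 0:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        depth += line.count("{") - line.count("}")
        if depth > 0 or "}" in line:
            continue                              # inside a nested stanza
        m = _KV_RE.match(line)
        if m and section is not None:
            conf[section][m.group(1).lower()] = m.group(2)
    return conf


def realm_candidates(hostname, conf):
    """Realms the client will try for `hostname`, in order.

    1. An exact host entry in [domain_realm].
    2. The most specific parent-domain entry (".ts.infn.it" style keys).
    3. No entry at all: guesses from the domain name, uppercased, walking
       up one label at a time (TS.INFN.IT, INFN.IT, IT for stsa11.ts.infn.it).
    """
    host = hostname.lower().rstrip(".")
    mapping = conf.get("domain_realm", {})
    if host in mapping:
        return [mapping[host]]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return [mapping[parent]]
    return [".".join(labels[i:]).upper() for i in range(1, len(labels))]


def service_ticket_request(hostname, conf, known_realms=KNOWN_REALMS):
    """Return (principal, tried): the host principal the client can ask
    for, or None when every candidate realm is unknown, which is what
    Stefano's ssh client printed as "Server not found in Kerberos database"."""
    tried = []
    for realm in realm_candidates(hostname, conf):
        tried.append(realm)
        if realm in known_realms:
            return "host/%s@%s" % (hostname.lower(), realm), tried
    return None, tried


def complete_principal(name, conf):
    """Qualify a bare client principal with default_realm, as kinit does for
    `kinit belforte`; without a default_realm no realm can be named at all."""
    if "@" in name:
        return name
    realm = conf.get("libdefaults", {}).get("default_realm")
    if realm is None:
        raise ValueError("no default_realm in [libdefaults]")
    return "%s@%s" % (name, realm)


if __name__ == "__main__":
    for label, text in (("missing", KRB5_CONF_MISSING_MAPPING),
                        ("fixed", KRB5_CONF_FIXED)):
        print(label, service_ticket_request("stsa11.ts.infn.it",
                                            parse_krb5_conf(text)))
```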
From kreymer@fnal.gov Wed Jan 10 09:59:23 2001 -0600
Date: Wed, 10 Jan 2001 09:58:38 -0600
From: Matt Crawford
Subject: Re: ssh with kerberos capability
In-reply-to: "10 Jan 2001 07:12:16 CST."
To: gcooper@fnal.gov
Cc: Stefano Belforte, kerberos-pilot@fnal.gov, birsa@ts.infn.it
Message-id: <200101101558.JAA23941@gungnir.fnal.gov>

I have updated the krb5conf product to v1_1 which includes ts.infn.it and
pi.infn.it in the [domain_realms] section. Bear in mind the changes from
v0_6a to v1_0 which now do not make ticket forwarding automatic.

And this was a rush job for CDF's convenience so installation of krb5conf
v1_1 will still clobber any local changes to krb5.conf, just as all previous
versions did.

From kreymer@fnal.gov Wed Jan 10 14:37:31 2001 -0600
Date: Wed, 10 Jan 2001 12:37:09 -0800 (PST)
From: Matthew Worcester
Subject: Re: run2 install
To: Art Kreymer

Thanks!

Matt

On Wed, 10 Jan 2001, Art Kreymer wrote:

> Your kerberized ftp image is producing output when it should not,
> which causes init_cdf's ftp test to fail.
>
> Just comment out that test for ftp connectivity in init_cdf.
>
>   # ftpout=`printf "user ftp products \n quit" | ftp -n ${UPD_HOST}`
>   ftpout=""
>
> On Wed, 10 Jan 2001, Matthew Worcester wrote:
>
> > Date: Wed, 10 Jan 2001 11:46:34 -0800 (PST)
> > From: Matthew Worcester
> > To: cdf_code_management@fnal.gov
> > Subject: run2 install
> >
> > I have the problem:
> >
> > OK - can create files in /home/cdfsoft
> > OK - others can read this directory
> > OK - checking SSH presence
> > SSH Version 1.2.22 [i686-unknown-linux], protocol version 1.5.
> > Standard version. Does not use RSAREF.
> > OK - have ssh
> > OK - checking source of distribution
> > KERBEROS_V4 rejected as an authentication type
> >
> > OOPS - ftp output = Please login with USER and PASS.
> > Please login with USER and PASS.
> >
> > OOPS - we cannot access ftp at cdfkits.fnal.gov ,
> > and cannot find CDROM files at /mnt/cdrom
> >
> > Send email to cdf_code_management@fnal.gov
> >
> > Can you please advise?
> >
> > Regards,
> > Matt
> >
> >

From kreymer@fnal.gov Wed Jan 17 02:12:47 2001 -0600
Date: Wed, 17 Jan 2001 08:12:43 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: Probably a simple answer to this one.
To: kerberos-pilot@fnal.gov

Hello,

It now seems that our machine, oxpc01 in the CDF trailers, though running
kerberos, cannot talk to fcdfsgi2...another kerberized machine. Below is a
session that I just tried:

[huffman@oxpc01 ~]$ kinit niimi@PILOT.FNAL.GOV
Password for niimi@PILOT.FNAL.GOV:
[huffman@oxpc01 ~]$ telnet fcdfsgi2
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov (131.225.240.129).
Escape character is '^]'.

                            NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab
local network system) that is the property of the United States Government.
It is for authorized use only. Users (authorized or unauthorized) have no
explicit or implicit expectation of privacy. Any or all uses of this system
and all files on this system may be intercepted, monitored, recorded, copied,
audited, inspected, and disclosed to authorized site, Department of Energy
and law enforcement personnel, as well as authorized officials of other
agencies, both domestic and foreign. By using this system, the user consents
to such interception, monitoring, recording, copying, auditing, inspection,
and disclosure at the discretion of authorized site or Department of Energy
personnel. Unauthorized or improper use of this system may result in
administrative disciplinary action and civil and criminal penalties.

By continuing to use this system you indicate your awareness of and consent
to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree
to the conditions stated in this warning.

Fermilab policy and rules for computing, including appropriate use, may be
found at http://www.fnal.gov/cd/main/cpolicy.html

[ Kerberos V5 accepts you as ``niimi@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login: Connection closed by foreign host.
[huffman@oxpc01 ~]$

Here is a 'klist'

Valid starting      Expires             Service principal
01/17/01 01:37:00   01/18/01 03:37:00   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
01/17/01 01:37:16   01/18/01 03:37:00   host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV

It would seem that I ended up with a ticket granting ticket and a valid
ticket for fcdfsgi2...so why can't I get on? (I'm connected to oxpc01 via an
ssh session from another machine in Oxford.)

Could this be related to the fact that my username on oxpc01 is 'huffman'
while my username on fcdfsgi2 is 'niimi' again?

Cheers,
Todd

*************************************************
~ Dr. B. Todd Huffman                           ~
~ Particle and Nuclear Physics                  ~
~ University of Oxford                          ~
~ Rm 631                                        ~
~ Keble Rd                                      ~
~ Oxford OX1 3RH UK                             ~
~                                               ~
~ Phone: 44 - 1865 - 273402                     ~
~ LMH:   44 - 1865 - 274307                     ~
~ FAX:   44 - 1865 - 273418                     ~
~ Home:  44 - 1865 - 450240                     ~
~ URL of my home page:                          ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/     ~
*************************************************

From kreymer@fnal.gov Wed Jan 17 08:13:32 2001 -0600
Date: Wed, 17 Jan 2001 08:24:44 -0600
From: Jim Fitzmaurice
Subject: I think I know this one I just want to confirm it.
To: kerberos - pilot
Message-id: <007801c08091$3cbe6da0$03e7e183@fnal.gov>

Hello,

I think I already know the answer to this, but I just want to confirm it.

I have 3 Tru64 systems, each system has 4 NIC cards, each card has its own
name and IP address; furthermore, before I kerberize them, I will be
clustering them into a TruCluster, which will also have its own name and IP
address. If I understand what I have read, I will have to get host/ftp
passwords for each of the 4 NICs on all three systems AND for the TruCluster
as well. Then I will have to run "ups install-hostkeys kerberos [vN_M]" for
each of the NICs on each of the systems, to enable their principals. Then
I'll need to run "ups install-hostkeys kerberos [vN_M]" for the TruCluster
name as well. What I want to confirm is: do I have to log into those 3
systems using each of those NIC names, or the TruCluster name, before running
the "ups install-hostkeys kerberos [vN_M]" command? I'm thinking yes, but I'd
like to confirm that.

Jim Fitzmaurice
jpfitz@fnal.gov

UNIX is very user friendly, it's just very particular about who it makes
friends with.
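Todd's telnet session above (Kerberos accepted the forwarded credentials for niimi@PILOT.FNAL.GOV, then "Login incorrect" for the account huffman) is the authorization step failing after authentication succeeded, which is where his own guess about the two usernames points. An added example, not code from the thread, modelling that step: the default name-and-realm rule, the ~/.k5login override, and a parser for the klist output he posted; the .k5login contents are constructed.

```python
"""Authentication versus authorization in a kerberized telnet login.

Added example, not code from the thread.  It models the default MIT krb5
rule for mapping an authenticated principal onto a local account plus the
~/.k5login override, and parses klist output of the form Todd posted.
The account and principal names come from his session; the .k5login
contents used in the checks are constructed.
"""
import re

DEFAULT_REALM = "PILOT.FNAL.GOV"

# Constructed from the klist output in Todd's message.
KLIST_OUTPUT = """\
Valid starting      Expires             Service principal
01/17/01 01:37:00   01/18/01 03:37:00   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
01/17/01 01:37:16   01/18/01 03:37:00   host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV
"""

_TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")


def tickets_from_klist(output):
    """Return {service principal: (valid_from, expires)} from klist text.
    The header line does not match the regex and is skipped."""
    tickets = {}
    for line in output.splitlines():
        m = _TICKET_RE.match(line.strip())
        if m:
            tickets[m.group(3)] = (m.group(1), m.group(2))
    return tickets


def principal_allowed(principal, local_user, k5login=None,
                      default_realm=DEFAULT_REALM):
    """Authorization rule applied after the ticket has been verified.

    With no ~/.k5login for `local_user`, the principal's name part must
    equal the account name and its realm must be the host's default realm.
    When ~/.k5login exists, only the principals listed in it (one per
    line) may log in as that account; the name-matching rule no longer
    applies.
    """
    if k5login is not None:
        listed = {line.strip() for line in k5login.splitlines() if line.strip()}
        return principal in listed
    name, _, realm = principal.partition("@")
    return name == local_user and realm == default_realm


def login_outcome(requested_user, principal, k5login_files,
                  default_realm=DEFAULT_REALM):
    """Simulate telnetd's decision once Kerberos has accepted `principal`.

    requested_user: the account name the client sent (telnet defaults to
        the client-side login name, so from oxpc01 that was 'huffman').
    k5login_files: {account: text of ~account/.k5login, or None if absent}.
    Returns (accepted, message).
    """
    k5login = k5login_files.get(requested_user)
    if principal_allowed(principal, requested_user, k5login, default_realm):
        return True, "%s may log in as %s" % (principal, requested_user)
    name, _, realm = principal.partition("@")
    if realm != default_realm:
        why = "realm %s is not this host's realm" % realm
    elif k5login is not None:
        why = "~%s/.k5login does not list %s" % (requested_user, principal)
    else:
        why = "principal %s does not match account %s and ~%s/.k5login is absent" % (
            name, requested_user, requested_user)
    return False, "Login incorrect (%s)" % why


def diagnose_todd_session():
    """Todd's case: valid TGT and host ticket (authentication fine), but
    the account the client asked for does not match the principal."""
    tickets = tickets_from_klist(KLIST_OUTPUT)
    authenticated = "host/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV" in tickets
    accepted, message = login_outcome("huffman", "niimi@PILOT.FNAL.GOV",
                                      {"huffman": None, "niimi": None})
    return authenticated, accepted, message


if __name__ == "__main__":
    print(diagnose_todd_session())
```

Either logging in as the account that matches the principal, or listing niimi@PILOT.FNAL.GOV in ~huffman/.k5login on the target, turns the last check into an acceptance.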
From kreymer@fnal.gov Wed Jan 17 09:44:10 2001 -0600
Date: Wed, 17 Jan 2001 09:44:08 -0600 (CST)
From: "David J. Fagan"
Subject: Re: I think I know this one I just want to confirm it.
To: Jim Fitzmaurice
Cc: kerberos - pilot
Message-id: <200101171544.JAA13233@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
In-hurl-to: (Your message of Wed, 17 Jan 2001 08:24:44 CST.) <007801c08091$3cbe6da0$03e7e183@fnal.gov>

Are you really going to have processes going "in" to all 4 of them?

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Wednesday, Jim Fitzmaurice:
> Hello,
>
> I think I already know the answer to this, but I just want to confirm
> it.
>
> I have 3 Tru64 systems, each system has 4 NIC cards, each card has its
> own name and IP address; furthermore, before I kerberize them, I will be
> clustering them into a TruCluster, which will also have its own name and IP
> address. If I understand what I have read, I will have to get host/ftp
> passwords for each of the 4 NICs on all three systems AND for the
> TruCluster as well. Then I will have to run "ups install-hostkeys kerberos
> [vN_M]" for each of the NICs on each of the systems, to enable their
> principals. Then I'll need to run "ups install-hostkeys kerberos [vN_M]" for
> the TruCluster name as well. What I want to confirm is: do I have to log into
> those 3 systems using each of those NIC names, or the TruCluster name, before
> running the "ups install-hostkeys kerberos [vN_M]" command? I'm thinking
> yes, but I'd like to confirm that.
>
> Jim Fitzmaurice
> jpfitz@fnal.gov
>
> UNIX is very user friendly, it's just very particular about who it makes
> friends with.
From kreymer@fnal.gov Wed Jan 17 10:20:55 2001 -0600
Date: Wed, 17 Jan 2001 10:32:39 -0600
From: Jim Fitzmaurice
Subject: Re: I think I know this one I just want to confirm it.
To: "David J. Fagan"
Cc: kerberos - pilot
Message-id: <011501c080a3$1bd25e50$03e7e183@fnal.gov>
References: <200101171544.JAA13233@large.fnal.gov>

Dave,

You're right, only two of them will be for users; the other two GB adapters
will be primarily for collecting and sending off data. Anybody logging in
through one of those connections should be afforded the extra step of typing
in "kinit" to get tickets. (It should only be done in an emergency, where the
other two 100Mb connections are down.)

Jim Fitzmaurice
jpfitz@fnal.gov

UNIX is very user friendly, it's just very particular about who it makes
friends with.

----- Original Message -----
From: David J. Fagan
To: Jim Fitzmaurice
Cc: kerberos - pilot
Sent: Wednesday, January 17, 2001 9:44 AM
Subject: Re: I think I know this one I just want to confirm it.

Are you really going to have processes going "in" to all 4 of them?

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Wednesday, Jim Fitzmaurice:
> Hello,
>
> I think I already know the answer to this, but I just want to confirm
> it.
>
> I have 3 Tru64 systems, each system has 4 NIC cards, each card has its
> own name and IP address; furthermore, before I kerberize them, I will be
> clustering them into a TruCluster, which will also have its own name and IP
> address. If I understand what I have read, I will have to get host/ftp
> passwords for each of the 4 NICs on all three systems AND for the
> TruCluster as well. Then I will have to run "ups install-hostkeys kerberos
> [vN_M]" for each of the NICs on each of the systems, to enable their
> principals. Then I'll need to run "ups install-hostkeys kerberos [vN_M]" for
> the TruCluster name as well. What I want to confirm is: do I have to log into
> those 3 systems using each of those NIC names, or the TruCluster name, before
> running the "ups install-hostkeys kerberos [vN_M]" command? I'm thinking
> yes, but I'd like to confirm that.
>
> Jim Fitzmaurice
> jpfitz@fnal.gov
>
> UNIX is very user friendly, it's just very particular about who it makes
> friends with.

From kreymer@fnal.gov Fri Jan 19 08:30:12 2001 -0600
Date: Fri, 19 Jan 2001 15:30:03 +0100
From: Stefano Belforte
Subject: emacs-ftp with kerberos
To: kerberos-pilot@fnal.gov
Message-id: <3A684F6B.422E2507@ts.infn.it>

I just remembered someone naming the possibility of using (x)emacs in a mode
where it ~transparently uses ftp to edit remote files. Since I am now working
from Italy on code that needs to be at Fermilab to be run (security issues
about accessing the CDF online cpu's !!) I realised this would be very
convenient and tried it. I discovered, at least on xemacs v21, this to be
immediate: just from stsa11.ts.infn.it I start xemacs and open file
(Ctl-x Ctl-f) /belforte@quark.ts.infn.it:remotefile. It asks the ftp
password and works. Of course I tried to a kerberised host and of course it
failed with the same message as if I used /usr/bin/ftp in place of
/usr/krb5/bin/ftp.

Now the question is: is there any way to make this work with kerberos?
I looked at the xemacs info (the package that does this is called efs,
formerly known as ange-ftp) and there is no clue, but the actual lisp source
code in efs.el (e.g. in xemacs_packages/v21_1a/NULL/lisp/efs/efs.el in the
fermilab kits distribution of xemacs 21_1) has a lot to say about kerberos,
tickets etc., so much that I got lost and gave up understanding. But it
sounds like it *could* understand my ticket...

While not an immediate need, this could indeed be a nice tool once part of
the standard kerberos package.

Stefano
--
Stefano Belforte - I.N.F.N.        tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99    e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy           Web : http://www.ts.infn.it/~belforte

From kreymer@fnal.gov Fri Jan 19 09:46:07 2001 -0600
Date: Fri, 19 Jan 2001 09:45:59 -0600
From: ARSystem
Subject: 000000000016225 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76129B06@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000016225 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description   : Kerberos password not working
Badge # (+)         : 04220N
First Name          : GREGORY
Last Name (+)       : CISKO
Phone               : 3998
E-Mail Address      : CISKO@FNAL.GOV
Incident Time       : 1/19/01 8:43:26 AM
System Name         :
Urgency             : Medium
Public Work Log     :
Problem Description :
Every time I try to log into pilot.fnal.gov using cisko@PILOT.FNAL.GOV I get
a pre-authentication failed (KDC024) error. It was working 2-3 days ago and I
have changed nothing on my end.

Thanks,
Greg

From kreymer@fnal.gov Fri Jan 19 10:21:50 2001 -0600
Date: Fri, 19 Jan 2001 10:21:38 -0600
From: ARSystem
Subject: CRAWFORD, MATT #16225 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76129B0F@csdserver2.fnal.gov>

Thank you for your assistance. Help Desk ticket #000000000016225 has been
resolved on 1/19/01 10:16:33 AM

Resolution Timestamp : 1/19/01 10:10:18 AM
Solution Category    : Information Request
Problem Category     : Software
Type                 : Utilities
Item                 : Kerberos
Short Description    : Kerberos password not working
Solution             :
Check the clock on your desktop machine. If it's off by more than 5 minutes,
your kinit will fail. Per e-mail from the user, this was the problem.
Problem Description  :
Every time I try to log into pilot.fnal.gov using cisko@PILOT.FNAL.GOV I get
a pre-authentication failed (KDC024) error. It was working 2-3 days ago and I
have changed nothing on my end.

Thanks,
Greg

From kreymer@fnal.gov Fri Jan 19 15:56:21 2001 -0600
Date: Fri, 19 Jan 2001 15:56:18 -0600
From: aheavey@fnal.gov
Subject: manual ready for review
To: kerberos-pilot@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200101192156.f0JLuIO01628@fsui02.fnal.gov>

See the website http://www.fnal.gov/docs/strongauth/ for the latest Strong
Authentication at Fermilab documentation. It's close to complete, but still
hasn't had final review. Feel free to send comments/feedback to me (by next
Friday).

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Sun Jan 21 14:34:14 2001 -0600
Date: Sun, 21 Jan 2001 14:34:12 -0600 (CST)
From: Thomas Nunnemann
Subject: Kerberos...
To: linux-users@fnal.gov
Reply-to: nunne@fnal.gov

Hi -

I have troubles getting Kerberos running on my laptop (Toshiba Satellite
100CS with Red-Hat 6.0). Since the recommended way for the installation of
kerberos via ups is not an option for me, I installed the kerberos rpms from
red-hat (6.x version) and use the FNAL krb5.conf configuration file. Kinit
results in the following error message:

" kinit: Client not found in Kerberos database while getting initial credentials "

Anybody experienced similar problems and knows how to fix this?
Many thanks, Thomas From kreymer@fnal.gov Mon Jan 22 01:33:32 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id BAA00404 for ; Mon, 22 Jan 2001 01:33:31 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7J00GN1ZNQGX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 01:33:27 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D238C@listserv.fnal.gov>; Mon, 22 Jan 2001 01:33:26 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 232804 for LINUX-USERS@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 01:33:26 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D238B@listserv.fnal.gov>; Mon, 22 Jan 2001 01:33:26 -0600 Received: from clued0.fnal.gov ([131.225.221.103]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7J00GMFZNPCE@smtp.fnal.gov> for linux-users@listserv.fnal.gov (ORCPT linux-users@fnal.gov); Mon, 22 Jan 2001 01:33:25 -0600 (CST) Date: Mon, 22 Jan 2001 01:33:25 -0600 (CST) From: Roger Moore Subject: Re: Kerberos... In-reply-to: Sender: owner-linux-users@listserv.fnal.gov To: Thomas Nunnemann Cc: linux-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 808 On Sun, 21 Jan 2001, Thomas Nunnemann wrote: > kinit: Client not found in Kerberos database while getting initial > credentials This means you are requesting a ticket which does not exist. My best guess as to why would be that your machine doesn't know which realm it is in. Try the following: kinit @PILOT.FNAL.GOV It would also be worth checking which version of krb5 you are running. 
The RH6.x version is, I believe, 1.0.x, which won't support the full syntax of the krb5.conf file. While I doubt this is what causes the problem, it might be worth checking. I also believe there are security problems with krb5 versions less than 1.2.1. I have the RedHat 7.0 Krb5 RPMS which I've recompiled for RH 6.1; if you are interested they are at: ftp://clued0.fnal.gov/pub/krb5/... along with RPMS for kerberized ssh using those libraries. Roger From kreymer@fnal.gov Mon Jan 22 08:05:40 2001 -0600 Return-Path: Received: from heffalump ([131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA32470 for ; Mon, 22 Jan 2001 08:03:09 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K00053BVG2B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 05:57:17 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D24D8@listserv.fnal.gov>; Mon, 22 Jan 2001 05:57:17 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 233161 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 05:57:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D24D7@listserv.fnal.gov>; Mon, 22 Jan 2001 05:57:17 -0600 Received: from janus.physics.ox.ac.uk ([163.1.244.140]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K00LAGBVCVM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 22 Jan 2001 05:57:16 -0600 (CST) Received: from amavis by janus.physics.ox.ac.uk with scanned-ok (Exim 3.16 #6) id 14Kfax-0000qq-00 for kerberos-pilot@fnal.gov; Mon, 22 Jan 2001 11:57:11 +0000 Received: from al1.physics.ox.ac.uk ([163.1.244.73]) by janus.physics.ox.ac.uk with smtp (Exim 3.16 #6) id 14Kfaw-0000pT-00 for kerberos-pilot@fnal.gov; Mon, 22 Jan 2001 11:57:10 +0000 Received: 
from huffman (helo=localhost) by al1.physics.ox.ac.uk with local-esmtp (Exim 2.05 #1) id 14Kfav-0007G2-00 for kerberos-pilot@fnal.gov; Mon, 22 Jan 2001 11:57:09 +0000 Date: Mon, 22 Jan 2001 11:57:09 +0000 (GMT) From: "Todd Huffman (CDF/ATLAS)" Subject: Kerberizing a Windows PC or laptop Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-AVtransport: scanmails_remote X-AVwrapper: AMaViS (http://www.amavis.org/) X-AVscanner: Sophos sweep (http://www.sophos.com/) Status: RO X-Status: X-Keywords: X-UID: 809 Hello, I'm looking to kerberize my laptop, I've found a site for Kerberos 5.2 for Free at MIT, I was wondering if anyone had any experience with running this on their machines and had a sample krb5.ini file? Cheers, Todd ************************************************* ~ Dr. B. Todd Huffman ~ ~ Particle and Nuclear Physics ~ ~ University of Oxford ~ ~ Rm 631 ~ ~ Keble Rd ~ ~ Oxford OX1 3RH UK ~ ~ ~ ~ Phone: 44 - 1865 - 273402 ~ ~ LMH: 44 - 1865 - 274307 ~ ~ FAX: 44 - 1865 - 273418 ~ ~ Home: 44 - 1865 - 450240 ~ ~ URL of my home page: ~ ~ http://www-pnp.physics.ox.ac.uk/~huffman/ ************************************************* From kreymer@fnal.gov Mon Jan 22 10:35:01 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17466 for ; Mon, 22 Jan 2001 10:35:01 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K0090EOQB9E@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 10:34:59 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D28E2@listserv.fnal.gov>; Mon, 22 Jan 2001 10:34:59 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 234380 for 
KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 10:34:59 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D28E1@listserv.fnal.gov>; Mon, 22 Jan 2001 10:34:59 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K0090DOQBA7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 22 Jan 2001 10:34:59 -0600 (CST) Date: Mon, 22 Jan 2001 10:34:58 -0600 (CST) From: Dane Skow Subject: Re: Kerberizing a Windows PC or laptop In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 810 On Mon, 22 Jan 2001, Todd Huffman (CDF/ATLAS) wrote: > Hello, > > I'm looking to kerberize my laptop, I've found a site for Kerberos 5.2 > for Free at MIT, I was wondering if anyone had any experience with running > this on their machines and had a sample krb5.ini file? More power to you on making that work. There've been several local attempts at free clients (including the MIT one) that have failed. As I recall the MIT suite didn't have much in the way of applications (eg. telnet, ftp, etc.). We'd LOVE to hear of it if someone finds a good functional open source product. dane > > Cheers, > Todd > > ************************************************* > ~ Dr. B. 
Todd Huffman ~ > ~ Particle and Nuclear Physics ~ > ~ University of Oxford ~ > ~ Rm 631 ~ > ~ Keble Rd ~ > ~ Oxford OX1 3RH UK ~ > ~ ~ > ~ Phone: 44 - 1865 - 273402 ~ > ~ LMH: 44 - 1865 - 274307 ~ > ~ FAX: 44 - 1865 - 273418 ~ > ~ Home: 44 - 1865 - 450240 ~ > ~ URL of my home page: ~ > ~ http://www-pnp.physics.ox.ac.uk/~huffman/ > ************************************************* > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Jan 22 10:51:50 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA20261 for ; Mon, 22 Jan 2001 10:51:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K0095KPIC9T@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 10:51:49 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2925@listserv.fnal.gov>; Mon, 22 Jan 2001 10:51:49 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 234456 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 10:51:48 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2924@listserv.fnal.gov>; Mon, 22 Jan 2001 10:51:48 -0600 Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K0094RPIC9U@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 22 Jan 2001 10:51:48 -0600 (CST) Received: from [128.97.22.48] (benn.physics.ucla.edu [128.97.22.48]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id IAA00158 for ; Mon, 22 Jan 2001 08:51:13 -0800 (PST) Date: Mon, 22 Jan 2001 08:51:45 -0800 From: Benn Tannenbaum Subject: Re: Kerberizing a Windows PC or laptop In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov 
To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 811 I'd like to remind people that this is true for Windows laptops-- I successfully Kerberized my Mac laptop some months back and it has been trouble free. on 22/1/01 8:34 AM, Dane Skow spake thusly: >> Hello, >> >> I'm looking to kerberize my laptop, I've found a site for Kerberos 5.2 >> for Free at MIT, I was wondering if anyone had any experience with running >> this on their machines and had a sample krb5.ini file? > > More power to you on making that work. There've been several local > attempts at free clients (including the MIT one) that have failed. > As I recall the MIT suite didn't have much in the way of applications > (eg. telnet, ftp, etc.). We'd LOVE to hear of it if someone finds > a good functional open source product. > > dane -Benn From kreymer@fnal.gov Mon Jan 22 11:49:21 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA25289 for ; Mon, 22 Jan 2001 11:49:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K009HLS5IAB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 11:48:54 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2A15@listserv.fnal.gov>; Mon, 22 Jan 2001 11:48:54 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 234713 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 11:48:54 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2A14@listserv.fnal.gov>; Mon, 22 Jan 2001 11:48:54 -0600 Received: from CUERVO 
([131.225.82.170]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G7K009J4S5H9O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 22 Jan 2001 11:48:53 -0600 (CST) Date: Mon, 22 Jan 2001 11:48:53 -0600 From: "Mark O. Kaletka" Subject: RE: Kerberizing a Windows PC or laptop In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 812 When I last looked at the MIT software for Windows (and I believe Dave Fagan more recently at D0), they gave you ticket management software but NO client software (i.e. telnet or anything). Has this changed at all? If so I think we'd all be very interested. There is a way to get the MIT ticket manager software to work with Hummingbird's telnet client (and only telnet) but (again last time I looked) it was VERY ugly, both in getting it going (you need to get a patch from Hummingbird first) as well as how you use it. Reflection at least does telnet AND ftp but has its own set of limitations (plus costs money). -- Mark K. > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Todd Huffman > (CDF/ATLAS) > Sent: Monday, January 22, 2001 5:57 AM > To: kerberos-pilot@fnal.gov > Subject: Kerberizing a Windows PC or laptop > > > Hello, > > I'm looking to kerberize my laptop, I've found a site for Kerberos 5.2 > for Free at MIT, I was wondering if anyone had any experience with running > this on their machines and had a sample krb5.ini file? > > Cheers, > Todd > > ************************************************* > ~ Dr. B. 
Todd Huffman ~ > ~ Particle and Nuclear Physics ~ > ~ University of Oxford ~ > ~ Rm 631 ~ > ~ Keble Rd ~ > ~ Oxford OX1 3RH UK ~ > ~ ~ > ~ Phone: 44 - 1865 - 273402 ~ > ~ LMH: 44 - 1865 - 274307 ~ > ~ FAX: 44 - 1865 - 273418 ~ > ~ Home: 44 - 1865 - 450240 ~ > ~ URL of my home page: ~ > ~ http://www-pnp.physics.ox.ac.uk/~huffman/ > ************************************************* > > From kreymer@fnal.gov Mon Jan 22 14:01:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA28366 for ; Mon, 22 Jan 2001 14:01:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K00FL8YAQN3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 22 Jan 2001 14:01:38 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2D09@listserv.fnal.gov>; Mon, 22 Jan 2001 14:01:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 235499 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 22 Jan 2001 14:01:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D2D08@listserv.fnal.gov>; Mon, 22 Jan 2001 14:01:38 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7K00FGZYAPWT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 22 Jan 2001 14:01:38 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA04254; Mon, 22 Jan 2001 14:01:35 -0600 (CST) Date: Mon, 22 Jan 2001 14:01:35 -0600 From: Matt Crawford Subject: Re: Probably a simple answer to this one. In-reply-to: "17 Jan 2001 08:12:43 GMT." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: kerberos-pilot@fnal.gov Message-id: <200101222001.OAA04254@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 813 I was on vacation. Did you get a solution in the meantime? (No need to answer, I'll wade through my email eventually.) > Below is a session that I just tried: > > [huffman@oxpc01 ~]$ kinit niimi@PILOT.FNAL.GOV > Password for niimi@PILOT.FNAL.GOV: > [huffman@oxpc01 ~]$ telnet fcdfsgi2 ^ -l niimi From kreymer@fnal.gov Tue Jan 23 13:49:35 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA30325 for ; Tue, 23 Jan 2001 13:49:35 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00B37SEM3X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 23 Jan 2001 13:49:35 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3C85@listserv.fnal.gov>; Tue, 23 Jan 2001 13:49:35 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 239867 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 Jan 2001 13:49:35 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3C84@listserv.fnal.gov>; Tue, 23 Jan 2001 13:49:35 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00A54SEMLO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 23 Jan 2001 13:49:34 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA10767; Tue, 23 Jan 2001 13:49:32 -0600 (CST) Date: Tue, 23 Jan 2001 13:49:32 -0600 From: Matt Crawford Subject: Re: emacs-ftp with kerberos In-reply-to: "19 Jan 2001 15:30:03 +0100." 
<3A684F6B.422E2507@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov Message-id: <200101231949.NAA10767@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 814 > I just remembered someone naming the possibility of > using (x)emacs in a mode where it ~transparently uses > ftp to edit remote files. Right. That emacs package used to be called "ange-ftp" and is now called "efs". Oops, you found that out already. > just from stsa11.ts.infn.it I start xemacs and open file > (Ctl-x Ctl-f) /belforte@quark.ts.infn.it:remotefile. > It asks the ftp password and works. ... > > Now the question is: is there any way to make this work with > kerberos ? Yes. Skip to the end for the answer, or read all the way through to find out why it didn't work until lately. > I looked at the xemacs info (the package that does this > is called efs, formerly known as ange-ftp) and there is > no clue, but the actual lisp source code in efs.el > (e.g. in xemacs_packages/v21_1a/NULL/lisp/efs/efs.el > in the fermilab kits distribution of xemacs 21_1) has > a lot to say about kerberos, tickets etc., so much > that I got lost and gave up understanding. But it sounds > like it *could* understand my ticket... The stuff it has in there about getting a Kerberos ticket is fairly bogus in any plausible environment. The reason this didn't automatically work between a Kerberized client and server is that the package invokes the ftp client with the "-n" flag to suppress the automatic sending of the username, then sends the username itself. In a Kerberos client before FNAL v1_0 or MIT version 1.1, the "-n" flag also suppressed the GSSAPI authentication step. Now there's a separate flag (-u) for that suppression. > While not an immediate need, this could indeed be a nice > tool once part of the standard kerberos package. 
It should work for you now if either of these cases holds: You use cryptocard authentication on the client side and have FNAL Kerberos v1_0 or newer on the server side, or You use Kerberos authentication and have FNAL v1_0 or newer on the client side. From kreymer@fnal.gov Tue Jan 23 14:20:05 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30346 for ; Tue, 23 Jan 2001 14:20:04 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00B6YTTGME@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 23 Jan 2001 14:20:04 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3CED@listserv.fnal.gov>; Tue, 23 Jan 2001 14:20:04 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 239981 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 Jan 2001 14:20:04 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3CEC@listserv.fnal.gov>; Tue, 23 Jan 2001 14:20:04 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00BA2TTF0I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 23 Jan 2001 14:20:03 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA10887; Tue, 23 Jan 2001 14:20:03 -0600 (CST) Date: Tue, 23 Jan 2001 14:20:03 -0600 From: Matt Crawford Subject: Re: 000000000016225 Assigned to CRAWFORD, MATT. In-reply-to: "19 Jan 2001 09:45:59 CST." 
<318CC3D38BE0D211BB1200105A093F76129B06@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: kerberos-pilot@fnal.gov Message-id: <200101232020.OAA10887@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 815 Could we at least have the hostname or IP address of the machine he was using, and the time of occurrence? (Sheesh, ya get a reputation as a psychic debugger and everyone assumes yer a psychic debugger.) Never mind, just tell him to fix his system clock to be accurate within 5 minutes. "It's the chronostat. It always is." --Drax From kreymer@fnal.gov Tue Jan 23 14:32:15 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30553 for ; Tue, 23 Jan 2001 14:32:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00ABTUDQAM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 23 Jan 2001 14:32:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3D0E@listserv.fnal.gov>; Tue, 23 Jan 2001 14:32:15 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 240015 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 Jan 2001 14:32:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3D0D@listserv.fnal.gov>; Tue, 23 Jan 2001 14:32:14 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00AE3UDQLO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 23 Jan 2001 14:32:14 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 23 Jan 2001 14:32:15 -0600 Content-return: allowed Date: Tue, 23 Jan 2001 14:32:14 -0600 From: ARSystem Subject: CRAWFORD, MATT 
AR ticket 16225 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76129E73@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 816 16225 has been updated by trb. Short Description : Kerberos password not working New Work Log Entry : From: "Matt Crawford" To: "ARSystem" Cc: Subject: Re: 000000000016225 Assigned to CRAWFORD, MATT. Date: Tuesday, January 23, 2001 2:20 PM Could we at least have the hostname or IP address of the machine he was using, and the time of occurrence? (Sheesh, ya get a reputation as a psychic debugger and everyone assumes yer a psychic debugger.) Never mind, just tell him to fix his system clock to be accurate within 5 minutes. "It's the chronostat. It always is." --Drax From kreymer@fnal.gov Tue Jan 23 14:52:36 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA31546 for ; Tue, 23 Jan 2001 14:52:36 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00AEKVBNFS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 23 Jan 2001 14:52:36 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3D5F@listserv.fnal.gov>; Tue, 23 Jan 2001 14:52:36 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 240101 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 Jan 2001 14:52:36 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3D5E@listserv.fnal.gov>; Tue, 23 Jan 2001 14:52:36 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7M00BDFVBNXS@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 23 Jan 2001 14:52:35 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA06849 for ; Tue, 23 Jan 2001 14:52:35 -0600 Date: Tue, 23 Jan 2001 14:52:34 -0600 (CST) From: Steven Timm Subject: Error message in ups install kerberos Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 817 ups install kerberos gives the following set of error messages. Is this really due to a missing Kerberos configuration file, or is it due rather to some other problem, like a bad password? I have checked the password several times, with no success. Preparing to configure host keys on this node... kadmin: Can't open/find Kerberos configuration file while initializing krb5 library ERROR: could not add principal ftp/fnd012.fnal.gov to keytab file. kadmin: Can't open/find Kerberos configuration file while initializing krb5 library ERROR: could not add principal host/fnd012.fnal.gov to keytab file. Preparing to configure inetd on this node... ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Tue Jan 23 17:09:18 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA32285 for ; Tue, 23 Jan 2001 17:09:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7N00GD11NHRL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 23 Jan 2001 17:09:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3F51@listserv.fnal.gov>; Tue, 23 Jan 2001 17:09:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 240631 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 23 Jan 2001 17:09:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D3F50@listserv.fnal.gov>; Tue, 23 Jan 2001 17:09:18 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7N00GJX1NHW1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 23 Jan 2001 17:09:17 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA07239 for ; Tue, 23 Jan 2001 17:09:16 -0600 Date: Tue, 23 Jan 2001 17:09:16 -0600 (CST) From: Steven Timm Subject: Re: Error message in ups install kerberos In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 818 The error below is due to a bizarre situation in which the subsidiary products, 
krb5conf, kcommon, and kcroninit, were still showing as being in the UPS database but had been deleted from the /fnal/ups/prd directory. I reinstalled the products and the ups install kerberos works fine now. Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Tue, 23 Jan 2001, Steven Timm wrote: > ups install kerberos gives the following set of error messages. > > Is this really due to a missing Kerberos configuration file, or > is it due rather to some other problem, like a bad password? > I have checked the password several times, with no success. > > > Preparing to configure host keys on this node... > kadmin: Can't open/find Kerberos configuration file while initializing krb5 library > ERROR: could not add principal ftp/fnd012.fnal.gov to keytab file. > kadmin: Can't open/find Kerberos configuration file while initializing krb5 library > ERROR: could not add principal host/fnd012.fnal.gov to keytab file. > Preparing to configure inetd on this node... > > > ------------------------------------------------------------------ > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > From kreymer@fnal.gov Wed Jan 24 09:28:10 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA30583 for ; Wed, 24 Jan 2001 09:28:10 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7O00AMRAYW9A@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 24 Jan 2001 09:28:08 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D45AA@listserv.fnal.gov>; Wed, 24 Jan 2001 09:28:08 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 242397 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 24 Jan 2001 09:28:08 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D45A9@listserv.fnal.gov>; Wed, 24 Jan 2001 09:28:08 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7O00AO2AYV9B@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 24 Jan 2001 09:28:07 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA16058; Wed, 24 Jan 2001 09:28:07 -0600 (CST) Date: Wed, 24 Jan 2001 09:28:07 -0600 From: Matt Crawford Subject: Re: Error message in ups install kerberos In-reply-to: "23 Jan 2001 14:52:34 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200101241528.JAA16058@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 819 That has to be a missing /etc/krb5.conf. 
But I don't know how it's possible to reach the install-hostkeys step of "ups install" without going through the install-krb5conf step. Was there an error on that earlier step? From kreymer@fnal.gov Wed Jan 24 11:32:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA13771 for ; Wed, 24 Jan 2001 11:32:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7O00GHAGPCHT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Wed, 24 Jan 2001 11:32:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D47D9@listserv.fnal.gov>; Wed, 24 Jan 2001 11:31:55 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 243029 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Wed, 24 Jan 2001 11:31:55 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D47D7@listserv.fnal.gov>; Wed, 24 Jan 2001 11:31:55 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7O00HG2GP6IG@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Wed, 24 Jan 2001 11:31:54 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA16792 for ; Wed, 24 Jan 2001 11:31:54 -0600 (CST) Date: Wed, 24 Jan 2001 11:31:54 -0600 From: Matt Crawford Subject: Fermi kerberos v1_0 is now "current" Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Message-id: <200101241731.LAA16792@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 820 Kerberos v1_0 has been tagged "current" on fnkits after a few weeks of use on a variety of systems with no problems reported. 
Important new features include portal-mode (cryptocard) ftp, and an ftp client that's more compatible with remote editing under emacs.

From kreymer@fnal.gov Thu Jan 25 15:06:22 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA01703 for ; Thu, 25 Jan 2001 15:06:22 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Q00FHWLALC2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 25 Jan 2001 15:06:21 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D58DE@listserv.fnal.gov>; Thu, 25 Jan 2001 15:06:21 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 247909 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 25 Jan 2001 15:06:21 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D58DD@listserv.fnal.gov>; Thu, 25 Jan 2001 15:06:21 -0600
Received: from fnal.gov ([131.225.84.114]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Q00FJOLAKNS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 25 Jan 2001 15:06:20 -0600 (CST)
Date: Thu, 25 Jan 2001 15:06:20 -0600
From: Margaret Votava
Subject: kcroninit
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A70954C.5AA6495@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 821

Hi,

How do I go about running a kerberized cron job on fcdfsgi2 or d0mino? I assume that I need to telnet to that machine and then kcroninit, but the first question it asks is if I'm on a secure channel. I'm not, since the data is not being encrypted. Won't this expose my kerberos password to the net?

Thanks,
Margaret

--
Margaret Votava                                  votava@fnal.gov
Computing Division/Online and Database Systems   630-840-2625 (office)
Fermi National Accelerator Laboratory            630-840-6345 (fax)
http://www.fnal.gov

From kreymer@fnal.gov Thu Jan 25 15:47:12 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA01736 for ; Thu, 25 Jan 2001 15:47:12 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Q00FWNN6NG1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 25 Jan 2001 15:47:11 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D5961@listserv.fnal.gov>; Thu, 25 Jan 2001 15:47:11 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 248051 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 25 Jan 2001 15:47:11 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D5960@listserv.fnal.gov>; Thu, 25 Jan 2001 15:47:11 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Q00FQWN6MUM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 25 Jan 2001 15:47:10 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA25186; Thu, 25 Jan 2001 15:47:10 -0600 (CST)
Date: Thu, 25 Jan 2001 15:47:10 -0600
From: Matt Crawford
Subject: Re: kcroninit
In-reply-to: "25 Jan 2001 15:06:20 CST." <3A70954C.5AA6495@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id: <200101252147.PAA25186@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 822

> How do I go about running a kerberized cron job on fcdfsgi2 or
> d0mino? I assume that I need to telnet to that machine and
> then kcroninit, but the first question it asks is if I'm on
> a secure channel. I'm not, since the data is not being encrypted.
> Won't this expose my kerberos password to the net?

Excellent observation. If you "telnet -x ..." or "rlogin -x ..." to the remote system (fcdfsgi2, d0mino, etc), *or* if your /etc/krb5.conf specifies "encrypt = true" for the telnet/rlogin/whatever application, then you are on a secure channel.

Watch for the flag line from rlogin:

    This rlogin session is using DES encryption for all data transmissions.

or in telnet, use the escape character ^] and check status:

    ^]
    telnet> status
    Connected to d0mino.fnal.gov (131.225.224.45).
    Operating in single character mode
    Catching signals locally
    Remote character echo
    Local flow control
    Currently encrypting output with DES_CFB64     <--**---
    Currently decrypting input with DES_CFB64      <--**---
    Escape character is '^]'.

The krb5conf product, all revisions, sets encrypt = true by default for rlogin, telnet and rsh, but not for rcp.
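Matt's answer above comes down to one setting per application in the [appdefaults] section of /etc/krb5.conf, and the catch at the end (rsh covered, rcp not) is exactly the kind of gap that is easy to miss by eye. The following is an added example, not code from the thread or from the Fermilab krb5conf product: a small Python parser for krb5.conf's [appdefaults] section that reports which Kerberized r-commands will start encrypted without the user remembering to type -x. The sample configuration is constructed to match the behaviour Matt describes (encrypt = true for telnet, rlogin and rsh, nothing for rcp); the realm name, the clockskew value and the forward settings in it are assumptions, not the real Fermilab file.

```python
"""Report which Kerberized r-commands will encrypt by default, from krb5.conf [appdefaults].

Added example, not part of the original thread or the Fermilab krb5conf product.
It parses the MIT krb5.conf profile syntax far enough to read per-application
blocks and answers Margaret's question: will my session be encrypted without -x?
"""
import re

# Constructed sample modelled on the thread: telnet, rlogin and rsh get
# encrypt = true, rcp does not. Realm name and other values are assumptions.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
    clockskew = 300

[appdefaults]
    telnet = {
        encrypt = true
        forward = true
    }
    rlogin = {
        encrypt = true
    }
    rsh = {
        encrypt = true
    }
    rcp = {
        forward = true
    }
"""

# Spellings MIT's profile library accepts for boolean true.
TRUE_WORDS = {"y", "yes", "true", "t", "1", "on"}

_SECTION = re.compile(r"^\[(\w+)\]$")
_ASSIGN = re.compile(r"^(\S+)\s*=\s*(.*)$")


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value | nested dict}}.

    Handles arbitrarily nested `name = { ... }` blocks (appdefaults uses one
    level per application, two when options are scoped to a realm).
    Raises ValueError on unbalanced braces or a line it cannot read.
    """
    sections = {}
    stack = []  # innermost open block last; stack[0] is the current section

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"line {lineno}: setting outside any [section]")
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unbalanced '}}'")
            stack.pop()
            continue
        m = _ASSIGN.match(line)
        if not m:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value

    if len(stack) > 1:
        raise ValueError("unclosed '{' at end of file")
    return sections


def encryption_status(conf, apps=("telnet", "rlogin", "rsh", "rcp")):
    """Return {app: True/False}: will this client encrypt without -x?

    Lookup order follows krb5_appdefault_boolean(): the application's own
    block first, then a bare setting directly under [appdefaults]. Realm-scoped
    sub-blocks are not resolved here. No setting at all means cleartext.
    """
    appdefaults = conf.get("appdefaults", {})
    section_wide = appdefaults.get("encrypt", "false")
    status = {}
    for app in apps:
        block = appdefaults.get(app)
        value = block.get("encrypt", section_wide) if isinstance(block, dict) else section_wide
        status[app] = str(value).strip().lower() in TRUE_WORDS
    return status


def unencrypted_apps(conf, apps=("telnet", "rlogin", "rsh", "rcp")):
    """The applications a user must remember to run with -x."""
    return sorted(app for app, enc in encryption_status(conf, apps).items() if not enc)


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_KRB5_CONF)
    for app, enc in encryption_status(conf).items():
        print(f"{app:7s} {'encrypted by default' if enc else 'CLEARTEXT unless -x'}")
```

Run it against the real /etc/krb5.conf on a host to get the same list Matt gives from memory; any application that comes back unencrypted is one where typing a Kerberos password (kcroninit, kinit inside the session) goes over the wire in the clear unless -x was given.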
From kreymer@fnal.gov Fri Jan 26 10:50:00 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA08787 for ; Fri, 26 Jan 2001 10:50:00 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7S00K4W439PC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 26 Jan 2001 10:49:58 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D60DE@listserv.fnal.gov>; Fri, 26 Jan 2001 10:49:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 250190 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 26 Jan 2001 10:49:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D60DD@listserv.fnal.gov>; Fri, 26 Jan 2001 10:49:57 -0600
Received: from d0nt36 ([131.225.231.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G7S00K8G4395D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 26 Jan 2001 10:49:57 -0600 (CST)
Date: Fri, 26 Jan 2001 11:01:58 -0600
From: Jim Fitzmaurice
Subject: Installation of a new machine.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos - pilot
Message-id: <027501c087b9$b16d1730$03e7e183@fnal.gov>
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.2314.1300
X-Mailer: Microsoft Outlook Express 5.00.2314.1300
Content-type: text/plain; charset=iso-8859-1
Content-transfer-encoding: 7bit
X-Priority: 3
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 823

I have just installed FRHL 6.1.2 in three machines. I requested principals and got a password, and got them. The first two worked just fine, but not the third one. They are all the same type of machine and same, but on the third one I'm getting an error:
...

Preparing to configure host keys on this node...
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal ftp/d0ol12.fnal.gov to keytab file.
kadmin: Preauthentication failed while initializing kadmin interface
ERROR: could not add principal host/d0ol12.fnal.gov to keytab file.
...

Automated installation of kerberos complete.

IMPORTANT:
1) /etc/krb5.keytab configuration of service
   "ftp/d0ol12.fnal.gov" was not completed successfully.
2) /etc/krb5.keytab configuration of service
   "host/d0ol12.fnal.gov" was not completed successfully.
...

I thought, maybe I typed in the password wrong, so I tried "ups install-hostkeys kerberos" and took special care to type in the password correctly, But I still got the same error.

Any ideas on what might be wrong?

Jim Fitzmaurice
jpfitz@fnal.gov

UNIX is very user friendly, It's just very particular about who it makes friends with.

From kreymer@fnal.gov Fri Jan 26 11:00:08 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA09808 for ; Fri, 26 Jan 2001 11:00:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7S00K9J4K681@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 26 Jan 2001 11:00:07 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D611D@listserv.fnal.gov>; Fri, 26 Jan 2001 11:00:06 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 250256 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 26 Jan 2001 11:00:06 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D611C@listserv.fnal.gov>; Fri, 26 Jan 2001 11:00:06 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7S00KCA4K53X@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 26 Jan 2001 11:00:06 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA29811; Fri, 26 Jan 2001 11:00:05 -0600 (CST)
Date: Fri, 26 Jan 2001 11:00:05 -0600
From: Matt Crawford
Subject: Re: Installation of a new machine.
In-reply-to: "26 Jan 2001 11:01:58 CST." <027501c087b9$b16d1730$03e7e183@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Jim Fitzmaurice
Cc: kerberos - pilot
Message-id: <200101261700.LAA29811@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 824

> The first two worked just fine, but not the third one.
[...]
> Any ideas on what might be wrong?

"It's the chronostat. It always is."

For chronostat, read "system clock". The clock has to be correct to within 5 minutes. If you run xntp as a "broadcast client" you should have no difficulty keeping correct to within 5 milliseconds.

Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed

From kreymer@fnal.gov Fri Jan 26 11:18:14 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA13816 for ; Fri, 26 Jan 2001 11:18:14 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7S00KBB5EDGV@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 26 Jan 2001 11:18:14 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D6140@listserv.fnal.gov>; Fri, 26 Jan 2001 11:18:13 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 250292 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 26 Jan 2001 11:18:13 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D613F@listserv.fnal.gov>; Fri, 26 Jan 2001 11:18:13 -0600
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7S00KF65ED81@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 26 Jan 2001 11:18:13 -0600 (CST)
Date: Fri, 26 Jan 2001 11:18:11 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: Installation of a new machine.
In-reply-to: <027501c087b9$b16d1730$03e7e183@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Jim Fitzmaurice
Cc: kerberos - pilot
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 825

System clock?

Marc

On Fri, 26 Jan 2001, Jim Fitzmaurice wrote:

> Date: Fri, 26 Jan 2001 11:01:58 -0600
> From: Jim Fitzmaurice
> To: kerberos - pilot
> Subject: Installation of a new machine.
>
> I have just installed FRHL 6.1.2 in three machines. I requested principals
> and got a password, and got them. The first two worked just fine, but not
> the third one. They are all the same type of machine and same, but on the
> third one I'm getting an error:
> ...
>
> Preparing to configure host keys on this node...
> kadmin: Preauthentication failed while initializing kadmin interface
> ERROR: could not add principal ftp/d0ol12.fnal.gov to keytab file.
> kadmin: Preauthentication failed while initializing kadmin interface
> ERROR: could not add principal host/d0ol12.fnal.gov to keytab file.
> ...
>
> Automated installation of kerberos complete.
>
> IMPORTANT:
> 1) /etc/krb5.keytab configuration of service
> "ftp/d0ol12.fnal.gov" was not completed successfully.
> 2) /etc/krb5.keytab configuration of service
> "host/d0ol12.fnal.gov" was not completed successfully.
> ...
>
> I thought, maybe I typed in the password wrong, so I tried "ups
> install-hostkeys kerberos" and took special care to type in the password
> correctly, But I still got the same error.
>
> Any ideas on what might be wrong?
>
> Jim Fitzmaurice
> jpfitz@fnal.gov
>
> UNIX is very user friendly, It's just very particular about who it makes
> friends with.
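The client side of Jim's report only said "Preauthentication failed", which reads like a wrong password; the KDC log Matt posted shows the real cause on the line just before each failure. The following is an added example, not code from the thread: a Python routine that walks krb5kdc log lines in order and attributes each PREAUTH_FAILED either to clock skew (when the same KDC process logged "Clock skew too great" immediately before it) or to bad credentials, then groups the results by client address so you know which host's clock to fix rather than whose password to reset. The embedded log is a subset of the lines Matt quoted, plus one constructed bad-password failure for a principal (jdoe) and address (192.0.2.10, a documentation address) that do not appear in the thread.

```python
"""Tell clock-skew preauth failures from bad-password failures in a krb5kdc log.

Added example, not code from the thread. The log format matched is the one
quoted above: "AS_REQ <addr>(<port>): <STATUS>: <client> for <server>, <text>".
"""
import re
from collections import Counter, defaultdict

# A subset of the lines Matt quoted from the PILOT.FNAL.GOV KDC, followed by
# one constructed failure (client jdoe from 192.0.2.10) with no skew line
# before it, to show what a genuine bad password looks like by contrast.
KDC_LOG = """\
Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:29 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: ftp/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): NEEDED_PREAUTH: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: Clock skew too great - pa verify failure
Jan 26 10:16:30 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 131.225.231.112(88): PREAUTH_FAILED: host/d0ol12.fnal.gov@PILOT.FNAL.GOV for kadmin/admin@PILOT.FNAL.GOV, Preauthentication failed
Jan 26 10:20:01 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 192.0.2.10(88): NEEDED_PREAUTH: jdoe@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Additional pre-authentication required
Jan 26 10:20:01 i-krb-2.fnal.gov krb5kdc[18486]: AS_REQ 192.0.2.10(88): PREAUTH_FAILED: jdoe@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Preauthentication failed
"""

_AS_REQ = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]: AS_REQ (?P<addr>[0-9.]+)\((?P<port>\d+)\): "
    r"(?P<status>[A-Z_]+): (?P<client>\S+) for (?P<server>\S+), (?P<text>.*)$"
)
_SKEW = re.compile(r"krb5kdc\[(?P<pid>\d+)\]: Clock skew too great")


def classify_preauth_failures(log_text):
    """Return [(client_principal, client_addr, cause)] for every PREAUTH_FAILED.

    cause is "clock_skew" when the same krb5kdc process logged "Clock skew
    too great" immediately before the failure, else "bad_credentials".
    NEEDED_PREAUTH is the normal first round trip and is not a failure.
    Any other AS_REQ line clears a pending skew marker so it cannot be
    mis-attributed to a later, unrelated failure.
    """
    failures = []
    skew_pid = None  # pid of the kdc process that just reported skew
    for line in log_text.splitlines():
        m = _SKEW.search(line)
        if m:
            skew_pid = m["pid"]
            continue
        m = _AS_REQ.search(line)
        if not m:
            continue
        if m["status"] == "PREAUTH_FAILED":
            cause = "clock_skew" if skew_pid == m["pid"] else "bad_credentials"
            failures.append((m["client"], m["addr"], cause))
        skew_pid = None
    return failures


def summarize_by_host(failures):
    """{client_addr: {cause: count}} so the fix can be targeted per host."""
    by_host = defaultdict(Counter)
    for _client, addr, cause in failures:
        by_host[addr][cause] += 1
    return {addr: dict(counts) for addr, counts in by_host.items()}


def hosts_needing_clock_fix(failures):
    """Addresses whose failures were caused by skew: run ntp there, then rerun
    'ups install-hostkeys kerberos'; retyping the password will not help."""
    return sorted({addr for _c, addr, cause in failures if cause == "clock_skew"})


if __name__ == "__main__":
    found = classify_preauth_failures(KDC_LOG)
    for client, addr, cause in found:
        print(f"{addr:16s} {cause:16s} {client}")
    print("fix clocks on:", hosts_needing_clock_fix(found))
```

The 5-minute window Matt cites is the default clockskew in [libdefaults]; a host whose failures all classify as clock_skew needs its clock corrected (xntp, as he suggests) and the host-key step rerun, and no amount of careful password typing changes the outcome.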
From kreymer@fnal.gov Mon Jan 29 11:03:13 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA30524 for ; Mon, 29 Jan 2001 11:03:12 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DDCOPAK0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 11:03:11 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7728@listserv.fnal.gov>; Mon, 29 Jan 2001 11:03:10 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 256491 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 11:03:10 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7727@listserv.fnal.gov>; Mon, 29 Jan 2001 11:03:10 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DG9OPAH8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 11:03:10 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA08941 for ; Mon, 29 Jan 2001 11:03:10 -0600
Date: Mon, 29 Jan 2001 11:03:10 -0600
From: "Isabeau's mom"
Subject: beginners question
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A75A24E.76734F9F@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 826

hi, i am a beginner at using kerberos so pardon me if i am asking a very easy question.

i have 2 machines. both have kerberos v1_0 from kits installed on them. both have fermi redhat linux installed on them.

machine A has the fully strengthened kerberos installed (ups install kerberos...)
machine B has kerberos with ssh installed (ups install-keep-ssh kerberos ...)

on machine B, i do a 'kinit -f' to get a forwardable ticket. when i 'telnet -F' (the krb5 telnet) on machine B to machine A, i am challenged (output below) -

(stuff cut out)

WARNING NOTICE!

This is a United States Department of Energy computer system, which may be accessed and used only for official Government business by authorized personnel. Unauthorized access or use of this computer system may subject violators to criminal, civil, and/or administrative action. All information on this computer system may be intercepted, recorded, read, copied, and disclosed by and to authorized personnel for official purposes, including criminal investigations. Access or use of this computer system by any person, whether authorized or unauthorized, constitutes consent to these terms. The Fermilab Policy on Computing, including authorized use, may be found at http://www.fnal.gov/cd/main/cpolicy.html.

[ Kerberos V5 accepts you as (name cut out in email) ]
[ Kerberos V5 accepted forwarded credentials ]
Red Hat Linux Fermi Red Hat Linux Release 5.2.1 (Charm)
Kernel 2.2.16 on an i686
Press ENTER and compare this challenge to the one on your display:
(...)

in fact, if i telnet from machine A to machine A, using the same mechanism, i am also challenged.

i thought that i would only need my cryptocard when i was coming from outside the strengthened realm. am i doing something wrong? is it possible to log in to machine A from machine B without being challenged?

thanks much for your answer,
eileen

--
    _\ | | /_
    \\| ============================= |//
  ==O( ===== What do you want? ===== )O==
    _//| ============================= |\\_
    / | | \

From kreymer@fnal.gov Mon Jan 29 11:15:38 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA32374 for ; Mon, 29 Jan 2001 11:15:38 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DMZPA0HJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 11:15:37 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7757@listserv.fnal.gov>; Mon, 29 Jan 2001 11:15:36 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 256540 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 11:15:36 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7756@listserv.fnal.gov>; Mon, 29 Jan 2001 11:15:36 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DKYPA02O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 11:15:36 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA16256; Mon, 29 Jan 2001 11:15:35 -0600 (CST)
Date: Mon, 29 Jan 2001 11:15:35 -0600
From: Matt Crawford
Subject: Re: beginners question
In-reply-to: "29 Jan 2001 11:03:10 CST." <3A75A24E.76734F9F@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200101291715.LAA16256@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 827

Does the unix name of the account you're logging into via telnet match the name of your Kerberos principal, before the "@"?
And, no matter what the answer to that is, is there a .k5login file in the home directory of the target account? If there is, is your full Kerberos principal listed in that file, on a line by itself?

(It would help considerably not to conceal details like the names of machines A and B, because sometimes important clues can be found in the KDC log files.)

From kreymer@fnal.gov Mon Jan 29 11:26:59 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA00988 for ; Mon, 29 Jan 2001 11:26:59 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DK1PSXB4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 11:26:58 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7790@listserv.fnal.gov>; Mon, 29 Jan 2001 11:26:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 256599 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 11:26:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D778F@listserv.fnal.gov>; Mon, 29 Jan 2001 11:26:57 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DNHPSX2O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 11:26:57 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA09019; Mon, 29 Jan 2001 11:26:57 -0600
Date: Mon, 29 Jan 2001 11:26:57 -0600
From: "Isabeau's mom"
Subject: Re: beginners question
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3A75A7E1.5F1E4EA6@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200101291715.LAA16256@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 828

Matt Crawford wrote:
>
> Does the unix name of the account you're logging into via telnet
> match the name of your Kerberos principal, before the "@"?

yes

>
> And, no matter what the answer to that is, is there a .k5login file
> in the home directory of the target account? If there is, is your
> full Kerberos principal listed in that file, on a line by itself?

thanks much!! this was the problem.

>
> (It would help considerably not to conceal details like the names of
> machines A and B, because sometimes important clues can be found in the
> KDC log files.)

sorry. i did not hide the names for any real reason other than to be more general. i did not know that they would be useful. next time i will include them.

thanks again.
eileen

--
    _\ | | /_
    \\| ============================= |//
  ==O( ===== What do you want? ===== )O==
    _//| ============================= |\\_
    / | | \

From kreymer@fnal.gov Mon Jan 29 11:48:58 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA05150 for ; Mon, 29 Jan 2001 11:48:58 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00DPEQTKBD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 11:48:57 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D77D8@listserv.fnal.gov>; Mon, 29 Jan 2001 11:48:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 256682 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 11:48:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D77D7@listserv.fnal.gov>; Mon, 29 Jan 2001 11:48:57 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00ELMQTK2D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 11:48:56 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA16518; Mon, 29 Jan 2001 11:48:56 -0600 (CST)
Date: Mon, 29 Jan 2001 11:48:56 -0600
From: Matt Crawford
Subject: Re: beginners question
In-reply-to: "29 Jan 2001 11:26:57 CST." <3A75A7E1.5F1E4EA6@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200101291748.LAA16518@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 829

> > And, no matter what the answer to that is, is there a .k5login file
> > in the home directory of the target account? If there is, is your
> > full Kerberos principal listed in that file, on a line by itself?
>
> thanks much!! this was the problem.

Great. Note that if there is NO .k5login file, then a match between Kerberos principal and the unix account name+the system's idea of its Kerberos realm (found in /etc/krb5.conf) determines authorization. But if there is a .k5login, a match means nothing -- the principal must be listed in .k5login.

From kreymer@fnal.gov Mon Jan 29 13:34:20 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA07962 for ; Mon, 29 Jan 2001 13:34:20 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00JMFVP7IW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 13:34:19 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D79D1@listserv.fnal.gov>; Mon, 29 Jan 2001 13:34:19 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 257215 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 13:34:19 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D79D0@listserv.fnal.gov>; Mon, 29 Jan 2001 13:34:19 -0600
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00IPZVP6X3@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 13:34:18 -0600 (CST)
Date: Mon, 29 Jan 2001 13:34:09 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: afs configuration problem on a non-AFS machine under Fermi kerberos rcp
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A75C5B1.4E4E8E64@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 830

Hi,

On d0ora1/d0ora3 when I use the scp coming from Fermi's kerberos, I get the following message:

d0ora1> scp d0ora3:~sam/Plots/Development/index.html .
aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))
index.html    |   4 KB |   4.7 kB/s | ETA: 00:00:00 | 100%

It doesn't seem to prevent the scp from taking place, but it's a strange message:
- krb5_run_aklog is set to false in the /etc/krb5.conf file on both machines
- there is no /afs directory on either machine
- afs isn't installed on either machine

Details: kerberos v0_7, flavor SunOS+5.

--
lauri

From kreymer@fnal.gov Mon Jan 29 14:06:08 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA07986 for ; Mon, 29 Jan 2001 14:06:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00JJ9X67SL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 14:06:08 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7A5D@listserv.fnal.gov>; Mon, 29 Jan 2001 14:06:08 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 257365 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 14:06:08 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7A5C@listserv.fnal.gov>; Mon, 29 Jan 2001 14:06:08 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00JTBX67TY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 14:06:07 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA17474; Mon, 29 Jan 2001 14:06:07 -0600 (CST)
Date: Mon, 29 Jan 2001 14:06:06 -0600
From: Matt Crawford
Subject: Re: afs configuration problem on a non-AFS machine under Fermi kerberos rcp
In-reply-to: "29 Jan 2001 13:34:09 CST." <3A75C5B1.4E4E8E64@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Message-id: <200101292006.OAA17474@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 831

Your subject line says rcp but the example command line says scp. Which is it, or both?

From kreymer@fnal.gov Mon Jan 29 14:19:20 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA08007 for ; Mon, 29 Jan 2001 14:19:20 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00JMOXS7SL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 14:19:19 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7AB1@listserv.fnal.gov>; Mon, 29 Jan 2001 14:19:19 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 257459 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 14:19:19 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7AB0@listserv.fnal.gov>; Mon, 29 Jan 2001 14:19:19 -0600
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X0022CXS6AZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 14:19:18 -0600 (CST)
Date: Mon, 29 Jan 2001 14:19:06 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: afs configuration problem on a non-AFS machine under Fermikerberos rcp
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3A75D03A.EB950B7E@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200101292006.OAA17474@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 832

It's scp, sorry. (I do NOT get the error when using rcp).

--
lauri

Matt Crawford wrote:
>
> Your subject line says rcp but the example command line says scp.
> Which is it, or both?

From kreymer@fnal.gov Mon Jan 29 14:32:31 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA08027 for ; Mon, 29 Jan 2001 14:32:30 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X00MGVYBFRN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 14:30:51 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7AD3@listserv.fnal.gov>; Mon, 29 Jan 2001 14:30:51 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 257495 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 14:30:51 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7AD2@listserv.fnal.gov>; Mon, 29 Jan 2001 14:30:51 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7X0031FYBE10@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 14:30:50 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA17680; Mon, 29 Jan 2001 14:30:50 -0600 (CST)
Date: Mon, 29 Jan 2001 14:30:50 -0600
From: Matt Crawford
Subject: Re: afs configuration problem on a non-AFS machine under Fermikerberos rcp
In-reply-to: "29 Jan 2001 14:19:06 CST." <3A75D03A.EB950B7E@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Message-id: <200101292030.OAA17680@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 833

> It's scp, sorry. (I do NOT get the error when using rcp).

All righty, then, which version of the scp server is on the remote end and what does sshd_config look like?

From kreymer@fnal.gov Mon Jan 29 15:09:45 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA08159 for ; Mon, 29 Jan 2001 15:09:45 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Y003BB03V10@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 29 Jan 2001 15:09:32 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7B90@listserv.fnal.gov>; Mon, 29 Jan 2001 15:09:32 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 257722 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 29 Jan 2001 15:09:31 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D7B8F@listserv.fnal.gov>; Mon, 29 Jan 2001 15:09:31 -0600
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Y0042K03U5H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 29 Jan 2001 15:09:31 -0600 (CST)
Date: Mon, 29 Jan 2001 15:09:18 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: afs configuration problem on a non-AFS machine under Fermikerberosrcp
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3A75DBFE.F5C7F977@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200101292030.OAA17680@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 834 Ah, I see a line in the /etc/sshd_config file that says: AFSRunAklog yes This is probably where the problem is coming from. I have Dave on the phone right now, I think he fixed it. Thanks, lauri Matt Crawford wrote: > > > It's scp, sorry. (I do NOT get the error when using rcp). > > All righty, then, which version of the scp server is on the remote > end and what does sshd_config look like? From kreymer@fnal.gov Tue Jan 30 09:19:16 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA10930 for ; Tue, 30 Jan 2001 09:19:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z0031EEK2PT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 30 Jan 2001 09:19:14 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D8399@listserv.fnal.gov>; Tue, 30 Jan 2001 09:19:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 259963 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 30 Jan 2001 09:19:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D8398@listserv.fnal.gov>; Tue, 30 Jan 2001 09:19:14 -0600 Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z0031VEK1PP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 30 Jan 2001 09:19:13 -0600 (CST) Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA06321 for ; Tue, 30 Jan 2001 09:19:12 -0600 Date: Tue, 30 Jan 2001 
09:19:12 -0600 From: "Isabeau's mom" Subject: kcroninit problems Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A76DB70.54254E84@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 835 hi, i am having problems running kcroninit on node rip1 under user berman. this is the output i get - : : : What is your kerberos principal (default = berman@PILOT.FNAL.GOV): Enter the password for berman@PILOT.FNAL.GOV: Now adding principal berman/cron/rip1.fnal.gov@PILOT.FNAL.GOV... add_principal: Principal or policy already exists while creating "berman/cron/rip1.fnal.gov@PILOT.FNAL.GOV". Now creating empty keytab file for berman/cron/rip1.fnal.gov@PILOT.FNAL.GOV... Now writing temporary keytab for berman/cron/rip1.fnal.gov@PILOT.FNAL.GOV... Temporary keytab created. Now transferring temporary keytab file contents... ERROR transferring keytab file contents; ABORT. All done. i have run this before with the same results except that i did not get the 'already exists' line. i do see a file created under /var/adm/krb5 which is owned by me. someone suggested that i move the whole krb5 directory aside and try it again. i did this and the result is the same as above. i did an strace on the command and i seem to be getting an error when trying to open the file in /var/adm/krb5. have i forgotten to do something? thanks, eileen -- _\ | | /_ \\| ============================= |// ==O( ===== What do you want? 
===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Tue Jan 30 09:58:51 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA22031 for ; Tue, 30 Jan 2001 09:58:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z0038YGE0QM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 30 Jan 2001 09:58:49 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D8447@listserv.fnal.gov>; Tue, 30 Jan 2001 09:58:48 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 260158 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 30 Jan 2001 09:58:48 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D8446@listserv.fnal.gov>; Tue, 30 Jan 2001 09:58:48 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z003B5GE0Q5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 30 Jan 2001 09:58:48 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA22740; Tue, 30 Jan 2001 09:58:47 -0600 (CST) Date: Tue, 30 Jan 2001 09:58:47 -0600 From: Matt Crawford Subject: Re: kcroninit problems In-reply-to: "30 Jan 2001 09:19:12 CST." <3A76DB70.54254E84@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Isabeau's mom" Cc: kerberos-pilot@fnal.gov Message-id: <200101301558.JAA22740@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 836 Some people have found that the permissions on /var/adm were extrememly strange. What's your "ls -ld /var/adm" look like? It ought to be 755 or 711 or even 751. 
Not 701, which would let kcroninit work for everyone except members of the group that that directory belongs to. From kreymer@fnal.gov Tue Jan 30 10:07:38 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA22489 for ; Tue, 30 Jan 2001 10:07:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z003AKGSOQ2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 30 Jan 2001 10:07:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D8470@listserv.fnal.gov>; Tue, 30 Jan 2001 10:07:36 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 260200 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 30 Jan 2001 10:07:36 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D846F@listserv.fnal.gov>; Tue, 30 Jan 2001 10:07:36 -0600 Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G7Z0039UGSNQQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 30 Jan 2001 10:07:35 -0600 (CST) Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA07465; Tue, 30 Jan 2001 10:07:35 -0600 Date: Tue, 30 Jan 2001 10:07:35 -0600 From: "Isabeau's mom" Subject: Re: kcroninit problems Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: <3A76E6C7.BC46CB1F@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200101301558.JAA22740@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 837 Matt Crawford wrote: > > Some people have 
found that the permissions on /var/adm were > extrememly strange. What's your "ls -ld /var/adm" look like? > It ought to be 755 or 711 or even 751. Not 701, which would let > kcroninit work for everyone except members of the group that that > directory belongs to. hi, yes that seems to have been the problem. thanks. i set the permissions to 751, reran kcroninit and it worked. eileen -- _\ | | /_ \\| ============================= |// ==O( ===== What do you want? ===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Wed Jan 31 11:05:58 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA03203 for ; Wed, 31 Jan 2001 11:05:57 -0600 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8100KCPE5WM8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Wed, 31 Jan 2001 11:05:56 -0600 (CST) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f0VH5tt08012; Wed, 31 Jan 2001 11:05:55 -0600 (CST) Date: Wed, 31 Jan 2001 11:05:55 -0600 From: aheavey@fnal.gov Subject: CVS and kerberos Sender: aheavey@fnal.gov To: gcooper@fnal.gov, mengel@fnal.gov, fagan@fnal.gov, kreymer@fnal.gov, wyatt@fnal.gov Cc: kaletka@fnal.gov, crawdad@fnal.gov Reply-to: aheavey@fnal.gov Message-id: <200101311705.f0VH5tt08012@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: A X-Keywords: X-UID: 838 Hello, I'm finishing up the Strong Authentication manual, and I find that I'm not clear on what to put in for CVS. There were a series of messages to kerberos-pilot last November. Excerpts follow (see my questions ****). 
I would really appreciate it if somebody could list the things a sysadmin needs to do for a kerberized machine running a CVS server -AND- the things a user needs to know in order to use the CVS repository on the server. If it is handled differently in different experiments and projects, I'd like to know. Thank you. Excerpts from messages: (fagan) cvs uses the cvsuser account (doesn't need a principal) but EVERYONE > needs to be in the .k5login (or better yet the .k5users ...) **** Matt says he doesn't think these files are involved... (cooper) ssh1 executable needs to be setuid root (kaletka) No, the fact the Kerberos-aware client is NOT setuid is deliberate! ... (kreymer) > This is one reason we are urging people to start using authorized keys > for access to CVS (rather than user@node registered in .shosts), > as described in > > http://www-cdf.fnal.gov/offline/code_management/Dist/doc/agent.txt **** can I just refer CDF users to this page? (i.e. will it be kept up to date?) > > Of course, we should add kerberos principal based access > as soon as an appropriate server can be configured. **** has kerberos principal based access been added? (mengel) Well, attempts at doing a setgid ssh executable to be able to read /etc/ssh_host_key aren't sufficient, you need both the rhosts auth (i.e. coming from a secure port) *and* the host rsa key to get in with .shosts. So for the moment, for cdfsga, our best course is to make the /usr/krb5/bin/sshk4 executable setuid root, and leave the /usr/krb5/bin/ssh1 executable not setuid root. Then the failover to the krb4 executable (which was intended for afs token forwarding, and unneeded on cdfsga which doesn't have afs) will instead do the .rhosts part of .shosts authentication. **** what does D0 do? 
> > -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Wed Jan 31 18:15:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA14411 for ; Wed, 31 Jan 2001 18:15:02 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8100FB5Y12NL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 31 Jan 2001 18:15:02 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9A44@listserv.fnal.gov>; Wed, 31 Jan 2001 18:15:02 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 266317 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 31 Jan 2001 18:15:02 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9A43@listserv.fnal.gov>; Wed, 31 Jan 2001 18:15:02 -0600 Received: from fnal.gov ([131.225.84.114]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8100G5BY11Z8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 31 Jan 2001 18:15:01 -0600 (CST) Date: Wed, 31 Jan 2001 18:15:01 -0600 From: Margaret Votava Subject: [Fwd: Cron /usr/krb5/bin/kcron cron/backups] Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A78AA85.3F9E71@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 839 hi, i run a cron job to update my kerberos ticket. it failed this evening. is there some sort of problem? 
thanks, margaret -------- Original Message -------- Subject: Cron /usr/krb5/bin/kcron cron/backups Date: Wed, 31 Jan 2001 18:00:02 -0600 From: root@odsmev.fnal.gov (Cron Daemon) To: votava@odsmev.fnal.gov kinit: Cannot contact any KDC for requested realm while getting initial credentials path = /usr/products/Linux/ups/v4_5_1/bin:/usr/bin:/bin There are no available articles. kdestroy: No credentials cache file found while destroying cache Ticket cache NOT destroyed! From kreymer@fnal.gov Thu Feb 1 08:07:23 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA07264 for ; Thu, 1 Feb 2001 08:07:22 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830062Y0K9H8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:07:22 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F28@listserv.fnal.gov>; Thu, 01 Feb 2001 08:07:21 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267705 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:07:21 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F27@listserv.fnal.gov>; Thu, 01 Feb 2001 08:07:21 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830064N0K8HU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:07:20 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:07:20 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:07:19 -0600 From: ARSystem Subject: 000000000016442 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7613387E@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 840 CRAWFORD, MATT, Help Desk Ticket #000000000016442 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Cannot contact any KDC Badge # (+) : 07167V First Name : ANDREI Last Name (+) : MAYOROV Phone : 3859 E-Mail Address : MAYOROV@FNAL.GOV Incident Time : 1/31/01 5:10:36 PM System Name : KRB-PILOT-1 Urgency : Medium Public Work Log : Problem Description : Something went wrong with KDC on domino kinit Password for mayorov@PILOT.FNAL.GOV: kinit: Cannot contact any KDC for requested realm while getting initial credentials trying to log to d0ora3: UNIX(r) System V Release 4.0 (d0ora3) (pts/1) Portal login: mayorov login: Cannot contact any KDC for requested realm while getting initial credential s Andrei From kreymer@fnal.gov Thu Feb 1 08:12:52 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA11921 for ; Thu, 1 Feb 2001 08:12:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830063V0SSHQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:12:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F34@listserv.fnal.gov>; Thu, 01 Feb 2001 08:12:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267717 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:12:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F32@listserv.fnal.gov>; Thu, 01 
Feb 2001 08:12:28 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G83006400SQHT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:12:28 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:12:27 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:12:26 -0600 From: ARSystem Subject: CRAWFORD, MATT # Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133884@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 841 Thank you for your assistance. Help Desk ticket #000000000016443 has been resolved on 2/1/01 8:10:09 AM Resolution Timestamp: : 1/31/01 6:20:21 PM Solution Category : Software Problem/Bug Problem Category : Software Type : Utilities Item : Kerberos Short Description : kinit doesn't work: "cannot contact any KDC" Solution : Per the analyst: "Some sort of malformed request and/or software bug crashed both the master and slave KDC processes (the KDC processes, not the host systems) at 17:03. Core dumps were generated so the source (a certain CDF machine) and contents (an authentication request for a CDF task force member) of the request that triggered the crash are preserved for debugging. Nothing should be made of the fact that both server processes crashed at the same time -- naturally the client, not getting an answer from one, would try the other. Both crashed while decrypting the encrypted timestamp preauthentication data. How this came about after 348 days of error-free operation is no doubt going to prove interesting. The KDC process was restarted at 18:20." Problem Description : Hi, Next problem. What's going on here? 
d0mino:~/backup >kinit Password for balm@PILOT.FNAL.GOV: kinit: Cannot contact any KDC for requested realm while getting initial credentials Thanks- Paul Balm From kreymer@fnal.gov Thu Feb 1 08:12:52 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA11923 for ; Thu, 1 Feb 2001 08:12:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830063V0SSHQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:12:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F35@listserv.fnal.gov>; Thu, 01 Feb 2001 08:12:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267719 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:12:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F33@listserv.fnal.gov>; Thu, 01 Feb 2001 08:12:28 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830065Z0SRHP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:12:28 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:12:27 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:12:26 -0600 From: ARSystem Subject: 000000000016443 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133882@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 842 CRAWFORD, MATT, Help Desk Ticket #000000000016443 has been assigned to you. 
It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: kinit doesn't work: "cannot contact any KDC" Badge # (+) : 12710N First Name : PAUL Last Name (+) : BALM Phone : 2177 E-Mail Address : BALM@FNAL.GOV Incident Time : 1/31/01 5:14:26 PM System Name : KRB-PILOT-1 Urgency : Medium Public Work Log : 2/1/01 8:10:09 AM trb From: "Matt Crawford" To: "ARSystem" Cc: ; ; ; ; ; ; ; Subject: Re: 000000000016439 Assigned to CRAWFORD, MATT. Date: Wednesday, January 31, 2001 7:08 PM Some sort of malformed request and/or software bug crashed both the master and slave KDC processes (the KDC processes, not the host systems) at 17:03. Core dumps were generated so the source (a certain CDF machine) and contents (an authentication request for a CDF task force member) of the request that triggered the crash are preserved for debugging. Nothing should be made of the fact that both server processes crashed at the same time -- naturally the client, not getting an answer from one, would try the other. Both crashed while decrypting the encrypted timestamp preauthentication data. How this came about after 348 days of error-free operation is no doubt going to prove interesting. The KDC process was restarted at 18:20. Problem Description : Hi, Next problem. What's going on here? 
d0mino:~/backup >kinit Password for balm@PILOT.FNAL.GOV: kinit: Cannot contact any KDC for requested realm while getting initial credentials Thanks- Paul Balm From kreymer@fnal.gov Thu Feb 1 08:15:32 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA13843 for ; Thu, 1 Feb 2001 08:15:32 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830065I0XUH3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:15:30 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F3A@listserv.fnal.gov>; Thu, 01 Feb 2001 08:15:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267725 for CDF_CODE_MANAGEMENT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:15:30 -0600 Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F39@listserv.fnal.gov>; Thu, 01 Feb 2001 08:15:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267723 for CDFCODE@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:15:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F38@listserv.fnal.gov>; Thu, 01 Feb 2001 08:15:30 -0600 Received: from vortex ([131.225.82.178]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with SMTP id <0G830065B0XUHQ@smtp.fnal.gov> for cdfcode@listserv.fnal.gov (ORCPT cdfcode@fnal.gov); Thu, 01 Feb 2001 08:15:30 -0600 (CST) Date: Thu, 01 Feb 2001 08:15:32 -0600 From: Chuck DeBaun Subject: FW: 000000000016439 Assigned to CRAWFORD, MATT. 
Sender: owner-cdf_code_management@listserv.fnal.gov To: cdfcode@fnal.gov Reply-to: debaun@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) Content-type: text/plain; charset=Windows-1252 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 843 F.Y.I. Fun and games last night. -----Original Message----- From: owner-csi-group@listserv.fnal.gov [mailto:owner-csi-group@listserv.fnal.gov]On Behalf Of Mark O. Kaletka Sent: Wednesday, January 31, 2001 9:51 PM To: csi-group@fnal.gov Cc: oss-mgmt@fnal.gov Subject: Fw: 000000000016439 Assigned to CRAWFORD, MATT. It looks like the Kerberos kdc problem(s) were unrelated to the electrical work on WH7W. -- Mark K. ----- Original Message ----- From: "Matt Crawford" To: "ARSystem" Cc: ; ; ; ; ; ; ; Sent: Wednesday, January 31, 2001 7:08 PM Subject: Re: 000000000016439 Assigned to CRAWFORD, MATT. > Some sort of malformed request and/or software bug crashed both the > master and slave KDC processes (the KDC processes, not the host > systems) at 17:03. Core dumps were generated so the source (a certain > CDF machine) and contents (an authentication request for a CDF task > force member) of the request that triggered the crash are preserved > for debugging. > > Nothing should be made of the fact that both server processes crashed > at the same time -- naturally the client, not getting an answer from > one, would try the other. Both crashed while decrypting the encrypted > timestamp preauthentication data. How this came about after 348 days > of error-free operation is no doubt going to prove interesting. > > The KDC process was restarted at 18:20. 
> > From kreymer@fnal.gov Thu Feb 1 08:17:40 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA16227 for ; Thu, 1 Feb 2001 08:17:40 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830064Q11FH8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:17:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F3C@listserv.fnal.gov>; Thu, 01 Feb 2001 08:17:39 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267727 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:17:39 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F3B@listserv.fnal.gov>; Thu, 01 Feb 2001 08:17:39 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830064T11EHD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:17:38 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:17:39 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:17:36 -0600 From: ARSystem Subject: CRAWFORD, MATT #16442 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133888@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 844 Thank you for your assistance. 
Help Desk ticket #000000000016442 has been resolved on 2/1/01 8:13:20 AM Resolution Timestamp: : 1/31/01 6:20:36 PM Solution Category : Software Problem/Bug Problem Category : Software Type : Utilities Item : Kerberos Short Description : Cannot contact any KDC Solution : Per the analyst: "Some sort of malformed request and/or software bug crashed both the master and slave KDC processes (the KDC processes, not the host systems) at 17:03. Core dumps were generated so the source (a certain CDF machine) and contents (an authentication request for a CDF task force member) of the request that triggered the crash are preserved for debugging. Nothing should be made of the fact that both server processes crashed at the same time -- naturally the client, not getting an answer from one, would try the other. Both crashed while decrypting the encrypted timestamp preauthentication data. How this came about after 348 days of error-free operation is no doubt going to prove interesting. The KDC process was restarted at 18:20." 
Problem Description : Something went wrong with KDC on domino kinit Password for mayorov@PILOT.FNAL.GOV: kinit: Cannot contact any KDC for requested realm while getting initial credentials trying to log to d0ora3: UNIX(r) System V Release 4.0 (d0ora3) (pts/1) Portal login: mayorov login: Cannot contact any KDC for requested realm while getting initial credential s Andrei From kreymer@fnal.gov Thu Feb 1 08:43:47 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA00535 for ; Thu, 1 Feb 2001 08:43:47 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830069K28AHQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:43:22 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F92@listserv.fnal.gov>; Thu, 01 Feb 2001 08:43:21 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267830 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:43:21 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F8F@listserv.fnal.gov>; Thu, 01 Feb 2001 08:43:21 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830069G288HJ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:43:21 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:43:20 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:43:19 -0600 From: ARSystem Subject: 000000000016446 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761338A3@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 845 CRAWFORD, MATT, Help Desk Ticket #000000000016446 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Kerberos access down on d0mino? Badge # (+) : 07977V First Name : KWOK MING Last Name (+) : CHAN Phone : 2764 E-Mail Address : KLCHAN@FNAL.GOV Incident Time : 1/31/01 6:13:51 PM System Name : KRB-PILOT-1 Urgency : Medium Public Work Log : 2/1/01 8:43:07 AM trb From: "Matt Crawford" To: "ARSystem" Cc: ; ; ; ; ; ; ; Subject: Re: 000000000016439 Assigned to CRAWFORD, MATT. Date: Wednesday, January 31, 2001 7:08 PM Some sort of malformed request and/or software bug crashed both the master and slave KDC processes (the KDC processes, not the host systems) at 17:03. Core dumps were generated so the source (a certain CDF machine) and contents (an authentication request for a CDF task force member) of the request that triggered the crash are preserved for debugging. Nothing should be made of the fact that both server processes crashed at the same time -- naturally the client, not getting an answer from one, would try the other. Both crashed while decrypting the encrypted timestamp preauthentication data. How this came about after 348 days of error-free operation is no doubt going to prove interesting. The KDC process was restarted at 18:20. Problem Description : Hi, Seems like people (and me) are experiencing some problems trying to login to d0mino, either by kinit or cryptocards. They receive an error message like: Cannot contact any KDC for requested realm while getting initial credentials However it doesn't affect anyone who is already logged in (that's how I can write this email). 
Only when you try to do new logins the error occurs. thanks, Leo From kreymer@fnal.gov Thu Feb 1 08:43:47 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA00544 for ; Thu, 1 Feb 2001 08:43:47 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G830069K28AHQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 01 Feb 2001 08:43:24 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F94@listserv.fnal.gov>; Thu, 01 Feb 2001 08:43:22 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 267834 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 01 Feb 2001 08:43:22 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000D9F91@listserv.fnal.gov>; Thu, 01 Feb 2001 08:43:21 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G83006AA287GY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 01 Feb 2001 08:43:21 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 01 Feb 2001 08:43:20 -0600 Content-return: allowed Date: Thu, 01 Feb 2001 08:43:19 -0600 From: ARSystem Subject: CRAWFORD, MATT # Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761338A1@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 846 Thank you for your assistance. 
Help Desk ticket #000000000016445 has been resolved on 2/1/01 8:40:41 AM Resolution Timestamp: : 1/31/01 6:20:01 PM Solution Category : Software Problem/Bug Problem Category : Software Type : Utilities Item : Kerberos Short Description : serious problem! KDC down Solution : Per the analyst: "Some sort of malformed request and/or software bug crashed both the master and slave KDC processes (the KDC processes, not the host systems) at 17:03. Core dumps were generated so the source (a certain CDF machine) and contents (an authentication request for a CDF task force member) of the request that triggered the crash are preserved for debugging. Nothing should be made of the fact that both server processes crashed at the same time -- naturally the client, not getting an answer from one, would try the other. Both crashed while decrypting the encrypted timestamp preauthentication data. How this came about after 348 days of error-free operation is no doubt going to prove interesting. The KDC process was restarted at 18:20." Problem Description : Hi, It appears that the KDC is down. I cannot access it (can't get tickets) from d0mino or any linux box that I am currently logged into. If this is the case then all of fermilab is currently in bad shape. Cheers, Dugan. ------------------------------------------------------------------------ ---- Dugan O'Neil E-mail : oneil@fnal.gov Dugan.O'Neil@cern.ch Dept. of Physics and Astronomy web : http://www-d0.fnal.gov/~oneil Michigan State University phone:(630)840-2829 It's too bad that whole families fax :(630)840-8886 have to be torn apart by something as simple as wild dogs. 
- Jack Handey - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Mail: Couriers: MS 352 Kirk and Wilson Streets Fermilab Mail Station 352 P.O.Box 500 Fermilab Batavia, IL 60510-0500 Batavia, IL 60510-0500 ------------------------------------------------------------------------ ---- From kreymer@fnal.gov Thu Feb 1 22:17:24 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id WAA24231 for ; Thu, 1 Feb 2001 22:17:24 -0600 Received: from mail.sisna.com ([216.126.204.54]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8400C153WZ9S@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Thu, 01 Feb 2001 22:17:23 -0600 (CST) Received: from fnal.gov [4.17.253.70] by mail.sisna.com with ESMTP (SMTPD32-6.05) id A3EA1A0700EC; Thu, 01 Feb 2001 21:13:30 -0700 Date: Thu, 01 Feb 2001 22:18:10 -0600 From: Alan M Jonckheere Subject: Re: fyi - also see following message To: wyatt@fnal.gov Cc: d0-release-mgr , gcooper@fnal.gov, "Marc W. Mengel" , fagan@fnal.gov, kreymer@fnal.gov, kaletka@fnal.gov, crawdad@fnal.gov Message-id: <3A7A3502.40251606@fnal.gov> Organization: D0 at Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <002d01c08c6c$f2507690$0ae7e183@d0nt43.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 847 See below Wyatt Merritt wrote: > > -----Original Message----- > From: aheavey@fnal.gov [mailto:aheavey@fnal.gov] > Sent: Wednesday, January 31, 2001 11:06 AM > To: gcooper@fnal.gov; mengel@fnal.gov; fagan@fnal.gov; kreymer@fnal.gov; > wyatt@fnal.gov > Cc: kaletka@fnal.gov; crawdad@fnal.gov > Subject: CVS and kerberos > > Hello, > I'm finishing up the Strong Authentication manual, and I find that I'm > not clear on what to put in for CVS. There were a series of messages > to kerberos-pilot last November. 
Excerpts follow (see my questions ****). > > I would really appreciate it if somebody could list the things a sysadmin > needs to do for a kerberized machine running a CVS server -AND- > the things a user needs to know in order to use the CVS repository on > the server. If it is handled differently in different experiments and > projects, I'd like to know. Thank you. > > Excerpts from messages: > > (fagan) > cvs uses the cvsuser account (doesn't need a principal) but EVERYONE > > needs to be in the .k5login (or better yet the .k5users ...) > **** Matt says he doesn't think these files are involved... Matt is wrong-wrong-wrong!! The initial access to the repository is exactly as if you were running rsh (or ssh) from the command line and not inside cvs. This is true whether or not you are kerberos'd. Only *after* the initial authorization do cvsh and cvs itself take over on the repository end to execute the commands. If you are on a kerberos'd system, all you need to do is have a kerberos ticket and your principal in the ~cvsuser/.k5login file on the repository machine and it all works swimmingly. I don't know why you'd bother with the .k5users file. cvsh restricts the commands you can issue. NOTE: The server *must* be running cvsh v1_4 in order to use kerberos for "cvs commit"s. Any other access doesn't require knowing who you are, so those work with older versions of cvsh. NOTE: The preceding was true until they installed kerberos v1.0 last week. The latter changed a lot of the ticket forwarding defaults and screwed up cvs royally. We've gotten it mostly working, but there are still some unpleasantnesses. In particular, the user's ticket must be *forwardable* and it must be *forwarded* by rsh. If your ticket isn't forwardable, then you must get a forwardable ticket. This is the situation if you've logged into d0mino using your cryptocard for example. For some strange reason, just doing a "kinit" will get you a forwardable ticket.
This means that in order to use kerberos access when you login over an insecure line (the definition of when you'd use your cryptocard) you must kinit and type your kerberos password *in the clear*! Seems like the wrong way to use kerberos to me. In addition, your ticket must be *forwarded* to the repository. There are two ways to do this: make it the default for rsh (which is what we've done on d0mino) or wrap the rsh command with a wrapper that merely adds a "-F" switch to the command. The latter could be done rather easily so that it'd only apply to cvs commands. CDF is doing a similar thing to get ssh access. Same idea, different reason. > (cooper) > ssh1 executable needs to be setuid root Why use ssh in *addition* to kerberos'd rsh? Doesn't make sense. What is gained? You certainly won't gain access from non-kerberos'd machines, at least not ultimately. That will be shut off as I understand the plans. > (kaletka) > No, the fact the Kerberos-aware client is NOT setuid is deliberate! ... > > (kreymer) > > This is one reason we are urging people to start using authorized keys > > for access to CVS (rather than user@node registered in .shosts), > > as described in > > > > http://www-cdf.fnal.gov/offline/code_management/Dist/doc/agent.txt > **** can I just refer CDF users to this page? (i.e. will it be kept up > to date?) > > > > Of course, we should add kerberos principal based access > > as soon as an appropriate server can be configured. It was. We've been using it since Dec 4th with no problems at all until kerberos v1.0 changed the forwarding defaults on us (without warning and seemingly with no thought to the consequences). > **** has kerberos principal based access been added? YES, long time ago. > (mengel) > Well, attempts at doing a setgid ssh executable to be able to > read /etc/ssh_host_key aren't sufficient, you need both the > rhosts auth (i.e. coming from a secure port) *and* the host > rsa key to get in with .shosts. 
> > So for the moment, for cdfsga, our best course is to > make the /usr/krb5/bin/sshk4 executable setuid root, and leave > the /usr/krb5/bin/ssh1 executable not setuid root. Then the > failover to the krb4 executable (which was intended for afs > token forwarding, and unneeded on cdfsga which doesn't have afs) > will instead do the .rhosts part of .shosts authentication. > > **** what does D0 do? Kerberos authentication with failover rsh/.rhost authentication for outside users. I don't know what we'll do if we have to shut off that. ssh authentication isn't in the cards as I understand the plans. NOTE: most of the above applies to R/W repository access. It is possible (and easy from what I hear with cvs v1.11 just now available) to setup a R/O repository that uses an "anonymous" read access, no authentication required. We intend to do this asap. But it doesn't solve our R/W access problem from off-site (read that non-kerberos'd off-site). > -- Anne > > Anne Heavey | Fermilab Computing Division | WWW Group > Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Fri Feb 2 09:37:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA26971 for ; Fri, 2 Feb 2001 09:37:03 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8400KJGZDR1C@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 02 Feb 2001 09:37:03 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA11300; Fri, 02 Feb 2001 09:37:03 -0600 (CST) Date: Fri, 02 Feb 2001 09:37:02 -0600 From: Matt Crawford Subject: Re: fyi - also see following message In-reply-to: "01 Feb 2001 22:18:10 CST." <3A7A3502.40251606@fnal.gov> Sender: crawdad@gungnir.fnal.gov To: Alan M Jonckheere Cc: wyatt@fnal.gov, d0-release-mgr , gcooper@fnal.gov, "Marc W. 
Mengel" , fagan@fnal.gov, kreymer@fnal.gov, kaletka@fnal.gov Message-id: <200102021537.JAA11300@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 848 > See below > > (fagan) > > cvs uses the cvsuser account (doesn't need a principal) but EVERYONE > > > needs to be in the .k5login (or better yet the .k5users ...) > > **** Matt says he doesn't think these files are involved... > > Matt is wrong-wrong-wrong!! Matt was misquoted-misquoted-misquoted. I said I don't think .k5users is involved, just .k5login. Can you show me that that is incorrect? > NOTE: The preceding was true until they installed kerberos v1.0 > last week. The latter changed a lot of the ticket forwarding > defaults and screwed up cvs royally. We've gotten it mostly > working, but there are still some unpleasantnesses. > > In particular, the user's ticket must be *forwardable* and it > must be *forwarded* by rsh. I have sat down with Mr. CVS (Marc Mengel) and agreed that the Kerberos rsh server will put the client principal name into the environment as CLIENT_PRINCIPAL and cvsh will pick it up there instead of using the disgusting kludge that has been in place until now. This will be the same whether tickets are forwarded or not.
From kreymer@fnal.gov Fri Feb 2 10:28:59 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA27419 for ; Fri, 2 Feb 2001 10:28:59 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G850023B1SBCC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 02 Feb 2001 10:28:59 -0600 (CST) Date: Fri, 02 Feb 2001 10:28:58 -0600 (CST) From: "Marc W.
Mengel" Subject: Re: fyi - also see following message In-reply-to: To: Art Kreymer Cc: Matt Crawford , Alan M Jonckheere , wyatt@fnal.gov, d0-release-mgr , gcooper@fnal.gov, fagan@fnal.gov, kaletka@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 850 On Fri, 2 Feb 2001, Art Kreymer wrote: > > I have sat down with Mr. CVS (Marc Mengel) and agreed that the > > Kerberos rsh server will put the client principal name into the > > environment as CLIENT_PRINCIPAL and cvsh will pick it up there > > instead of using the disgusting kludge that has been in place until > > now. This will be the same whether tickets are forwarded or not. > > Does this work for non-Fermilab flavors of kerberos client software ? Yes. it's a server-side change. Marc From kreymer@fnal.gov Fri Feb 2 10:30:13 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA27425 for ; Fri, 2 Feb 2001 10:30:13 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G850023T1UCL5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 02 Feb 2001 10:30:13 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA11831; Fri, 02 Feb 2001 10:30:12 -0600 (CST) Date: Fri, 02 Feb 2001 10:30:12 -0600 From: Matt Crawford Subject: Re: fyi - also see following message In-reply-to: "02 Feb 2001 10:07:46 CST." Sender: crawdad@gungnir.fnal.gov To: Art Kreymer Cc: Alan M Jonckheere , wyatt@fnal.gov, d0-release-mgr , gcooper@fnal.gov, "Marc W. Mengel" , fagan@fnal.gov, kaletka@fnal.gov Message-id: <200102021630.KAA11831@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 851 > On Fri, 2 Feb 2001, Matt Crawford wrote: > ... > > I have sat down with Mr. 
CVS (Marc Mengel) and agreed that the > > Kerberos rsh server will put the client principal name into the > > environment as CLIENT_PRINCIPAL and cvsh will pick it up there > > instead of using the disgusting kludge that has been in place until > > now. This will be the same whether tickets are forwarded or not. > > Does this work for non-Fermilab flavors of kerberos client software ? Yes, it's completely in the rsh server. Only the CVS server hosts (and KDCs, for a completely separate reason) will have any reason to update to the next Fermi Kerberos release. But don't hold me to the exact env. variable name until we announce the new versions. From kreymer@fnal.gov Fri Feb 2 10:56:05 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA27442 for ; Fri, 2 Feb 2001 10:56:05 -0600 Received: from fnal.gov ([131.225.231.30]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G850029P31GQ7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 02 Feb 2001 10:56:05 -0600 (CST) Date: Fri, 02 Feb 2001 10:55:09 -0600 From: Alan M Jonckheere Subject: Re: fyi - also see following message To: Matt Crawford Cc: wyatt@fnal.gov, d0-release-mgr , gcooper@fnal.gov, "Marc W. Mengel" , fagan@fnal.gov, kreymer@fnal.gov, kaletka@fnal.gov Message-id: <3A7AE66D.26D17DB5@fnal.gov> Organization: D0 at Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200102021537.JAA11300@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 852 Matt Crawford wrote: > > > See below > > > (fagan) > > > cvs uses the cvsuser account (doesn't need a principal) but EVERYONE > > > > needs to be in the .k5login (or better yet the .k5users ...) > > > **** Matt says he doesn't think these files are involved... > > > > Matt is wrong-wrong-wrong!! 
> > Matt was misquoted-misquoted-misquoted. I said I don't think > .k5users is involved, just .k5login. Can you show me that that is > incorrect? That's good. YES, .k5login is involved. I suspect that .k5users *could* be used instead if I understand how it works, but I see no reason to do so, and can think of several reasons not to. > > NOTE: The preceding was true until they installed kerberos v1.0 > > last week. The latter changed a lot of the ticket forwarding > > defaults and screwed up cvs royally. We've gotten it mostly > > working, but there are still some unpleasantnesses. > > > > In particular, the user's ticket must be *forwardable* and it > > must be *forwarded* by rsh. > > I have sat down with Mr. CVS (Marc Mengel) and agreed that the > Kerberos rsh server will put the client principal name into the > environment as CLIENT_PRINCIPAL and cvsh will pick it up there > instead of using the disgusting kludge that has been in place until > now. This will be the same whether tickets are forwarded or not. Great! Then we can drop one *major* constraint from consideration when configuring kerberos! When will we see this? I still have the problem that I don't know how to give off-site, actually any non-kerberos user WRITE access to the repository. This is important for sites such as the major off-site farm systems which are at large computer centers. We are highly unlikely to convince their administrations to adopt our kerberos policies. There is also a problem on NT. At least the latter, we may be able to fix by supplying a kerberos aware rsh on NT. The former, I don't think is fixable in that way. Can non-kerberos ssh be used somehow within the overall security plan?
Alan From kreymer@fnal.gov Tue Feb 6 09:31:24 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA00776 for ; Tue, 6 Feb 2001 09:31:24 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8C00DFEDSA2V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 06 Feb 2001 09:31:23 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DDE87@listserv.fnal.gov>; Tue, 06 Feb 2001 09:31:23 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 286039 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 06 Feb 2001 09:31:22 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DDE86@listserv.fnal.gov>; Tue, 06 Feb 2001 09:31:22 -0600 Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8C00F5DDSABI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 06 Feb 2001 09:31:22 -0600 (CST) Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA22274 for ; Tue, 06 Feb 2001 09:31:22 -0600 Date: Tue, 06 Feb 2001 09:31:22 -0600 From: "Isabeau's mom" Subject: problem when doing rsh using a project Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3A8018CA.425F922E@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 853 hi, i am trying to get rsh between nodes using a project login instead of a real person login. i have successfully created a keytab file that is owned by the project login . the project is enstore. 
i am initiating a cron job on rip2.fnal.gov. the target node is rip1.fnal.gov when i run the 'kinit -k -t ...' line i get the following - %/usr/krb5/bin/kinit -k -t /local/ups/kt/enstorekt enstore/cd/rip2.fnal.gov kinit: Internal file credentials cache error when initializing cache i noticed that the env variable KRB5CCNAME points to a file that is owned by berman and not by enstore. this is the file that is causing the problem i think, but i do not know how it got there or what i should do about it. i am running the 'kinit' line when i am logged in as user enstore. i logged in by doing an su from root to enstore. thanks, eileen -- _\ | | /_ \\| ============================= |// ==O( ===== What do you want? ===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Tue Feb 6 09:58:45 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA05919 for ; Tue, 6 Feb 2001 09:58:44 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8C00FBQF1VCW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 06 Feb 2001 09:58:43 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DDF10@listserv.fnal.gov>; Tue, 06 Feb 2001 09:58:43 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 286192 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 06 Feb 2001 09:58:43 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DDF0F@listserv.fnal.gov>; Tue, 06 Feb 2001 09:58:42 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8C00CLSF1UWR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 06 Feb 2001 09:58:42 -0600 (CST) Received: from 
gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA04164; Tue, 06 Feb 2001 09:58:42 -0600 (CST) Date: Tue, 06 Feb 2001 09:58:42 -0600 From: Matt Crawford Subject: Re: problem when doing rsh using a project In-reply-to: "06 Feb 2001 09:31:22 CST." <3A8018CA.425F922E@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Isabeau's mom" Cc: kerberos-pilot@fnal.gov Message-id: <200102061558.JAA04164@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 854 > %/usr/krb5/bin/kinit -k -t /local/ups/kt/enstorekt enstore/cd/rip2.fnal.gov > kinit: Internal file credentials cache error when initializing cache > > i noticed that the env variable KRB5CCNAME points to a file that is owned > by berman and not by enstore. this is the file that is causing the problem > i think, but i do not know how it got there or what i should do about it. > > i am running the 'kinit' line when i am logged in as user enstore. i logged > in by doing an su from root to enstore. The su command carried forward all the environment of the parent process, including the KRB5CCNAME, which is useless -- even a hindrance -- after a su to a non-root id. If you can use the Kerberos ksu command instead, it's smarter about the credential cache and always makes a new one owned by the new unix id. Or you can just unset KRB5CCNAME after you su, and either set it to a private value like FILE:/tmp/krb5cc_enstore_p$$ or let the final kinit choose its default. 
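The su/KRB5CCNAME problem Matt explains above, worked as an added sh example that is not part of this archive and not Fermi or Enstore code: a wrapper for a project account's cron job that refuses a credentials cache it cannot own (the one a plain su carries over from the admin's environment, which is what produces "Internal file credentials cache error"), makes a private cache instead, gets a ticket from the keytab with kinit -k -t, runs the job and destroys the cache. The /usr/krb5/bin paths, the keytab /local/ups/kt/enstorekt and the enstore/cd/rip2.fnal.gov principal are taken from the thread; the script name and crontab line are assumed.

```sh
#!/bin/sh
# Added example (not Fermi's or Enstore's code): run a cron job as a
# project account whose key lives in a keytab, with a credentials cache
# that belongs to that account alone. A plain "su enstore" keeps the
# admin's KRB5CCNAME in the environment, pointing at a cache file the
# project account cannot use; this script refuses such a cache and makes
# a private one. Paths, keytab and principal are assumptions from the thread.

KRB5_BIN=${KRB5_BIN:-/usr/krb5/bin}

# private_ccache ACCOUNT PID -> a FILE: cache name no other process shares.
private_ccache() {
    printf 'FILE:/tmp/krb5cc_%s_p%s\n' "$1" "$2"
}

# owned_by PATH USER -> true if USER (name or numeric uid) owns PATH.
# find -prune -user is POSIX, so this works on Linux, Solaris and IRIX alike.
owned_by() {
    [ -n "$(find "$1" -prune -user "$2" 2>/dev/null)" ]
}

# ccache_usable CCACHE ACCOUNT -> true only for a FILE: cache whose file
# exists and is owned by ACCOUNT. Unset, foreign-owned or non-file caches
# all fail, which is what an inherited KRB5CCNAME looks like after su.
ccache_usable() {
    case ${1:-} in
        FILE:*) path=${1#FILE:} ;;
        /*)     path=$1 ;;            # a bare path also means a FILE: cache
        *)      return 1 ;;
    esac
    [ -f "$path" ] && owned_by "$path" "$2"
}

# choose_ccache ACCOUNT -> prints the cache to use: the inherited KRB5CCNAME
# when it really is ACCOUNT's own file, otherwise a fresh private name.
choose_ccache() {
    if ccache_usable "${KRB5CCNAME:-}" "$1"; then
        printf '%s\n' "$KRB5CCNAME"
    else
        private_ccache "$1" "$$"
    fi
}

# run_as_project ACCOUNT KEYTAB PRINCIPAL COMMAND [ARG...]
# Gets a ticket from the keytab into the chosen cache, runs COMMAND, then
# destroys the cache so no ticket is left behind in /tmp.
run_as_project() {
    account=$1 keytab=$2 principal=$3
    shift 3
    KRB5CCNAME=$(choose_ccache "$account")
    export KRB5CCNAME
    "$KRB5_BIN/kinit" -k -t "$keytab" "$principal" || return 1
    "$@"
    rc=$?
    "$KRB5_BIN/kdestroy"
    return "$rc"
}

# Crontab line for the enstore account on rip2 (assumed script name and path):
#   0 * * * * /local/bin/kcron.sh run enstore /local/ups/kt/enstorekt \
#       enstore/cd/rip2.fnal.gov /usr/krb5/bin/rsh rip1 touch testcron.output
if [ "${1:-}" = run ]; then
    shift
    run_as_project "$@"
fi
```

Interactively, after a plain su to the project account, the same check says whether to keep the inherited cache; when it fails, unset KRB5CCNAME (or export the name private_ccache prints) before running kinit, which is exactly what ksu arranges for you.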
From kreymer@fnal.gov Tue Feb 6 15:08:36 2001 -0600
Date: Tue, 06 Feb 2001 15:05:14 -0600
From: "Isabeau's mom"
Subject: more on getting cron jobs for projects working
To: kerberos-pilot@fnal.gov
Message-id: <3A80670A.D784AE92@fnal.gov>

Hi, first off, I really appreciate all of the help. Hopefully, I am near the end of my questions.

Anyway, now the kinit line works, but the rsh line does not. The source node is rip2. The destination is rip1. Both are fully within the strengthened realm. On rip2.fnal.gov, ksu'ed to user enstore, I do the following at the terminal:

    rip2.fnal.gov} /usr/krb5/bin/kinit -k -t /local/ups/kt/enstorekt enstore/cd/rip2.fnal.gov
    rip2.fnal.gov} /usr/krb5/bin/rsh rip1 touch testcron.output
    kshd: Permission denied.
    trying normal rsh (/usr/bin/rsh)
    WARNING: NO ENCRYPTION!
    rip1.fnal.gov: Connection refused

If I run the same two lines as a cron job I get the following output:

    kshd: Permission denied.
    trying normal rsh (/usr/bin/rsh)
    WARNING: NO ENCRYPTION!
    rip1.fnal.gov: Connection refused

Thanks,
eileen
--
  _\ | | /_
  \\| ============================= |//
 ==O( ===== What do you want? ===== )O==
  _//| ============================= |\\_
  / | | \

From kreymer@fnal.gov Tue Feb 6 15:21:19 2001 -0600
Date: Tue, 06 Feb 2001 15:21:17 -0600
From: Matt Crawford
Subject: Re: more on getting cron jobs for projects working
In-reply-to: "06 Feb 2001 15:05:14 CST." <3A80670A.D784AE92@fnal.gov>
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102062121.PAA05833@gungnir.fnal.gov>

> anyway, now the kinit line works, but the rsh line
> does not. the source node is rip2. the destination
> is rip1. both are fully within the strengthened
> realm.

Is there a .k5login file in the home directory of enstore on node rip1, containing the line

    enstore/cd/rip2.fnal.gov@PILOT.FNAL.GOV

? If not, make it so. (If it already is, try inserting "-l enstore" in your rsh command line -- but I don't think that's necessary when your unix id is already enstore on rip2.)

These special principals with '/' characters do not have automatic access to anything, except where you grant it with a mechanism like .k5login. That fact helps us accept the inherent insecurity of their encryption keys being stored on disk.
From kreymer@fnal.gov Tue Feb 6 15:26:38 2001 -0600
Date: Tue, 06 Feb 2001 15:26:36 -0600
From: "Isabeau's mom"
Subject: Re: more on getting cron jobs for projects working
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3A806C0C.CADA5BB6@fnal.gov>
References: <200102062121.PAA05833@gungnir.fnal.gov>

Matt Crawford wrote:
>
> > anyway, now the kinit line works, but the rsh line
> > does not. the source node is rip2. the destination
> > is rip1. both are fully within the strengthened
> > realm.
>
> Is there a .k5login file in the home directory of enstore on node
> rip1, containing the line
>
>     enstore/cd/rip2.fnal.gov@PILOT.FNAL.GOV

Yes, here is the .k5login file on rip1:

    rip1.fnal.gov} id
    uid=5744(enstore) gid=6209(enstore) groups=6209(enstore)
    rip1.fnal.gov} cd
    rip1.fnal.gov} cat .k5login
    enstore/cd/rip1.fnal.gov@PILOT.FNAL.GOV
    enstore/cd/rip2.fnal.gov@PILOT.FNAL.GOV
    rip1.fnal.gov}
    rip1.fnal.gov} ls -al .k5login
    -rw-r--r--   1 enstore  enstore        82 Feb  5 11:26 .k5login

> ? If not, make it so. (If it already is, try inserting "-l enstore"
> in your rsh command line -- but I don't think that's necessary when
> your unix id is already enstore on rip2.)

I tried this and it did not work. Here is what I got:

    rip2.fnal.gov} /usr/krb5/bin/kinit -k -t /local/ups/kt/enstorekt enstore/cd/rip2.fnal.gov
    rip2.fnal.gov} /usr/krb5/bin/rsh rip1 -l enstore touch testcron.output
    kshd: Permission denied.
    trying normal rsh (/usr/bin/rsh)
    WARNING: NO ENCRYPTION!
    rip1.fnal.gov: Connection refused

> These special principals with '/' characters do not have automatic
> access to anything, except where you grant it with a mechanism
> like .k5login. That fact helps us accept the inherent insecurity
> of their encryption keys being stored on disk.

eileen

From kreymer@fnal.gov Tue Feb 6 15:41:31 2001 -0600
Date: Tue, 06 Feb 2001 15:40:14 -0600
From: Matt Crawford
Subject: Re: more on getting cron jobs for projects working
In-reply-to: "06 Feb 2001 15:26:36 CST." <3A806C0C.CADA5BB6@fnal.gov>
To: kerberos-pilot@fnal.gov
Message-id: <200102062140.PAA05960@gungnir.fnal.gov>

Problem resolved -- it was a little extra whitespace at the ends of the lines in .k5login.
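The fix was trailing whitespace in .k5login, and the listing already hinted at it: two 39-character principals plus newlines come to 80 bytes, while ls reported 82. The checker below is an added example, not code from the thread or from MIT Kerberos; it models the strict per-line comparison that rejected the entry, reports entries that would only match once trimmed, and rewrites the file in the accepted form. The sample file content is constructed to reproduce the rip1 case.

```python
"""Audit a .k5login file for the silent failure seen on rip1.

Added example. It models the strict comparison the thread observed: an
entry grants access only if, after the newline is removed, it is byte for
byte equal to the client principal. A trailing space or tab therefore
disables the entry without any error message ("kshd: Permission denied").
"""
import os
import stat
import tempfile
from typing import List, Tuple

# Constructed sample consistent with the listing: 2 x (39 chars + 1 stray
# space + newline) = 82 bytes.  The real file content is not on the page.
SAMPLE_K5LOGIN = (
    b"enstore/cd/rip1.fnal.gov@PILOT.FNAL.GOV \n"
    b"enstore/cd/rip2.fnal.gov@PILOT.FNAL.GOV \n"
)


def match_k5login(content: bytes, principal: str) -> Tuple[bool, List[str]]:
    """Strict match, plus findings for entries that would match if trimmed."""
    authorized = False
    findings: List[str] = []
    for lineno, raw in enumerate(content.split(b"\n"), 1):
        line = raw.decode("ascii", "replace")  # only the newline is removed
        if line == "":
            continue
        if line == principal:
            authorized = True
        elif line.strip() == principal:
            findings.append(f"line {lineno}: {principal} present but carries extra whitespace {line!r}")
        elif line != line.strip():
            findings.append(f"line {lineno}: stray whitespace around {line.strip()!r}")
    return authorized, findings


def check_k5login_file(path: str, principal: str, user_uid: int) -> Tuple[bool, List[str]]:
    """File-level checks first (MIT kuserok ignores a .k5login not owned by
    the user or root), then the content check."""
    findings: List[str] = []
    st = os.stat(path)
    if st.st_uid not in (0, user_uid):
        findings.append("file is owned by neither the user nor root, so it is ignored")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("file is group- or world-writable (hygiene check, not a kuserok rule)")
    with open(path, "rb") as fh:
        ok, more = match_k5login(fh.read(), principal)
    return ok, findings + more


def normalize_k5login(content: bytes) -> bytes:
    """Remediation: one trimmed principal per line, blank lines dropped."""
    lines = [ln.strip() for ln in content.split(b"\n")]
    return b"".join(ln + b"\n" for ln in lines if ln)


def demo() -> Tuple[bool, bool, List[str]]:
    """Write the constructed sample to a temp file, check it, fix it, re-check."""
    principal = "enstore/cd/rip2.fnal.gov@PILOT.FNAL.GOV"
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ".k5login")
        with open(path, "wb") as fh:
            fh.write(SAMPLE_K5LOGIN)
        before, findings = check_k5login_file(path, principal, os.getuid())
        with open(path, "wb") as fh:
            fh.write(normalize_k5login(SAMPLE_K5LOGIN))
        after, _ = check_k5login_file(path, principal, os.getuid())
    return before, after, findings


if __name__ == "__main__":
    before, after, findings = demo()
    print("authorized before fix:", before)  # False
    for f in findings:
        print("  ", f)
    print("authorized after fix:", after)    # True
```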
From kreymer@fnal.gov Wed Feb 7 09:28:33 2001 -0600
Date: Wed, 07 Feb 2001 09:28:30 -0600
From: "Isabeau's mom"
Subject: cron jobs running on kerberized systems
To: kerberos-pilot@fnal.gov
Message-id: <3A81699E.D1324195@fnal.gov>

Hi, I have been running cron jobs for the past several days on both rip1 and rip2. These jobs have been running as user root and as user berman. They ran every 5 minutes and basically just touched a file. Everything has been fine until yesterday around 5 pm, when all of them started failing with the same message:

    sh: kcmd to host rip1 failed - Software caused connection abort
    trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
    rip1.fnal.gov: Connection refused

I do not believe that I changed anything. I also believe that these cron jobs have been running straight through since last week.

Any ideas?
Thanks,
eileen

From kreymer@fnal.gov Wed Feb 7 10:24:10 2001 -0600
Date: Wed, 07 Feb 2001 10:24:07 -0600
From: "Isabeau's mom"
Subject: [Fwd: cron jobs running on kerberized systems]
To: kerberos-pilot@fnal.gov
Message-id: <3A8176A7.4FEF9527@fnal.gov>

-------- Original Message --------
Message-ID: <3A817691.A791EF46@fnal.gov>
Date: Wed, 07 Feb 2001 10:23:45 -0600
From: Isabeau's mom
To: gcooper@fnal.gov
Subject: Re: cron jobs running on kerberized systems

Glenn Cooper wrote:
>
> Matt will probably have the real problem, but--
>
> Check both system clocks. If they are off by more than 5 minutes,
> authentication will fail.

No, the times are ok.

> Can't tell whether you were using the kcroninit stuff for these. If
> not, make sure you still had a valid ticket. (!)

Yes, I am using the kcroninit stuff.

eileen

> Hope this helps,
> Glenn
>
> On Wed, 7 Feb 2001, Isabeau's mom wrote:
>
> > hi, i have been running cron jobs for the past several
> > days on both rip1 and rip2. these jobs have been running
> > as user root and as user berman. they ran every 5 minutes
> > and basically just touched a file. everything has been
> > fine until yesterday around 5 pm when all of them started
> > failing with the same message -
> >
> > sh: kcmd to host rip1 failed - Software caused connection abort
> > trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
> > rip1.fnal.gov: Connection refused
> >
> > i do not believe that i changed anything. i also believe that
> > these cron jobs have been running straight through since last week.
> >
> > any ideas?
> > thanks,
> > eileen

From kreymer@fnal.gov Wed Feb 7 10:30:48 2001 -0600
Date: Wed, 07 Feb 2001 10:30:45 -0600
From: Matt Crawford
Subject: Re: cron jobs running on kerberized systems
In-reply-to: "07 Feb 2001 09:28:30 CST." <3A81699E.D1324195@fnal.gov>
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102071630.KAA10611@gungnir.fnal.gov>

> fine until yesterday around 5 pm when all of them started
> failing with the same message -
>
> sh: kcmd to host rip1 failed - Software caused connection abort
> trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
> rip1.fnal.gov: Connection refused

Everything looks all right in the KDC log. The problem seems to be on your server (rip1) because I get the same thing when I try to rsh to it from here.

The first thing the Kerberos rsh client and server try to do is the "sendauth" exchange, and that returns ECONNABORTED if the read() from the socket returns 0 bytes (indicative of the server closing the socket without sending anything).

I'd say your rsh server binary /usr/krb5/sbin/kshd has gone away or become unexecutable somehow. Or perhaps a tcpwrappers change has caused the connection to be shut down.
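The 0-byte read Matt describes can be told apart from a plain refused connection and from a healthy kshd, which waits for the client to send first. The probe below is an added example, not from the thread or from MIT Kerberos; it classifies what a service port does on connect and exercises itself against throwaway local listeners (constructed stand-ins for rip1), and the inetd-started services and tcpwrappers files named in the comments describe a typical setup of that era, not anything the thread confirms about rip1.

```python
"""Triage a Kerberos rsh server that drops connections (added example).

Outcomes of a connect with nothing sent:
  refused               no listener (inetd not running, service not listed)
  accepted-then-closed  server closed without sending: the 0-byte read() that
                        makes the client's sendauth fail with ECONNABORTED
  waiting               live kshd; it expects the client's data first
  responded             something else answered on this port
"""
import socket
import threading
import time
from typing import Dict

# Services from the thread. kshd, klogind and telnetd are spawned by inetd per
# connection, so an idle server shows no such process in ps.
SERVICES = {"kshell": 544, "klogin": 543, "shell": 514, "telnet": 23}


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, send nothing, and classify the server's first move."""
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"  # connect timeout, no route, host down
    with conn:
        conn.settimeout(timeout)
        try:
            first = conn.recv(1)
        except socket.timeout:
            return "waiting"
        except ConnectionResetError:
            return "accepted-then-closed"  # RST after accept (e.g. tcpwrappers drop)
        return "accepted-then-closed" if first == b"" else "responded"


def probe_services(host: str, services: Dict[str, int], timeout: float = 2.0) -> Dict[str, str]:
    return {name: probe_port(host, port, timeout) for name, port in services.items()}


def diagnose(results: Dict[str, str]) -> str:
    """Turn per-service results into the next thing to check."""
    kinds = set(results.values())
    if kinds <= {"refused", "unreachable"}:
        return "nothing accepts connections: check that inetd is running and lists the services"
    if "accepted-then-closed" in kinds:
        return ("connections are accepted then dropped: check tcpwrappers "
                "(hosts.allow/hosts.deny) and that the server binary is executable")
    return "servers answer: look after connect (KDC log, clock skew, .k5login)"


def _fake_server(behaviour: str) -> int:
    """Throwaway local listener standing in for rip1; returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve() -> None:
        with srv:
            srv.settimeout(10)
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                return
            with conn:
                if behaviour == "respond":
                    conn.sendall(b"\x00")
                elif behaviour == "wait":
                    time.sleep(1.5)
                # "close": fall through and close without sending anything

    threading.Thread(target=serve, daemon=True).start()
    return port


def self_check() -> Dict[str, str]:
    """Run probe_port against each constructed behaviour and an unused port."""
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()
    return {
        "refused": probe_port("127.0.0.1", unused_port, 1.0),
        "close": probe_port("127.0.0.1", _fake_server("close"), 1.0),
        "respond": probe_port("127.0.0.1", _fake_server("respond"), 1.0),
        "wait": probe_port("127.0.0.1", _fake_server("wait"), 0.5),
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python probe.py rip1.fnal.gov
        res = probe_services(sys.argv[1], SERVICES)
        print(res)
        print(diagnose(res))
    else:
        print(self_check())
```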
From kreymer@fnal.gov Wed Feb 7 12:16:02 2001 -0600
Date: Wed, 07 Feb 2001 12:15:57 -0600
From: "Isabeau's mom"
Subject: Re: cron jobs running on kerberized systems
To: Matt Crawford, kerberos-pilot@fnal.gov
Message-id: <3A8190DD.72F1FA19@fnal.gov>
References: <200102071630.KAA10611@gungnir.fnal.gov>

Matt Crawford wrote:
>
> > fine until yesterday around 5 pm when all of them started
> > failing with the same message -
> >
> > sh: kcmd to host rip1 failed - Software caused connection abort
> > trying normal rsh (/usr/bin/rsh) WARNING: NO ENCRYPTION!
> > rip1.fnal.gov: Connection refused
>
> Everything looks all right in the KDC log. The problem seems to be
> on your server (rip1) because I get the same thing when I try to rsh
> to it from here.
>
> The first thing the Kerberos rsh client and server try to do is the
> "sendauth" exchange and that returns ECONNABORTED if the read() from
> the socket returns 0 bytes (indicative of the server closing the
> socket without sending anything).
>
> I'd say your rsh server binary /usr/krb5/sbin/kshd has gone away or
> become unexecutable somehow. Or perhaps a tcpwrappers change has
> caused the connection to be shut down.

Hmmm. Well, if I do a 'ps axf' on rip1 (or rip2) I do not see a kshd process. The file is there in /usr/krb5/sbin. Is this process supposed to get started automatically? How? I looked in /var/log/messages on both nodes and did not see anything unusual.

    rip1.fnal.gov} pwd
    /usr/krb5/sbin
    rip1.fnal.gov} ls -al
    total 648
    drwxr-xr-x   2 root     root         4096 Jan 26 11:31 ./
    drwxr-xr-x   7 root     root         4096 Dec  6 14:22 ../
    -rwxr-xr-x   1 root     root        88056 Dec 28 14:01 ftpd*
    -rwxr-xr-x   1 root     root        12584 Dec 28 14:01 gss-server*
    -rwxr-xr-x   1 root     root        88268 Dec 28 14:00 kadmin*
    -rwxr-xr-x   1 root     root        44980 Dec 28 14:01 klogind*
    -rwxr-xr-x   1 root     root        14364 Dec 28 13:58 krb5-send-pr*
    -rwxr-xr-x   1 root     root       117164 Dec 28 14:01 kshd*
    -rwxr-xr-x   1 root     root        21088 Dec 28 14:00 ktutil*
    -rwxr-xr-x   1 root     root       109120 Dec 28 14:01 login.krb5*
    -rwxr-xr-x   1 root     root         8056 Dec 28 14:01 sim_server*
    -rwxr-xr-x   1 root     root         7280 Dec 28 14:01 sserver*
    -rwxr-xr-x   1 root     root        94452 Dec 28 14:01 telnetd*
    -rwxr-xr-x   1 root     root         7536 Dec 28 14:01 uuserver*

    rip2.fnal.gov} pwd
    /usr/krb5/sbin
    rip2.fnal.gov} ls -al
    total 648
    drwxr-xr-x   2 root     root         4096 Feb  6 08:45 ./
    drwxr-xr-x   7 root     root         4096 Dec  6 11:32 ../
    -rwxr-xr-x   1 root     root        88056 Dec 28 14:01 ftpd*
    -rwxr-xr-x   1 root     root        12584 Dec 28 14:01 gss-server*
    -rwxr-xr-x   1 root     root        88268 Dec 28 14:00 kadmin*
    -rwxr-xr-x   1 root     root        44980 Dec 28 14:01 klogind*
    -rwxr-xr-x   1 root     root        14364 Dec 28 13:58 krb5-send-pr*
    -rwxr-xr-x   1 root     root       117164 Dec 28 14:01 kshd*
    -rwxr-xr-x   1 root     root        21088 Dec 28 14:00 ktutil*
    -rwxr-xr-x   1 root     root       109120 Dec 28 14:01 login.krb5*
    -rwxr-xr-x   1 root     root         8056 Dec 28 14:01 sim_server*
    -rwxr-xr-x   1 root     root         7280 Dec 28 14:01 sserver*
    -rwxr-xr-x   1 root     root        94452 Dec 28 14:01 telnetd*
    -rwxr-xr-x   1 root     root         7536 Dec 28 14:01 uuserver*

eileen

From kreymer@fnal.gov Wed Feb 7 13:55:28 2001 -0600
Date: Wed, 07 Feb 2001 13:55:24 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: [Fwd: Re: Conceptual question about SAM on a Cluster.]
To: ups@fnal.gov, sam-admin@fnal.gov
Message-id: <3A81A82C.7434B8AB@fnal.gov>
Organization: Fermi National Accelerator Lab

UPS folks: file transfers to off-site stations are becoming a problem with SAM in the kerberos era. We are working on how to solve this problem. How does UPD solve this problem? How does upd 'authenticate' and allow people to get the files without using strong authentication?

Thanks,
lauri

-------- Original Message --------
From: rockwell@pa.msu.edu
Subject: Re: Conceptual question about SAM on a Cluster.
To: Vicky White
CC: sam-admin@fnal.gov

Vicky,

Thanks for the explanation. It sounds as if we will want to have the SAM caches all on one machine, and export this space using NFS. I have one more question about this though - if we set it up this way, how will jobs address the datafiles? Will they have to use the actual UNIX path to the file, or can they still use the SAM name?

I'm willing to help with the Kerberos access issues - is anyone working on this now?

As an aside, does anybody know the details of how UPD gets files from FNAL? This works without (strong) authentication... It seems to me that the UPD server at FNAL will send files to anybody that is accessing it from a node that is registered. It would be nice if SAM could work this way for transfers from FNAL - maybe that is not enough security though.

I meant to thank Matthew, Igor, and Lauri for their help in setting up SAM. I had noted this in my jotted notes for the talk; it didn't make it into the final copy though. Anyways, thanks for your patience and help.

-Tom
--
Tom Rockwell
Michigan State University
tom@rockwell.cx  rockwell@pa.msu.edu
www.rockwell.cx
(517) 432-1668

This message was processed by the mail server on Wed, 7 Feb 2001 13:31:39.
From kreymer@fnal.gov Wed Feb 7 17:02:18 2001 -0600
Date: Wed, 07 Feb 2001 17:02:16 -0600 (CST)
From: Dane Skow
Subject: expiring password and screensaver
To: kerberos-pilot@fnal.gov
Cc: helpdesk@fnal.gov

I just ran into something that may be a minor wave of confusion: my password expired, and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed, it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit.

However, since there is no error message from the screensaver (other than refusal to unlock), figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now? Planned?

At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Feb 8 07:41:57 2001 -0600
Date: Thu, 08 Feb 2001 07:41:44 -0600
From: ARSystem
Subject: 000000000016559 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76133D6F@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000016559 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: expiring password and screensaver
Badge # (+)      : 08972N
First Name       : DANE
Last Name (+)    : SKOW
Phone            : 4730
E-Mail Address   : DANE@FNAL.GOV
Incident Time    : 2/7/01 5:02:09 PM
System Name      : UNFERTH
Urgency          : Medium
Public Work Log  :
Problem Description :

I just ran into something that may be a minor wave of confusion: my password expired, and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed, it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit.

However, since there is no error message from the screensaver (other than refusal to unlock), figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now? Planned?

At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Feb 8 09:31:32 2001 -0600
Date: Thu, 08 Feb 2001 09:31:00 -0600
From: "Thomas J. LeCompte"
Subject: Java-based cryptocard
To: kerberos-pilot@fnal.gov
Message-id: <3A82BBB4.FF91C43E@anl.gov>
Organization: Argonne National Laboratory

Apparently there is a Java 1.2.2 based software cryptocard (they call it the "ST-1"). Is it possible to get this here? It would be much more convenient for those of us who work in many locations (a group that includes probably all FNAL visitors).

Thanks,
Tom

From kreymer@fnal.gov Thu Feb 8 11:30:30 2001 -0600
Date: Thu, 08 Feb 2001 11:30:26 -0600
From: Matt Crawford
Subject: Re: Java-based cryptocard
In-reply-to: "08 Feb 2001 09:31:00 CST." <3A82BBB4.FF91C43E@anl.gov>
To: "Thomas J. LeCompte"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102081730.LAA07410@gungnir.fnal.gov>

> Apparently there is a Java 1.2.2 based software cryptocard (they call it
> the "ST-1"). Is it possible to get this here? It would be much more
> convenient for those of us who work in many locations (a group that
> includes probably all FNAL visitors)

We have not bought any ST-1 tokens. They would be useful to someone who always has their own laptop with them, if for some reason that laptop can't run Kerberos software. But the hardware (RB-1) and PalmOS (PT-1) tokens we've bought cover a much broader class of users than that, I think.

From kreymer@fnal.gov Thu Feb 8 11:37:39 2001 -0600
Date: Thu, 08 Feb 2001 11:37:37 -0600
From: "Isabeau's mom"
Subject: problem with cron jobs
To: kerberos-pilot@fnal.gov
Message-id: <3A82D961.18515E5F@fnal.gov>

Hi, here is some more info related (I think) to the problem I asked about the other day. The problem was that my cron jobs, which had been running happily for days, all started giving errors. It was suggested that I look at kshd. On rip1, the file exists and still appears executable. However, besides not being able to rsh to rip1, no one can ssh or telnet from a kerberized node to rip1 either. Any hints on what I should try?

eileen

From kreymer@fnal.gov Thu Feb 8 11:42:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA07414 for ; Thu, 8 Feb 2001 11:42:03 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8G00AE494NML@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Thu, 08 Feb 2001 11:41:23 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DFE96@listserv.fnal.gov>; Thu, 08 Feb 2001 11:41:06 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 295370 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Thu, 08 Feb 2001 11:41:05 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000DFE93@listserv.fnal.gov>; Thu, 08 Feb 2001 11:41:05 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #44770) with ESMTP id <0G8G00AJF94H1Z@smtp.fnal.gov> for kerberos-announce@listserv.fnal.gov (ORCPT kerberos-announce@fnal.gov); Thu, 08
Feb 2001 11:41:05 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA07541 for ; Thu, 08 Feb 2001 11:41:05 -0600 (CST) Date: Thu, 08 Feb 2001 11:41:04 -0600 From: Matt Crawford Subject: Kerberos v1_1 now available Sender: owner-kerberos-announce@listserv.fnal.gov To: kerberos-announce@fnal.gov Errors-to: matt+kabounces@fnal.gov Message-id: <200102081741.LAA07541@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 869 Fermi Kerberos v1_1 is now in kits, as "test". It probably only of interest for certain small classes of systems: KDCs It fixes a crash we saw in the KDC process caused by a request generated by Heimdal, and a potential crash in the Kerveros v5 to v4 translator (needed for AFS support) which has not happened here yet. The new code has been installed on the slave KDC already and will be installed on the master this afternoon. CVS servers The rsh server now places the client's principal name (including the realm) into the environment as KRB5CLIENT. No more mucking around with credential caches, and no more need to forward credentials to a CVS server. Solaris 2.7 and 2.8 systems with AFS Those flavors of the product now include AFS support. 
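An added example (not Fermilab's code) of how an rsh-invoked CVS server wrapper could consume the KRB5CLIENT variable described above: it accepts only a plain user@REALM principal in the expected realm and maps it to a local account, refusing foreign realms and principals that carry an instance. The realm name, the account-name policy and the allowlist are assumptions.

```shell
#!/bin/sh
# Added example (not Fermilab's code): an rsh-invoked CVS server wrapper
# that trusts only a cleanly-formed KRB5CLIENT value.  The realm, the
# account-name policy and the allowlist below are assumptions.

EXPECTED_REALM="PILOT.FNAL.GOV"     # assumption: the realm the rsh server serves
ALLOWED_COMMITTERS="kreymer berman" # constructed allowlist of local accounts

# principal_user PRINCIPAL REALM
#   Prints the local account name for a principal of the exact form
#   user@REALM and returns 0.  Returns 1 and prints nothing for anything
#   else: unset/empty, a foreign realm, a second '@', or a principal with
#   an instance (user/root@REALM, host/name@REALM), which must never be
#   mapped silently to an account.
principal_user() {
    pu_p=$1
    pu_realm=$2
    case "$pu_p" in
        '' | */* | *@*@*) return 1 ;;   # empty, has an instance, or two '@'
        *@"$pu_realm")    ;;            # single '@' followed by exactly our realm
        *)                return 1 ;;   # foreign realm or no realm at all
    esac
    pu_user=${pu_p%@*}
    # Local account names: lowercase letters and digits, starting with a letter.
    case "$pu_user" in
        '' | *[!a-z0-9]* | [0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pu_user"
}

# allowed_committer USER -- 0 if USER is in the space-separated allowlist.
allowed_committer() {
    for ac_u in $ALLOWED_COMMITTERS; do
        [ "$ac_u" = "$1" ] && return 0
    done
    return 1
}

# cvs_server_gate -- what the wrapper does before handing over to
#   'cvs server': derive the committer from KRB5CLIENT, refuse anything
#   that does not map cleanly, and print the account that would be used.
#   A real wrapper would exec the CVS server at the end (left out so the
#   block runs anywhere).
cvs_server_gate() {
    csg_user=$(principal_user "${KRB5CLIENT-}" "$EXPECTED_REALM") || {
        echo "cvs gate: rejecting KRB5CLIENT='${KRB5CLIENT-}'" >&2
        return 1
    }
    allowed_committer "$csg_user" || {
        echo "cvs gate: $csg_user is not an allowed committer" >&2
        return 1
    }
    printf '%s\n' "$csg_user"
}
```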
Date: Thu, 08 Feb 2001 14:39:48 -0600
From: Matt Crawford
Subject: Re: problem with cron jobs
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov

We found the problem. I suspect that the last successful access before
this happened was by enstore/cd/rip2.fnal.gov to host/rip1.fnal.gov
authenticating at precisely 2001 Feb 6 17:00:01. The entry placed in the
replay cache on rip1 at that time had one byte duplicated, which screwed
up every subsequent attempt to read the replay cache.

Has anyone ever heard of a Linux kernel bug in 2.2.16 in which a byte
gets duplicated? It seems so doubtful. Anyway, I'll put some
bullet-proofing into the replay cache reading routine to avoid this,

Date: Thu, 08 Feb 2001 15:40:07 -0700
From: Michael Gold
Subject: new linux ncdf105.fnal.gov
To: kerberos-pilot@fnal.gov, kreymer@fnal.gov, Yolanda Valadez
Cc: worm@dot.phys.unm.edu, gold@dot.phys.unm.edu

can someone tell me how to fix this problem? also, I need an account with
root privs (e.g. goldsu) that I can access on ncdf105 (my machine).

    higgs 194# rsh ncdf105.fnal.gov
    Couldn't authenticate to server: Server rejected authentication (during sendauth exchange)
    Server returned error code 60 (Generic error (see e-text))
    Error text sent from server: Key version number for principal in key table is incorrect
    rsh: kcmd to host ncdf105.fnal.gov failed - Server rejected authentication (during sendauth exchange)
    trying normal rlogin (/usr/bin/rlogin)
    WARNING: NO ENCRYPTION!

Date: Thu, 08 Feb 2001 17:09:38 -0600
From: Matt Crawford
Subject: Re: new linux ncdf105.fnal.gov
To: Michael Gold
Cc: kerberos-pilot@fnal.gov, kreymer@fnal.gov, Yolanda Valadez, worm@dot.phys.unm.edu

I answered this a couple of days ago, although I'm not sure it was asking
at the time. Yolanda created the host & ftp principals at 11:28 Feb 2. At
12:23 they were used for install-hostkeys and at 12:52 she tried to create
them again, which succeeded in changing their passwords. Now the machine
itself is stuck with a useless key in the keytab file. You need to find
out the new password or get it reset yet again and do
ups install-hostkeys kerberos over again.

> can someone tell me how to fix this problem? also, I
> need an account with root privs (e.g. goldsu)
> that I can access on ncdf105 (my machine).

Perhaps someone who already has root access can just list your principal
in root's .k5login, enabling you to ksu to root or log in as root over
the net.

Date: Fri, 09 Feb 2001 14:15:29 -0600
From: aheavey@fnal.gov
Subject: completed manual
To: kerberos-pilot@fnal.gov
Cc: valadez@fnal.gov

The updated Strong Authentication manual is now complete and can be found
at

    http://www.fnal.gov/docs/strongauth/

PostScript and PDF versions will follow soon -- not available yet.

-- Anne
Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

Date: Mon, 12 Feb 2001 08:23:12 -0600 (CST)
From: Art Kreymer
Subject: Testing kerberos ticket ?
To: kerberos-pilot@fnal.gov

Does anyone know of a means of testing, in a script, for the existence of
an unexpired ticket?

klist spits out lots of information, but nothing which directly indicates
expiration. The 'krbtgt' ticket shows 'Valid starting' and 'Expires'
times as follows

    Valid starting     Expires            Service principal
    02/11/01 15:58:01  02/12/01 17:58:01  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
            renew until 02/17/01 12:14:29

but I don't know any script magic for comparing the two times.

Date: Mon, 12 Feb 2001 09:03:13 -0600
From: Matt Crawford
Subject: Re: Testing kerberos ticket ?
To: Art Kreymer
Cc: kerberos-pilot@fnal.gov

    { klist -s && echo Good ticket; } || echo No valid ticket found

Date: Mon, 12 Feb 2001 09:21:00 -0600
From: "Isabeau's mom"
Subject: Re: Testing kerberos ticket ?
To: Art Kreymer
Cc: kerberos-pilot@fnal.gov

Art Kreymer wrote:
>
> Does anyone know of a means of testing, in a script,
> for the existence of an unexpired ticket ?
>
> klist spits out lots of information,
> but nothing which directly indicates expiration.
> The 'krbtgt' ticket shows 'Valid starting' and 'Expires' times as follows
>
> Valid starting     Expires            Service principal
> 02/11/01 15:58:01  02/12/01 17:58:01  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
>         renew until 02/17/01 12:14:29
>
> but I don't know any script magic for comparing the two times.

if you do a 'klist -s' it will not generate any output, and the return
value will be set to -

    0 : you have an unexpired ticket
    1 : you do not have any unexpired tickets.

in sh this return value is stored in $?.

eileen
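As an added example (not code from the thread), the check Matt and Eileen describe alongside the "script magic" Art asked for: parsing the Expires column of a klist listing in the format he posted and comparing it with a given time, for a klist that lacks -s. It assumes the MM/DD/YY HH:MM:SS layout shown and that two-digit years mean 20YY; the sample listing is constructed from Art's message.

```shell
#!/bin/sh
# Added example, not code from the list thread.  Shows the check the thread
# settles on (klist -s) and, for a klist without -s, how to compare the
# Expires column of a captured listing with a given moment.

# have_ticket -- the check the thread settles on: 'klist -s' prints nothing
#   and exits 0 iff an unexpired ticket is in the cache (1 otherwise).
have_ticket() {
    klist -s
}

# klist_stamp 'MM/DD/YY' 'HH:MM:SS' -- prints a sortable YYYYMMDDHHMMSS
#   stamp for the two-field timestamps klist prints.  Assumption: a
#   two-digit year means 20YY (true for the 2001 listing in the thread).
klist_stamp() {
    printf '%s %s\n' "$1" "$2" |
        awk -F'[/ :]' '{ printf "20%02d%02d%02d%02d%02d%02d\n", $3, $1, $2, $4, $5, $6 }'
}

# tgt_expiry LISTING -- prints the stamp of the krbtgt ticket's Expires
#   column from a captured 'klist' listing; returns 1 if no krbtgt line.
tgt_expiry() {
    te_line=$(printf '%s\n' "$1" | awk '/krbtgt\//{ print; exit }')
    [ -n "$te_line" ] || return 1
    # Columns: start_date start_time exp_date exp_time service_principal
    set -- $te_line
    klist_stamp "$3" "$4"
}

# ticket_valid_at LISTING 'MM/DD/YY' 'HH:MM:SS' -- returns 0 if the krbtgt
#   ticket in LISTING is still valid at that moment (strictly before
#   Expires), 1 otherwise.  The moment is a parameter so the logic can be
#   exercised against a captured listing; a live script would pass
#   $(date '+%m/%d/%y') $(date '+%H:%M:%S').
ticket_valid_at() {
    tva_exp=$(tgt_expiry "$1") || return 1
    tva_now=$(klist_stamp "$2" "$3")
    # Compare in awk: both stamps are 14-digit numbers, exact as doubles.
    awk -v now="$tva_now" -v lim="$tva_exp" 'BEGIN { exit !(now < lim) }'
}

# Constructed klist listing in the layout Art posted (cache path and
# default principal are made up).
KLIST_SAMPLE='Ticket cache: /tmp/krb5cc_sample
Default principal: someone@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
02/11/01 15:58:01  02/12/01 17:58:01  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 02/17/01 12:14:29'

# Demo: was the sample ticket still good when Matt replied (02/12/01 09:03:13)?
if ticket_valid_at "$KLIST_SAMPLE" 02/12/01 09:03:13; then
    echo "sample krbtgt ticket still valid at 02/12/01 09:03:13"
fi
```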
===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Mon Feb 12 10:47:31 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA09230 for ; Mon, 12 Feb 2001 10:47:30 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00MCBLB4XP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 10:47:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2BC0@listserv.fnal.gov>; Mon, 12 Feb 2001 10:47:29 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308005 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 10:47:29 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2BBF@listserv.fnal.gov>; Mon, 12 Feb 2001 10:47:28 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00M8ULAZV4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 10:47:28 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <1M2PGWMG>; Mon, 12 Feb 2001 10:47:22 -0600 Content-return: allowed Date: Mon, 12 Feb 2001 10:47:10 -0600 From: ARSystem Subject: 000000000016617 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133FAB@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 877 CRAWFORD, MATT, Help Desk Ticket #000000000016617 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. 
Short description: Kerberos or SSH2 on FNALU Linux nodes? Badge # (+) : 12383N First Name : MARC Last Name (+) : PATERNO Phone : 4532 E-Mail Address : PATERNO@FNAL.GOV Incident Time : 2/12/01 9:15:05 AM System Name : Urgency : Medium Public Work Log : 2/12/01 10:45:56 AM blomberg Can you assist? Problem Description : Is there a plan in the near future to make either Kerberos or SSH2 access to the FNALU Linux nodes available? best regards, Marc Marc Paterno / CD Special Assignments paterno@fnal.gov (630) 840-4532 WH6E-36 (630) 840-2215 D0 5th floor (630) 840-6457 CDF Trailer 169F http://home.fnal.gov/~paterno/ From kreymer@fnal.gov Mon Feb 12 11:01:58 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA09924 for ; Mon, 12 Feb 2001 11:01:58 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N000GHLZ884@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 11:01:56 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2C12@listserv.fnal.gov>; Mon, 12 Feb 2001 11:01:56 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308092 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 11:01:56 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2C11@listserv.fnal.gov>; Mon, 12 Feb 2001 11:01:56 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00099LZ7WD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 11:01:55 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA29100; Mon, 12 Feb 2001 11:01:55 -0600 (CST) Date: Mon, 12 Feb 2001 
11:01:55 -0600 From: Matt Crawford Subject: Re: 000000000016617 Assigned to CRAWFORD, MATT. In-reply-to: "12 Feb 2001 10:47:10 CST." <318CC3D38BE0D211BB1200105A093F76133FAB@csdserver2.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: ARSystem Cc: "'kerberos-pilot@fnal.gov'" Message-id: <200102121701.LAA29100@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 878 There are two things which are intended in the near future (by summer, say) but not "plans" in the sense of having firm schedules yet. Plans should develop this month, though. Those two things are Put Kerberos on every CD unix-like system, including FNALU, and Move from the free ssh1 to OpenSSH, which allegedly handles v1 and v2 of the SSH protocol. From kreymer@fnal.gov Mon Feb 12 11:04:19 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA09967 for ; Mon, 12 Feb 2001 11:04:18 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N0007WM3286@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 11:04:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2C1E@listserv.fnal.gov>; Mon, 12 Feb 2001 11:04:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308104 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 11:04:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2C1D@listserv.fnal.gov>; Mon, 12 Feb 2001 11:04:14 -0600 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N000HEM3284@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 11:04:14 -0600 (CST) Date: Mon, 12 Feb 2001 11:04:12 -0600 (CST) From: Dane 
Skow Subject: Re: 000000000016617 Assigned to CRAWFORD, MATT. In-reply-to: <200102121701.LAA29100@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: ARSystem , "'kerberos-pilot@fnal.gov'" Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 879 On Mon, 12 Feb 2001, Matt Crawford wrote: > There are two things which are intended in the near future (by > summer, say) but not "plans" in the sense of having firm schedules Summer is overly optimistic in my view. Certainly true the schedule has not been made and plans need to be developed. > yet. Plans should develop this month, though. Those two things are > > Put Kerberos on every CD unix-like system, including FNALU, and > > Move from the free ssh1 to OpenSSH, which allegedly handles v1 and v2 > of the SSH protocol. > > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Feb 12 11:44:05 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA14388 for ; Mon, 12 Feb 2001 11:44:04 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N000OONXE9J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 11:44:03 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2CD1@listserv.fnal.gov>; Mon, 12 Feb 2001 11:44:02 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308292 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 11:44:02 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2CCF@listserv.fnal.gov>; Mon, 12 Feb 2001 11:44:02 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) 
with ESMTP id <0G8N000RSNXA84@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 11:44:02 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <1M2PGWNN>; Mon, 12 Feb 2001 11:43:57 -0600 Content-return: allowed Date: Mon, 12 Feb 2001 11:43:49 -0600 From: ARSystem Subject: CRAWFORD, MATT #16617 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133FCE@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 880 Thank you for your assistance. Help Desk ticket #000000000016617 has been resolved on 2/12/01 11:39:00 AM Resolution Timestamp: : 2/12/01 11:04:52 AM Solution Category : Information Request Problem Category : Software Type : Utilities Item : Kerberos Short Description : Kerberos or SSH2 on FNALU Linux nodes? Solution : There are two things which are intended in the near future but not "plans" in the sense of having firm schedules yet. Plans should develop this month, though. Those two things are Put Kerberos on every CD unix-like system, including FNALU, and Move from the free ssh1 to OpenSSH, which allegedly handles v1 and v2 of the SSH protocol. Problem Description : Is there a plan in the near future to make either Kerberos or SSH2 access to the FNALU Linux nodes available? 
best regards, Marc Marc Paterno / CD Special Assignments paterno@fnal.gov (630) 840-4532 WH6E-36 (630) 840-2215 D0 5th floor (630) 840-6457 CDF Trailer 169F http://home.fnal.gov/~paterno/ From kreymer@fnal.gov Mon Feb 12 12:10:49 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA16867 for ; Mon, 12 Feb 2001 12:10:48 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N000PAOWRWD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 12:05:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2D2B@listserv.fnal.gov>; Mon, 12 Feb 2001 12:05:17 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308389 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 12:05:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2D2A@listserv.fnal.gov>; Mon, 12 Feb 2001 12:05:16 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00MS3OVTV4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 12:05:15 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <1M2PGWN5>; Mon, 12 Feb 2001 12:04:36 -0600 Content-return: allowed Date: Mon, 12 Feb 2001 12:04:15 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76133FDB@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 881 This reminder created on 2/12/01 12:03:09 PM Ticket 16559 has been 
assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Type : Utilities Item : Kerberos Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshs my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Feb 12 12:27:35 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA20853 for ; Mon, 12 Feb 2001 12:27:35 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N000SUPXX9B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 12:27:34 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2EDB@listserv.fnal.gov>; Mon, 12 Feb 2001 12:27:33 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 308832 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 12:27:33 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E2EDA@listserv.fnal.gov>; Mon, 12 Feb 2001 12:27:33 -0600 Received: from lotus.phys.nwu.edu ([129.105.21.210]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N001Q8PXW0S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 12:27:32 -0600 (CST) Received: from fnal.gov (turtle.phys.nwu.edu [129.105.21.212]) by lotus.phys.nwu.edu (8.9.3/8.8.7) with ESMTP id MAA01175; Mon, 12 Feb 2001 12:27:32 -0600 Date: Mon, 12 Feb 2001 12:27:25 -0600 From: Heidi Schellman Subject: Full kerberos this summer? 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: ARSystem , "'kerberos-pilot@fnal.gov'" Message-id: <3A882B0D.F6D3C148@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200102121701.LAA29100@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 882 Just a possible request - can the full conversion occur after the Snowmass workshop (June 30-July 21). Fermilab is the major organizer for this workshop and a large number of FNAL associated people will be attempting to access the lab computing from ISP's and on unfamiliar systems maintained by overworked FNAL staff. It would be very helpful if one did not also have to worry about getting the whole FNAL community a cryptocard and the correct kerberos client at the same time. Thanks, Heidi Schellman Matt Crawford wrote: > There are two things which are intended in the near future (by > summer, say) but not "plans" in the sense of having firm schedules > yet. Plans should develop this month, though. Those two things are > > Put Kerberos on every CD unix-like system, including FNALU, and > > Move from the free ssh1 to OpenSSH, which allegedly handles v1 and v2 > of the SSH protocol. 
From kreymer@fnal.gov Mon Feb 12 15:25:56 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26003 for ; Mon, 12 Feb 2001 15:25:56 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00C7ZY77NF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 15:25:55 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E31FD@listserv.fnal.gov>; Mon, 12 Feb 2001 15:25:55 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 309689 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 15:25:55 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E31FC@listserv.fnal.gov>; Mon, 12 Feb 2001 15:25:55 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00BCBY76V4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 15:25:54 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA08677 for ; Mon, 12 Feb 2001 15:25:53 -0600
Date: Mon, 12 Feb 2001 15:25:51 -0600
From: "Isabeau's mom"
Subject: rcp on kerberized systems
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3A8854DF.31F164AC@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 883

hi. i have a question about rcp on kerberized systems. first rcp.

on my 2 kerberized systems (rip1 and rip2, which now have kerberos v1_1a installed) i can rcp when i am logged in as myself or as user enstore from rip2 to rip1. however if i am logged in as root, i get the following error (root does have permission to write into /home/berman) -

    rip2.fnal.gov} /usr/krb5/bin/rcp -F rootrcp root@rip1.fnal.gov:/home/berman
    kshd: Permission denied.
    trying normal rcp (/usr/bin/rcp) WARNING: NO ENCRYPTION!
    /usr/krb5/bin/rcp: invalid option -- F
    usage: rcp [-p] f1 f2; or: rcp [-rp] f1 ... fn directory

i am using the -F option as mentioned in the manual, but it does not appear to support it. so i will try it without the option -

    rip2.fnal.gov} /usr/krb5/bin/rcp rootrcp root@rip1.fnal.gov:/home/berman
    kshd: Permission denied.
    trying normal rcp (/usr/bin/rcp) WARNING: NO ENCRYPTION!
    rip1.fnal.gov: Connection refused

i can do rsh's between the nodes. here is the .k5login file on rip1 -

    rip1.fnal.gov} more /root/.k5login
    host/rip1.fnal.gov@PILOT.FNAL.GOV
    host/rip2.fnal.gov@PILOT.FNAL.GOV
    host/rip3.fnal.gov@PILOT.FNAL.GOV
    host/rip4.fnal.gov@PILOT.FNAL.GOV
    host/rip5.fnal.gov@PILOT.FNAL.GOV
    host/rip6.fnal.gov@PILOT.FNAL.GOV
    host/rip7.fnal.gov@PILOT.FNAL.GOV
    host/rip8.fnal.gov@PILOT.FNAL.GOV

what am i doing wrong?

eileen

--
      _\ | | /_
      \\| ============================= |//
    ==O( ===== What do you want? ===== )O==
      _//| ============================= |\\_
       / | | \

From kreymer@fnal.gov Mon Feb 12 15:59:55 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26074 for ; Mon, 12 Feb 2001 15:59:55 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00D9YZRUOY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 15:59:54 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3269@listserv.fnal.gov>; Mon, 12 Feb 2001 15:59:54 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 309806 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 15:59:54 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3268@listserv.fnal.gov>; Mon, 12 Feb 2001 15:59:54 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8N00CG1ZRTZM@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 15:59:53 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA01090; Mon, 12 Feb 2001 15:59:53 -0600 (CST)
Date: Mon, 12 Feb 2001 15:59:53 -0600
From: Matt Crawford
Subject: Re: rcp on kerberized systems
In-reply-to: "12 Feb 2001 15:25:51 CST." <3A8854DF.31F164AC@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102122159.PAA01090@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 884

    rip2.fnal.gov} /usr/krb5/bin/rcp -F rootrcp root@rip1.fnal.gov:/home/berman
    kshd: Permission denied.

This means the kerberos principal you're executing under doesn't have permission to do this thing as that user on that host. Check what principal you're working under with klist.

    trying normal rcp (/usr/bin/rcp) WARNING: NO ENCRYPTION!
    /usr/krb5/bin/rcp: invalid option -- F
    usage: rcp [-p] f1 f2; or: rcp [-rp] f1 ... fn directory

This means that when Kerberos rcp did a fallback to normal rcp, it left argv[0] unchanged and it left the -F option in. Arguably bad things to do, but no harm, just confusion.

> what am i doing wrong?

Perhaps omitting

    kinit -k host/rip1.fnal.gov

From kreymer@fnal.gov Mon Feb 12 17:49:53 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA26267 for ; Mon, 12 Feb 2001 17:49:53 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GHJ4V4YY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 17:49:53 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E354D@listserv.fnal.gov>; Mon, 12 Feb 2001 17:49:53 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 310678 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 17:49:52 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E354C@listserv.fnal.gov>; Mon, 12 Feb 2001 17:49:52 -0600
Received: from dot.phys.unm.edu ([198.59.169.100]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GDR4V3YR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 17:49:52 -0600 (CST)
Received: from dot.phys.unm.edu (IDENT:gold@localhost.localdomain [127.0.0.1]) by dot.phys.unm.edu (8.9.3/8.9.3) with ESMTP id QAA13649; Mon, 12 Feb 2001 16:48:45 -0700
Date: Mon, 12 Feb 2001 16:48:45 -0700
From:
Michael Gold
Subject: cvs host
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: gold@dot.phys.unm.edu
Message-id: <200102122348.QAA13649@dot.phys.unm.edu>
MIME-version: 1.0
X-Mailer: exmh version 2.1.1 10/15/1999
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 885

there is a problem with getting updates from the host cdfcvs.fnal.gov as indicated below.

    fcdfsgi2 176>cvs update
    kshd: Permission denied.
    trying normal rsh (/usr/bsd/rsh) WARNING: NO ENCRYPTION!
    Illegal option -- f
    usage: rsh [ -l username ] [ -n ] host command
    usage: rsh host [ -l username ] [ -n ] command
           rsh [ -n ] username@host command
           rsh username@host [ -n ] command
    cvs [update aborted]: end of file from server (consult above messages if any)

From kreymer@fnal.gov Mon Feb 12 17:57:48 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA26273 for ; Mon, 12 Feb 2001 17:57:48 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GGM58AYU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 17:57:47 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3562@listserv.fnal.gov>; Mon, 12 Feb 2001 17:57:47 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 310704 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 17:57:47 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3560@listserv.fnal.gov>; Mon, 12 Feb 2001 17:57:47 -0600
Received: from d0mino.fnal.gov ([131.225.224.45]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GIH58AZ5@smtp.fnal.gov>; Mon, 12 Feb 2001 17:57:46 -0600 (CST)
Received: from localhost (davisg@localhost) by d0mino.fnal.gov
(SGI-8.9.3/8.9.3) with ESMTP id RAA13123; Mon, 12 Feb 2001 17:57:46 -0600 (CST)
Date: Mon, 12 Feb 2001 17:57:46 -0600
From: Gregory Arthur Davis
Subject: Security breach at EAOC (and elsewhere?)
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov, computer-security@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: d0mino.fnal.gov: davisg owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 886

To whom it may concern,

I just spoke to Margaret on the phone about this issue and she asked me to lay it out in an email.

The Kerberos system used at the EAOC computer classroom has a strange feature that, it seems to me, constitutes a security problem. Logging onto the Windows 2000 machines can be done by anybody because the usernames and passwords are taped to the monitors. Once a user is on the computer, he uses the Kerberos manager to enter his username and kerberos password. After he has done that he closes the Kerberos manager and can connect to any system he is allowed to use without typing a password or using a cryptocard. When he is done, he must remember to open the kerberos manager and kill the tickets to prevent the next person from using his tickets to connect to other machines. Many people probably don't remember so the next user would get the same access they had. This is asking quite a bit from users in a classroom. If they forget, when they are done working they see that no windows are open and they log off. They assume they are safe and they are not. This is bad, but it gets worse.

While I was working on a pc, I accidentally hit the power strip with my foot shutting the pc off. When I turned it back on, my tickets were still valid. This means that if there is a power outage, when the power returns, anybody can sit down at that computer and access whatever the previous person could access. The only defense is to stay by the pc until the power returns or the ticket times out because the user can not possibly kill the ticket without access to the computer.

Gregory Davis

From kreymer@fnal.gov Mon Feb 12 17:58:33 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA26277 for ; Mon, 12 Feb 2001 17:58:33 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GIK59KZ5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 17:58:32 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3566@listserv.fnal.gov>; Mon, 12 Feb 2001 17:58:32 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 310708 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 17:58:32 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E3565@listserv.fnal.gov>; Mon, 12 Feb 2001 17:58:32 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GEX59JZ1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 17:58:31 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA02173; Mon, 12 Feb 2001 17:58:30 -0600 (CST)
Date: Mon, 12 Feb 2001 17:58:30 -0600
From: Matt Crawford
Subject: Re: cvs host
In-reply-to: "12 Feb 2001 16:48:45 MST." <200102122348.QAA13649@dot.phys.unm.edu>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Gold
Cc: kerberos-pilot@fnal.gov
Message-id: <200102122358.RAA02173@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 887

> there is a problem with getting updates from the host
> cdfcvs.fnal.gov as indicated below.
>
>
> fcdfsgi2 176>cvs update
> kshd: Permission denied.
> trying normal rsh (/usr/bsd/rsh) WARNING: NO ENCRYPTION!
> Illegal option -- f

What's your CVS_RSH? Some script that invokes the kerberos rsh command with a "-f" to forward tickets? The kerberos access is denied and the same arguments are not accepted by plain rsh.

You have several choices how to fix the problem:

1. Make a script that doesn't involve giving kerberos-only arguments to rsh.

2. Ask the CVS maintainer to give you kerberos access to the repository.

3. Prod the CVS maintainer to move to Kerberos v1_1 and the new cvsh product, and then take "-f" out of the main CVS_RSH script, since there will no longer be a need to forward tickets.

From kreymer@fnal.gov Mon Feb 12 19:03:27 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id TAA26358 for ; Mon, 12 Feb 2001 19:03:27 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GTK89QYL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 19:03:26 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E360C@listserv.fnal.gov>; Mon, 12 Feb 2001 19:03:27 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 310901 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 19:03:27 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E360B@listserv.fnal.gov>; Mon, 12 Feb 2001 19:03:26 -0600
Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00GNL89PY7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 19:03:25 -0600 (CST)
Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3)
with ESMTP id TAA26354; Mon, 12 Feb 2001 19:03:25 -0600
Date: Mon, 12 Feb 2001 19:03:25 -0600 (CST)
From: Art Kreymer
Subject: Re: cvs host
In-reply-to: <200102122348.QAA13649@dot.phys.unm.edu>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Gold
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 888

I have registered you for access via kerberos (at about 18:50). (There is no non-kerberos rsh access to the repository)

Try again, there are new and more helpful error messages to help diagnose these problems, just installed this afternoon.

From kreymer@fnal.gov Mon Feb 12 21:22:00 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA26593 for ; Mon, 12 Feb 2001 21:22:00 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O00M5OEONS0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Feb 2001 21:22:00 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E36D3@listserv.fnal.gov>; Mon, 12 Feb 2001 21:21:59 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 311131 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Feb 2001 21:21:59 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E36D2@listserv.fnal.gov>; Mon, 12 Feb 2001 21:21:59 -0600
Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8O0001FEONH2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Feb 2001 21:21:59 -0600 (CST)
Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id VAA50196; Mon, 12 Feb 2001 21:21:59 -0600 (CST)
Date:
Mon, 12 Feb 2001 21:21:59 -0600 (CST)
From: "David J. Fagan"
Subject: Re: Security breach at EAOC (and elsewhere?)
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Gregory Arthur Davis
Cc: kerberos-pilot@fnal.gov
Message-id: <200102130321.VAA50196@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=iso-8859-1
Precedence: normal
In-hurl-to: (Your message of Mon, 12 Feb 2001 17:57:46 CST.)
X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id VAA26593
Status: RO
X-Status:
X-Keywords:
X-UID: 889

They need to get out more paper and tape, when you create the new principal profile always select memory cache. I don't understand why this isn't the default or if it can be via a configuration.

-------------------------------------------------------------------------------
David J. Fagan                        | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison                           | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Monday, Gregory Arthur Davis:
> To whom it may concern,
>
> I just spoke to Margaret on the phone about this issue and she asked me
> to lay it out in an email.
>
> The Kerberos system used at the EAOC computer classroom has a strange
> feature that, it seems to me, constitutes a security problem. Logging
> onto the Windows 2000 machines can be done by anybody because the
> usernames and passwords are taped to the monitors. Once a user is on the
> computer, he uses the Kerberos manager to enter his username and kerberos
> password. After he has done that he closes the Kerberos manager and can
> connect to any system he is allowed to use without typing a password or
> using a cryptocard. When he is done, he must remember to open the
> kerberos manager and kill the tickets to prevent the next person from
> using his tickets to connect to other machines. Many people probably
> don't remember so the next user would get the same access they had. This
> is asking quite a bit from users in a classroom. If they forget, when they
> are done working they see that no windows are open and they log off.
> They assume they are safe and they are not. This is bad, but it gets
> worse.
>
> While I was working on a pc, I accidentally hit the power strip with my
> foot shutting the pc off. When I turned it back on, my tickets were still
> valid. This means that if there is a power outage, when the power
> returns, anybody can sit down at that computer and access whatever the
> previous person could access. The only defense is to stay by the pc until
> the power returns or the ticket times out because the user can not
> possibly kill the ticket without access to the computer.
>
> Gregory Davis

From kreymer@fnal.gov Thu Feb 15 12:26:58 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA04111 for ; Thu, 15 Feb 2001 12:26:58 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8T00LTL9WX9V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 15 Feb 2001 12:26:58 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E61F8@listserv.fnal.gov>; Thu, 15 Feb 2001 12:26:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 323564 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 15 Feb 2001 12:26:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E61F7@listserv.fnal.gov>; Thu, 15 Feb 2001 12:26:57 -0600
Received: from
csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8T00LJ39WW4Y@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 15 Feb 2001 12:26:57 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Thu, 15 Feb 2001 12:26:56 -0600
Content-return: allowed
Date: Thu, 15 Feb 2001 12:26:54 -0600
From: ARSystem
Subject: 000000000016699 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761342EB@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 890

CRAWFORD, MATT, Help Desk Ticket #000000000016699 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: Kerberos
Badge # (+) : 12132N
First Name : TOM
Last Name (+) : JORDAN
Phone : 4035
E-Mail Address : JORDANT@FNAL.GOV
Incident Time : 2/15/01 12:20:01 PM
System Name :
Urgency : Medium

Public Work Log :
2/15/01 12:23:22 PM blomberg
Can you assist?

Problem Description :
I cannot find krb5.conf nor krb.realms in /etc on my fnalu account. I did copy /etc/krb.conf file that I found there into my system's /etc. Do I need the others? If so where are they?
Best,
Tom

From kreymer@fnal.gov Wed Feb 14 12:57:34 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14903 for ; Wed, 14 Feb 2001 12:57:34 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8R00069GNWP9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 14 Feb 2001 12:57:34 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E5455@listserv.fnal.gov>; Wed, 14 Feb 2001 12:57:33 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 319643 for UPS@LISTSERV.FNAL.GOV; Wed, 14 Feb 2001 12:57:33 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E5454@listserv.fnal.gov>; Wed, 14 Feb 2001 12:57:33 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8R0021MGNWE2@smtp.fnal.gov> for ups@listserv.fnal.gov (ORCPT ups@fnal.gov); Wed, 14 Feb 2001 12:57:32 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <1M2PGW9W>; Wed, 14 Feb 2001 12:57:32 -0600
Content-return: allowed
Date: Wed, 14 Feb 2001 12:57:21 -0600
From: ARSystem
Subject: CC: Help Desk Ticket 000000000016571 Has Been Updated.
Sender: owner-ups@listserv.fnal.gov
To: "'ups@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761341FF@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 891

Help Desk Ticket #000000000016571 has been updated by trb.

Ticket # : 000000000016571
First Name : LYNN
Last Name (+) : GARREN
Phone : 2061
E-Mail Address : GARREN@FNAL.GOV
Short Description : batch job will not run

Public Work Log :
2/12/01 10:49:03 AM mengel
The following was e-mailed to the Requester:
It would appear that we have developed a bug in the setups.csh script in the code that's supposed to realize the wrong flavor of ups is setup. As a workaround, you can unsetenv SETUP_UPS UPS_DIR before submitting a cross-platform batch job. I'll get started on ups v4_5_3a with a patch for this bug.

2/14/01 12:53:05 PM trb
From: "Lynn Garren"
To: "ARSystem"
Cc:
Subject: Re: Help Desk Ticket 16571 Has Been Resolved.
Date: Wednesday, February 14, 2001 12:43 PM
Thank you! I am now able to submit my job.
Lynn

Problem Description :
I am attempting to submit a batch job to fsgi03 from fdei01. The job fails before executing a single line:
/afs/fnal.gov/ups/ups/v4_5_3/OSF1+V4/bin/ups: Exec format error. Binary file not executable. : No such file or directory.
This is apparently coming from my .cshrc. The script is ~bphyslib/distrib/run_update_batch
How can I successfully submit a job from a platform other than the one I need to run on????????

Create Date : 2/8/01 2:04:24 PM

New Work Log Entry :
From: "Lynn Garren"
To: "ARSystem"
Cc:
Subject: Re: Help Desk Ticket 16571 Has Been Resolved.
Date: Wednesday, February 14, 2001 12:43 PM
Thank you! I am now able to submit my job.
Lynn

From kreymer@fnal.gov Fri Feb 16 11:47:28 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA27588 for ; Fri, 16 Feb 2001 11:47:27 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V006PR2R2RZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Feb 2001 11:47:26 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E710A@listserv.fnal.gov>; Fri, 16 Feb 2001 11:47:26 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 327836 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Feb 2001 11:47:26 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E7109@listserv.fnal.gov>; Fri, 16 Feb 2001 11:47:26 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V00D9Q2R198@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Feb 2001 11:47:25 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 16 Feb 2001 11:47:25 -0600
Content-return: allowed
Date: Fri, 16 Feb 2001 11:47:24 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 16699 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76134399@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 892

16699 has been updated by blomberg.

Short Description : Kerberos

New Work Log Entry :
From: "Thomas Jordan"
To: "ARSystem"
Cc:
Subject: Re: Help Desk Ticket 000000000016699
Date: Friday, February 16, 2001 11:25 AM
Anyone there?
From kreymer@fnal.gov Fri Feb 16 16:26:06 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA09990 for ; Fri, 16 Feb 2001 16:26:06 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V00833FNHL0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Feb 2001 16:26:05 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74C5@listserv.fnal.gov>; Fri, 16 Feb 2001 16:26:05 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 328886 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Feb 2001 16:26:05 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74C4@listserv.fnal.gov>; Fri, 16 Feb 2001 16:26:05 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V00835FNGHF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Feb 2001 16:26:04 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA00226; Fri, 16 Feb 2001 16:26:04 -0600 (CST)
Date: Fri, 16 Feb 2001 16:26:03 -0600
From: Matt Crawford
Subject: Re: 000000000016699 Assigned to CRAWFORD, MATT.
In-reply-to: "15 Feb 2001 12:26:54 CST." <318CC3D38BE0D211BB1200105A093F761342EB@csdserver2.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200102162226.QAA00226@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 893

I have no clear idea of what this person is trying to do or what machine he's trying to do it to. If he's setting up an AFS client, he should talk to an AFS person for help.

If he is setting up Kerberos (v5), the /etc/krb5.conf (not krb.conf and not krb.realms) should have come along with the installation, as part of the prerequisite krb5conf product. In any case, it won't be found on fnalu since that machine doesn't have Kerberos v5 on it. (Yet.)

From kreymer@fnal.gov Fri Feb 16 16:32:58 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA10016 for ; Fri, 16 Feb 2001 16:32:58 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V0077UFYVKP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Feb 2001 16:32:57 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74EC@listserv.fnal.gov>; Fri, 16 Feb 2001 16:32:56 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 328928 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Feb 2001 16:32:56 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74E9@listserv.fnal.gov>; Fri, 16 Feb 2001 16:32:55 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V0079EFYSV9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Feb 2001 16:32:55 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 16 Feb 2001 16:32:51 -0600
Content-return: allowed
Date: Fri, 16 Feb 2001 16:32:50 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 16699 Has Been Updated.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761343CE@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 894

16699 has been updated by blomberg.

Short Description : Kerberos

New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem"
Cc:
Subject: Re: 000000000016699 Assigned to CRAWFORD, MATT.
Date: Friday, February 16, 2001 4:26 PM
I have no clear idea of what this person is trying to do or what machine he's trying to do it to. If he's setting up an AFS client, he should talk to an AFS person for help.
If he is setting up Kerberos (v5), the /etc/krb5.conf (not krb.conf and not krb.realms) should have come along with the installation, as part of the prerequisite krb5conf product. In any case, it won't be found on fnalu since that machine doesn't have Kerberos v5 on it. (Yet.)

From kreymer@fnal.gov Fri Feb 16 16:32:59 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA10020 for ; Fri, 16 Feb 2001 16:32:59 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V0077UFYVKP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Feb 2001 16:32:59 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74F0@listserv.fnal.gov>; Fri, 16 Feb 2001 16:32:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 328932 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Feb 2001 16:32:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.000E74EE@listserv.fnal.gov>; Fri, 16 Feb 2001 16:32:57 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G8V002MSFYTP1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Feb 2001 16:32:55 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Fri, 16 Feb 2001 16:32:53 -0600
Content-return: allowed
Date: Fri, 16 Feb 2001 16:32:51 -0600
From: ARSystem
Subject: Note to requester has been sent - 000000000016699
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761343D0@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 895

The following note has been sent to the requester: JORDAN, TOM

Short Description : Kerberos

Notes to Requester :
I have no clear idea of what this person is trying to do or what machine he's trying to do it to. If he's setting up an AFS client, he should talk to an AFS person for help.
If he is setting up Kerberos (v5), the /etc/krb5.conf (not krb.conf and not krb.realms) should have come along with the installation, as part of the prerequisite krb5conf product. In any case, it won't be found on fnalu since that machine doesn't have Kerberos v5 on it. (Yet.)
From kreymer@fnal.gov Mon Feb 19 07:56:55 2001 -0600
Date: Mon, 19 Feb 2001 07:57:02 -0600
From: Heidi Schellman
Subject: timouts on remote kerberos
To: kerberos-pilot@fnal.gov
Message-id: <3A91262E.44D279BC@fnal.gov>

At Northwestern we have a single machine which is part of the FNAL kerberos system and has services except ssh shut off. I use it as a gateway machine. Occasionally when I do a kinit I get the following messages. Is this a problem on my end or with the kerberos authentication on the FNAL end?

This happened on Saturday, was fine on Sunday, is back this morning.... In the end I get into d0mino but it takes a long time and the error messages are discouraging. And yes, I've checked my clocks.

Heidi

[ermine]$ setup kerberos
[ermine]$ kinit
Password for schellma@PILOT.FNAL.GOV:
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
[schellma@ermine ~]$ telnet d0mino.fnal.gov
Trying 131.225.224.45...
Connected to d0mino.fnal.gov (131.225.224.45).
Escape character is '^]'.

NOTICE TO USERS

Fermilab policy and rules for computing, including appropriate use, may be found at http://www.fnal.gov/cd/main/cpolicy.html

do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
do_ypcall: clnt_call: RPC: Timed out
[ Kerberos V5 accepts you as ``schellma@PILOT.FNAL.GOV'' ]
do_ypcall: clnt_call: RPC: Timed outNeed Help ?: helpdesk@fnal.gov ext. 2345 http://csdserver1.fnal.gov/HelpDesk/cd/
You have mail.
Terminal Type is xterm

From kreymer@fnal.gov Mon Feb 19 09:32:58 2001 -0600
Date: Mon, 19 Feb 2001 09:32:55 -0600
From: Matt Crawford
Subject: Re: timouts on remote kerberos
In-reply-to: "19 Feb 2001 07:57:02 CST." <3A91262E.44D279BC@fnal.gov>
To: Heidi Schellman
Cc: kerberos-pilot@fnal.gov
Message-id: <200102191532.JAA13467@gungnir.fnal.gov>

> do_ypcall: clnt_call: RPC: Timed out

The two little letters "yp" tell the story -- this is a local problem on your system or site network.
Probably your machine is using YP, aka NIS, for host name-to-address resolution and you have a transient problem with your YP server(s). This even fits with it appearing amid your telnet output, since the telnet client doesn't contact a KDC to get a ticket for host/d0mino.fnal.gov until it and d0mino have negotiated the authentication to be used.

From kreymer@fnal.gov Mon Feb 19 11:49:12 2001 -0600
Date: Mon, 19 Feb 2001 11:49:10 -0600 (CST)
From: Dane Skow
Subject: Problems with Wyatt principal on D0mino
To: kerberos-pilot@fnal.gov, d0-admin@fnal.gov
Message-id:

Wyatt and I were testing her problem getting into D0mino via KRB ticket today after our get together. I can login from unferth to d0mino just fine, however wyatt cannot. Here is the trace of the connection attempt steps. Note that D0mino appears to have accepted her credential, but still asked for a challenge afterward. Odd.

dane

bash$ kinit wyatt
Password for wyatt@PILOT.FNAL.GOV:
bash$ klist
Ticket cache: /tmp/krb5cc_1444
Default principal: wyatt@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
02/19/01 11:45:18  02/20/01 13:45:18  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
02/19/01 11:45:18  02/20/01 13:45:18  afs/fnal.gov@PILOT.FNAL.GOV
bash$ telnet d0mino
Trying 131.225.224.45...
Connected to d0mino.fnal.gov (131.225.224.45).
Escape character is '^]'.

NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a Fermilab local network system) that is the property of the United States Government. It is for authorized use only. Users (authorized or unauthorized) have no explicit or implicit expectation of privacy.

Any or all uses of this system and all files on this system may be intercepted, monitored, recorded, copied, audited, inspected, and disclosed to authorized site, Department of Energy and law enforcement personnel, as well as authorized officials of other agencies, both domestic and foreign. By using this system, the user consents to such interception, monitoring, recording, copying, auditing, inspection, and disclosure at the discretion of authorized site or Department of Energy personnel.

Unauthorized or improper use of this system may result in administrative disciplinary action and civil and criminal penalties. By continuing to use this system you indicate your awareness of and consent to these terms and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the conditions stated in this warning.

Fermilab policy and rules for computing, including appropriate use, may be found at http://www.fnal.gov/cd/main/cpolicy.html

[ Kerberos V5 accepts you as ``wyatt@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Press ENTER and compare this challenge to the one on your display:
[16926319]
Enter the displayed response:
telnet> quit
Connection closed.
bash$ kdestroy
bash$ klist
klist: No credentials cache file found (ticket cache /tmp/krb5cc_1444)

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Feb 19 11:59:32 2001 -0600
Date: Mon, 19 Feb 2001 11:57:27 -0600
From: Matt Crawford
Subject: Re: Problems with Wyatt principal on D0mino
In-reply-to: "19 Feb 2001 11:49:10 CST."
To: Dane Skow
Cc: kerberos-pilot@fnal.gov, d0-admin@fnal.gov
Message-id: <200102191757.LAA14521@gungnir.fnal.gov>

> Wyatt and I were testing her problem getting into D0mino via KRB
> ticket today after our get together. I can login from unferth to
> d0mino just fine, however wyatt cannot. [...]
>
> bash$ kinit wyatt
> Password for wyatt@PILOT.FNAL.GOV:
> [...]
> bash$ telnet d0mino
> [...]
> [ Kerberos V5 accepts you as ``wyatt@PILOT.FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> Press ENTER and compare this challenge to the one on your display:
> [16926319]
> Enter the displayed response:
> telnet> quit

What Unix identity were you doing this under? "dane" I bet. The telnet program, in the absence of a "-l user" option, assumes the remote unix id is the same as the local unix id, not the first component of the Kerberos principal. Presuming that wyatt is not in dane's .k5login file on d0mino, this is the straightforward consequence. "Kerberos V5" *does* accept you as ``wyatt@PILOT.FNAL.GOV'', but you have no authorization to log in as dane that way.

Asking for a challenge may be a confusing way for it to handle the mismatch, but plausible.
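Matt's diagnosis turns on two separate decisions: which local account telnet asks for (the client's own Unix user unless -l is given), and whether the authenticated principal is authorized for that account (listed in ~account/.k5login, or mapped to it by the default name rule). The following is an added example, not code from the thread or from MIT Kerberos: a Python model of that authorization step run on the thread's own names, where the .k5login contents, the LOCAL_REALMS set and all function names are constructed for the demonstration.

```python
"""Model of the authorization step Matt describes above. Constructed example,
not code from the thread or from MIT Kerberos.

After Kerberos has authenticated the principal, a Kerberized telnetd still
has to authorize it for one local account:
  1. the telnet client names the account: the -l user if given, otherwise
     the client's own Unix user name;
  2. if ~account/.k5login exists the principal must be listed in it, else it
     must map to the account by the default rule (single component equal to
     the account name, realm in LOCAL_REALMS).
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Sequence, Tuple

# Assumption: PILOT.FNAL.GOV is the host's local realm for the default mapping.
LOCAL_REALMS = frozenset({"PILOT.FNAL.GOV"})


def parse_principal(principal: str) -> Tuple[Tuple[str, ...], str]:
    """Split 'name/instance@REALM' into (components, realm).

    A principal without a realm is rejected so that a bare account name can
    never satisfy an authorization check by accident.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"principal lacks a realm: {principal!r}")
    return tuple(name.split("/")), realm


def telnet_target_account(client_unix_user: str, l_option: Optional[str] = None) -> str:
    """Account the telnet client asks for: '-l user', else the local Unix user."""
    return l_option if l_option else client_unix_user


def principal_may_become(principal: str, account: str,
                         k5login: Optional[Sequence[str]]) -> Tuple[bool, str]:
    """Decide whether `principal` may log in as local `account`.

    `k5login` holds the lines of ~account/.k5login, or None when the file
    does not exist. Returns (allowed, reason).
    """
    components, realm = parse_principal(principal)
    if k5login is not None:
        # .k5login is the complete authorization list; an entry must match
        # the full principal string, realm included.
        entries = {ln.strip() for ln in k5login
                   if ln.strip() and not ln.lstrip().startswith("#")}
        if principal in entries:
            return True, f"{principal} listed in ~{account}/.k5login"
        return False, f"{principal} not listed in ~{account}/.k5login"
    # No .k5login: default mapping. Both checks matter; the same name in a
    # foreign realm must not map onto the local account.
    if realm not in LOCAL_REALMS:
        return False, f"realm {realm} is not local, no default mapping"
    if len(components) != 1 or components[0] != account:
        return False, f"{principal} does not map to local account {account}"
    return True, f"{principal} maps to {account} by the default rule"


@dataclass(frozen=True)
class LoginOutcome:
    account: str
    allowed: bool
    reason: str


def telnet_login(client_unix_user: str, principal: str,
                 k5login_files: Mapping[str, Sequence[str]],
                 l_option: Optional[str] = None) -> LoginOutcome:
    """Which account telnet asks for, and whether the principal gets it.

    `k5login_files` maps account -> .k5login lines for accounts that have the
    file; accounts absent from the mapping have none.
    """
    account = telnet_target_account(client_unix_user, l_option)
    allowed, reason = principal_may_become(principal, account,
                                          k5login_files.get(account))
    return LoginOutcome(account, allowed, reason)


# Constructed: dane's .k5login on d0mino does not list wyatt (Matt's presumption).
D0MINO_K5LOGIN = {"dane": ["dane@PILOT.FNAL.GOV"]}


def thread_scenarios() -> dict:
    """What Dane ran, the same with '-l wyatt', and with wyatt added to .k5login."""
    principal = "wyatt@PILOT.FNAL.GOV"
    return {
        "as_run": telnet_login("dane", principal, D0MINO_K5LOGIN),
        "with_l": telnet_login("dane", principal, D0MINO_K5LOGIN, l_option="wyatt"),
        "k5login_added": telnet_login(
            "dane", principal, {"dane": ["dane@PILOT.FNAL.GOV", principal]}),
    }


if __name__ == "__main__":
    for label, outcome in thread_scenarios().items():
        verdict = "accepted" if outcome.allowed else "refused"
        print(f"{label:14s} account={outcome.account:6s} {verdict}: {outcome.reason}")
```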
From kreymer@fnal.gov Mon Feb 19 12:02:44 2001 -0600
Date: Mon, 19 Feb 2001 12:01:46 -0600 (CST)
From: Dane Skow
Subject: Re: Problems with Wyatt principal on D0mino
In-reply-to: <200102191757.LAA14521@gungnir.fnal.gov>
To: Matt Crawford
Cc: wyatt@fnal.gov, kerberos-pilot@fnal.gov, d0-admin@fnal.gov
Message-id:

Yup. That sounds plausible for this test. Oops.

The problem Wyatt was reporting was that she couldn't get in via her WRQ client on her desktop. Since she's no longer here, I'll have to pass followup testing/reporting to her. Wyatt ?

dane

On Mon, 19 Feb 2001, Matt Crawford wrote:

> > Wyatt and I were testing her problem getting into D0mino via KRB
> > ticket today after our get together. I can login from unferth to
> > d0mino just fine, however wyatt cannot. [...]
> >
> > bash$ kinit wyatt
> > Password for wyatt@PILOT.FNAL.GOV:
> > [...]
> > bash$ telnet d0mino
> > [...]
> > [ Kerberos V5 accepts you as ``wyatt@PILOT.FNAL.GOV'' ]
> > [ Kerberos V5 accepted forwarded credentials ]
> > Press ENTER and compare this challenge to the one on your display:
> > [16926319]
> > Enter the displayed response:
> > telnet> quit
>
> What Unix identity were you doing this under? "dane" I bet. The
> telnet program, in the absence of a "-l user" option, assumes the
> remote unix id is the same as the local unix id, not the first
> component of the Kerberos principal. Presuming that wyatt is not in
> dane's .k5login file on d0mino, this is the straightforward
> consequence. "Kerberos V5" *does* accept you as
> ``wyatt@PILOT.FNAL.GOV'', but you have no authorization to log in as
> dane that way.
>
> Asking for a challenge may be a confusing way for it to handle the
> mismatch, but plausible.
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Feb 19 12:06:58 2001 -0600
Date: Mon, 19 Feb 2001 12:06:45 -0600 (CST)
From: "David J. Fagan"
Subject: Re: Problems with Wyatt principal on D0mino
To: kerberos-pilot@fnal.gov
Message-id: <200102191806.MAA58170@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories
In-hurl-to: (Your message of Mon, 19 Feb 2001 11:49:10 CST.)

Using WRQ on my machine, Wyatt was able to get right in with no problems.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------
On Monday, Dane Skow:

> Wyatt and I were testing her problem getting into D0mino via KRB
> ticket today after our get together. I can login from unferth to
> d0mino just fine, however wyatt cannot. Here is the trace of
> the connection attempt steps. Note that D0mino appears to have
> accepted her credential, but still asked for a challenge afterward.
> Odd.
>
> dane
>
> bash$ kinit wyatt
> Password for wyatt@PILOT.FNAL.GOV:
> bash$ klist
> Ticket cache: /tmp/krb5cc_1444
> Default principal: wyatt@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 02/19/01 11:45:18  02/20/01 13:45:18  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> 02/19/01 11:45:18  02/20/01 13:45:18  afs/fnal.gov@PILOT.FNAL.GOV
> bash$ telnet d0mino
> Trying 131.225.224.45...
> Connected to d0mino.fnal.gov (131.225.224.45).
> Escape character is '^]'.
>
> NOTICE TO USERS
>
> This is a Federal computer (and/or it is directly connected to a
> Fermilab local network system) that is the property of the United
> States Government. It is for authorized use only. Users (authorized
> or unauthorized) have no explicit or implicit expectation
> of privacy.
>
> Any or all uses of this system and all files on this system may
> be intercepted, monitored, recorded, copied, audited, inspected,
> and disclosed to authorized site, Department of Energy and law
> enforcement personnel, as well as authorized officials of other
> agencies, both domestic and foreign. By using this system, the
> user consents to such interception, monitoring, recording, copying,
> auditing, inspection, and disclosure at the discretion of
> authorized site or Department of Energy personnel.
>
> Unauthorized or improper use of this system may result in administrative
> disciplinary action and civil and criminal penalties.
> By continuing to use this system you indicate your awareness of
> and consent to these terms and conditions of use. LOG OFF IMMEDIATELY
> if you do not agree to the conditions stated in this
> warning.
>
> Fermilab policy and rules for computing, including appropriate
> use, may be found at http://www.fnal.gov/cd/main/cpolicy.html
>
>
> [ Kerberos V5 accepts you as ``wyatt@PILOT.FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> Press ENTER and compare this challenge to the one on your display:
> [16926319]
> Enter the displayed response:
> telnet> quit
> Connection closed.
> bash$ kdestroy
> bash$ klist
> klist: No credentials cache file found (ticket cache /tmp/krb5cc_1444)
>
> Dane Skow,
> Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Feb 19 12:08:08 2001 -0600
Date: Mon, 19 Feb 2001 12:06:42 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76134535@csdserver2.fnal.gov>

This reminder created on 2/19/01 12:03:26 PM

Ticket 16559 has been assigned to you.
This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : DANE
Last Name (+) : SKOW
Phone : 4730
E-Mail Address : DANE@FNAL.GOV
Incident Time : 2/7/01 5:02:09 PM
System Name : UNFERTH
Problem Category : Software
Type : Utilities
Item : Kerberos
Urgency : Medium
Short Description : expiring password and screensaver
Problem Description :

I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that.

I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Feb 19 18:33:34 2001 -0600
Date: Mon, 19 Feb 2001 18:33:32 -0600 (CST)
From: Dane Skow
Subject: Re: Problems with Wyatt principal on D0mino
In-reply-to: <200102191806.MAA58170@large.fnal.gov>
To: "David J. Fagan"
Cc: wyatt@fnal.gov, kerberos-pilot@fnal.gov
Message-id:

On Mon, 19 Feb 2001, David J. Fagan wrote:

> Using WRQ on my machine, Wyatt was able to get right in with no problems.

Well, I guess that narrows it down to her client config or a typing problem with the password (CAPSLOCK ?).

dane

>
>
> -------------------------------------------------------------------------------
> David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
> SGI-liaison | Liaison Requests use SGI-liaison@fnal
> Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
> -------------------------------------------------------------------------------
> On Monday,
> Dane Skow:
>
> > Wyatt and I were testing her problem getting into D0mino via KRB
> > ticket today after our get together. I can login from unferth to
> > d0mino just fine, however wyatt cannot. Here is the trace of
> > the connection attempt steps. Note that D0mino appears to have
> > accepted her credential, but still asked for a challenge afterward.
> > Odd.
> >
> > dane
> >
> > bash$ kinit wyatt
> > Password for wyatt@PILOT.FNAL.GOV:
> > bash$ klist
> > Ticket cache: /tmp/krb5cc_1444
> > Default principal: wyatt@PILOT.FNAL.GOV
> >
> > Valid starting     Expires            Service principal
> > 02/19/01 11:45:18  02/20/01 13:45:18  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> > 02/19/01 11:45:18  02/20/01 13:45:18  afs/fnal.gov@PILOT.FNAL.GOV
> > bash$ telnet d0mino
> > Trying 131.225.224.45...
> > Connected to d0mino.fnal.gov (131.225.224.45).
> > Escape character is '^]'.
> >
> > NOTICE TO USERS
> >
> > This is a Federal computer (and/or it is directly connected to a
> > Fermilab local network system) that is the property of the United
> > States Government. It is for authorized use only. Users (authorized
> > or unauthorized) have no explicit or implicit expectation
> > of privacy.
> >
> > Any or all uses of this system and all files on this system may
> > be intercepted, monitored, recorded, copied, audited, inspected,
> > and disclosed to authorized site, Department of Energy and law
> > enforcement personnel, as well as authorized officials of other
> > agencies, both domestic and foreign. By using this system, the
> > user consents to such interception, monitoring, recording, copying,
> > auditing, inspection, and disclosure at the discretion of
> > authorized site or Department of Energy personnel.
> >
> > Unauthorized or improper use of this system may result in administrative
> > disciplinary action and civil and criminal penalties.
> > By continuing to use this system you indicate your awareness of
> > and consent to these terms and conditions of use. LOG OFF IMMEDIATELY
> > if you do not agree to the conditions stated in this
> > warning.
> >
> > Fermilab policy and rules for computing, including appropriate
> > use, may be found at http://www.fnal.gov/cd/main/cpolicy.html
> >
> >
> > [ Kerberos V5 accepts you as ``wyatt@PILOT.FNAL.GOV'' ]
> > [ Kerberos V5 accepted forwarded credentials ]
> > Press ENTER and compare this challenge to the one on your display:
> > [16926319]
> > Enter the displayed response:
> > telnet> quit
> > Connection closed.
> > bash$ kdestroy
> > bash$ klist
> > klist: No credentials cache file found (ticket cache /tmp/krb5cc_1444)
> >
> > Dane Skow,
> > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Tue Feb 20 08:51:12 2001 -0600
Date: Tue, 20 Feb 2001 08:51:10 -0600
From: Gerald Guglielmo
Subject: kcroninit problem
To: kerberos-pilot@fnal.gov
Reply-to: gug@fnal.gov
Message-id: <3A92845E.7A926D2C@fnal.gov>
Organization: FNAL CD/ODS

Hi,

I was having trouble with kcroninit failing to create a nonempty file in /var/adm/krb5 area yesterday. The version of kcroninit appears to be v0_6 for Linux. This morning comparing the directory permissions Matt Crawford sent me last summer when I had the same problem on another node, I found that the permissions on /var differed. By executing as root:

chmod g+s /var

removing the /var/adm directory structure and then rerunning kcroninit the problem was solved. I do not know if removing /var/adm was necessary.

This shouldn't have been necessary. Is there some part of the initial kerberos installation that is supposed to change permissions on /var?

--
-Jerry-> gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
From kreymer@fnal.gov Tue Feb 20 09:57:52 2001 -0600
Date: Tue, 20 Feb 2001 09:57:49 -0600
From: Gerald Guglielmo
Subject: installed kerberos v1_1a but now ssh refused
To: kerberos-pilot@fnal.gov
Message-id: <3A9293FD.99D76C28@fnal.gov>

Hi,

I am having trouble with ssh connections to a newly kerberized machine. I
thought it was installed as keep ssh, but connections are failing with
permission denied. Is there a configuration file to check to see if ssh is
still allowed, or is there some incompatibility going on? I compared the
hosts.allow and hosts.deny to the ones on a node where ssh still works and
they look the same for ssh. Here is a capture of an ssh attempt:

odsgug}(g023) ssh -l gug odsgug -v
SSH Version 1.2.27 [i686-unknown-linux], protocol version 1.5.
Standard version.  Does not use RSAREF.
odsgug.fnal.gov: Reading configuration data /etc/ssh_config
odsgug.fnal.gov: ssh_connect: getuid 1533 geteuid 1533 anon 1
odsgug.fnal.gov: Connecting to odsgug [131.225.80.7] port 22.
odsgug.fnal.gov: Connection established.
odsgug.fnal.gov: Remote protocol version 1.5, remote software version 1.2.27
odsgug.fnal.gov: Waiting for server public key.
odsgug.fnal.gov: Received server public key (768 bits) and host key (1024 bits).
odsgug.fnal.gov: Host 'odsgug' is known and matches the host key.
odsgug.fnal.gov: Initializing random; seed file /afs/fnal.gov/files/home/room1/gug/.ssh/random_seed
odsgug.fnal.gov: Encryption type: idea
odsgug.fnal.gov: Sent encrypted session key.
odsgug.fnal.gov: Installing crc compensation attack detector.
odsgug.fnal.gov: Received encrypted confirmation.
odsgug.fnal.gov: Remote: AFS token accepted (afs@fnal.gov, AFS ID 1533@fnal.gov)
odsgug.fnal.gov: Trying Kerberos authentication.
Permission denied.

-- 
-Jerry-> gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."
From kreymer@fnal.gov Tue Feb 20 10:28:25 2001 -0600
Date: Tue, 20 Feb 2001 10:28:22 -0600
From: Gerald Guglielmo
Subject: Re: installed kerberos v1_1a but now ssh refused
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <3A929B26.49026625@fnal.gov>

Hi,

Thanks, that was the file to fix. It is now accepting ssh connections again.

Glenn Cooper wrote:
>
> Hi Jerry,
>
> ssh connections are controlled by /etc/sshd_config. The installation
> should have saved the old version. The key changes are probably the
> lines:
>
> RhostsAuthentication no
> RhostsRSAAuthentication no
> RSAAuthentication no
> KerberosOrLocalPasswd no
>
> where "no" used to be "yes" in each case.
>
> Cheers,
> Glenn

-- 
-Jerry-> gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."

From kreymer@fnal.gov Wed Feb 21 10:41:14 2001 -0600
Date: Wed, 21 Feb 2001 10:41:12 -0600
From: Glenn Cooper
Subject: Using Kerberos through a home switch?
To: kerberos-pilot@fnal.gov

We have had several questions from users who have a small home network, with
(e.g.) a Linksys switch providing address translation to the 2-3 home nodes.
I know that NAT at the ISP, where the user can't control it, pretty well kills
any chance of authenticating. Is there something the user can set up on
his/her home switch to get around this? I would hate to have to tell all our
most sophisticated users, who are most likely to do this kind of thing, that
they are stuck with using a CryptoCard from home.

Thanks,
Glenn

From kreymer@fnal.gov Wed Feb 21 10:50:44 2001 -0600
Date: Wed, 21 Feb 2001 10:50:40 -0600 (CST)
From: "David J. Fagan"
Subject: Re: Using Kerberos through a home switch?
To: kerberos-pilot@fnal.gov
Message-id: <200102211650.KAA72503@large.fnal.gov>

Use a proxy gateway. At the end of the [libdefaults] section put

    proxy_gateway = what.your.ip.is

This will get credentials for that IP vs. the private 192.168 one you are
using. The behavior of this is different, however, between telnet and
slogins. Why, I have no clue. slogin works just fine, but with telnet it will
not forward credentials and you will have to do a klog (kinit) to access the
AFS files.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Wednesday, Glenn Cooper:
> We have had several questions from users who have a small home
> network, with (e.g.) a Linksys switch providing address translation to
> the 2-3 home nodes. I know that NAT at the ISP, where the user can't
> control it, pretty well kills any chance of authenticating. Is there
> something the user can set up on his/her home switch to get around
> this? I would hate to have to tell all our most sophisticated users,
> who are most likely to do this kind of thing, that they are stuck with
> using a CryptoCard from home.
>
> Thanks,
> Glenn

From kreymer@fnal.gov Wed Feb 21 12:20:52 2001 -0600
Date: Wed, 21 Feb 2001 12:20:49 -0600
From: Matt Crawford
Subject: Re: Using Kerberos through a home switch?
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200102211820.MAA28340@gungnir.fnal.gov>

> We have had several questions from users who have a small home
> network, with (e.g.)
> a Linksys switch providing address translation to
> the 2-3 home nodes.

s/providing/inflicting/

> I know that NAT at the ISP, where the user can't control it, pretty
> well kills any chance of authenticating. Is there something the
> user can set up on his/her home switch to get around this?

No matter where the NAT is happening, if there's a fixed name that goes with
the IP address that the outside world will see as the source of your packets,
put that name in the krb5.conf file under the [libdefaults] section:

    proxy_gateway = cust1735.evil-natting-isp.net

or whatever.

> I would hate to have to tell all our most sophisticated users, who
> are most likely to do this kind of thing, that they are stuck with
> using a CryptoCard from home.

No, they're your second-most sophisticated users. The truly wise get an
address per host.

From kreymer@fnal.gov Wed Feb 21 12:32:03 2001 -0600
Date: Wed, 21 Feb 2001 12:32:00 -0600
From: Matt Crawford
Subject: Re: Using Kerberos through a home switch?
In-reply-to: <200102211650.KAA72503@large.fnal.gov>
To: "David J. Fagan"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102211832.MAA28543@gungnir.fnal.gov>

> The behavior of this is different however between telnet and
> slogins. Why I have no clue. slogin works just fine but with
> telnet it will not forward credentials and you will have to do a
> klog (kinit) to access the AFS files.

It works for me. I pretended I had NAT by doing the following. I added

    proxy_gateway = ossbud.fnal.gov

to my krb5.conf. I did a kinit to get a new ticket. I copied the resulting
credential cache to ossbud. Then on ossbud I set my KRB5CCNAME to the copied
file and did "telnet -f bldlinux61". The ticket was indeed forwarded.
From kreymer@fnal.gov Wed Feb 21 15:33:05 2001 -0600
Date: Wed, 21 Feb 2001 15:32:22 -0600
From: "Isabeau's mom"
Subject: 2 questions
To: kerberos-pilot@fnal.gov
Message-id: <3A9433E6.1F541F88@fnal.gov>

hi, i have 2 questions.

1) the maximum time for which a ticket can be renewed is 7 days.
   is this a fermi imposed limit or a kerberos limit?
   if fermi, why was this limit chosen?

2) a user noticed that when using his palm-based cryptocard software
   to login to a node, the ticket that he was given was not
   automatically forwardable. is this also true of cryptocard
   logins? is this a config option that can be changed on the
   node that is being logged on to, or a feature of the software?

thanks,
eileen

-- 
 _\ | | /_
  \\| ============================= |//
==O( ===== What do you want? ===== )O==
 _//| ============================= |\\_
  / | | \

From kreymer@fnal.gov Wed Feb 21 15:43:05 2001 -0600
Date: Wed, 21 Feb 2001 15:43:04 -0600
From: Matt Crawford
Subject: Re: 2 questions
In-reply-to: <3A9433E6.1F541F88@fnal.gov>
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200102212143.PAA29496@gungnir.fnal.gov>

> 1) the maximum time for which a ticket can be renewed is 7 days.
>    is this a fermi imposed limit or a kerberos limit?
>    if fermi, why was this limit chosen?

It was the result of long haggling between the pro-convenience and the
pro-security sides. We know that DES encryption can be broken in a matter of
days by someone willing to expend the computrons. (Someone with some skill and
money did it in his living room in about 4 days.) 7 days seems long enough for
any plausible background job to have to run.

> 2) a user noticed that when using his palm-based cryptocard software
>    to login to a node, the ticket that he was given was not
>    automatically forwardable. is this also true of cryptocard
>    logins? is this a config option that can be changed on the
>    node that is being logged on to, or a feature of the software?

This is a config option that can be changed on each host. Look in
/etc/krb5.conf under [appdefaults] for the login = { ... } block and put
"forwardable = true" in there.

    [appdefaults]
        ( blah blah blah ...)
        login = {
            krb5_run_aklog = true
            krb5_get_tickets = true
            krb4_get_tickets = false
            krb4_convert = false
            forwardable = true
        }
        (blah blah ...)
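The two krb5.conf edits recommended in this thread (proxy_gateway under [libdefaults] for hosts behind NAT, and forwardable = true inside the [appdefaults] login = { ... } block so tickets issued at login can be forwarded) can be checked mechanically before a user reports "telnet won't forward" or "Permission denied". The block below is an added example, not code from the list or from Fermilab's Kerberos product: parse_krb5_conf, audit and the two sample configurations are constructed here, and the hostname and relation names are the ones quoted in the thread.

```python
"""Check a krb5.conf for the two settings discussed in the thread:
proxy_gateway in [libdefaults] (hosts behind NAT) and forwardable = true
in the [appdefaults] login = { ... } block.  Added example; constructed."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
TRUE_VALUES = ("true", "yes", "1", "on")   # boolean spellings accepted here


def parse_krb5_conf(text):
    """Parse krb5.conf text into {section: {key: value-or-nested-dict}}.

    Handles 'key = value', nested 'key = {' ... '}' relation blocks, blank
    lines and comment lines beginning with '#' or ';'.  Raises ValueError on
    unbalanced braces or on a relation that appears outside any section."""
    conf = {}
    stack = []                  # dicts currently being filled, innermost last
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = SECTION_RE.match(line)
        if header:
            stack = [conf.setdefault(header.group(1).strip(), {})]
            continue
        if not stack:
            raise ValueError("line %d: relation outside any [section]" % lineno)
        if line == "}":
            if len(stack) == 1:
                raise ValueError("line %d: unmatched '}'" % lineno)
            stack.pop()
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("line %d: expected 'key = value'" % lineno)
        key, value = key.strip(), value.strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))   # open nested block
        else:
            stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError("unclosed '{' block at end of file")
    return conf


def audit(conf, behind_nat=False):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    libdefaults = conf.get("libdefaults", {})
    login = conf.get("appdefaults", {}).get("login")
    if behind_nat and not libdefaults.get("proxy_gateway"):
        findings.append("[libdefaults] has no proxy_gateway: tickets will be "
                        "issued for the private (192.168.x.x) address")
    if not isinstance(login, dict):
        findings.append("[appdefaults] has no login = { ... } block")
    elif login.get("forwardable", "").lower() not in TRUE_VALUES:
        findings.append("[appdefaults] login block lacks forwardable = true: "
                        "tickets obtained at login cannot be forwarded")
    return findings


# Constructed sample: a host with neither setting.
BEFORE_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV

[appdefaults]
    login = {
        krb5_run_aklog = true
        krb5_get_tickets = true
    }
"""

# Constructed sample with both fixes from the thread applied.
AFTER_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
    proxy_gateway = cust1735.evil-natting-isp.net

[appdefaults]
    login = {
        krb5_run_aklog = true
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false
        forwardable = true
    }
"""

if __name__ == "__main__":
    for name, text in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        problems = audit(parse_krb5_conf(text), behind_nat=True)
        print("%s: %s" % (name, "; ".join(problems) or "ok"))
```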
From kreymer@fnal.gov Wed Feb 21 16:05:37 2001 -0600
Date: Wed, 21 Feb 2001 16:04:43 -0600 (CST)
From: Art Kreymer
Subject: Re: 2 questions
In-reply-to: <200102212143.PAA29496@gungnir.fnal.gov>
To: Matt Crawford
Cc: "Isabeau's mom", kerberos-pilot@fnal.gov

If this can be broken in days with private computing resources,
it can be done in hours with global hacker resources,
and probably in minutes within the next few years.

Is there a longer term solution to this problem?

From kreymer@fnal.gov Wed Feb 21 16:29:57 2001 -0600
Date: Wed, 21 Feb 2001 16:24:28 -0600
From: Matt Crawford
Subject: Re: 2 questions
To: Art Kreymer
Cc: "Isabeau's mom", kerberos-pilot@fnal.gov
Message-id: <200102212224.QAA29723@gungnir.fnal.gov>

> If this can be broken in days with private computing resources,

A rich geek's resources (he designed his own ASICs and had them fabricated),
but yes.

> it can be done in hours with global hacker resources,
> and probably in minutes within the next few years.
>
> Is there a longer term solution to this problem?

Yes. 3DES (triple DES) support in Kerberos is almost ready for prime time.
Once it's deployed, you'll get a 3DES key the next time you change your
password. For service keys root would have to do something like

    kadmin -k -p host/mynode.fnal.gov -q "ktadd host/mynode.fnal.gov"

one time to update the service key to 3DES.
From kreymer@fnal.gov Mon Feb 26 12:06:58 2001 -0600
Date: Mon, 26 Feb 2001 12:06:33 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7613E7E4@csdserver2.fnal.gov>

This reminder created on 2/26/01 12:03:31 PM

Ticket 16559 has been assigned to you. This is a reminder that the ticket is
not yet resolved.

Status              : Assigned
First Name          : DANE
Last Name (+)       : SKOW
Phone               : 4730
E-Mail Address      : DANE@FNAL.GOV
Incident Time       : 2/7/01 5:02:09 PM
System Name         : UNFERTH
Problem Category    : Software
Type                : Utilities
Item                : Kerberos
Urgency             : Medium
Short Description   : expiring password and screensaver
Problem Description :

I just ran into something that may be a minor wave of confusion: my password
expired and this means your screensaver lock breaks. Since I run a Linux
screensaver and have the KRB5 PAM module installed, it refreshes my kerberos
ticket (actually gets a new one) every time I unlock my screensaver. This has
the nice feature that I very rarely have to relogin to my box or do an
explicit kinit. However, since there is no error message from the screensaver
(other than refusal to unlock), figuring out the cause of the problem took a
little bit. The error message on an explicit kinit was crystal clear once I
thought to issue that. I saw no reminder that my password was nearly expired.
Is there any mechanism in place now? planned? At a minimum, we should add
this to the helpdesk usual answers (like caps lock and time skew).
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Feb 26 15:08:01 2001 -0600
Date: Mon, 26 Feb 2001 15:08:00 -0600 (CST)
From: Margaret Greaney
Subject: questions about strong authentication document
To: kerberos-pilot@fnal.gov
Cc: mgreaney@fnal.gov

Hello,

after reading the document GG0019 about kerberos, dated February 16, 2001, I
have some questions, and maybe a lot of these have already come up for CDF
and DZero users of kerberos.

thank you,
Margaret

[sec 2.3]
1. When will the transition from PILOT TO FNAL.gov occur?
   Note that during the transition from the PILOT.FNAL.GOV realm to the
   FNAL.GOV realm, you may want to include both your principals (e.g.,
   jenniferp@PILOT.FNAL.GOV and jenniferp@FNAL.GOV)
2. When the transition occurs, will new principals have to be obtained?

[sec 4.2]
The doc states to "relinquish the old login name on each system as it becomes
Kerberized..."
3. What about visitor accounts? Will accounts named visitor1,2, etc. be
   allowed?

[sec 5.2]
Warning! If your on-site Kerberized system accepts a reusable login password
over the network (even on an encrypted connection), this is a violation of the
Fermilab Policy on Computing (see http://www.fnal.gov/cd/main/cpolicy.html).
4. Is this something advanced users would know how to do? This is a very
   confusing statement. What is an example of this? Can one do this by
   mistake?

[sec 5.5.3]
The doc indicates that cryptocard users login code assumes the login and
principal match. You might want to stress this more. It might be a good idea
to let people know that if their cryptocard is locked, it requires a visit to
compdiv to reset it.
5. If I have a palm pilot and am using this in place of a cryptocard, and the
   cryptocard gets locked, can I reset this on the palmpilot or do I have to
   go through compdiv to get it reset? (What if the palmpilot has not been
   backed up?)
6. Is there an xlock specifically for kerberos?

[sec 7.4]
7. Does the account "root" on a machine need a principal in order to run a
   cron job in kerberos with kcroninit? The information in this section looks
   like it addresses kcroninit for non-root accounts.

[sec 7.5]
8. Does the use of kerberized ftp mean that we can no longer use wu-ftp for
   anonymous ftp configurations?

[sec 10.1.2]
9. will we ever need to obtain host and ftp service principals for the root
   account on machines? for the "products" account on machines?
10. Also, the doc indicates for users to contact their CD liaison to request
    host-specific service principals, plus initial passwords for the machine.
    Does that mean that any individual in PPD to whom I now provide support
    will be asking me to obtain their principals? Will we be setting up forms
    like CDF and D0 did to facilitate obtaining principals?

[sec 11.1]
11. How will current backups be affected? Does the fmb product use the
    kerberized version of rsh? On machines where local backup is being done,
    the encrypted backup will take longer. Can we do backups in an
    unencrypted mode? What happens on backups across the net if we can't?
12. Because kerberos installation will be a requirement, will there be a
    requirement for /etc/ and /usr to be backed up? If the kerberos files in
    /etc and /usr are not being backed up by the cluster due to insufficient
    capacity or for some other reason, and the kerberos breaks for some
    reason, can the sysadmin now use this as a reason to get the cluster to
    update their capacity and keep a regular backup of system files?

[sec 11.7.3]
13. I can request that my principal be added to a template in the kerberos
    product?
14. Will there be version conflicts with kerberos as there are now with ssh?
Margaret Greaney                  Telephone: 630-840-4623
Fermilab                          E-mail: mgreaney@fnal.gov
CD/OSS/SCS

From kreymer@fnal.gov Mon Feb 26 16:23:48 2001 -0600
Date: Mon, 26 Feb 2001 16:23:46 -0600
From: Matt Crawford
Subject: Re: questions about strong authentication document
In-reply-to: "26 Feb 2001 15:08:00 CST."
To: Margaret Greaney
Cc: kerberos-pilot@fnal.gov
Message-id: <200102262223.QAA00462@gungnir.fnal.gov>

> [sec 2.3]
> 1. When will the transition from PILOT TO FNAL.gov occur?

It should start in about two weeks.  When it ends is hard to say.
Not too abruptly, yet not too lingeringly.

> 2.
> When the transition occurs, will new principals have to be obtained?

No.  The plan, which has been checked for feasibility but not yet
implemented, will duplicate all user & host principals in the new realm
without so much as a new password.  However, subsequent password changes
in one realm will not be reflected in the new realm!

> 3. What about visitor accounts? Will accounts named visitor1,2,
> etc. be allowed?

What I'd like to see is visitor accounts that automatically expire
something like a week after they are first used.  That magic is not
implemented, though, and other mechanisms to handle visitors are possible.

> [sec 5.2]
> Warning! If your on-site Kerberized system accepts a reusable
> login password over the network (even on an encrypted connection),
> this is a violation of the Fermilab Policy on Computing (see
> http://www.fnal.gov/cd/main/cpolicy.html).
>
> 4. Is this something advanced users would know how to do? This is a very
> confusing statement. What is an example of this?
> Can one do this by mistake?

If you edit inetd.conf and mess with the flags on the kerberos telnetd or
ftpd you could bring about this violation.  A non-root user shouldn't be
able to do that, though.  A more likely instance of the violation would be
to configure sshd to accept a password.

> [sec 5.5.3]
> The doc indicates that cryptocard users login code assumes the login
> and principal match.
> You might want to stress this more.

I suppose.  I worry about talking down to people, though.

> It might be a good idea to let people know that if their cryptocard
> is locked, it requires a visit to compdiv to reset it.

That's on the instruction sheet they get with the card, too.

> 5. If I have a palm pilot and am using this in place of a cryptocard,
> and the cryptocard gets locked, can I reset this on the palmpilot
> or do I have to go through compdiv to get it reset? (What if the palmpilot
> has not been backed up?)
A dirty little secret comes out here: the palmOS version does not lock on
some number of wrong-PIN attempts.  This actually acknowledges the reality
that a determined attacker in possession of your PDA could save and reload
the database as often as necessary, or even copy it to an emulator.  What
saves this from being a fatal flaw is that people take much better care of
their PDA than a hardware cryptocard.

> 6. Is there an xlock specifically for kerberos?

Sort of.  Dane made one work on Linux with a Kerberos PAM, but it's not in
any distribution kit yet.

> [sec 7.4]
> 7. Does the account "root" on a machine need a principal in order
> to run a cron job in kerberos with kcroninit? The information in
> this section looks like it addresses kcroninit for non-root accounts.

Look back in 7.3.2 for the appropriate procedure for root to use.  It's
rather simpler than kcroninit.

> [sec 7.5]
> 8. Does the use of kerberized ftp mean that we can no longer use wu-ftp
> for anonymous ftp configurations?

Yeah.  Bummer, I agree.  You can use wu-ftpd if the server is for anonymous
access *only*.  But until and unless it does Kerberos, it's an either/or.
wu and anonymous-only, or kerberos ftpd with its very limited configuration
knobs.

> [sec 10.1.2]
> 9. will we ever need to obtain host and ftp service principals for
> the root account on machines? for the "products" account on machines?

Those principals aren't for any particular account.  They are the means by
which the host receives and decrypts your proof-of-identity.  A host which
does not offer the ftp service doesn't need the ftp principal.  A host that
doesn't offer the rsh, rlogin or telnet service doesn't need the host
principal.  The only connection to any account is that, since the keytab
for the service key is readable only by root, a process running as root can
use it to authenticate as "host/node.dom.ain".

> 10.
> Also, the doc indicates for users to contact their CD liaison to request
> host-specific service principals, plus initial passwords for the machine.
> Does that mean that any individual in PPD to whom I now provide support
> will be asking me to obtain their principals.

If you're the computing liaison for PPD, then yes.  You can cut your load
in half, I guess, by asking compdiv to give the info directly to the
sysadmin, I suppose.  But it would probably go more smoothly if the info
flowed through you in both directions.

> Will we be setting up
> forms like CDF and D0 did to facilitate obtaining principals?

I don't know.

> [sec 11.1]
> 11. How will current backups be affected?
> Does the fmb product use kerberized version of rsh?

I don't know enough about fmb.  Does it use rsh at all?

> On machines where local backup is being done, the encrypted backup
> will take longer.

Huh?  If it's all local, what's encrypted?  Where does Kerberos enter into
it?

> Can we do backups in an unencrypted mode?
> What happens on backups across the net if we can't?

Assuming your backups do indeed use rsh, there's no need for the data to be
encrypted.  You can specify encrypt = false in krb5.conf, or if it's "true"
there, override that with the "-X" flag.  Unlike ssh, the authentication is
still safe even if the data is in the clear.

> 12. Because kerberos installation will be a requirement, will there
> be a requirement for /etc/ and /usr to be backed up?

No.  The stuff in /usr you get back by re-installing Kerberos.  There are
three important files in /etc: inetd.conf, that should also get fixed up by
a Kerberos re-installation; krb5.conf which is all boilerplate from the
krb5conf product unless you made local customizations; and krb5.keytab
which should NOT be backed up unless the backup media are kept securely.
An adversary in possession of krb5.keytab can impersonate any user -- but
only for purposes of logging in to that one machine.
> If the kerberos files in /etc and /usr are not being backed up
> by the cluster due to insufficient capacity or for some other reason
> and the kerberos breaks for some reason can the sysadmin now use this
> as a reason to get the cluster to update their capacity and keep
> a regular backup of system files?

Uh, that sounds outside of my bailiwick.

> [sec 11.7.3]
> 13. I can request that my principal be added to a template in the kerberos
> product?

You mean, that your favorite DNS domain be added, if you have off-site
Kerberos servers in that domain?  Yes.

> 14. Will there be version conflicts with kerberos as there are now with ssh?

In a word,

    #     #  #######
    ##    #  #     #
    # #   #  #     #
    #  #  #  #     #
    #   # #  #     #
    #    ##  #     #
    #     #  #######

From kreymer@fnal.gov Tue Feb 27 11:55:44 2001 -0600
Date: Tue, 27 Feb 2001 11:55:22 -0600 (CST)
From: "Marc W.
  Mengel"
Subject: Re: questions about strong authentication document
To: Margaret Greaney
Cc: kerberos-pilot@fnal.gov

Well, I can answer a *few* of these...

On Mon, 26 Feb 2001, Margaret Greaney wrote:
> 6. Is there an xlock specifically for kerberos?

There are kerberos versions of xlock.  We are not (yet?) distributing any.

> [sec 7.4]
> 7. Does the account "root" on a machine need a principal in order
> to run a cron job in kerberos with kcroninit? The information in
> this section looks like it addresses kcroninit for non-root accounts.

The root account can get the host principal for the machine it's running
on at any time in a script; so kcron stuff is sort of redundant.

> [sec 7.5]
> 8. Does the use of kerberized ftp mean that we can no longer use wu-ftp
> for anonymous ftp configurations?

No.  It means you cannot use wu-ftp for *non*-anonymous ftp configurations.

> [sec 10.1.2]
> 9. will we ever need to obtain host and ftp service principals for
> the root account on machines? for the "products" account on machines?

There is a host and ftp service principal for a given machine.  These are
the only exceptions to date to the policy that one person owns and is
responsible for each principal.  Any sort of "shared" account should be
accessed via kerberos rsh or ksu, via a .k5login file that lists real
people's principals.  This includes "root", "products", etc.

> 10. Also, the doc indicates for users to contact their CD liaison to request
> host-specific service principals, plus initial passwords for the machine.
> Does that mean that any individual in PPD to whom I now provide support
> will be asking me to obtain their principals. Will we be setting up
> forms like CDF and D0 did to facilitate obtaining principals?

No, that's the request to set up the per-machine principals mentioned
above.
Users get their principals from Yolanda, although I'm sure we *could* set
it up so other specific people could, too.

> [sec 11.1]
> 11. How will current backups be affected?
> Does the fmb product use kerberized version of rsh?
> On machines where local backup is being done, the encrypted backup
> will take longer. Can we do backups in an unencrypted mode?
> What happens on backups across the net if we can't?

The fmb product will use kerberized rsh if it is the first rsh in $PATH,
or if you set $fmb_rsh to the rsh command to use.

One *should* endeavor to
  * not include the /etc/krb5.keytab in the backup,
    (i.e. use "fmb -E etc/krb5.keytab ..." in your root partition backups)
or
  * to regenerate it (so the old one is no longer valid) after the backup.
    (Matt, do you have the kadmin line handy for that?)
so that folks can't steal your host key by reading your backup tape.

> 12. Because kerberos installation will be a requirement, will there
> be a requirement for /etc/ and /usr to be
> backed up? If the kerberos files in /etc and /usr are not being backed up
> by the cluster due to insufficient capacity or for some other reason
> and the kerberos breaks for some reason can the sysadmin now use this
> as a reason to get the cluster to update their capacity and keep
> a regular backup of system files?

All of the kerberos related files (key file, etc.) can be regenerated and
the software can be reinstalled from the ups product; so it does not impose
any new backup requirements.  That is to say, if your / and /usr partitions
get blown away, we can put them back as far as kerberos goes without any of
the data that was on the drives; [except maybe root's .k5login file].

I think Dane is working on a department-wide policy of alternate-root
partitions and required backups for systems we support, but this is not
related to kerberos.

> 14. Will there be version conflicts with kerberos as there are now with ssh?
Eventually -- mainly at some point we will want to upgrade everyone to a
newer version that uses stronger encryption.  But probably not for several
years.

From kreymer@fnal.gov Tue Feb 27 12:12:29 2001 -0600
Date: Tue, 27 Feb 2001 12:10:59 -0600 (CST)
From: Steven Timm
Subject: Re: questions about strong authentication document
To: "Marc W.
  Mengel"
Cc: kerberos-pilot@fnal.gov

> One *should* endeavor to
>   * not include the /etc/krb5.keytab in the backup,
>     (i.e. use "fmb -E etc/krb5.keytab ..." in your root partition backups)
> or
>   * to regenerate it (so the old one is no longer valid) after the backup.
>     (Matt, do you have the kadmin line handy for that?)
> so that folks can't steal your host key by reading your backup tape.

Doesn't this take a new kerberos host/ftp password and waiting on Yolanda
V.?  We had set up the farms so we did save the krb5.keytab file for each
node in a secure place precisely because of this reason.

> That is to say, if your
> / and /usr partitions get blown away, we can put them back as far
> as kerberos goes without any of the data that was on the drives;
> [except maybe root's .k5login file].

How does one reproduce the krb5.keytab file?  This is not something I've
seen in any of the documentation, or realized that it was even possible.

> I think Dane is working on a department-wide policy of alternate-root
> partitions and required backups for systems we support, but this is not
> related to kerberos.
>
> > 14. Will there be version conflicts with kerberos as there are now with ssh?
>
> Eventually -- mainly at some point we will want to upgrade everyone to
> a newer version that uses stronger encryption. But probably not for
> several years.
> Steve Timm

From kreymer@fnal.gov Tue Feb 27 13:44:17 2001 -0600
Date: Tue, 27 Feb 2001 13:43:43 -0600 (CST)
From: Stephan Lammel
Subject: kerberos v1_1 on Sol8 missing lib.so
To: kerberos-pilot@fnal.gov

Dear All,

it looks like the kerberos v1_1 package for Solaris 8 is missing two
shared libraries:

    libinitializer.so => (file not found)
    libcryptosec.so => (file not found)

I was trying a kadmin and...  Should those be in the kerberos package (lib
directory), already on the system, or ?
Thanks, cheers,
Stephan

From kreymer@fnal.gov Tue Feb 27 17:42:09 2001 -0600
Date: Tue, 27 Feb 2001 17:42:52 -0600
From: "Mark O. Kaletka"
Subject: RE: questions about strong authentication document
In-reply-to: <200102262223.QAA00462@gungnir.fnal.gov>
To: Matt Crawford, Margaret Greaney
Cc: kerberos-pilot@fnal.gov

Various comments on various replies...  First Matt's ...
> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Matt
> Crawford
> Sent: Monday, February 26, 2001 4:24 PM
> To: Margaret Greaney
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: questions about strong authentication document
>
> > [sec 2.3]
> > 1. When will the transition from PILOT TO FNAL.gov occur?
>
> It should start in about two weeks.  When it ends is hard to say.
> Not too abruptly, yet not too lingeringly.
>
> > 2. When the transition occurs, will new principals have to be obtained?
>
> No.  The plan, which has been checked for feasibility but not yet
> implemented, will duplicate all user & host principals in the new
> realm without so much as a new password.  However, subsequent
> password changes in one realm will not be reflected in the new realm!

I'll gently suggest (I know Matt has been busy) some details be filled in;
in particular sysadmins (& users) will want to know when the new realm is
expected to be in production and stable, and what (if anything) has to be
changed to move from PILOT.FNAL.GOV to FNAL.GOV (assuming that is the
production realm).

> > 3. What about visitor accounts? Will accounts named visitor1,2,
> > etc. be allowed?
>
> What I'd like to see is visitor accounts that automatically expire
> something like a week after they are first used.  That magic is not
> implemented, though, and other mechanisms to handle visitors are
> possible.

Does this mean "visitor" Kerberos principals or local accounts?

Don't visitor accounts on strengthened systems in general violate our
security policy?  I.e. "All other uses of computers or the networks within
a strengthened realm must be preceded by Kerberos authentication that will
verify the user is either a Fermilab employee or an onsite or offsite user
who has registered with the Users' Office."
(Quoted from "Special Policies and Rules for the Strong Authentication
Realm")  I don't see how this policy is consistent with any form of
allowing visitor accounts on a strengthened realm machine.

>...snip...<

> > [sec 5.5.3]
> > The doc indicates that cryptocard users login code assumes the login
> > and principal match.
> > You might want to stress this more.
>
> I suppose.  I worry about talking down to people, though.

I suppose we have to take this as an acceptable risk, since we're having
to address all levels of users.

>...snip...<

> > 10. Also, the doc indicates for users to contact their CD liaison to request
> > host-specific service principals, plus initial passwords for the machine.
> > Does that mean that any individual in PPD to whom I now provide support
> > will be asking me to obtain their principals.
>
> If you're the computing liaison for PPD, then yes.  You can cut your
> load in half, I guess, by asking compdiv to give the info directly to
> the sysadmin, I suppose.  But it would probably go more smoothly if
> the info flowed through you in both directions.
>
> > Will we be setting up
> > forms like CDF and D0 did to facilitate obtaining principals?
>
> I don't know.

I think this statement derives from wanting people in the pilot phase at
CDF and D0 to coordinate with their respective task force folk to get host
principals.  Ultimately they're all generated by COMPDIV.  For CD/OSS
supported systems, at least, I think we need some discussion on how to
actually accomplish a migration to strong authentication for each of our
client organizations, and this is one of the issues to address.

>...snip...<

> > 12. Because kerberos installation will be a requirement, will there
> > be a requirement for /etc/ and /usr to be backed up?
>
> No.  The stuff in /usr you get back by re-installing Kerberos.
> There are three important files in /etc: inetd.conf, that should also
> get fixed up by a Kerberos re-installation; krb5.conf which is all
> boilerplate from the krb5conf product unless you made local
> customizations; and krb5.keytab which should NOT be backed up unless
> the backup media are kept securely.  An adversary in possession of
> krb5.keytab can impersonate any user -- but only for purposes of
> logging in to that one machine.

Actually I don't think inetd.conf gets "fixed up" by a Kerberos reinstall,
since that will only add the Kerberos-specific lines and comment out their
evil non-Kerberos equivalents.  If there's anything else in inetd.conf,
though, like custom tcpwrappers configs or other services, these wouldn't
necessarily be restored.  So I think you have to back this file up (& I
don't see a problem with doing that).

> > If the kerberos files in /etc and /usr are not being backed up
> > by the cluster due to insufficient capacity or for some other reason
> > and the kerberos breaks for some reason can the sysadmin now use this
> > as a reason to get the cluster to update their capacity and keep
> > a regular backup of system files?
>
> Uh, that sounds outside of my bailiwick.

I think sysadmins will have to address this question with their clients
and managers...

>...snip...<

> > 14. Will there be version conflicts with kerberos as there are
> > now with ssh?
>
> In a word,
>
>     #     #  #######
>     ##    #  #     #
>     # #   #  #     #
>     #  #  #  #     #
>     #   # #  #     #
>     #    ##  #     #
>     #     #  #######

We'll hold you to that, Matt ;-)

Now, comments on Marc's comments:

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Marc W.
> Mengel
> Sent: Tuesday, February 27, 2001 11:55 AM
> To: Margaret Greaney
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: questions about strong authentication document

>...snip...<

> > [sec 10.1.2]
> > 9.
> > will we ever need to obtain host and ftp service principals for
> > the root account on machines? for the "products" account on machines?
>
> There is a host and ftp service principal for a given machine.  These are
> the only exceptions to date to the policy that one person owns and is
> responsible for each principal.  Any sort of "shared" account should be
> accessed via kerberos rsh or ksu, via a .k5login file that lists
> real people's principals.  This includes "root", "products", etc.

Actually there is another class of principal which I believe was
originally set up for CDF to run their "stager" jobs authenticated (and
unattended).  Perhaps Matt or someone can comment on when these kinds of
principals are appropriate?

>...snip...<

> All of the kerberos related files (key file, etc.) can be regenerated
> and the software can be reinstalled from the ups product; so it does
> not impose any new backup requirements.  That is to say, if your
> / and /usr partitions get blown away, we can put them back as far
> as kerberos goes without any of the data that was on the drives;
> [except maybe root's .k5login file].

I believe keytabs would have to be regenerated from a request to COMPDIV;
they wouldn't (of course) be installed by the UPS product.  Yes, that
means effectively a delay to get information back from COMPDIV.  (Hmmm,
is there going to be any facility to do this off-hours on an emergency
basis?  Supposing some very important system was down in the middle of the
night and needed its service principals restored, for e.g.)

>...snip...<

And, finally, Steven's comments:

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm
> Sent: Tuesday, February 27, 2001 12:11 PM
> To: Marc W.
> Mengel
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: questions about strong authentication document
>
> > One *should* endeavor to
> >   * not include the /etc/krb5.keytab in the backup,
> >     (i.e. use "fmb -E etc/krb5.keytab ..." in your root partition backups)
> > or
> >   * to regenerate it (so the old one is no longer valid) after the backup.
> >     (Matt, do you have the kadmin line handy for that?)
> > so that folks can't steal your host key by reading your backup tape.
>
> Doesn't this take a new kerberos host/ftp password and waiting on Yolanda
> V.?
> We had set up the farms so we did save the krb5.keytab file for each
> node in a secure place precisely because of this reason.

Yes, the new keytab file would have to come (indirectly) from Yolanda.  So
storing copies on secure media may be acceptable.  Matt should probably
comment, but I don't believe that violates policy (if done correctly).

> > That is to say, if your
> > / and /usr partitions get blown away, we can put them back as far
> > as kerberos goes without any of the data that was on the drives;
> > [except maybe root's .k5login file].
>
> How does one reproduce the krb5.keytab file?  This is not something
> I've seen in any of the documentation, or realized that it was even
> possible.

I believe the procedure is along the lines of:

Contact COMPDIV to get the password(s) reset on the service principals.
Run the "ups install-hostkeys kerberos" command (and/or read
$KERBEROS_DIR/ups/README.hostkeys).
>...snip...<

From kreymer@fnal.gov Wed Feb 28 01:24:54 2001 -0600
Date: Wed, 28 Feb 2001 07:24:32 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: RE: questions about strong authentication document
To: "Mark O. Kaletka"
Cc: Matt Crawford, Margaret Greaney, kerberos-pilot@fnal.gov

> > > 3. What about visitor accounts? Will accounts named visitor1,2,
> > > etc. be allowed?
> >
> > What I'd like to see is visitor accounts that automatically expire
> > something like a week after they are first used.  That magic is not
> > implemented, though, and other mechanisms to handle visitors are
> > possible.
>
> Does this mean "visitor" Kerberos principals or local accounts?
>
> Don't visitor accounts on strengthened systems in general violate our
> security policy?  I.e. "All other uses of computers or the networks within
> a strengthened realm must be preceded by Kerberos authentication that will
> verify the user is either a Fermilab employee or an onsite or offsite user
> who has registered with the Users' Office."  (Quoted from "Special Policies
> and Rules for the Strong Authentication Realm")  I don't see how this
> policy is consistent with any form of allowing visitor accounts on a
> strengthened realm machine.

This might be a serious issue for CDF depending on how 'visitor' is
defined.  CDF has a 'visiting scientist' programme whereby an institution
who is looking to join CDF but does not yet have sufficient resources can
join as a 'visitor' under a sponsoring institution or group already on
CDF.  If a 'visitor' as defined this way is actually allowed in the
strengthened realm, then we may need to amend the security policy to make
it clear that this category is actually a 'user'.  It's not obvious to me
reading the policy that allowances have actually been made for such a
'visitor'.
Cheers, Todd From kreymer@fnal.gov Wed Feb 28 08:27:16 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA32240 for ; Wed, 28 Feb 2001 08:27:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H001HZ1HE55@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Feb 2001 08:27:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001002ED@listserv.fnal.gov>; Wed, 28 Feb 2001 08:27:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 433858 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Feb 2001 08:27:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001002EC@listserv.fnal.gov>; Wed, 28 Feb 2001 08:27:14 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H001GS1HDJF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Feb 2001 08:27:14 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA06476; Wed, 28 Feb 2001 08:27:13 -0600 Date: Wed, 28 Feb 2001 08:27:13 -0600 (CST) From: Steven Timm Subject: RE: questions about strong authentication document In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: Matt Crawford , Margaret Greaney , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 923 > > > > Doesn't this take a new kerberos host/ftp password and waiting on Yolanda > > V.? 
> > We had set up the farms so we did save the krb5.keytab file for each > > node in a secure place precisely because of this reason. > > Yes, the new keytab file would have to come (indirectly) from Yolanda. So > storing copies on secure media may be acceptable. Matt should probably > comment, but I don't believe that violates policy (if done correctly). > > > > > > That is to say, if your > > > / and /usr parttitions get blown away, we can put them back as far > > > as kerberos goes without any of the data that was on the drives; > > > [except maybe root's .k5login file]. > > > > > How does one reproduce the krb5.keytab file? This is not something > > I've seen in any of the documentation, or realized that it was even > > possible. > > I believe the procedure is along the lines of: > > Contact COMPDIV to get the password(s) reset on the service principals. Run > the "ups install-hostkeys kerberos" command (and/or read > $KERBEROS_DIR/ups/README.hostkeys). > > >...snip...< > Unacceptable if we are dealing with 100's of nodes.. .it typically takes Yolanda a couple weeks to turn that many host principals around. IF we have to reinstall all the farms overnight (which has happened before) then saving the keytab from the previous install on secure media is the only way to go. Hopefully you are right and this does not violate policy...and hopefully backup tapes in the vault count as "secure media." 
Steve Timm From kreymer@fnal.gov Wed Feb 28 09:41:26 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA01220 for ; Wed, 28 Feb 2001 09:41:26 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H007BU4X0YH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Feb 2001 09:41:25 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001003F1@listserv.fnal.gov>; Wed, 28 Feb 2001 09:41:24 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 434123 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Feb 2001 09:41:24 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001003F0@listserv.fnal.gov>; Wed, 28 Feb 2001 09:41:24 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H007BB4X0Y4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Feb 2001 09:41:24 -0600 (CST) Date: Wed, 28 Feb 2001 09:41:23 -0600 (CST) From: "Marc W. Mengel" Subject: RE: questions about strong authentication document In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: "Mark O. Kaletka" , Matt Crawford , Margaret Greaney , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 924 On Wed, 28 Feb 2001, Steven Timm wrote: > Unacceptable if we are dealing with 100's of nodes.. .it typically takes > Yolanda a couple weeks to turn that many host principals around. IF > we have to reinstall all the farms overnight (which has happened before) > then saving the keytab from the previous install on secure media is > the only way to go. 
Hopefully you are right and this does not violate > policy...and hopefully backup tapes in the vault count as "secure media." It is perfectly acceptable to backup/keep a PGP encrypted copy of the keytab, just not the cleartext one. Marc From kreymer@fnal.gov Wed Feb 28 11:24:57 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA11181 for ; Wed, 28 Feb 2001 11:24:56 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H00J0L9PI0L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Feb 2001 11:24:55 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001005A6@listserv.fnal.gov>; Wed, 28 Feb 2001 11:24:54 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 434619 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Feb 2001 11:24:54 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001005A5@listserv.fnal.gov>; Wed, 28 Feb 2001 11:24:54 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9H00J0K9PI0T@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Feb 2001 11:24:54 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA13188; Wed, 28 Feb 2001 11:24:54 -0600 (CST) Date: Wed, 28 Feb 2001 11:24:53 -0600 From: Matt Crawford Subject: Re: questions about strong authentication document In-reply-to: "27 Feb 2001 11:55:22 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Marc W. 
Mengel" Cc: kerberos-pilot@fnal.gov Message-id: <200102281724.LAA13188@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 925 > * to regenerate it (so the old one is no longer valid) after the backup. > (Matt, do you have the kadmin line handy for that?) > so that folks can't steal your host key by reading your backup tape. There are two parts to this. root @ a host can update the keytab so the KDC and the keytab file share new random keys for the host/name and ftp/name services with one kadmin command line for each service. But the old key will still be present in the keytab file along with the new and will be accepted by the service, so a hypothetical badguy who stole your old keytab file could still write himself an acceptable ticket to your service. If you promptly delete the old key, anyone already holding a ticket based on the previous key will get an error like the following if the attempt to use that ticket again before it expires: Couldn't authenticate to server: Server rejected authentication (during sendauth exchange) Server returned error code 60 (Generic error (see e-text)) Error text sent from server: Key version number for principal in key table is incorrect So you need to do one of the following three things, two of which are probably not feasible 1. Update your keytab at a time when no one is holding a valid ticket for the service which they might use again. 2. Educate all users -- including automated processes, to renew their TGT or get a new one, thereby flusing all their other service keys, when getting an error like the above, or when you inform them that you're cutting a new host key. 3. Delete the old key, without forgetting, from the keytab after any previously issued tickets expire. This would be up to the slave KDC refresh interval (15 minutes) plus the maximum ticket lifetime (currently 26 hours). 
We could help the process out a bit and shrink the window of vulnerability be shortening the lifetime of host & ftp service tickets, requiring getting a new service ticket based on your longer-lived TGT. The trouble is, the applications aren't smart enough to do this transparently. They gripe Couldn't authenticate to server: Ticket expired rsh: kcmd to host gungnir failed - Ticket expired and the like. So scheduling a purge for 27 hours later seems like the way to go. And now, the commands to generate new service keys: /usr/krb5/sbin/kadmin -k -p host/`hostname` -q "ktadd host/`hostname` /usr/krb5/sbin/kadmin -k -p ftp/`hostname` -q "ktadd ftp/`hostname`" This assumes `hostname` returns the fully-qualified name. If not, spell it out. To purge old keys later with ktutil: ktutil rkt /etc/krb5.keytab list delent 2 # <-- delete old entries (lower KVNO field) from delent 1 # <-- higher to lower positions list wkt /etc/krb5.keytab.new exit mv /etc/krb5.keytab.new /etc/krb5.keytab I think it might be worth my while to package up this whole thing in a somewhat bullet-proofed script so sysadmins don't have to muck with the details. 
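The purge step in Matt's message is the part he says he wants to wrap in a bullet-proofed script: the admin has to read slot numbers off ktutil's listing by eye, delete from the highest slot down, and remember not to do it before the 15-minute KDC refresh plus 26-hour ticket lifetime has elapsed. The POSIX shell below is an added example, not code from the mailing list or from the Fermi kerberos product. It derives the `delent` sequence from ktutil's own `list` output instead of hand-typed slot numbers, keeps every entry at the newest KVNO for each principal (so a principal with several encryption types keeps all of its current keys), and refuses to purge inside the window Matt quotes. The ktutil listing embedded in it is a constructed sample, the principal names in it are made up, and the function names (`stale_slots`, `purge_commands`, `safe_to_purge`) are my own.

```shell
#!/bin/sh
# Added example (not from the mailing list or the Fermi kerberos product):
# automate the "delent old entries, highest slot first" keytab purge.

# Constructed sample of what `ktutil` prints for "rkt /etc/krb5.keytab" then
# "list" after a ktadd: the KVNO 3 entries are the superseded keys, KVNO 4 the
# new ones. Principal names are made up for the sample.
SAMPLE_LIST='ktutil:  rkt /etc/krb5.keytab
ktutil:  list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    3 host/gungnir.fnal.gov@PILOT.FNAL.GOV
   2    3 ftp/gungnir.fnal.gov@PILOT.FNAL.GOV
   3    4 host/gungnir.fnal.gov@PILOT.FNAL.GOV
   4    4 ftp/gungnir.fnal.gov@PILOT.FNAL.GOV
ktutil:  exit'

# Slave KDC refresh (15 min) plus maximum ticket lifetime (26 h), the window
# quoted in the thread; purging earlier strands tickets issued on the old key.
PURGE_DELAY_SECONDS=$((15 * 60 + 26 * 3600))

# safe_to_purge KTADD_EPOCH NOW_EPOCH: succeed only once the window has passed.
safe_to_purge() {
    [ $(( $2 - $1 )) -ge "$PURGE_DELAY_SECONDS" ]
}

# stale_slots: read ktutil "list" output on stdin and print the slot numbers
# of entries whose KVNO is below the newest KVNO seen for the same principal.
# Highest slot first: ktutil renumbers the remaining slots after every delent,
# so deleting top-down keeps the numbers we print valid.
stale_slots() {
    awk '$1 ~ /^[0-9]+$/ {
             n++; slot[n] = $1; kvno[n] = $2 + 0; princ[n] = $3
             if (kvno[n] > max[$3] + 0) max[$3] = kvno[n]
         }
         END {
             for (i = n; i >= 1; i--)
                 if (kvno[i] < max[princ[i]] + 0) print slot[i]
         }'
}

# purge_commands KEYTAB: turn the stale-slot list (ktutil listing on stdin)
# into the ktutil script from the thread, writing KEYTAB.new so the live file
# is untouched until the operator has inspected it and moved it into place.
purge_commands() {
    echo "rkt $1"
    stale_slots | sed 's/^/delent /'
    echo "list"
    echo "wkt $1.new"
    echo "exit"
}

# Stand-alone demo against the constructed listing. With a real keytab you
# would instead run  printf 'rkt %s\nlist\nexit\n' /etc/krb5.keytab | ktutil
# and pipe that output into purge_commands, then feed its output to ktutil.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | purge_commands /etc/krb5.keytab
fi
```

Run with `--demo` it prints `rkt /etc/krb5.keytab`, `delent 2`, `delent 1`, `list`, `wkt /etc/krb5.keytab.new`, `exit`, which is the sequence Matt typed by hand. Because the lines starting with `ktutil:` and the column headers are filtered by the numeric-slot test, the same function works on ktutil's non-interactive output, prompts and all. A cron entry that records the ktadd time and calls `safe_to_purge` before generating the script gives the "purge 27 hours later" step without anyone having to remember it.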
From kreymer@fnal.gov Thu Mar 1 01:27:12 2001 -0600
Date: Thu, 01 Mar 2001 07:27:03 +0000 (GMT)
From: "Todd Huffman (CDF/ATLAS)"
Subject: yet another potentially simple problem to solve
To: kerberos-pilot@fnal.gov

Hi, I just tried again to use my kerberos principal to get on to fcdfsgi2
and it failed in a strange way:

I'm starting from oxpc01 after getting on to that machine remotely using
ssh:

    [huffman@oxpc01 ~]$ kinit
    Password for niimi@PILOT.FNAL.GOV:
    [huffman@oxpc01 ~]$ telnet fcdfsgi2
    Trying 131.225.240.129...
    Connected to fcdfsgi2.fnal.gov (131.225.240.129).
    Escape character is '^]'.

    NOTICE TO USERS

    This is a Federal computer (and/or it is directly connected to a
    Fermilab local network system) that is the property of the United
    .....
    Fermilab policy and rules for computing, including appropriate use,
    may be found at http://www.fnal.gov/cd/main/cpolicy.html

    [ Kerberos V5 accepts you as ``niimi@PILOT.FNAL.GOV'' ]
    [ Kerberos V5 accepted forwarded credentials ]
    Login incorrect
    login:

so my question is.... if my credentials are OK on kerberos... then why is my
login still incorrect? Note that my crypto-card log-in worked fine with the
'niimi' username.

Cheers,
Todd

*************************************************
Dr. B. Todd Huffman
Particle and Nuclear Physics
University of Oxford
Rm 631, Keble Rd
Oxford OX1 3RH UK
Phone: 44 - 1865 - 273402
LMH:   44 - 1865 - 274307
FAX:   44 - 1865 - 273418
Home:  44 - 1865 - 450240
URL of my home page: http://www-pnp.physics.ox.ac.uk/~huffman/
*************************************************

From kreymer@fnal.gov Thu Mar 1 08:27:18 2001 -0600
Date: Thu, 01 Mar 2001 08:27:10 -0600
From: Matt Crawford
Subject: Re: yet another potentially simple problem to solve
In-reply-to: "01 Mar 2001 07:27:03 GMT."
To: "Todd Huffman (CDF/ATLAS)"
Cc: kerberos-pilot@fnal.gov
Message-id: <200103011427.IAA18627@gungnir.fnal.gov>

> I just tried again to use my kerberos principal to get on
> to fcdfsgi2 and it failed in a strange way:
>
> I'm starting from oxpc01 after getting on to that machine remotely
> using ssh:
>
> [huffman@oxpc01 ~]$ kinit
> Password for niimi@PILOT.FNAL.GOV:
> [huffman@oxpc01 ~]$ telnet fcdfsgi2
> Trying 131.225.240.129...
> Connected to fcdfsgi2.fnal.gov (131.225.240.129).
> Escape character is '^]'.
> ...
> [ Kerberos V5 accepts you as ``niimi@PILOT.FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> Login incorrect
> login:
>
> so my question is.... if my credentials are OK on kerberos... then why
> is my login still incorrect?

I assume from the prompt that your username is huffman on oxpc01. Telnet
assumes that you want to log in under the same username on the destination
host. Although your credentials as "niimi" are all in order, they are not
sufficient to grant you access to the (non-existent) huffman account on
fcdfsgi2.

Solution: add "-l niimi" to the telnet command.
From kreymer@fnal.gov Fri Mar 2 10:31:37 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA14715 for ; Fri, 2 Mar 2001 10:31:36 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K009QKWKNPQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:31:36 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102127@listserv.fnal.gov>; Fri, 02 Mar 2001 10:31:35 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442388 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:31:35 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102126@listserv.fnal.gov>; Fri, 02 Mar 2001 10:31:35 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00H4NWKN6M@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:31:35 -0600 (CST) Received: (qmail 17392 invoked from network); Fri, 02 Mar 2001 10:31:34 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 10:31:34 -0600 Date: Fri, 02 Mar 2001 10:32:18 -0600 (CST) From: Michael Kriss Subject: Install questions Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 928 We don't plan on using ups/upd. Has anyone installed and configured kerberos without using ups/upd? If not is there interest in a document on how to do this? What are the 'locally-added or configured' features in the ups/upd distribution that we might want to implement? 
Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? michael From kreymer@fnal.gov Fri Mar 2 10:40:16 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15096 for ; Fri, 2 Mar 2001 10:40:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00BR4WZ131@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:40:14 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102136@listserv.fnal.gov>; Fri, 02 Mar 2001 10:40:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442404 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:40:13 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102135@listserv.fnal.gov>; Fri, 02 Mar 2001 10:40:13 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00BN6WZ1IG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:40:13 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id KAA22042; Fri, 02 Mar 2001 10:40:12 -0600 (CST) Date: Fri, 02 Mar 2001 10:40:12 -0600 (CST) From: Tim Zingelman Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: Michael Kriss Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 929 On Fri, 2 Mar 2001, Michael Kriss wrote: > We don't plan on using ups/upd. Has anyone installed and configured kerberos > without using ups/upd? 
If not is there interest in a document on how to do > this? We have not done it yet, but we will also NOT be using ups/upd. I'm glad to get and give any information along these lines. > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? > michael Ssh is a requirement for us, so we plan to MAKE kerberized ssh work, no matter what it takes :) - Tim From kreymer@fnal.gov Fri Mar 2 10:49:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA15969 for ; Fri, 2 Mar 2001 10:49:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00DIOXEO59@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:49:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102161@listserv.fnal.gov>; Fri, 02 Mar 2001 10:49:37 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442449 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:49:37 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102160@listserv.fnal.gov>; Fri, 02 Mar 2001 10:49:36 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00BTEXEO31@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:49:36 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA13046; Fri, 02 Mar 2001 10:49:36 -0600 Date: Fri, 02 Mar 2001 10:49:36 -0600 (CST) From: Steven Timm Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Kriss Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII 
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 930 > We don't plan on using ups/upd. Has anyone installed and configured kerberos > without using ups/upd? If not is there interest in a document on how to do > this? There are kerberos RPMS available from RedHat...in RH 7.0 it is installed by default. I have not tried them, however. > > What are the 'locally-added or configured' features in the ups/upd distribution > that we might want to implement? Others are better qualified to answer this than me, but they certainly include putting all the right KDC names and IP numbers into /etc/krb5.conf, fixing your inetd.conf and services correctly, and some of the portal services such as portal mode telnet and ftp. > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? > > michael > From kreymer@fnal.gov Fri Mar 2 10:55:34 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17013 for ; Fri, 2 Mar 2001 10:55:34 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00CPCXOKB8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:55:32 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102172@listserv.fnal.gov>; Fri, 02 Mar 2001 10:55:32 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442467 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:55:32 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102171@listserv.fnal.gov>; Fri, 02 Mar 2001 10:55:32 -0600 Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00CJPXOJWH@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:55:31 -0600 (CST) Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id KAA26547; Fri, 02 Mar 2001 10:55:31 -0600 Date: Fri, 02 Mar 2001 10:55:31 -0600 From: Glenn Cooper Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Kriss Cc: kerberos-pilot@fnal.gov Reply-to: gcooper@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 931 Marc Mengel has instructions for installing the Fermi kerberos product on machines that don't have UPS/UPD at: http://www.fnal.gov/docs/products/bootstrap/TemporaryInstall.html Glenn From kreymer@fnal.gov Fri Mar 2 10:56:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17247 for ; Fri, 2 Mar 2001 10:56:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00K0NXQE26@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:56:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102176@listserv.fnal.gov>; Fri, 02 Mar 2001 10:56:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442471 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:56:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102175@listserv.fnal.gov>; Fri, 02 Mar 2001 10:56:38 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00H9AXQE6M@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:56:38 -0600 (CST) Received: 
(qmail 17681 invoked from network); Fri, 02 Mar 2001 10:56:37 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 10:56:37 -0600 Date: Fri, 02 Mar 2001 10:57:20 -0600 (CST) From: Michael Kriss Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 932 I don't plan on temporarily installing ups/upd either... michael On Fri, 2 Mar 2001, Glenn Cooper wrote: > Marc Mengel has instructions for installing the Fermi kerberos product > on machines that don't have UPS/UPD at: > > http://www.fnal.gov/docs/products/bootstrap/TemporaryInstall.html > > Glenn > From kreymer@fnal.gov Fri Mar 2 10:58:01 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17259 for ; Fri, 2 Mar 2001 10:58:01 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00EIQXSN0R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:58:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102178@listserv.fnal.gov>; Fri, 02 Mar 2001 10:57:59 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442473 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:57:59 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102177@listserv.fnal.gov>; Fri, 02 Mar 2001 10:57:59 -0600 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0G9K00K01XSNC5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:57:59 -0600 (CST) 
Received: from lotus.phys.nwu.edu ([129.105.21.210]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00K1GXSM26@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:57:58 -0600 (CST) Received: from fnal.gov (turtle.phys.nwu.edu [129.105.21.212]) by lotus.phys.nwu.edu (8.9.3/8.8.7) with ESMTP id KAA03943; Fri, 02 Mar 2001 10:57:58 -0600 Date: Fri, 02 Mar 2001 10:58:33 -0600 From: Heidi Schellman Subject: Re: Install questions Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: Michael Kriss , kerberos-pilot@fnal.gov Message-id: <3A9FD139.EDAD8045@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 933 Why not use ups/upd where you need it? FNAL has put out a generalized way of supporting FNAL products - why not use it. ups/upd can be installed easily and you only have to use it for the products you want to. It would sure save a lot of duplication of effort. Heidi Schellman - D0 Tim Zingelman wrote: > On Fri, 2 Mar 2001, Michael Kriss wrote: > > We don't plan on using ups/upd. Has anyone installed and configured kerberos > > without using ups/upd? If not is there interest in a document on how to do > > this? > > We have not done it yet, but we will also NOT be using ups/upd. I'm glad > to get and give any information along these lines. > > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? 
> > michael > > Ssh is a requirement for us, so we plan to MAKE kerberized ssh work, no > matter what it takes :) > > - Tim From kreymer@fnal.gov Fri Mar 2 10:59:05 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17263 for ; Fri, 2 Mar 2001 10:59:05 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00K1UXUF26@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 10:59:03 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010217C@listserv.fnal.gov>; Fri, 02 Mar 2001 10:59:03 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442477 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 10:59:03 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010217B@listserv.fnal.gov>; Fri, 02 Mar 2001 10:59:03 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00CKOXUEWH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 10:59:02 -0600 (CST) Received: (qmail 17736 invoked from network); Fri, 02 Mar 2001 10:59:01 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 10:59:01 -0600 Date: Fri, 02 Mar 2001 10:59:45 -0600 (CST) From: Michael Kriss Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 934 On Fri, 2 Mar 2001, Steven Timm wrote: > > We don't plan on using ups/upd. Has anyone installed and configured kerberos > > without using ups/upd? 
> > If not is there interest in a document on how to do
> > this?
>
> There are kerberos RPMS available from RedHat...in RH 7.0 it is installed
> by default. I have not tried them, however.
>

I plan to compile/install on both Linux and Solaris. When compiling and
installing consists (simplistically) of:

% ./configure
% make
% make check
% make install

what benefits does ups/upd provide?

> > What are the 'locally-added or configured' features in the ups/upd distribution
> > that we might want to implement?
>
> Others are better qualified to answer this than me, but they certainly
> include putting all the right KDC names and IP numbers into
> /etc/krb5.conf, fixing your inetd.conf and services correctly,
> and some of the portal services such as portal mode telnet and ftp.
>

If it is as simple as that why can't this information be placed in the
'official' documentation?

michael

From kreymer@fnal.gov Fri Mar 2 11:03:52 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA17877 for ; Fri, 2 Mar 2001 11:03:52 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00CLRY2EWH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:03:51 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010218D@listserv.fnal.gov>; Fri, 02 Mar 2001 11:03:50 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442495 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:03:50 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010218C@listserv.fnal.gov>; Fri, 02 Mar 2001 11:03:50 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00CPKY2DDW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:03:49 -0600 (CST)
Received: (qmail 17781 invoked from network); Fri, 02 Mar 2001 11:03:48 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 11:03:48 -0600
Date: Fri, 02 Mar 2001 11:04:32 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
In-reply-to: <3A9FD139.EDAD8045@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Heidi Schellman
Cc: Tim Zingelman, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 935

ups/upd MAY have been a good idea several years ago but what's the point now?
What if you are not running a 'supported' OS? What if you want the
latest/greatest enhancements to a software product? You have to wait until it
gets put into a ups/upd package?

michael

On Fri, 2 Mar 2001, Heidi Schellman wrote:

> Why not use ups/upd where you need it? FNAL has put out a generalized
> way of supporting FNAL products - why not use it. ups/upd can be installed
> easily and you only have to use it for the products you want to. It would sure
> save a lot of duplication of effort.
>
> Heidi Schellman - D0
>
>
> Tim Zingelman wrote:
>
> > On Fri, 2 Mar 2001, Michael Kriss wrote:
> > > We don't plan on using ups/upd. Has anyone installed and configured kerberos
> > > without using ups/upd? If not is there interest in a document on how to do
> > > this?
> >
> > We have not done it yet, but we will also NOT be using ups/upd. I'm glad
> > to get and give any information along these lines.
> >
> > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems?
> > > michael
> >
> > Ssh is a requirement for us, so we plan to MAKE kerberized ssh work, no
> > matter what it takes :)
> >
> > - Tim
>

From kreymer@fnal.gov Fri Mar 2 11:18:09 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA18806 for ; Fri, 2 Mar 2001 11:18:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00CS6YQ1DW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:18:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001021C5@listserv.fnal.gov>; Fri, 02 Mar 2001 11:18:01 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442558 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:18:01 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001021C4@listserv.fnal.gov>; Fri, 02 Mar 2001 11:18:00 -0600
Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0G9K00L01YPXRT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:18:00 -0600 (CST)
Received: from lotus.phys.nwu.edu ([129.105.21.210]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00ENTYN90R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:16:21 -0600 (CST)
Received: from fnal.gov (turtle.phys.nwu.edu [129.105.21.212]) by lotus.phys.nwu.edu (8.9.3/8.8.7) with ESMTP id LAA04657; Fri, 02 Mar 2001 11:16:20 -0600
Date: Fri, 02 Mar 2001 11:16:55 -0600
From: Heidi Schellman
Subject: Re: Install questions
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Kriss
Cc: Tim Zingelman, kerberos-pilot@fnal.gov
Message-id: <3A9FD587.EC3CC7D@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 936

One does not have to use ups/upd for all products. Just the ones where it is
expedient to do so, and I think this is one of them.

Michael Kriss wrote:

> ups/upd MAY have been a good idea several years ago but what's the point now?
> What if you are not running a 'supported' OS? What if you want the
> latest/greatest enhancements to a software product? You have to wait until it
> gets put into a ups/upd package?
>
> michael
>
> On Fri, 2 Mar 2001, Heidi Schellman wrote:
>
> > Why not use ups/upd where you need it? FNAL has put out a generalized
> > way of supporting FNAL products - why not use it. ups/upd can be installed
> > easily and you only have to use it for the products you want to. It would sure
> > save a lot of duplication of effort.
> >
> > Heidi Schellman - D0
> >
> >
> > Tim Zingelman wrote:
> >
> > > On Fri, 2 Mar 2001, Michael Kriss wrote:
> > > > We don't plan on using ups/upd. Has anyone installed and configured kerberos
> > > > without using ups/upd? If not is there interest in a document on how to do
> > > > this?
> > >
> > > We have not done it yet, but we will also NOT be using ups/upd. I'm glad
> > > to get and give any information along these lines.
> > >
> > > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems?
> > > > michael
> > >
> > > Ssh is a requirement for us, so we plan to MAKE kerberized ssh work, no
> > > matter what it takes :)
> > >
> > > - Tim
> >

From kreymer@fnal.gov Fri Mar 2 11:25:58 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA19389 for ; Fri, 2 Mar 2001 11:25:58 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00GJFZ38PD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:25:56 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001021F1@listserv.fnal.gov>; Fri, 02 Mar 2001 11:25:56 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442605 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:25:56 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001021F0@listserv.fnal.gov>; Fri, 02 Mar 2001 11:25:56 -0600
Received: from localhost ([131.225.30.105]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00HBXZ37TE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:25:55 -0600 (CST)
Date: Fri, 02 Mar 2001 11:25:54 -0600
From: Thomas Jordan
Subject: Re: Install questions
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Reply-to: jordant@fnal.gov
Message-id: <0G9K00HBYZ37TE@smtp.fnal.gov>
MIME-version: 1.0 (Apple Message framework v337)
X-Mailer: Apple Mail (2.337)
Content-type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id LAA19389
Status: RO
X-Status:
X-Keywords:
X-UID: 937

On Friday, March 2, 2001, at 10:49 AM, Steven Timm wrote:

> Others are better qualified to answer this than me, but they certainly
> include putting all the right KDC names and IP numbers into
> /etc/krb5.conf, fixing your inetd.conf and services correctly,
> and some of the portal services such as portal mode telnet and ftp.
>

Would someone described in the first line above post the local parameters
that Steven mentioned above? I am not using UPS/UPD to install, I believe
that my /etc/krb5.conf file is correct (thanks Mark) but kerberos is still
broken on my node.

Best,
Tom

From kreymer@fnal.gov Fri Mar 2 11:31:41 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA19475 for ; Fri, 2 Mar 2001 11:31:40 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00GLNZCPPD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:31:38 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102210@listserv.fnal.gov>; Fri, 02 Mar 2001 11:31:37 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442639 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:31:37 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010220F@listserv.fnal.gov>; Fri, 02 Mar 2001 11:31:37 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00DREZCP3N@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:31:37 -0600 (CST)
Received: (qmail 18024 invoked from network); Fri, 02 Mar 2001 11:31:36 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 11:31:36 -0600
Date: Fri, 02 Mar 2001 11:32:19 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
In-reply-to: <3A9FD587.EC3CC7D@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Heidi Schellman
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 938

I want to understand what is going on on my systems, especially when it
concerns security. If you are a user who simply wants to join the realm as
quickly as possible and then get back to work, then ups/upd might be
appropriate.

If you want to further discuss pros/cons of ups/upd let's do it off this
list...

michael

On Fri, 2 Mar 2001, Heidi Schellman wrote:

> One does not have to use ups/upd for all products. Just the ones where it is
> expedient to do so, and I think this is one of them.
>
> Michael Kriss wrote:
>
> > ups/upd MAY have been a good idea several years ago but what's the point now?
> > What if you are not running a 'supported' OS? What if you want the
> > latest/greatest enhancements to a software product? You have to wait until it
> > gets put into a ups/upd package?
> >
> > michael
> >
> > On Fri, 2 Mar 2001, Heidi Schellman wrote:
> >
> > > Why not use ups/upd where you need it? FNAL has put out a generalized
> > > way of supporting FNAL products - why not use it. ups/upd can be installed
> > > easily and you only have to use it for the products you want to. It would sure
> > > save a lot of duplication of effort.
> > >
> > > Heidi Schellman - D0
> > >
> > >
> > > Tim Zingelman wrote:
> > >
> > > > On Fri, 2 Mar 2001, Michael Kriss wrote:
> > > > > We don't plan on using ups/upd. Has anyone installed and configured kerberos
> > > > > without using ups/upd? If not is there interest in a document on how to do
> > > > > this?
> > > >
> > > > We have not done it yet, but we will also NOT be using ups/upd. I'm glad
> > > > to get and give any information along these lines.
> > > >
> > > > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems?
> > > > > michael
> > > >
> > > > Ssh is a requirement for us, so we plan to MAKE kerberized ssh work, no
> > > > matter what it takes :)
> > > >
> > > > - Tim
> > >
>

From kreymer@fnal.gov Fri Mar 2 11:34:33 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA19493 for ; Fri, 2 Mar 2001 11:34:33 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9K00L5YZHJ9B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:34:32 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102216@listserv.fnal.gov>; Fri, 02 Mar 2001 11:34:31 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442647 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:34:31 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102215@listserv.fnal.gov>; Fri, 02 Mar 2001 11:34:31 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9K00M15ZHIJE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:34:31 -0600 (CST)
Received: (qmail 18058 invoked from network); Fri, 02 Mar 2001 11:34:29 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 11:34:29 -0600
Date: Fri, 02 Mar 2001 11:35:13 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
In-reply-to: <0G9K00HBYZ37TE@smtp.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Thomas Jordan
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 939

If you've got a working (almost) krb5.conf file can you post it to this list?
Sorry if this has already been discussed but I'm new here and no archive
exists.

michael

On Fri, 2 Mar 2001, Thomas Jordan wrote:

> On Friday, March 2, 2001, at 10:49 AM, Steven Timm wrote:
>
> > Others are better qualified to answer this than me, but they certainly
> > include putting all the right KDC names and IP numbers into
> > /etc/krb5.conf, fixing your inetd.conf and services correctly,
> > and some of the portal services such as portal mode telnet and ftp.
> >
>
> Would someone described in the first line above post the local parameters
> that Steven mentioned above? I am not using UPS/UPD to install, I believe
> that my /etc/krb5.conf file is correct (thanks Mark) but kerberos is still
> broken on my node.
>
> Best,
> Tom
>

From kreymer@fnal.gov Fri Mar 2 11:48:31 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA20588 for ; Fri, 2 Mar 2001 11:48:30 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00JBP04SZE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 11:48:29 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102236@listserv.fnal.gov>; Fri, 02 Mar 2001 11:48:28 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442681 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 11:48:28 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102235@listserv.fnal.gov>; Fri, 02 Mar 2001 11:48:28 -0600
Received: from fnpspb.fnal.gov ([131.225.81.79]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00GPD04SPD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 11:48:28 -0600 (CST)
Received: from localhost (garren@localhost) by fnpspb.fnal.gov (8.9.3/8.9.3) with SMTP id LAA00725; Fri, 02 Mar 2001 11:48:27 -0600 (CST)
Date: Fri, 02 Mar 2001 11:48:27 -0600
From: Lynn Garren
Subject: Re: Install questions
In-reply-to: "Your message of Fri, 02 Mar 2001 11:04:32 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Kriss
Cc: Heidi Schellman, Tim Zingelman, kerberos-pilot@fnal.gov
Message-id: <200103021748.LAA00725@fnpspb.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: fnpspb.fnal.gov: garren@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 940

> ups/upd MAY have been a good idea several years ago but what's the point now?
> What if you are not running a 'supported' OS? What if you want the
> latest/greatest enhancements to a software product? You have to wait until it
> gets put into a ups/upd package?
>

Well, since you have raised this issue on list, I will answer it here.

If you are dealing with products where you only want one version available
at any time, UPS/UPD just gives you an easy way to upgrade and install the
product. Unless you are using Linux rpm's there really isn't a "better way".
Just "different ways". Ease of use is especially important for some people.

If, however, you are maintaining products for a diverse group of people who
may want to use different versions of the same product, then UPS/UPD is a
powerful tool. This is especially true for products like pythia. That's the
real reason that UPS/UPD was developed.
Lynn

From kreymer@fnal.gov Fri Mar 2 12:01:57 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA22409 for ; Fri, 2 Mar 2001 12:01:40 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00JEQ0QDMQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 12:01:26 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102263@listserv.fnal.gov>; Fri, 02 Mar 2001 12:01:25 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 442730 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 12:01:25 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102262@listserv.fnal.gov>; Fri, 02 Mar 2001 12:01:25 -0600
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00M3G0QDZ6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 12:01:25 -0600 (CST)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f22I1Os21899; Fri, 02 Mar 2001 12:01:24 -0600 (CST)
Date: Fri, 02 Mar 2001 12:01:24 -0600
From: Anne Heavey
Subject: Re: Install questions
In-reply-to: "Your message of Fri, 02 Mar 2001 10:59:45 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Kriss
Cc: kerberos-pilot@fnal.gov
Message-id: <200103021801.f22I1Os21899@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 941

> On Fri, 2 Mar 2001, Steven Timm wrote:
>
> > > We don't plan on using ups/upd. Has anyone installed and configured kerberos
> > > without using ups/upd? If not is there interest in a document on how to do
> > > this?
> >
> > There are kerberos RPMS available from RedHat...in RH 7.0 it is installed
> > by default. I have not tried them, however.
> >
>
> I plan to compile/install on both Linux and Solaris. When compiling and
> installing consists (simplistically) of:
>
> % ./configure
> % make
> % make check
> % make install
>
> what benefits does ups/upd provide?
>
> > > What are the 'locally-added or configured' features in the ups/upd distribution
> > > that we might want to implement?
> >
> > Others are better qualified to answer this than me, but they certainly
> > include putting all the right KDC names and IP numbers into
> > /etc/krb5.conf, fixing your inetd.conf and services correctly,
> > and some of the portal services such as portal mode telnet and ftp.
> >
>
> If it is as simple as that why can't this information be placed in the
> 'official' documentation?
>
> michael

Michael,

Your installation might not be so simple to keep updated. And a document on
how to do it might need frequent updating too. If you just install the latest
Fermi kerberos each time it's upgraded via UPD, you're sure to get all the
right pieces.

That said, if you or someone else comes up with a solution, please pass it on
to me so that I can document it and add it to the web pages.
--
Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Fri Mar 2 13:22:49 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26643 for ; Fri, 2 Mar 2001 13:22:49 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L004324HZGQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 13:22:48 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010238C@listserv.fnal.gov>; Fri, 02 Mar 2001 13:22:48 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443062 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 13:22:48 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010238B@listserv.fnal.gov>; Fri, 02 Mar 2001 13:22:48 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00MJX4HZJE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 13:22:47 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA13482 for ; Fri, 02 Mar 2001 13:22:47 -0600
Date: Fri, 02 Mar 2001 13:22:47 -0600 (CST)
From: Steven Timm
Subject: krb5_rd_req failed..
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 942

Has anyone seen this error message before?
I am getting it consistently on only one node of the farms:
--------------
--------------
snowball.timm:~> kinit
Password for timm@PILOT.FNAL.GOV:
snowball.timm:~> telnet fncdf90
Trying 131.225.239.90...
Connected to fncdf90.fnal.gov (131.225.239.90).
Escape character is '^]'.
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
failed: No such file or directory ]
[ Trying KERBEROS4 ... ]
mk_req failed: Service expired (kerberos)
[ Trying KERBEROS4 ... ]
mk_req failed: Service expired (kerberos)

Fermi Linux Release 6.1.2 (Strange)
Kernel 2.2.17-14smp on a 2-processor i686

login: No such file or directory while getting initial credentials
Login incorrect
=-------------------------

I have already killed and restarted the inet daemon to no effect.
Any idea what could be going on?

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Fri Mar 2 13:24:26 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26647 for ; Fri, 2 Mar 2001 13:24:26 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00LSH4KOOO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 13:24:25 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102392@listserv.fnal.gov>; Fri, 02 Mar 2001 13:24:24 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443068 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 13:24:24 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102391@listserv.fnal.gov>; Fri, 02 Mar 2001 13:24:24 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00MKD4KOJE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 13:24:24 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA13486 for ; Fri, 02 Mar 2001 13:24:24 -0600
Date: Fri, 02 Mar 2001 13:24:24 -0600 (CST)
From: Steven Timm
Subject: tcp wrappers and kerberized telnet/rsh/rcp
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 943

A few months ago it became apparent that the default kerberos install
does not use tcpwrappers when it adds the kerberos telnet and rsh services
to inetd.conf. Has anyone come up with a template of how to make this
change so that the services can be properly wrapped--and/or has the setup
template been fixed so it is done automatically in future?

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Fri Mar 2 13:34:51 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26657 for ; Fri, 2 Mar 2001 13:34:51 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L000IE5224D@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 13:34:51 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001023D7@listserv.fnal.gov>; Fri, 02 Mar 2001 13:34:50 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443140 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 13:34:50 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001023D6@listserv.fnal.gov>; Fri, 02 Mar 2001 13:34:50 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00KP8522U4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 13:34:50 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA13519 for ; Fri, 02 Mar 2001 13:34:49 -0600
Date: Fri, 02 Mar 2001 13:34:49 -0600 (CST)
From: Steven Timm
Subject: Re: krb5_rd_req failed..
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 944

Never mind...the error is due to a missing /etc/krb5.keytab

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 2 Mar 2001, Steven Timm wrote:

> Has anyone seen this error message before? I am getting
> it consistently on only one node of the farms:
> --------------
> --------------
> snowball.timm:~> kinit
> Password for timm@PILOT.FNAL.GOV:
> snowball.timm:~> telnet fncdf90
> Trying 131.225.239.90...
> Connected to fncdf90.fnal.gov (131.225.239.90).
> Escape character is '^]'.
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req
> failed: No such file or directory ]
> [ Trying KERBEROS4 ... ]
> mk_req failed: Service expired (kerberos)
> [ Trying KERBEROS4 ... ]
> mk_req failed: Service expired (kerberos)
>
> Fermi Linux Release 6.1.2 (Strange)
> Kernel 2.2.17-14smp on a 2-processor i686
>
> login: No such file or directory while getting initial credentials
> Login incorrect
> =-------------------------
>
> I have already killed and restarted the inet daemon to no effect.
> Any idea what could be going on?
>
> Steve Timm
>
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>

From kreymer@fnal.gov Fri Mar 2 14:14:16 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26789 for ; Fri, 2 Mar 2001 14:14:16 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00MR76VRJE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 14:14:16 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102499@listserv.fnal.gov>; Fri, 02 Mar 2001 14:14:15 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443349 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 14:14:15 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102498@listserv.fnal.gov>; Fri, 02 Mar 2001 14:14:15 -0600
Received: from hamshack.fnal.gov ([131.225.84.179]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L000R76VQ4D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 14:14:14 -0600 (CST)
Received: from hamshack.fnal.gov (localhost [127.0.0.1]) by hamshack.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA08531; Fri, 02 Mar 2001 14:14:12 -0600
Date: Fri, 02 Mar 2001 14:14:12 -0600
From: Ken Schumacher
Subject: Re: Install questions
In-reply-to: "02 Mar 2001 11:04:32 -0600."
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Kriss Cc: Heidi Schellman , Tim Zingelman , kerberos-pilot@fnal.gov, Ken Schumacher Message-id: <200103022014.OAA08531@hamshack.fnal.gov> Organization: Fermilab Unix System Support Group MIME-version: 1.0 X-Mailer: exmh version 2.0.3 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 945 On Friday 2 March 2001, Michael Kriss wrote: > ups/upd MAY have been a good idea several years ago but what's the > point now? Lynn did a fine job of answering that question. I won't try to add to that. > What if you are not running a 'supported' OS? What if you want the > latest/greatest enhancements to a software product? You have to wait > until it gets put into a ups/upd package? > > michael No one is stopping you from going out and getting the latest Kerberos software you can find. You can build the software, configure it from the ground up. I applaud that you want to understand fully what the addition of this software to your system will affect. Make sure that you download all the doc files with the source code. On the other hand, if you are looking to install a package that Fermilab provides, why do you complain about how it is packaged? The software is distributed using our standard distribution method (UPD). We build and test it on the operating systems that we support. If you want to run on an OS that we have not tested and don't claim to support, you are welcome to build the software yourself. If you want to test the latest bells and whistles, you may do so. The price you pay is that you have to download the software, compile it yourself and then solve any problems you encounter on your own. The UPS/UPD version of the product is ready to be installed and put into service. The manual tells you what you need to know about the changes to your system (which services are affected, etc.). If there are specific details you don't find documented, that's what this list is for. 
Ask what you specifically need to know, someone will know the answer. As the right questions are asked, I expect that the document will be updated with the appropriate information (at least that information that can be published). Don't forget that this is security related software and not all the details may be appropriate for publishing on-line or sharing via a mailing list. Ken S. -- =========================================================================== Ken Schumacher (o) 630-840-4579 (f) 630-840-6345 Fermilab CD/OSS SCS Group Loc:FCC-252g http://home.fnal.gov/~kschu/ =========================================================================== From kreymer@fnal.gov Fri Mar 2 14:28:28 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26809 for ; Fri, 2 Mar 2001 14:28:28 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L0079J7JF0V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 14:28:28 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001024E6@listserv.fnal.gov>; Fri, 02 Mar 2001 14:28:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443441 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 14:28:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001024E5@listserv.fnal.gov>; Fri, 02 Mar 2001 14:28:27 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L004FU7JF7Y@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 14:28:27 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id OAA07286 for ; Fri, 02 Mar 2001 14:28:25 -0600 
(CST) Date: Fri, 02 Mar 2001 14:28:25 -0600 (CST) From: Tim Zingelman Subject: Re: Install questions In-reply-to: <200103022014.OAA08531@hamshack.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 946 I assume no one needs to read this message twice, so I've trimmed the cc: list... please do the same for any responses. On Fri, 2 Mar 2001, Ken Schumacher wrote: > On Friday 2 March 2001, Michael Kriss wrote: > > > What if you are not running a 'supported' OS? What if you want the > > latest/greatest enhancements to a software product? You have to wait > > until it gets put into a ups/upd package? > > > > michael > > On the other hand, if you are looking to install a package that > Fermilab provides, why do you complain about how it is packaged. First, what in Mike's original email (== quoted here) is a complaint? == Date: Fri, 02 Mar 2001 10:32:18 -0600 (CST) == From: Michael Kriss == To: kerberos-pilot@fnal.gov == Subject: Install questions == == We don't plan on using ups/upd. Has anyone installed and configured kerberos == without using ups/upd? If not is there interest in a document on how to do == this? == == What are the 'locally-added or configured' features in the ups/upd == distribution that we might want to implement? == == Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? == == michael Second, the point is that we are NOT "looking to install a package that Fermilab provides". We are looking to comply with the requirement that our systems join the fnal kerberos realm. > ... bells and whistles, you may do so. The price you pay is that you > have to download the software, compile it yourself and then solve any > problems you encounter on your own. 
I didn't read anything in the charter for this mailing list that indicated to me that ONLY UPS/UPD users would find help here... if that is true I guess I should un-subscribe. > The UPS/UPD version of the product is ready to be installed and put > into service. The manual tells you what you need to know about the > changes to your system (which services are affected, etc.). If there are > specific details you don't find documented, that's what this list is for. Again I didn't understand this... I'm sorry to hear that... > Ask what you specifically need to know, someone will know the answer. As == What are the 'locally-added or configured' features in the ups/upd == distribution that we might want to implement? I've yet to see an answer to this 'specific' question. - Tim From kreymer@fnal.gov Fri Mar 2 14:49:41 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26834 for ; Fri, 2 Mar 2001 14:49:41 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L004IQ8IS7Y@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 14:49:41 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010253A@listserv.fnal.gov>; Fri, 02 Mar 2001 14:49:40 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443534 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 14:49:40 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102539@listserv.fnal.gov>; Fri, 02 Mar 2001 14:49:40 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9L006J58IR0O@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 14:49:40 -0600 (CST) Received: 
(qmail 19651 invoked from network); Fri, 02 Mar 2001 14:49:38 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 14:49:38 -0600 Date: Fri, 02 Mar 2001 14:50:22 -0600 (CST) From: Michael Kriss Subject: Re: Install questions In-reply-to: <200103022014.OAA08531@hamshack.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Ken Schumacher Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 947 Getting the entire lab kerberized by 12/31/01 is going to be a difficult task. This will require a GREAT DEAL of cooperation from local system administrators. Some of these local admins have already stated they have no intention of using UPS/UPD. To not have basic documentation (what a reasonable krb5.conf file should look like) available is ridiculous. It took me a lot of digging to finally find that this information is available on the main ftp site ftp.fnal.gov (ref. Strong Authentication at Fermilab Release 1.0b section 11.7.2). > > The UPS/UPD version of the product is ready to be installed and put > into service. The manual tells you what you need to know about the > changes to your system (which services are affected, etc.). If there are > specific details you don't find documented, that's what this list is for. > Ask what you specifically need to know, someone will know the answer. As > the right questions are asked, I expect that the document will be updated > with the appropriate information (at least that information that can be > published). Don't forget that this is security related software and not > all the details may be appropriate for publishing on-line or sharing via a > mailing list. > If this 'Strong Authentication' is going to be based on security through obscurity then it will fail. 
michael From kreymer@fnal.gov Fri Mar 2 14:58:35 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26848 for ; Fri, 2 Mar 2001 14:58:35 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L009828XLP6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 14:58:34 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010255B@listserv.fnal.gov>; Fri, 02 Mar 2001 14:58:34 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443571 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 14:58:34 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010255A@listserv.fnal.gov>; Fri, 02 Mar 2001 14:58:34 -0600 Received: from localhost ([131.225.30.105]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9L005NR8XLJT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 14:58:33 -0600 (CST) Date: Fri, 02 Mar 2001 14:58:32 -0600 From: Thomas Jordan Subject: Re: Install questions Sender: owner-kerberos-pilot@listserv.fnal.gov To: Michael Kriss Cc: kerberos-pilot@fnal.gov Reply-to: jordant@fnal.gov Message-id: <0G9L005NS8XLJT@smtp.fnal.gov> MIME-version: 1.0 (Apple Message framework v337) X-Mailer: Apple Mail (2.337) Content-type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id OAA26848 Status: RO X-Status: X-Keywords: X-UID: 948 Hi Michael, Wanna throw me a hint for that path? I'll buy you a cup of coffee - the good stuff too! Tom On Friday, March 2, 2001, at 02:50 PM, Michael Kriss wrote: > should look like) available is ridiculous. 
It took me a lot of digging to > finally find that this information is available on the main ftp site > ftp.fnal.gov (ref. Strong Authentication at Fermilab Release 1.0b section > 11.7.2). > From kreymer@fnal.gov Fri Mar 2 15:02:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26861 for ; Fri, 2 Mar 2001 15:02:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L001UK94DV0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 15:02:38 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010256C@listserv.fnal.gov>; Fri, 02 Mar 2001 15:02:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443588 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 15:02:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010256B@listserv.fnal.gov>; Fri, 02 Mar 2001 15:02:38 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9L00B5894D8C@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 15:02:37 -0600 (CST) Received: (qmail 19768 invoked from network); Fri, 02 Mar 2001 15:02:36 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Fri, 02 Mar 2001 15:02:36 -0600 Date: Fri, 02 Mar 2001 15:03:20 -0600 (CST) From: Michael Kriss Subject: Re: Install questions In-reply-to: <0G9L005NS8XLJT@smtp.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Thomas Jordan Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 949 ftp://ftp.fnal.gov/products/krb5conf latest is 
v1_1/NULL/krb5conf_v1_1_NULL.ups.tar There are instructions there on how to install the krb5.conf file without UPS (gasp!)... michael On Fri, 2 Mar 2001, Thomas Jordan wrote: > Hi Michael, > > Wanna throw me a hint for that path? I'll buy you a cup of coffee - the good stuff too! > > Tom > > On Friday, March 2, 2001, at 02:50 PM, Michael Kriss wrote: > > > should look like) available is ridiculous. It took me a lot of digging to > > finally find that this information is available on the main ftp site > > ftp.fnal.gov (ref. Strong Authentication at Fermilab Release 1.0b section > > 11.7.2). > > > From kreymer@fnal.gov Fri Mar 2 15:30:55 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26983 for ; Fri, 2 Mar 2001 15:30:54 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L005SZAFHJT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 15:30:54 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001025CD@listserv.fnal.gov>; Fri, 02 Mar 2001 15:30:54 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443695 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 15:30:54 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001025CC@listserv.fnal.gov>; Fri, 02 Mar 2001 15:30:54 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00C6FAFHM4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 15:30:53 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id PAA09341 for ; Fri, 02 Mar 2001 15:30:52 -0600 (CST) Date: Fri, 02 Mar 2001 15:30:51 -0600 (CST) From: 
Tim Zingelman Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 950 On Fri, 2 Mar 2001, Michael Kriss wrote: > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? I found a patch for openssh 2.1.0p2 to make it kerberos 5 aware here: http://www.ics.muni.cz/scb/devel/heimdal.html I have not tried it yet. - Tim From kreymer@fnal.gov Fri Mar 2 15:39:38 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26995 for ; Fri, 2 Mar 2001 15:39:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L006P3AU1ED@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 15:39:38 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001025E4@listserv.fnal.gov>; Fri, 02 Mar 2001 15:39:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443720 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 15:39:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001025E3@listserv.fnal.gov>; Fri, 02 Mar 2001 15:39:38 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L007MVAU1TD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 15:39:37 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id PAA09772 for ; Fri, 02 Mar 2001 15:39:35 -0600 (CST) Date: Fri, 02 Mar 2001 15:39:35 -0600 (CST) From: Tim Zingelman 
Subject: xdm & kerberos 5 Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 951 Has anyone gotten xdm to work with kerberos 5 in portal mode? (i.e. using a cryptocard for xterminals and non-kerberized Windows NT/98 boxes using eXceed.) I'm specifically interested in doing this on an xdm server box using XFree86, which only appears to have kerberos 4 support at this point. - Tim From kreymer@fnal.gov Fri Mar 2 16:15:24 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA27062 for ; Fri, 2 Mar 2001 16:15:23 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00F5WCHM72@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 16:15:23 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102669@listserv.fnal.gov>; Fri, 02 Mar 2001 16:15:22 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443862 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 16:15:22 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102668@listserv.fnal.gov>; Fri, 02 Mar 2001 16:15:22 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00AJ3CHLJD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 16:15:21 -0600 (CST) Date: Fri, 02 Mar 2001 16:15:21 -0600 (CST) From: "Marc W. 
Mengel" Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 952 On Fri, 2 Mar 2001, Tim Zingelman wrote: > > > Why is mixed-mode (ssh and kerberos) not allowed for on-site systems? > > I found a patch for openssh 2.1.0p2 to make it kerberos 5 aware here: > > http://www.ics.muni.cz/scb/devel/heimdal.html That one's kind of old, you might look at: http://www.sxw.org.uk/computing/patches/ for patches to current OpenSSH releases. It's the latest one I've found for our attempts to get OpenSSH with Krb5 etc. together. Marc From kreymer@fnal.gov Fri Mar 2 16:41:28 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA27109 for ; Fri, 2 Mar 2001 16:41:28 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L009OEDP33I@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 16:41:28 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001026C5@listserv.fnal.gov>; Fri, 02 Mar 2001 16:41:28 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443959 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 16:41:28 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001026C4@listserv.fnal.gov>; Fri, 02 Mar 2001 16:41:27 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00H31DP3ME@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 16:41:27 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by 
gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA28664; Fri, 02 Mar 2001 16:41:26 -0600 (CST) Date: Fri, 02 Mar 2001 16:41:26 -0600 From: Matt Crawford Subject: Re: krb5_rd_req failed.. In-reply-to: "02 Mar 2001 13:22:47 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200103022241.QAA28664@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 953 That looks to me like /etc/krb5.keytab is missing. My first guess is that the kerberos telnetd was installed but the install-hostkeys step was deferred and never performed, but checking the stats on the principal host/fncdf90.fnal.gov, it looks like it was done on Wed Jan 24 16:25:53 CST 2001. Have a look and see if something happened to the keytab file. From kreymer@fnal.gov Fri Mar 2 16:45:19 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA27113 for ; Fri, 2 Mar 2001 16:45:19 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00ED6DVIC3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 16:45:18 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001026D0@listserv.fnal.gov>; Fri, 02 Mar 2001 16:45:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 443970 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 16:45:18 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001026CF@listserv.fnal.gov>; Fri, 02 Mar 2001 16:45:18 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00H5FDVH23@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 16:45:17 -0600 (CST) Received: from 
gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA28707; Fri, 02 Mar 2001 16:45:17 -0600 (CST) Date: Fri, 02 Mar 2001 16:45:17 -0600 From: Matt Crawford Subject: Re: tcp wrappers and kerberized telnet/rsh/rcp In-reply-to: "02 Mar 2001 13:24:24 CST." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: kerberos-pilot@fnal.gov Message-id: <200103022245.QAA28707@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 954 > A few months ago it became apparent that the default kerberos install > does not use tcpwrappers when it adds the kerberos telnet and rsh > services to inetd.conf. > > Has anyone come up with a template of how to make this change > so that the services can be properly wrapped--and/or has the > setup template been fixed so it is done automatically in future? Yes, we believe we got it to respect and preserve existing usage of tcpwrappers on a service-by-service basis on 2000/06/01, which should be in v0_6 and later. 
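Two host-side problems came up in the messages above: Steve Timm's farm node where telnetd reported "krb5_rd_req failed: No such file or directory" because /etc/krb5.keytab was missing (Matt Crawford's diagnosis: check that the host/fncdf90.fnal.gov key is actually in the keytab), and the kerberized telnet/rsh services being added to inetd.conf without tcpd wrapping, which the installer now preserves service by service. The script below is an added example written for this page; it is not Fermilab's kerberos product or its install-hostkeys/setup scripts. It parses the MIT keytab file format (version 0x0502) directly so it runs offline, and rewrites inetd.conf lines so that Kerberos services go through tcpd while lines that already use tcpd are left untouched. Everything beyond the file formats is assumed: the tcpd path /usr/sbin/tcpd, the daemon paths under /usr/krb5/sbin, the PILOT.FNAL.GOV realm for the host principal, and the sample keytab (dummy all-zero key) and inetd.conf lines, which are constructed here.

```python
import os
import struct

# Assumed, not from the thread: where tcpd lives and which inetd services the
# Kerberos install adds or replaces.
TCPD_PATH = "/usr/sbin/tcpd"
KRB_SERVICES = {"telnet", "ftp", "klogin", "eklogin", "kshell"}

def _cstr(raw):
    """Keytab counted octet string: uint16 big-endian length, then the bytes."""
    return struct.pack(">H", len(raw)) + raw

def build_keytab(entries):
    """Serialize (principal, kvno, enctype, key) tuples as an MIT keytab (format
    0x0502). Only used here to construct sample input; ktadd writes the real file."""
    out = b"\x05\x02"
    for principal, kvno, enctype, key in entries:
        name, realm = principal.split("@")
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _cstr(realm.encode())
        body += b"".join(_cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 980375153, kvno & 0xFF)  # NT_PRINCIPAL, arbitrary time, vno8
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(data):
    """Return [(principal, kvno, enctype), ...]; deleted slots (size < 0) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:
            pos -= size                    # skip a deleted slot's bytes (no-op for 0)
            continue
        body, pos = data[pos:pos + size], pos + size
        (ncomp,) = struct.unpack_from(">H", body, 0)
        off, strs = 2, []
        for _ in range(ncomp + 1):         # realm first, then the name components
            (n,) = struct.unpack_from(">H", body, off)
            strs.append(body[off + 2:off + 2 + n].decode())
            off += 2 + n
        vno8 = body[off + 8]               # after uint32 name_type and uint32 timestamp
        enctype, klen = struct.unpack_from(">HH", body, off + 9)
        off += 13 + klen                   # the key bytes themselves are not needed here
        kvno = vno8
        if len(body) - off >= 4:           # newer writers append a 32-bit kvno
            kvno = struct.unpack_from(">I", body, off)[0] or vno8
        entries.append(("/".join(strs[1:]) + "@" + strs[0], kvno, enctype))
    return entries

def check_keytab(data, fqdn, realm):
    """Problems that would make telnetd's krb5_rd_req fail; data=None means no file."""
    if data is None:
        return ["/etc/krb5.keytab missing (krb5_rd_req: No such file or directory)"]
    try:
        principals = {p for p, _, _ in parse_keytab(data)}
    except (ValueError, struct.error) as exc:
        return [f"keytab unreadable: {exc}"]
    want = f"host/{fqdn}@{realm}"
    return [] if want in principals else [f"{want} not in keytab"]

def wrap_inetd(conf):
    """Route Kerberos services through tcpd, leaving lines that already use it alone.
    Returns (rewritten inetd.conf, names of the services changed)."""
    out, changed = [], []
    for line in conf.splitlines():
        f = line.split()  # service socket proto wait user server-path argv...
        if len(f) < 6 or f[0] not in KRB_SERVICES or os.path.basename(f[5]) == "tcpd":
            out.append(line)
            continue
        # tcpd execs the absolute path given as its argv[0], so the bare daemon
        # name in the old argv[0] is replaced by the full server path.
        out.append(" ".join(f[:5] + [TCPD_PATH, f[5]] + f[7:]))
        changed.append(f[0])
    return "\n".join(out) + "\n", changed

# Constructed samples: a keytab with only fncdf90's host key (dummy all-zero key,
# enctype 1 = des-cbc-crc, pilot realm assumed) and an inetd.conf where ftp alone
# is already wrapped.
SAMPLE_KEYTAB = build_keytab([("host/fncdf90.fnal.gov@PILOT.FNAL.GOV", 2, 1, bytes(8))])
SAMPLE_INETD = """\
ftp     stream tcp nowait root /usr/sbin/tcpd /usr/krb5/sbin/ftpd -a
telnet  stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -a valid
klogin  stream tcp nowait root /usr/krb5/sbin/klogind klogind -k -c
eklogin stream tcp nowait root /usr/krb5/sbin/klogind klogind -k -c -e
finger  stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
"""

if __name__ == "__main__":
    for data in (None, SAMPLE_KEYTAB):
        print(check_keytab(data, "fncdf90.fnal.gov", "PILOT.FNAL.GOV") or "keytab OK")
    print(wrap_inetd(SAMPLE_INETD)[0])
```

On a real host, pass open("/etc/krb5.keytab", "rb").read() (or None if the file is absent) to check_keytab and the contents of /etc/inetd.conf to wrap_inetd, then HUP inetd; wrap_inetd is idempotent, so running it over a file that is already wrapped changes nothing, which is the "preserve existing tcpwrappers usage" behaviour Matt describes.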
From kreymer@fnal.gov Fri Mar 2 17:30:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA27138 for ; Fri, 2 Mar 2001 17:30:03 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L009TLF2QP6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 17:11:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102712@listserv.fnal.gov>; Fri, 02 Mar 2001 17:11:15 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 444037 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 17:11:15 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102711@listserv.fnal.gov>; Fri, 02 Mar 2001 17:11:15 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00EEVF2QE5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 17:11:14 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id RAA17064 for ; Fri, 02 Mar 2001 17:11:12 -0600 (CST) Date: Fri, 02 Mar 2001 17:11:12 -0600 (CST) From: Tim Zingelman Subject: Re: Install questions In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 955 > > == What are the 'locally-added or configured' features in the ups/upd > > == distribution that we might want to implement? I read this question as, after I understand everything there is to know about kerberos outside fermilab, what else do I need to know. 
I hope that the answer is a short specific list of items. I don't need anyone to digest and regurgitate the existing generic kerberos documentation, or make a checklist for me... :) I just need to know about any fermi specific details. Perhaps the entire answer is: ftp://ftp.fnal.gov/products/krb5conf/v1_1/NULL/krb5conf_v1_1_NULL/ups/krb5.conf.template If not I'd be glad to hear more... Thanks, - Tim From kreymer@fnal.gov Fri Mar 2 17:30:03 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA27141 for ; Fri, 2 Mar 2001 17:30:03 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00CMRFAXM4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 17:16:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010271C@listserv.fnal.gov>; Fri, 02 Mar 2001 17:16:09 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 444047 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 17:16:09 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010271B@listserv.fnal.gov>; Fri, 02 Mar 2001 17:16:09 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00GCCFAXDC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 17:16:09 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA28873 for ; Fri, 02 Mar 2001 17:16:08 -0600 (CST) Date: Fri, 02 Mar 2001 17:16:08 -0600 From: Matt Crawford Subject: Re: Install questions In-reply-to: "02 Mar 2001 14:28:25 CST." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200103022316.RAA28873@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 956 I'm not going to weigh in on the whole "UPS: threat or menace?" issue until after a cooling-off weekend. Answering what seems to be a question of "what do we lose if we just go and get Kerberos from MIT, or an existing FreeBSD port, or an existing Redhat rpm?" I can cite off the top of my head: 1. Cryptocard logins through telnet and ftp. That's the big one. But there's also 2. The tools to do authentication of users' cron jobs. (You could do the same job without them, but it would amount to either reinventing the wheel or doing something dreadfully insecure.) 3. Flexible fallback to a non-Kerberized client if you default to encryption "on" but connect to a non-Kerberos server. 4. An ftp client that plays nicely with Emacs' efs mode. 5. Depending which MIT version your software base comes from, it may have buffer overflows or other bugs which are fixed here. (All but one of those bugs are fixed in MIT 1.2.2, but that's only been out for two days.) There are probably a few other minor things. 
From kreymer@fnal.gov Fri Mar 2 17:57:50 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA27174 for ; Fri, 2 Mar 2001 17:57:50 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00K19H8DO1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 02 Mar 2001 17:57:50 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102772@listserv.fnal.gov>; Fri, 02 Mar 2001 17:57:50 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 444137 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 02 Mar 2001 17:57:50 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00102771@listserv.fnal.gov>; Fri, 02 Mar 2001 17:57:50 -0600 Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9L00CSWH8DM4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 02 Mar 2001 17:57:49 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id RAA17326 for ; Fri, 02 Mar 2001 17:57:47 -0600 (CST) Date: Fri, 02 Mar 2001 17:57:47 -0600 (CST) From: Tim Zingelman Subject: Re: Install questions In-reply-to: <200103022316.RAA28873@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 957 On Fri, 2 Mar 2001, Matt Crawford wrote: > Answering what seems to be a question of "what do we lose if we just > go and get Kerberos from MIT, or an existing FreeBSD port, or an > existing Redhat rpm?" 
I can cite off the top of my head: > > 1. Cryptocard logins through telnet and ftp. > > That's the big one. But there's also > > 2. The tools to do authentication of users' cron jobs. (You could do > the same job without them, but it would amount to either reinventing > the wheel or doing something dreadfully insecure.) > > 3. Flexible fallback to a non-Kerberized client if you default to > encryption "on" but connect to a non-Kerberos server. > > 4. An ftp client that plays nicely with Emacs' efs mode. > > 5. Depending which MIT version your software base comes from, it may > have buffer overflows or other bugs which are fixed here. (All but > one of those bugs are fixed in MIT 1.2.2, but that's only been out > for two days.) > > There are probably a few other minor things. I guess my question would be how can we NOT lose all these things, if we can't use the fermi packages? Several of our most critical machines are indeed running FreeBSD. I hope that the patches/scripts/documentation/mailing-list used and generated for internal use of the fermi package maintainers can be made available to those of us who would find them useful. 
- Tim

From kreymer@fnal.gov Sat Mar 3 14:54:17 2001 -0600
Date: Sat, 03 Mar 2001 14:54:14 -0600
From: Steven Timm
Subject: Re: krb5_rd_req failed..
In-reply-to: <200103022241.QAA28664@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

Yes... it got blown away in a reinstall of the machine and wasn't saved
in the place I save all the rest of them.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 2 Mar 2001, Matt Crawford wrote:

> That looks to me like /etc/krb5.keytab is missing. My first guess is
> that the kerberos telnetd was installed but the install-hostkeys step
> was deferred and never performed, but checking the stats on the
> principal host/fncdf90.fnal.gov, it looks like it was done on Wed Jan
> 24 16:25:53 CST 2001.
>
> Have a look and see if something happened to the keytab file.

From kreymer@fnal.gov Mon Mar 5 08:36:23 2001 -0600
Date: Mon, 05 Mar 2001 08:26:12 -0600
From:
 Matt Crawford
Subject: systools and kerberos
To: kerberos-pilot@fnal.gov
Message-id: <200103051426.IAA12952@gungnir.fnal.gov>

I wonder if it's time for cmdscriptsuser to get Kerberos-smarts and
always put an invalid encrypted-password field, such as "*" or "x", in
place for new users it adds, if the host on which it runs is Kerberized.

The admin could get the same effect by remembering to "disuser" each new
user, which brings up another issue -- cmd disuser won't actually
disable a user if Kerberos-based login is available. Or .rhosts-,
.shosts- or RSA key-based for that matter!

From kreymer@fnal.gov Mon Mar 5 08:36:24 2001 -0600
Date: Mon, 05 Mar 2001 08:30:04 -0600
From: Jim Fromm
Subject: Re: Install questions
To: kerberos-pilot@fnal.gov
Message-id: <3AA3A2EC.7386CDDC@fnal.gov>
References: <200103022316.RAA28873@gungnir.fnal.gov>

Matt Crawford wrote:
>
> I'm not going to weigh in on the whole "UPS: threat or menace?" issue
> until after a cooling-off weekend.
>
> Answering what seems to be a question of "what do we lose if we just
> go and get Kerberos from MIT, or an existing FreeBSD port, or an
> existing Redhat rpm?" I can cite off the top of my head:
>
> 1. Cryptocard logins through telnet and ftp.
>
> That's the big one. But there's also

And I would add cryptocard login via ssh as well.

>
> 2. The tools to do authentication of users' cron jobs. (You could do
> the same job without them, but it would amount to either reinventing
> the wheel or doing something dreadfully insecure.)
>
> 3. Flexible fallback to a non-Kerberized client if you default to
> encryption "on" but connect to a non-Kerberos server.
>
> 4. An ftp client that plays nicely with Emacs' efs mode.
>
> 5. Depending which MIT version your software base comes from, it may
> have buffer overflows or other bugs which are fixed here. (All but
> one of those bugs are fixed in MIT 1.2.2, but that's only been out
> for two days.)
>
> There are probably a few other minor things.

--
-------------------------------------------------------------
Jim Fromm Fermi National Accelerator Laboratory fromm@fnal.gov P.O.
Box 500 630-840-8483 MS 369 Batavia, IL 60510
-------------------------------------------------------------

From kreymer@fnal.gov Mon Mar 5 09:16:03 2001 -0600
Date: Mon, 05 Mar 2001 09:16:47 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
To: kerberos-pilot@fnal.gov

Let me add to Tim's point here. The UPS/UPD packagers of Fermi Kerberos
must have done a lot of work to get all of these enhancements working.
They must also have some documentation on how they got them working.
Provide us with the documentation and let us implement these
enhancements...

michael

On Fri, 2 Mar 2001, Tim Zingelman wrote:

> On Fri, 2 Mar 2001, Matt Crawford wrote:
>
> > Answering what seems to be a question of "what do we lose if we just
> > go and get Kerberos from MIT, or an existing FreeBSD port, or an
> > existing Redhat rpm?" I can cite off the top of my head:
> >
> > 1. Cryptocard logins through telnet and ftp.
> >
> > That's the big one. But there's also
> >
> > 2. The tools to do authentication of users' cron jobs. (You could do
> > the same job without them, but it would amount to either reinventing
> > the wheel or doing something dreadfully insecure.)
> >
> > 3. Flexible fallback to a non-Kerberized client if you default to
> > encryption "on" but connect to a non-Kerberos server.
> >
> > 4. An ftp client that plays nicely with Emacs' efs mode.
> >
> > 5. Depending which MIT version your software base comes from, it may
> > have buffer overflows or other bugs which are fixed here. (All but
> > one of those bugs are fixed in MIT 1.2.2, but that's only been out
> > for two days.)
> >
> > There are probably a few other minor things.
>
> I guess my question would be how can we NOT lose all these things, if we
> can't use the fermi packages? Several of our most critical machines are
> indeed running FreeBSD.
>
> I hope that the patches/scripts/documentation/mailing-list used and
> generated for internal use of the fermi package maintainers can be made
> available to those of us who would find them useful.
>
> - Tim
>

From kreymer@fnal.gov Mon Mar 5 12:06:55 2001 -0600
Date: Mon, 05 Mar 2001 12:05:46 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7613ED69@csdserver2.fnal.gov>

This reminder created on 3/5/01 12:03:35 PM

Ticket 16559 has been assigned to you. This is a reminder that the
ticket is not yet resolved.

Status : Assigned
First Name : DANE
Last Name (+) : SKOW
Phone : 4730
E-Mail Address : DANE@FNAL.GOV
Incident Time : 2/7/01 5:02:09 PM
System Name : UNFERTH
Problem Category : Software
Type : Utilities
Item : Kerberos
Urgency : Medium
Short Description : expiring password and screensaver
Problem Description :
I just ran into something that may be a minor wave of confusion: my
password expired and this means your screensaver lock breaks. Since I
run a Linux screensaver and have the KRB5 PAM module installed it
refreshes my kerberos ticket (actually gets a new one) every time I
unlock my screensaver. This has the nice feature that I very rarely have
to relogin to my box or do an explicit kinit. However, since there is no
error message from the screensaver (other than refusal to unlock)
figuring out the cause of the problem took a little bit. The error
message on an explicit kinit was crystal clear once I thought to issue
that. I saw no reminder that my password was nearly expired. Is there
any mechanism in place now ? planned ? At a minimum, we should add this
to the helpdesk usual answers (like caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Mar 5 14:55:46 2001 -0600
Date: Mon, 05 Mar 2001 14:55:12 -0600
From: Matt Crawford
Subject: PILOT.FNAL.GOV master KDC reboot coming up
To: kerberos-announce@fnal.gov
Message-id: <200103052055.OAA17999@gungnir.fnal.gov>

The master KDC krb-pilot-1 will be rebooted at 15:30 for a software
upgrade. The outage should be short and the slave will take up the load.
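Matt's "systools and kerberos" note above makes a point a host administrator would want to check for: a "disuser"-style lock on the password field does not disable an account that can still be reached through Kerberos (.k5login), rhosts-style trust (.rhosts/.shosts) or an RSA key (.ssh/authorized_keys). The script below is an added example, not code from this thread, from Fermi systools or from MIT Kerberos. It audits a passwd/shadow pair and each home directory for accounts whose password field is locked but which still carry one of those alternate login paths. The sample accounts, the placeholder hash and key, the file layout and the uid cutoff of 1000 are all constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or from Fermi systools): find accounts
# whose shadow password field is locked but which still have a Kerberos,
# rhosts-style or SSH-key login path in their home directory.

# Classify a shadow password field. Empty, "x", and fields starting with
# "*" or "!" are the conventional "no usable password" markers, including
# the "*" / "x" Matt proposes cmdscriptsuser should write for new users.
pw_state() {
    case "$1" in
        ''|x|'*'*|'!'*) echo locked ;;
        *) echo usable ;;
    esac
}

# Build a constructed passwd/shadow pair and home directories under a
# temporary root, and print that root. The hash and the key are placeholders.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/home/alice" "$root/home/bob" "$root/home/carol/.ssh"
    cat > "$root/passwd" <<EOF
root:x:0:0:root:$root/root:/bin/sh
alice:x:1001:1001:Alice:$root/home/alice:/bin/sh
bob:x:1002:1002:Bob:$root/home/bob:/bin/sh
carol:x:1003:1003:Carol:$root/home/carol:/bin/sh
EOF
    cat > "$root/shadow" <<'EOF'
root:*:11000:0:99999:7:::
alice:$1$constructed$NOTAREALHASH000000000:11000:0:99999:7:::
bob:*:11000:0:99999:7:::
carol:!:11000:0:99999:7:::
EOF
    # bob is "disabled" by password but reachable via Kerberos and rhosts;
    # carol is "disabled" by password but reachable via an SSH key.
    echo 'alice@FNAL.GOV' > "$root/home/bob/.k5login"
    echo 'trusted.example.com alice' > "$root/home/bob/.rhosts"
    echo 'ssh-rsa AAAAconstructedkey carol' > "$root/home/carol/.ssh/authorized_keys"
    echo "$root"
}

# For every non-system account (uid >= 1000, an assumed cutoff), print
# "<user> pw=<locked|usable> alt=<comma-separated alternate paths|none>".
audit_logins() {
    passwd_file=$1
    shadow_file=$2
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ "$uid" -ge 1000 ] || continue
        field=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
        alt=""
        for f in .k5login .rhosts .shosts .ssh/authorized_keys; do
            if [ -s "$home/$f" ]; then
                alt="$alt${alt:+,}$f"
            fi
        done
        printf '%s pw=%s alt=%s\n' "$user" "$(pw_state "$field")" "${alt:-none}"
    done < "$passwd_file"
}

# Stand-alone run against the constructed sample.
root=$(make_sample)
audit_logins "$root/passwd" "$root/shadow"
rm -rf "$root"
```

Run as root against the real /etc/passwd and /etc/shadow, any line reporting pw=locked with alt other than none is an account that a password-field lock alone, as Matt describes cmd disuser, has not actually disabled.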
From kreymer@fnal.gov Tue Mar 6 10:56:12 2001 -0600
Date: Tue, 06 Mar 2001 10:52:50 -0600 (CST)
From: Michael Kriss
Subject: startx problem
To: kerberos-pilot@fnal.gov

I've installed MIT kerberos on a linux system and, with the Fermi
krb5.conf file, I've got some basic services working. Now I want to turn
off all non-kerberized access to this machine. I've replaced the login
program with login.krb5. I can login using the kerberos passphrase but
when I try to start up X I get an error.

Basically the error is cannot get console permissions. I've tracked this
to (I believe) the fact that the kerberos login program does not do any
of the pam modules. For the default login pam module there is an entry
pam_console.so that I think is supposed to create
/var/lock/console.lock. This file usually contains the name of the user
who has access to the console. Apparently X won't start without this.

What is the workaround for this under Fermi RedHat Linux? I don't want
to do something stupid (manually create the file, install a third party
pam module) that might compromise the kerberos implementation on this
machine. Thanks...

michael

From kreymer@fnal.gov Tue Mar 6 10:56:12 2001 -0600
Date: Tue, 06
 Mar 2001 10:55:37 -0600 (CST)
From: Steven Timm
Subject: Re: startx problem
To: Michael Kriss
Cc: kerberos-pilot@fnal.gov

The default behavior of X under Fermi Linux, and Fermi Kerberos, is that
the X login by default does not get you a kerberos ticket. You have to
log in with some normal password. I understand that it can be fixed but
it is not the default in the Fermi Linux distribution. If anyone has
made it work, let us all know.

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 6 Mar 2001, Michael Kriss wrote:

> I've installed MIT kerberos on a linux system and, with the Fermi krb5.conf
> file, I've got some basic services working. Now I want to turn off all
> non-kerberized access to this machine. I've replaced the login program with
> login.krb5. I can login using the kerberos passphrase but when I try to start
> up X I get an error.
>
> Basically the error is cannot get console permissions. I've tracked this to (I
> believe) the fact that the kerberos login program does not do any of the pam
> modules. For the default login pam module there is an entry pam_console.so that
> I think is supposed to create /var/lock/console.lock. This file usually
> contains the name of the user who has access to the console. Apparently X won't
> start without this.
>
> What is the workaround for this under Fermi RedHat Linux? I don't want to do
> something stupid (manually create the file, install a third party pam module)
> that might compromise the kerberos implementation on this machine. Thanks...
>
> michael
>

From kreymer@fnal.gov Tue Mar 6 11:09:31 2001 -0600
Date: Tue, 06 Mar 2001 11:03:35 -0600 (CST)
From: Michael Kriss
Subject: Re: startx problem
To: kerberos-pilot@fnal.gov

On Tue, 6 Mar 2001, Steven Timm wrote:

> The default behavior of X under Fermi Linux, and Fermi Kerberos,
> is that the X login by default does not get you a kerberos ticket.
> You have to log in with some normal password.
>

What do you mean by 'X login'?
I have already logged into the machine at the console and I simply want
to start X (startx, not xdm). After I have logged in I can see my
tickets (?) with klist...

michael

From kreymer@fnal.gov Tue Mar 6 11:24:51 2001 -0600
Date: Tue, 06 Mar 2001 11:24:48 -0600 (CST)
From: Steven Timm
Subject: Re: kdc troubles
To: kerberos-pilot@fnal.gov

Around the time of the kdc master reboot yesterday, users on the cdf
farms reported some troubles. I am wondering if these could be connected
to the outage of the KDC. It is my guess that the first one is not and
the second one might be:

>One of my daemons tried to copy a file from fncdf8, but it got the
>following reply:
>rcp: kcmd to host fncdf8 failed - No credentials cache found

>Also, when I was trying to refresh my tgt (which was good till 03/06 -
>i.e.
>today), I was not able to, I had to get a new renewable ticket...

Since the daemons referred to above are run by a user id which is
accessed by several different people, each with a different principal,
is it possible that they could clobber each other's credential caches on
the local machine? Or is this referring to a cache that is on the KDC?

Steve Timm

From kreymer@fnal.gov Tue Mar 6 11:40:35 2001 -0600
Date: Tue, 06 Mar 2001 11:41:53 -0600
From: "Mark O.
Kaletka" Subject: RE: kdc troubles In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 969 The credentials cache referred to would be the local one, not on the KDC. This is the error you'd expect to see if you had no tickets -- or they got clobbered -- and I wouldn't expect it to be related to rebooting the KDC. If several principals are validated into the same account I suppose this could happen. Do a klist and see what the ticket caches are set to, and/or the value of the KRB5CCNAME environment variable. If they match, they're over-writing their ticket caches. Did the user get the same error renewing the TGT? Or a different error? -- Mark K. > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > Sent: Tuesday, March 06, 2001 11:25 AM > To: kerberos-pilot@fnal.gov > Subject: Re: kdc troubles > > > Around the time of the kdc master reboot yesterday, users on the cdf > farms reported some troubles. I am wondering if these could be connected > to the outage of the KDC. It is my guess that the first one is not > and the second one might be: > > > >One of my daemons tried to copy a file from fncdf8, but it got the > >following reply: > >rcp: kcmd to host fncdf8 failed - No credentials cache found > > >Also, when I was trying to refresh my tgt (which was good till 03/06 - > >i.e. > >today), I was not able to, I had to get a new renewable ticket... 
>
>
> Since the daemons referred to above are run by a user id which is
> accessed by several different people, each with a different principal,
> is it possible that they could clobber each other's credential caches on
> the local machine?
> Or is this referring to a cache that is on the KDC?
>
> Steve Timm
>

From kreymer@fnal.gov Tue Mar 6 22:26:30 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id WAA01690 for ; Tue, 6 Mar 2001 22:26:30 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9T00DRK8C5SL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 06 Mar 2001 22:26:30 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001075A7@listserv.fnal.gov>; Tue, 06 Mar 2001 22:26:29 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 3354 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 06 Mar 2001 22:26:29 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001075A6@listserv.fnal.gov>; Tue, 06 Mar 2001 22:26:29 -0600
Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9T00EPJ8C4J8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 06 Mar 2001 22:26:28 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id WAA15394 for ; Tue, 06 Mar 2001 22:26:27 -0600 (CST)
Date: Tue, 06 Mar 2001 22:26:27 -0600 (CST)
From: Tim Zingelman
Subject: Re: Install questions
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status:
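The cache-collision check that Mark K. describes above (compare klist output and KRB5CCNAME across the logins of a shared account), as an added shell example that is not part of the list thread. The per-session cache layout `/tmp/krb5cc_<uid>_<tag>` is an assumption of this example; the MIT default that every login of the account otherwise shares is `/tmp/krb5cc_<uid>`. The session list is constructed sample data, not real klist output.

```shell
#!/bin/sh
# Added example (not from the thread): keep the credential caches of several
# principals that share one Unix account from overwriting each other.
# Assumed layout for private caches: /tmp/krb5cc_<uid>_<tag>. The MIT default,
# /tmp/krb5cc_<uid>, is what every login of the shared account gets otherwise.

# Name a per-session cache for a uid and a tag (the shell's $$, a job id, ...).
private_ccache() {
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$1" "$2"
}

# Read "<principal> <KRB5CCNAME>" lines (one per active login) on stdin and
# print "<cache> <principal,principal,...>" for every cache that more than one
# principal points at: those are the caches the next kinit will clobber.
# Input is sorted first so the output is stable.
find_shared_caches() {
    sort | awk '
        $2 == "" { next }        # skip malformed lines
        {
            n[$2]++
            who[$2] = (n[$2] == 1) ? $1 : who[$2] "," $1
        }
        END { for (c in n) if (n[c] > 1) print c, who[c] }
    ' | sort
}

# Constructed sample: what you might collect by running "klist" in each of
# three login sessions of the shared account (uid 1001). Two people left
# KRB5CCNAME at the default; one exported a private cache.
sample_sessions() {
    printf '%s\n' \
        'bob@FNAL.GOV FILE:/tmp/krb5cc_1001' \
        'alice@FNAL.GOV FILE:/tmp/krb5cc_1001' \
        "carol@FNAL.GOV $(private_ccache 1001 s3)"
}

# Typical use in the daemon's start-up script, before kinit:
#   KRB5CCNAME=$(private_ccache "$(id -u)" "$$"); export KRB5CCNAME
```

Running `sample_sessions | find_shared_caches` reports the default cache as shared by alice and bob, which is the situation in which one person's kinit silently replaces the other's tickets and the daemon later fails with "No credentials cache found" or with the wrong principal.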
RO
X-Status:
X-Keywords:
X-UID: 970

Can someone please let me know who to contact about this? The kerberos product info page at:

http://cddocs.fnal.gov/cfdocs/productsDB/proddetail.cfm?ProdNum=PU0367

just has "CD/DCD" as contact person for this product. Thanks.

- Tim

On Fri, 2 Mar 2001, Tim Zingelman wrote:

> On Fri, 2 Mar 2001, Matt Crawford wrote:
>
> > Answering what seems to be a question of "what do we lose if we just
> > go and get Kerberos from MIT, or an existing FreeBSD port, or an
> > existing Redhat rpm?" I can cite off the top of my head:
> >
> > 1. Cryptocard logins through telnet and ftp.
> >
> > That's the big one. But there's also
> >
> > 2. The tools to do authentication of users' cron jobs. (You could do
> > the same job without them, but it would amount to either reinventing
> > the wheel or doing something dreadfully insecure.)
> >
> > 3. Flexible fallback to a non-Kerberized client if you default to
> > encryption "on" but connect to a non-Kerberos server.
> >
> > 4. An ftp client that plays nicely with Emacs' efs mode.
> >
> > 5. Depending which MIT version your software base comes from, it may
> > have buffer overflows or other bugs which are fixed here. (All but
> > one of those bugs are fixed in MIT 1.2.2, but that's only been out
> > for two days.)
> >
> > There are probably a few other minor things.
>
> I guess my question would be how can we NOT lose all these things, if we
> can't use the fermi packages? Several of our most critical machines are
> indeed running FreeBSD.
>
> I hope that the patches/scripts/documentation/mailing-list used and
> generated for internal use of the fermi package maintainers can be made
> available to those of us who would find them useful.
>
> - Tim

From kreymer@fnal.gov Wed Mar 7 09:32:49 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA13221 for ; Wed, 7 Mar 2001 09:32:49 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00EMP36NJE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 09:32:48 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107A70@listserv.fnal.gov>; Wed, 07 Mar 2001 09:32:48 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 4719 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 09:32:48 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107A6F@listserv.fnal.gov>; Wed, 07 Mar 2001 09:32:48 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U00EQB36NIB@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 09:32:47 -0600 (CST)
Received: (qmail 19312 invoked from network); Wed, 07 Mar 2001 09:32:46 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Wed, 07 Mar 2001 09:32:46 -0600
Date: Wed, 07 Mar 2001 09:33:46 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 971

In the associated documentation:

http://www.fnal.gov/docs/products/kerberos/

there are details regarding /etc/services, /etc/inetd.conf and hostkeys. This is the kind of information I was requesting with my original email.
This information may be helpful to those who do not wish to use UPS/UPD to install kerberos...

michael

On Tue, 6 Mar 2001, Tim Zingelman wrote:

> Can someone please let me know who to contact about this? The kerberos
> product info page at:
>
> http://cddocs.fnal.gov/cfdocs/productsDB/proddetail.cfm?ProdNum=PU0367
>
> just has "CD/DCD" as contact person for this product. Thanks.
>
> - Tim
>
> On Fri, 2 Mar 2001, Tim Zingelman wrote:
>
> > On Fri, 2 Mar 2001, Matt Crawford wrote:
> >
> > > Answering what seems to be a question of "what do we lose if we just
> > > go and get Kerberos from MIT, or an existing FreeBSD port, or an
> > > existing Redhat rpm?" I can cite off the top of my head:
> > >
> > > 1. Cryptocard logins through telnet and ftp.
> > >
> > > That's the big one. But there's also
> > >
> > > 2. The tools to do authentication of users' cron jobs. (You could do
> > > the same job without them, but it would amount to either reinventing
> > > the wheel or doing something dreadfully insecure.)
> > >
> > > 3. Flexible fallback to a non-Kerberized client if you default to
> > > encryption "on" but connect to a non-Kerberos server.
> > >
> > > 4. An ftp client that plays nicely with Emacs' efs mode.
> > >
> > > 5. Depending which MIT version your software base comes from, it may
> > > have buffer overflows or other bugs which are fixed here. (All but
> > > one of those bugs are fixed in MIT 1.2.2, but that's only been out
> > > for two days.)
> > >
> > > There are probably a few other minor things.
> >
> > I guess my question would be how can we NOT lose all these things, if we
> > can't use the fermi packages? Several of our most critical machines are
> > indeed running FreeBSD.
> >
> > I hope that the patches/scripts/documentation/mailing-list used and
> > generated for internal use of the fermi package maintainers can be made
> > available to those of us who would find them useful.
> >
> > - Tim
>

From kreymer@fnal.gov Wed Mar 7 11:50:43 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA15466 for ; Wed, 7 Mar 2001 11:50:43 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U003NI9KHKN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 11:50:42 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107C9E@listserv.fnal.gov>; Wed, 07 Mar 2001 11:50:41 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 5324 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 11:50:41 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107C9D@listserv.fnal.gov>; Wed, 07 Mar 2001 11:50:41 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U000QQ9KGYI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 11:50:41 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA14113 for ; Wed, 07 Mar 2001 11:50:40 -0600
Date: Wed, 07 Mar 2001 11:50:40 -0600
From: "Isabeau's mom"
Subject: problem with KDC??
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3AA674F0.AFBEE396@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 972

i just received this error from a cron job running on rip2 and rshing to rip1.
this cron job had been running fine for days.-

kcmd: Error getting forwarded creds (Cannot contact any KDC for requested realm)
rsh: kcmd to host rip1 failed - Cannot contact any KDC for requested realm
trying normal rsh (/usr/bin/rsh)
WARNING: NO ENCRYPTION!
rsh: invalid option -- f
usage: rsh [-nd] [-l login] host [command]

eileen

--
  _\ | | /_
  \\| ============================= |//
==O( ===== What do you want? ===== )O==
  _//| ============================= |\\_
  / | | \

From kreymer@fnal.gov Wed Mar 7 12:13:06 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA17586 for ; Wed, 7 Mar 2001 12:13:04 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00A5YALPDA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 12:13:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107CEF@listserv.fnal.gov>; Wed, 07 Mar 2001 12:13:01 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 5414 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 12:13:01 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00107CEE@listserv.fnal.gov>; Wed, 07 Mar 2001 12:13:01 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U003NJALPCX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 12:13:01 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA02158; Wed, 07 Mar 2001 12:13:01 -0600 (CST)
Date: Wed, 07 Mar 2001 12:13:00 -0600
From: Matt Crawford
Subject: Re: problem with KDC??
In-reply-to: "07 Mar 2001 11:50:40 CST."
<3AA674F0.AFBEE396@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200103071813.MAA02158@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 973

> i just received this error from a cron job running on rip2 and
> rshing to rip1. this cron job had been running fine for days.-
>
> kcmd: Error getting forwarded creds (Cannot contact any KDC for requested realm)

No, there's been no KDC outage. Maybe there was a network glitch? I suppose even a transient DNS failure could cause that as well.

From kreymer@fnal.gov Wed Mar 7 15:17:15 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA21268 for ; Wed, 7 Mar 2001 15:17:14 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00LD0J4PP2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 15:17:14 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108397@listserv.fnal.gov>; Wed, 07 Mar 2001 15:17:13 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7178 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 15:17:13 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108396@listserv.fnal.gov>; Wed, 07 Mar 2001 15:17:13 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U00JJIJ4PZD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 15:17:13 -0600 (CST)
Received: (qmail 22272 invoked from network); Wed, 07 Mar 2001 15:17:12 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Wed, 07 Mar 2001 15:17:12 -0600
Date: Wed, 07 Mar 2001 15:18:12
-0600 (CST)
From: Michael Kriss
Subject: Re: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 974

I have discovered two solutions to this problem:

1. Manually create the files /var/lock/console.lock and /var/lock/console/$USER

/var/lock/console.lock should contain the username of the owner of the console and it should not have a newline in the file. You can create this file by:

# printf "kriss" > /var/lock/console.lock

/var/lock/console/$USER can be empty but typically has a count of users who may have console access. This file, if not empty, should not have a newline. Create by:

# printf "1" > /var/lock/console/kriss

Both of these files should be root:root, 600.

2. Pam'ify login.krb5. I've done this with 10 lines of code. I can provide the details on this if anyone is interested.

michael

On Tue, 6 Mar 2001, Michael Kriss wrote:

> I've installed MIT kerberos on a linux system and, with the Fermi krb5.conf
> file, I've got some basic services working. Now I want to turn off all
> non-kerberized access to this machine. I've replaced the login program with
> login.krb5. I can login using the kerberos passphrase but when I try to start
> up X I get an error.
>
> Basically the error is cannot get console permissions. I've tracked this to (I
> believe) the fact that the kerberos login program does not do any of the pam
> modules. For the default login pam module there is an entry pam_console.so that
> I think is supposed to create /var/lock/console.lock. This file usually
> contains the name of the user who has access to the console. Apparently X won't
> start without this.
>
> What is the workaround for this under Fermi RedHat Linux? I don't want to do
> something stupid (manually create the file, install a third party pam module)
> that might compromise the kerberos implementation on this machine. Thanks...
>
> michael
>

From kreymer@fnal.gov Wed Mar 7 15:25:58 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA21276 for ; Wed, 7 Mar 2001 15:25:58 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U000ATJJ8BQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 15:25:57 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001083C6@listserv.fnal.gov>; Wed, 07 Mar 2001 15:25:57 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7228 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 15:25:57 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001083C5@listserv.fnal.gov>; Wed, 07 Mar 2001 15:25:56 -0600
Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00LFGJJ8P2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 15:25:56 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id PAA01495; Wed, 07 Mar 2001 15:25:54 -0600 (CST)
Date: Wed, 07 Mar 2001 15:25:54 -0600 (CST)
From: Tim Zingelman
Subject: Re: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: Michael Kriss
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 975

> 2. Pam'ify login.krb5. I've done this with 10 lines of code. I can provide the
> details on this if anyone is interested.
> michael

Yes, post the pam patch... I'm interested.
Have you heard anything from anyone here about patches to use the cryptocards? The website www.cryptocard.com looks like they might give you source patches if you sign up for the 30-day free trial...

- Tim

From kreymer@fnal.gov Wed Mar 7 16:00:38 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA21311 for ; Wed, 7 Mar 2001 16:00:38 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00MQJL513H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 16:00:37 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010844E@listserv.fnal.gov>; Wed, 07 Mar 2001 16:00:37 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7370 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 16:00:37 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010844D@listserv.fnal.gov>; Wed, 07 Mar 2001 16:00:37 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U00KS0L50ZP@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 16:00:36 -0600 (CST)
Received: (qmail 22653 invoked from network); Wed, 07 Mar 2001 16:00:35 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Wed, 07 Mar 2001 16:00:35 -0600
Date: Wed, 07 Mar 2001 16:01:35 -0600 (CST)
From: Michael Kriss
Subject: Re: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="-511475694-626620408-984002495=:1001"
Status: RO
X-Status:
X-Keywords:
X-UID: 976

This message is in MIME format.
The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info.

---511475694-626620408-984002495=:1001
Content-Type: TEXT/PLAIN; charset=US-ASCII

The patch is attached. Go to src/appl/bsd to apply it (1.2.2 source).

You will also need to create a file called /etc/pam.d/login.krb5 (root:root, 644) that contains:

session optional /lib/security/pam_console.so

You may also try:

session optional /lib/security/pam_console.so debug

if you run into problems.

Finally create /etc/security/console.apps/login.krb5:

# > /etc/security/console.apps/login.krb5

(root:root, 644).

Realize all I have done in this patch is enable the session module-type. If you want to add auth, account and/or password module-types you will have to code that yourself and you may compromise security by doing so.

Lastly, on my system, kerberos 1.2.2 does not handle utmp correctly. If I login to tty1 and also tty2, then logout of tty2 and on tty1 type:

% who

an entry still exists for the login on tty2. The MIT kerberos web page lists this as a known bug, so don't blame my patch (yet).

Use this patch at your own risk, I used to be a programmer ;^)

michael

On Wed, 7 Mar 2001, Tim Zingelman wrote:

> > 2. Pam'ify login.krb5. I've done this with 10 lines of code. I can provide the
> > details on this if anyone is interested.
> > michael
>
> Yes, post the pam patch... I'm interested.
>
> Have you heard anything from anyone here about patches to use the
> cryptocards? The website www.cryptocard.com looks like they might give
> you source patches if you sign up for the 30day free trial...
>
> - Tim
>

---511475694-626620408-984002495=:1001
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="pam.login.patch"
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:
Content-Disposition: attachment; filename="pam.login.patch"

--- login.c.orig	Tue Mar  6 15:13:27 2001
+++ login.c	Wed Mar  7 15:44:56 2001
@@ -81,6 +81,10 @@
 
 #include <libpty.h>
 
+/* begin pam stuff */
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+/* end pam stuff */
 #ifdef HAVE_UNISTD_H
 #include <unistd.h>
 #endif
@@ -1004,6 +1008,11 @@
     }
 }
 
+/* begin pam stuff */
+  int retcode;
+  pam_handle_t *pamh = NULL;
+  struct pam_conv conv = { misc_conv, NULL };
+/* end pam stuff */
 int main(argc, argv)
     int argc;
     char **argv;
@@ -1438,6 +1447,11 @@
     quietlog = access(HUSHLOGIN, F_OK) == 0;
     dolastlog(quietlog, tty);
 
+/* begin pam stuff */
+  retcode = pam_start("login.krb5", username, &conv, &pamh);
+  pam_set_item(pamh, PAM_TTY, tty);
+  pam_open_session(pamh, PAM_SILENT);
+/* end pam stuff */
     if (!hflag && !rflag && !kflag && !Kflag && !eflag) {	/* XXX */
 	static struct winsize win = { 0, 0, 0, 0 };
 
@@ -2394,6 +2408,10 @@
 #ifdef _IBMR2
     update_ref_count(-1);
 #endif
+/* begin pam stuff */
+   pam_close_session(pamh, PAM_SILENT);
+   pam_end(pamh, PAM_SUCCESS);
+/* end pam stuff */
 
     /* Leave */
     exit(0);

---511475694-626620408-984002495=:1001--

From kreymer@fnal.gov Wed Mar 7 16:02:50 2001 -0600
Return-Path:
Received: from heffalump
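Review bot: the two new `#include <security/pam_appl.h>` / `<security/pam_misc.h>` lines in the first hunk (`@@ -81,6 +81,10 @@`) are unconditional, while the `#ifdef HAVE_UNISTD_H` block right below them shows how this file guards platform-specific headers; on a host without Linux-PAM, login.c will no longer compile at all. Wrapping the added includes, and the other three "pam stuff" blocks, in one feature macro (something like `#ifdef HAVE_PAM`, set by configure) keeps login.krb5 buildable on the non-Linux systems the rest of the thread is worried about.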
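Review bot: in the second hunk (`@@ -1004,6 +1008,11 @@`) `retcode`, `pamh` and `conv` are declared at file scope, immediately above `int main(argc, argv)`, so they become globals visible to every function in login.c, and `retcode` is assigned later but never read anywhere. Since the handle is only needed in main() and on the exit path in the last hunk, declaring them inside main() (or passing `pamh` to the cleanup explicitly) keeps the scope tight and makes the unused `retcode` obvious.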
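Review bot: in the third hunk (`@@ -1438,6 +1447,11 @@`) the result of `pam_start("login.krb5", username, &conv, &pamh)` is stored in `retcode` but never tested, and the return values of `pam_set_item` and `pam_open_session` are dropped. If pam_start fails (no /etc/pam.d/login.krb5, a bad module path) `pamh` stays NULL and the next two calls operate on a null handle; if pam_open_session fails the user logs in without the console files, which is exactly the failure this patch is meant to cure, but now silently. Suggest `if (retcode != PAM_SUCCESS) { /* log it */ exit(1); }` after pam_start and the same check on pam_open_session, so a misconfigured PAM stack is reported instead of ignored.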
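Review bot: in the last hunk (`@@ -2394,6 +2408,10 @@`) `pam_close_session` and `pam_end` run only on the normal `/* Leave */` path before `exit(0)`, and `pam_end` is always given `PAM_SUCCESS` whatever the earlier calls returned. Any other way out of login.c after the session was opened leaves the pam_console session open and the console.lock files in place, and `pam_close_session(pamh, ...)` is also reached with a NULL handle when pam_start failed earlier. Consider doing the cleanup from a single exit routine shared by the other exit paths, guarding it on `pamh != NULL`, and passing the real status to pam_end so modules can tell a clean logout from an error.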
(heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA21320 for ; Wed, 7 Mar 2001 16:02:50 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U000JAL8PBQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 16:02:50 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108452@listserv.fnal.gov>; Wed, 07 Mar 2001 16:02:49 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7374 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 16:02:49 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108451@listserv.fnal.gov>; Wed, 07 Mar 2001 16:02:49 -0600
Received: from CUERVO ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U00KPYL8OJN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 16:02:48 -0600 (CST)
Date: Wed, 07 Mar 2001 16:04:28 -0600
From: "Mark O. Kaletka"
Subject: RE: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 977

Ummm, be careful, our KDC is using CryptoCards somewhat differently and just using the client from them will not work, I think. Someone who's CryptoCard-ified one of our clients will give better advice.

-- Mark K.
> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Tim
> Zingelman
> Sent: Wednesday, March 07, 2001 3:26 PM
> To: Michael Kriss
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: startx problem
>
>
> > 2. Pam'ify login.krb5. I've done this with 10 lines of code.
> I can provide the
> > details on this if anyone is interested.
> > michael
>
> Yes, post the pam patch... I'm interested.
>
> Have you heard anything from anyone here about patches to use the
> cryptocards? The website www.cryptocard.com looks like they might give
> you source patches if you sign up for the 30day free trial...
>
> - Tim
>

From kreymer@fnal.gov Wed Mar 7 16:11:08 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA21330 for ; Wed, 7 Mar 2001 16:11:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U00LRHLMJP2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 16:11:07 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108474@listserv.fnal.gov>; Wed, 07 Mar 2001 16:11:07 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7411 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 16:11:07 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108473@listserv.fnal.gov>; Wed, 07 Mar 2001 16:11:07 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U000KDLMIBQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 16:11:06 -0600 (CST)
Received: (qmail 22750 invoked from network); Wed, 07 Mar 2001 16:11:05 -0600
Received: from
darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Wed, 07 Mar 2001 16:11:05 -0600
Date: Wed, 07 Mar 2001 16:12:06 -0600 (CST)
From: Michael Kriss
Subject: Re: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 978

Doh! I forgot you also have to modify the Makefile in src/appl/bsd. I changed:

LOGINLIBS =

to:

LOGINLIBS = -lpam -lpam_misc

michael

On Wed, 7 Mar 2001, Tim Zingelman wrote:

> > 2. Pam'ify login.krb5. I've done this with 10 lines of code. I can provide the
> > details on this if anyone is interested.
> > michael
>
> Yes, post the pam patch... I'm interested.
>
> Have you heard anything from anyone here about patches to use the
> cryptocards? The website www.cryptocard.com looks like they might give
> you source patches if you sign up for the 30day free trial...
>
> - Tim
>

From kreymer@fnal.gov Wed Mar 7 16:12:15 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA21334 for ; Wed, 7 Mar 2001 16:12:15 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U0061QLOECS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 16:12:14 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108478@listserv.fnal.gov>; Wed, 07 Mar 2001 16:12:14 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 7415 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 16:12:14 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00108477@listserv.fnal.gov>; Wed, 07 Mar 2001 16:12:14 -0600
Received: from nova.fnal.gov ([131.225.18.207]) by
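The file layout that Michael's two messages above describe (the 600-mode console.lock files without a trailing newline, the session-only /etc/pam.d/login.krb5, the empty console.apps entry, and the LOGINLIBS change in src/appl/bsd/Makefile), as an added shell example that is not Michael's script or part of the MIT distribution. The `root` prefix argument is this example's own convention so the files can be laid down and checked in a scratch directory; on a real system it is the empty string. Ownership is only set when the script runs as root, since that is the one part that cannot be exercised unprivileged.

```shell
#!/bin/sh
# Added example (not from the thread): create and verify the console/PAM files
# for a PAM-ified login.krb5. "$1" is a root prefix ("" on a live system, a
# scratch directory when testing); "$2" is the console owner's username.

# Octal mode of a file; GNU stat first, BSD stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

install_console_files() {
    root="$1"; user="$2"
    mkdir -p "$root/etc/pam.d" "$root/etc/security/console.apps" "$root/var/lock/console"
    # Session-only PAM stack: pam_console runs, no auth/account/password types.
    printf 'session optional /lib/security/pam_console.so\n' > "$root/etc/pam.d/login.krb5"
    chmod 644 "$root/etc/pam.d/login.krb5"
    # Empty console.apps entry registers login.krb5 with pam_console.
    : > "$root/etc/security/console.apps/login.krb5"
    chmod 644 "$root/etc/security/console.apps/login.krb5"
    # Console owner and per-user count: printf without \n, so no newline.
    printf '%s' "$user" > "$root/var/lock/console.lock"
    printf '1' > "$root/var/lock/console/$user"
    chmod 600 "$root/var/lock/console.lock" "$root/var/lock/console/$user"
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$root/etc/pam.d/login.krb5" \
            "$root/etc/security/console.apps/login.krb5" \
            "$root/var/lock/console.lock" "$root/var/lock/console/$user"
    fi
}

# Returns 0 only if the invariants hold: 600 lock files with no newline and
# the right owner name, a 644 PAM file carrying exactly the session line.
check_console_files() {
    root="$1"; user="$2"
    lock="$root/var/lock/console.lock"
    [ "$(mode_of "$lock")" = 600 ] || return 1
    [ "$(mode_of "$root/var/lock/console/$user")" = 600 ] || return 1
    [ "$(mode_of "$root/etc/pam.d/login.krb5")" = 644 ] || return 1
    [ "$(mode_of "$root/etc/security/console.apps/login.krb5")" = 644 ] || return 1
    # $(cat ...) strips trailing newlines, so inspect the bytes with od instead.
    od -An -c "$lock" | grep -q '\\n' && return 1
    [ "$(cat "$lock")" = "$user" ] || return 1
    grep -q '^session[[:space:]]*optional[[:space:]]*/lib/security/pam_console\.so$' \
        "$root/etc/pam.d/login.krb5"
}

# Point src/appl/bsd/Makefile's LOGINLIBS at Linux-PAM (idempotent rewrite).
add_pam_loginlibs() {
    mk="$1"
    sed 's/^LOGINLIBS[[:space:]]*=.*$/LOGINLIBS = -lpam -lpam_misc/' "$mk" > "$mk.new" \
        && mv "$mk.new" "$mk"
    grep -q '^LOGINLIBS = -lpam -lpam_misc$' "$mk"
}

# Live use (as root): install_console_files "" kriss && check_console_files "" kriss
```

The newline check matters because `echo kriss > /var/lock/console.lock` is the natural thing to type and silently produces a file pam_console will not match; the verifier rejects it while accepting the printf form from the thread.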
smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U000JQLOD84@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 16:12:13 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id QAA03022; Wed, 07 Mar 2001 16:12:12 -0600 (CST)
Date: Wed, 07 Mar 2001 16:12:11 -0600 (CST)
From: Tim Zingelman
Subject: RE: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: "Mark O. Kaletka"
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 979

Can you please give me a contact name for one of these 'someone's? Because I've asked repeatedly on this list for just this advice (or patches) and gotten no response. Thanks.

- Tim

On Wed, 7 Mar 2001, Mark O. Kaletka wrote:

> Ummm, be careful, our KDC is using CryptoCards somewhat differently and just
> using the client from them will not work, I think. Someone who's
> CryptoCard-ified one of our clients will give better advice.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Tim
> > Zingelman
> > Sent: Wednesday, March 07, 2001 3:26 PM
> > To: Michael Kriss
> > Cc: kerberos-pilot@fnal.gov
> > Subject: Re: startx problem
> >
> >
> > > 2. Pam'ify login.krb5. I've done this with 10 lines of code.
> > I can provide the
> > > details on this if anyone is interested.
> > > michael
> >
> > Yes, post the pam patch... I'm interested.
> >
> > Have you heard anything from anyone here about patches to use the
> > cryptocards? The website www.cryptocard.com looks like they might give
> > you source patches if you sign up for the 30day free trial...
> >
> > - Tim
> >
>

From kreymer@fnal.gov Wed Mar 7 17:18:08 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA21528 for ; Wed, 7 Mar 2001 17:18:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9U007I0OQ64C@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 07 Mar 2001 17:18:07 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00109C13@listserv.fnal.gov>; Wed, 07 Mar 2001 17:18:07 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 13508 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 07 Mar 2001 17:18:07 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00109C12@listserv.fnal.gov>; Wed, 07 Mar 2001 17:18:07 -0600
Received: from CUERVO ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9U007HMOQ512@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 07 Mar 2001 17:18:06 -0600 (CST)
Date: Wed, 07 Mar 2001 17:19:45 -0600
From: "Mark O. Kaletka"
Subject: RE: startx problem
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
Importance: Normal
X-Priority: 3 (Normal)
X-MSMail-priority: Normal
Status: RO
X-Status:
X-Keywords:
X-UID: 980

The source code is in the product distribution and you can grab that off fnkits for either kerberos or ssh. Current versions of both have CryptoCard support built in and you can look there to see what was done, or if you want to build everything for, e.g. some other OS.
Quite frankly the developers have full plates at the moment so don't expect too much coaching.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Tim
> Zingelman
> Sent: Wednesday, March 07, 2001 4:12 PM
> To: Mark O. Kaletka
> Cc: kerberos-pilot@fnal.gov
> Subject: RE: startx problem
>
> Can you please give me a contact name for one of these 'someone's?
> Because I've asked repeatedly on this list for just this advice (or
> patches) and gotten no response. Thanks.
>
> - Tim
>
> On Wed, 7 Mar 2001, Mark O. Kaletka wrote:
>
> > Ummm, be careful, our KDC is using CryptoCards somewhat
> > differently and just
> > using the client from them will not work, I think. Someone who's
> > CryptoCard-ified one of our clients will give better advice.
> >
> > -- Mark K.
> >
> > > -----Original Message-----
> > > From: owner-kerberos-pilot@listserv.fnal.gov
> > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Tim
> > > Zingelman
> > > Sent: Wednesday, March 07, 2001 3:26 PM
> > > To: Michael Kriss
> > > Cc: kerberos-pilot@fnal.gov
> > > Subject: Re: startx problem
> > >
> > > > 2. Pam'ify login.krb5. I've done this with 10 lines of code.
> > > > I can provide the details on this if anyone is interested.
> > > > michael
> > >
> > > Yes, post the pam patch... I'm interested.
> > >
> > > Have you heard anything from anyone here about patches to use the
> > > cryptocards? The website www.cryptocard.com looks like they
> > > might give you source patches if you sign up for the 30-day free trial...
> > >
> > > - Tim

From kreymer@fnal.gov Wed Mar 7 17:32:19 2001 -0600
Date: Wed, 07 Mar 2001 17:32:15 -0600 (CST)
From: Tim Zingelman
Subject: RE: startx problem
To: kerberos-pilot@fnal.gov

> The source code is in the product distribution and you can grab that off
> fnkits for either kerberos or ssh.
> Current versions of both have CryptoCard
> support built in and you can look there to see what was done, or if you want
> to build everything for, e.g. some other OS.
>
> Quite frankly the developers have full plates at the moment so don't expect
> too much coaching.
>
> -- Mark K.

I'm not asking for coaching, nor anything that is a large time commitment. What I'd like is the patch files they use, (and what version they are against,) so I don't have to reverse engineer them by diffing the standard MIT release against the Fermi release. If that is what I must do, I can and I will, but it sure seems a waste since these files must be sitting on someone's disk already.

If anyone else on the list has already done this reverse engineering work, please speak up. If anyone is interested in the results of the work, that would be good to know too...

Just to be sure I don't break any rules, is there anything proprietary in the Fermi release that I'll be in trouble for revealing if I make the diffs available? If I make them available is anyone willing and able to put them on ftp.fnal.gov and point some documentation at them?
- Tim

From kreymer@fnal.gov Wed Mar 7 17:34:39 2001 -0600
Date: Wed, 07 Mar 2001 17:34:36 -0600 (CST)
From: "Marc W. Mengel"
Subject: Fermi-ified kerberos...
To: Michael Kriss
Cc: kerberos-pilot@fnal.gov

For all the gory details of the source and changes you can browse the CVS repository on the web, at:

    http://cdcvs.fnal.gov/cgi-bin/fnal-only/cvsweb.cgi/kerberos/

If you'd rather actually cvs checkout the sources, you can:

    cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd login

with password "curiosity", and then

    cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos

and you can do cvs updates to track any changes we make.
That's a read-only checkout, by the way.

Marc Mengel

From kreymer@fnal.gov Thu Mar 8 10:00:44 2001 -0600
Date: Wed, 07 Mar 2001 20:00:46 -0600
From: "Mark O. Kaletka"
Subject: Re: nu/TPU Support? (fwd)
To: gcooper@fnal.gov, Art Kreymer
Cc: cdfsys@fnal.gov, Mark Kaletka
Message-id: <014701c0a7e9$30a93cf0$a805e183@fnal.gov>

No, the maintenance is just that -- updates and technical support. We own the licenses and can continue to run at the current rev level until it breaks.

-- Mark K.

----- Original Message -----
From: "Glenn Cooper"
To: "Art Kreymer"
Cc: "Mark O. Kaletka"
Sent: Tuesday, March 06, 2001 4:12 PM
Subject: Re: nu/TPU Support? (fwd)

> I don't think there is any problem with freezing at the current
> version or with lowering the Fermilab support status.
>
> If we don't renew, will the current version still work? (Is the
> renewal only for support, or also for the license itself?) I have the
> impression that there are still a reasonable number of people using
> tpu on cdfsga. We could probably wean people off tpu and onto emacs
> with EDT/TPU emulation if necessary, but we might want to look more
> carefully--collect stats from a longer period of time--before deciding
> to drop the product, if that is in question.
>
> Glenn
>
> On Tue, 6 Mar 2001, Art Kreymer wrote:
>
> > FYI - cdfsga seems to use the 1995 vintage tpu,
> > so I suppose this is no problem for CDF run 1 analysis.
> >
> > ---------- Forwarded message ----------
> > Date: Tue, 06 Mar 2001 12:18:36 -0600
> > From: Mark O. Kaletka
> > To: ups@fnal.gov, fue-wg@fnal.gov, OSS Department
> > Subject: nu/TPU Support?
> >
> > The annual maintenance is due for the nu/TPU product. For those who don't
> > remember, this is the TPU emulator for UNIX and is currently supported for
> > TRU64, IRIX and SUN. I don't think this product is used much, if at all (in
> > August, during one week when we gathered such stats, it was setup exactly
> > four times). It is not on CDF or D0's list for Run II. So I propose to
> > freeze at the current version and move the support status to "maintenance"
> > or "minimal" and life cycle "deprecated". The renewal cost is $4050/year,
> > not a lot but also not zero.
> >
> > I'd appreciate rapid feedback since, if we renew, we have to generate the
> > paperwork. We need to do that before the end of the week. The default answer
> > will be to not renew.
> >
> > -- Mark K.

From kreymer@fnal.gov Thu Mar 8 11:02:15 2001 -0600
Date: Thu, 08 Mar 2001 11:02:12 -0600
From: Lynn Garren
Subject: kerberized web server?
To: kerberos-pilot@fnal.gov
Reply-to: garren@fnal.gov
Message-id: <200103081702.LAA10753@fnpspb.fnal.gov>

Has anyone kerberized a web server?
Is it straightforward?
Are there any issues that I should be aware of?
Thanks,
Lynn

From kreymer@fnal.gov Thu Mar 8 11:15:38 2001 -0600
Date: Thu, 08 Mar 2001 11:15:35 -0600
From: "Isabeau's mom"
Subject: getting tickets last night?
To: kerberos-pilot@fnal.gov
Message-id: <3AA7BE37.63E6A09A@fnal.gov>

hi,

there were 2 cron jobs that run as root on d0ensrv1 and stkensrv1. they run every 4 hours. suddenly last night the one that starts at 00:15 and at 04:15 were unable to get tickets.
here is the error they reported -

    Copying /diska/pnfs/db/sdss /diska/pnfs/db/info/../backup/sdss.60
    Transferred /diska/pnfs/db/info/../backup/sdss.60.Z 131.225.13.3:/diskc/pnfs-backup
    Copying /diska/pnfs/db/sdss-volmap /diska/pnfs/db/info/../backup/sdss-volmap.60
    kinit: Generic error (see e-text) while getting initial credentials
    rsh: kcmd to host 131.225.13.3 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh)
    WARNING: NO ENCRYPTION!
    rsh: invalid option -- f
    usage: rsh [-nd] [-l login] host [command]
    rsh: kcmd to host 131.225.13.3 failed - No credentials cache file found
    trying normal rsh (/usr/bin/rsh)
    WARNING: NO ENCRYPTION!
    131.225.13.3: Connection refused
    kdestroy: No credentials cache file found while destroying cache
    Ticket cache NOT destroyed!
    Remote df -k Command failed

the cron jobs run a script in order to be able to do rcps. here is what the script does -

    OLDKRB5CCNAME=${KRB5CCNAME:-NONE}
    KRB5CCNAME=/tmp/krb5cc_root_$$;export KRB5CCNAME
    ${krbdir}/kinit -k host/${thisHost}
    ${krbdir}/rcp "$@"
    ${krbdir}/kdestroy
    # if we had an old ticket cache, restore it
    if [ $OLDKRB5CCNAME != "NONE" ]; then KRB5CCNAME=$OLDKRB5CCNAME; fi

where krbdir is /usr/krb5/bin and thisHost is the stkensrv1.fnal.gov. the time the script received the error was around Thu Mar 8 01:18:06 CST 2001. the job starts at 00:00:15. the job is running fine again. could this be a network problem again as occurred yesterday earlier?

thanks,
eileen
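The script quoted above runs kinit, rcp and kdestroy unconditionally, which is why, once kinit failed, rcp still ran and fell through to plain rsh ("WARNING: NO ENCRYPTION!"), and why KRB5CCNAME is left pointing at a removed /tmp file whenever there was no previous cache. The following is an added example, not the script from the message nor any Fermilab code: a variant of that wrapper which stops when no host ticket is obtained and confines the temporary cache to a subshell; KRBDIR, KINIT, KDESTROY, THIS_HOST and run_with_host_ticket are names chosen here, and the default paths assume the same /usr/krb5/bin layout as the message.

```shell
#!/bin/sh
# Added example (not the posted script): get a host ticket for a root cron
# job, run ONE Kerberized command, clean up. Differences from the posted
# wrapper:
#   1. if kinit fails the command is not run at all, so rcp never reaches
#      its "trying normal rsh ... WARNING: NO ENCRYPTION!" fallback;
#   2. the temporary cache lives in a subshell, so the caller's KRB5CCNAME
#      is exactly what it was afterwards, including the case where it was
#      unset (the posted script leaves it set to a deleted /tmp file then).
# KRBDIR, KINIT, KDESTROY and THIS_HOST are names chosen for this example;
# the variables exist so a test can substitute stubs for the real binaries.

KRBDIR=${KRBDIR:-/usr/krb5/bin}          # where the kerberos product lives
KINIT=${KINIT:-$KRBDIR/kinit}
KDESTROY=${KDESTROY:-$KRBDIR/kdestroy}
THIS_HOST=${THIS_HOST:-$(hostname 2>/dev/null || echo localhost)}

# run_with_host_ticket CMD [ARG...]
# Exit status: 2 if no ticket could be obtained (CMD is not run),
#              otherwise the exit status of CMD.
run_with_host_ticket() {
    (
        set +e   # reach kdestroy even when CMD fails

        # mktemp creates the cache file exclusively under an unpredictable
        # name; a fixed /tmp/krb5cc_root_$$ name in a world-writable
        # directory is a classic race with other local users.
        cc=$(mktemp "${TMPDIR:-/tmp}/krb5cc_root_XXXXXX") || exit 2
        trap 'rm -f "$cc"' EXIT
        KRB5CCNAME="FILE:$cc"; export KRB5CCNAME

        # host/<fqdn> key is read from the default keytab (kinit -k).
        if ! "$KINIT" -k "host/$THIS_HOST"; then
            echo "run_with_host_ticket: no ticket for host/$THIS_HOST;" \
                 "refusing to run: $*" >&2
            exit 2
        fi

        "$@"
        rc=$?
        "$KDESTROY" >/dev/null 2>&1   # cache is gone whether or not CMD worked
        exit "$rc"
    )
}

# In the cron job from the message, the rcp call would become:
#   run_with_host_ticket "$KRBDIR/rcp" "$@"
```

With kinit stubbed out the wrapper can be exercised without a KDC, which is how the behaviour on kinit failure is checked.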

From kreymer@fnal.gov Thu Mar 8 11:54:12 2001 -0600
Date: Thu, 08 Mar 2001 11:55:09 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
To: kerberos-pilot@fnal.gov

Apparently the short answer to this question is:

The CD will not support this but, download the modified source from the CVS repository:

    cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos

then READ and UNDERSTAND the README.* files in
the ups/ directory. Then configure, compile and install. This should enable the 'locally-added or configured' features, including cryptocard and cron jobs.

This would allow those who will not be using UPS/UPD to have a fully functional Fermi Kerberos implementation. Correct me if I'm wrong here...

michael

On Fri, 2 Mar 2001, Michael Kriss wrote:

> We don't plan on using ups/upd. Has anyone installed and configured kerberos
> without using ups/upd? If not is there interest in a document on how to do
> this?
>
> What are the 'locally-added or configured' features in the ups/upd distribution
> that we might want to implement?
>
> Why is mixed-mode (ssh and kerberos) not allowed for on-site systems?
>
> michael

From kreymer@fnal.gov Thu Mar 8 12:11:10 2001 -0600
Date: Thu, 08 Mar 2001 12:11:06 -0600
From: Matt Crawford
Subject: Re: Install questions
In-reply-to: "08 Mar 2001 11:55:09 CST."
To: Michael Kriss
Cc: kerberos-pilot@fnal.gov
Message-id: <200103081811.MAA10781@gungnir.fnal.gov>

> Apparently the short answer to this question is:
>
> The CD will not support this but, download the modified source from the CVS
> repository:
>     cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos
> then READ and UNDERSTAND the README.* files in the ups/ directory. Then
> configure, compile and install. This should enable the 'locally-added or
> configured' features, including cryptocard and cron jobs.
>
> This would allow those who will not be using UPS/UPD to have a fully functional
> Fermi Kerberos implementation. Correct me if I'm wrong here...

As long as there are no OS-specific gotchas, this should work.
If you're running a Fermi-supported OS but not UPS, you can fetch the product tar file from fnkits.fnal.gov and untar it into /usr/krb5, then carry out the /etc/services, /etc/inetd.conf and /etc/krb5.keytab steps by hand, and get the krb5.conf file from the krb5conf product or another system.

That by-hand command to do the keytab file is (as root, assuming /usr/krb5/sbin is in your path, and the node name is pickle.fnal.gov)

    kadmin -q "ktadd host/pickle.fnal.gov" -p host/pickle.fnal.gov
    kadmin -q "ktadd ftp/pickle.fnal.gov" -p ftp/pickle.fnal.gov

and provide the password Yolanda gives you each time.

From kreymer@fnal.gov Thu Mar 8 12:17:51 2001 -0600
Date: Thu, 08 Mar 2001 12:17:49 -0600 (CST)
From: "David J. Fagan"
Subject: Re: Install questions
To: kerberos-pilot@fnal.gov
Message-id: <200103081817.MAA11723@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories

I don't understand how this installation and maintenance procedure would be easier than the existing temporary ups procedure.

-------------------------------------------------------------------------------
David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
SGI-liaison | Liaison Requests use SGI-liaison@fnal
Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
-------------------------------------------------------------------------------

On Thursday, Michael Kriss:

> Apparently the short answer to this question is:
>
> The CD will not support this but, download the modified source from the CVS
> repository:
>
> cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos
>
> then READ and UNDERSTAND the README.* files in the ups/ directory. Then
> configure, compile and install. This should enable the 'locally-added or
> configured' features, including cryptocard and cron jobs.
>
> This would allow those who will not be using UPS/UPD to have a fully functional
> Fermi Kerberos implementation. Correct me if I'm wrong here...
>
> michael

From kreymer@fnal.gov Thu Mar 8 12:22:15 2001 -0600
Date: Thu, 08 Mar 2001 12:23:14 -0600 (CST)
From: Michael Kriss
Subject: Re: Install questions
In-reply-to: <200103081817.MAA11723@large.fnal.gov>
To: kerberos-pilot@fnal.gov

You want easy, I want to understand all security aspects of the systems I administer.

Knock yourself out with:

    % setup kerberos

just don't shove it down my throat if I don't want it...

michael

On Thu, 8 Mar 2001, David J. Fagan wrote:

> I don't understand how this installation and maintenance procedure
> would be easier than the existing temporary ups procedure.
>
> -------------------------------------------------------------------------------
> David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
> SGI-liaison | Liaison Requests use SGI-liaison@fnal
> Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
> -------------------------------------------------------------------------------
>
> On Thursday, Michael Kriss:
>
> > Apparently the short answer to this question is:
> >
> > The CD will not support this but, download the modified source from the CVS
> > repository:
> >
> > cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos
> >
> > then READ and UNDERSTAND the README.* files in the ups/ directory. Then
> > configure, compile and install. This should enable the 'locally-added or
> > configured' features, including cryptocard and cron jobs.
> >
> > This would allow those who will not be using UPS/UPD to have a fully functional
> > Fermi Kerberos implementation. Correct me if I'm wrong here...
> >
> > michael

From kreymer@fnal.gov Thu Mar 8 13:28:15 2001 -0600
Date: Thu, 08 Mar 2001 13:30:06 -0600
From: "Mark O. Kaletka"
Subject: RE: kerberized web server?
In-reply-to: <200103081702.LAA10753@fnpspb.fnal.gov>
To: garren@fnal.gov, kerberos-pilot@fnal.gov

There is no straight-forward way to kerberize a web server. One of the issues is (lack of) support for Kerberos on the client browser side. There are some thoughts about using kerberos to generate short-lived pki certificates to issue to browsers (since browsers do support these) but at the moment we are concentrating efforts on rolling out what we already have in strong authentication. It's on the list, along with kerberized email clients, but not at the top of the list at the moment.

-- Mark K.

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Lynn Garren
> Sent: Thursday, March 08, 2001 11:02 AM
> To: kerberos-pilot@fnal.gov
> Subject: kerberized web server?
>
> Has anyone kerberized a web server?
> Is it straightforward?
> Are there any issues that I should be aware of?
>
> Thanks,
> Lynn

From kreymer@fnal.gov Thu Mar 8 13:36:57 2001 -0600
Date: Thu, 08 Mar 2001 13:36:54 -0600 (CST)
From: Tim Zingelman
Subject: Re: Install questions
In-reply-to: <200103081817.MAA11723@large.fnal.gov>
To: "David J. Fagan"
Cc: kerberos-pilot@fnal.gov

On Thu, 8 Mar 2001, David J. Fagan wrote:

> I don't understand how this installation and maintenance procedure
> would be easier than the existing temporary ups procedure.
Doing the SAME thing on ALL our machines, many of which are un-supported by ups, rather than doing ups on some and something else on others is indeed 'easier'.

- Tim

p.s. I know I've ignored this advice I'm about to give, by sending this message in the first place, but can't we maybe agree to NOT discuss the merits / flaws in the ups scheme on this kerberos mailing list?

From kreymer@fnal.gov Thu Mar 8 13:49:33 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26737 for ; Thu, 8 Mar 2001 13:49:33 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00IFK9QKG7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 13:49:33 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010ADC9@listserv.fnal.gov>; Thu, 08 Mar 2001 13:49:32 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18268 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 13:49:32 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010ADC8@listserv.fnal.gov>; Thu, 08 Mar 2001 13:49:32 -0600
Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00HIX9QJZB@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 13:49:31 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id NAA14569 for ; Thu, 08 Mar 2001 13:49:30 -0600 (CST)
Date: Thu, 08 Mar 2001 13:49:30 -0600 (CST)
From: Tim Zingelman
Subject: RE: kerberized web server?
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 992

I found this link which makes me think it would be possible to get browser support for kerberos via a java applet (like the ssh applet).

http://security.dstc.edu.au/projects/java/jcsi.html

Also I found mod_auth_kerb.c for apache; the only catch is you need to use that over ssl, or your password goes cleartext, since the kerberos is on the server side.

http://stonecold.unity.ncsu.edu/software/mod_auth_kerb/index.html

We are very interested in making kerberos work to replace the various mod_auth protected web pages we have... but we have not had time to investigate this yet.

There are also patches out there for the ancient mosaic web browser that make it a real kerberos client... but that may be kerberos IV.

- Tim

On Thu, 8 Mar 2001, Mark O. Kaletka wrote:

> There is no straight-forward way to kerberize a web server. One of the
> issues is (lack of) support for Kerberos on the client browser side. There
> are some thoughts about using kerberos to generate short-lived pki
> certificates to issue to browsers (since browsers do support these) but at
> the moment we are concentrating efforts on rolling out what we already have
> in strong authentication. It's on the list, along with kerberized email
> clients, but not at the top of the list at the moment.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Lynn Garren
> > Sent: Thursday, March 08, 2001 11:02 AM
> > To: kerberos-pilot@fnal.gov
> > Subject: kerberized web server?
> >
> >
> > Has anyone kerberized a web server?
> > Is it straightforward?
> > Are there any issues that I should be aware of?
> >
> > Thanks,
> > Lynn

From kreymer@fnal.gov Thu Mar 8 14:31:53 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26818 for ; Thu, 8 Mar 2001 14:31:53 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0040KBP3JR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 14:31:52 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AE73@listserv.fnal.gov>; Thu, 08 Mar 2001 14:31:52 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18453 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 14:31:52 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AE72@listserv.fnal.gov>; Thu, 08 Mar 2001 14:31:51 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00JOKBP3C7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 14:31:51 -0600 (CST)
Date: Thu, 08 Mar 2001 14:31:51 -0600 (CST)
From: Dane Skow
Subject: RE: kerberized web server?
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: garren@fnal.gov, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 993

I believe Lynn's question may be more narrow: "How do you kerberize the machine on which a web server is running" leaving aside the question of using kerberos authentication for access control to web pages through the application (as you indicate).

Presumably issues here would be automated file updates/distributions, cgi scripts that invoke remote processes, etc.

dane

On Thu, 8 Mar 2001, Mark O. Kaletka wrote:

> There is no straight-forward way to kerberize a web server. One of the
> issues is (lack of) support for Kerberos on the client browser side. There
> are some thoughts about using kerberos to generate short-lived pki
> certificates to issue to browsers (since browsers do support these) but at
> the moment we are concentrating efforts on rolling out what we already have
> in strong authentication. It's on the list, along with kerberized email
> clients, but not at the top of the list at the moment.
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Lynn Garren
> > Sent: Thursday, March 08, 2001 11:02 AM
> > To: kerberos-pilot@fnal.gov
> > Subject: kerberized web server?
> >
> >
> > Has anyone kerberized a web server?
> > Is it straightforward?
> > Are there any issues that I should be aware of?
> >
> > Thanks,
> > Lynn
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Mar 8 14:37:35 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26838 for ; Thu, 8 Mar 2001 14:37:35 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0041JBYLM1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 14:37:34 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AE95@listserv.fnal.gov>; Thu, 08 Mar 2001 14:37:33 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18488 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 14:37:33 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AE94@listserv.fnal.gov>; Thu, 08 Mar 2001 14:37:33 -0600
Received: from fnpspb.fnal.gov ([131.225.81.79]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00350BYLGH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 14:37:33 -0600 (CST)
Received: from localhost (garren@localhost) by fnpspb.fnal.gov (8.9.3/8.9.3) with SMTP id OAA12719; Thu, 08 Mar 2001 14:37:32 -0600 (CST)
Date: Thu, 08 Mar 2001 14:37:32 -0600
From: Lynn Garren
Subject: Re: kerberized web server?
In-reply-to: "Your message of Thu, 08 Mar 2001 14:31:51 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Dane Skow
Cc: "Mark O. Kaletka" , kerberos-pilot@fnal.gov
Message-id: <200103082037.OAA12719@fnpspb.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
X-Authentication-warning: fnpspb.fnal.gov: garren@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 994

>
> I believe Lynn's question may be more narrow:
> "How do you kerberize the machine on which a web server is running"
> leaving aside the question of using kerberos authentication for access
> control to web pages through the application (as you indicate).
>
> Presumably issues here would be automated file updates/distributions,
> cgi scripts that invoke remote processes, etc.

Yes, that's the place to start. The message I seem to be getting is "we don't know the answer yet".
Lynn

From kreymer@fnal.gov Thu Mar 8 14:40:47 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA26847 for ; Thu, 8 Mar 2001 14:40:47 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00IWQC3YM7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 14:40:47 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AEA5@listserv.fnal.gov>; Thu, 08 Mar 2001 14:40:46 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18506 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 14:40:46 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AEA4@listserv.fnal.gov>; Thu, 08 Mar 2001 14:40:46 -0600
Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0G9W0042RC3YJR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 14:40:46 -0600 (CST)
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id OAA18857; Thu, 08 Mar 2001 14:40:45 -0600
Date: Thu, 08 Mar 2001 14:40:45 -0600
From: Glenn Cooper
Subject: Re: kerberized web server?
In-reply-to: <200103081702.LAA10753@fnpspb.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Lynn Garren
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 995

It's not kerberizing, but one can use SSL to encrypt passwords for password-protected pages--see the omnipresent Marc Mengel's notes at

http://www.fnal.gov/docs/products/apache/SSLNotes.html

CDF online has already done this, and we (CDF offline) are, um, nearly there.

Glenn

On Thu, 8 Mar 2001, Lynn Garren wrote:

> Has anyone kerberized a web server?
> Is it straightforward?
> Are there any issues that I should be aware of?
>
> Thanks,
> Lynn

From kreymer@fnal.gov Thu Mar 8 14:57:34 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA27173 for ; Thu, 8 Mar 2001 14:57:34 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00435CVXUL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 14:57:34 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF1F@listserv.fnal.gov>; Thu, 08 Mar 2001 14:57:33 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18656 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 14:57:33 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF1E@listserv.fnal.gov>; Thu, 08 Mar 2001 14:57:33 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0061BCVW58@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 14:57:32 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA11883; Thu, 08 Mar 2001 14:57:32 -0600 (CST)
Date: Thu, 08 Mar 2001 14:57:32 -0600
From: Matt Crawford
Subject: Re: kerberized web server?
In-reply-to: "08 Mar 2001 13:49:30 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200103082057.OAA11883@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 996

> Also I found mod_auth_kerb.c for apache the only catch is you need to use
> that over ssl, or your password goes cleartext, since the kerberos is on
> the server side.

NO NO NO NO! This is not Kerberos authentication of a web client. This is using Kerberos as a backend to check a web password. Don't do it, with or without SSL, or the security people (starting with me) will be unhappy at you.

> I found this link which makes me think it would be possible to get browser
> support for kerberos via a java applet (like the ssh applet).
>
> http://security.dstc.edu.au/projects/java/jcsi.html

This is better, but if you're going to make this applet run in the client, it has to be signed in order to contact the KDC as well as the web server, which means the whole PKI hair, and then have you really come out ahead? I think not.

> We are very interested in making kerberos work to replace the various
> mod_auth protected web pages we have... but we have not had time to
> investigate this yet.

If it weren't such a tricky problem, it would have been done already. One of the better approaches rests on a concept of "Kerberos authentication proxies" which are still being standardized. There's also the Globus Kerberos ticket <--> PK cert translation approach, combined with a little hack that stuffs a new "junk cert" into your browser's cache.

But I suggest you don't set your sights on solving the Kerberos web authentication real soon. Technically it's about a year out there or so.
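Added example (not part of the thread, and not Fermilab's, Apache's or mod_auth_kerb's code): a toy model in Python of the objection Matt raises here and spells out in his later reply, namely that a "Kerberos as a password backend" module which only checks that the AS reply decrypts under the key derived from the user's password has no way to know the reply came from the realm's KDC rather than from whoever answered on the wire. HMAC-SHA256 stands in for Kerberos encryption (a blob "decrypts" under a key when its tag verifies); the realm, host principal, user name and passwords are all constructed for the demonstration. The remedy shown, fetching a ticket for the host's own principal and checking it with the local keytab, is what MIT Kerberos's krb5_verify_init_creds does for the real protocol.

```python
"""Toy model of why a Kerberos password-check backend must verify the KDC.

Added example, not code from the mailing list.  HMAC-SHA256 stands in for
Kerberos encryption: a blob "decrypts" under a key when its tag verifies.
Realm, principals and passwords below are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Optional

REALM = "EXAMPLE.ORG"                       # constructed, not the pilot realm
HOST_PRINC = "host/www.example.org@" + REALM  # the web host's own principal


def string_to_key(password: str, principal: str) -> bytes:
    # Kerberos derives the long-term key from password plus a salt (here: the
    # principal name); sha256 stands in for the real string-to-key function.
    return hashlib.sha256((principal + password).encode()).digest()


def seal(key: bytes, payload: bytes) -> bytes:
    # Stand-in for encryption: payload followed by a 32-byte authentication tag.
    return payload + hmac.new(key, payload, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    # "Decryption" succeeds only when the tag was made with the same key.
    payload, tag = blob[:-32], blob[-32:]
    if hmac.compare_digest(tag, hmac.new(key, payload, "sha256").digest()):
        return payload
    return None


class RealKDC:
    """Holds the realm database: user keys and the web host's service key."""

    def __init__(self, users: dict, host_key: bytes):
        self.users = users
        self.host_key = host_key

    def as_rep(self, user: str) -> bytes:
        # AS-REP: session material sealed under the user's long-term key.
        return seal(self.users[user], b"tgt-session:" + user.encode())

    def tgs_rep(self, user: str) -> bytes:
        # Service ticket for HOST_PRINC, sealed under the host key the KDC holds.
        return seal(self.host_key, b"ticket-for:" + user.encode())


class RogueKDC:
    """Something answering in the KDC's place.  It knows the password that was
    typed into the web form (the same party chose it) but not the host's
    keytab key, so it can fake an AS-REP but not a ticket for HOST_PRINC."""

    def __init__(self, user: str, password: str):
        self.key = string_to_key(password, user + "@" + REALM)
        self.fake_host_key = os.urandom(32)

    def as_rep(self, user: str) -> bytes:
        return seal(self.key, b"tgt-session:" + user.encode())

    def tgs_rep(self, user: str) -> bytes:
        return seal(self.fake_host_key, b"ticket-for:" + user.encode())


def check_password(kdc, user: str, password: str,
                   keytab_key: Optional[bytes]) -> bool:
    """What a 'Kerberos as password backend' module does with a web password.

    keytab_key=None: stop after the AS exchange.  This is the naive check the
    thread warns about; it accepts any blob that opens with the user key.
    keytab_key set: additionally obtain a ticket for HOST_PRINC and verify it
    with the host's own keytab key (the krb5_verify_init_creds idea).
    """
    user_key = string_to_key(password, user + "@" + REALM)
    if unseal(user_key, kdc.as_rep(user)) is None:
        return False                 # wrong password (or wrong salt)
    if keytab_key is None:
        return True                  # naive: trusts whoever answered
    return unseal(keytab_key, kdc.tgs_rep(user)) is not None


def demo() -> dict:
    """Run the four scenarios and return which ones the backend accepts."""
    host_key = os.urandom(32)        # the web host's keytab entry
    users = {"alice": string_to_key("correct horse", "alice@" + REALM)}
    real = RealKDC(users, host_key)
    rogue = RogueKDC("alice", "anything-i-like")
    return {
        "real_kdc_right_pw": check_password(real, "alice", "correct horse", host_key),
        "real_kdc_wrong_pw": check_password(real, "alice", "wrong", host_key),
        "rogue_naive": check_password(rogue, "alice", "anything-i-like", None),
        "rogue_verified": check_password(rogue, "alice", "anything-i-like", host_key),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:20s} {'accepted' if ok else 'rejected'}")
```

Run stand-alone it prints one line per scenario. The `rogue_naive` case is the hazard: the password check passes although nothing the web server heard came from the realm's KDC, and SSL between browser and server does nothing about it. The `rogue_verified` case fails because the forged host ticket does not open with the keytab key, which is also why such a check is only meaningful on a host that has a keytab of its own.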
From kreymer@fnal.gov Thu Mar 8 15:08:07 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA27185 for ; Thu, 8 Mar 2001 15:08:07 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00496DDIJR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 15:08:07 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF47@listserv.fnal.gov>; Thu, 08 Mar 2001 15:08:06 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18697 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 15:08:06 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF46@listserv.fnal.gov>; Thu, 08 Mar 2001 15:08:06 -0600
Received: from nova.fnal.gov ([131.225.18.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W002CQDDHUZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 15:08:05 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id PAA16298; Thu, 08 Mar 2001 15:08:04 -0600 (CST)
Date: Thu, 08 Mar 2001 15:08:04 -0600 (CST)
From: Tim Zingelman
Subject: Re: kerberized web server?
In-reply-to: <200103082057.OAA11883@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 997

On Thu, 8 Mar 2001, Matt Crawford wrote:

> > Also I found mod_auth_kerb.c for apache the only catch is you need to use
> > that over ssl, or your password goes cleartext, since the kerberos is on
> > the server side.
>
> NO NO NO NO! This is not Kerberos authentication of a web client.
> This is using Kerberos as a backend to check a web password. Don't
> do it, with or without SSL, or the security people (starting with me)
> will be unhappy at you.

I understand exactly what it is. What I don't understand is why it is forbidden, other than not using ssl and compromising passwords that way.

> > I found this link which makes me think it would be possible to get browser
> > support for kerberos via a java applet (like the ssh applet).
> >
> > http://security.dstc.edu.au/projects/java/jcsi.html
>
> This is better, but if you're going to make this applet run in the
> client, it has to be signed in order to contact the KDC as well as
> the web server, which means the whole PKI hair, and then have you
> really come out ahead? I think not.

I forgot about that... the ssh client works so well since you only want to talk to the node serving it to you...

> But I suggest you don't set your sights on solving the Kerberos web
> authentication real soon. Technically it's about a year out there or
> so.

Do you mean a full solution, or just something to replace mod_auth? I guess I don't see what makes a webserver any easier or harder to kerberize than many of our other machines, other than mod_auth/.htaccess type stuff.
- Tim

From kreymer@fnal.gov Thu Mar 8 15:25:19 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA27204 for ; Thu, 8 Mar 2001 15:25:19 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0066CE663P@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 15:25:19 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF9E@listserv.fnal.gov>; Thu, 08 Mar 2001 15:25:18 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18791 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 15:25:18 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AF9D@listserv.fnal.gov>; Thu, 08 Mar 2001 15:25:18 -0600
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0057XE65YI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 15:25:17 -0600 (CST)
Date: Thu, 08 Mar 2001 15:25:15 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: kerberized web server?
In-reply-to: <200103081702.LAA10753@fnpspb.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Lynn Garren
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 998

On Thu, 8 Mar 2001, Lynn Garren wrote:

> Has anyone kerberized a web server?

Well, I run test servers on kerberized nodes every time I cut a new apache release on the build cluster...

> Is it straightforward?

Yes. For most purposes you need do nothing about the webserver. ...except make sure it's not serving /etc so you aren't giving away your krb5.keytab file or anything.
Of course, you already shouldn't have been doing that so you aren't sharing your /etc/passwd file, but it's a good time to double check.

> Are there any issues that I should be aware of?

Mostly, if you have a shared webserver account that folks need to log into, you would put the appropriate users' principal names in the ~webserver/.k5login file.

If you want to do anything authenticated in, say, a cgi script, (like rsh somewhere in the strengthened realm), you can use the solution we've already developed for cron jobs, so read up on the kcroninit stuff, and have the cgi script use kcron.

If you have password-access based pages on the webserver, the issues would be

* remind your users to NEVER use their kerberos password for their web page password, and further
* we would recommend that any password-accessed server areas be SSL encrypted. ('cause users sometimes don't listen to the above reminder)

Marc

From kreymer@fnal.gov Thu Mar 8 15:25:39 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA27208 for ; Thu, 8 Mar 2001 15:25:39 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W00581E6QYI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 08 Mar 2001 15:25:39 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AFA6@listserv.fnal.gov>; Thu, 08 Mar 2001 15:25:38 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 18799 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 08 Mar 2001 15:25:38 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010AFA5@listserv.fnal.gov>; Thu, 08 Mar 2001 15:25:38 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9W0059UE6P9N@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 08 Mar 2001 15:25:38 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA12051; Thu, 08 Mar 2001 15:25:37 -0600 (CST)
Date: Thu, 08 Mar 2001 15:25:37 -0600
From: Matt Crawford
Subject: Re: kerberized web server?
In-reply-to: "08 Mar 2001 15:08:04 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200103082125.PAA12051@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 999

> > > Also I found mod_auth_kerb.c for apache the only catch is you need to use
> > > ...
> > NO NO NO NO! This is not Kerberos authentication of a web client.
> > ...
> I understand exactly what it is. What I don't understand is why it is
> forbidden, other than not using ssl and compromising passwords that way.

Think "X". What-all lies between the web browser and the user's fingers? It *might* all be safe links, or it might not.

And there's another problem, a little more esoteric. Suppose your web server gets this password from the user, and it sends off an AS_REQ on the network, and some blob of bits comes back that smells like a ticket, and it's decryptable with the key derived from the user's principal and password. How does the web server know the blob really came from a KDC and the password is really valid?

> Do you mean a full solution, or just something to replace mod_auth? I
> guess I don't see what makes a webserver any easier or harder to kerberize
> than many of our other machines, other than mod_auth/.htaccess type stuff.

It's the stupid protocol. It was a botch from the git-go. There's nowhere in it to say, "could we do a little authentication before we proceed?"
Telnet always had the facility for negotiating options and features, but http, like rlogin and rsh, solves the authentication problem by adding a protocol preamble and moving to a different port.

From kreymer@fnal.gov Fri Mar 9 15:57:01 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA08093 for ; Fri, 9 Mar 2001 15:57:01 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Y00LBBAB0HM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 09 Mar 2001 15:57:01 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010BF54@listserv.fnal.gov>; Fri, 09 Mar 2001 15:57:00 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 23232 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 09 Mar 2001 15:57:00 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010BF53@listserv.fnal.gov>; Fri, 09 Mar 2001 15:57:00 -0600
Received: from grindewald.fnal.gov ([131.225.81.209]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Y00MASAAZ7C@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 09 Mar 2001 15:56:59 -0600 (CST)
Date: Fri, 09 Mar 2001 15:57:00 -0600 (CST)
From: Margaret Greaney
Subject: follow up question on visitor accounts
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1000

This is a follow-up question on visitor accounts.

From previous comments, it sounds like everyone is going to have to obtain a kerberos principal (and someone who has registered with the User's office).
I've been asked by people in the Astro group how to help visitors who are here for only one day or part of a day. Most of the time here is spent on a presentation given by the visitor, who then asks for access to a machine to read e-mail. Right now this is being handled by a local account on theory machines and the password for this generic visitor account gets changed when the visitor leaves.

It sounds like once the machines are kerberized Astro and Theory will not be able to use the generic visitor accounts? What is proposed for these visitors? One-day visitors are a very common occurrence in both Astro and Theory. Will the e-mail facility on the ground floor of Wilson Hall still be available for this purpose?

thanks,
Margaret

Margaret Greaney    Telephone: 630-840-4623
Fermilab            E-mail: mgreaney@fnal.gov
CD/OSS/SCS

From kreymer@fnal.gov Fri Mar 9 17:16:49 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA08305 for ; Fri, 9 Mar 2001 17:16:49 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Y00LNAE00P0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 09 Mar 2001 17:16:49 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010C06D@listserv.fnal.gov>; Fri, 09 Mar 2001 17:16:49 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 23533 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 09 Mar 2001 17:16:48 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010C06C@listserv.fnal.gov>; Fri, 09 Mar 2001 17:16:48 -0600
Received: from ncdf30.fnal.gov ([131.225.233.153]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Y00LT1E006I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 09 Mar 2001 17:16:48 -0600 (CST)
Received: from ts.infn.it (localhost.localdomain [127.0.0.1]) by ncdf30.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA09632; Fri, 09 Mar 2001 17:16:44 -0600
Date: Fri, 09 Mar 2001 17:16:44 -0600
From: Stefano Belforte
Subject: connection problems
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3AA9645C.C48497CC@ts.infn.it>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1001

somehow something broke in my kerberised machine in Trieste. I can not enter with kerberos tickets anymore. Does the following strange log give you any idea of what could be the problem ?

----------------------------------------------------------
belforte@ncdf30/~ > telnet -k PILOT.FNAL.GOV pclx06.ts.infn.it
Trying 140.105.221.15...
Connected to pclx06.ts.infn.it (140.105.221.15).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``belforte@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Red Hat Linux release 6.2 (Zoot)
Kernel 2.2.16-3 on an i686
Press ENTER and compare this challenge to the one on your display: [28542087]
Enter the displayed response:
-----------------------------------------------------------------

Apparently the kerberized telnet daemon first accepts the tickets, then reverts to portal mode ! If I then use the cryptocard, I can get in and get a valid ticket that I can use to telnet back to Fnal. But I should not need to use the portal mode.

I am now in Fermilab, I can not be sure if something has been changed in the system configuration on that machine, but I have found nothing wrong that at least I could see.
Thanks
Stefano

From kreymer@fnal.gov Sat Mar 10 02:55:03 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id CAA11456 for ; Sat, 10 Mar 2001 02:55:03 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Z00G2E4RPU4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 10 Mar 2001 02:55:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010C2CA@listserv.fnal.gov>; Sat, 10 Mar 2001 02:55:01 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 24202 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sat, 10 Mar 2001 02:55:01 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010C2C9@listserv.fnal.gov>; Sat, 10 Mar 2001 02:55:01 -0600
Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0G9Z008OU4RPQG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sat, 10 Mar 2001 02:55:01 -0600 (CST)
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.1) with ESMTP id CAA27296 for ; Sat, 10 Mar 2001 02:55:00 -0600 (CST)
Date: Sat, 10 Mar 2001 02:55:00 -0600 (CST)
From: Tim Zingelman
Subject: excluding accounts from kerberos?
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1002

How do we make certain accounts NOT work with kerberos?

For instance if we have a 'www' account on some systems that the webserver runs under... that is intended to be the equivalent of 'nobody'... or on other systems an account 'vxworks' that never gets logged into, but is used for file ownership purposes... or for you ups/upd users what about the 'local' entry in /etc/passwd...

How do we assure that accounts such as these don't accidentally overlap with the kerberos principals namespace and suddenly allow people to log into our machines? Is it safe to assume that kerberos does not allow any direct UID zero logins, or might we be worried about toor accounts too? Or am I missing something obvious? (it is almost 3:00am after all :)

Thanks,
- Tim

From kreymer@fnal.gov Sun Mar 11 14:03:19 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20138 for ; Sun, 11 Mar 2001 14:03:19 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA100ERTUDHZQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sun, 11 Mar 2001 14:03:18 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010CA47@listserv.fnal.gov>; Sun, 11 Mar 2001 14:03:17 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 26269 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sun, 11 Mar 2001 14:03:17 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010CA45@listserv.fnal.gov>; Sun, 11 Mar 2001 14:03:17 -0600
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA100FNZUDFQC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sun, 11 Mar 2001 14:03:16 -0600 (CST)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Sun, 11 Mar 2001 14:03:15 -0600
Content-return: allowed
Date: Sun, 11 Mar 2001 14:02:55 -0600
From: ARSystem
Subject: CRAWFORD, MATT #16699 Resolved.
Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7613F204@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1003 Thank you for your assistance. Help Desk ticket #000000000016699 has been resolved on 3/11/01 2:00:08 PM Resolution Timestamp: : 3/11/01 2:00:08 PM Solution Category : Auto Resolve Problem Category : Software Type : Utilities Item : Kerberos Short Description : Kerberos Solution : No further response from user in the past 21 days. Ticket being resolved. Problem Description : I cannot find krb5.conf nor krb.realms in /etc on my fnalu account. I did copy /etc/krb.conf file that I found there into my system's /etc. Do I need the others? If so where are they? Best, Tom From kreymer@fnal.gov Mon Mar 12 07:51:53 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA14835 for ; Mon, 12 Mar 2001 07:51:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300M4M7UFMC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 07:51:52 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010CFC5@listserv.fnal.gov>; Mon, 12 Mar 2001 07:51:52 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 27813 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 07:51:52 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010CFC4@listserv.fnal.gov>; Mon, 12 Mar 2001 07:51:52 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300M4C7UFLW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov 
(ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 07:51:51 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA02641; Mon, 12 Mar 2001 07:51:51 -0600 Date: Mon, 12 Mar 2001 07:51:51 -0600 (CST) From: Steven Timm Subject: Re: excluding accounts from kerberos? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1004 If you put a .k5login file in the home directory of the account that is blank, then nothing would be able to log in to it. I believe, however, with principals corresponding to people's names that it is very unlikely that the overlap you mention would occur. Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Sat, 10 Mar 2001, Tim Zingelman wrote: > How do we make certain accounts NOT work with kerberos. > > For instance if we have a 'www' account on some systems that the webserver > runs under... that is intended to be the equivalent of 'nobody'... or on > other systems an account 'vxworks' that never gets logged into, but is > used for file ownership purposes... or for you ups/upd users what about > the 'local' entry in /etc/passwd... > > How do we assure that accounts such as these don't accidentally overlap > with the kerberos principals namespace and suddenly allow people to log > into our machines? is it safe to assume that kerberos does not allow any > direct UID zero logins, or might we be worried about toor accounts too? > Or am I missing something obvious? 
(it is almost 3:00am after all :) > > Thanks, > > - Tim > From kreymer@fnal.gov Mon Mar 12 09:00:10 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA04212 for ; Mon, 12 Mar 2001 09:00:10 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MGBB08M1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 09:00:09 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D1A0@listserv.fnal.gov>; Mon, 12 Mar 2001 09:00:09 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28384 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 09:00:09 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D19F@listserv.fnal.gov>; Mon, 12 Mar 2001 09:00:08 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MFOB08MY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 09:00:08 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA02797; Mon, 12 Mar 2001 09:00:05 -0600 (CST) Date: Mon, 12 Mar 2001 09:00:05 -0600 From: Matt Crawford Subject: Re: connection problems In-reply-to: "09 Mar 2001 17:16:44 CST." <3AA9645C.C48497CC@ts.infn.it> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Stefano Belforte Cc: kerberos-pilot@fnal.gov Message-id: <200103121500.JAA02797@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1005 > Does the following strange log gives you any idea of what could be > the problem ? 
>
> belforte@ncdf30/~ > telnet -k PILOT.FNAL.GOV pclx06.ts.infn.it
> [ Kerberos V5 accepts you as ``belforte@PILOT.FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
> ...
> Press ENTER and compare this challenge to the one on your display:
> [28542087]
> Enter the displayed response:

My first guess is that you have a .k5login file in your home directory
there which does not list belforte@PILOT.FNAL.GOV.

Another, but less likely, possibility is that the default realm in
/etc/krb5.conf has been changed.

If you have *no* .k5login, access is granted to a Kerberos principal
whose first part matches the unix name and whose realm is the same as
the host's default realm. If you do have a .k5login, only principals
listed in it get access.

Which brings us to Zingelman's question ...

From kreymer@fnal.gov Mon Mar 12 09:16:43 2001 -0600
Return-Path: 
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA10965 for ; Mon, 12 Mar 2001 09:16:43 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MLABRUMP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 09:16:42 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D1D2@listserv.fnal.gov>; Mon, 12 Mar 2001 09:16:42 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28435 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 09:16:42 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D1D1@listserv.fnal.gov>; Mon, 12 Mar 2001 09:16:42 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MHWBRTMI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 09:16:41 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA02920; Mon, 12 Mar 2001 09:16:41 -0600 (CST)
Date: Mon, 12 Mar 2001 09:16:41 -0600
From: Matt Crawford
Subject: Re: excluding accounts from kerberos?
In-reply-to: "10 Mar 2001 02:55:00 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200103121516.JAA02920@gungnir.fnal.gov>
Status: RO
X-Status: 
X-Keywords: 
X-UID: 1006

> How do we make certain accounts NOT work with kerberos.
>
> For instance if we have a 'www' account on some systems that the webserver
> runs under... that is intended to be the equivalent of 'nobody'... or on
> other systems an account 'vxworks' that never gets logged into, ...
> How do we assure that accounts such as these don't accidentally overlap
> with the kerberos principals namespace and suddenly allow people to log
> into our machines?

Some names, such as root, we expect that CNAS will never allow to be
assigned as usernames and hence never become anyone's Kerberos name.
But we can't expect this to cover every case. You have two methods
available to make sure locally that nobody ever gets Kerberos access
to a given account due to an unplanned name match.

1. Create an empty .k5login file in the home directory. When
$HOME/.k5login exists, only principals listed there have access.

2. The second way is obscure and much more difficult. One glance at
src/lib/krb5/os/an_to_ln.c will show you what's involved and a second
glance will convince you that you don't want to go there.

> is it safe to assume that kerberos does not allow any
> direct UID zero logins, or might we be worried about toor accounts too?

The UID is irrelevant. The user can get access if

        There's no .k5login and krb5_aname_to_localname() maps the
        principal to the requested unix account. Unless you did
        something funky in krb5.conf, this mapping maps any X@REALM
        to unix account X iff REALM is the host's default realm,
        otherwise to nothing. (Not to "nobody", but to no account at
        all.)

        Or there is a .k5login and the principal is listed in it.

From kreymer@fnal.gov Mon Mar 12 09:39:42 2001 -0600
Return-Path: 
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA20693 for ; Mon, 12 Mar 2001 09:39:42 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MMXCU5M8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 09:39:42 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D231@listserv.fnal.gov>; Mon, 12 Mar 2001 09:39:42 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28535 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 09:39:41 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D230@listserv.fnal.gov>; Mon, 12 Mar 2001 09:39:41 -0600
Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MMQCU5MW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 09:39:41 -0600 (CST)
Date: Mon, 12 Mar 2001 09:39:25 -0600 (CST)
From: Dane Skow
Subject: Re: excluding accounts from kerberos?
In-reply-to: <200103121516.JAA02920@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: Tim Zingelman , kerberos-pilot@fnal.gov
Message-id: 
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status: 
X-Keywords: 
X-UID: 1007

On Mon, 12 Mar 2001, Matt Crawford wrote:

> > How do we make certain accounts NOT work with kerberos.
> >
> > For instance if we have a 'www' account on some systems that the webserver
> > runs under... that is intended to be the equivalent of 'nobody'... or on
> > other systems an account 'vxworks' that never gets logged into, ...
> > How do we assure that accounts such as these don't accidentally overlap
> > with the kerberos principals namespace and suddenly allow people to log
> > into our machines?
>
> Some names, such as root, we expect that CNAS will never allow to be
> assigned as usernames and hence never become anyone's Kerberos name.
> But we can't expect this to cover every case. You have two methods
> available to make sure locally that nobody ever gets Kerberos access
> to a given account due to an unplanned name match.

Hmm. Does Yolanda and/or the other registrars have this list of
reserved principal names ? Can/should you create dummy accounts to
block their creation ?

How big is the list ?
I would think that

root
nobody
products
bin
operator
ftp
lp
mail
daemon

would all be candidates. Should we create the list and/or create
the dummy .k5login files as part of an upcoming Kerberos release ?

dane

>
> 1. Create an empty .k5login file in the home directory. When
> $HOME/.k5login exists, only principals listed there have access.
>
> 2. The second way is obscure and much more difficult. One glance at
> src/lib/krb5/os/an_to_ln.c will show you what's involved and a second
> glance will convince you that you don't want to go there.
>
> > is it safe to assume that kerberos does not allow any
> > direct UID zero logins, or might we be worried about toor accounts too?
>
> The UID is irrelevant. The user can get access if
>
>         There's no .k5login and krb5_aname_to_localname() maps the
>         principal to the requested unix account. Unless you did
>         something funky in krb5.conf, this mapping maps any X@REALM
>         to unix account X iff REALM is the host's default realm,
>         otherwise to nothing. (Not to "nobody", but to no account at
>         all.)
> > Or there is a .k5login and the principal is listed in it. > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Mar 12 10:01:07 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA06422 for ; Mon, 12 Mar 2001 10:01:07 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300MTRDTSMC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 10:01:05 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D277@listserv.fnal.gov>; Mon, 12 Mar 2001 10:01:05 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28606 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 10:01:05 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D276@listserv.fnal.gov>; Mon, 12 Mar 2001 10:01:05 -0600 Received: from CUERVO ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GA30092BDTR23@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 10:01:04 -0600 (CST) Date: Mon, 12 Mar 2001 10:03:29 -0600 From: "Mark O. Kaletka" Subject: RE: excluding accounts from kerberos? 
In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1008 > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Dane Skow > Sent: Monday, March 12, 2001 9:39 AM > To: Matt Crawford > Cc: Tim Zingelman; kerberos-pilot@fnal.gov > Subject: Re: excluding accounts from kerberos? >...snip...< > > Some names, such as root, we expect that CNAS will never allow to be > > assigned as usernames and hence never become anyone's Kerberos name. > > But we can't expect this to cover every case. You have two methods > > available to make sure locally that nobody ever gets Kerberos access > > to a given account due to an unplanned name match. > > Hmm. Does Yolanda and/or the other registrars have this list of > reserved principal names ? Can/should you create dummy accounts to > block their creation ? > > How big is the list ? > I would think that > > root > nobody > products > bin > operator > ftp > lp > mail > daemon > > would all be candidates. Should we create the list and/or create > the dummy .k5login files as part of an upcoming Kerberos release ? > > dane >...snip...< I agree the ups install kerberos procedure should add a step to create empty .k5login files for the canonical list. I assume doing this should always be the default action for the install? Is there ever a reason NOT to do this? Are there special file ownerships and permissions that have to be applied to the .k5login? I.e. I assume they'll be owned by root and certainly not writable by anyone; do they need to be readable by other than root? -- Mark K. 
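As an added example (not the ups kerberos install procedure and not krb5 library code), the Python below models the two access rules Matt gave earlier in this thread and the install step Mark proposes above: it creates an empty .k5login for each reserved account only when none exists, so a .k5login a site has already configured is never overwritten. The default-realm mapping and the .k5login reader are simplified stand-ins for krb5_aname_to_localname() and kuserok(), the reserved-name list is the one Dane posted, the scratch home directories are constructed data, and the file mode 0644 is an assumption.

```python
"""Model of the account-access rule spelled out earlier in this thread, plus
the install step proposed above (create an empty .k5login for each reserved
account), written so that the step never overwrites a .k5login a site has
already configured. Added example: not the ups kerberos product and not
krb5 library code; read_k5login() is a simplified stand-in for kuserok()."""
import os
import tempfile
from pathlib import Path

# Dane Skow's candidate list of reserved account names, as posted above.
RESERVED_ACCOUNTS = ["root", "nobody", "products", "bin", "operator",
                     "ftp", "lp", "mail", "daemon"]


def default_localname(principal, default_realm):
    """Default krb5_aname_to_localname() behaviour as described in the thread:
    X@REALM maps to unix account X iff REALM is the host's default realm,
    otherwise to no account at all (None here, not "nobody")."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or realm != default_realm:
        return None
    return name


def read_k5login(home):
    """Principals listed in $HOME/.k5login, or None if the file is absent.
    An existing but empty file yields an empty set: nobody is listed.
    Simplification: one principal per line, blank lines ignored."""
    path = Path(home) / ".k5login"
    if not path.is_file():
        return None
    return {ln.strip() for ln in path.read_text().splitlines() if ln.strip()}


def access_allowed(principal, account, home, default_realm):
    """The two-branch rule from the thread: with no .k5login, access iff the
    default mapping of the principal is the requested account; with a
    .k5login, access iff the principal is listed. The UID plays no part."""
    listed = read_k5login(home)
    if listed is None:
        return default_localname(principal, default_realm) == account
    return principal in listed


def ensure_empty_k5login(home):
    """Create an empty .k5login in `home` unless one already exists.
    Returns "created", "kept" (a file was already there and is untouched)
    or "no-home" (directory missing). O_EXCL makes create-if-absent atomic,
    so a file that appears between the check and the create is also kept.
    Mode 0644 is an assumption: check what your krb5 build requires for the
    ownership and mode of .k5login before relying on it."""
    home = Path(home)
    if not home.is_dir():
        return "no-home"
    try:
        fd = os.open(home / ".k5login", os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    except FileExistsError:
        return "kept"
    os.close(fd)
    return "created"


def lock_reserved_accounts(homes):
    """homes: account name -> home directory. Returns account -> status."""
    return {acct: ensure_empty_k5login(home) for acct, home in homes.items()}


def demo(default_realm="PILOT.FNAL.GOV"):
    """Replay the thread's scenario in a scratch directory (constructed data)."""
    base = Path(tempfile.mkdtemp())
    www, products, daemon = base / "www", base / "products", base / "daemon"
    www.mkdir()
    products.mkdir()
    daemon.mkdir()
    # A site that already lets one real user into 'products': must survive.
    (products / ".k5login").write_text("belforte@" + default_realm + "\n")
    www_before = access_allowed("www@" + default_realm, "www", www, default_realm)
    status = lock_reserved_accounts(
        {"www": www, "products": products, "vxworks": base / "vxworks"})
    www_after = access_allowed("www@" + default_realm, "www", www, default_realm)
    return {
        "www_before": www_before,   # True: name match and no .k5login
        "www_after": www_after,     # False: the empty .k5login lists nobody
        "status": status,           # www created, products kept, vxworks no-home
        "products_listed": access_allowed("belforte@" + default_realm,
                                          "products", products, default_realm),
        "products_name_match": access_allowed("products@" + default_realm,
                                              "products", products, default_realm),
        # No .k5login for daemon, but the realm is not the host's default realm.
        "other_realm": access_allowed("daemon@OTHER.REALM", "daemon",
                                      daemon, default_realm),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run as a script it replays the thread's cases; the provisioning function reports per account whether it created, kept or skipped the file, which is the information an installer log should carry so that a pre-existing .k5login for root or products is visibly left alone.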
From kreymer@fnal.gov Mon Mar 12 10:05:33 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA10763 for ; Mon, 12 Mar 2001 10:05:33 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA30091QE161M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 10:05:31 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D281@listserv.fnal.gov>; Mon, 12 Mar 2001 10:05:30 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28616 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 10:05:30 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D280@listserv.fnal.gov>; Mon, 12 Mar 2001 10:05:30 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300831E15PQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 10:05:29 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA03147; Mon, 12 Mar 2001 10:05:29 -0600 Date: Mon, 12 Mar 2001 10:05:29 -0600 (CST) From: Steven Timm Subject: RE: excluding accounts from kerberos? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1009 > > How big is the list ? > > I would think that > > > > root > > nobody > > products > > bin > > operator > > ftp > > lp > > mail > > daemon > > > would all be candidates. 
Should we create the list and/or create > > the dummy .k5login files as part of an upcoming Kerberos release ? > > > > dane > > >...snip...< > > I agree the ups install kerberos procedure should add a step to create empty > .k5login files for the canonical list. I assume doing this should always be > the default action for the install? Is there ever a reason NOT to do this? The reason would be if there is already a non-empty .k5login file there, especially for root, which there often is. You would need to make sure that wasn't overwritten. Steve > > Are there special file ownerships and permissions that have to be applied to > the .k5login? I.e. I assume they'll be owned by root and certainly not > writable by anyone; do they need to be readable by other than root? > > -- Mark K. > From kreymer@fnal.gov Mon Mar 12 10:07:29 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA11254 for ; Mon, 12 Mar 2001 10:07:29 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA30091PE4ELW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 10:07:27 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D288@listserv.fnal.gov>; Mon, 12 Mar 2001 10:07:27 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28624 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 10:07:27 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D287@listserv.fnal.gov>; Mon, 12 Mar 2001 10:07:27 -0600 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA30092PE4E8Q@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 10:07:26 -0600 (CST) Date: 
Mon, 12 Mar 2001 10:07:24 -0600 From: "Laurelin of Middle Earth, 630-840-2214" Subject: Re: excluding accounts from kerberos? Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: kerberos-pilot@fnal.gov Message-id: <3AACF43C.22C7B250@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1010 If you make these changes (that the kerberos install procedure creates empty .k5login files), PLEASE make sure that you don't overwrite any EXISTING .k5login files for these accounts. Some systems already have configured the .k5login for various accounts the way they want things to be, so that a known list of "normal users" can log in under "products" or "www" to restart the web servers, etc. -- lauri "Mark O. Kaletka" wrote: > > > -----Original Message----- > > From: owner-kerberos-pilot@listserv.fnal.gov > > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Dane Skow > > Sent: Monday, March 12, 2001 9:39 AM > > To: Matt Crawford > > Cc: Tim Zingelman; kerberos-pilot@fnal.gov > > Subject: Re: excluding accounts from kerberos? > > >...snip...< > > > > Some names, such as root, we expect that CNAS will never allow to be > > > assigned as usernames and hence never become anyone's Kerberos name. > > > But we can't expect this to cover every case. You have two methods > > > available to make sure locally that nobody ever gets Kerberos access > > > to a given account due to an unplanned name match. > > > > Hmm. Does Yolanda and/or the other registrars have this list of > > reserved principal names ? Can/should you create dummy accounts to > > block their creation ? > > > > How big is the list ? > > I would think that > > > > root > > nobody > > products > > bin > > operator > > ftp > > lp > > mail > > daemon > > > would all be candidates. 
Should we create the list and/or create > > the dummy .k5login files as part of an upcoming Kerberos release ? > > > > dane > > >...snip...< > > I agree the ups install kerberos procedure should add a step to create empty > .k5login files for the canonical list. I assume doing this should always be > the default action for the install? Is there ever a reason NOT to do this? > > Are there special file ownerships and permissions that have to be applied to > the .k5login? I.e. I assume they'll be owned by root and certainly not > writable by anyone; do they need to be readable by other than root? > > -- Mark K. From kreymer@fnal.gov Mon Mar 12 11:18:21 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA18745 for ; Mon, 12 Mar 2001 11:18:20 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300AJDHEIJC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 11:18:19 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D3E0@listserv.fnal.gov>; Mon, 12 Mar 2001 11:18:18 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 28986 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 11:18:17 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D3DF@listserv.fnal.gov>; Mon, 12 Mar 2001 11:18:17 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA3008QJHEHPQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 11:18:17 -0600 (CST) Date: Mon, 12 Mar 2001 11:18:15 -0600 (CST) From: "Marc W. Mengel" Subject: Re: excluding accounts from kerberos? 
In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1011 Put an empty .k5login file in that users home directory, and kerberos will not let anyone in. On Sat, 10 Mar 2001, Tim Zingelman wrote: > How do we assure that accounts such as these don't accidentally overlap > with the kerberos principals namespace and suddenly allow people to log > into our machines? is it safe to assume that kerberos does not allow any > direct UID zero logins, or might we be worried about toor accounts too? > Or am I missing something obvious? (it is almost 3:00am after all :) From kreymer@fnal.gov Mon Mar 12 12:09:02 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA22229 for ; Mon, 12 Mar 2001 12:09:01 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA3009SFJQKLW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 12:08:58 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D4F0@listserv.fnal.gov>; Mon, 12 Mar 2001 12:08:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29274 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 12:08:51 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D4EA@listserv.fnal.gov>; Mon, 12 Mar 2001 12:08:51 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300J1LJQML8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 12:08:50 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service 
(5.5.1960.3) id ; Mon, 12 Mar 2001 12:08:45 -0600 Content-return: allowed Date: Mon, 12 Mar 2001 12:07:45 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7613F2E9@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1012 This reminder created on 3/12/01 12:03:38 PM Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Type : Utilities Item : Kerberos Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshs my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Mar 12 12:50:12 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA26495 for ; Mon, 12 Mar 2001 12:50:11 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300K6FLNLXQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 12 Mar 2001 12:50:10 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D5F7@listserv.fnal.gov>; Mon, 12 Mar 2001 12:50:09 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 29554 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 12 Mar 2001 12:50:09 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010D5F6@listserv.fnal.gov>; Mon, 12 Mar 2001 12:50:09 -0600 Received: from ncdf30.fnal.gov ([131.225.233.153]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA300JBCLNL8R@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 12 Mar 2001 12:50:09 -0600 (CST) Received: from ts.infn.it (localhost.localdomain [127.0.0.1]) by ncdf30.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA12164; Mon, 12 Mar 2001 12:50:08 -0600 Date: Mon, 12 Mar 2001 12:50:08 -0600 From: Stefano Belforte Subject: Re: connection problems Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: <3AAD1A60.19791A76@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200103121500.JAA02797@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1013 Matt Crawford wrote: > > My first guess is that you have a .k5login file 
in your home > directory there which does not list belforte@PILOT.FNAL.GOV. bingo ! I had added a tentative user in a tentative .k5login and did not realise that I had to put my principal as well or cut myself out. Thanks Matt Stefano From kreymer@fnal.gov Tue Mar 13 01:19:13 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id BAA15977 for ; Tue, 13 Mar 2001 01:19:13 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA4003CFKC0P9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 13 Mar 2001 01:19:12 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010DE99@listserv.fnal.gov>; Tue, 13 Mar 2001 01:19:12 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 31990 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 13 Mar 2001 01:19:11 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0010DE98@listserv.fnal.gov>; Tue, 13 Mar 2001 01:19:11 -0600 Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GA4004AEKBZZK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 13 Mar 2001 01:19:11 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id BAA13192 for ; Tue, 13 Mar 2001 01:24:35 -0600 (CST) Date: Tue, 13 Mar 2001 01:24:35 -0600 (CST) From: Tim Zingelman Subject: machines with multiple names Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1014 How are machines with multiple names that 
all resolve to one IP address handled? Do these machines need multiple
principals?

Thanks,
- Tim

From kreymer@fnal.gov Tue Mar 13 08:15:02 2001 -0600
Date: Tue, 13 Mar 2001 08:14:59 -0600
From: Matt Crawford
Subject: Re: machines with multiple names
In-reply-to: "13 Mar 2001 01:24:35 CST."
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200103131414.IAA10339@gungnir.fnal.gov>

> How are machines with multiple names that all resolve to one ip address
> handled? Do these machines need multiple principals?

Are you speaking of nicknames, like those defined with DNS "CNAME" records?
Those get resolved to the canonical name before forming the service
principal name. For example, if

    nick.fnal.gov.   CNAME   real.fnal.gov.
    real.fnal.gov.   A       131.225.1.1

then a telnet/rlogin/etc to "nick" gets me a ticket for the service
"host/real.fnal.gov".

Now if you mean that you have a case like

    thing1.fnal.gov   A   131.225.2.2
    thing2.fnal.gov   A   131.225.2.2

then I'm all set to be revolted unless there's a plausible reason. (I also
have to wonder what PTR is at 2.2.225.131.in-addr.arpa.) "Virtual" web
hosting, relying on HTTP 1.1 features? You could simply decree that only
one name is suitable for logging in to. But if for some reason you have to
do it, then multiple "host" principals will do the job.

From kreymer@fnal.gov Tue Mar 13 11:35:02 2001 -0600
Date: Tue, 13 Mar 2001 12:34:43 -0500
From: colin
Subject: cryptocard/Palm
To: kerberos-pilot@fnal.gov
Message-id: <3AAE5A32.6B6D08E2@yale.edu>

Hi,

Two quick questions: I remember hearing of someone having problems with the
cryptocard software running on a Palm V -- has this been resolved? If so,
is there a place from which I can download the software, or do I need to
come in person? I already have my Kerberos principal.

Thanks,
Colin Gay

-- 
_______________________________________
Colin Gay
Yale University, 509 JWG, Box 208121
260 Whitney Ave.
New Haven, CT, 06515
Tel: (203)432-3364  Fax: (203)432-6125
_______________________________________

From kreymer@fnal.gov Tue Mar 13 17:10:14 2001 -0600
Date: Tue, 13 Mar 2001 17:10:12 -0600 (CST)
From: Steven Timm
Subject: ftp localhost
To: kerberos-pilot@fnal.gov

I have recently observed two problems with kerberized ftp:

fnpc101.timm:~> which ftp
/fnal/ups/prd/kerberos/v0_6/Linux+2.2/./bin/ftp
fnpc101.timm:~> ftp localhost
Connected to localhost.localdomain.
220 fnpc101 FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Cannot find KDC for requested realm
GSSAPI error: initializing context
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Cannot find KDC for requested realm
GSSAPI error: initializing context
GSSAPI authentication failed
Name (localhost:timm):
fnpc101.timm:~>
fnpc101.timm:~>

So it seems that "ftp localhost" isn't supported. I then tried to specify
a realm with

fnpc101.timm:~> ftp localhost -k PILOT.FNAL.GOV
usage: ftp host-name [port]

So it would seem that the documentation in the Strong Authentication manual
that says the -k option is supported is just wrong.

Steve Timm
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Tue Mar 13 17:20:52 2001 -0600
Date: Tue, 13 Mar 2001 17:20:49 -0600
From: Matt Crawford
Subject: Re: ftp localhost
In-reply-to: "13 Mar 2001 17:10:12 CST."
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200103132320.RAA14236@gungnir.fnal.gov>

Both the man page and the one-line "usage" message agree that "-k REALM"
has to come before the hostname.

     SYNOPSIS
          ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t]
          [host]

     gungnir 3861% ftp -\?
     ftp: ?: unknown option
     Usage: ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t] [host]

But no matter, because there is no "ftp/localhost" principal in any
realm's database. What key would such a principal have and where would
you distribute it to -- everywhere?

Ya can't do it. Well, you can, with a cryptocard response, but why?
From kreymer@fnal.gov Tue Mar 13 17:29:39 2001 -0600
Date: Tue, 13 Mar 2001 17:29:37 -0600 (CST)
From: Steven Timm
Subject: Re: ftp localhost
In-reply-to: <200103132320.RAA14236@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

On Tue, 13 Mar 2001, Matt Crawford wrote:

> Both the man page and the one-line "usage" message agree that "-k
> REALM" has to come before the hostname.

However, the Strong Auth manual, page 9-4, shows it after the hostname.
I tried it both ways, it didn't work either way. (Not to mention that the
kerberos ftp man page doesn't get installed on a normal install of
kerberos, but I digress.) All we get back is this:

usage: ftp host-name [port]

This is under Linux. Has it been fixed in later releases? I know mine is
fairly old.

Steve Timm

>
> SYNOPSIS
>      ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t]
>      [host]
>
> gungnir 3861% ftp -\?
> ftp: ?: unknown option
> Usage: ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t] [host]
>
>
> But no matter, because there is no "ftp/localhost" principal in any
> realm's database. What key would such a principal have and where
> would you distribute it to -- everywhere?
>
> Ya can't do it. Well, you can, with a cryptocard response, but why?
>

From kreymer@fnal.gov Tue Mar 13 17:42:28 2001 -0600
Date: Tue, 13 Mar 2001 17:42:26 -0600
From: Matt Crawford
Subject: Re: ftp localhost
In-reply-to: "13 Mar 2001 17:29:37 CST."
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200103132342.RAA14416@gungnir.fnal.gov>

> However, the Strong Auth manual, page 9-4, shows it after the hostname.

OK, we'll chalk up that documentation error.

> I tried it both ways, it didn't work either way.

But it failed differently, didn't it?

> (Not to mention
> that the kerberos ftp man page doesn't get installed on a normal
> install kerberos, but I digress)

Sure it does, but maybe not where you expect. It goes in the products man
page area. (/fnal/ups/man on my system. YMMV.)

> All we get back is this:
>
> usage: ftp host-name [port]

You managed to tickle a strange path through the code. It would have
looked weirder if you had done, say "ftp -x hostname -k realmname". The
real usage message comes if you use an unknown flag on the command line
... before the hostname.

> Has it been fixed in later releases? I know mine is fairly old.

Ftp to localhost ain't gonna work nohow (except as anonymous or with a
cryptocard). Use ftp `hostname` instead.
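Matt's two points in this thread, that a CNAME is chased to the canonical name before the host/ principal is formed, and that "ftp localhost" ends up asking for a realm no KDC is configured for, worked through as an added Python example; this is not code from the list or from the Fermilab kerberos product. The DNS records, the [domain_realm] entries and the KDC table are constructed for the example (the krb-pilot-1 to krb-pilot-4 names are the PILOT KDCs named later in the thread), and it also covers the two-A-records case, where each name gets its own host principal.

```python
"""Service-principal construction the way a GSSAPI client such as
kerberized ftp/telnet does it: canonicalize the host (chasing CNAMEs),
map the canonical name to a realm through [domain_realm], then look up
that realm's KDCs. Added example, not code from the list or from the
Fermilab kerberos product; DNS and krb5.conf data are constructed here."""
from __future__ import annotations

# Constructed stand-in for DNS: owner name -> (rrtype, rdata).
# Covers the three cases in the thread: a CNAME nickname, two A records
# for one address, and the loopback name that "ftp localhost" connects to.
DNS = {
    "nick.fnal.gov.": ("CNAME", "real.fnal.gov."),
    "real.fnal.gov.": ("A", "131.225.1.1"),
    "thing1.fnal.gov.": ("A", "131.225.2.2"),
    "thing2.fnal.gov.": ("A", "131.225.2.2"),
    "localhost.localdomain.": ("A", "127.0.0.1"),
}

# Constructed [domain_realm] section: a leading-dot key matches every host
# under that domain, a bare key matches that exact host name.
DOMAIN_REALM = {
    ".fnal.gov": "PILOT.FNAL.GOV",
    "fnal.gov": "PILOT.FNAL.GOV",
}

# Constructed [realms] KDC list; the four PILOT KDC names are from the thread.
KDCS = {
    "PILOT.FNAL.GOV": [f"krb-pilot-{n}.fnal.gov" for n in range(1, 5)],
}


def canonicalize(name: str, dns: dict = DNS, max_hops: int = 8) -> str:
    """Follow CNAMEs to the name that owns the A record; returned without
    the trailing dot. Rejects CNAME loops and over-long chains."""
    cur = name.lower() if name.endswith(".") else name.lower() + "."
    seen = set()
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError(f"CNAME loop at {cur}")
        seen.add(cur)
        rrtype, rdata = dns.get(cur, (None, None))
        if rrtype == "CNAME":
            cur = rdata
        elif rrtype == "A":
            return cur.rstrip(".")
        else:
            raise ValueError(f"no A or CNAME record for {cur}")
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def realm_for(host: str, domain_realm: dict = DOMAIN_REALM) -> str:
    """[domain_realm] lookup as krb5 does it: exact host first, then each
    parent domain with a leading dot. With no match krb5 falls back to the
    host's domain part upper-cased, which is how localhost.localdomain
    ends up asking for the realm LOCALDOMAIN."""
    host = host.lower()
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    if len(labels) < 2:
        raise ValueError(f"{host} has no domain part to derive a realm from")
    return ".".join(labels[1:]).upper()


def resolve_target(service: str, host: str, dns: dict = DNS,
                   domain_realm: dict = DOMAIN_REALM,
                   kdcs: dict = KDCS) -> tuple[str, list[str]]:
    """Return (service principal, KDC list). An empty KDC list is the
    condition the ftp client reports as "Cannot find KDC for requested
    realm": the principal was formed, but its realm has no KDC configured."""
    canon = canonicalize(host, dns)
    realm = realm_for(canon, domain_realm)
    return f"{service}/{canon}@{realm}", list(kdcs.get(realm, []))


def principals_for_address(ip: str, service: str = "host",
                           dns: dict = DNS) -> list[str]:
    """Every service principal clients may request for one address when
    several names carry A records for it. Each needs its own key in the
    keytab, which is why two A records for one host need two "host" principals."""
    names = sorted(n for n, (t, d) in dns.items() if t == "A" and d == ip)
    return [resolve_target(service, n, dns)[0] for n in names]


if __name__ == "__main__":
    print(resolve_target("host", "nick.fnal.gov"))
    print(principals_for_address("131.225.2.2"))
    print(resolve_target("ftp", "localhost.localdomain"))
```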
From kreymer@fnal.gov Tue Mar 13 18:11:43 2001 -0600
Date: Tue, 13 Mar 2001 18:11:29 -0600
From: Fedor Ratnikov
Subject: Authentication problem
To: kerberos-pilot@fnal.gov
Message-id: <3AAEB731.D4D0AFB4@fnal.gov>

Hi,
today I cannot get a kerberos ticket. I believe I did it yesterday, so why
can I not get a new one?
rutlap7:/home/ratnikov/cdf/run2/tau> klist
Ticket cache: /tmp/krb5cc_4615
Default principal: ratnikov@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
03/12/01 19:00:18  03/13/01 21:00:18  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
rutlap7:/home/ratnikov/cdf/run2/tau> kinit
Password for ratnikov@PILOT.FNAL.GOV:
kinit: Cannot contact any KDC for requested realm while getting initial credentials

Cheers, Fedor.

-- 
MS318(CDF/Rutgers) Fermilab, Batavia, IL 60510 USA
Tel.:+1(630)840-8435 Fax:+1(630)840-6315

From kreymer@fnal.gov Tue Mar 13 19:25:13 2001 -0600
Date: Tue, 13 Mar 2001 19:25:11 -0600
From: Steven Timm
Subject: Re: Authentication problem
In-reply-to: <3AAEB731.D4D0AFB4@fnal.gov>
To: Fedor Ratnikov
Cc: kerberos-pilot@fnal.gov

There were some systems in the prototype farms that reported the same error
"cannot contact KDC" this afternoon... by the time I investigated the system
was working normally again. Try to kinit now and see if you still have the
same problem.

Steve Timm
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 13 Mar 2001, Fedor Ratnikov wrote:

> Hi,
> today I can not get a kerberos ticket. I believe I did it yesterday and
> why I can not get a new one?
>
> rutlap7:/home/ratnikov/cdf/run2/tau> klist
> Ticket cache: /tmp/krb5cc_4615
> Default principal: ratnikov@PILOT.FNAL.GOV
>
> Valid starting     Expires            Service principal
> 03/12/01 19:00:18  03/13/01 21:00:18
> krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
> rutlap7:/home/ratnikov/cdf/run2/tau> kinit
> Password for ratnikov@PILOT.FNAL.GOV:
> kinit: Cannot contact any KDC for requested realm while getting initial
> credentials
>
> Cheers, Fedor.
>
>
> --
> MS318(CDF/Rutgers) Fermilab, Batavia, IL 60510 USA
> Tel.:+1(630)840-8435 Fax:+1(630)840-6315
>

From kreymer@fnal.gov Wed Mar 14 08:12:55 2001 -0600
Date: Wed, 14 Mar 2001 08:12:51 -0600
From: Matt Crawford
Subject: Re: Authentication problem
In-reply-to: "13 Mar 2001 18:11:29 CST." <3AAEB731.D4D0AFB4@fnal.gov>
To: Fedor Ratnikov
Cc: kerberos-pilot@fnal.gov
Message-id: <200103141412.IAA17746@gungnir.fnal.gov>

I see successful authentications for you just before, and an hour and two
hours after your email. Please confirm that the problem still exists.
You could also try pinging the KDCs -- there are now four for
PILOT.FNAL.GOV, named krb-pilot-1 through krb-pilot-4.fnal.gov.

Mar 13 18:07:35 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): NEEDED_PREAUTH: ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Additional pre-authentication required
Mar 13 18:07:35 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): ISSUE: authtime 984528455, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 18:59:24 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): NEEDED_PREAUTH: ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Additional pre-authentication required
Mar 13 18:59:24 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 19:00:23 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for host/cdfpca.fnal.gov@PILOT.FNAL.GOV
Mar 13 19:00:23 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 20:12:19 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.232.8(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for host/cdfsga.fnal.gov@PILOT.FNAL.GOV
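The check Matt did above, reading the KDC log for one principal's AS_REQ/TGS_REQ records, as an added Python example that is not Fermilab code: the sample lines are the ones quoted in his message, the year 2001 is assumed because syslog timestamps carry none, and the second function additionally flags TGS requests that arrive from an address other than the one that obtained the TGT, which is what a forwarded ticket looks like in this log.

```python
"""Parse MIT krb5kdc log lines and summarize a principal's authentication
history. Added example, not Fermilab code; the sample lines are copied from
the message above and the year (2001) is assumed from the thread's dates."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# One krb5kdc request record: syslog timestamp, KDC host, pid, request type,
# client address, status, optional authtime, client and server principals,
# and an optional trailing message such as the pre-authentication notice.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<kdc>\S+) "
    r"krb5kdc\[(?P<pid>\d+)\]: (?P<req>AS_REQ|TGS_REQ) "
    r"(?P<ip>[\d.]+)\((?P<port>\d+)\): (?P<status>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), )?(?P<client>\S+) for (?P<server>\S+?)"
    r"(?:, (?P<msg>.*))?$"
)

# Sample log as quoted in the thread (KDC i-krb-2, principal ratnikov).
SAMPLE_LOG = """\
Mar 13 18:07:35 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): NEEDED_PREAUTH: ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Additional pre-authentication required
Mar 13 18:07:35 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): ISSUE: authtime 984528455, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 18:59:24 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): NEEDED_PREAUTH: ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Additional pre-authentication required
Mar 13 18:59:24 i-krb-2.fnal.gov krb5kdc[9258]: AS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 19:00:23 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for host/cdfpca.fnal.gov@PILOT.FNAL.GOV
Mar 13 19:00:23 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.235.30(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
Mar 13 20:12:19 i-krb-2.fnal.gov krb5kdc[9258]: TGS_REQ 131.225.232.8(88): ISSUE: authtime 984531564, ratnikov@PILOT.FNAL.GOV for host/cdfsga.fnal.gov@PILOT.FNAL.GOV
"""


def parse_kdc_line(line: str, year: int = 2001) -> dict | None:
    """Fields of one AS_REQ/TGS_REQ record, or None for any other line.
    syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec.pop("ts"), "%b %d %H:%M:%S").replace(year=year)
    rec["authtime"] = int(rec["authtime"]) if rec["authtime"] else None
    return rec


def initial_auths(log: str, principal: str, year: int = 2001) -> list[tuple[datetime, str]]:
    """(time, client IP) of each successful initial authentication, i.e. an
    AS_REQ answered with ISSUE. A NEEDED_PREAUTH line is the KDC asking for
    pre-authentication first; it is part of a normal kinit, not a failure."""
    out = []
    for line in log.splitlines():
        rec = parse_kdc_line(line, year)
        if rec and rec["req"] == "AS_REQ" and rec["status"] == "ISSUE" and rec["client"] == principal:
            out.append((rec["time"], rec["ip"]))
    return out


def ticket_use_from_other_hosts(log: str, principal: str, year: int = 2001) -> list[tuple[int, str, str]]:
    """TGS requests made with a TGT (identified by its authtime) from an
    address other than the one that obtained it. A forwarded ticket after a
    kerberized login to another host produces exactly this, so treat it as
    a review cue rather than an alarm. Returns (authtime, IP, service)."""
    issued_to: dict[int, str] = {}          # authtime -> IP that completed the AS_REQ
    uses: dict[int, list] = defaultdict(list)  # authtime -> [(IP, service principal)]
    for line in log.splitlines():
        rec = parse_kdc_line(line, year)
        if not rec or rec["client"] != principal or rec["status"] != "ISSUE":
            continue
        if rec["req"] == "AS_REQ":
            issued_to[rec["authtime"]] = rec["ip"]
        else:
            uses[rec["authtime"]].append((rec["ip"], rec["server"]))
    flagged = []
    for authtime, reqs in uses.items():
        origin = issued_to.get(authtime)
        for ip, server in reqs:
            if origin is not None and ip != origin:
                flagged.append((authtime, ip, server))
    return flagged


if __name__ == "__main__":
    who = "ratnikov@PILOT.FNAL.GOV"
    for when, ip in initial_auths(SAMPLE_LOG, who):
        print(f"{when:%Y-%m-%d %H:%M:%S} initial auth from {ip}")
    for authtime, ip, server in ticket_use_from_other_hosts(SAMPLE_LOG, who):
        print(f"TGT {authtime} used from {ip} for {server}")
```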

Date: Wed, 14 Mar 2001 09:19:59 -0600
From: Anne Heavey
Subject: Re: ftp localhost
In-reply-to: "Your message of Tue, 13 Mar 2001 17:29:37 CST."
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200103141520.f2EFJxo17529@fsui02.fnal.gov>

> On Tue, 13 Mar 2001, Matt Crawford wrote:
>
> > Both the man page and the one-line "usage" message agree that "-k
> > REALM" has to come before the hostname.
>
> However, the Strong Auth manual, page 9-4, shows it after the hostname.
> I tried it both ways, it didn't work either way. (Not to mention
> that the kerberos ftp man page doesn't get installed on a normal
> install kerberos, but I digress).
> All we get back is this:
>

Fixed in online doc, and in updates page:

http://www.fnal.gov/docs/strongauth/html/netcommands.html#28594
http://www.fnal.gov/docs/strongauth/misc/updates.html

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Wed Mar 14 16:06:32 2001 -0600
Date: Wed, 14 Mar 2001 16:06:09 -0600
From: Matt Crawford
Subject: No more requests for Palm Pilot Cryptocards, please!
To: kerberos-announce@fnal.gov
Message-id: <200103142206.QAA22136@gungnir.fnal.gov>

I had a backlog of 15 PalmOS cryptocard software requests. Seven were from
people who already had a hardware card issued. I just emailed Palm software
files to the other eight, which uses up all the licenses we purchased to
date.

I am reluctant to buy more licenses until the remaining known bug in the
software is fixed. (Sometimes the displayed response is too wide for its
field and the last few columns of pixels are missing, making 0 look like C,
B like E and so on.) I will send a notice if and when more copies become
available.

Following this message, I will send confirmation to the seven requesters
who seemed to already have a hardware card and so were not sent the
software. If you think you asked for the software and you get neither the
files nor that confirmation, then I lost your request or never got it.

Matt Crawford

From kreymer@fnal.gov Fri Mar 16 10:11:50 2001 -0600
Date: Fri, 16 Mar 2001 10:11:40 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: problem with lauri/root principal: can't authenticate
To: kerberos-pilot@fnal.gov
Message-id: <3AB23B3C.E9027D0D@fnal.gov>
Organization: Fermi National Accelerator Lab

I cannot seem to authenticate using my lauri/root@PILOT.FNAL.GOV
principal. I thought it was a password problem, so I had Yolanda reset my
password, but it still isn't working.

Every time I try to authenticate, I get the same error message (output
below).

HELP!?!?!?

-- lauri

$ klist -f
Ticket cache: /tmp/krb5cc_lauri
Default principal: lauri@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
03/16/01 08:35:45  03/17/01 10:35:45  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
        renew until 03/21/01 17:21:27, Flags: FRIA
$ kinit lauri/root
Password for lauri/root@PILOT.FNAL.GOV:
kinit: KDC policy rejects request while getting initial credentials

From kreymer@fnal.gov Fri Mar 16 10:29:58 2001 -0600
from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46081 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Mar 2001 10:29:53 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111024@listserv.fnal.gov>; Fri, 16 Mar 2001 10:29:53 -0600 Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAA0058ETTS2G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 10:29:52 -0600 (CST) Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id KAA41296; Fri, 16 Mar 2001 10:29:51 -0600 (CST) Date: Fri, 16 Mar 2001 10:29:51 -0600 (CST) From: "David J. Fagan" Subject: Re: problem with lauri/root principal: can't authenticate Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-pilot@fnal.gov Message-id: <200103161629.KAA41296@large.fnal.gov> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=iso-8859-1 Precedence: normal In-hurl-to: (Your message of Fri, 16 Mar 2001 10:11:40 CST.) <3AB23B3C.E9027D0D@fnal.gov> X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id KAA15408 Status: RO X-Status: X-Keywords: X-UID: 1027 use -F ------------------------------------------------------------------------------- David J. 
Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------------- On Friday, "Laurelin of Middle Earth, 630-840-2214": > I cannot seem to authenticate using my lauri/root@PILOT.FNAL.GOV > principal. I thought it was a password problem, so I had > Yolanda reset my password, but it still isn't working. > > Every time I try to authenticate, I get the same error message > (output below). > > HELP!?!?!? > > -- lauri > > $ klist -f > Ticket cache: /tmp/krb5cc_lauri > Default principal: lauri@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 03/16/01 08:35:45 03/17/01 10:35:45 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > renew until 03/21/01 17:21:27, Flags: FRIA > $ kinit lauri/root > Password for lauri/root@PILOT.FNAL.GOV: > kinit: KDC policy rejects request while getting initial credentials From kreymer@fnal.gov Fri Mar 16 10:52:23 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17242 for ; Fri, 16 Mar 2001 10:52:23 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAA005HKUV824@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 10:52:21 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111063@listserv.fnal.gov>; Fri, 16 Mar 2001 10:52:20 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46146 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Mar 2001 10:52:20 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111062@listserv.fnal.gov>; Fri, 16 Mar 2001 10:52:20 -0600 Received: from fnal.gov 
([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAA005DFUV72F@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 10:52:19 -0600 (CST)
Date: Fri, 16 Mar 2001 10:52:11 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: problem with lauri/root principal: can't authenticate
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "David J. Fagan"
Cc: kerberos-pilot@fnal.gov
Message-id: <3AB244BB.FBE2B17B@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=iso-8859-1
X-Accept-Language: en
References: <200103161629.KAA41296@large.fnal.gov>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by patnt2.fnal.gov id KAA17242
Status: RO
X-Status:
X-Keywords:
X-UID: 1028

Ok, that did the trick (but NOTE, -F is not documented in the
man page for kinit). I assume this has something to do with
forwarding/forwardable tickets?

Next question: I successfully kinit -F. Then I try to

telnet [-f | -F] -l products d0ora3

I've tried with -f, -F, and with nothing at all. In
all 3 cases, I still get an error message on the
target system:

Trying 131.225.222.6...
Connected to d0ora3.fnal.gov (131.225.222.6).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``lauri/root@PILOT.FNAL.GOV'' ]
Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option

How do I prevent this error getting forwarded credentials?

-- lauri

"David J. Fagan" wrote:
>
> use -F
>
> -------------------------------------------------------------------------------
> David J.
Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) > SGI-liaison | Liaison Requests use SGI-liaison@fnal > Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 > ------------------------------------------------------------------------------- > On Friday, > "Laurelin of Middle Earth, 630-840-2214": > > > I cannot seem to authenticate using my lauri/root@PILOT.FNAL.GOV > > principal. I thought it was a password problem, so I had > > Yolanda reset my password, but it still isn't working. > > > > Every time I try to authenticate, I get the same error message > > (output below). > > > > HELP!?!?!? > > > > -- lauri > > > > $ klist -f > > Ticket cache: /tmp/krb5cc_lauri > > Default principal: lauri@PILOT.FNAL.GOV > > > > Valid starting Expires Service principal > > 03/16/01 08:35:45 03/17/01 10:35:45 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > > renew until 03/21/01 17:21:27, Flags: FRIA > > $ kinit lauri/root > > Password for lauri/root@PILOT.FNAL.GOV: > > kinit: KDC policy rejects request while getting initial credentials From kreymer@fnal.gov Fri Mar 16 11:02:48 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA17716 for ; Fri, 16 Mar 2001 11:02:48 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAA005KXVCL1Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 11:02:47 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111080@listserv.fnal.gov>; Fri, 16 Mar 2001 11:02:45 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 46175 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Mar 2001 11:02:45 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011107F@listserv.fnal.gov>; Fri, 16 
Mar 2001 11:02:45 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAA005I6VCK22@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 11:02:44 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA03979; Fri, 16 Mar 2001 11:02:44 -0600 (CST)
Date: Fri, 16 Mar 2001 11:02:44 -0600
From: Matt Crawford
Subject: Re: problem with lauri/root principal: can't authenticate
In-reply-to: "16 Mar 2001 10:52:11 CST." <3AB244BB.FBE2B17B@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: "David J. Fagan" , kerberos-pilot@fnal.gov
Message-id: <200103161702.LAA03979@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1029

> Ok, that did the trick (but NOTE, -F is not documented in the
> man page for kinit). I assume this has something to do with
> forwarding/forwardable tickets?

gungnir 806% man kinit
KINIT(1)                     User Commands                     KINIT(1)

NAME
       kinit - obtain and cache Kerberos ticket-granting ticket

SYNOPSIS
       kinit [-l lifetime] [-s start_time] [-v] [-p] [-f] [-F]
       [-k [ -t keytab_file]] [-r renewable_life] [-R] [-a] [-A]
       [-c cache_name] [-S service_name] [principal]
etc...
       -F     request non-forwardable tickets.

Got an old rev? Wrong MANPATH?

> Next question: I successfully kinit -F.

I.e., get a non-forwardable ticket.

> Then I try to
> telnet [-f | -F] -l products d0ora3

I.e., you try to forward your ticket, either in a not-further-forwardable
fashion or recursively forwardable.

> I've tried with -f, -F, and with nothing at all. In
> all 3 cases, I still get an error message on the
> target system:
>
> Trying 131.225.222.6...
> Connected to d0ora3.fnal.gov (131.225.222.6).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``lauri/root@PILOT.FNAL.GOV'' ]
> Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option
>
> How do I prevent this error getting forwarded credentials?

By NOT attempting to forward the UNforwardable credentials!

=> telnet -N -l user host

From kreymer@fnal.gov Fri Mar 16 14:36:22 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA32292 for ; Fri, 16 Mar 2001 14:36:22 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB0011I58LJ9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 14:36:21 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011143A@listserv.fnal.gov>; Fri, 16 Mar 2001 14:36:21 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 47246 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Mar 2001 14:36:21 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111439@listserv.fnal.gov>; Fri, 16 Mar 2001 14:36:21 -0600
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB00FRU58KYK@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 14:36:20 -0600 (CST)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f2GKaJQ24870 for ; Fri, 16 Mar 2001 14:36:19 -0600 (CST)
Date: Fri, 16 Mar 2001 14:36:19 -0600
From: aheavey@fnal.gov
Subject: problem running Xwindows
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200103162036.f2GKaJQ24870@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 1030

I don't know the answer to this person's problem. Can someone please
help out?

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

------- Forwarded Message

Hi,

I tried the script in chapter 7 of your manual. It does not
give me access to my host screen, because the variable disp is
undefined. I have attached the output and the script below. I would
be grateful if you could tell me how to fix this, since I do not like
typing xhost + fcdfsgi2 every time...

Thank you,

Evelyn Thomson

> kxtelnet fcdfsgi2 thomsone
This rsh session is using DES encryption for all data transmissions.
:pserver:anonymous@cdfcvs.fnal.gov:/cdf/code/cdfcvs/run2
disp: Undefined variable.
Trying 131.225.240.129...
Connected to fcdfsgi2.fnal.gov (131.225.240.129).
Escape character is '^]'.
Waiting for encryption to be negotiated...
NOTICE TO USERS

#!/bin/sh
if [ $# != 2 ]; then
    echo " usage: kxtelnet RemoteHostName RemoteUserName" 1>&2
    exit 1
fi
case "$DISPLAY" in
    :*) disp='hostname'$DISPLAY;;
    *) disp=$DISPLAY;;
esac
/usr/krb5/bin/rsh -n -x -l $2 $1 xauth add 'xauth list $disp'
exec /usr/krb5/bin/telnet -x -l $2 $1

------- End of Forwarded Message

From kreymer@fnal.gov Fri Mar 16 15:36:18 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA32362 for ; Fri, 16 Mar 2001 15:36:18 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB00MMM80GYH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 15:36:17 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011154A@listserv.fnal.gov>; Fri, 16 Mar 2001 15:36:16 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 47549 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri,
16 Mar 2001 15:36:16 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00111549@listserv.fnal.gov>; Fri, 16 Mar 2001 15:36:16 -0600 Received: from hamshack.fnal.gov ([131.225.84.179]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB001H180GML@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 15:36:16 -0600 (CST) Received: from localhost (localhost [[UNIX: localhost]]) by hamshack.fnal.gov (8.9.3/8.9.3) id PAA18766; Fri, 16 Mar 2001 15:36:15 -0600 Date: Fri, 16 Mar 2001 15:36:15 -0600 From: Ken Schumacher Subject: Re: problem running Xwindows In-reply-to: <200103162036.f2GKaJQ24870@fsui02.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Cc: aheavey@fnal.gov Message-id: <01031615361503.12819@hamshack> Organization: Fermilab CD/OSS Scientific Computing Support group MIME-version: 1.0 X-Mailer: KMail [version 1.2] Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 8bit References: <200103162036.f2GKaJQ24870@fsui02.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1031 Greetings, It looks to me like the DISPLAY env. variable is null when the 'kxtelnet' script is being called. The script could be enhanced to ensure that the DISPLAY variable is set to something. Possibly it could set that variable to a default value if it's not set, something like ":0". Evelyn, can you make sure the DISPLAY variable is set to something and then try the kxtelnet script again. If that solves the problem, then we can put together a new version of the script that's a bit more bullet-proof. More later, Ken S. On Friday 16 March 2001 02:36 pm, Anne Heavey wrote: > I don't know the answer to this person's problem. Can someone please > help out? 
> > -- Anne > > Anne Heavey | Fermilab Computing Division | WWW Group > Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 > > ------- Forwarded Message > > > Hi, > > I tried the script in chapter 7 of your manual. It does not > give me access to my host screen, because the variable disp is > undefined. I have attached the output and the script below. I would > be grateful if you could tell me how to fix this, since I do not like > typing xhost + fcdfsgi2 every time... > > Thank you, > > Evelyn Thomson > > > kxtelnet fcdfsgi2 thomsone > > This rsh session is using DES encryption for all data transmissions. > > :pserver:anonymous@cdfcvs.fnal.gov:/cdf/code/cdfcvs/run2 > > disp: Undefined variable. > Trying 131.225.240.129... > Connected to fcdfsgi2.fnal.gov (131.225.240.129). > Escape character is '^]'. > Waiting for encryption to be negotiated... > NOTICE TO USERS > > > #!/bin/sh > if [ $# != 2 ]; then > echo " usage: kxtelnet RemoteHostName RemoteUserName" 1>&2 > exit 1 > fi > case "$DISPLAY" in > > :*) disp='hostname'$DISPLAY;; > > *) disp=$DISPLAY;; > esac > /usr/krb5/bin/rsh -n -x -l $2 $1 xauth add 'xauth list $disp' > exec /usr/krb5/bin/telnet -x -l $2 $1 > > ------- End of Forwarded Message -- =================================================================== Ken Schumacher (o) 630-840-4579 (f) 630-840-6345 Fermilab CD/OSS SCS Group FCC-252g http://home.fnal.gov/~kschu/ =================================================================== From kreymer@fnal.gov Fri Mar 16 15:36:38 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA32366 for ; Fri, 16 Mar 2001 15:36:38 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB00MN9812YH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 16 Mar 2001 15:36:38 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov 
(8.9.1/8.9.1) with ESMTP id PAA05830; Fri, 16 Mar 2001 15:36:35 -0600 (CST) Date: Fri, 16 Mar 2001 15:36:34 -0600 From: Matt Crawford Subject: Re: More Kerberos access problems In-reply-to: "16 Mar 2001 10:45:10 CST." <010316104510.210019ea@tthep2.phys.ttu.edu> Sender: crawdad@gungnir.fnal.gov To: ALANSILL@tthep2.phys.ttu.edu Cc: EVERETT.MCARTHUR@MAIL.NET.TTU.EDU, Art Kreymer Message-id: <200103162136.PAA05830@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1032 > >On Fri, 16 Mar 2001, Alan Sill wrote: > ... > > /home/alansill > > starfire> setup cdfsoft2 development > ... > > starfire> cvs -n update > > cdfsga.fnal.gov: Connection refused Whenever this happened, cdfsga did not have a Kerberos rsh server listening! It does now. From kreymer@fnal.gov Fri Mar 16 15:45:38 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA32373 for ; Fri, 16 Mar 2001 15:45:38 -0600 From: ALANSILL@tthep2.phys.ttu.edu Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GAB007018G21D@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 15:45:38 -0600 (CST) Received: from tthep2.phys.ttu.edu ([129.118.41.23]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAB001J48G1ML@smtp.fnal.gov>; Fri, 16 Mar 2001 15:45:38 -0600 (CST) Received: by tthep2.phys.ttu.edu; Fri, 16 Mar 2001 15:47:02 -0600 Date: Fri, 16 Mar 2001 15:47:02 -0600 Subject: Re: More Kerberos access problems To: crawdad@fnal.gov Cc: EVERETT.MCARTHUR@MAIL.NET.TTU.EDU, KREYMER@fnal.gov, ALANSILL@tthep2.phys.ttu.edu Message-id: <010316154702.210019ee@tthep2.phys.ttu.edu> Status: RO X-Status: X-Keywords: X-UID: 1033 Hi, Still doesn't work. I think Art's message indicated that it worked when he did not use a specified command in rsh, but didn't work when he specified one. What gives? 
Alan --------------------------------------------------------------------------- From: SMTP%"crawdad@fnal.gov" 16-MAR-2001 15:38:02.74 To: ALANSILL CC: Subj: Re: More Kerberos access problems Message-Id: <200103162136.PAA05830@gungnir.fnal.gov> To: ALANSILL@tthep2.phys.ttu.edu Cc: EVERETT.MCARTHUR@MAIL.NET.TTU.EDU, Art Kreymer From: "Matt Crawford" Subject: Re: More Kerberos access problems In-reply-to: Your message of Fri, 16 Mar 2001 10:45:10 CST. <010316104510.210019ea@tthep2.phys.ttu.edu> Date: Fri, 16 Mar 2001 15:36:34 -0600 Sender: crawdad@gungnir.fnal.gov > >On Fri, 16 Mar 2001, Alan Sill wrote: > ... > > /home/alansill > > starfire> setup cdfsoft2 development > ... > > starfire> cvs -n update > > cdfsga.fnal.gov: Connection refused Whenever this happened, cdfsga did not have a Kerberos rsh server listening! It does now. From kreymer@fnal.gov Fri Mar 16 16:04:37 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA32410 for ; Fri, 16 Mar 2001 16:04:37 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB001HU9BOLD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 16 Mar 2001 16:04:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001115C8@listserv.fnal.gov>; Fri, 16 Mar 2001 16:04:36 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 47688 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 16 Mar 2001 16:04:36 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001115C7@listserv.fnal.gov>; Fri, 16 Mar 2001 16:04:36 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB001EI9BNLO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT 
kerberos-pilot@fnal.gov); Fri, 16 Mar 2001 16:04:36 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA05985; Fri, 16 Mar 2001 16:04:35 -0600 (CST)
Date: Fri, 16 Mar 2001 16:04:35 -0600
From: Matt Crawford
Subject: Re: problem running Xwindows
In-reply-to: "16 Mar 2001 14:36:19 CST." <200103162036.f2GKaJQ24870@fsui02.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: aheavey@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200103162204.QAA05985@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1034

The quotes are all screwed up. On the line beginning with ":*) the
quotes should be backticks. And on the "xauth add ..." line those
should be "double quotes". Quote-fixed version:

#!/bin/sh
if [ $# != 2 ]; then
    echo " usage: kxtelnet RemoteHostName RemoteUserName" 1>&2
    exit 1
fi
case "$DISPLAY" in
    :*) disp=`hostname`$DISPLAY;;
    *) disp=$DISPLAY;;
esac
/usr/krb5/bin/rsh -n -x -l $2 $1 xauth add "xauth list $disp"
exec /usr/krb5/bin/telnet -x -l $2 $1

From kreymer@fnal.gov Fri Mar 16 16:13:35 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA32425 for ; Fri, 16 Mar 2001 16:13:35 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB001G29QNLO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@fnal.gov); Fri, 16 Mar 2001 16:13:35 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA06095; Fri, 16 Mar 2001 16:13:32 -0600 (CST)
Date: Fri, 16 Mar 2001 16:13:32 -0600
From: Matt Crawford
Subject: Re: More Kerberos access problems
In-reply-to: "16 Mar 2001 15:47:02 CST."
<010316154702.210019ee@tthep2.phys.ttu.edu>
Sender: crawdad@gungnir.fnal.gov
To: ALANSILL@tthep2.phys.ttu.edu
Cc: EVERETT.MCARTHUR@MAIL.NET.TTU.EDU, KREYMER@fnal.gov
Message-id: <200103162213.QAA06095@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1035

> Still doesn't work. I think Art's message indicated that it worked when
> he did not use a specified command in rsh, but didn't work when he specified
> one. What gives?

Just like the BSD rsh, it actually morphs into rlogin if you don't give
a command line.

From kreymer@fnal.gov Fri Mar 16 16:20:57 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA32442 for ; Fri, 16 Mar 2001 16:20:57 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAB001FFA2WOP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Fri, 16 Mar 2001 16:20:56 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA06178; Fri, 16 Mar 2001 16:20:55 -0600 (CST)
Date: Fri, 16 Mar 2001 16:20:55 -0600
From: Matt Crawford
Subject: Re: More Kerberos access problems
In-reply-to: "16 Mar 2001 16:03:07 CST."
Sender: crawdad@gungnir.fnal.gov
To: Art Kreymer
Cc: ALANSILL@tthep2.phys.ttu.edu, EVERETT.MCARTHUR@MAIL.NET.TTU.EDU
Message-id: <200103162220.QAA06178@gungnir.fnal.gov>
Status: RO
X-Status: A
X-Keywords:
X-UID: 1036

> This works
> rsh -l node
> This does not work
> rsh -l node command

Works for me.

gungnir 125% rsh fcdfsgi2.fnal.gov date
This rsh session is using DES encryption for all data transmissions.
Fri Mar 16 16:20:40 CST 2001

Is the /etc/services file (or NIS map) messed up on starfire?
It should have

kshell 544/tcp

From kreymer@fnal.gov Mon Mar 19 10:39:57 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA21646 for ; Mon, 19 Mar 2001 10:39:57 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG006H9EAIJT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 10:39:56 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011264E@listserv.fnal.gov>; Mon, 19 Mar 2001 10:39:55 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 52320 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 10:39:55 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011264D@listserv.fnal.gov>; Mon, 19 Mar 2001 10:39:55 -0600
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG006G8EAIJI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 10:39:54 -0600 (CST)
Date: Mon, 19 Mar 2001 10:39:53 -0600
From: Troy Dawson
Subject: kerberos login on desktops
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: Candies Kastner
Message-id: <3AB63659.4080109@fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7bit
X-Accept-Language: en
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3smp i686; en-US; 0.8) Gecko/20010215
Status: RO
X-Status:
X-Keywords:
X-UID: 1037

Hello,
I've tried looking through the mail-list archives, but currently they
only go back to the beginning of march, so this question might have
already been answered but I couldn't find it. So my apologies if I'm
re-asking a question.
For linux, as of our kerberos 1.0, if you do a ups install-login kerberos, the login doesn't do the right things to allow you to do a startx. Has this been fixed as of the latest release of our kerberos (1.1a)? Or should we just not choose that option if we are planning on using it on our desktops? Thanks Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Mon Mar 19 12:08:43 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA30114 for ; Mon, 19 Mar 2001 12:08:43 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00HE3IDJ44@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 12:08:42 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001128AB@listserv.fnal.gov>; Mon, 19 Mar 2001 12:08:24 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 52975 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 12:08:24 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001128A8@listserv.fnal.gov>; Mon, 19 Mar 2001 12:08:24 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00GAZIDPSA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 12:08:23 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 19 Mar 2001 12:08:12 -0600 Content-return: allowed Date: Mon, 19 Mar 2001 12:07:59 -0600 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: 
"'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76148FEA@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1038 This reminder created on 3/19/01 12:03:44 PM Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Item : Kerberos Type : Utilities Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshs my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Mar 19 15:24:37 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06558 for ; Mon, 19 Mar 2001 15:24:37 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG005OJRGZ10@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 15:24:36 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D1C@listserv.fnal.gov>; Mon, 19 Mar 2001 15:24:36 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54248 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 15:24:36 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D1B@listserv.fnal.gov>; Mon, 19 Mar 2001 15:24:36 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG005MNRGZIE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 15:24:35 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26993 for ; Mon, 19 Mar 2001 15:24:35 -0600
Date: Mon, 19 Mar 2001 15:24:34 -0600 (CST)
From: Steven Timm
Subject: kerberos and tcp-wrappers
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1039

I have asked this question here a couple of times and not gotten an
answer so far:

The setup of kerberos has just added the following lines to my
inetd.conf file:

ftp     stream tcp nowait root /usr/krb5/sbin/ftpd    ftpd -aOP
telnet  stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -Pa valid
kshell  stream tcp nowait root /usr/krb5/sbin/kshd    kshd -5c
klogin  stream tcp nowait root /usr/krb5/sbin/klogind klogind -5c
eklogin stream tcp nowait root /usr/krb5/sbin/klogind klogind -5ec

How do we make these work with tcp wrappers?

A normal tcp wrapper configuration is to have

ftp     stream tcp nowait root /usr/etc/tcpd ftpd -l

now...how do we let the seventh field know what path the kerberized
ftpd daemon would be in?

Thanks

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Mon Mar 19 15:31:47 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06564 for ; Mon, 19 Mar 2001 15:31:47 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG005UKRSYLN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 15:31:47 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D3B@listserv.fnal.gov>; Mon, 19 Mar 2001 15:31:46 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54280 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 15:31:46 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D3A@listserv.fnal.gov>; Mon, 19 Mar 2001 15:31:46 -0600
Received: from b0rv11.fnal.gov ([131.225.232.239]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAG00D0ZRSXKG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 15:31:45 -0600 (CST)
Received: from
localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id PAA00558; Mon, 19 Mar 2001 15:31:45 -0600
Date: Mon, 19 Mar 2001 15:31:45 -0600
From: Glenn Cooper
Subject: Re: kerberos and tcp-wrappers
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1040

Hi Steve,

The kerberos installs since about v0_7 or so have preserved the tcpd
field in our inetd.conf files; not sure why this didn't work for you.
The lines should look like:

telnet stream tcp nowait root /usr/etc/tcpd /usr/krb5/sbin/telnetd -Pa valid

--in other words, with the full path to the executable, plus any
option flags, as the last field.

Hope this helps,
Glenn

On Mon, 19 Mar 2001, Steven Timm wrote:

> I have asked this question here a couple of times and not gotten an
> answer so far:
>
> The setup of kerberos has just added the following lines to my
> inetd.conf file:
>
> ftp stream tcp nowait root /usr/krb5/sbin/ftpd ftpd -aOP
> telnet stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -Pa
> valid
> kshell stream tcp nowait root /usr/krb5/sbin/kshd kshd -5c
> klogin stream tcp nowait root /usr/krb5/sbin/klogind klogind -5c
> eklogin stream tcp nowait root /usr/krb5/sbin/klogind klogind
> -5ec
>
>
> How do we make these work with tcp wrappers?
>
> A normal tcp wrapper configuration is to have
>
> ftp stream tcp nowait root /usr/etc/tcpd ftpd -l
>
> now...how do we let the seventh field know what path the kerberized
> ftpd daemon would be in?
>
> Thanks
>
> Steve Timm
>
>
> ------------------------------------------------------------------
> Steven C.
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>

From kreymer@fnal.gov Mon Mar 19 15:37:03 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06572 for ; Mon, 19 Mar 2001 15:37:03 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00B6US1PAE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 15:37:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D50@listserv.fnal.gov>; Mon, 19 Mar 2001 15:37:01 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54304 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 15:37:01 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D4F@listserv.fnal.gov>; Mon, 19 Mar 2001 15:37:01 -0600
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00D28S1OKG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 15:37:00 -0600 (CST)
Date: Mon, 19 Mar 2001 15:36:58 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: kerberos and tcp-wrappers
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: gcooper@fnal.gov
Cc: Steven Timm , kerberos-pilot@fnal.gov
Message-id: <3AB67BFA.964456AE@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 1041

I think the missing clue might be: the kerberos install "preserves" tcp wrapping.
It does not "insert" tcp wrapping. So if you haven't installed tcp
wrappers on these items, kerberos won't fix it for you; but if you had
a system where telnet, etc., were wrapped, then the kerberos
installation will keep them wrapped.

-- lauri

Glenn Cooper wrote:
>
> Hi Steve,
>
> The kerberos installs since about v0_7 or so have preserved the tcpd
> field in our inetd.conf files; not sure why this didn't work for you.
> The lines should look like:
>
> telnet stream tcp nowait root /usr/etc/tcpd /usr/krb5/sbin/telnetd -Pa valid
>
> --in other words, with the full path to the executable, plus any
> option flags, as the last field.
>
> Hope this helps,
> Glenn
>
> On Mon, 19 Mar 2001, Steven Timm wrote:
>
> > I have asked this question here a couple of times and not gotten an
> > answer so far:
> >
> > The setup of kerberos has just added the following lines to my
> > inetd.conf file:
> >
> > ftp stream tcp nowait root /usr/krb5/sbin/ftpd ftpd -aOP
> > telnet stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -Pa
> > valid
> > kshell stream tcp nowait root /usr/krb5/sbin/kshd kshd -5c
> > klogin stream tcp nowait root /usr/krb5/sbin/klogind klogind -5c
> > eklogin stream tcp nowait root /usr/krb5/sbin/klogind klogind
> > -5ec
> >
> >
> > How do we make these work with tcp wrappers?
> >
> > A normal tcp wrapper configuration is to have
> >
> > ftp stream tcp nowait root /usr/etc/tcpd ftpd -l
> >
> > now...how do we let the seventh field know what path the kerberized
> > ftpd daemon would be in?
> >
> > Thanks
> >
> > Steve Timm
> >
> >
> > ------------------------------------------------------------------
> > Steven C.
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Scientific Computing Support Group--Computing Farms Operations
> >

From kreymer@fnal.gov Mon Mar 19 15:50:48 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA06580 for ; Mon, 19 Mar 2001 15:50:47 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG006UHSOM5Y@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 15:50:47 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D8B@listserv.fnal.gov>; Mon, 19 Mar 2001 15:50:46 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54363 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 15:50:46 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112D8A@listserv.fnal.gov>; Mon, 19 Mar 2001 15:50:46 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00C8FSOLIQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 15:50:45 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA27100; Mon, 19 Mar 2001 15:50:45 -0600
Date: Mon, 19 Mar 2001 15:50:45 -0600 (CST)
From: Steven Timm
Subject: Re: kerberos and tcp-wrappers
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: gcooper@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1042

What the kerberos install doesn't do is to wrap the new services
that were never there before, such as kshd, klogin, and eklogin.
It didn't wrap the other two in my case (ftpd and telnetd) because
I didn't have wrappers installed to start with.

Thanks

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 19 Mar 2001, Glenn Cooper wrote:

> Hi Steve,
>
> The kerberos installs since about v0_7 or so have preserved the tcpd
> field in our inetd.conf files; not sure why this didn't work for you.
> The lines should look like:
>
> telnet stream tcp nowait root /usr/etc/tcpd /usr/krb5/sbin/telnetd -Pa valid
>
> --in other words, with the full path to the executable, plus any
> option flags, as the last field.
>
> Hope this helps,
> Glenn
>
>
> On Mon, 19 Mar 2001, Steven Timm wrote:
>
> > I have asked this question here a couple of times and not gotten an
> > answer so far:
> >
> > The setup of kerberos has just added the following lines to my
> > inetd.conf file:
> >
> > ftp stream tcp nowait root /usr/krb5/sbin/ftpd ftpd -aOP
> > telnet stream tcp nowait root /usr/krb5/sbin/telnetd telnetd -Pa
> > valid
> > kshell stream tcp nowait root /usr/krb5/sbin/kshd kshd -5c
> > klogin stream tcp nowait root /usr/krb5/sbin/klogind klogind -5c
> > eklogin stream tcp nowait root /usr/krb5/sbin/klogind klogind
> > -5ec
> >
> >
> > How do we make these work with tcp wrappers?
> >
> > A normal tcp wrapper configuration is to have
> >
> > ftp stream tcp nowait root /usr/etc/tcpd ftpd -l
> >
> > now...how do we let the seventh field know what path the kerberized
> > ftpd daemon would be in?
> >
> > Thanks
> >
> > Steve Timm
> >
> >
> > ------------------------------------------------------------------
> > Steven C.
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Scientific Computing Support Group--Computing Farms Operations
> >
>

From kreymer@fnal.gov Mon Mar 19 16:06:05 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA06599 for ; Mon, 19 Mar 2001 16:06:05 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00D9YTE35Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 16:06:04 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112DCD@listserv.fnal.gov>; Mon, 19 Mar 2001 16:06:03 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54435 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 16:06:03 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112DCC@listserv.fnal.gov>; Mon, 19 Mar 2001 16:06:03 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00D8XTE3KG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 16:06:03 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA00079; Mon, 19 Mar 2001 16:06:02 -0600 (CST)
Date: Mon, 19 Mar 2001 16:06:02 -0600
From: Matt Crawford
Subject: Re: kerberos and tcp-wrappers
In-reply-to: "19 Mar 2001 15:24:34 CST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200103192206.QAA00079@gungnir.fnal.gov>
Content-id: <75.985039562.1@gungnir.fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 1043

> now...how do we let the seventh field know what path the kerberized
> ftpd daemon would be in?

Just put the full path there.

From kreymer@fnal.gov Mon Mar 19 16:09:03 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA06603 for ; Mon, 19 Mar 2001 16:09:03 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00F2BTJ1T3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 19 Mar 2001 16:09:02 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112DD3@listserv.fnal.gov>; Mon, 19 Mar 2001 16:09:01 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 54441 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 19 Mar 2001 16:09:01 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00112DD2@listserv.fnal.gov>; Mon, 19 Mar 2001 16:09:01 -0600
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAG00E4UTJ1XN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 19 Mar 2001 16:09:01 -0600 (CST)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA27143; Mon, 19 Mar 2001 16:09:01 -0600
Date: Mon, 19 Mar 2001 16:09:00 -0600 (CST)
From: Steven Timm
Subject: Re: kerberos and tcp-wrappers
In-reply-to: <200103192206.QAA00079@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc:
kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1044

A follow-up question... is there anything special that you have to put
in hosts.deny and/or hosts.allow to indicate that it is the kerberos
daemons that are being used and not the normal ones?

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 19 Mar 2001, Matt Crawford wrote:

> > now...how do we let the seventh field know what path the kerberized
> > ftpd daemon would be in?
>
> Just put the full path there.
>

From kreymer@fnal.gov Tue Mar 20 11:57:11 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA30145 for ; Tue, 20 Mar 2001 11:57:11 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00LIMCJ9JQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 11:57:10 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113660@listserv.fnal.gov>; Tue, 20 Mar 2001 11:57:09 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 56863 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 11:57:09 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011365F@listserv.fnal.gov>; Tue, 20 Mar 2001 11:57:09 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAI00NL2CJ84H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT
kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 11:57:08 -0600 (CST)
Received: (qmail 9010 invoked from network); Tue, 20 Mar 2001 11:57:07 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Tue, 20 Mar 2001 11:57:07 -0600
Date: Tue, 20 Mar 2001 11:58:18 -0600 (CST)
From: Michael Kriss
Subject: Re: kerberos login on desktops
In-reply-to: <3AB63659.4080109@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Troy Dawson
Cc: Candies Kastner , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1045

What is the problem with startx? Did you see my posts regarding the problem I
had? If your problem is the same you should be able to use one of my
workarounds...

michael

On Mon, 19 Mar 2001, Troy Dawson wrote:

> Hello,
> I've tried looking through the mail-list archives, but currently they only go
> back to the beginning of march, so this question might have already been
> answered but I couldn't find it. So my apologies if I'm re-asking a question.
>
> For linux, as of our kerberos 1.0, if you do a ups install-login kerberos, the
> login doesn't do the right things to allow you to do a startx. Has this been
> fixed as of the latest release of our kerberos (1.1a)? Or should we just not
> choose that option if we are planning on using it on our desktops?
>
> Thanks
> Troy
>
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

From kreymer@fnal.gov Tue Mar 20 14:06:57 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30350 for ; Tue, 20 Mar 2001 14:06:57 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00AGBIJK4W@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 14:06:57 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138BA@listserv.fnal.gov>; Tue, 20 Mar 2001 14:06:56 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 57520 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 14:06:56 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138B9@listserv.fnal.gov>; Tue, 20 Mar 2001 14:06:56 -0600
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI009FZIJJ9Z@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 14:06:55 -0600 (CST)
Date: Tue, 20 Mar 2001 14:06:54 -0600
From: Troy Dawson
Subject: Re: kerberos login on desktops
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Michael Kriss
Cc: Candies Kastner , kerberos-pilot@fnal.gov
Message-id: <3AB7B85E.30203@fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7bit
X-Accept-Language: en
User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3smp i686; en-US; 0.8) Gecko/20010215
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 1046

Hi Michael,
The basic problem is that if the kerberos login is
used, the user is unable to do a startx. They get an error that basically
says that the console has the wrong permissions, and shuts down X before it
even gets started.
Sorry I can't be more specific but we fixed the problem by putting back the
original /bin/login, so we don't have the error anymore. I was also told that
this was a known problem, so I didn't keep a copy of the error.
I'm sorry to say that no, I didn't see your posts regarding the original
problem and fix. I did see and read through the discussion 'problem running
Xwindows' but the archive doesn't go back far enough to see the first few
postings (and I only subscribed a couple weeks ago)
By the way, the archives that I'm looking at are

http://listserv.fnal.gov/archives/kerberos-pilot.html

if I'm looking in the wrong place I'd appreciate it.
But anyway, what was your fix?
Thanks
Troy

Michael Kriss wrote:

> What is the problem with startx? Did you see my posts regarding the problem I
> had? If your problem is the same you should be able to use one of my
> workarounds...
>
> michael
>
> On Mon, 19 Mar 2001, Troy Dawson wrote:
>
>
>> Hello,
>> I've tried looking through the mail-list archives, but currently they only go
>> back to the beginning of march, so this question might have already been
>> answered but I couldn't find it. So my apologies if I'm re-asking a question.
>>
>> For linux, as of our kerberos 1.0, if you do a ups install-login kerberos, the
>> login doesn't do the right things to allow you to do a startx. Has this been
>> fixed as of the latest release of our kerberos (1.1a)? Or should we just not
>> choose that option if we are planning on using it on our desktops?
>>
>> Thanks
>> Troy
>>
>> --
>> __________________________________________________
>> Troy Dawson dawson@fnal.gov (630)840-6468
>> Fermilab ComputingDivision/OSS SCS Group
>> __________________________________________________
>>

--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab ComputingDivision/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Tue Mar 20 14:10:08 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30356 for ; Tue, 20 Mar 2001 14:10:08 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00BFZIOUB0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 14:10:08 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138C7@listserv.fnal.gov>; Tue, 20 Mar 2001 14:10:07 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 57532 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 14:10: 07 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138C5@listserv.fnal.gov>; Tue, 20 Mar 2001 14:10:07 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI006S0IOUS8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 14:10:06 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA18570; Tue, 20 Mar 2001 14:10:05 -0600
Date: Tue, 20 Mar 2001 14:10:04 -0600
From: "Isabeau's mom"
Subject: Re: kerberos login on desktops
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Troy Dawson
Cc: Michael Kriss , Candies Kastner , kerberos-pilot@fnal.gov
Message-id:
<3AB7B91C.65358FB0@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3AB7B85E.30203@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1047

Troy Dawson wrote:
>
> Hi Michael,
> The basic problem is that if the kerberos login is used, the user is unable to
> do a startx. They get an error that basically says that the console has the
> wrong permissions, and shuts down X before it even gets started.
> Sorry I can't be more specific but we fixed the problem by putting back the
> original /bin/login, so we don't have the error anymore. I was also told that
> this was a known problem, so I didn't keep a copy of the error.
> I'm sorry to say that no, I didn't see your posts regarding the original
> problem and fix. I did see and read through the discussion 'problem running
> Xwindows' but the archive doesn't go back far enough to see the first few
> postings (and I only subscribed a couple weeks ago)
> By the way, the archives that I'm looking at are
>
> http://listserv.fnal.gov/archives/kerberos-pilot.html
>
> if I'm looking in the wrong place I'd appreciate it.
> But anyway, what was your fix?

hi,

i believe i have seen this problem on my desktop. my solution is to login as
root, and do the following -

%touch /var/lock/console/username

where username is the name of the user doing the startx. then i log in as
username and it works. if there is a more automated way of getting this to
work i would appreciate knowing it.

eileen

> Thanks
> Troy
>
> Michael Kriss wrote:
>
> > What is the problem with startx? Did you see my posts regarding the problem I
> > had? If your problem is the same you should be able to use one of my
> > workarounds...
> >
> > michael
> >
> > On Mon, 19 Mar 2001, Troy Dawson wrote:
> >
> >
> >> Hello,
> >> I've tried looking through the mail-list archives, but currently they only go
> >> back to the beginning of march, so this question might have already been
> >> answered but I couldn't find it. So my apologies if I'm re-asking a question.
> >>
> >> For linux, as of our kerberos 1.0, if you do a ups install-login kerberos, the
> >> login doesn't do the right things to allow you to do a startx. Has this been
> >> fixed as of the latest release of our kerberos (1.1a)? Or should we just not
> >> choose that option if we are planning on using it on our desktops?
> >>
> >> Thanks
> >> Troy
> >>
> >> --
> >> __________________________________________________
> >> Troy Dawson dawson@fnal.gov (630)840-6468
> >> Fermilab ComputingDivision/OSS SCS Group
> >> __________________________________________________
> >>
>
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________

--
  _\ | | /_
  \\| ============================= |//
 ==O( ===== What do you want?
 ===== )O==
  _//| ============================= |\\_
  / | | \

From kreymer@fnal.gov Tue Mar 20 14:11:22 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30360 for ; Tue, 20 Mar 2001 14:11:22 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00ACXIQX83@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 14:11:22 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138CC@listserv.fnal.gov>; Tue, 20 Mar 2001 14:11:21 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 57538 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 14:11:21 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138CB@listserv.fnal.gov>; Tue, 20 Mar 2001 14:11:21 -0600
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAI008MMIQWV0@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 14:11:20 -0600 (CST)
Received: (qmail 9920 invoked from network); Tue, 20 Mar 2001 14:11:19 -0600
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Tue, 20 Mar 2001 14:11:19 -0600
Date: Tue, 20 Mar 2001 14:12:30 -0600 (CST)
From: Michael Kriss
Subject: Re: kerberos login on desktops
In-reply-to: <3AB7B85E.30203@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Troy Dawson
Cc: Candies Kastner , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: MULTIPART/MIXED; BOUNDARY="-511475694-109262170-985119150=:21779"
Status: RO
X-Status:
X-Keywords:
X-UID: 1048

This message is in MIME format.
The first part should be readable text, while the remaining parts are likely
unreadable without MIME-aware tools. Send mail to
mime@docserver.cac.washington.edu for more info.

---511475694-109262170-985119150=:21779
Content-Type: TEXT/PLAIN; charset=US-ASCII

I have attached my original summary with two potential solutions. If you want
the info on how to pam'ify the login.krb5 let me know...

michael

On Tue, 20 Mar 2001, Troy Dawson wrote:

> Hi Michael,
> The basic problem is that if the kerberos login is used, the user is unable to
> do a startx. They get an error that basically says that the console has the
> wrong permissions, and shuts down X before it even gets started.
> Sorry I can't be more specific but we fixed the problem by putting back the
> original /bin/login, so we don't have the error anymore. I was also told that
> this was a known problem, so I didn't keep a copy of the error.
> I'm sorry to say that no, I didn't see your posts regarding the original
> problem and fix. I did see and read through the discussion 'problem running
> Xwindows' but the archive doesn't go back far enough to see the first few
> postings (and I only subscribed a couple weeks ago)
> By the way, the archives that I'm looking at are
>
> http://listserv.fnal.gov/archives/kerberos-pilot.html
>
> if I'm looking in the wrong place I'd appreciate it.
> But anyway, what was your fix?
> Thanks
> Troy
>
> Michael Kriss wrote:
>
> > What is the problem with startx? Did you see my posts regarding the problem I
> > had? If your problem is the same you should be able to use one of my
> > workarounds...
> >
> > michael
> >
> > On Mon, 19 Mar 2001, Troy Dawson wrote:
> >
> >
> >> Hello,
> >> I've tried looking through the mail-list archives, but currently they only go
> >> back to the beginning of march, so this question might have already been
> >> answered but I couldn't find it. So my apologies if I'm re-asking a question.
> >>
> >> For linux, as of our kerberos 1.0, if you do a ups install-login kerberos, the
> >> login doesn't do the right things to allow you to do a startx. Has this been
> >> fixed as of the latest release of our kerberos (1.1a)? Or should we just not
> >> choose that option if we are planning on using it on our desktops?
> >>
> >> Thanks
> >> Troy
> >>
> >> --
> >> __________________________________________________
> >> Troy Dawson dawson@fnal.gov (630)840-6468
> >> Fermilab ComputingDivision/OSS SCS Group
> >> __________________________________________________
> >>
>
>
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

---511475694-109262170-985119150=:21779
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=Startx
Content-Transfer-Encoding: BASE64
Content-ID:
Content-Description:
Content-Disposition: attachment; filename=Startx

[attachment Startx, decoded from base64]

From kriss@fnal.gov Tue Mar 20 14:10:00 2001
Date: Wed, 7 Mar 2001 15:18:12 -0600 (CST)
From: Michael Kriss <kriss@fnal.gov>
To: kerberos-pilot@fnal.gov
Subject: Re: startx problem


I have discovered two solutions to this problem:

1. Manually create the files /var/lock/console.lock and /var/lock/console/$USER

/var/lock/console.lock should contain the username of the owner of the console
and it should not have a <CR> in the file.  You can create this file by:

# printf "kriss" > /var/lock/console.lock

/var/lock/console/$USER can be empty but typically has a count of users who may
have console access.  This file, if not empty, should not have a <CR>.  Create
by:

# printf "1" > /var/lock/console/kriss

Both of these files should be root:root, 600.

2. Pam'ify login.krb5.  I've done this with 10 lines of code.  I can provide the
details on this if anyone is interested.

michael



On Tue, 6 Mar 2001, Michael Kriss wrote:

> I've installed MIT kerberos on a linux system and, with the Fermi krb5.conf
> file, I've got some basic services working.  Now I want to turn off all
> non-kerberized access to this machine.  I've replaced the login program with
> login.krb5.  I can login using the kerberos passphrase but when I try to start
> up X I get an error.
>
> Basically the error is cannot get console permissions.  I've tracked this to (I
> believe) the fact that the kerberos login program does not do any of the pam
> modules.  For the default login pam module there is an entry pam_console.so that
> I think is supposed to create /var/lock/console.lock.  This file usually
> contains the name of the user who has access to the console.  Apparently X won't
> start without this.
>
> What is the workaround for this under Fermi RedHat Linux?  I don't want to do
> something stupid (manually create the file, install a third party pam module)
> that might compromise the kerberos implementation on this machine.  Thanks...
>
> michael
>

---511475694-109262170-985119150=:21779--

From kreymer@fnal.gov Tue Mar 20 14:12:57 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA30364 for ; Tue, 20 Mar 2001
14:12:57 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00AIFITK4W@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 14:12:57 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138D0@listserv.fnal.gov>; Tue, 20 Mar 2001 14:12:56 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 57542 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 14:12:56 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001138CF@listserv.fnal.gov>; Tue, 20 Mar 2001 14:12:56 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI006SSITJS8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 14:12:55 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA28647 for ; Tue, 20 Mar 2001 14:12:55 -0600 Date: Tue, 20 Mar 2001 14:12:55 -0600 (CST) From: Steven Timm Subject: kerberos and backups? Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1049 Is there any reasonable way to make backups of a fully strengthened kerberos node on a fmb host that is not (yet) fully strengthened? Steve Timm ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Tue Mar 20 16:12:56 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA30479 for ; Tue, 20 Mar 2001 16:12:56 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00JBFODJRY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 16:12:56 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113B7C@listserv.fnal.gov>; Tue, 20 Mar 2001 16:12:55 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 58306 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 16:12:55 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113B7B@listserv.fnal.gov>; Tue, 20 Mar 2001 16:12:55 -0600 Received: from cuervo ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAI00GFXODIER@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 16:12:54 -0600 (CST) Date: Tue, 20 Mar 2001 16:12:54 -0600 From: "Mark O. Kaletka" Subject: RE: kerberos and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1050 Marc Mengel has done this and I've now bugged him to post the instructions. 
But the short answer is, yes, it is possible and even relatively easy. -- Mark K. > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Steven Timm > Sent: Tuesday, March 20, 2001 2:13 PM > To: kerberos-pilot@fnal.gov > Subject: kerberos and backups? > > > Is there any reasonable way to make backups of a fully strengthened > kerberos node on a fmb host that is not (yet) fully strengthened? > > Steve Timm > > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > From kreymer@fnal.gov Tue Mar 20 16:57:30 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA30547 for ; Tue, 20 Mar 2001 16:57:30 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00JOEQFSE4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 16:57:29 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113C58@listserv.fnal.gov>; Tue, 20 Mar 2001 16:57:29 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 58543 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 16:57:29 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113C57@listserv.fnal.gov>; Tue, 20 Mar 2001 16:57:29 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00KN7QFSUY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 16:57:28 -0600 (CST) Date: Tue, 20 Mar 2001 
16:57:27 -0600 (CST) From: "Marc W. Mengel" Subject: RE: kerberos and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: Steven Timm , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1051 On Tue, 20 Mar 2001, Mark O. Kaletka wrote: > Marc Mengel has done this and I've now bugged him to post the instructions. > But the short answer is, yes, it is possible and even relatively easy. I just put a web page up at: http://www.fnal.gov/docs/products/fmb/kerberos_and_fmb.html with some brief notes. From kreymer@fnal.gov Tue Mar 20 17:27:35 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA30660 for ; Tue, 20 Mar 2001 17:27:35 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00JNSRTXRY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 17:27:34 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113CB6@listserv.fnal.gov>; Tue, 20 Mar 2001 17:27:33 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 58639 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 17:27:33 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113CB5@listserv.fnal.gov>; Tue, 20 Mar 2001 17:27:33 -0600 Received: from d0mino.fnal.gov ([131.225.224.45]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAI00528RTWHF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 17:27:33 -0600 (CST) Received: from localhost (stutte@localhost) by d0mino.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id RAA66906 for ; Tue, 20 Mar 2001 17:27:32 -0600 (CST) Date: Tue, 20 Mar 
2001 17:27:32 -0600 (CST) From: Linda Stutte Subject: trouble logging onto d0mino Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200103202327.RAA66906@d0mino.fnal.gov> X-Authentication-warning: d0mino.fnal.gov: stutte@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1052

Hi,

I kinited one place and tried to telnet to another (d0mino) and got this error

[ Kerberos V5 accepts you as ``stutte@PILOT.FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]
Login incorrect
login: stutte

What is wrong? Thanks, Linda Stutte

From kreymer@fnal.gov Tue Mar 20 22:14:59 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id WAA05091 for ; Tue, 20 Mar 2001 22:14:59 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ00C7X54XX6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 20 Mar 2001 22:14:58 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113EA5@listserv.fnal.gov>; Tue, 20 Mar 2001 22:14:58 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 59187 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 20 Mar 2001 22:14:58 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113EA4@listserv.fnal.gov>; Tue, 20 Mar 2001 22:14:58 -0600 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ005SG54XCZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 20 Mar 2001 22:14:57 -0600 (CST) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id WAA11332; Tue, 20 Mar 2001 22:14:56 -0600 (CST) Date: Tue, 20 Mar 2001 22:14:56 -0600 From: Matt Crawford Subject: Re: trouble logging onto d0mino In-reply-to: "20 Mar 2001 17:27:32 CST." <200103202327.RAA66906@d0mino.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Linda Stutte Cc: kerberos-pilot@fnal.gov Message-id: <200103210414.WAA11332@gungnir.fnal.gov> Content-id: <11328.985148096.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 1053

Your principal is not listed in a .k5login file on the target account on d0mino. Perhaps you're going for the wrong target account because your user name on the local machine isn't stutte?

From kreymer@fnal.gov Wed Mar 21 00:46:22 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id AAA09371 for ; Wed, 21 Mar 2001 00:46:21 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ00FAZC572B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 00:46:20 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113F69@listserv.fnal.gov>; Wed, 21 Mar 2001 00:46:19 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 59415 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 00:46:19 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00113F68@listserv.fnal.gov>; Wed, 21 Mar 2001 00:46:19 -0600 Received: from hycppc05.fnal.gov ([131.225.53.254]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ008RPC574N@smtp.fnal.gov>; Wed, 21 Mar 2001 00:46:19 -0600 (CST) Received: from localhost (chenyc@localhost) by hycppc05.fnal.gov (8.9.3/8.9.3) with ESMTP id AAA05735; Wed, 21 Mar 2001 00:46:18 -0600 Date: Wed, 21 Mar 2001 00:46:18 -0600 (CST) From: Yen-Chu Chen Subject: startx problem again Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov, linux-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: hycppc05.fnal.gov: chenyc owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1054

Hi,

I recently reinstalled Fermi RH Linux into a PC. It was a complete installation. The installation went on smoothly. I created two user accounts at the end.

I found later on that I could do 'startx' only when I login as root. If I login as normal user and tried to startx, it said that I didn't own the console.

Someone posted this question before but I didn't see the answer or I missed it somehow.

--
Best regards, Yen-Chu Chen
chenyc@fnal.gov
Office: (630) 840-3225, FAX: (630) 840-3867
(886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Wed Mar 21 07:22:22 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA21373 for ; Wed, 21 Mar 2001 07:22:22 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ00565UH90G@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 07:22:22 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114171@listserv.fnal.gov>; Wed, 21 Mar 2001 07:22:21 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 59995 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 07:22:21 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114170@listserv.fnal.gov>; Wed, 21 Mar 2001 07:22:21 -0600 Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAJ0061IUH8G1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); 
Wed, 21 Mar 2001 07:22:20 -0600 (CST) Received: (qmail 15673 invoked from network); Wed, 21 Mar 2001 07:22:19 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Wed, 21 Mar 2001 07:22:19 -0600 Date: Wed, 21 Mar 2001 07:23:31 -0600 (CST) From: Michael Kriss Subject: Re: startx problem again In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Yen-Chu Chen Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: MULTIPART/MIXED; BOUNDARY="-511475694-1742013157-985181011=:21779" Status: RO X-Status: X-Keywords: X-UID: 1055

---511475694-1742013157-985181011=:21779
Content-Type: TEXT/PLAIN; charset=US-ASCII

I've attached a summary of the problem and two possible solutions. Perhaps the maintainers of the fermi kerberos ups package might want to look into expanding my patches then incorporating them into the official distribution...

michael

On Wed, 21 Mar 2001, Yen-Chu Chen wrote:

> Hi,
>
> I recently reinstalled Fermi RH Linux into a PC. It was a complete
> installation. The installation went on smoothly. I created two user
> accounts at the end.
>
> I found later on that I could do 'startx' only when I login as root.
> If I login as normal user and tried to startx, it said that I didn't own
> the console.
>
> Someone posted this question before but I didn't see the answer or I
> missed it somehow.
>
> --
> Best regards, Yen-Chu Chen
> chenyc@fnal.gov
> Office: (630) 840-3225, FAX: (630) 840-3867
> (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)
>

---511475694-1742013157-985181011=:21779
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=Startx
Content-Disposition: attachment; filename=Startx

[Attachment "Startx": identical to the Startx attachment on Michael Kriss's earlier reply to Troy Dawson above (his 7 Mar 2001 "Re: startx problem" note on /var/lock/console.lock and pam'ifying login.krb5); not repeated here.]

---511475694-1742013157-985181011=:21779--

From kreymer@fnal.gov Wed Mar 21 08:27:00 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA15235 for ; Wed, 21 Mar 2001 08:27:00 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ0082MXGZY2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 08:27:00 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114200@listserv.fnal.gov>; Wed, 21 Mar 2001 08:26:59 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60148 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 08:26:59 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001141FF@listserv.fnal.gov>; Wed, 
21 Mar 2001 08:26:59 -0600 Received: from large.fnal.gov ([131.225.80.90]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ006DPXGZ2J@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Mar 2001 08:26:59 -0600 (CST) Received: from localhost (fagan@localhost) by large.fnal.gov (SGI-8.9.3/8.9.3) with SMTP id IAA55657; Wed, 21 Mar 2001 08:26:58 -0600 (CST) Date: Wed, 21 Mar 2001 08:26:58 -0600 (CST) From: "David J. Fagan" Subject: Re: trouble logging onto d0mino Sender: owner-kerberos-pilot@listserv.fnal.gov To: Linda Stutte Cc: kerberos-pilot@fnal.gov Message-id: <200103211426.IAA55657@large.fnal.gov> Organization: Fermi National Accelerator Laboratories MIME-version: 1.0 X-Mailer: exmh version 2.0.2 2/24/98 Content-type: text/plain; charset=iso-8859-1 Precedence: normal In-hurl-to: (Your message of Tue, 20 Mar 2001 17:27:32 CST.) <200103202327.RAA66906@d0mino.fnal.gov> X-Authentication-warning: large.fnal.gov: fagan@localhost didn't use HELO protocol Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by patnt2.fnal.gov id IAA15235 Status: RO X-Status: X-Keywords: X-UID: 1056 Without the from it's even hard to resolve. For D0 problems please send mail to the helpdesk they can resolve a lot of the simple kerberos questions or ask the right questions to send to us. thanks date whence telnet ? ------------------------------------------------------------------------------- David J. 
Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov) SGI-liaison | Liaison Requests use SGI-liaison@fnal Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914 ------------------------------------------------------------------------------- On Tuesday, Linda Stutte: > Hi, > > > I kinited one place and tried to telnet to another (d0mino) and > got this error > > > > [ Kerberos V5 accepts you as ``stutte@PILOT.FNAL.GOV'' ] > [ Kerberos V5 accepted forwarded credentials ] > Login incorrect > login: stutte > > > What is wrong? Thanks, Linda Stutte From kreymer@fnal.gov Wed Mar 21 08:44:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA20499 for ; Wed, 21 Mar 2001 08:44:39 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ005IFYAE4X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 08:44:39 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114221@listserv.fnal.gov>; Wed, 21 Mar 2001 08:44:38 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60183 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 08:44:38 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114220@listserv.fnal.gov>; Wed, 21 Mar 2001 08:44:38 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAJ006GSYAD2J@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Mar 2001 08:44:37 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA29757; Wed, 21 Mar 2001 08:44:37 -0600 Date: Wed, 21 Mar 2001 08:44:37 -0600 (CST) From: Steven Timm Subject: RE: kerberos 
and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Marc W. Mengel" Cc: "Mark O. Kaletka" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1057

I have a very basic question about the practice of putting host principals in the root .k5login of a number of machines. Doesn't this introduce a gaping security hole because if a user can gain root access on one machine via a local exploit he or she then has root access to all machines in the cluster?

Also, I can see why you would not want to transmit a /etc/krb5.keytab across the network unencrypted as it would be in the case of the example given on the web page. But is it a problem if the keytab is backed up only on the local host, and/or is transmitted across the net by secure means such as scp?

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 20 Mar 2001, Marc W. Mengel wrote:

> On Tue, 20 Mar 2001, Mark O. Kaletka wrote:
>
> > Marc Mengel has done this and I've now bugged him to post the instructions.
> > But the short answer is, yes, it is possible and even relatively easy.
>
> I just put a web page up at:
> http://www.fnal.gov/docs/products/fmb/kerberos_and_fmb.html
> with some brief notes.
> From kreymer@fnal.gov Wed Mar 21 09:28:16 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA02288 for ; Wed, 21 Mar 2001 09:28:16 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAK00E070B23M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 09:28:16 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001142B6@listserv.fnal.gov>; Wed, 21 Mar 2001 09:28:15 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60346 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 09:28:15 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001142B5@listserv.fnal.gov>; Wed, 21 Mar 2001 09:28:15 -0600 Received: from cuervo ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GAK008IV0B2Y2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Mar 2001 09:28:14 -0600 (CST) Date: Wed, 21 Mar 2001 09:28:21 -0600 From: "Mark O. Kaletka" Subject: RE: kerberos and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm , "Marc W. Mengel" Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1058 > -----Original Message----- > From: Steven Timm [mailto:timm@fnal.gov] > Sent: Wednesday, March 21, 2001 8:45 AM > To: Marc W. Mengel > Cc: Mark O. Kaletka; kerberos-pilot@fnal.gov > Subject: RE: kerberos and backups? 
>
>
> I have a very basic question about the practice of putting
> host principals in the root .k5login of a number of machines.
> Doesn't this introduce a gaping security hole because if a user
> can gain root access on one machine via a local exploit he or she
> then has root access to all machines in the cluster?

Is this any different from getting the root password in an nis domain? The alternative would be to set up a bunch of specialized accounts, i.e. you could create a special "backup" account, and put the principal in .k5login. This is already done in certain cases. But fundamentally if you don't trust the machine doing your backups we're probably hosed anyway. Presumably the number of backup servers is small and their security gets close scrutiny.

>
> Also, I can see why you would not want to transmit a /etc/krb5.keytab
> across the network unencrypted as it would be in the case of
> the example given on the web page. But is it a problem if
> the keytab is backed up only on the local host, and/or
> is transmitted across the net by secure means such as scp?
>
> Steve
>...snip...<

The particular additional bit of paranoia involved here is whether anyone else you might not trust has access to your backup tapes.
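Steven Timm's question and Mark Kaletka's reply above turn on how far one root compromise propagates when the same host principal is listed in /root/.k5login on many machines. The following is an added example, not code from the thread, from fmb or from Fermilab: it models each machine's /root/.k5login as trust edges (whoever is root on A can read A's keytab, kinit as host/A, and so become root on every machine whose /root/.k5login lists host/A) and computes the transitive root reach from a chosen compromised host. The hostnames, the EXAMPLE.ORG realm and the .k5login contents are constructed for the example.

```python
"""Root reach ("blast radius") of host principals listed in /root/.k5login.

Added example; hosts, realm and .k5login contents are constructed and are not
taken from any real Fermilab configuration.
"""
from collections import deque

# Constructed: the body of /root/.k5login on each machine. Every farm node
# trusts the backup server's host principal, as the fmb scheme in the thread needs.
ROOT_K5LOGIN = {
    "backup1.example.org": "host/backup1.example.org@EXAMPLE.ORG\n",
    "farm01.example.org": "host/backup1.example.org@EXAMPLE.ORG\n",
    "farm02.example.org": "# backups\nhost/backup1.example.org@EXAMPLE.ORG\n",
    "farm03.example.org": ("host/backup1.example.org@EXAMPLE.ORG\n"
                           "host/farm02.example.org@EXAMPLE.ORG\n"),
    "desktop.example.org": "alice/root@EXAMPLE.ORG\n",  # a person's root instance, not a host key
}


def parse_k5login(text):
    """Principals named in a .k5login body; blank lines and '#' comments are skipped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def host_of(principal):
    """Hostname of a host/<fqdn>@REALM principal, or None for any other principal."""
    name = principal.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) == 2 and parts[0] == "host" and parts[1]:
        return parts[1]
    return None


def trust_edges(root_k5login):
    """src -> {targets}: root on src yields root on target, because target's
    /root/.k5login lists host/src and src's own keytab lets root kinit as host/src."""
    edges = {h: set() for h in root_k5login}
    for target, body in root_k5login.items():
        for principal in parse_k5login(body):
            src = host_of(principal)
            if src is not None and src != target:
                edges.setdefault(src, set()).add(target)
    return edges


def root_reach(root_k5login, compromised):
    """Hosts (including the starting one) on which root is obtainable once
    `compromised` has been rooted, following trust edges transitively."""
    edges = trust_edges(root_k5login)
    reached = {compromised}
    queue = deque([compromised])
    while queue:
        src = queue.popleft()
        for target in edges.get(src, ()):
            if target not in reached:
                reached.add(target)
                queue.append(target)
    return reached


def blast_radius(root_k5login):
    """(reach count, host) pairs, largest reach first."""
    return sorted(((len(root_reach(root_k5login, h)), h) for h in root_k5login),
                  reverse=True)


if __name__ == "__main__":
    for count, host in blast_radius(ROOT_K5LOGIN):
        print(f"{host:22s} root reach: {count}")
```

On the constructed data the backup server reaches four of the five hosts while any single farm node reaches itself or one neighbour, which is Marc Mengel's point later in the thread that getting into the backup server already means root on everything it backs up. Mark's alternative of a dedicated "backup" account with the principal in that account's .k5login removes the edge from this graph, since the login no longer lands in uid 0, although it does not shrink what the backup server itself can read.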
From kreymer@fnal.gov Wed Mar 21 10:51:39 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17347 for ; Wed, 21 Mar 2001 10:51:38 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAK00FIJ460Z4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 10:51:37 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114414@listserv.fnal.gov>; Wed, 21 Mar 2001 10:51:37 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60729 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 10:51:37 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114413@listserv.fnal.gov>; Wed, 21 Mar 2001 10:51:37 -0600 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAK00HA7460LU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Mar 2001 10:51:36 -0600 (CST) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA29865; Wed, 21 Mar 2001 10:51:35 -0600 Date: Wed, 21 Mar 2001 10:51:35 -0600 (CST) From: Steven Timm Subject: RE: kerberos and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Mark O. Kaletka" Cc: "Marc W. Mengel" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1059 > > From: Steven Timm [mailto:timm@fnal.gov] > > Sent: Wednesday, March 21, 2001 8:45 AM > > To: Marc W. Mengel > > Cc: Mark O. Kaletka; kerberos-pilot@fnal.gov > > Subject: RE: kerberos and backups? 
> >
> >
> > I have a very basic question about the practice of putting
> > host principals in the root .k5login of a number of machines.
> > Doesn't this introduce a gaping security hole because if a user
> > can gain root access on one machine via a local exploit he or she
> > then has root access to all machines in the cluster?
>
> Is this any different from getting the root password in an nis domain? The
> alternative would be to set up a bunch of specialized accounts, i.e. you
> could create a special "backup" account, and put the principal in
> .k5login. This is already done in certain cases. But fundamentally if you
> don't trust the machine doing your backups we're probably hosed anyway.
> Presumably the number of backup servers is small and their security gets
> close scrutiny.

The alternative I had thought about is to have the principals of the various system managers in the root .k5login and use kcron to authenticate the job as one of them.

>
> >
> > Also, I can see why you would not want to transmit a /etc/krb5.keytab
> > across the network unencrypted as it would be in the case of
> > the example given on the web page. But is it a problem if
> > the keytab is backed up only on the local host, and/or
> > is transmitted across the net by secure means such as scp?
> >
> > Steve
>
> >...snip...<
>
> The particular additional bit of paranoia involved here is whether anyone
> else you might not trust has access to your backup tapes.
>

If you can't trust that your backup tapes are secure, then a lot of other Bad Things can happen too.
Steve From kreymer@fnal.gov Wed Mar 21 11:01:24 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA21876 for ; Wed, 21 Mar 2001 11:01:24 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAK00EM74M93M@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 21 Mar 2001 11:01:22 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114443@listserv.fnal.gov>; Wed, 21 Mar 2001 11:01:21 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 60779 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 21 Mar 2001 11:01:21 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00114442@listserv.fnal.gov>; Wed, 21 Mar 2001 11:01:21 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAK00EPH4M91W@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 21 Mar 2001 11:01:21 -0600 (CST) Date: Wed, 21 Mar 2001 11:01:19 -0600 (CST) From: "Marc W. Mengel" Subject: RE: kerberos and backups? In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Steven Timm Cc: "Mark O. Kaletka" , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1060 On Wed, 21 Mar 2001, Steven Timm wrote: > I have a very basic question about the practice of putting > host principals in the root .k5login of a number of machines. > Doesn't this introduce a gaping security hole because if a user > can gain root access on one machine via a local exploit he or she > then has root access to all machines in the cluster? Actually yes, that is a concern, although it is largely unavoidable with fmb. 
(and it's no different than our current situation -- if you get into the
backup server machines, you get root on everything they back up)

Why? The problem is, if an unattended backup is going to run without user
intervention, there must be *some* way for a program running as root on
that machine to get a credential to let it do the backup, and fmb needs to
run a *shell command* on the remote system to do a backup. [This is one
of many reasons to move away from fmb to something that does backups
without needing general purpose shell login access to the machine.]

Now we *could* implement some sort of restricted shell account for the
remote fmb end to cut down on this [and then you'd use something like
"backupuser@host:/path/to/backup" where backupuser had uid=0 but the
restricted shell for its login shell], but I'd just as soon get us to
switch to amanda, where all you can do is talk to a network daemon who can
send you a dump of various partitions and not much else.

> Also, I can see why you would not want to transmit a /etc/krb5.keytab
> across the network unencrypted as it would be in the case of
> the example given on the web page. But is it a problem if
> the keytab is backed up only on the local host, and/or
> is transmitted across the net by secure means such as scp?

I think either of those would be fine, although I think a scheme like
"escrow" (but not actually escrow, since displaying a host key to the
screen is kind of useless) where we store them readable but encrypted
would be best, since the goal would be to be able to put the host key back
in a disaster recovery scenario. Certainly keeping the host key in an
alternate-boot partition is the Right Thing to do, then if you boot off of
the alternate-boot partition, you have your kerberos keys to go get files
restored, etc.

Keep the questions coming, they're giving me lots of ideas to improve the
http://www.fnal.gov/docs/products/fmb/kerberos_and_fmb.html web page...
Marc

From kreymer@fnal.gov Wed Mar 21 11:07:01 2001 -0600
Date: Wed, 21 Mar 2001 11:06:57 -0600 (CST)
From: "Marc W. Mengel"
Subject: RE: kerberos and backups?
To: Steven Timm
Cc: "Mark O. Kaletka", kerberos-pilot@fnal.gov

On Wed, 21 Mar 2001, Steven Timm wrote:
> The alternative I had thought about is to have the principals of the
> various system managers in the root .k5login and use kcron to authenticate
> the job as one of them.

A root-breakin user can execute kcron to get the kcron ticket just as easily
as doing the kinit to get the host principal ticket...
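An added audit script for the exposure discussed in the two replies above; it is not code from the list, from fmb or from kcron. It reads a root .k5login and reports which machines' root can become root on this host, counting both the host principals Steve asks about and the kcron principals Marc says are just as exposed. The kcron principal form user/cron/host@REALM, the sample file contents and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing list, fmb or kcron): audit a root
# .k5login. Every host/ principal, and every kcron principal (assumed here
# to look like user/cron/host@REALM), names a machine whose root compromise
# also yields root on this machine, which is the cluster-wide hole Steve
# describes and Marc confirms.

# Constructed sample root .k5login on a cluster node.
SAMPLE_K5LOGIN='# constructed sample
host/backup1.example.org@EXAMPLE.ORG
host/backup2.example.org@EXAMPLE.ORG
timm/cron/admin1.example.org@EXAMPLE.ORG
timm@EXAMPLE.ORG
not-a-principal
'

write_sample_k5login() {
  # $1: destination path for the constructed sample
  printf '%s' "$SAMPLE_K5LOGIN" > "$1"
}

classify_principal() {
  # $1: one principal. Prints host, cron, user, or bad.
  case "$1" in
    *@*) ;;                 # must carry a realm
    *) echo bad; return 0 ;;
  esac
  case "$1" in
    host/*)   echo host ;;  # host principal: its keytab lives on that machine
    */cron/*) echo cron ;;  # kcron principal (assumed user/cron/host form)
    *)        echo user ;;  # a person's own principal
  esac
}

trusting_host() {
  # $1: a host or cron principal. Prints the machine that holds its key.
  p=${1%@*}                 # strip the realm
  case "$p" in
    host/*)   echo "${p#host/}" ;;
    */cron/*) echo "${p##*/cron/}" ;;
  esac
}

audit_k5login() {
  # $1: path to a .k5login. Prints "<class> <principal>" per entry,
  # skipping blank lines and comments.
  while read -r p _; do
    case "$p" in ''|'#'*) continue ;; esac
    echo "$(classify_principal "$p") $p"
  done < "$1"
}

k5login_root_sources() {
  # $1: path. Prints, sorted and unique, the machines whose root can become
  # root here through this file: the blast radius of one local root exploit.
  audit_k5login "$1" | while read -r class p; do
    case "$class" in host|cron) trusting_host "$p" ;; esac
  done | sort -u
}

k5login_bad_count() {
  # $1: path. Number of malformed entries (they never match anyone; remove).
  audit_k5login "$1" | grep -c '^bad ' || true
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp) && write_sample_k5login "$tmp"
audit_k5login "$tmp"
echo "root here is reachable from root on:"
k5login_root_sources "$tmp"
rm -f "$tmp"
```

Run over every node's root .k5login, the union of the reported machines is what a single root compromise on any of them reaches.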
Marc

From kreymer@fnal.gov Wed Mar 21 11:08:28 2001 -0600
Date: Wed, 21 Mar 2001 11:08:26 -0600
From: Joseph Boyd
Subject: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
To: kerberos-pilot@fnal.gov

I'm sure this was asked on this mail list before but I can't remember if
there was an actual solution. Is there a web interface to the archives
of this list somewhere?

This user says he only has cryptocard access to the kerberized machines.
Is there any way for him to run cron jobs without having to type his
kerberos passwd in clear text for kcroninit? I told him not to do that
but if there isn't some other solution I'm pretty sure people would just
run kcroninit across an unencrypted session...

Thanks,

joe

PS: Not to mention this guy didn't even know what I meant by encrypted
connection until I explained it so he was going to type his password in
the clear anyway.

-------- Original Message --------
Subject: BOYD, JOE AR ticket 17271 Has Been Updated.
Date: Wed, 21 Mar 2001 07:24:52 -0600
From: ARSystem
To: "'d0-primary@fnal.gov'"

17271 has been updated by trb.

Short Description : Running kback
New Work Log Entry :
From: "J. Andrew Green"
To: "ARSystem"
Subject: Re: Additional info for 000000000017271
Date: Tuesday, March 20, 2001 5:37 PM

My machine is essentially an xterm, so the ONLY way I have to logon is to
use the cryptocard. I logon to d0cha using telnet, and it asks for my
cryptocard password.

So, what is the procedure in my case?

Thanks,
Andrew

-------------------------------------------
J.
Andrew Green, Iowa State University
agreen@fnal.gov
hm 630-761-4548
wk 630-840-4062
fax x8886

From kreymer@fnal.gov Wed Mar 21 13:16:18 2001 -0600
Date: Wed, 21 Mar 2001 13:16:12 -0600
From: Jack Schmidt
Subject: RE: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
To: Joseph Boyd, kerberos-pilot@fnal.gov
Cc: Help Desk

The kerberos pilot list is archived on http://listserv.fnal.gov/

Soon the kerberos-pilot list will be replaced with the kerberos-users list
and the archives that currently exist for kerberos-pilot will be moved to
kerberos-users.

This said, the archive has only been in existence since the beginning of
March

Jack

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Joseph Boyd
> Sent: Wednesday, March 21, 2001 11:08 AM
> To: kerberos-pilot@fnal.gov
> Subject: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
>
>
> I'm sure this was asked on this mail list before but I can't remember if
> there was an actual solution. Is there a web interface to the archives
> of this list somewhere?
>
> This user says he only has cryptocard access to the kerberized machines.
> Is there any way for him to run cron jobs without having to type his
> kerberos passwd in clear text for kcroninit? I told him not to do that
> but if there isn't some other solution I'm pretty sure people would just
> run kcroninit across an unencrypted session...
>
> Thanks,
>
> joe
>
> PS: Not to mention this guy didn't even know what I meant by encrypted
> connection until I explained it so he was going to type his password in
> the clear anyway.
>
> -------- Original Message --------
> Subject: BOYD, JOE AR ticket 17271 Has Been Updated.
> Date: Wed, 21 Mar 2001 07:24:52 -0600
> From: ARSystem
> To: "'d0-primary@fnal.gov'"
>
> 17271 has been updated by trb.
>
> Short Description : Running kback
> New Work Log Entry :
> From: "J. Andrew Green"
> To: "ARSystem"
> Subject: Re: Additional info for 000000000017271
> Date: Tuesday, March 20, 2001 5:37 PM
>
> My machine is essentially an xterm, so the ONLY way I have to logon is to
> use the cryptocard. I logon to d0cha using telnet, and it asks for my
> cryptocard password.
>
> So, what is the procedure in my case?
>
> Thanks,
> Andrew
>
> -------------------------------------------
> J. Andrew Green, Iowa State University
> agreen@fnal.gov
> hm 630-761-4548
> wk 630-840-4062
> fax x8886
>

From kreymer@fnal.gov Wed Mar 21 14:30:47 2001 -0600
Date: Wed, 21 Mar 2001 14:30:45 -0600
From: Don Holmgren
Subject: Re: startx problem again
To: Yen-Chu Chen
Cc: kerberos-pilot@fnal.gov, linux-users@fnal.gov

I don't know the root cause, or the correct way to prevent this from
recurring. But, the temporary fix is to (as root):

touch /var/lock/console/chenyc

Your startx will then work (if you login as chenyc).

Don Holmgren

On Wed, 21 Mar 2001, Yen-Chu Chen wrote:
> Hi,
>
> I recently reinstalled Fermi RH Linux into a PC. It was a complete
> installation. The installation went on smoothly. I created two user
> accounts at the end.
>
> I found later on that I could do 'startx' only when I login as root.
> If I login as normal user and tried to startx, it said that I didn't own
> the console.
>
> Someone posted this question before but I didn't see the answer or I
> missed it somehow.
>
> --
> Best regards, Yen-Chu Chen
> chenyc@fnal.gov
> Office: (630) 840-3225, FAX: (630) 840-3867
> (886)-(2)-2789-9681 (Inst.
> of Phys., Academia Sinica)
>

From kreymer@fnal.gov Wed Mar 21 14:32:58 2001 -0600
Date: Wed, 21 Mar 2001 14:33:04 -0600
From: "Mark O. Kaletka"
Subject: RE: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
To: kerberos-pilot@fnal.gov

No, I believe he needs to be on a secure link. What does he mean by
"essentially" an xterm? What (exactly) is he running on?

-- Mark K.
> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Joseph Boyd
> Sent: Wednesday, March 21, 2001 11:08 AM
> To: kerberos-pilot@fnal.gov
> Subject: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
>
>
> I'm sure this was asked on this mail list before but I can't remember if
> there was an actual solution. Is there a web interface to the archives
> of this list somewhere?
>
> This user says he only has cryptocard access to the kerberized machines.
> Is there any way for him to run cron jobs without having to type his
> kerberos passwd in clear text for kcroninit? I told him not to do that
> but if there isn't some other solution I'm pretty sure people would just
> run kcroninit across an unencrypted session...
>
> Thanks,
>
> joe
>
> PS: Not to mention this guy didn't even know what I meant by encrypted
> connection until I explained it so he was going to type his password in
> the clear anyway.
>
> -------- Original Message --------
> Subject: BOYD, JOE AR ticket 17271 Has Been Updated.
> Date: Wed, 21 Mar 2001 07:24:52 -0600
> From: ARSystem
> To: "'d0-primary@fnal.gov'"
>
> 17271 has been updated by trb.
>
> Short Description : Running kback
> New Work Log Entry :
> From: "J. Andrew Green"
> To: "ARSystem"
> Subject: Re: Additional info for 000000000017271
> Date: Tuesday, March 20, 2001 5:37 PM
>
> My machine is essentially an xterm, so the ONLY way I have to logon is to
> use the cryptocard. I logon to d0cha using telnet, and it asks for my
> cryptocard password.
>
> So, what is the procedure in my case?
>
> Thanks,
> Andrew
>
> -------------------------------------------
> J.
> Andrew Green, Iowa State University
> agreen@fnal.gov
> hm 630-761-4548
> wk 630-840-4062
> fax x8886
>

From kreymer@fnal.gov Wed Mar 21 14:41:14 2001 -0600
Date: Wed, 21 Mar 2001 14:41:12 -0600
From: Glenn Cooper
Subject: RE: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
To: "Mark O. Kaletka"
Cc: kerberos-pilot@fnal.gov

I'm interested in this too, as we have users whose machines are in fact
X-terminals, essentially or not.
There are similar problems, like how do they change their Kerberos
passwords every 6 months, etc. Is there an official solution to this, or
are they expected to replace the X-terminals, VAXstations, etc.?

Glenn

On Wed, 21 Mar 2001, Mark O. Kaletka wrote:
> No, I believe he needs to be on a secure link. What does he mean by
> "essentially" an xterm? What (exactly) is he running on?
>
> -- Mark K.
>
> > -----Original Message-----
> > From: owner-kerberos-pilot@listserv.fnal.gov
> > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Joseph Boyd
> > Sent: Wednesday, March 21, 2001 11:08 AM
> > To: kerberos-pilot@fnal.gov
> > Subject: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
> >
> >
> > I'm sure this was asked on this mail list before but I can't remember if
> > there was an actual solution. Is there a web interface to the archives
> > of this list somewhere?
> >
> > This user says he only has cryptocard access to the kerberized machines.
> > Is there any way for him to run cron jobs without having to type his
> > kerberos passwd in clear text for kcroninit? I told him not to do that
> > but if there isn't some other solution I'm pretty sure people would just
> > run kcroninit across an unencrypted session...
> >
> > Thanks,
> >
> > joe
> >
> > PS: Not to mention this guy didn't even know what I meant by encrypted
> > connection until I explained it so he was going to type his password in
> > the clear anyway.
> >
> > -------- Original Message --------
> > Subject: BOYD, JOE AR ticket 17271 Has Been Updated.
> > Date: Wed, 21 Mar 2001 07:24:52 -0600
> > From: ARSystem
> > To: "'d0-primary@fnal.gov'"
> >
> > 17271 has been updated by trb.
> >
> > Short Description : Running kback
> > New Work Log Entry :
> > From: "J. Andrew Green"
> > To: "ARSystem"
> > Subject: Re: Additional info for 000000000017271
> > Date: Tuesday, March 20, 2001 5:37 PM
> >
> > My machine is essentially an xterm, so the ONLY way I have to logon is to
> > use the cryptocard.
> > I logon to d0cha using telnet, and it asks for my
> > cryptocard password.
> >
> > So, what is the procedure in my case?
> >
> > Thanks,
> > Andrew
> >
> > -------------------------------------------
> > J. Andrew Green, Iowa State University
> > agreen@fnal.gov
> > hm 630-761-4548
> > wk 630-840-4062
> > fax x8886
> >
>

From kreymer@fnal.gov Wed Mar 21 20:09:42 2001 -0600
Date: Wed, 21 Mar 2001 19:09:20 -0700
From: Michael Gold
Subject: ftp transfers
To: kerberos-pilot@fnal.gov

I have been experiencing problems with ftp between fermi machines and my
local machines. The network (via ping or just typing to the keyboard) is
just fine. However, ftp will hang in the middle of a (small) file
transfer. If I'm patient it will eventually go through. This happens at
seemingly random times-- after hanging and finally transferring a file,
the next file can have no problem. Is it possible there is a handshaking
problem with kerberos? Locally I am running kerberos as a client.

From kreymer@fnal.gov Wed Mar 21 20:33:03 2001 -0600
Date: Wed, 21 Mar 2001 20:32:59 -0600
From: Matt Crawford
Subject: Re: ftp transfers
To: Michael Gold
Cc: kerberos-pilot@fnal.gov

Kerberos protection always applies to the command channel, but is optional
on the data channel. Use the "protect" command to see what you have it set
at, but I believe the default is always "clear", which means that the data
channel has nothing to do with Kerberos - no integrity protection, no
encryption.

From kreymer@fnal.gov Thu Mar 22 10:57:44 2001 -0600
Date: Thu, 22 Mar 2001 10:57:39 -0600
From: Connie Sieh
Subject: Re: startx problem again (fwd)
To: kerberos-pilot@fnal.gov

So is this problem getting fixed? This issue of a pam aware login was
made ages ago. So does this problem also happen on Solaris which also is
PAM aware?

-connie sieh

---------- Forwarded message ----------
Date: Thu, 22 Mar 2001 09:49:39 -0600 (CST)
From: Michael Kriss
To: linux-users@fnal.gov
Subject: Re: startx problem again

-----BEGIN PGP SIGNED MESSAGE-----

Let me add here that there is a more difficult but more correct way of
fixing this. The problem lies in the fact that login.krb5 is not pam
aware. The typical (I can speak for RedHat only here) login program is of
course pam aware. If you look in /etc/pam.d/login you see this entry:

session optional /lib/security/pam_console.so

The pam_console.so module is responsible for changing the ownership and
permissions on the console devices. So the more correct way to fix this
problem is to pam'ify login.krb5. I am not aware if anyone in the ups
development team is working on this or not. I have produced a patch that
can be applied to the kerberos source which does pam'ify login.krb5 (the
patch is basically 10 lines of code). If you don't want to recompile I can
provide a binary patched login.krb5 if you are interested...
michael

On Thu, 22 Mar 2001, Troy Dawson wrote:
> Hi,
> Since this was actually answered on the kerberos-pilot mailing list, and I had
> just asked the same question there, I figured I'd give their answer here so
> that y'all can see what the problem and solution is.
>
> First thing to note Yen-Chu is that you didn't say that you had kerberized
> this machine. By looking at who you sent this e-mail to I was able to figure
> that out. Also, since this is the exact same problem I had before, I am
> assuming that you completely kerberized your machine with the install-login
> option, which replaces your normal desktop login. So here is the solution for
> people who do this, this is what was posted on the kerberos-pilot mailing list.
>
> ----------------------------
>
> Manually create the files /var/lock/console.lock and /var/lock/console/$USER
>
> /var/lock/console.lock should contain the username of the owner of the console
> and it should not have a newline in the file. You can create this file by:
>
> # printf "kriss" > /var/lock/console.lock
>
> /var/lock/console/$USER can be empty but typically has a count of users who
> may have console access. This file, if not empty, should not have a newline.
> Create by:
>
> # printf "1" > /var/lock/console/kriss
>
> Both of these files should be root:root, 600
>
> ------------------------------
> Another, quicker but not as in-depth solution was (as root) to do the following
>
> touch /var/lock/console/kriss
>
> but use whatever your username is instead of 'kriss'.
>
> -------------------------------
>
> Yen-Chu Chen wrote:
>
> > Hi,
> >
> > I recently reinstalled Fermi RH Linux into a PC. It was a complete
> > installation. The installation went on smoothly. I created two user
> > accounts at the end.
> >
> > I found later on that I could do 'startx' only when I login as root.
> > If I login as normal user and tried to startx, it said that I didn't own
> > the console.
> >
> > Someone posted this question before but I didn't see the answer or I
> > missed it somehow.
> >
> > --
> > Best regards, Yen-Chu Chen
> > chenyc@fnal.gov
> > Office: (630) 840-3225, FAX: (630) 840-3867
> > (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)
>
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

From kreymer@fnal.gov Thu Mar 22 11:26:32 2001 -0600
network); Thu, 22 Mar 2001 11:26:28 -0600 Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Thu, 22 Mar 2001 11:26:28 -0600 Date: Thu, 22 Mar 2001 11:27:41 -0600 (CST) From: Michael Kriss Subject: Re: startx problem again (fwd) In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1070 I would be happy to share my patch with the ups developers of fermi kerberos. As I mentioned my patch to login.krb5 consists of 10 lines of code. Other changes, of course, are necessary (create a /etc/pam.d/login.krb5, change the Makefile in appl/bsd to link login.krb5 with -lpam and -lpam_misc, or change the top-level configure script to test for pam, etc.). My patch only adds session capabilities to the login.krb5 executeable so it should not alter the security in any way of this program. Perhaps the ups developers are working on a more thorough and complete version of a pam'ified login.krb5... michael On Thu, 22 Mar 2001, Connie Sieh wrote: > So is this problem getting fixed. This issue of a a pam aware login was > made ages ago. So does this problem also happen on Solaris which also is > PAM aware > > -connie sieh > > ---------- Forwarded message ---------- > Date: Thu, 22 Mar 2001 09:49:39 -0600 (CST) > From: Michael Kriss > To: linux-users@fnal.gov > Subject: Re: startx problem again > > > ----[Begin of authenticated portion]---- > > > > Let me add here that there is a more difficult but more correct way of fixing > this. The problem lies in the fact that login.krb5 is not pam aware. The > typical (I can speak for RedHat only here) login program is of course pam aware. > If you look in /etc/pam.d/login you see this entry: > > session optional /lib/security/pam_console.so > > The pam_console.so module is responsible for changing the ownership and > permissions on the console devices. 
> So the more correct way to fix this problem
> is to pam'ify login.krb5. I am not aware if anyone in the ups development team
> is working on this or not. I have produced a patch that can be applied to the
> kerberos source which does pam'ify login.krb5 (the patch is basically 10 lines
> of code). If you don't want to recompile I can provide a binary patched
> login.krb5 if you are interested...
>
> michael
>
> On Thu, 22 Mar 2001, Troy Dawson wrote:
>
> > Hi,
> > Since this was actually answered on the kerberos-pilot mailing list, and I had
> > just asked the same question there, I figured I'd give their answer here so
> > that y'all can see what the problem and solution is.
> >
> > First thing to note Yen-Chu is that you didn't say that you had kerberized
> > this machine. By looking at who you sent this e-mail to I was able to figure
> > that out. Also, since this is the exact same problem I had before, I am
> > assuming that you completely kerberized your machine with the install-login
> > option, which replaces your normal desktop login. So here is the solution for
> > people who do this; this is what was posted on the kerberos-pilot mailing list.
> >
> > ----------------------------
> >
> > Manually create the files /var/lock/console.lock and /var/lock/console/$USER
> >
> > /var/lock/console.lock should contain the username of the owner of the console
> > and it should not have a newline in the file. You can create this file by:
> >
> > # printf "kriss" > /var/lock/console.lock
> >
> > /var/lock/console/$USER can be empty but typically has a count of users who
> > may have console access. This file, if not empty, should not have a newline.
> > Create by:
> >
> > # printf "1" > /var/lock/console/kriss
> >
> > Both of these files should be root:root, 600
> >
> > ------------------------------
> > Another, quicker but not as in-depth solution was (as root) to do the following
> >
> > touch /var/lock/console/kriss
> >
> > but use whatever your username is instead of 'kriss'.
> >
> > -------------------------------
> >
> >
> > Yen-Chu Chen wrote:
> >
> > > Hi,
> > >
> > > I recently reinstalled Fermi RH Linux into a PC. It was a complete
> > > installation. The installation went on smoothly. I created two user
> > > accounts at the end.
> > >
> > > I found later on that I could do 'startx' only when I login as root.
> > > If I login as normal user and tried to startx, it said that I didn't own
> > > the console.
> > >
> > > Someone posted this question before but I didn't see the answer or I
> > > missed it somehow.
> > >
> > > --
> > > Best regards, Yen-Chu Chen
> > > chenyc@fnal.gov
> > > Office: (630) 840-3225, FAX: (630) 840-3867
> > > (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)
> >
> > --
> > __________________________________________________
> > Troy Dawson dawson@fnal.gov (630)840-6468
> > Fermilab ComputingDivision/OSS SCS Group
> > __________________________________________________
> >
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
> -----END PGP SIGNATURE-----
>

From kreymer@fnal.gov Sat Mar 24 06:03:38 2001 -0600
Date: Sat, 24 Mar 2001 06:03:33 -0600
From: ARSystem
Subject: 000000000017396 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76149409@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000017396 has been assigned to you.
It is a(n) Medium priority Software/Server /Kdc type of problem.

Short description: kinit doesn't work: " Cannot contact any KDC for requested realm while getting initial

Badge # (+) : 03739V
First Name : WILLIAM
Last Name (+) : TRISCHUK
Phone : 2400
E-Mail Address : WILLIAM@PHYSICS.UTORONTO.CA
Incident Time : 3/24/01 5:50:49 AM
System Name : KRB-PILOT-1
Urgency : Medium
Public Work Log : 3/24/01 6:02:15 AM jereboze
06:00 Paged the KDC primary Matt Crawford.
Problem Description : User at CDF Control Room reporting kinit doesn't work: " Cannot contact any KDC for requested realm while getting initial credentials"

From kreymer@fnal.gov Sat Mar 24 06:34:07 2001 -0600
Date: Sat, 24 Mar 2001 06:34:05 -0600
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17396 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614940C@csdserver2.fnal.gov>

17396 has been updated by jereboze.
Short Description : kinit doesn't work: " Cannot contact any KDC for requested realm while getting initial credentials"
New Work Log Entry :
06:10 Paged Matt again.
06:20 Had the FERMI operator contact Matt at home. Matt stated to have the user check his DNS settings and also have him configure Pilot 2 and 3 in his settings.
06:25 Called the user at his extension ... no answer.

From kreymer@fnal.gov Mon Mar 26 08:47:25 2001 -0600
Date: Mon, 26 Mar 2001 08:47:15 -0600
From: ARSystem
Subject: CRAWFORD, MATT #17396 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614944C@csdserver2.fnal.gov>

Thank you for your assistance. Help Desk ticket #000000000017396 has been resolved on 3/26/01 8:45:37 AM

Resolution Timestamp : 3/24/01 7:12:48 AM
Solution Category : Auto Resolve
Problem Category : Software
Item : Kdc
Type : Server
Short Description : kinit doesn't work: " Cannot contact any KDC for requested realm while getting initial credentials"
Solution : Per William (the requester): "Hi, Several things have been unstable here at CDF this morning. It seems my kerberos problems are now fixed. I am not sure whether this was "pilot error" on my part or something to do with our systems here, which have now apparently been fixed. Thanks for any effort you have already put into this."
Problem Description : User at CDF Control Room reporting kinit doesn't work: " Cannot contact any KDC for requested realm while getting initial credentials"

From kreymer@fnal.gov Mon Mar 26 10:36:04 2001 -0600
Date: Mon, 26 Mar 2001 10:36:01 -0600
From: Matt Crawford
Subject: Re: startx problem again (fwd)
In-reply-to: "22 Mar 2001 10:57:39 CST."
To: Connie Sieh
Cc: kerberos-pilot@fnal.gov
Message-id: <200103261636.KAA14754@gungnir.fnal.gov>

It sounds to me as if Linux's X server will be happy if it sees the
current user's name in a magic file somewhere. Correct? Solaris
accomplishes the same purpose by setting the permissions and
ownership of a bunch of devices specified in /etc/logindevperm at
login time. This function is present in the Kerberos login program
as well.

If someone will make clear exactly what needs to be done for Linux,
it seems like it will be trivial to make it happen in the login
program.

A couple of people here have said they have made a Kerberos 5 PAM
work, but none have contributed the code and the installation and
configuration information back to me. If someone ever does, there's
no good reason not to add it to the Kerberos product.
From kreymer@fnal.gov Mon Mar 26 11:11:47 2001 -0600
Date: Mon, 26 Mar 2001 11:12:59 -0600 (CST)
From: Michael Kriss
Subject: Re: startx problem again (fwd)
In-reply-to: <200103261636.KAA14754@gungnir.fnal.gov>
To: Matt Crawford
Cc: Connie Sieh, kerberos-pilot@fnal.gov

I started this current thread on Mar 6 to kerberos-pilot. In looking at my
follow-up posts I noticed I never really did explain the problem and solution
thoroughly so I will do so now.

I do not use Fermi RedHat but I suspect for this discussion that fact is
irrelevant (I use stock RedHat). RedHat's login program uses pam. In the
/etc/pam.d/login file there is an entry for pam_console:

session optional /lib/security/pam_console.so

pam_console sets the permissions of the appropriate tty to the user who happens
to be logging in. Since the error message from startx was something along the
lines of "cannot access console" I thought this would be the place to start.
Also since the entry in /etc/pam.d/login for console was for session and was
optional I thought that adding this functionality to login.krb5 would in no
way impact security. I do not know a lot about pam so someone correct me if
I'm wrong here.

I thought that the simplest, correct way for the appropriate permissions to be
set for the console would be to call the pam_console.so module, so I went
about trying to minimally pam'ify login.krb5. I did this with just a couple of
lines of code:

pam_start()
pam_set_item(TTY)
pam_open_session()
pam_close_session()
pam_end()

Then with the pam'ified login.krb5 in place, and with a /etc/pam.d/login.krb5
file that contained:

session optional /lib/security/pam_console.so

I was able to properly set the permissions on the console device that I was
logging in to and was able to startx.

I have a patch (created from the 1.2.2 tree) which will minimally pam'ify the
login.krb5 program. I will send the patch to all who are interested (until the
Fermi Kerberos has a pam ready login.krb5). The patch was not the only change
needed to the kerberos source. I also needed to link, while compiling
login.krb5, the pam and pam_misc libraries.

michael

On Mon, 26 Mar 2001, Matt Crawford wrote:

> It sounds to me as if Linux's X server will be happy if it sees the
> current user's name in a magic file somewhere. Correct? Solaris
> accomplishes the same purpose by setting the permissions and
> ownership of a bunch of devices specified in /etc/logindevperm at
> login time. This function is present in the Kerberos login program
> as well.
>
> If someone will make clear exactly what needs to be done for Linux,
> it seems like it will be trivial to make it happen in the login
> program.
>
> A couple of people here have said they have made a Kerberos 5 PAM
> work, but none have contributed the code and the installation and
> configuration information back to me. If someone ever does, there's
> no good reason not to add it to the Kerberos product.
>

From kreymer@fnal.gov Mon Mar 26 11:48:42 2001 -0600
Date: Mon, 26 Mar 2001 11:48:38 -0600
From: Matt Crawford
Subject: Re: [Fwd: BOYD, JOE AR ticket 17271 Has Been Updated.]
In-reply-to: "21 Mar 2001 14:41:12 CST."
To: kerberos-pilot@fnal.gov
Message-id: <200103261748.LAA15365@gungnir.fnal.gov>

> I'm interested in this too, as we have users whose machines are in
> fact X-terminals, essentially or not. There are similar problems,
> like how do they change their Kerberos passwords every 6 months, etc.
> Is there an official solution to this, or are they expected to replace
> the X-terminals, VAXstations, etc.?

There is no feasible way to provide an alternative to passwords for
functions such as kadmin and their derivatives like kcroninit or
kpasswd. Ssh with cryptocard support covers a lot of the need, but
someone sitting at a device that can't open any sort of an encrypted
connection continues to have no safe way to send a password across.

From kreymer@fnal.gov Mon Mar 26 12:09:47 2001 -0600
Date: Mon, 26 Mar 2001 12:09:12 -0600
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614954B@csdserver2.fnal.gov>

This reminder created on 3/26/01 12:03:48 PM

Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : DANE
Last Name (+) : SKOW
Phone : 4730
E-Mail Address : DANE@FNAL.GOV
Incident Time : 2/7/01 5:02:09 PM
System Name : UNFERTH
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : expiring password and screensaver
Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Mar 26 14:56:34 2001 -0600
Date: Mon, 26 Mar 2001 14:56:32 -0600
From: Troy Dawson
Subject: Re: startx problem again (fwd)
To: Matt Crawford
Cc: Connie Sieh, kerberos-pilot@fnal.gov
Message-id: <3ABFAD00.92CA15DA@fnal.gov>
References: <200103261636.KAA14754@gungnir.fnal.gov>

Hi Matt,
For password authentication (and for a few other things as well) Linux uses PAM
(Pluggable Authentication Modules).
I am told Solaris does as well, but I haven't really checked, and since your
question was geared towards Linux, I'll stick to that.

In order for PAM to work properly you have to have a PAM module that does some
type of authenticating. There only has to be one and it can work for login,
xdm, xscreensaver, kde, ... basically anything that might need some type of
authentication.
Once you have that module (I've seen Dane give you the source code for one, so
you do have one) you stick it with the other pam modules, in /lib/security/.
For example's sake, we'll give it the name that Dane had, pam_krb5.so, so we
have a file /lib/security/pam_krb5.so

After you have the module there, you then edit the different files that use
the PAM modules; these files are found in /etc/pam.d/
We'll look at just two of them for an example, login and xscreensaver.

We'll look at xscreensaver first, because it is by far the easiest.

bash-2.03$ cat /etc/pam.d/xscreensaver
#%PAM-1.0
auth       required   /lib/security/pam_pwdb.so shadow nullok

So to change it so that xscreensaver uses our kerberos password
authentication, we would just need to change that to

#%PAM-1.0
auth       required   /lib/security/pam_krb5.so

and then anytime someone did an xlock, they would need to type in their
kerberos password. If the pam module were written right, this would even
renew their tickets.

Now, let's look at the module file for login, and in particular, an AFS login.

bash-2.03$ cat /etc/pam.d/login
#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       sufficient /lib/security/pam_afs.so ignore_root
auth       required   /lib/security/pam_pwdb.so try_first_pass shadow nullok
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_console.so

This looks pretty complicated, but the main part that you are looking for is
the lines that start with 'auth'.
The first line is an extra security measure that only allows root to log in
from certain areas. All other users are ignored by it.
The second line checks to see if the nologin file exists. If it does, then
only root is allowed to login. This is for letting root do maintenance
without having to remain in single user mode.
The next two lines, with pam_afs, and pam_pwdb, are the modules that actually
ask the user for their password. These are the two lines that you need to
replace. All the rest of the lines just deal with getting things set up
right.
So if we replaced those two lines we'd get

#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       required   /lib/security/pam_krb5.so
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_console.so

And there you have it. You have someone logging in via their kerberos
password, but you didn't have to recompile and/or replace /bin/login.
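Troy's before/after login stacks and Michael's session-only login.krb5 file, as an added example (editor's Python, not code from the thread or from the Fermi Kerberos product): it parses the old single-file /etc/pam.d format, applies the pam_afs/pam_pwdb to pam_krb5 swap, and checks the constraints the thread states (the securetty and nologin gates run before the password-asking module, and pam_console sits in the session phase so the user ends up owning the console). The LOGIN_KRB5 text, the PASSWORD_MODULES list and all function names are assumptions of this example.

```python
"""Parse /etc/pam.d stacks and check the pam_krb5 swap discussed in this thread.

Added example (editor's code, not from the list or from Fermi Kerberos).
The LOGIN_BEFORE text is a constructed copy of the stack Troy posted;
LOGIN_KRB5 is a constructed copy of the one-line file Michael described.
"""
from dataclasses import dataclass

# Troy's stock RedHat /etc/pam.d/login (constructed from the message above).
LOGIN_BEFORE = """\
#%PAM-1.0
auth       required   /lib/security/pam_securetty.so
auth       required   /lib/security/pam_nologin.so
auth       sufficient /lib/security/pam_afs.so ignore_root
auth       required   /lib/security/pam_pwdb.so try_first_pass shadow nullok
account    required   /lib/security/pam_pwdb.so
password   required   /lib/security/pam_cracklib.so
password   required   /lib/security/pam_pwdb.so shadow nullok use_authtok
session    required   /lib/security/pam_pwdb.so
session    optional   /lib/security/pam_console.so
"""

# Michael's session-only /etc/pam.d/login.krb5 for the pam'ified login.krb5.
LOGIN_KRB5 = "session optional /lib/security/pam_console.so\n"

# Modules that prompt for the user's password (assumed list for this example).
PASSWORD_MODULES = {"pam_afs.so", "pam_pwdb.so", "pam_unix.so", "pam_krb5.so"}
GATES = ("pam_securetty.so", "pam_nologin.so")


@dataclass(frozen=True)
class PamRule:
    type: str      # auth | account | password | session
    control: str   # required | requisite | sufficient | optional
    module: str    # module path exactly as written in the file
    args: tuple    # remaining words on the line

    @property
    def name(self) -> str:
        return self.module.rsplit("/", 1)[-1]


def parse_pam_stack(text: str) -> list:
    """Parse the single-file /etc/pam.d format: 'type control module [args...]'."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '#%PAM-1.0' and comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        rules.append(PamRule(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return rules


def kerberize_login(rules, krb_module="/lib/security/pam_krb5.so"):
    """Troy's edit: remove the pam_afs/pam_pwdb auth lines and put a single
    'auth required pam_krb5.so' where the first of them stood."""
    out, replaced = [], False
    for r in rules:
        if r.type == "auth" and r.name in ("pam_afs.so", "pam_pwdb.so"):
            if not replaced:
                out.append(PamRule("auth", "required", krb_module, ()))
                replaced = True
            continue
        out.append(r)
    if not replaced:
        raise ValueError("no pam_afs/pam_pwdb auth line to replace")
    return out


def check_stack(rules, expect_auth=True) -> list:
    """Return the problems a reviewer would flag before installing the file."""
    problems = []
    auth = [r for r in rules if r.type == "auth"]
    pw = [i for i, r in enumerate(auth) if r.name in PASSWORD_MODULES]
    if expect_auth:
        if not pw:
            problems.append("auth phase never asks for a password")
        for gate in GATES:
            pos = [i for i, r in enumerate(auth) if r.name == gate]
            if not pos:
                problems.append(f"{gate} missing from auth phase")
            elif pw and pos[0] > pw[0]:
                problems.append(f"{gate} runs after the password module")
    # pam_console must run in the session phase or startx fails (the thread's bug).
    if not any(r.type == "session" and r.name == "pam_console.so" for r in rules):
        problems.append("pam_console.so not in session phase: user will not own "
                        "the console and startx fails")
    return problems


def render(rules) -> str:
    """Write a stack back out in the format the /etc/pam.d files use."""
    return "#%PAM-1.0\n" + "".join(
        f"{r.type:<10} {r.control:<10} {r.module} {' '.join(r.args)}".rstrip() + "\n"
        for r in rules)


if __name__ == "__main__":
    after = kerberize_login(parse_pam_stack(LOGIN_BEFORE))
    print(render(after))
    print("login problems:", check_stack(after))
    print("login.krb5 problems:",
          check_stack(parse_pam_stack(LOGIN_KRB5), expect_auth=False))
```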
By the way, I made some web pages on this (not kerberizing it, but PAM
modules) if you wanted to see if they help; they are at
http://home.fnal.gov/~dawson/howto/pam.html

Thanks
Troy

Matt Crawford wrote:
>
> It sounds to me as if Linux's X server will be happy if it sees the
> current user's name in a magic file somewhere. Correct? Solaris
> accomplishes the same purpose by setting the permissions and
> ownership of a bunch of devices specified in /etc/logindevperm at
> login time. This function is present in the Kerberos login program
> as well.
>
> If someone will make clear exactly what needs to be done for Linux,
> it seems like it will be trivial to make it happen in the login
> program.
>
> A couple of people here have said they have made a Kerberos 5 PAM
> work, but none have contributed the code and the installation and
> configuration information back to me. If someone ever does, there's
> no good reason not to add it to the Kerberos product.

--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab ComputingDivision/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Mon Mar 26 15:18:49 2001 -0600
Date: Mon, 26 Mar 2001 15:18:47 -0600
From: Glenn Cooper
Subject: Re: Kerberos access if no encryption is available
In-reply-to: <200103261748.LAA15365@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov

OK, so... What is the policy for people in this group? We have been telling
them, "Get a CryptoCard." But their cards will be useless after six months if
they can't change their Kerberos passwords, which they never use at all
otherwise. (Well, that will really mean that they'll have to get Yolanda to
change their passwords for them; but presumably she has better things to do.)

Would it be possible to have a category of users who cannot get a ticket using
k[cron]init, but can *only* use a CryptoCard? Password expiration could then
be turned off for this group, and they could at least continue using their
cards.

Thanks,
Glenn

On Mon, 26 Mar 2001, Matt Crawford wrote:

> > I'm interested in this too, as we have users whose machines are in
> > fact X-terminals, essentially or not. There are similar problems,
> > like how do they change their Kerberos passwords every 6 months, etc.
> > Is there an official solution to this, or are they expected to replace
> > the X-terminals, VAXstations, etc.?
>
> There is no feasible way to provide an alternative to passwords for
> functions such as kadmin and their derivatives like kcroninit or
> kpasswd. Ssh with cryptocard support covers a lot of the need, but
> someone sitting at a device that can't open any sort of an encrypted
> connection continues to have no safe way to send a password across.

From kreymer@fnal.gov Mon Mar 26 15:52:29 2001 -0600
Date: Mon, 26 Mar 2001 15:52:27 -0600 (CST)
From: Dane Skow
Subject: Re: startx problem again (fwd)
In-reply-to: <3ABFAD00.92CA15DA@fnal.gov>
To: Troy Dawson
Cc: Connie Sieh, kerberos-pilot@fnal.gov

On Mon, 26 Mar 2001, Troy Dawson wrote:

> So to change it so that
> xscreensaver uses our kerberos password
> authentication, we would just need to change that to
>
> #%PAM-1.0
> auth required /lib/security/pam_krb5.so
>
> and then anytime someone did an xlock, they would need to type in their
> kerberos password. If the pam module were written right, this would even
> renew their tickets.

The current pam module that I use (and distributed) has a "keep_cred"
option that overwrites the existing cache with a new ticket so it's a
crude renewal, but it works. Here is my xscreensaver line.

bash$ cat /etc/pam.d/xscreensaver
#%PAM-1.0
auth sufficient /lib/security/pam_krb5.so keep_cred ignore_root

> Now, let's look at the module file for login, and in particular, an AFS login.
>
> bash-2.03$ cat /etc/pam.d/login
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_afs.so ignore_root
> auth required /lib/security/pam_pwdb.so try_first_pass shadow nullok
> account required /lib/security/pam_pwdb.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_pwdb.so shadow nullok use_authtok
> session required /lib/security/pam_pwdb.so
> session optional /lib/security/pam_console.so
>
> This looks pretty complicated, but the main part that you are looking for is
> the lines that start with 'auth'.
> The first line is an extra security measure that only allows root to log in
> from certain areas. All other users are ignored by it.
> The second line checks to see if the nologin file exists. If it does, then
> only root is allowed to login. This is for letting root do maintenance
> without having to remain in single user mode.
> The next two lines, with pam_afs, and pam_pwdb, are the modules that actually
> ask the user for their password. These are the two lines that you need to
> replace. All the rest of the lines just deal with getting things setup
> right. So if we replaced those two lines we'd get
>
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth required /lib/security/pam_krb5.so
> account required /lib/security/pam_pwdb.so
> password required /lib/security/pam_cracklib.so
> password required /lib/security/pam_pwdb.so shadow nullok use_authtok
> session required /lib/security/pam_pwdb.so
> session optional /lib/security/pam_console.so
>
> And there you have it. You have someone logging in via their kerberos
> password, but you didn't have to recompile and/or replace /bin/login.

In principle this should work, but I seem to have to get an AFS token as
well for some startup (inittab mode 5 startup) on Linux and the current
pam-krb5 doesn't have a hook to call aklog. I think we have two choices:
either extend the pam_krb5 to include an aklog call option to create
an AFS token, or have a (new ?) PAM module that accepts a KRB5 tgt as
authentication to get an AFS token. I guess one could finesse this by
having your KRB5 and AFS passwords the same and the "use_first_pass" but
this will lead to violations of the KRB password exposure principle.

I've stubbed out the code in the pam_krb5 but, as I mentioned, ran into
the bitrot problem that I can no longer compile. Also, I'm not a very
good C programmer. I'd be happy to sit down with you Matt and incorporate
this into the source tree and try builds on the build cluster. I had
hoped that RH7 would make the linux build superfluous, but that doesn't
seem likely now.

Dane

> By the way, I made some web pages on this (not kerberizing it, but PAM
> modules) if you wanted to see if they help, they are at
> http://home.fnal.gov/~dawson/howto/pam.html
>
> Thanks
> Troy
>
> Matt Crawford wrote:
> >
> > It sounds to me as if Linux's X server will be happy if it sees the
> > current user's name in a magic file somewhere. Correct?
Solaris > > accomplishes the same purpose by setting the permissions and > > ownership of a bunch of devices specified in /etc/logindevperm at > > login time. This function is present in the Kerberos login program > > as well. > > > > If someone will make clear exactly what needs to be done for Linux, > > it seems like it will be trivial to make it happen in the login > > program. > > > > A couple of people here have said they have made a Kerberos 5 PAM > > work, but none have contributed the code and the installation and > > configuration information back to me. If someone ever does, there's > > no good reason not to add it to the Kerberos product. > > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS SCS Group > __________________________________________________ > Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Mar 26 16:12:54 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA04868 for ; Mon, 26 Mar 2001 16:12:54 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAT00A6BSDGKI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 26 Mar 2001 16:12:53 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011821A@listserv.fnal.gov>; Mon, 26 Mar 2001 16:12:53 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 78304 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 26 Mar 2001 16:12:52 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00118219@listserv.fnal.gov>; Mon, 26 Mar 2001 16:12:52 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id 
<0GAT00A76SDGNH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 26 Mar 2001 16:12:52 -0600 (CST)
Date: Mon, 26 Mar 2001 16:12:51 -0600 (CST)
From: "Marc W. Mengel"
Subject: Re: startx problem again (fwd)
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Dane Skow
Cc: Troy Dawson , Connie Sieh , kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1081

On Mon, 26 Mar 2001, Dane Skow wrote:

> In principle this should work, but I seem to have to get an AFS token as
> well for some startup (inittab mode 5 startup) on Linux and the current
> pam-krb5 doesn't have a hook to call aklog. I think we have two choices:
> either extend the pam_krb5 to include an aklog call option to create
> an AFS token, or have a (new ?) PAM module that accepts a KRB5 tgt as
> authentication to get an AFS token. I guess one could finesse this by
> having your KRB5 and AFS passwords the same and the "use_first_pass" but
> this will lead to violations of the KRB password exposure principle.

Actually, you shouldn't need to do anything with passwords at that point;
once the module has written your credentials file, you should be able to

    system("/usr/krb5/bin/aklog");

either in the pam_krb5 module, or in an otherwise stubbed out pam_aklog
module. This is how we did it in the kerberized ssh code; it's not elegant,
but it's easy to write.
Marc From kreymer@fnal.gov Mon Mar 26 16:15:44 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA04872 for ; Mon, 26 Mar 2001 16:15:44 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAT00A6SSI7ZJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 26 Mar 2001 16:15:44 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00118222@listserv.fnal.gov>; Mon, 26 Mar 2001 16:15:43 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 78312 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 26 Mar 2001 16:15:43 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00118221@listserv.fnal.gov>; Mon, 26 Mar 2001 16:15:43 -0600 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAT008CASI6NW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 26 Mar 2001 16:15:42 -0600 (CST) Date: Mon, 26 Mar 2001 16:15:41 -0600 (CST) From: "Marc W. Mengel" Subject: Re: Kerberos access if no encryption is available In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: gcooper@fnal.gov Cc: Matt Crawford , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1082 Wouldn't this work already if we dumped the user's principal's key into a file somewhere, like we do with host keys? [We could then even toss the file...] Does a cryptocard for a principal still work if it has been stored in a key file? On Mon, 26 Mar 2001, Glenn Cooper wrote: > Would it be possible to have a category of users who cannot get a > ticket using k[cron]init, but can *only* use a CryptoCard? 
Password > expiration could then be turned off for this group, and they could at > least continue using their cards. From kreymer@fnal.gov Wed Mar 28 10:40:13 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA30926 for ; Wed, 28 Mar 2001 10:40:13 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00FN62AZR0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Mar 2001 10:40:12 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001198EB@listserv.fnal.gov>; Wed, 28 Mar 2001 10:40:12 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 84637 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Mar 2001 10:40:12 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001198EA@listserv.fnal.gov>; Wed, 28 Mar 2001 10:40:12 -0600 Received: from fsgi02.fnal.gov ([131.225.68.15]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00FLF2AYQT@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Mar 2001 10:40:10 -0600 (CST) Received: from localhost (csieh@localhost) by fsgi02.fnal.gov (8.11.0/8.11.0) with ESMTP id f2SGe9C24849; Wed, 28 Mar 2001 10:40:09 -0600 (CST) Date: Wed, 28 Mar 2001 10:40:09 -0600 From: Connie Sieh Subject: Re: startx problem again (fwd) In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov To: Dane Skow Cc: Troy Dawson , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi02.fnal.gov: csieh owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1083 But there are kerberos rpms for 6.x . They are in 6.1.2. 
Up until I put in the new mutt and pine they were not installed by default. The new mutt and pine both require krb5 libraries. So these are now installed by default as both pine and mutt are installed by default. SO maybe these would help. -connie On Mon, 26 Mar 2001, Dane Skow wrote: > On Mon, 26 Mar 2001, Troy Dawson wrote: > > > > So to change it so that xscreensaver uses our kerberose password > > authentication, we would just need to change that to > > > > #%PAM-1.0 > > auth required /lib/security/pam_krb5.so > > > > and then anytime someone did an xlock, they would need to type in their > > kerberos password. If the pam module were written write, this would even > > renew their tickets. > > The current pam module that I use (and distributed) has a "keep_cred" > option that overwrites the existing cache with a new ticket so it's a > crude renewal, but it works. Here is my xscreensaver line. > > bash$ cat /etc/pam.d/xscreensaver > #%PAM-1.0 > auth sufficient /lib/security/pam_krb5.so keep_cred ignore_root > > > > > Now, lets look at the module file for login, and in particular, an AFS login. > > > > bash-2.03$ cat /etc/pam.d/login > > #%PAM-1.0 > > auth required /lib/security/pam_securetty.so > > auth required /lib/security/pam_nologin.so > > auth sufficient /lib/security/pam_afs.so ignore_root > > auth required /lib/security/pam_pwdb.so try_first_pass shadow nullok > > account required /lib/security/pam_pwdb.so > > password required /lib/security/pam_cracklib.so > > password required /lib/security/pam_pwdb.so shadow nullok use_authtok > > session required /lib/security/pam_pwdb.so > > session optional /lib/security/pam_console.so > > > > This looks pretty complicated, but the main part that you are looking for is > > the lines that start with 'auth'. > > The first line is an extra security measure that only allows root to log in > > from certain areas. All other users are ignored by it. > > The second line checks to see if the nologin file exists. 
If it does, then > > only root is allowed to login. This is for letting root do maintenance > > without having to remain in single user mode > > The next two lines, with pam_afs, and pam_pwdb, are the modules that actually > > ask the user for thier password. These are the two lines that you need to > > replace. All the rest of the lines just deal with getting things setup > > right. So if we replaced those two lines we'd get > > > > #%PAM-1.0 > > auth required /lib/security/pam_securetty.so > > auth required /lib/security/pam_nologin.so > > auth required /lib/security/pam_krb5.so > > account required /lib/security/pam_pwdb.so > > password required /lib/security/pam_cracklib.so > > password required /lib/security/pam_pwdb.so shadow nullok use_authtok > > session required /lib/security/pam_pwdb.so > > session optional /lib/security/pam_console.so > > > > And there you have it. You have someone logging in via their kerberos > > password, but you didn't have to recompile and/or replace /bin/login. > > In principal this should work, but I seem to have to get an AFS token as > well for some startup (inittab mode 5 startup) on Linux and the current > pam-krb5 doesn't have a hook to call aklog. I think we have two choices: > either extend the pam_krb5 to include an aklog call option to create > an AFS token, or have a (new ?) PAM module that accepts a KRB5 tgt as > authentication to get an AFS token. I guess one could finesse this by > having your KRB5 and AFS passwords the same and the "use_first_pass" but > this will lead to violations of the KRB password exposure principle. > > I've stubbed out the code in the pam_krb5 but, as I mentioned, ran into > the bitrot problem that I can no longer compile. Also that I'm not very > good C programmer. I'd be happy to sit down with you Matt and incorporate > this into the source tree and try builds on the build cluster. I had > hoped that RH7 would make the linux build superfluous, but that doesn't > seem likely now. 
> > Dane > > > > > By the way, I made some web pages on this (not kerberizing it, but PAM > > modules) if you wanted to see if they help, they are at > > http://home.fnal.gov/~dawson/howto/pam.html > > > > Thanks > > Troy > > > > Matt Crawford wrote: > > > > > > It sounds to me as if Linux's X server will be happy if it seems the > > > current user's name in a magic file somewhere. Correct? Solaris > > > accomplishes the same purpose by setting the permissions and > > > ownership of a bunch of devices specified in /etc/logindevperm at > > > login time. This function is present in the Kerberos login program > > > as well. > > > > > > If someone will make clear exactly what needs to be done for Linux, > > > it seems like it will be trivial to make it happen in the login > > > program. > > > > > > A couple of people here have said they have made a Kerberos 5 PAM > > > work, but none have contributed the code and the installation and > > > configuration information back to me. If someone ever does, there's > > > no good reason not to add it to the Kerberos product. 
> > > > -- > > __________________________________________________ > > Troy Dawson dawson@fnal.gov (630)840-6468 > > Fermilab ComputingDivision/OSS SCS Group > > __________________________________________________ > > > > Dane Skow, > Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 > > > From kreymer@fnal.gov Wed Mar 28 15:37:48 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31121 for ; Wed, 28 Mar 2001 15:37:48 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00D96G2YXE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Mar 2001 15:37:47 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00119D1D@listserv.fnal.gov>; Wed, 28 Mar 2001 15:37:47 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 85815 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Mar 2001 15:37:46 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00119D1C@listserv.fnal.gov>; Wed, 28 Mar 2001 15:37:46 -0600 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00DBWG2XTA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Mar 2001 15:37:46 -0600 (CST) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 28 Mar 2001 15:37:46 -0600 Content-return: allowed Date: Wed, 28 Mar 2001 15:37:39 -0600 From: ARSystem Subject: 000000000017477 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614978F@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1084

CRAWFORD, MATT,

Help Desk Ticket #000000000017477 has been assigned to you. It is a(n)
Medium priority Software/Utilities /Kerberos type of problem.

Short description: Client not found in Kerberos database while getting initial credentials

Badge # (+)     : 09404N
First Name      : KURT
Last Name (+)   : RUTHMANSDORFER
Phone           : 8057
E-Mail Address  : KURT@FNAL.GOV
Incident Time   : 3/28/01 2:57:29 PM
System Name     : D0ORA1
Urgency         : Medium

Public Work Log :

Problem Description :
Please log a call with the kerberos support people.

on d0mino
did kinit -F boyd/root@PILOT.FNAL.GOV
then telnet -l toolman d0ora1
and get "Client not found in Kerberos database while getting initial credentials"

This does not seem to happen with non root principals or with accounts
similar to toolman on d0ora3.

What does the error message mean? and why are we not authenticated to login?

D0mino and d0ora output follows:

d0mino> klist
Ticket cache: /tmp/krb5cc_ttyu8
Default principal: boyd/root@PILOT.FNAL.GOV

Valid starting      Expires             Service principal
03/28/01 13:53:16   03/28/01 16:53:16   krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
03/28/01 13:53:49   03/28/01 16:53:16   host/d0mino.fnal.gov@PILOT.FNAL.GOV
03/28/01 13:54:43   03/28/01 16:53:16   host/d0ora3.fnal.gov@PILOT.FNAL.GOV

d0mino> telnet -l toolman d0ora3.fnal.gov
Trying 131.225.222.6...
Connected to d0ora3.fnal.gov (131.225.222.6).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``boyd/root@PILOT.FNAL.GOV'' ]
Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option
login: Client not found in Kerberos database while getting initial credentials
Login incorrect
login: Connection closed by foreign host.
d0mino> date
Wed Mar 28 14:48:56 CST 2001

# hostname
d0ora3
# cat ~toolman/.k5login
nelly@PILOT.FNAL.GOV
diana@PILOT.FNAL.GO
diana/root@PILOT.fnal.gov
jtrumbo@PILOT.fnal.gov
akumar@PILOT.fnal.gov
kurt@PILOT.fnal.gov
boyd/root@PILOT.fnal.gov

--
Kurt Ruthmansdorfer                        WH6W 6.15
Fermi National Accelerator Lab; ms 234     kurt@fnal.fnal.gov
PO Box 500 Batavia, Il 60510-0500

From kreymer@fnal.gov Wed Mar 28 16:13:33 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA31149 for ; Wed, 28 Mar 2001 16:13:33 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00COMHQJ11@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 28 Mar 2001 16:13:33 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00119DB3@listserv.fnal.gov>; Wed, 28 Mar 2001 16:13:32 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 85983 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 28 Mar 2001 16:13:32 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00119DB2@listserv.fnal.gov>; Wed, 28 Mar 2001 16:13:31 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GAX00CKPHQJRQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 28 Mar 2001 16:13:31 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA29535; Wed, 28 Mar 2001 16:13:30 -0600 (CST)
Date: Wed, 28 Mar 2001 16:13:30 -0600
From: Matt Crawford
Subject: Re: 000000000017477 Assigned to CRAWFORD, MATT.
In-reply-to: "28 Mar 2001 15:37:39 CST."
<318CC3D38BE0D211BB1200105A093F7614978F@csdserver2.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'" , boyd@fnal.gov, KURT@fnal.gov
Message-id: <200103282213.QAA29535@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1085

Note to helpdesk: Please make sure to get the date & time of occurrence
from requesters with Kerberos problems. This requester did a great job by
including a "date" command in his transcript.

> on d0mino
> did kinit -F boyd/root@PILOT.FNAL.GOV
> then telnet -l toolman d0ora1
> and get "Client not found in Kerberos database while getting initial
> credentials"

That message turned out to be a bit of a red herring.

> What does the error message mean? and why are we not authenticated to
> login?
>
> D0mino and d0ora output follows:
> [...]
> d0mino> telnet -l toolman d0ora3.fnal.gov
> Trying 131.225.222.6...
> Connected to d0ora3.fnal.gov (131.225.222.6).
> Escape character is '^]'.
> [ Kerberos V5 accepts you as ``boyd/root@PILOT.FNAL.GOV'' ]
> Kerberos V5: error getting forwarded creds - KDC can't fulfill
> requested option

Ah! That's the real error! You remembered to tell kinit not to ask for a
forwardable ticket, but you forgot to tell telnet not to forward the
ticket! And then this ...

> login: Client not found in Kerberos database while getting initial
> credentials
> Login incorrect

is just because it tried to fall back to cryptocard mode, but there is no
cryptocard entry for boyd/root.

Add "-N" to your telnet command.
From kreymer@fnal.gov Fri Mar 30 09:46:15 2001 -0600 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA21500 for ; Fri, 30 Mar 2001 09:46:15 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB000IG2P5277@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 30 Mar 2001 09:46:15 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011B468@listserv.fnal.gov>; Fri, 30 Mar 2001 09:46:14 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 92380 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 30 Mar 2001 09:46:14 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011B467@listserv.fnal.gov>; Fri, 30 Mar 2001 09:46:14 -0600 Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB000JDFP51KA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 30 Mar 2001 09:46:14 -0600 (CST) Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA25830 for ; Fri, 30 Mar 2001 09:46:13 -0600 Date: Fri, 30 Mar 2001 09:46:09 -0600 From: "Isabeau's mom" Subject: rsh to a machine that then crashes Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3AC4AA41.1E5116E8@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1086 hi, we have noticed a problem when using /usr/krb5/bin/rsh. an rsh will hang when the remote node crashes without finishing the remote command. here is an example. 
on d0enmvr18a, the following process still exists -

root 22400 0.0 0.2 2264 1188 ? S Mar25 0:00 /usr/krb5/bin/rsh -f d0enmvr10a echo 'DATE Sun Mar 25 00:01:27 CST 2001'>>/SEL; /usr/local/bin/selread>>/SEL; /usr/local/bin/selclear

this rsh process was run as part of a cron job. the remote node -
d0enmvr10a rebooted during the execution of the above command. here is
the last line of the /var/log/messages.1 file -

Mar 25 00:01:27 d0enmvr10a kshd[3790]: Executing -x echo 'DATE Sun Mar 25 00:01:27 CST 2001'>>/SEL; /usr/local/bin/selread>>/SEL; /usr/local/bin/selclear for principal host/d0enmvr18a.fnal.gov@PILOT.FNAL.GOV (root@131.225.164.118 (d0enmvr18a.fnal.gov)) as ROOT

but the command never completes because the machine reboots during it.
the rsh on d0enmvr18a is stuck in a select call -

d0enmvr18a.fnal.gov} strace -p22400
select(1024, [3 5], NULL, NULL, NULL

is there something i am missing?

eileen
--
  _\ | | /_
  \\| ============================= |//
==O( ===== What do you want? ===== )O==
  _//| ============================= |\\_
  / | | \

From kreymer@fnal.gov Fri Mar 30 10:14:34 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA21535 for ; Fri, 30 Mar 2001 10:14:34 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB00013ZQG8FN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 30 Mar 2001 10:14:33 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011B4D5@listserv.fnal.gov>; Fri, 30 Mar 2001 10:14:33 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 92496 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 30 Mar 2001 10:14:33 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011B4D4@listserv.fnal.gov>; Fri, 30 Mar 2001
10:14:33 -0600
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB000129QG8FO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 30 Mar 2001 10:14:32 -0600 (CST)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA10430; Fri, 30 Mar 2001 10:14:31 -0600 (CST)
Date: Fri, 30 Mar 2001 10:14:30 -0600
From: Matt Crawford
Subject: Re: rsh to a machine that then crashes
In-reply-to: "30 Mar 2001 09:46:09 CST." <3AC4AA41.1E5116E8@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200103301614.KAA10430@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1087

> hi, we have noticed a problem when using /usr/krb5/bin/rsh.
> an rsh will hang when the remote node crashes without finishing
> the remote command. here is an example.
> [...]
> is there something i am missing?

No, this is inherent in the TCP protocol. If your side is done sending
data (at least for the moment) and simply waiting for the other end to
send some or close the connection, your end will never know if the other
end dies. (If the process is killed, the OS will send the packets that
close the connection. But if the OS dies, then nothing.)

Adding a timeout to rsh is not the answer because you might want to
invoke a remote process that computes for many hours.

Setting the KEEPALIVE option on the socket would solve your problem. This
makes the OS periodically send some packets which don't contain new data
but do elicit a response from the TCP stack on the OS at the other end to
respond - aborting the connection if it has crashed and rebooted, or
causing your end to time out if the remote has crashed or gone unreachable
and not come back.

The downside is that if there's an extended network failure while you're
in this state, you'll lose your connection. But the odds are very great
that this would happen anyway, when the other end tried to send.

If nobody can suggest a reason why TCP keepalives would be a bad thing for
rsh, I can put it in.

From kreymer@fnal.gov Fri Mar 30 15:11:05 2001 -0600
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA22731 for ; Fri, 30 Mar 2001 15:11:05 -0600
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB100J1F46GWU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 30 Mar 2001 15:11:04 -0600 (CST)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011BA33@listserv.fnal.gov>; Fri, 30 Mar 2001 15:11:04 -0600
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93952 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 30 Mar 2001 15:11:04 -0600
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011BA32@listserv.fnal.gov>; Fri, 30 Mar 2001 15:11:04 -0600
Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB100BT646FC8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 30 Mar 2001 15:11:03 -0600 (CST)
Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26254 for ; Fri, 30 Mar 2001 15:11:03 -0600
Date: Fri, 30 Mar 2001 15:10:58 -0600
From: "Isabeau's mom"
Subject: error documentation
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <3AC4F662.668CE867@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1088

hi, can someone recommend a good place
to read about the errors generated with respect to kerberos. i especially mean the errors in the 'messages' files. i have looked on the web and could not find anything. thanks, eileen -- _\ | | /_ \\| ============================= |// ==O( ===== What do you want? ===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Sat Mar 31 20:01:52 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id UAA28680 for ; Sat, 31 Mar 2001 20:01:52 -0600 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB300A05CB2PO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 31 Mar 2001 20:01:51 -0600 (CST) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011C3BF@listserv.fnal.gov>; Sat, 31 Mar 2001 20:01:51 -0600 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 96666 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Sat, 31 Mar 2001 20:01:51 -0600 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011C3BE@listserv.fnal.gov>; Sat, 31 Mar 2001 20:01:51 -0600 Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB300A10CB2GR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Sat, 31 Mar 2001 20:01:50 -0600 (CST) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id UAA14920 for ; Sat, 31 Mar 2001 20:01:50 -0600 (CST) Date: Sat, 31 Mar 2001 20:01:50 -0600 (CST) From: Tim Zingelman Subject: Name issues (was: excluding accounts from kerberos?) 
To: kerberos-pilot@fnal.gov

> > Some names, such as root, we expect that CNAS will never allow to be
> > assigned as usernames and hence never become anyone's Kerberos name.
> > But we can't expect this to cover every case. You have two methods
> > available to make sure locally that nobody ever gets Kerberos access
> > to a given account due to an unplanned name match.

Since it appears that the unix.uid.list (obtain uids) is not currently the canonical user name list from a Kerberos perspective, I believe that I must add empty .k5login files for ALL my users that don't yet have assigned principals. This is due to the fact that their username may have been (or will be) given out as a principal to someone else.

First, a help for others in the same situation, a little perl script to make a list of commands to create the .k5login files for all accounts in /etc/passwd, just a quick hack but may save you a few minutes:

    #!/usr/bin/perl
    # Read /etc/passwd and write a shell script (k5login_add) that creates an
    # empty .k5login in every account's home directory.  An empty .k5login
    # lists no principals, so nobody gets Kerberos access to that account.
    open(IFILE, "/etc/passwd") || die "Can't open /etc/passwd file: $!\n";
    open(KA, ">k5login_add") || die "Can't open k5login_add file: $!\n";
    # root's home directory is "/", so it is handled explicitly here
    print KA "cp /dev/null /.k5login\n";
    while (<IFILE>) {
        # the home directory is the second-to-last colon-separated field;
        # skip lines that do not look like passwd entries
        next unless /:(\/[^:]*):[^:]+$/;
        $dirname = $1;
        print KA "touch $dirname/.k5login\n" unless ($dirname eq "/");
        # the line below is a more brute force option...
        # print KA "cp /dev/null $dirname/.k5login\n" unless ($dirname eq "/");
    }
    close(IFILE);
    close(KA);

Second, a request: Can the current list of assigned principals be made available via 'obtain' or some other easy method. (Better yet of course would be to make unix.uid.list the canonical assigned names list, but I guess that would be both too easy and too hard :(

Thanks,
- Tim

From kreymer@fnal.gov Sun Apr 1 00:19:04 2001 -0500
Date: Sun, 01 Apr 2001 00:19:01 -0600 (CST)
From: Tim Zingelman
Subject: cryptoCard vs. cryptoKeyChain
To: kerberos-pilot@fnal.gov

The cryptocard website (www.cryptocard.com) has a Key Chain version of the crypto token...
Since the reports I've heard seem to indicate that there is no reasonable way for the typical bluejeans & t-shirt fermilab user to carry a cryptoCard without destroying it, this seems like a good option. Is there a significant cost difference? or some other reason why this is not an option for us?

Along the same lines, can we expect that whatever hardware tokens are used, that the cost will continue to be covered by some CD budget, or do we need to be warning our Division/Department heads to budget for these?

Thanks,
- Tim

From kreymer@fnal.gov Mon Apr 2 09:04:45 2001 -0500
Date: Mon, 02 Apr 2001 09:04:39 -0500
From: ARSystem
Subject: 000000000017524 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614990F@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000017524 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: Kerberos
Badge # (+) : 00683N
First Name : RICHARD
Last Name (+) : KRULL
Phone : 3709
E-Mail Address : KRULL@FNAL.GOV
Incident Time : 4/2/01 7:55:57 AM
System Name :
Urgency : Medium

Public Work Log :
4/2/01 9:04:21 AM blomberg
Can you assist?
The following was e-mailed to the Requester:
What is the error you are receiving?

Problem Description :
Is there something going on with Kerberos passwords? I and another user get an error when trying to Authenticate.
Rich

From kreymer@fnal.gov Mon Apr 2 09:04:46 2001 -0500
Date: Mon, 02 Apr 2001 09:04:39 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000017524
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76149911@csdserver2.fnal.gov>

The following note has been sent to the requester: KRULL, RICHARD
Short Description : Kerberos
Notes to Requester : What is the error you are receiving?

From kreymer@fnal.gov Mon Apr 2 09:25:31 2001 -0500
Date: Mon, 02 Apr 2001 09:25:29 -0500
From: Matt Crawford
Subject: Re: cryptoCard vs. cryptoKeyChain
In-reply-to: "01 Apr 2001 00:19:01 CST."
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200104021425.JAA23783@gungnir.fnal.gov>

> The cryptocard website (www.cryptocard.com) has a Key Chain version
> of the crypto token... some other reason why this is not an option
> for us?

It is tedious to enter the PIN on those tokens. The user can never change the PIN, and there is no way to put it back in sync with the KDC if it gets out of sync, short of bringing it back for reprogramming. I think the latter point rules it out for our application. I have one sample unit if you want to have a look.

> Along the same lines, can we expect that whatever hardware tokens are
> used, that the cost will continue to be covered by some CD budget,

Yes.
From kreymer@fnal.gov Mon Apr 2 09:26:37 2001 -0500
Date: Mon, 02 Apr 2001 08:26:34 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Problem with Reflection Kerberos this morning?
To: kerberos-pilot@fnal.gov
Message-id: <3AC88C1A.5489A7F8@fnal.gov>
Organization: Fermi National Accelerator Lab

I am not able to authenticate with WRQ this morning. It could be one of at least two things:

a) I changed my password this morning (probably not the problem, but...)
b) DST time change.

I've re-synched my clock (or, at least, I think I did, using the WRQ time-synch tab somewhere in the configurations).

I'm getting an error

    Pre-authentication failed (KDC024)

This happens with both the old password and the new password. However, I am able to authenticate on other systems (using ssh to log in to ossbud, I can kinit there; from there, I can telnet to e.g., d0ora3 and kinit successfully) -- using the new password.

I am trying to authenticate on node nargothrond.fnal.gov.

???? Anybody else with a PC experiencing this type of problem today?

-- lauri

From kreymer@fnal.gov Mon Apr 2 10:11:16 2001 -0500
Date: Mon, 02 Apr 2001 10:10:57 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17524 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614991E@csdserver2.fnal.gov>

17524 has been updated by blomberg.
Short Description : Kerberos
New Work Log Entry :
From: "Richard A. Krull"
To: "ARSystem"
Subject: RE: Additional info for 000000000017524
Date: Monday, April 02, 2001 10:07 AM
The error is Pre-authentication failed (KDC024). I heard from Yolanda it may have to do with the time change.
Rich

From kreymer@fnal.gov Mon Apr 2 10:21:59 2001 -0500
Date: Mon, 02 Apr 2001 10:21:53 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000017524
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614993D@csdserver2.fnal.gov>

The following note has been sent to the requester: KRULL, RICHARD
Short Description : Kerberos
Notes to Requester : Hi Rich, Which system were you trying to access?

From kreymer@fnal.gov Mon Apr 2 10:25:31 2001 -0500
Date: Mon, 02 Apr 2001 10:25:29 -0500
From: Mao Huishun
Subject: Re: Problem with Reflection Kerberos this morning?
In-reply-to: <3AC88C1A.5489A7F8@fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov

I am also not able to authenticate with WRQ this morning. getting same error

> Pre-authentication failed (KDC024)

Would you (or anybody) like to tell me how to solve the problem?

Thanks
mao

From kreymer@fnal.gov Mon Apr 2 10:37:17 2001 -0500
Date: Mon, 02 Apr 2001 10:37:09 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17523 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76149941@csdserver2.fnal.gov>

17523 has been updated by blomberg.
Short Description : kerberos problem
New Work Log Entry :
From: "Richard A. Krull"
To: "ARSystem"
Subject: RE: Additional info for 000000000017524
Date: Monday, April 02, 2001 10:28 AM
CDFSGA
Rich

From kreymer@fnal.gov Mon Apr 2 10:37:17 2001 -0500
Date: Mon, 02 Apr 2001 10:37:09 -0500
From: ARSystem
Subject: 000000000017523 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76149940@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000017523 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: kerberos problem
Badge # (+) : 00951C
First Name : JULIE
Last Name (+) : TRUMBO
Phone : 3637
E-Mail Address : JTRUMBO@FNAL.GOV
Incident Time : 4/2/01 7:00:28 AM
System Name :
Urgency : High

Public Work Log :
4/2/01 9:02:19 AM blomberg
The following was e-mailed to the Requester:
What systems are you trying to get into???
4/2/01 10:33:18 AM blomberg
From: "Richard A. Krull"
To: "ARSystem"
Subject: RE: Additional info for 000000000017524
Date: Monday, April 02, 2001 10:28 AM
CDFSGA
Rich

Problem Description :
Cannot use reflections to get to a kerberized machine this morning, getting pre authentication failed (KDC024). Maybe a time change problem? Looked in the kerberos documentation, it suggested running xntp after downloading it from kits. Could not find xntp in kits. Cannot connect to any server.

From kreymer@fnal.gov Mon Apr 2 10:57:40 2001 -0500
Date: Mon, 02 Apr 2001 10:57:35 -0500
From: ARSystem
Subject: 000000000017526 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614994A@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000017526 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Wrq/Reflections type of problem.
Short description: cannot access any kerberized machine through WRQ reflections
Badge # (+) : 05545N
First Name : DIANA
Last Name (+) : BONHAM
Phone : 6299
E-Mail Address : DIANA@FNAL.GOV
Incident Time : 4/2/01 10:27:21 AM
System Name : WRQ REFLECTIONS
Urgency : Medium

Public Work Log :

Problem Description :
Is there an expert for the WRQ reflections product? None of us on the 8th floor who use WRQ to access kerberized machines through the WRQ product can get it to work this morning. We think it may have something to do with the 1 hour time change over the weekend. This doesn't appear to be a unix or kerberos problem, rather a WRQ problem.

From kreymer@fnal.gov Mon Apr 2 11:18:52 2001 -0500
Date: Mon, 02 Apr 2001 11:18:38 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17526 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7614995E@csdserver2.fnal.gov>

17526 has been updated by ARWebGuest.
Short Description : cannot access any kerberized machine through WRQ reflections
New Work Log Entry :
Laurelin of Middle Earth, 630-840-2214 added this information:

Matt, don't know if you saw my earlier message, don't know if it helps, but in case you didn't and in case it does:

I am not able to authenticate with WRQ this morning. It could be one of at least two things:

a) I changed my password this morning (probably not the problem, but...)
b) DST time change.

I've re-synched my clock (or, at least, I think I did, using the WRQ time-synch tab somewhere in the configurations).

I'm getting an error

    Pre-authentication failed (KDC024)

This happens with both the old password and the new password. However, I am able to authenticate on other systems (using ssh to log in to ossbud, I can kinit there; from there, I can telnet to e.g., d0ora3 and kinit successfully) -- using the new password.

I am trying to authenticate on node nargothrond.fnal.gov.

-- lauri

-------- Original Message --------
From: ARSystem
Subject: 000000000017526 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"

CRAWFORD, MATT, Help Desk Ticket #000000000017526 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Wrq/Reflections type of problem.

From kreymer@fnal.gov Mon Apr 2 11:37:49 2001 -0500
Date: Mon, 02 Apr 2001 11:37:47 -0500
From: Matt Crawford
Subject: Re: Problem with Reflection Kerberos this morning?
In-reply-to: "02 Apr 2001 08:26:34 MDT." <3AC88C1A.5489A7F8@fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-pilot@fnal.gov
Message-id: <200104021637.LAA24662@gungnir.fnal.gov>

> I am not able to authenticate with WRQ this morning.
> It could be one of at least two things:

***************************
** > b) DST time change. **
***************************

More specifically, Windows' inability to cope sanely and simply with same.

> ???? Anybody else with a PC experiencing this type of problem
> today?

Or rather, is anyone with Windows NOT experiencing this problem?

From kreymer@fnal.gov Mon Apr 2 11:42:02 2001 -0500
Received: from fnal.gov ([131.225.82.176]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600A5UBQ0TN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 11:42:00 -0500
(CDT) Date: Mon, 02 Apr 2001 11:42:00 -0500 From: Heidi Schellman Subject: Re: Problem with Reflection Kerberos this morning? Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Message-id: <3AC8ABD8.123C52D5@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (Win98; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200104021637.LAA24662@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1103 No - I think all wrq users are suffering from this. Given that we are setting our clocks from the time server, this seems a bit strange. Matt Crawford wrote: > > > I am not able to authenticate with WRQ this morning. > > It could be one of at least two things: > *************************** > ** > b) DST time change. ** > *************************** > > More specifically, Windows' inability to cope sanely and simply with same. > > > ???? Anybody else with a PC experiencing this type of problem > > today? > > Or rather, is anyone with Windows NOT experiencing this problem? 
From kreymer@fnal.gov Mon Apr 2 11:47:40 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA11168 for ; Mon, 2 Apr 2001 11:47:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600B5TBZEUB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 11:47:39 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D11D@listserv.fnal.gov>; Mon, 02 Apr 2001 11:47:39 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100500 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 11:47:39 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D11C@listserv.fnal.gov>; Mon, 02 Apr 2001 11:47:39 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600C4VBZEEI@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 11:47:38 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA24820; Mon, 02 Apr 2001 11:47:38 -0500 (CDT) Date: Mon, 02 Apr 2001 11:47:37 -0500 From: Matt Crawford Subject: Re: Problem with Reflection Kerberos this morning? In-reply-to: "02 Apr 2001 10:25:29 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Mao Huishun Cc: kerberos-pilot@fnal.gov Message-id: <200104021647.LAA24820@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1104 > I am also not able to authenticate with WRQ this morning. > getting same error > > > > Pre-authentication failed (KDC024) > > > Would you (or anybody) like to tell me how to solve the problem? > Thanks mao The only real solution I know is probably not acceptable to you. 
(Reformat disk, return Windows s/w for refund, install Fermi Red Hat Linux.) Your friendly Windows support person may have a solution that gets the daylight savings time right and still lets you keep the same fine professionally engineered commercially supported so-called operating system you enjoy today. From kreymer@fnal.gov Mon Apr 2 11:48:23 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA11172 for ; Mon, 2 Apr 2001 11:48:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600C2MC0ML6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 11:48:23 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D11F@listserv.fnal.gov>; Mon, 02 Apr 2001 11:48:22 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100502 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 11:48:22 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D11E@listserv.fnal.gov>; Mon, 02 Apr 2001 11:48:22 -0500 Received: from fnal.gov ([131.225.82.103]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600B6SC0LUQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 11:48:21 -0500 (CDT) Date: Mon, 02 Apr 2001 11:48:09 -0500 From: Al Lilianstrom Subject: Re: Problem with Reflection Kerberos this morning? 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: Heidi Schellman Cc: Matt Crawford , "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Message-id: <3AC8AD49.1A745C72@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200104021637.LAA24662@gungnir.fnal.gov> <3AC8ABD8.123C52D5@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1105 It appears to be a problem with the time change and the way WRQ or Microsoft handles it. If you take away the setting for NT or 2000 to automatically adjust for daylight savings time you can authenticate with the Reflection Kerberos Manager and use the Reflection telnet to log in to kerberized systems. However your local clock in now one hour off. al Heidi Schellman wrote: > > No - I think all wrq users are suffering from this. > > Given that we are setting our clocks from the time server, this seems a bit > strange. > > Matt Crawford wrote: > > > > > I am not able to authenticate with WRQ this morning. > > > It could be one of at least two things: > > *************************** > > ** > b) DST time change. ** > > *************************** > > > > More specifically, Windows' inability to cope sanely and simply with same. > > > > > ???? Anybody else with a PC experiencing this type of problem > > > today? > > > > Or rather, is anyone with Windows NOT experiencing this problem? 
-- Al Lilianstrom lilianstrom@fnal.gov From kreymer@fnal.gov Mon Apr 2 12:05:01 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA11193 for ; Mon, 2 Apr 2001 12:05:01 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600AAMCS9TN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 12:05:00 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D194@listserv.fnal.gov>; Mon, 02 Apr 2001 12:04:58 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100626 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 12:04:58 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D190@listserv.fnal.gov>; Mon, 02 Apr 2001 12:04:58 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600AHUCRW7E@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 12:04:56 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 02 Apr 2001 12:04:43 -0500 Content-return: allowed Date: Mon, 02 Apr 2001 12:04:39 -0500 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 17477 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76149979@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1106 This reminder created on 4/2/01 12:03:13 PM Ticket 17477 has been assigned to you. This is a reminder that the ticket is not yet resolved. 
Status : Assigned First Name : KURT Last Name (+) : RUTHMANSDORFER Phone : 8057 E-Mail Address : KURT@FNAL.GOV Incident Time : 3/28/01 2:57:29 PM System Name : D0ORA1 Problem Category : Software Item : Kerberos Type : Utilities Urgency : Medium Short Description : Client not found in Kerberos database while getting initial credentials Problem Description : Please log a call with the kerberos support people. on d0mino did kinit -F boyd/root@PILOT.FNAL.GOV then telnet -l toolman d0ora1 and get "Client not found in Kerberos database while getting initial credentials" This does not seem to happen with non root principals or with accounts similar to toolman on d0ora3. What does the eoor message mean? and why are we not authenitcated to login? D0mino and d0ora output folows: d0mino> klist Ticket cache: /tmp/krb5cc_ttyu8 Default principal: boyd/root@PILOT.FNAL.GOV Valid starting Expires Service principal 03/28/01 13:53:16 03/28/01 16:53:16 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV 03/28/01 13:53:49 03/28/01 16:53:16 host/d0mino.fnal.gov@PILOT.FNAL.GOV 03/28/01 13:54:43 03/28/01 16:53:16 host/d0ora3.fnal.gov@PILOT.FNAL.GOV d0mino> telnet -l toolman d0ora3.fnal.gov Trying 131.225.222.6... Connected to d0ora3.fnal.gov (131.225.222.6). Escape character is '^]'. [ Kerberos V5 accepts you as ``boyd/root@PILOT.FNAL.GOV'' ] Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option login: Client not found in Kerberos database while getting initial credentials Login incorrect login: Connection closed by foreign host. 
d0mino> date Wed Mar 28 14:48:56 CST 2001 # hostname d0ora3 # cat ~toolman/.k5login nelly@PILOT.FNAL.GOV diana@PILOT.FNAL.GO diana/root@PILOT.fnal.gov jtrumbo@PILOT.fnal.gov akumar@PILOT.fnal.gov kurt@PILOT.fnal.gov boyd/root@PILOT.fnal.gov -- Kurt Ruthmansdorfer WH6W 6.15 Fermi National Accelerator Lab; ms 234 kurt@fnal.fnal.gov PO Box 500 Batavia, Il 60510-0500 From kreymer@fnal.gov Mon Apr 2 12:05:34 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA11197 for ; Mon, 2 Apr 2001 12:05:34 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600BCZCSFLZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 12:05:33 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D1F0@listserv.fnal.gov>; Mon, 02 Apr 2001 12:05:15 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100719 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 12:05:15 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D1EB@listserv.fnal.gov>; Mon, 02 Apr 2001 12:05:15 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600C6GCSCL6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 12:05:13 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 02 Apr 2001 12:04:59 -0500 Content-return: allowed Date: Mon, 02 Apr 2001 12:04:52 -0500 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761499B8@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet 
Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1107 This reminder created on 4/2/01 12:04:08 PM Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Item : Kerberos Type : Utilities Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshs my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Apr 2 12:19:43 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA11219 for ; Mon, 2 Apr 2001 12:19:43 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600AFVDGUTN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 12:19:42 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D24D@listserv.fnal.gov>; Mon, 02 Apr 2001 12:19:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100822 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 12:19:41 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D24C@listserv.fnal.gov>; Mon, 02 Apr 2001 12:19:41 -0500 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB6009MWDGT9P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 12:19:41 -0500 (CDT) Date: Mon, 02 Apr 2001 12:19:42 -0500 (CDT) From: Dane Skow Subject: Re: Problem with Reflection Kerberos this morning? (fwd) Sender: owner-kerberos-pilot@listserv.fnal.gov To: helpdesk@fnal.gov Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1108 A copy for you too, helpdesk. There's a call in with WRQ, but reports are of same trouble with Exceed, so may not just be their problem. While Matt's solution would be effective in this instance, and has some humor value, less drastic measures are advised and more the official response. 
The current work around: Go into the Windows Control Panel and uncheck the Automatic Daylight Saving Time adjustment box in Date/Time. This seems to work. Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 ---------- Forwarded message ---------- Date: Mon, 02 Apr 2001 11:48:09 -0500 From: Al Lilianstrom To: Heidi Schellman Cc: Matt Crawford , "Laurelin of Middle Earth, 630-840-2214" , kerberos-pilot@fnal.gov Subject: Re: Problem with Reflection Kerberos this morning? It appears to be a problem with the time change and the way WRQ or Microsoft handles it. If you take away the setting for NT or 2000 to automatically adjust for daylight savings time you can authenticate with the Reflection Kerberos Manager and use the Reflection telnet to log in to kerberized systems. However your local clock in now one hour off. al Heidi Schellman wrote: > > No - I think all wrq users are suffering from this. > > Given that we are setting our clocks from the time server, this seems a bit > strange. > > Matt Crawford wrote: > > > > > I am not able to authenticate with WRQ this morning. > > > It could be one of at least two things: > > *************************** > > ** > b) DST time change. ** > > *************************** > > > > More specifically, Windows' inability to cope sanely and simply with same. > > > > > ???? Anybody else with a PC experiencing this type of problem > > > today? > > > > Or rather, is anyone with Windows NOT experiencing this problem? 
-- Al Lilianstrom lilianstrom@fnal.gov From kreymer@fnal.gov Mon Apr 2 12:27:32 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA11225 for ; Mon, 2 Apr 2001 12:27:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB6009G7DTVHJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 12:27:32 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D264@listserv.fnal.gov>; Mon, 02 Apr 2001 12:27:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100850 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 12:27:31 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D263@listserv.fnal.gov>; Mon, 02 Apr 2001 12:27:31 -0500 Received: from kwakiutl ([131.225.82.24]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GB600BGXDTV14@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 12:27:31 -0500 (CDT) Date: Mon, 02 Apr 2001 12:27:31 -0500 From: Jack Schmidt Subject: RE: Problem with Reflection Kerberos this morning? In-reply-to: <200104021637.LAA24662@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: "Kerberos-Pilot@Fnal. Gov" Reply-to: Jack.Schmidt@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1109 Now thats not very nice! I can log in from my W2K system and have it authenticate with the MIT KDC. 
If I use the WRQ software to get a ticket in the W2K test realm that isn't using the MIT KDC I still get a pre-auth error. The problem seems to be with the WRQ and Exceed software. Jack > -----Original Message----- > From: owner-kerberos-pilot@listserv.fnal.gov > [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Matt > Crawford > Sent: Monday, April 02, 2001 11:38 AM > To: Laurelin of Middle Earth, 630-840-2214 > Cc: kerberos-pilot@fnal.gov > Subject: Re: Problem with Reflection Kerberos this morning? > > > > I am not able to authenticate with WRQ this morning. > > It could be one of at least two things: > *************************** > ** > b) DST time change. ** > *************************** > > More specifically, Windows' inability to cope sanely and simply with same. > > > ???? Anybody else with a PC experiencing this type of problem > > today? > > Or rather, is anyone with Windows NOT experiencing this problem? > From kreymer@fnal.gov Mon Apr 2 12:43:01 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA11233 for ; Mon, 2 Apr 2001 12:43:01 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600BNBEJNUQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 12:43:00 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D2A7@listserv.fnal.gov>; Mon, 02 Apr 2001 12:42:59 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100922 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 12:42:59 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D2A6@listserv.fnal.gov>; Mon, 02 Apr 2001 12:42:59 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with 
ESMTP id <0GB6008NNEJNT6@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 12:42:59 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA25196; Mon, 02 Apr 2001 12:42:59 -0500 (CDT) Date: Mon, 02 Apr 2001 12:42:59 -0500 From: Matt Crawford Subject: Re: Problem with Reflection Kerberos this morning? In-reply-to: "02 Apr 2001 12:27:31 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Jack.Schmidt@fnal.gov Cc: "Kerberos-Pilot@Fnal. Gov" Message-id: <200104021742.MAA25196@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1110 I looked in my email logs for last October and last April and I don't see any flurry of email about time-related Kerberos problems. I'm suspecting that some SP maybe changed the UTC <--> Local time conversion interface, thereby raping all the third party software vendors yet again. But then, I'm a cynic. From kreymer@fnal.gov Mon Apr 2 13:24:28 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA11451 for ; Mon, 2 Apr 2001 13:24:28 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600K34GGR4X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 13:24:28 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D383@listserv.fnal.gov>; Mon, 02 Apr 2001 13:24:27 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 101178 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 13:24:27 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D382@listserv.fnal.gov>; Mon, 02 Apr 2001 13:24:27 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov 
(PMDF V6.0-24 #37519) with ESMTP id <0GB600B3KGGQLZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 13:24:26 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA25449; Mon, 02 Apr 2001 13:24:26 -0500 (CDT) Date: Mon, 02 Apr 2001 13:24:26 -0500 From: Matt Crawford Subject: Re: Problem with Reflection Kerberos this morning? In-reply-to: "02 Apr 2001 12:27:31 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Jack.Schmidt@fnal.gov Cc: "Kerberos-Pilot@Fnal. Gov" Message-id: <200104021824.NAA25449@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1111 Checking some newsgroups, I have found that two more non-Microsoft Windows Kerberos packages, other than WRQ and Exceed, which are having the same problem today. From kreymer@fnal.gov Mon Apr 2 13:45:12 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA11467 for ; Mon, 2 Apr 2001 13:45:12 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600L4LHFA45@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Apr 2001 13:45:12 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D3F2@listserv.fnal.gov>; Mon, 02 Apr 2001 13:45:10 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 101301 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 02 Apr 2001 13:45:10 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011D3EF@listserv.fnal.gov>; Mon, 02 Apr 2001 13:45:10 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB600I8QHF8RA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT 
kerberos-pilot@fnal.gov); Mon, 02 Apr 2001 13:45:09 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 02 Apr 2001 13:45:08 -0500 Content-return: allowed Date: Mon, 02 Apr 2001 13:45:01 -0500 From: ARSystem Subject: CRAWFORD, MATT #17477 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76149A14@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1112 Thank you for your assistance. Help Desk ticket #000000000017477 has been resolved on 4/2/01 1:39:59 PM Resolution Timestamp: : 4/2/01 1:37:52 PM Solution Category : Service Request Problem Category : Software Item : Kerberos Type : Utilities Short Description : Client not found in Kerberos database while getting initial credentials Solution : That message turned out to be a bit of a red herring > > > What does the eoor message mean? and why are we not authenitcated to > > login? > > > > D0mino and d0ora output folows: > > [...] > > d0mino> telnet -l toolman d0ora3.fnal.gov > > Trying 131.225.222.6... > > Connected to d0ora3.fnal.gov (131.225.222.6). > > Escape character is '^]'. > > [ Kerberos V5 accepts you as ``boyd/root@PILOT.FNAL.GOV'' ] > > Kerberos V5: error getting forwarded creds - KDC can't fulfill > > requested option > > Ah! That's the real error! You remembered to tell kinit not to ask > for a forwardable ticket, but you forgot to tell telnet not to > forward the ticket! And then this ... > > > login: Client not found in Kerberos database while getting initial > > credentials > > Login incorrect > > Is just because it tried to fall back to cryptocard mode, but there > is no cryptocard entry for boyd/root. > > Add "-N" to your telnet command. Problem Description : Please log a call with the kerberos support people. 
on d0mino did kinit -F boyd/root@PILOT.FNAL.GOV then telnet -l toolman d0ora1 and get "Client not found in Kerberos database while getting initial credentials" This does not seem to happen with non root principals or with accounts similar to toolman on d0ora3. What does the eoor message mean? and why are we not authenitcated to login? D0mino and d0ora output folows: d0mino> klist Ticket cache: /tmp/krb5cc_ttyu8 Default principal: boyd/root@PILOT.FNAL.GOV Valid starting Expires Service principal 03/28/01 13:53:16 03/28/01 16:53:16 krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV 03/28/01 13:53:49 03/28/01 16:53:16 host/d0mino.fnal.gov@PILOT.FNAL.GOV 03/28/01 13:54:43 03/28/01 16:53:16 host/d0ora3.fnal.gov@PILOT.FNAL.GOV d0mino> telnet -l toolman d0ora3.fnal.gov Trying 131.225.222.6... Connected to d0ora3.fnal.gov (131.225.222.6). Escape character is '^]'. [ Kerberos V5 accepts you as ``boyd/root@PILOT.FNAL.GOV'' ] Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option login: Client not found in Kerberos database while getting initial credentials Login incorrect login: Connection closed by foreign host. 
d0mino> date
Wed Mar 28 14:48:56 CST 2001
# hostname
d0ora3
# cat ~toolman/.k5login
nelly@PILOT.FNAL.GOV
diana@PILOT.FNAL.GO
diana/root@PILOT.fnal.gov
jtrumbo@PILOT.fnal.gov
akumar@PILOT.fnal.gov
kurt@PILOT.fnal.gov
boyd/root@PILOT.fnal.gov

--
Kurt Ruthmansdorfer                       WH6W 6.15
Fermi National Accelerator Lab; ms 234    kurt@fnal.fnal.gov
PO Box 500 Batavia, Il 60510-0500

From kreymer@fnal.gov Mon Apr 2 14:00:52 2001 -0500
Date: Mon, 02 Apr 2001 14:00:50 -0500
From: Matt Crawford
Subject: MS bug in start date of DST this year
To: kerberos-pilot@fnal.gov, helpdesk@fnal.gov, schmidt@fnal.gov
Cc: "....................."
Message-id: <200104021900.OAA25662@gungnir.fnal.gov>

Apparently Windows at some point believed that DST starts on a Sunday
in April with a date *greater than 1*.

microsoft.public.windowsnt.apps:
================
Microsoft has a self extracting executable for it...

Reza

"Jim Steinberg" wrote in message
news:tch290n7n2i9f7@corp.supernews.com...
> Has anyone noticed a problem with Visual c/c++ regarding
> daylight savings and the use of the call 'localtime'?
> It appears that it thinks DST starts April 8, not April 1
================

http://www.zdnet.com/zdnn/stories/news/0,4586,2702929,00.html?&_ref=551105044

April Fool!: Timing's right for a bug

By Bob Sullivan
MSNBC
March 30, 2001 4:50 AM PT

As if Sunday morning won't already be hard enough for the
Daylight-Savings-Time challenged (is it spring ahead/fall back or
spring back/fall ahead?), a computer glitch might add to the clock
confusion.

A two-year-old bug in Microsoft software will finally hit this Sunday,
as some software won't correctly spring ahead to the new time. Major
problems are not expected, but some minor annoyances --like failure of
hotel wake-up call systems--could surface.

Noted cybersleuth Richard Smith, now chief technology officer of
PrivacyFoundation.org, found the bug in January of 1999, but Microsoft
officials say it was introduced into software back in 1995.

It's a quirky bug. Basically, some Windows-based programs become
confused when Daylight Savings Time kicks off on April 1, creating an
accidental April Fool's joke. For the following week, all software
impacted will be one hour behind the correct time. On Sunday April 8,
the problem corrects itself.

Since the bug was discovered so long ago, most systems have since been
patched. But there is the possibility that so-called embedded systems,
which are not networked and have no way to receive updates, might
encounter the problem this weekend.

In a "reminder" note to developers sent out Thursday, Smith suggested
there might be pesky problems in airport arrival and departure time
monitors, transportation scheduling screens, worker punch clocks or
hotel wake-up systems.

In other words, travelers might wake up late for church on Sunday; and
hotel desks might get some complaints from customers that wake-up calls
were late.

But even Smith isn't sure just how many of these problems will crop up.

"My crystal ball is very fuzzy as to whether this bug is going to cause
any problems or not," Smith said in his note.

Besides, aren't people used to waking up confused on Daylight Savings
Time morning?

"Yea, if your wake-up system doesn't work, it's not like you needed
that excuse anyway, you already have one," said Russ Cooper, who
moderates a popular Windows bug mailing list. Cooper downplayed the
impact of the bug, too.

"Ninety-eight percent of all computers--maybe 99 percent--that have
monitors or keyboards won't be affected," he said.

The source of the problem is the way certain programs figure out what
time it is. Programmers can choose to have their software ask the
computer's operating system for the time, or they can ask other
software to compute the time. If the program was written using
Microsoft's Visual C++, the programmer might have employed the time
function in the Visual C++ Runtime Library - and that's where the bug
is.

Two years ago, Smith said, there were "tons" of programs utilizing the
faulty clock, including Microsoft's Internet Explorer.

But since then, most software has since been updated and reinstalled,
and won't exhibit the bug.

"It's not like desktops will have the wrong time," Cooper said. "And I
can't think of a critical system that could be affected by this. It's
pretty much a ho-hummer."
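An added example (C, written for this archive; not code from the thread, from WRQ, or from Microsoft) showing the arithmetic behind the bug Matt describes and why it matters for Kerberos: the US rule in force in 2001 (DST begins on the first Sunday in April), a constructed variant that reproduces the reported symptom (April 8 taken as the start instead of April 1) and is not the actual Visual C++ runtime code, and a clock-skew check. The 300 s tolerance is the MIT Kerberos default clockskew, which is an assumption added here, not something the thread states.

```c
/* Added example (not from the mailing-list thread): why a DST start-date
 * error in a C runtime's localtime() breaks Kerberos authentication.
 * US rule in force in 2001: DST begins on the first Sunday in April.
 * dst_start_day_buggy() is a constructed illustration of the symptom the
 * thread describes (DST taken to start April 8 rather than April 1 in
 * 2001); it is not the actual Microsoft CRT code. */
#include <stdio.h>
#include <stdlib.h>

/* Day of week for a Gregorian date, 0 = Sunday (Sakamoto's method). */
int day_of_week(int y, int m, int d)
{
    static const int t[] = {0, 3, 2, 5, 0, 3, 5, 1, 4, 6, 2, 4};
    if (m < 3)
        y -= 1;
    return (y + y / 4 - y / 100 + y / 400 + t[m - 1] + d) % 7;
}

/* Correct pre-2007 US rule: day-of-month of the first Sunday in April. */
int dst_start_day_correct(int year)
{
    int dow = day_of_week(year, 4, 1);
    return 1 + (7 - dow) % 7;       /* April 1 itself when it is a Sunday */
}

/* Constructed reproduction of the reported symptom: without the modulo,
 * the start lands a full week late whenever April 1 is a Sunday, which is
 * exactly "a Sunday in April with a date greater than 1". */
int dst_start_day_buggy(int year)
{
    int dow = day_of_week(year, 4, 1);
    return 1 + (7 - dow);           /* 8 when April 1 is a Sunday */
}

/* Hours by which a program using the buggy rule lags true local time on a
 * given April date: 1 during the mis-handled week, otherwise 0. */
int hours_behind(int year, int april_day)
{
    int good = dst_start_day_correct(year);
    int bad = dst_start_day_buggy(year);
    return (april_day >= good && april_day < bad) ? 1 : 0;
}

/* Kerberos rejects an authenticator whose timestamp differs from the KDC's
 * clock by more than the permitted skew (assumed MIT default: 300 s), so a
 * one-hour client error fails authentication even with valid credentials. */
int kerberos_clock_ok(long skew_seconds, long max_skew_seconds)
{
    return labs(skew_seconds) <= max_skew_seconds;
}

int main(void)
{
    int year;
    for (year = 1999; year <= 2001; year++)
        printf("%d: DST starts April %d (correct), April %d (buggy)\n",
               year, dst_start_day_correct(year), dst_start_day_buggy(year));
    /* Monday 2 April 2001: the day the thread was written. */
    printf("2 Apr 2001: client %d h behind; Kerberos accepts: %s\n",
           hours_behind(2001, 2),
           kerberos_clock_ok(hours_behind(2001, 2) * 3600L, 300) ? "yes" : "no");
    return 0;
}
```

Only 2001 among the years shown has April 1 falling on a Sunday, which is why a bug found in January 1999 did not bite until this week.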
From kreymer@fnal.gov Mon Apr 2 15:46:21 2001 -0500
Date: Mon, 02 Apr 2001 15:46:01 -0500
From: Dane Skow
Subject: problems with cryptocard fallback this AM on d0mino
To: kerberos-pilot@fnal.gov, d0-admin@fnal.gov
Cc: HELPDESK
Reply-to: Dane Skow
Message-id: <000501c0bbb5$ee392110$e052e183@oss56304>
Organization: Fermilab

This morning I was thinking I had a fallback as well to use the
CryptoCard from my NT box onto d0mino so I felt somewhat reassured.
However, I tried to use it and ran into the following problems:

(laptop in FNAL domain running Windows 2000)

1) telnet from the cmd screen get the following error message

U:\>telnet d0mino
Connecting to d0mino...Could not open a connection to host: Connect failed

2) F-Secure SSH
The connect screen asks for host and password together. If you leave
the password blank, it does not prompt you from the machine. I get a
"login incorrect" error window and that's it.

(With the clock fix, WRQ telnet into d0mino works fine from the same
machine so I don't think it's a network/service block.)

How SHOULD a person have gotten around with a CryptoCard until the
clock workaround was found? IS there a known solution?

(I'm presuming the clocks don't need to be synced for CryptoCard. Is
this correct?)

dane

From kreymer@fnal.gov Mon Apr 2 15:53:10 2001 -0500
Date: Mon, 02 Apr 2001 15:53:07 -0500
From: Jack Schmidt
Subject: RE: MS bug in start date of DST this year
In-reply-to: <200104021900.OAA25662@gungnir.fnal.gov>
To: Matt Crawford, kerberos-pilot@fnal.gov, helpdesk@fnal.gov
Reply-to: Jack.Schmidt@fnal.gov

There is a technet note out on this but it's not very helpful since we
can't fix it. The WRQ people are working on the problem and as soon as
we get a fix we will let everyone know.

http://support.microsoft.com/support/kb/articles/Q214/6/61.ASP

Jack

> -----Original Message-----
> From: owner-kerberos-pilot@listserv.fnal.gov
> [mailto:owner-kerberos-pilot@listserv.fnal.gov]On Behalf Of Matt
> Crawford
> Sent: Monday, April 02, 2001 2:01 PM
> To: kerberos-pilot@fnal.gov; helpdesk@fnal.gov; schmidt@fnal.gov
> Cc: .....................
> Subject: MS bug in start date of DST this year
>
> Apparently Windows at some point believed that DST starts on a Sunday
> in April with a date *greater than 1*.
>
> microsoft.public.windowsnt.apps:
> ================
> Microsoft has a self extracting executable for it...
>
> Reza
>
> "Jim Steinberg" wrote in message
> news:tch290n7n2i9f7@corp.supernews.com...
> > Has anyone noticed a problem with Visual c/c++ regarding
> > daylight savings and the use of the call 'localtime'?
From kreymer@fnal.gov Mon Apr 2 16:07:05 2001 -0500
Date: Mon, 02 Apr 2001 16:07:03 -0500
From: Matt Crawford
Subject: Re: problems with cryptocard fallback this AM on d0mino
In-reply-to: "02 Apr 2001 15:46:01 CDT." <000501c0bbb5$ee392110$e052e183@oss56304>
To: Dane Skow
Cc: kerberos-pilot@fnal.gov, d0-admin@fnal.gov, HELPDESK
Message-id: <200104022107.QAA26942@gungnir.fnal.gov>

> This morning I was thinking I had a fallback as well to use the
> CryptoCard from my NT box onto d0mino so I felt somewhat reassured.
> However, I tried to use it and ran into the following problems:
>
> (laptop in FNAL domain running Windows 2000)
>
> 1) telnet from the cmd screen get the following error message
>
> U:\>telnet d0mino
> Connecting to d0mino...Could not open a connection to host: Connect failed
> ...
>
> (With the clock fix, WRQ telnet into d0mino works fine from the same
> machine so I don't think it's a network/service block.)

When you type "telnet", are you running the Windows telnet or the WRQ
telnet?

> 2) F-Secure SSH
> The connect screen asks for host and password together. If you leave
> the password blank, it does not prompt you from the machine. I get a
> "login incorrect" error window and that's it.

I do not think d0mino is running the cryptocard-capable sshd.

From kreymer@fnal.gov Mon Apr 2 16:14:47 2001 -0500
Date: Mon, 02 Apr 2001 16:14:24 -0500
From: Alan M Jonckheere
Subject: Re: MS bug in start date of DST this year
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, helpdesk@fnal.gov, schmidt@fnal.gov
Message-id: <3AC8F9C0.465F3465@fnal.gov>
Organization: D0 at Fermilab
References: <200104021900.OAA25662@gungnir.fnal.gov>

Thank you. That's more like it.

Matt Crawford wrote:
>
> Apparently Windows at some point believed that DST starts on a Sunday
> in April with a date *greater than 1*.

From kreymer@fnal.gov Mon Apr 2 16:42:50 2001 -0500
Date: Mon, 02 Apr 2001 16:42:47 -0500 (CDT)
From: Dane Skow
Subject: Re: problems with cryptocard fallback this AM on d0mino
In-reply-to: <200104022107.QAA26942@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, d0-admin@fnal.gov, HELPDESK

On Mon, 2 Apr 2001, Matt Crawford wrote:

> > 1) telnet from the cmd screen get the following error message
> >
> > U:\>telnet d0mino
> > Connecting to d0mino...Could not open a connection to host: Connect failed
> > ...
> >
> > (With the clock fix, WRQ telnet into d0mino works fine from the same
> > machine so I don't think it's a network/service block.)
>
> When you type "telnet", are you running the Windows telnet or the WRQ
> telnet?

In this case, I was using the Windows telnet since I wanted to test
back doors that people might use as a fallback. I did not try to
redefine a new login for WRQ.

> > 2) F-Secure SSH
> > The connect screen asks for host and password together. If you leave
> > the password blank, it does not prompt you from the machine. I get a
> > "login incorrect" error window and that's it.
>
> I do not think d0mino is running the cryptocard-capable sshd.
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Apr 2 16:56:17 2001 -0500
Date: Mon, 02 Apr 2001 16:56:15 -0500
From: Matt Crawford
Subject: Re: problems with cryptocard fallback this AM on d0mino
In-reply-to: "02 Apr 2001 16:42:47 CDT."
To: Dane Skow
Cc: kerberos-pilot@fnal.gov, d0-admin@fnal.gov, HELPDESK
Message-id: <200104022156.QAA27422@gungnir.fnal.gov>

> > > 1) telnet from the cmd screen get the following error message
> > >
> > > U:\>telnet d0mino
> > > Connecting to d0mino...Could not open a connection to host: Connect failed
> > > ...
> > > (With the clock fix, WRQ telnet into d0mino works fine from the same
> > > machine so I don't think it's a network/service block.)
> >
> > When you type "telnet", are you running the Windows telnet or the WRQ
> > telnet?
>
> In this case, I was using the Windows telnet ...

Then there's no Kerberos-based explanation for failure to connect.
You'd have to suppose there was one (or more of) the following
problems:

  a transient failure of inetd on d0mino
  a transient packet routing failure
  a problem with the native windows telnet program or the
    name-to-address service it uses.

Every kind of telnet I can try, including Windows telnet from a DOS
box, works fine to d0mino right now.

From kreymer@fnal.gov Mon Apr 2 17:08:08 2001 -0500
Date: Mon, 02 Apr 2001 17:08:05 -0500 (CDT)
From: Dane Skow
Subject: Re: problems with cryptocard fallback this AM on d0mino
In-reply-to: <200104022156.QAA27422@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, d0-admin@fnal.gov, HELPDESK

On Mon, 2 Apr 2001, Matt Crawford wrote:

> > In this case, I was using the Windows telnet ...
>
> Then there's no Kerberos-based explanation for failure to connect.
> You'd have to suppose there was one (or more of) the following
> problems:
>
>   a transient failure of inetd on d0mino
>   a transient packet routing failure
>   a problem with the native windows telnet program or the
>     name-to-address service it uses.
>
> Every kind of telnet I can try, including Windows telnet from a DOS
> box, works fine to d0mino right now.

Well, I was COMPLETELY accurate when I copied down the screen: "telnet
d0mino" continues to fail but "telnet d0mino.fnal.gov" works. DNS
problem on my machine. False alarm. Sorry.
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Apr 2 21:34:12 2001 -0500
Date: Mon, 02 Apr 2001 21:34:00 -0500
From: Al Lilianstrom
Subject: Reflection Kerberos problems
To: kerberos-pilot@fnal.gov
Message-id: <3AC93698.61C4197D@fnal.gov>

I opened a trouble call with WRQ about this problem and it is the
Microsoft bug. They are working on a fix for Reflection to deal with
the MS bug. As a workaround that does not affect the time of things
like mail (which the previous DST fix changes) they suggest the
following:

--
Set the PC's Time zone, in Date/Time Properties, to a zone that does
not observe daylight savings (as evidenced by the "Automatically adjust
clock for daylight savings time changes" field either being dimmed or
absent,) and one hour ahead of your current time zone (thus making the
time in your current zone identical to the target time zone.)

For the main US time zones this would be:

  Pacific  -> Arizona
  Mountain -> Saskatchewan
  Central  -> Bogota, Lima, Quito
  Eastern  -> Caracas, La Paz
  Atlantic -> Buenos Aires, Georgetown

Alaska has no such qualifying time zone setting, so the only
alternative is to set the PC clock back one hour, log in to the
host(s), then set the PC clock back to the correct time.
--

I set my timezone to Central -> Bogota, Lima, Quito and the time was
correct. I was also able to use the Reflection Kerberos Manager to get
a ticket.

al

From kreymer@fnal.gov Tue Apr 3 07:20:25 2001 -0500
Date: Tue, 03 Apr 2001 07:20:24 -0500
From: Glenn Cooper
Subject: Re: fkw.lns.mit.edu/cdfpca
To: Art Kreymer
Cc: Steve Pavlon, cdfsys@fnal.gov, cdfcode@fnal.gov
Reply-to: gcooper@fnal.gov

This (/cdf/home) will happen as soon as Yolanda creates accounts for
Steve on fcdfsgi2 and fcdfsun1. That was held up by the expired-ID
problem, so it should come through fairly soon now.

I'm reasonably certain that using an MIT principal won't work, as the
lab has not (yet) set up any kind of trusted realm relationship with
other places.

Glenn

On Mon, 2 Apr 2001, Art Kreymer wrote:

> cdfsys - please create a /cdf/home/pavlon home area for Steve Pavlon.
>
> Steve - We no longer provide password access to cdfpca,
> we're kerberized there, though we do still allow ssh access.
> But your /cdf/home/area does not exist so this is moot.
>
> As soon as there's a /cdf/home/pavlon,
> I will put in a .shosts entry to allow you into cdfpca,
> pending your kerberos credential.
> I could also put in a .k5login entry for your MIT principal...
> not sure whether this works, though.
From kreymer@fnal.gov Tue Apr 3 11:06:30 2001 -0500
Date: Tue, 03 Apr 2001 10:06:25 -0600
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: Reflection Kerberos problems
To: Al Lilianstrom
Cc: kerberos-pilot@fnal.gov
Message-id: <3ACA0311.D35FD99C@fnal.gov>
Organization: Fermi National Accelerator Lab
References: <3AC93698.61C4197D@fnal.gov>

THANK YOU! This is an acceptable solution -- it doesn't screw up my
calendar by an hour and it lets me authenticate. THANK YOU!

Al Lilianstrom wrote:
>
> I opened a trouble call with WRQ about this problem and it is the
> Microsoft bug.
> They are working on a fix for Reflection to deal with the
> MS bug. As a workaround that does not affect the time of things like
> mail (which the previous DST fix changes) they suggest the following;
>
> --
> Set the PC's Time zone, in Date/Time Properties, to a zone that does not
> observe daylight savings (as evidenced by the "Automatically adjust
> clock for daylight savings time changes" field either being dimmed or
> absent,) and one hour ahead of your current time zone (thus making the
> time in your current zone identical to the target time zone.)
>
> For the main US time zones this would be:
>
> Pacific -> Arizona
> Mountain -> Saskatchewan
> Central -> Bogota, Lima, Quito
> Eastern -> Caracas, La Paz
> Atlantic -> Buenos Aires, Georgetown
>
> Alaska has no such qualifying time zone setting, so the only alternative
> is to set the PC clock back one hour, log in to the host(s), then set
> the PC clock back to the correct time. --
>
> I set my timezone to Central -> Bogota, Lima, Quito and the time was
> correct. I was also able to use the Reflection Kerberos Manager to get a
> ticket.
>
> al

From kreymer@fnal.gov Tue Apr 3 11:56:23 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA26490 for ; Tue, 3 Apr 2001 11:56:23 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800A0R71XBC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Apr 2001 11:56:23 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E0FB@listserv.fnal.gov>; Tue, 03 Apr 2001 11:56:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105040 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 03 Apr 2001 11:56:22 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E0FA@listserv.fnal.gov>; Tue, 03 Apr 2001 11:56:22 -0500
Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GB800A0171XL5@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 11:56:21 -0500 (CDT)
Received: from kaon1.physics.Arizona.EDU ([128.196.188.246]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800A0N71WBC@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 11:56:21 -0500 (CDT)
Received: from kaon1.physics.Arizona.EDU (elliott@localhost) by kaon1.physics.Arizona.EDU (8.9.1a/8.9.1a) with ESMTP id JAA21335 for ; Tue, 03 Apr 2001 09:56:20 -0700 (MST)
Date: Tue, 03 Apr 2001 09:56:20 -0700
From: Elliott Cheu
Subject: kerberos installation.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200104031656.JAA21335@kaon1.physics.Arizona.EDU>
Status: RO
X-Status:
X-Keywords:
X-UID: 1124

Hi,

Two things:

I tried installing kerberos v1.0 on a DEC alpha running OSF1.
I found that there was a missing bracket in the installation script. After inserting this "}", I was able to install kerberos.

However, this installation has broken our backups which use rsh. So, I would like to uninstall kerberos on this machine and reinstall it on another machine. I cannot find a means for uninstalling it. Does this exist? Or, do I have to do it by hand?

Thanks.

Elliott Cheu

From kreymer@fnal.gov Tue Apr 3 12:36:12 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA26675 for ; Tue, 3 Apr 2001 12:36:12 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800AC08WBQ1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Apr 2001 12:36:12 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E1B4@listserv.fnal.gov>; Tue, 03 Apr 2001 12:36:11 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105256 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 03 Apr 2001 12:36:11 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E1B3@listserv.fnal.gov>; Tue, 03 Apr 2001 12:36:11 -0500
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800ABW8WAQ1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 12:36:10 -0500 (CDT)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA18135; Tue, 03 Apr 2001 12:36:10 -0500
Date: Tue, 03 Apr 2001 12:36:09 -0500 (CDT)
From: Steven Timm
Subject: Re: kerberos installation.
In-reply-to: <200104031656.JAA21335@kaon1.physics.Arizona.EDU>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Elliott Cheu
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1125

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 3 Apr 2001, Elliott Cheu wrote:

> Hi,
>
> Two things:
>
> I tried installing kerberos v1.0 on a DEC alpha running
> OSF1. I found that there was a missing bracket in the
> installation script. After inserting this "}", I was
> able to install kerberos.

Thanks for pointing this out... I will forward this bug report to the appropriate people.

>
> However, this installation has broken our backups which use
> rsh. So, I would like to uninstall kerberos on this machine
> and reinstall it on another machine. I cannot find a means
> for uninstalling it. Does this exist? Or, do I have to do
> it by hand?
>

You have to do it by hand. The original inetd.conf and services files on your machine should have been backed up by the install process. Just move them back into place, and do kill -HUP on your inetd.

Off site you are allowed to do ups install-keep-ssh kerberos which would still allow access into your off-site machine by unkerberized ssh if you want.

Steve

> Thanks.
>
> Elliott Cheu
>

From kreymer@fnal.gov Tue Apr 3 13:03:43 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26702 for ; Tue, 3 Apr 2001 13:03:43 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800BKVA66OM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Apr 2001 13:03:43 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E222@listserv.fnal.gov>; Tue, 03 Apr 2001 13:03:42 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105378 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 03 Apr 2001 13:03:42 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E221@listserv.fnal.gov>; Tue, 03 Apr 2001 13:03:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800BDRA65XQ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 13:03:41 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA04750; Tue, 03 Apr 2001 13:03:41 -0500 (CDT)
Date: Tue, 03 Apr 2001 13:03:41 -0500
From: Matt Crawford
Subject: Re: kerberos installation.
In-reply-to: "03 Apr 2001 12:36:09 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: Elliott Cheu , kerberos-pilot@fnal.gov
Message-id: <200104031803.NAA04750@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1126

> > I tried installing kerberos v1.0 on a DEC alpha running
> > OSF1. I found that there was a missing bracket in the
> > installation script. After inserting this "}", I was
> > able to install kerberos.

In install.pl?
I don't see how all other installers of Kerberos could have missed that. Could you point me to the right file and line, please?

> > However, this installation has broken our backups which use
> > rsh. So, I would like to uninstall kerberos on this machine
> > and reinstall it on another machine. I cannot find a means
> > for uninstalling it. Does this exist? Or, do I have to do
> > it by hand?
>
> You have to do it by hand. The original inetd.conf and services
> files on your machine should have been backed up by the install
> process. Just move them back into place, and do kill -HUP
> on your inetd.

You don't need to worry about services, even though it was changed by the installation. Just move back or re-edit inetd.conf and send the SIGHUP as Steve said. Then you can figure out what to do to make your backups secure.

From kreymer@fnal.gov Tue Apr 3 13:15:06 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA26708 for ; Tue, 3 Apr 2001 13:15:06 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800BFEAP5BJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Apr 2001 13:15:06 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E24A@listserv.fnal.gov>; Tue, 03 Apr 2001 13:15:05 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105422 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 03 Apr 2001 13:15:05 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E249@listserv.fnal.gov>; Tue, 03 Apr 2001 13:15:05 -0500
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB800CCTAP5D1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT
kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 13:15:05 -0500 (CDT)
Date: Tue, 03 Apr 2001 13:15:04 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: kerberos installation.
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Elliott Cheu
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1127

Also, you might want to look at
http://www.fnal.gov/docs/products/fmb/kerberos_and_fmb.html

Marc

> However, this installation has broken our backups which use
> rsh. So, I would like to uninstall kerberos on this machine
> and reinstall it on another machine. I cannot find a means
> for uninstalling it. Does this exist? Or, do I have to do
> it by hand?

From kreymer@fnal.gov Tue Apr 3 17:35:19 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA27194 for ; Tue, 3 Apr 2001 17:35:19 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB8006IBMQUQX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Apr 2001 17:35:19 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E709@listserv.fnal.gov>; Tue, 03 Apr 2001 17:35:19 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 106773 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 03 Apr 2001 17:35:19 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011E708@listserv.fnal.gov>; Tue, 03 Apr 2001 17:35:18 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB8006JTMQUHB@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 03 Apr 2001 17:35:18 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost
[127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id RAA06823 for ; Tue, 03 Apr 2001 17:35:17 -0500 (CDT)
Date: Tue, 03 Apr 2001 17:35:17 -0500
From: Matt Crawford
Subject: news from WRQ
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id: <200104032235.RAA06823@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1128

"A WRQ patch should be available from our download website download.wrq.com tomorrow 4/4."

Of course on 4/8 it becomes moot until 2007.

From kreymer@fnal.gov Wed Apr 4 03:17:06 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id DAA00977 for ; Wed, 4 Apr 2001 03:17:05 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB90040IDOFIM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 04 Apr 2001 03:17:05 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EA12@listserv.fnal.gov>; Wed, 04 Apr 2001 03:17:03 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 107660 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 04 Apr 2001 03:17:03 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EA11@listserv.fnal.gov>; Wed, 04 Apr 2001 03:17:03 -0500
Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GB900401DOFPG@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 03:17:03 -0500 (CDT)
Received: from phya.snu.ac.kr ([147.46.43.30]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB90028WDOA44@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 03:17:03 -0500 (CDT)
Received: from mulli.snu.ac.kr (mulli.snu.ac.kr [147.46.43.3])
by phya.snu.ac.kr (8.9.3/8.9.3) with ESMTP id RAA06677 for ; Wed, 04 Apr 2001 17:12:04 +0900 (KST)
Date: Wed, 04 Apr 2001 17:17:24 +0900 (KST)
From: Koo Ja-Wook
Subject: Some errors on setup kerberos
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender: arcris@mulli.snu.ac.kr
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1129

Hi,

I've finished installing kerberos on my linux machine. I could get a ticket using kinit. But I couldn't use kerberized machine on FNAL. I think the reason is that my local machine ID (which I logged in) and my FNAL machine ID (which I got a ticket) isn't the same. When I tested with a new ID which is the same with FNAL machine ID, I could use kerberized machine.

How can I use kerberized machine with my local machine ID?

Thanks,
Ja-Wook.

From kreymer@fnal.gov Wed Apr 4 08:58:12 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA13523 for ; Wed, 4 Apr 2001 08:58:12 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900CCYTGZT9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 04 Apr 2001 08:58:12 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011ED27@listserv.fnal.gov>; Wed, 04 Apr 2001 08:58:12 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108479 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 04 Apr 2001 08:58:11 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011ED26@listserv.fnal.gov>; Wed, 04 Apr 2001 08:58:11 -0500
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900CDNTGYT3@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov
(ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 08:58:11 -0500 (CDT)
Date: Wed, 04 Apr 2001 08:58:08 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Not working again -- but it was working yesterday?!?!
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3ACB2870.7E11C23@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200104032235.RAA06823@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1130

This morning things are even stranger than on Monday.

I am able to authenticate using the Reflection/Kerberos Manager menu. But, when I try to connect to another node (d0ora1 and d0ora3 are the two I tried), using the HOST - Digital/Unix VT tool, I get an error message

Difference between expected and actual ticket time is too great (KDC037)

I have re-synched my clock (using the WRQ "TimeSynch" tool), I have tried both the "Bogota/Lima" time zone (which was working yesterday) and CST.

Now what's the problem?!?!?! Coming from node nargothrond.fnal.gov, where I have a ticket valid until 8:53:13AM Thursday April 05, 2001.
-- lauri

From kreymer@fnal.gov Wed Apr 4 09:17:11 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA13988 for ; Wed, 4 Apr 2001 09:17:11 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900CI2UCLT3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 04 Apr 2001 09:17:10 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011ED89@listserv.fnal.gov>; Wed, 04 Apr 2001 09:17:10 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108591 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 04 Apr 2001 09:17:10 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011ED88@listserv.fnal.gov>; Wed, 04 Apr 2001 09:17:10 -0500
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900CFCUCLTL@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 09:17:09 -0500 (CDT)
Date: Wed, 04 Apr 2001 09:17:06 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: Not working again -- but it was working yesterday?!?!
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford , kerberos-pilot@fnal.gov
Message-id: <3ACB2CE2.2AB3A793@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200104032235.RAA06823@gungnir.fnal.gov> <3ACB2870.7E11C23@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1131

Well, for whatever reason, it's working again now.
I didn't change anything except the order in which I tweaked things -- and connecting from a brand new VT connection rather than the one that I had opened yesterday (successfully) but which was disconnected (thank you Dave Fagan) over night.

Sigh.

-- lauri

"Laurelin of Middle Earth, 630-840-2214" wrote:
>
> This morning things are even stranger than on Monday.
>
> I am able to authenticate using the Reflection/Kerberos
> Manager menu. But, when I try to connect to another
> node (d0ora1 and d0ora3 are the two I tried), using the
> HOST - Digital/Unix VT tool, I get an error message
>
> Difference between expected and actual
> ticket time is too great (KDC037)
>
> I have re-synched my clock (using the WRQ "TimeSynch"
> tool), I have tried both the "Bogota/Lima" time zone
> (which was working yesterday) and CST.
>
> Now what's the problem?!?!?! Coming from node
> nargothrond.fnal.gov, where I have a ticket valid
> until 8:53:13AM Thursday April 05, 2001.
>
> -- lauri

From kreymer@fnal.gov Wed Apr 4 09:51:03 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA14199 for ; Wed, 4 Apr 2001 09:51:03 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900CRBVX0T3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 04 Apr 2001 09:51:02 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EDF8@listserv.fnal.gov>; Wed, 04 Apr 2001 09:51:01 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108711 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 04 Apr 2001 09:51:01 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EDF7@listserv.fnal.gov>; Wed, 04 Apr 2001 09:51:01 -0500
Received: from b0rv11.fnal.gov ([131.225.232.239]) by
smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GB900COEVX0TH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 09:51:00 -0500 (CDT)
Received: from localhost (gcooper@localhost) by b0rv11.fnal.gov (950413.SGI.8.6.12/950213.SGI.AUTOCF) via ESMTP id JAA24929; Wed, 04 Apr 2001 09:50:51 -0500
Date: Wed, 04 Apr 2001 09:50:51 -0500
From: Glenn Cooper
Subject: Re: Some errors on setup kerberos
In-reply-to:
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Koo Ja-Wook
Cc: kerberos-pilot@fnal.gov
Reply-to: gcooper@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1132

Hi,

Use "telnet -l [fermi_username] [node_at_fermi]". Otherwise, telnet tries to log you in as your local username, which of course won't work on the Fermi machine.

Cheers,
Glenn

On Wed, 4 Apr 2001, Koo Ja-Wook wrote:

> Hi,
>
> I've finished installing kerberos on my linux machine.
> I could get a ticket using kinit. But I couldn't use kerberized machine
> on FNAL. I think the reason is that my local machine ID (which I logged
> in) and my FNAL machine ID (which I got a ticket) isn't the same.
> When I tested with a new ID which is the same with FNAL machine ID, I
> could use kerberized machine.
> How can I use kerberized machine with my local machine ID?
>
> Thanks,
> Ja-Wook.
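Returning to the Reflection time-zone thread above: the KDC037 message Lauri quotes ("Difference between expected and actual ticket time is too great") is the KDC's clock-skew check, and the workaround Al relays (a no-DST zone one hour ahead of your standard zone) works because it gives the OS the same UTC offset that daylight time would. The following model is an added example, not code from the mailing list, from WRQ Reflection or from Fermi Kerberos. It assumes a 300-second tolerance (MIT krb5's default clockskew) and models the unnamed Microsoft bug as the OS converting wall-clock time to UTC with the standard-time offset while the clock itself shows correct daylight time; both are assumptions for illustration. The zone table is the list from Al's message with each zone's standard UTC offset.

```python
"""Why a one-hour zone error trips the Kerberos skew check, and why the
no-DST-zone workaround from the thread satisfies it.

Added example; assumptions (KDC tolerance, how the bug is modelled) are
stated in the comments below and are not claims about the real products.
"""
from datetime import datetime, timedelta, timezone

CLOCKSKEW = timedelta(minutes=5)  # assumed KDC tolerance (MIT krb5 default: 300 s)

# Windows zone names from Al's list -> (standard UTC offset in hours, observes DST).
ZONES = {
    "Pacific": (-8, True), "Mountain": (-7, True), "Central": (-6, True),
    "Eastern": (-5, True), "Atlantic": (-4, True), "Alaska": (-9, True),
    "Arizona": (-7, False), "Saskatchewan": (-6, False),
    "Bogota, Lima, Quito": (-5, False), "Caracas, La Paz": (-4, False),
    "Buenos Aires, Georgetown": (-3, False),
}


def effective_offset(zone: str, dst_in_force: bool, os_applies_dst: bool = True) -> int:
    """UTC offset the OS uses when converting wall-clock time for `zone`.
    os_applies_dst=False models the bug: DST is in force but not applied."""
    std, observes = ZONES[zone]
    if observes and dst_in_force and os_applies_dst:
        return std + 1
    return std


def workaround_zone(home: str):
    """Al's rule: a zone that does not observe DST and sits one hour ahead of
    the home zone's standard offset. None when no such zone exists (Alaska)."""
    std, _ = ZONES[home]
    for name, (off, observes) in ZONES.items():
        if not observes and off == std + 1:
            return name
    return None


def client_request_time(wall_clock: datetime, believed_offset_h: int) -> datetime:
    """UTC timestamp the client stamps into its request: naive wall-clock time
    converted with the offset the OS believes applies."""
    naive = wall_clock.replace(tzinfo=None)
    return (naive - timedelta(hours=believed_offset_h)).replace(tzinfo=timezone.utc)


def kdc_skew_check(request_time: datetime, kdc_now: datetime):
    """KDC-side rule: accept iff |client time - KDC time| <= CLOCKSKEW.
    Returns (accepted, skew_seconds)."""
    skew = abs((request_time - kdc_now).total_seconds())
    return skew <= CLOCKSKEW.total_seconds(), skew


def simulate(pc_zone: str, wall_local: datetime, true_offset_h: int,
             os_applies_dst: bool, clock_adjust_h: int = 0):
    """One request from a PC whose wall clock shows the correct local time.
    true_offset_h is the real UTC offset at the user's location; the KDC's
    clock is taken as correct. clock_adjust_h models setting the PC clock back."""
    kdc_now = (wall_local - timedelta(hours=true_offset_h)).replace(tzinfo=timezone.utc)
    believed = effective_offset(pc_zone, dst_in_force=True, os_applies_dst=os_applies_dst)
    request = client_request_time(wall_local + timedelta(hours=clock_adjust_h), believed)
    return kdc_skew_check(request, kdc_now)


def run_scenarios():
    """4 Apr 2001 09:00 local, three days after US DST began (constructed)."""
    wall = datetime(2001, 4, 4, 9, 0)
    return {
        # Chicago (CDT = UTC-5), OS applies DST correctly: no skew.
        "central_ok": simulate("Central", wall, -5, os_applies_dst=True),
        # Same PC under the modelled bug: OS converts with CST (-6) -> 1 h skew.
        "central_ms_bug": simulate("Central", wall, -5, os_applies_dst=False),
        # Al's workaround: Bogota zone is UTC-5 with no DST to get wrong.
        "central_bogota_workaround": simulate("Bogota, Lima, Quito", wall, -5, False),
        # Alaska (AKDT = UTC-8): no qualifying zone, so set the clock back 1 h.
        "alaska_clock_back": simulate("Alaska", wall, -8, False, clock_adjust_h=-1),
    }


if __name__ == "__main__":
    for name, (accepted, skew) in run_scenarios().items():
        print(f"{name:28s} accepted={accepted!s:5s} skew={skew:.0f}s")
    print("workaround for Central:", workaround_zone("Central"))
    print("workaround for Alaska:", workaround_zone("Alaska"))
```

The 3600-second skew in the bug scenario is twelve times the tolerance, which is why re-synching the clock did not help Lauri: the clock was right, the offset was wrong. Widening clockskew on the KDC is the wrong fix, since that window also bounds how long a captured authenticator stays replayable; correcting the client's offset, as the thread does, is the safe one.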
From kreymer@fnal.gov Wed Apr 4 10:33:43 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA14236 for ; Wed, 4 Apr 2001 10:33:43 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900KAFXW6R6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 04 Apr 2001 10:33:43 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EEAA@listserv.fnal.gov>; Wed, 04 Apr 2001 10:33:42 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 108906 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 04 Apr 2001 10:33:42 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011EEA9@listserv.fnal.gov>; Wed, 04 Apr 2001 10:33:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GB900K7AXW5W9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 04 Apr 2001 10:33:41 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA12148; Wed, 04 Apr 2001 10:33:28 -0500 (CDT)
Date: Wed, 04 Apr 2001 10:33:28 -0500
From: Matt Crawford
Subject: Re: Some errors on setup kerberos
In-reply-to: "04 Apr 2001 17:17:24 +0900."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Koo Ja-Wook
Cc: kerberos-pilot@fnal.gov
Message-id: <200104041533.KAA12148@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1133

> I've finished installing kerberos on my linux machine.
> I could get a ticket using kinit. But I couldn't use kerberized machine
> on FNAL. I think the reason is that my local machine ID (which I logged
> in) and my FNAL machine ID (which I got a ticket) isn't the same.
> When I tested with a new ID which is the same with FNAL machine ID, I
> could use kerberized machine.
> How can I use kerberized machine with my local machine ID?

If by "local machine ID" you mean the linux username you already have on your local machine, add "-l jwkoo" in your rsh, rlogin or telnet command, just as you would with the "traditional" Berkeley r-commands.

From kreymer@fnal.gov Thu Apr 5 08:28:50 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA15348 for ; Thu, 5 Apr 2001 08:28:49 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBB00483MS08T@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 05 Apr 2001 08:28:49 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FC1B@listserv.fnal.gov>; Thu, 05 Apr 2001 08:28:49 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 112773 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 05 Apr 2001 08:28:49 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FC1A@listserv.fnal.gov>; Thu, 05 Apr 2001 08:28:48 -0500
Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GBB00601MS0Q3@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 05 Apr 2001 08:28:48 -0500 (CDT)
Received: from othello.physics.gla.ac.uk ([130.209.204.200]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBB00476MRZ82@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 05 Apr 2001 08:28:48 -0500 (CDT)
Received: from a5.ph.gla.ac.uk ([130.209.45.103]) by othello.physics.gla.ac.uk with esmtp (Exim 3.13 #1) id 14l9oc-0005I0-00; Thu, 05 Apr 2001 14:28:46 +0100
Received: from
localhost (thompson@localhost) by a5.ph.gla.ac.uk (8.8.8/8.8.8) with ESMTP id OAA16261; Thu, 05 Apr 2001 14:28:46 +0100 (BST)
Date: Thu, 05 Apr 2001 14:28:46 +0100 (BST)
From: "A. Stan Thompson"
Subject: kinit failure
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Cc: Rick StDenis
Reply-to: A.S.Thompson@physics.gla.ac.uk
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1134

Hello,

quite often when I access kerberos using kinit on a remote kerberised machine I get the following message

kinit: No locks available when initializing cache

and it fails. Usually it works OK when I switch to a different window but not always. I have never had this when using kinit on a machine in Fermilab. I can't spot anything in the documentation on this. What is the explanation for this and how can I avoid it.

thanks Stan Thompson

From kreymer@fnal.gov Thu Apr 5 09:07:18 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA25284 for ; Thu, 5 Apr 2001 09:07:18 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBB004DROK481@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 05 Apr 2001 09:07:18 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FCA0@listserv.fnal.gov>; Thu, 05 Apr 2001 09:07:17 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 112912 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 05 Apr 2001 09:07:17 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FC9F@listserv.fnal.gov>; Thu, 05 Apr 2001 09:07:17 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id
<0GBB004CBOK48S@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 05 Apr 2001 09:07:16 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA24972; Thu, 05 Apr 2001 09:07:13 -0500 (CDT)
Date: Thu, 05 Apr 2001 09:07:13 -0500
From: Matt Crawford
Subject: Re: kinit failure
In-reply-to: "05 Apr 2001 14:28:46 BST."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: A.S.Thompson@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, Rick StDenis
Message-id: <200104051407.JAA24972@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1135

Fermi Kerberos or some other? In either case, which version?

What operating system?

Did you build a custom kernel on that machine so that, perhaps, you have the header files in /usr/include for POSIX file locking, but your kernel doesn't support it? Or is the number of available locks somehow set absurdly low? (The credential cache library only wants one at a time.)

> Hello,
> quite often when I access kerberos using kinit on a remote
> kerberised machine I get the following message
>
> kinit: No locks available when initializing cache
>
> and it fails. Usually it works OK when I switch to a different window but
> not always. I have never had this when using kinit on a machine in
> Fermilab. I can't spot anything in the documentation on this.
> What is the explanation for this and how can I avoid it.
>
> thanks Stan Thompson

From kreymer@fnal.gov Thu Apr 5 09:08:54 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA26345 for ; Thu, 5 Apr 2001 09:08:53 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBB004F4OMR8F@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 05 Apr 2001 09:08:53 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FCA4@listserv.fnal.gov>; Thu, 05 Apr 2001 09:08:52 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 112916 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 05 Apr 2001 09:08:52 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0011FCA3@listserv.fnal.gov>; Thu, 05 Apr 2001 09:08:52 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBB004CUOMR8D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 05 Apr 2001 09:08:51 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA25022; Thu, 05 Apr 2001 09:08:49 -0500 (CDT)
Date: Thu, 05 Apr 2001 09:08:49 -0500
From: Matt Crawford
Subject: Re: kinit failure
In-reply-to: "05 Apr 2001 09:07:13 CDT." <200104051407.JAA24972@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: A.S.Thompson@physics.gla.ac.uk, kerberos-pilot@fnal.gov, Rick StDenis
Message-id: <200104051408.JAA25022@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1136

One more question: is /tmp NFS-mounted, or on some other non-standard filesystem?
From kreymer@fnal.gov Thu Apr 5 09:21:36 2001 -0500
Date: Thu, 05 Apr 2001 15:21:32 +0100 (BST)
From: "A. Stan Thompson"
Subject: Re: kinit failure
In-reply-to: <200104051407.JAA24972@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, Rick StDenis
Reply-to: A.S.Thompson@physics.gla.ac.uk

It is Fermi Kerberos v5 running on a Linux OS Fermi RH6.1 (CDF flavour),
both out of the box so no custom kernel. Do I need to change the number of
available locks? Could you point me at the file.

thanks Stan Thompson

On Thu, 5 Apr 2001, Matt Crawford wrote:

> Fermi Kerberos or some other? In either case, which version?
>
> What operating system?
>
> Did you build a custom kernel on that machine so that, perhaps, you
> have the header files in /usr/include for POSIX file locking, but
> your kernel doesn't support it? Or is the number of available locks
> somehow set absurdly low? (The credential cache library only wants
> one at a time.)
>
> > Hello,
> > quite often when I access kerberos using kinit on a remote
> > kerberised machine I get the following message
> >
> > kinit: No locks available when initializing cache
> >
> > and it fails. Usually it works OK when I switch to a different window but
> > not always. I have never had this when using kinit on a machine in
> > Fermilab. I can't spot anything in the documentation on this.
> > What is the explanation for this and how can I avoid it.
> >
> > thanks Stan Thompson

From kreymer@fnal.gov Thu Apr 5 11:45:12 2001 -0500
Date: Thu, 05 Apr 2001 11:45:11 -0500 (CDT)
From: "David J. Fagan"
Subject: From large
To: kerberos-pilot@fnal.gov
Message-id: <200104051645.LAA91016@large.fnal.gov>
Organization: Fermi National Accelerator Laboratories

To d02ka or d0mino it's my machine (or the file), I can't seem to move it.
I re-download it elsewhere and try. What else?

------- Forwarded Message

Date: Thu, 05 Apr 2001 11:20:49 -0500
From: Joseph Boyd
To: fagan@fnal.gov
Subject: Re: what the [sanitised] am I doing wrong?

Nothing that I can see. What machine are you on? It looks broken.

joe

fagan@fnal.gov wrote:
> $ rcp bbftp.v.2.0.0.tar.gz d02ka:
> rcp: ./bbftp.v.2.0.0.tar.gz: Unknown code D 109
> $ whence rcp
> /usr/krb5/bin/rcp
> $ rcp bbftp.v.2.0.0.tar.gz d02ka:bbv2.gz
> rcp: bbv2.gz: Unknown code D 109
> $ ls bbf*
> bbftp.v.1.9.4.tar  bbftp.v.2.0.0.tar.gz
> $ rcp bbftp.v.2.0.0.tar.gz d02ka:~/bb2.gz
> rcp: /home/fagan/bb2.gz: Unknown code D 109
> $ rsh d02ka pwd
> This rsh session is using DES encryption for all data transmissions.
> /home/fagan
>
> -------------------------------------------------------------------------------
> David J. Fagan | The Silicon Sorcerer® | Internet: Fagan@large (.fnal.gov)
> SGI Liaison | Liaison Requests: sgi-liaison@fnal
> Fermi National Accelerator Laboratory | MaBellnet: 1 (630) 840-2914
> -------------------------------------------------------------------------------

------- End of Forwarded Message

334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI authentication succeeded
Name (d0mino:fagan):
232 GSSAPI user fagan@PILOT.FNAL.GOV is authorized as fagan
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> binary
200 Type set to I.
ftp> put bbftp.v.2.0.0.tar.gz
local: bbftp.v.2.0.0.tar.gz remote: bbftp.v.2.0.0.tar.gz
200 PORT command successful.
553 bbftp.v.2.0.0.tar.gz: (null).
ftp> quit
221 Goodbye.
$ rsh d0mino "ls -l bb*.gz"
This rsh session is using DES encryption for all data transmissions.
UX:ls: ERROR: Cannot access bb*.gz: No such file or directory
$ ls -l bb*.gz
-rw-r--r--   1 fagan   5023    5112677 Apr  5 10:51 bbftp.v.2.0.0.tar.gz
$ ls -l bb*
-rw-r--r--   1 fagan   1664       5315 Nov 14  1994 bbb
-rw-r--r--   1 fagan   1664   15964160 Feb 14 11:35 bbftp.v.1.9.4.tar
-rw-r--r--   1 fagan   5023    5112677 Apr  5 10:51 bbftp.v.2.0.0.tar.gz
$ rcp bbftp.v.2.0.0.tar.gz d0mino:
rcp: ./bbftp.v.2.0.0.tar.gz: Unknown code D 109

From kreymer@fnal.gov Thu Apr 5 12:01:34 2001 -0500
Date: Thu, 05 Apr 2001 12:01:32 -0500
From: Matt Crawford
Subject: Re: From large
In-reply-to: "05 Apr 2001 11:45:11 CDT." <200104051645.LAA91016@large.fnal.gov>
To: "David J. Fagan"
Cc: kerberos-pilot@fnal.gov
Message-id: <200104051701.MAA26685@gungnir.fnal.gov>

IRIX went a little nuts with errno's and introduced some non-standard
ones above 255. Kerberos doesn't understand them. But if you take

> rcp: ./bbftp.v.2.0.0.tar.gz: Unknown code D 109

and psychically intuit that 'D' stands for 4, you are led to
2 * 256 + 109 = 1133, and voila:

#define EDQUOT 1133 /* cruft this to be __IRIXBASE + IRIX4 value */

appears in IRIX's

So ... need more quota?

"I'm sorry, Dave, but I'm afraid I can't do that."

From kreymer@fnal.gov Fri Apr 6 11:39:31 2001 -0500
Date: Fri, 06 Apr 2001 17:39:25 +0100 (BST)
From: "A. Stan Thompson"
Subject: Re: kinit failure
In-reply-to: <200104051407.JAA24972@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov, Rick StDenis
Reply-to: A.S.Thompson@physics.gla.ac.uk

Hello Matt,

Have you had any more thoughts on the problem I have accessing kerberos?
I am finding I have these lock messages every time I try now.

thanks Stan

On Thu, 5 Apr 2001, Matt Crawford wrote:

> Fermi Kerberos or some other? In either case, which version?
>
> What operating system?
>
> Did you build a custom kernel on that machine so that, perhaps, you
> have the header files in /usr/include for POSIX file locking, but
> your kernel doesn't support it? Or is the number of available locks
> somehow set absurdly low? (The credential cache library only wants
> one at a time.)
>
> > Hello,
> > quite often when I access kerberos using kinit on a remote
> > kerberised machine I get the following message
> >
> > kinit: No locks available when initializing cache
> >
> > and it fails. Usually it works OK when I switch to a different window but
> > not always. I have never had this when using kinit on a machine in
> > Fermilab. I can't spot anything in the documentation on this.
> > What is the explanation for this and how can I avoid it.
> >
> > thanks Stan Thompson

From kreymer@fnal.gov Fri Apr 6 13:40:09 2001 -0500
Date: Fri, 06 Apr 2001 13:40:05 -0500
From: ARSystem
Subject: 000000000017642 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7615528D@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000017642 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description : kerberos and lsf interoperability problem
Badge # (+) : 12754N
First Name : JOE
Last Name (+) : BOYD
Phone : 8275
E-Mail Address : BOYD@FNAL.GOV
Incident Time : 4/6/01 1:31:16 PM
System Name : D0MINO
Urgency : Medium
Public Work Log : 4/6/01 1:39:05 PM trb Matt, can you help Joe ?
Problem Description :

Please assign this to Matt Crawford.

I do this on d0mino:

d0mino 1:17pm ~ 1 > echo $KRB5CCNAME
FILE:/tmp/krb5cc_p48900313
d0mino 1:17pm ~ 2 > bsub -I 'echo $KRB5CCNAME'
Job <92327> is submitted to default queue .
<>
<>
FILE:/tmp/krb5cc_p6151912
d0mino 1:18pm ~ 3 >

As you can see, the KRB5CCNAME variable changed in the LSF job. Whether you
run interactively or in a script the behaviour is always the same. The
problem is that it seems to be the same for everyone. If some other user
submits a job they will get the same name for KRB5CCNAME.

Matt, here is the specific question. Can you think of any way the kerberos
stuff we have installed would do this? What stuff from the kerberos package
would set the KRB5CCNAME environment variable at all? kinit, kcron, ...???
I don't know where else to look. The latest thing that LSF folks have told
me (after about two weeks of back and forth) is that they don't change the
KRB5CCNAME variable. I don't believe them but since that is what they have
told me I am looking elsewhere. I can't find anywhere that it is getting
set/changed in startup scripts. The kerberos package doesn't even replace
/bin/login on install so I can't imagine any of our kerberos stuff is being
called.

Same behaviour on LSF 3.2.2 and 4.1. Same behaviour on Irix and Linux. The
file name that does get set seems to change over a day's time but at any
particular time, multiple users seem to get the same name set.

Thanks,
joe

From kreymer@fnal.gov Fri Apr 6 14:22:00 2001 -0500
Date: Fri, 06 Apr 2001 14:21:59 -0500
From: "Isabeau's mom"
Subject: kerberos and socket KEEPALIVE option
To: kerberos-pilot@fnal.gov
Message-id: <3ACE1757.2046B842@fnal.gov>

hi, i know that there are some plans to set the socket KEEPALIVE option
when doing an rsh under kerberos. is there any estimate on when the new
version of kerberos will be out?

thanks,
eileen

From kreymer@fnal.gov Fri Apr 6 14:40:45 2001 -0500
Date: Fri, 06 Apr 2001 14:40:39 -0500
From: Matt Crawford
Subject: Re: kinit failure
In-reply-to: "06 Apr 2001 17:39:25 BST."
To: A.S.Thompson@physics.gla.ac.uk
Cc: kerberos-pilot@fnal.gov, Rick StDenis
Message-id: <200104061940.OAA03861@gungnir.fnal.gov>

> Have you had any more thoughts on the problem I have accessing
> kerberos, I am finding I have these lock messages every time I try now.

It pretty much has to be some kernel problem or resource exhaustion due
to some other processes. Have you rebooted since this started happening?
Does linux give you a way to see what process is using up some resource?
(Something along the lines of lsof.)

From kreymer@fnal.gov Fri Apr 6 14:48:30 2001 -0500
Date: Fri, 06 Apr 2001 14:48:28 -0500
From: Matt Crawford
Subject: Re: 000000000017642 Assigned to CRAWFORD, MATT.
In-reply-to: "06 Apr 2001 13:40:05 CDT." <318CC3D38BE0D211BB1200105A093F7615528D@csdserver2.fnal.gov>
To: ARSystem, boyd@fnal.gov
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200104061948.OAA03916@gungnir.fnal.gov>

> Matt, here is the specific question. Can you think of any way the
> kerberos stuff we have installed would do this? What stuff from the
> kerberos package would set the KRB5CCNAME environment variable at all?
> kinit, kcron, ...???

If the LSF system was started by someone who had that environment
variable set to that value, and if LSF does not "purify" its
environment before starting a process, this would happen. Does that
fit the other facts you know?

From kreymer@fnal.gov Fri Apr 6 14:51:40 2001 -0500
Date: Fri, 06 Apr 2001 14:51:38 -0500
From: Matt Crawford
Subject: Re: kerberos and socket KEEPALIVE option
In-reply-to: "06 Apr 2001 14:21:59 CDT." <3ACE1757.2046B842@fnal.gov>
To: "Isabeau's mom"
Cc: kerberos-pilot@fnal.gov
Message-id: <200104061951.OAA03946@gungnir.fnal.gov>

> hi, i know that there are some plans to set the
> socket KEEPALIVE option when doing an rsh under
> kerberos. is there any estimate on when the new
> version of kerberos will be out?

This month. I can't be more precise yet.

From kreymer@fnal.gov Fri Apr 6 14:51:54 2001 -0500
Date: Fri, 06 Apr 2001 14:51:48 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17642 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761552AA@csdserver2.fnal.gov>

17642 has been updated by trb.

Short Description : kerberos and lsf interoperability problem
New Work Log Entry :

From: "Matt Crawford"
To: "ARSystem"
Cc:
Subject: Re: 000000000017642 Assigned to CRAWFORD, MATT.
Date: Friday, April 06, 2001 2:48 PM

> Matt, here is the specific question. Can you think of any way the
> kerberos stuff we have installed would do this? What stuff from the
> kerberos package would set the KRB5CCNAME environment variable at all?
> kinit, kcron, ...???

If the LSF system was started by someone who had that environment
variable set to that value, and if LSF does not "purify" its
environment before starting a process, this would happen. Does that
fit the other facts you know?
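Matt's reading of "Unknown code D 109" in the rcp thread above follows the convention com_err uses to print a code that no registered error table knows: the low 8 bits are the offset, and the bits above them are rendered as up to five 6-bit characters from a fixed alphabet, each stored as index+1 so that 'D' means 4. The program below is an added example, a re-implementation for illustration rather than MIT com_err's own code or anything from the Fermi Kerberos distribution; it encodes a code the way error_table_name() does and parses the message back to the raw errno on the remote system (1133 here, which the thread identifies as IRIX's EDQUOT). The sample strings other than the one from the thread are constructed.

```c
/* Decode and re-encode the "Unknown code XXX NNN" strings that the com_err
 * library prints for a code no registered error table knows, as in the
 * "Unknown code D 109" rcp failure in the thread.  com_err splits a code
 * into a table part (everything above the low 8 bits) and an offset (the
 * low 8 bits); the table part is printed as up to five 6-bit groups, each
 * rendered as char_set[group - 1] and skipped when zero.  Added example:
 * a re-implementation for illustration, not MIT com_err's own code and
 * not part of the Fermi Kerberos distribution. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ERRCODE_RANGE 8   /* low bits reserved for the offset within a table */
#define BITS_PER_CHAR 6   /* each table-name character carries six bits */

static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Table-name encoding of a code; out needs room for 6 bytes. */
void com_err_table_name(long code, char *out)
{
    long num = (code >> ERRCODE_RANGE) & 077777777L;   /* 24 bits of table id */
    char *p = out;
    int i;

    for (i = 4; i >= 0; i--) {
        int ch = (int)((num >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1));
        if (ch != 0)
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
}

/* Inverse: find "Unknown code <name> <offset>" (or "Unknown code <offset>"
 * when the table part is zero) in msg and rebuild the numeric code.
 * Returns 0 on success, -1 if msg is not in that form.  Kerberos' own
 * tables have negative bases whose sign the 24-bit mask drops, so those
 * come back in non-negative form; plain errno values such as 1133 come
 * back exactly. */
int com_err_decode(const char *msg, long *code)
{
    static const char prefix[] = "Unknown code ";
    const char *s, *name_end, *digits, *c;
    char *end;
    long num = 0, offset;

    s = strstr(msg, prefix);            /* allow an "rcp: file: " prefix */
    if (s == NULL)
        return -1;
    s += sizeof prefix - 1;
    name_end = strrchr(s, ' ');
    if (name_end == NULL) {
        name_end = s;                   /* no table part: "Unknown code 42" */
        digits = s;
    } else {
        digits = name_end + 1;
    }
    if (name_end - s > 5)
        return -1;                      /* error_table_name emits at most 5 chars */
    for (c = s; c < name_end; c++) {
        const char *pos = strchr(char_set, *c);
        if (pos == NULL)
            return -1;
        num = (num << BITS_PER_CHAR) | (long)(pos - char_set + 1);
    }
    offset = strtol(digits, &end, 10);
    while (*end == ' ' || *end == '\n')
        end++;                          /* tolerate a trailing newline */
    if (end == digits || *end != '\0' || offset < 0 || offset >= (1 << ERRCODE_RANGE))
        return -1;
    *code = (num << ERRCODE_RANGE) | offset;
    return 0;
}

int main(int argc, char **argv)
{
    const char *msg = argc > 1 ? argv[1] : "Unknown code D 109";  /* from the thread */
    char name[6];
    long code;

    if (com_err_decode(msg, &code) != 0) {
        fprintf(stderr, "not a com_err unknown-code string: %s\n", msg);
        return 1;
    }
    com_err_table_name(code, name);
    printf("%s -> errno %ld (table part %ld, offset %ld), re-encodes as \"%s %ld\"\n",
           msg, code, code & ~0xffL, code & 0xffL, name, code & 0xffL);
    /* strerror(code) on the machine that printed the message names the
     * errno; 1133 is EDQUOT on IRIX, per the thread. */
    return 0;
}
```

The number only means something on the system that produced the message, so look it up in that system's errno table rather than the local one.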
From kreymer@fnal.gov Fri Apr 6 16:03:36 2001 -0500
Date: Fri, 06 Apr 2001 16:03:28 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 17642 Has Been Updated.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761552CF@csdserver2.fnal.gov>

17642 has been updated by blomberg.

Short Description : kerberos and lsf interoperability problem
New Work Log Entry :

From: "Joseph Boyd"
To: "ARSystem"
Subject: Re: CRAWFORD, MATT AR ticket 17642 Has Been Updated.
Date: Friday, April 06, 2001 3:59 PM

That's an interesting possibility but I still don't think that is it. We
start LSF from the init scripts. Occasionally we do have to restart it so
maybe... Talking to Jim Fromm though he doesn't think there is any way that
should be possible. LSF is supposed to be very stringent about making sure
your environment is the same as when you submitted the job and if that is
leaking through that would be a bug in itself.

The value that gets set does in fact change from day to day. At any one
time everyone that submits gets the same value set and throughout the day
all the jobs that get submitted by the same user will have the same value.
The next day though everything will be getting a new value. Maybe lsf does
some sort of "restart" of itself every night but I'm still not sure then
what would change the variable value.

You can go ahead and close out this ticket if you want. I think this is
still a mystery that Platform needs to spend more time on.

Thanks,
joe

> If the LSF system was started by someone who had that environment
> variable set to that value, and if LSF does not "purify" its
> environment before starting a process, this would happen. Does that
> fit the other facts you know?

From kreymer@fnal.gov Mon Apr 9 12:08:24 2001 -0500
Date: Mon, 09 Apr 2001 12:07:51 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 17526
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761553F4@csdserver2.fnal.gov>

This reminder created on 4/9/01 12:03:16 PM

Ticket 17526 has been assigned to you. This is a reminder that the ticket
is not yet resolved.

Status : Assigned
First Name : DIANA
Last Name (+) : BONHAM
Phone : 6299
E-Mail Address : DIANA@FNAL.GOV
Incident Time : 4/2/01 10:27:21 AM
System Name : WRQ REFLECTIONS
Problem Category : Software
Item : Wrq/Reflections
Type : Utilities
Urgency : Medium
Short Description : cannot access any kerberized machine through WRQ reflections
Problem Description :

Is there an expert for the WRQ reflections product? None of us on the 8th
floor who use WRQ to access kerberized machines through the WRQ product can
get it to work this morning. We think it may have something to do with the
1 hour time change over the weekend. This doesn't appear to be a unix or
kerberos problem, rather a WRQ problem.

From kreymer@fnal.gov Mon Apr 9 12:08:38 2001 -0500
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <2LRRXG54>; Mon, 
09 Apr 2001 12:08:20 -0500 Content-return: allowed Date: Mon, 09 Apr 2001 12:07:59 -0500 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76155429@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1149 This reminder created on 4/9/01 12:03:48 PM Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Item : Kerberos Type : Utilities Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now? planned? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Mon Apr 9 13:49:14 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14051 for ; Mon, 9 Apr 2001 13:49:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ00LO9GA1HA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Apr 2001 13:49:14 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122982@listserv.fnal.gov>; Mon, 09 Apr 2001 13:49:13 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125599 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Apr 2001 13:49:13 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012297F@listserv.fnal.gov>; Mon, 09 Apr 2001 13:49:13 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ000JSGA0J9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Apr 2001 13:49:12 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <2LRRXG9X>; Mon, 09 Apr 2001 13:49:12 -0500 Content-return: allowed Date: Mon, 09 Apr 2001 13:49:10 -0500 From: ARSystem Subject: Note to requester has been sent - 000000000017526 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761554A4@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1150 The following note has been sent to the requester: BONHAM, DIANA Short Description : cannot access any kerberized machine through WRQ reflections Notes to Requester : Diana, Are you 
still having problems with WRQ/Reflections. From kreymer@fnal.gov Mon Apr 9 13:49:16 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14055 for ; Mon, 9 Apr 2001 13:49:16 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ00LO9GA1HA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Apr 2001 13:49:15 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122983@listserv.fnal.gov>; Mon, 09 Apr 2001 13:49:13 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125601 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Apr 2001 13:49:13 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122981@listserv.fnal.gov>; Mon, 09 Apr 2001 13:49:13 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ000JSGA0J9@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Apr 2001 13:49:13 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <2LRRXG9Y>; Mon, 09 Apr 2001 13:49:12 -0500 Content-return: allowed Date: Mon, 09 Apr 2001 13:49:10 -0500 From: ARSystem Subject: CRAWFORD, MATT AR ticket 17526 Has Been Updated. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761554A2@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1151 17526 has been updated by blomberg. 
Short Description : cannot access any kerberized machine through WRQ reflections New Work Log Entry : From: "Matt Crawford" To: "HelpDesk" Subject: Re: CRAWFORD, MATT, Reminder for 17526 Date: Monday, April 09, 2001 1:36 PM Well, ask the user if everything is all right now. It should be. From kreymer@fnal.gov Mon Apr 9 14:08:21 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA14087 for ; Mon, 9 Apr 2001 14:08:21 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ00LRRH5VHZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Apr 2001 14:08:21 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122A0E@listserv.fnal.gov>; Mon, 09 Apr 2001 14:08:20 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125758 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Apr 2001 14:08:20 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122A0D@listserv.fnal.gov>; Mon, 09 Apr 2001 14:08:19 -0500 Received: from fnal.gov ([131.225.80.118]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ000N8H5VGN@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Apr 2001 14:08:19 -0500 (CDT) Date: Mon, 09 Apr 2001 14:08:19 -0500 From: Jim Fromm Subject: ftp Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3AD208A3.95AF8EAB@fnal.gov> Organization: Fermilab MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1152 FTP issues that I have found.... 1. man page doesn't seem right. 
bldlinux61> man ftp FTP(1) User Commands FTP(1) NAME ftp - ARPANET file transfer program SYNOPSIS ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [host] [-forward] ... ** -forward doesn't work **: ftp casey -forward casey: bad port number-- -forward -- ------------------------------------------------------------- Jim Fromm Fermi National Accelerator Laboratory fromm@fnal.gov P.O. Box 500 630-840-8483 MS 369 Batavia, IL 60510 ------------------------------------------------------------- From kreymer@fnal.gov Mon Apr 9 14:25:10 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA14188 for ; Mon, 9 Apr 2001 14:25:10 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ000TDHXXLN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Apr 2001 14:25:10 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122A4E@listserv.fnal.gov>; Mon, 09 Apr 2001 14:25:09 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125829 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Apr 2001 14:25:09 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122A4D@listserv.fnal.gov>; Mon, 09 Apr 2001 14:25:09 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ00930HXW57@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Apr 2001 14:25:08 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA17991; Mon, 09 Apr 2001 14:25:08 -0500 (CDT) Date: Mon, 09 Apr 2001 14:25:08 -0500 From: Matt Crawford Subject: Re: ftp In-reply-to: "09 Apr 2001 14:08:19 CDT." 
<3AD208A3.95AF8EAB@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Jim Fromm Cc: kerberos-pilot@fnal.gov Message-id: <200104091925.OAA17991@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1153 Could your MANPATH be wrong? The man pages go into the UPS man-page area. A very early version of Fermi Kerberos put them in /usr/local/man. Any Kerberos-related man pages should be removed from there. (I think that would have happened already if the recommended action was performed on the second release.) gungnir 4278% man ftp FTP(1) User Commands FTP(1) NAME ftp - ARPANET file transfer program SYNOPSIS ftp [-v] [-d] [-i] [-n] [-g] [-k realm] [-f] [-x] [-u] [-t] [host] ... From kreymer@fnal.gov Mon Apr 9 14:55:27 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA14201 for ; Mon, 9 Apr 2001 14:55:27 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ00B45JCD6C@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Apr 2001 14:55:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122AE4@listserv.fnal.gov>; Mon, 09 Apr 2001 14:55:25 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125986 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 09 Apr 2001 14:55:25 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00122AE3@listserv.fnal.gov>; Mon, 09 Apr 2001 14:55:25 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBJ004KPJCDTF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 09 Apr 2001 14:55:25 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <2LRRXG0C>; Mon, 
09 Apr 2001 14:55:25 -0500 Content-return: allowed Date: Mon, 09 Apr 2001 14:55:21 -0500 From: ARSystem Subject: CRAWFORD, MATT #17526 Resolved. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761554AE@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1154 Thank you for your assistance. Help Desk ticket #000000000017526 has been resolved on 4/9/01 2:51:08 PM Resolution Timestamp: : 4/9/01 2:31:31 PM Solution Category : Service Request Problem Category : Software Item : Wrq/Reflections Type : Utilities Short Description : cannot access any kerberized machine through WRQ reflections Solution : Per e-mail from the user: No, I used the "fix" that Alan Jonckheere provided, and which I also sent to the helpdesk so it could be passed on to other people. Problem Description : Is there an expert for the WRQ reflections product? None of us on the 8th floor who use WRQ to access kerberized machines through the WRQ product can get it to work this morning. We think it may have something to do with the 1 hour time change over the weekend. This doesn't appear to be a unix or kerberos problem, rather a WRQ problem. 
From kreymer@fnal.gov Tue Apr 10 13:44:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA04867 for ; Tue, 10 Apr 2001 13:44:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBL000E3AQBWB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Apr 2001 13:44:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00123BD0@listserv.fnal.gov>; Tue, 10 Apr 2001 13:44:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 130748 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 10 Apr 2001 13:44:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00123BCF@listserv.fnal.gov>; Tue, 10 Apr 2001 13:44:35 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBL00MFYAQBV8@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 10 Apr 2001 13:44:35 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA23630 for ; Tue, 10 Apr 2001 13:44:35 -0500 (CDT) Date: Tue, 10 Apr 2001 13:44:35 -0500 From: Matt Crawford Subject: krb5conf v1_2 in kits as "test" Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200104101844.NAA23630@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1155 Version v1_2 of the krb5conf product, which creates or updates only your /etc/krb5.conf file, is now on fnkits as "test". I've tested it eight ways from Sunday but only on one system. Would the first few testers (build cluster and some CDF & D0 volunteers, please) report back? Thanks. The important new features are: 1. 
It lists the new slave KDCs inside the CDF and D0 critical system boundaries. 2. It defines the production realm FNAL.GOV -- but does NOT put your system or users into that realm. It just makes that realm known to your system. 3. As promised, it leaves the "bottom half" of your /etc/krb5.conf intact in case you have made local changes to, for example, your [appdefaults] section. This occurs so long as the marker line introduced in krb5conf v1_0 is present. From kreymer@fnal.gov Thu Apr 12 08:37:54 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA28699 for ; Thu, 12 Apr 2001 08:37:54 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00H7JLV5UT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 08:37:54 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001254DA@listserv.fnal.gov>; Thu, 12 Apr 2001 08:37:53 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 137631 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 08:37:53 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001254D9@listserv.fnal.gov>; Thu, 12 Apr 2001 08:37:53 -0500 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00H5ZLV49K@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 08:37:52 -0500 (CDT) Date: Thu, 12 Apr 2001 08:37:51 -0500 From: Troy Dawson Subject: Group Principles Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <3AD5AFAF.19D575A9@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii 
Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1156 Hello, Back when this kerberos stuff was starting up, they talked of this, and to me, this was one of its selling points. Now that I'm in a position that I want to set one of these up, I can't find the documentation for it. So I figure one of three things is happening. A) I just can't find the documentation, and I need to be pointed in the right direction B) this part of our kerberos stuff isn't set up yet (or just barely setup) and so there isn't documentation yet C) this was discovered to be a bad thing and we aren't supposed to do it. So that you know what I'm talking about I'll explain what I'm talking about. (Names are for example only, any similarity between them and the real world is purely coincidence ... well sorta) Let's say I'm part of a cluster called OSS, where I'm one of several system administrators that has root access to that cluster. This cluster is fully kerberized, and we don't want root's password going over the net, so we make sure that root has a .k5login file in it. Now we can do one of two things with the .k5login file. We can put in a line for each person, or we can put in one line with this group principal. So the file could look like one of two things. either rodger@FNAL.GOV joeshmoe@FNAL.GOV blahblah@FNAL.GOV janejohnson@FNAL.GOV yadayada@FNAL.GOV or oss_group@FNAL.GOV At first glance you would say 'Oh, you're just trying to save yourself a little work, it's not that hard to change all your machines.' But let's take this scenario. Let's say that after working like this, as a group, for about 6 months, that Rodger gets this hankering to work underground, and so transfers over to the Beams Division. Depending on which path we chose before we will have to do one of two things. Change one single entry in the KDC database, stating that rodger isn't part of the oss_group. 
Or track down each machine of the cluster and make sure that its .k5login file is changed, with the possibility that one or two computers get missed for a couple months (especially if rodger was the one who set them up) So in short, how do I go about setting up, and maintaining, one of these group principals? Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Thu Apr 12 09:09:36 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA28770 for ; Thu, 12 Apr 2001 09:09:36 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00EM9NBZP3@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 09:09:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012555E@listserv.fnal.gov>; Thu, 12 Apr 2001 09:09:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 137770 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 09:09:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012555D@listserv.fnal.gov>; Thu, 12 Apr 2001 09:09:35 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GH7NBYVE@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 09:09:34 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA03896; Thu, 12 Apr 2001 09:09:34 -0500 (CDT) Date: Thu, 12 Apr 2001 09:09:34 -0500 From: Matt Crawford Subject: Re: Group Principles In-reply-to: "12 Apr 2001 08:37:51 CDT." 
<3AD5AFAF.19D575A9@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Troy Dawson Cc: kerberos-pilot@fnal.gov Message-id: <200104121409.JAA03896@gungnir.fnal.gov> Status: RO X-Status: A X-Keywords: X-UID: 1157 > Back when this kerberos stuff was starting up, they talked of this, and to me, > this was one of it's selling points. Now that I'm in a position that I want > to set one of these up, I can't find the documentation for it. So I figure > one of three things is happening. A) I just can't find the documentation, and > I need to pointed in the right direction B) this part of our kerberos stuff > isn't set up yet (or just barely setup) and so there isn't documentation yet > C) this was discovered to be a bad thing and we arn't supposed to do it. There are no principals for groups of people. There are principals for "projects" which are treated like services except that they happen to be more commonly authenticating as a Kerberos client to a service than as a service to a client. > Let's say I'm part of a cluster called OSS, where I'm one of several system > ... we sure that root has a .k5login file in it. > ... the file could look like one of two things. > either > rodger@FNAL.GOV > joeshmoe@FNAL.GOV > blahblah@FNAL.GOV > janejohnson@FNAL.GOV > yadayada@FNAL.GOV > or > oss_group@FNAL.GOV > > ... Let's say that after working like this, as a group, for about > 6 months, that Rodger get's this hankering to work underground, and so > transfers over to the Beams Division. > Depending on which path we chose before we will have to do one of two things. > Change one single entry in the KDC database, stating that rodger isn't part of > the oss_group. The KDC has no concept of one set of principals being "members" of another principal. The only way to get a TGT as "oss_group" would be to have the password or the cryptocard for the oss_group principal. Then when jolly Rodger leaves, you're left with the classic "get the new password to everyone" problem. 
> Or track down each machine of the cluster and make sure the it's > .k5login file is changed, with the possibility that one or two > computers get missed for a couple months (especially if rodger was > the one who set them up) It's a simple matter like

    for host in $cluster; do
      echo $host ...
      # field 6 of /etc/passwd is the home directory; grep -l names the
      # .k5login/.k5users files on $host that still list rodger@
      rsh -x -N -l root $host \
        "awk -F: '{print \$6\"/.k5login\", \$6\"/.k5users\"}' /etc/passwd | xargs grep -s -l rodger@"
    done

(with possible augmentation for NIS and AFS) to examine all the hosts' .k5login files for traces of your ex-colleague. If Rodger (and I do hope this is a fictional name!) parted on friendly terms, your exposure due to a delay in tracking down every last .k5login file is not a great worry. We trust our authorized sysadmins and users. If there was acrimony, Rodger's principal has been disabled in the KDC and you have oodles of time to purge it from .k5login files. > So in short, how do I go about setting up, and maintaining, one of > these group principles? You don't. The group principals we have, which I actually call "project" principals, are something else entirely, and there are no passwords for them, except for an initial moment, as for host/ and ftp/ principals. 
From kreymer@fnal.gov Thu Apr 12 09:30:08 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA28784 for ; Thu, 12 Apr 2001 09:30:08 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GKZOA7HP@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 09:30:08 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125611@listserv.fnal.gov>; Thu, 12 Apr 2001 09:30:07 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 137953 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 09:30:07 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125610@listserv.fnal.gov>; Thu, 12 Apr 2001 09:30:07 -0500 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GPLOA6J4@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 09:30:06 -0500 (CDT) Date: Thu, 12 Apr 2001 09:30:06 -0500 From: "Laurelin of Middle Earth, 630-840-2214" Subject: Re: Group Principles Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: Troy Dawson , kerberos-pilot@fnal.gov Message-id: <3AD5BBEE.371FDD8B@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200104121409.JAA03896@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1158 Here in the SAM project, we face similar difficulties, though not for the 'root' account (but for other similar types of accounts). 
We have had to jump through a number of hoops, and some of what you say below doesn't correspond to what I've been told by Powerful People, (i.e., our sysadmins), so I'd like to review what we've done and what we're planning and find out how many of these hoops are completely bureaucratic and how many are real. FIRST, we've been required to use special username/root@PILOT.FNAL.GOV principals in the .k5login file for these 'shared' accounts. Note that the 'root' in 'username/root@PILOT.FNAL.GOV' has nothing to do with the 'root' account on the system, it was just a poorly chosen symbol to represent a different principal on the KDC, one which is NOT forwardable and has a shorter lifetime. I'd prefer to call it 'username/alt' or 'username/special' or something. But they didn't ask me. This has been a major pain in the butt, and seems counterintuitive to the whole "log in once and everybody knows who you are" concept of kerberos. All of our SAM-admin collaborators now have to have TWO principals, one of which is their "real" account and the other for doing "SAM" things. They need to remember to kinit username/root@PILOT.FNAL.GOV from an encrypted window before they can "ksu sam" or telnet into the sam account on another node. IS THIS REALLY NECESSARY?!?! (It's not just the sam account; it includes accounts for product maintenance, web server maintenance, cron job maintenance, etc.) Seems to me that by forcing people to re-kinit you are opening up the possibility of a whole lot more passwords-in-the-clear over the net. It's easy to remember to log in originally on an encrypted window. Once you're logged in, and doing your work in Xterm windows which are NOT encrypted, it's much more painful to remember to go back to that original encrypted window to change accounts. (I come from an NT box, using WRQ, which may put me into a small category of users; but even if small, it is a significant fraction of our users... 
The WRQ window is useless except for the fact that it is encrypted. I do nothing in that window except for kinit; and because of that, the window is frequently logged out on my behalf because it is idle. My Xterms, where I really work, are not encrypted, but they don't get logged out because they aren't idle). SECOND: How to maintain the .k5login files. What we've chosen to do (but haven't implemented quite yet) is to place a .k5login file into a CVS repository. Set up a cron job running under the appropriate command to "cvs update" the .k5login file every night (or every hour, depends on how paranoid you are). Then you can update the CVS repository when Rodger leaves, and within [specified period of cron job] the .k5login files will all be updated to reflect the change. -- lauri Matt Crawford wrote: > > > Back when this kerberos stuff was starting up, they talked of this, and to me, > > this was one of it's selling points. Now that I'm in a position that I want > > to set one of these up, I can't find the documentation for it. So I figure > > one of three things is happening. A) I just can't find the documentation, and > > I need to pointed in the right direction B) this part of our kerberos stuff > > isn't set up yet (or just barely setup) and so there isn't documentation yet > > C) this was discovered to be a bad thing and we arn't supposed to do it. > > There are no principals for groups of people. There are principals > for "projects" which are treated like services except that they > happen to be more commonly authenticating as a Kerberos client to a > service than as a service to a client. > > > Let's say I'm part of a cluster called OSS, where I'm one of several system > > ... we sure that root has a .k5login file in it. > > ... the file could look like one of two things. > > either > > rodger@FNAL.GOV > > joeshmoe@FNAL.GOV > > blahblah@FNAL.GOV > > janejohnson@FNAL.GOV > > yadayada@FNAL.GOV > > or > > oss_group@FNAL.GOV > > > > ... 
Let's say that after working like this, as a group, for about > > 6 months, that Rodger get's this hankering to work underground, and so > > transfers over to the Beams Division. > > Depending on which path we chose before we will have to do one of two things. > > Change one single entry in the KDC database, stating that rodger isn't part of > > the oss_group. > > The KDC has no concept of one set of principals being "members" of > another principal. The only way to get a TGT as "oss_group" would be > to have the password or the cryptocard for the oss_group principal. > Then when jolly Rodger leaves, you're left with the classic "get the > new password to everyone" problem. > > > Or track down each machine of the cluster and make sure the it's > > .k5login file is changed, with the possibility that one or two > > computers get missed for a couple months (especially if rodger was > > the one who set them up) > > It's a simple matter like > > for host in $cluster; do > echo $host ... > rsh -x -N -l root $host \ > awk -F: "'{print $6/.k5login, $6/.k5users}'" \| \ > xargs grep -s -l rodger@ > done > > (with possible augmentation for NIS and AFS) to examine all the > hosts' .k5login files for traces of your ex-colleague. > > If Rodger (and I do hope this is a fictional name!) parted on > friendly terms, your exposure due to a delay in tracking down every > last .k5login file is not a great worry. We trust our authorized > sysadmins and users. If there was acrimony, Rodger's principal has > been disabled in the KDC and you have oodles of time to purge it from > .k5login files. > > > So in short, how do I go about setting up, and maintaining, one of > > these group principles? > > You don't. The group principals we have, which I actually call > "project" principals, are something else entirely, and there are no > passwords for them, except for an initial moment, as for host/ and > ftp/ principals. 
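The two .k5login chores discussed in this thread, as an added example that is not code from the thread: the per-host half of Matt's rsh loop (list every .k5login and .k5users under the passwd file's home directories that still names a departed principal, matching whole entries so that rodger@ does not also hit rodgers@), and Lauri's repository-driven approach above (compare each account's .k5login with a canonical copy such as a CVS checkout and reinstall it where it is missing or has drifted). It runs against a constructed passwd file and home directories under a temporary directory; the account names, paths and principals are made up.

```shell
#!/bin/sh
# Added example, not code from the thread.  Two .k5login chores on one host,
# runnable locally against a constructed fixture:
#   find_principal_refs - the per-host half of the rsh loop: list every
#                         .k5login/.k5users under the passwd file's home dirs
#                         that still names a given principal.
#   reconcile_k5login   - the repository approach: compare each account's
#                         .k5login with a canonical copy (e.g. a CVS checkout)
#                         and reinstall it where it is missing or has drifted.
# Assumes POSIX sh, awk and cmp.  Accounts, paths and principals are made up.

# homes_from_passwd PASSWD_FILE [USER...]: print the home directory of each
# named user, or of every user when none is named.
homes_from_passwd() {
    _pw=$1; shift
    awk -F: -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) sel[w[i]] = 1 }
        n == 0 || ($1 in sel) { print $6 }' "$_pw"
}

# find_principal_refs PRINCIPAL PASSWD_FILE: print each .k5login/.k5users that
# lists PRINCIPAL as a whole entry.  Comparing field 1 (not a substring) keeps
# rodger@FNAL.GOV from matching rodgers@FNAL.GOV and also handles the
# .k5users form "principal [command ...]".
find_principal_refs() {
    homes_from_passwd "$2" | while IFS= read -r _home; do
        for _f in "$_home/.k5login" "$_home/.k5users"; do
            if [ -r "$_f" ] &&
               awk -v p="$1" '$1 == p { hit = 1; exit } END { exit !hit }' "$_f"; then
                printf '%s\n' "$_f"
            fi
        done
    done
}

# reconcile_k5login CANONICAL PASSWD_FILE INSTALL USER...: print "<user> <state>"
# with state ok|missing|drift|nosuchuser.  With INSTALL=yes, copy CANONICAL into
# place (mode 0644: readable by the login/ksu check, writable only by the
# owner) wherever it is missing or has drifted.  Run it as the account that
# owns the file, or as root, so ownership comes out right.
reconcile_k5login() {
    _canon=$1; _passwd=$2; _install=$3; shift 3
    for _user in "$@"; do
        _home=$(homes_from_passwd "$_passwd" "$_user")
        if [ -z "$_home" ]; then
            printf '%s nosuchuser\n' "$_user"; continue
        fi
        _f="$_home/.k5login"
        if [ ! -e "$_f" ]; then _state=missing
        elif cmp -s "$_canon" "$_f"; then _state=ok
        else _state=drift
        fi
        if [ "$_install" = yes ] && [ "$_state" != ok ]; then
            cp "$_canon" "$_f" && chmod 0644 "$_f"
        fi
        printf '%s %s\n' "$_user" "$_state"
    done
}

# make_fixture DIR: build a constructed passwd file and home directories under
# DIR and print the passwd file's path.
make_fixture() {
    _root=$1
    for _u in root alice bob oss; do mkdir -p "$_root/home/$_u"; done
    {
        printf 'root:x:0:0::%s/home/root:/bin/sh\n' "$_root"
        printf 'alice:x:1001:1001::%s/home/alice:/bin/sh\n' "$_root"
        printf 'bob:x:1002:1002::%s/home/bob:/bin/sh\n' "$_root"
        printf 'oss:x:1003:1003::%s/home/oss:/bin/sh\n' "$_root"
    } > "$_root/passwd"
    printf 'rodger@FNAL.GOV\njoeshmoe@FNAL.GOV\n' > "$_root/home/root/.k5login"
    printf 'rodgers@FNAL.GOV\n' > "$_root/home/alice/.k5login"              # near miss
    printf 'rodger@FNAL.GOV /usr/bin/id\n' > "$_root/home/bob/.k5users"
    printf 'rodger@FNAL.GOV\njoeshmoe@FNAL.GOV\n' > "$_root/home/oss/.k5login"  # stale copy
    printf 'joeshmoe@FNAL.GOV\n' > "$_root/canonical.k5login"               # Rodger removed
    printf '%s\n' "$_root/passwd"
}

# Demonstration on the fixture: audit first, then a dry-run reconcile.
demo_dir=$(mktemp -d)
demo_passwd=$(make_fixture "$demo_dir")
echo "files still naming rodger@FNAL.GOV:"
find_principal_refs rodger@FNAL.GOV "$demo_passwd"
echo "reconcile (dry run):"
reconcile_k5login "$demo_dir/canonical.k5login" "$demo_passwd" no oss bob
rm -rf "$demo_dir"
```

On a real host the fixture is replaced by /etc/passwd and the checkout path; run from the cron job Lauri describes, reconcile_k5login with INSTALL=yes is the nightly "cvs update" step, and find_principal_refs is the after-the-fact check that the departed principal is really gone, .k5users included.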
From kreymer@fnal.gov Thu Apr 12 09:40:24 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA28790 for ; Thu, 12 Apr 2001 09:40:24 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GOKORAB2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 09:40:23 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012562A@listserv.fnal.gov>; Thu, 12 Apr 2001 09:40:23 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 137980 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 09:40:23 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125629@listserv.fnal.gov>; Thu, 12 Apr 2001 09:40:23 -0500 Received: from fndapr.fnal.gov ([131.225.84.56]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00HPTORA0I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 09:40:22 -0500 (CDT) Received: from fnal.gov (localhost [127.0.0.1]) by fndapr.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA08087; Thu, 12 Apr 2001 09:40:21 -0500 Date: Thu, 12 Apr 2001 09:40:21 -0500 From: "Isabeau's mom" Subject: Re: Group Principles Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: Matt Crawford , Troy Dawson , kerberos-pilot@fnal.gov Message-id: <3AD5BE55.1FFB2AC3@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200104121409.JAA03896@gungnir.fnal.gov> <3AD5BBEE.371FDD8B@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1159 "Laurelin of Middle Earth, 630-840-2214" wrote: > hi, so here is my 4 
cents (inflation) about using group accounts or projects from the enstore perspective.

there is a login account on the enstore machines by the name of enstore. this account is used by many people to admin enstore on the various nodes on which it runs. we have a project principal for enstore. when i installed kerberos on these machines, i did a kadmin once on each node to get a keytab file for the enstore account. i also created .k5login files which contain the names of all the people that need to be logged in as enstore at some point. these people all have personal kerberos principals. then when any of these people need to login as enstore, they first login as themselves (which may or may not involve entering a kerberos password) and then do a 'ksu enstore' which will allow them to become enstore without entering any passwords. we also maintain our .k5login file in cvs.

i would be happy to discuss this with anyone else if i have not said things clearly.

eileen

> Here in the SAM project, we face similar difficulties, though not for
> the 'root' account (but for other similar types of accounts).
>
> We have had to jump through a number of hoops, and some of what you
> say below doesn't correspond to what I've been told by Powerful People,
> (i.e., our sysadmins), so I'd like to review what we've done and what
> we're planning and find out how many of these hoops are completely
> bureaucratic and how many are real.
>
> FIRST, we've been required to use special
> username/root@PILOT.FNAL.GOV
>
> principals in the .k5login file for these 'shared' accounts. Note that
> the 'root' in 'username/root@PILOT.FNAL.GOV' has nothing to do
> with the 'root' account on the system, it was just a poorly chosen
> symbol to represent a different principal on the KDC, one which is
> NOT forwardable and has a shorter lifetime. I'd prefer to call it
> 'username/alt' or 'username/special' or something. But they didn't
> ask me.
>
> This has been a major pain in the butt, and seems counterintuitive
> to the whole "log in once and everybody knows who you are" concept
> of kerberos. All of our SAM-admin collaborators now have to have
> TWO principals, one of which is their "real" account and the other
> for doing "SAM" things. They need to remember to
>
> kinit username/root@PILOT.FNAL.GOV
>
> from an encrypted window before they can "ksu sam" or telnet into
> the sam account on another node.
>
> IS THIS REALLY NECESSARY?!?! (It's not just the sam account;
> it includes accounts for product maintenance, web server
> maintenance, cron job maintenance, etc.) Seems to me that by
> forcing people to re-kinit you are opening up the possibility
> of a whole lot more passwords-in-the-clear over the net. It's
> easy to remember to log in originally on an encrypted window.
> Once you're logged in, and doing your work in Xterm windows
> which are NOT encrypted, it's much more painful to remember
> to go back to that original encrypted window to change
> accounts. (I come from an NT box, using WRQ, which may put
> me into a small category of users; but even if small, it
> is a significant fraction of our users... The WRQ window
> is useless except for the fact that it is encrypted. I do
> nothing in that window except for kinit; and because of that,
> the window is frequently logged out on my behalf because
> it is idle. My Xterms, where I really work, are not
> encrypted, but they don't get logged out because they
> aren't idle).
>
> SECOND: How to maintain the .k5login files.
>
> What we've chosen to do (but haven't implemented quite
> yet) is to place a .k5login file into a CVS repository.
> Set up a cron job running under the appropriate
> command to "cvs update" the .k5login file every night
> (or every hour, depends on how paranoid you are).
> Then
> you can update the CVS repository when Rodger leaves,
> and within [specified period of cron job] the .k5login
> files will all be updated to reflect the change.
>
> -- lauri
>
> Matt Crawford wrote:
> >
> > > Back when this kerberos stuff was starting up, they talked of this, and to me,
> > > this was one of its selling points. Now that I'm in a position that I want
> > > to set one of these up, I can't find the documentation for it. So I figure
> > > one of three things is happening. A) I just can't find the documentation, and
> > > I need to be pointed in the right direction B) this part of our kerberos stuff
> > > isn't set up yet (or just barely set up) and so there isn't documentation yet
> > > C) this was discovered to be a bad thing and we aren't supposed to do it.
> >
> > There are no principals for groups of people. There are principals
> > for "projects" which are treated like services except that they
> > happen to be more commonly authenticating as a Kerberos client to a
> > service than as a service to a client.
> >
> > > Let's say I'm part of a cluster called OSS, where I'm one of several system
> > > ... we sure that root has a .k5login file in it.
> > > ... the file could look like one of two things.
> > > either
> > > rodger@FNAL.GOV
> > > joeshmoe@FNAL.GOV
> > > blahblah@FNAL.GOV
> > > janejohnson@FNAL.GOV
> > > yadayada@FNAL.GOV
> > > or
> > > oss_group@FNAL.GOV
> > >
> > > ... Let's say that after working like this, as a group, for about
> > > 6 months, that Rodger gets this hankering to work underground, and so
> > > transfers over to the Beams Division.
> > > Depending on which path we chose before we will have to do one of two things.
> > > Change one single entry in the KDC database, stating that rodger isn't part of
> > > the oss_group.
> >
> > The KDC has no concept of one set of principals being "members" of
> > another principal.
> > The only way to get a TGT as "oss_group" would be
> > to have the password or the cryptocard for the oss_group principal.
> > Then when jolly Rodger leaves, you're left with the classic "get the
> > new password to everyone" problem.
> >
> > > Or track down each machine of the cluster and make sure that its
> > > .k5login file is changed, with the possibility that one or two
> > > computers get missed for a couple months (especially if rodger was
> > > the one who set them up)
> >
> > It's a simple matter like
> >
> >   for host in $cluster; do
> >     echo $host ...
> >     rsh -x -N -l root $host \
> >       awk -F: "'{print $6/.k5login, $6/.k5users}'" \| \
> >       xargs grep -s -l rodger@
> >   done
> >
> > (with possible augmentation for NIS and AFS) to examine all the
> > hosts' .k5login files for traces of your ex-colleague.
> >
> > If Rodger (and I do hope this is a fictional name!) parted on
> > friendly terms, your exposure due to a delay in tracking down every
> > last .k5login file is not a great worry. We trust our authorized
> > sysadmins and users. If there was acrimony, Rodger's principal has
> > been disabled in the KDC and you have oodles of time to purge it from
> > .k5login files.
> >
> > > So in short, how do I go about setting up, and maintaining, one of
> > > these group principles?
> >
> > You don't. The group principals we have, which I actually call
> > "project" principals, are something else entirely, and there are no
> > passwords for them, except for an initial moment, as for host/ and
> > ftp/ principals.

--
_\ | | /_ \\| ============================= |// ==O( ===== What do you want?
===== )O== _//| ============================= |\\_ / | | \ From kreymer@fnal.gov Thu Apr 12 09:42:26 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA28794 for ; Thu, 12 Apr 2001 09:42:26 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GHKOUPTW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 09:42:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125637@listserv.fnal.gov>; Thu, 12 Apr 2001 09:42:25 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 137996 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 09:42:25 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125636@listserv.fnal.gov>; Thu, 12 Apr 2001 09:42:25 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00GRBOUORD@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 09:42:24 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA04144 for ; Thu, 12 Apr 2001 09:42:24 -0500 (CDT) Date: Thu, 12 Apr 2001 09:42:24 -0500 From: Matt Crawford Subject: Re: Group Principles In-reply-to: "12 Apr 2001 09:30:06 CDT." <3AD5BBEE.371FDD8B@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200104121442.JAA04144@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1160 > we're planning and find out how many of these hoops are completely > beaurocratic and how many are real. 
>
> FIRST, we've been required to use special
> username/root@PILOT.FNAL.GOV

That's not mandated by the security goons, but is a facility provided
for use at the option of the sysadmins.

> This has been a major pain in the butt, and seems counterintuitive
> to the whole "log in once and everybody knows who you are" concept
> of kerberos. All of our SAM-admin collaborators now have to have
> TWO principals, one of which is their "real" account and the other
> for doing "SAM" things. They need to remember to
>
> kinit username/root@PILOT.FNAL.GOV
>
> from an encrypted window before they can "ksu sam" or telnet into
> the sam account on another node.
>
> IS THIS REALLY NECESSARY?!?!

Given the abysmal lack of concern for security in the SAM software
itself, it does seem awfully silly for them to get strict on this
point. But it's not for me to dictate. And all this has to do with
group principles, but not group principals.

> SECOND: How to maintain the .k5login files.
>
> What we've chosen to do (but haven't implemented quite
> yet) is to place a .k5login file into a CVS repository.
> Set up a cron job running under the appropriate
> command to "cvs update" the .k5login file every night
> (or every hour, depends on how paranoid you are). Then
> you can update the CVS repository when Rodger leaves,
> and within [specified period of cron job] the .k5login
> files will all be updated to reflect the change.

Please tell me (truthfully) that your CVS repository allows only
secure kerberized access and is not in NFS space! Otherwise an rdist
push from a trusted node would be infinitely preferable.
From kreymer@fnal.gov Thu Apr 12 10:13:24 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA28820 for ; Thu, 12 Apr 2001 10:13:24 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00363QAB2H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 10:13:24 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125889@listserv.fnal.gov>; Thu, 12 Apr 2001 10:13:23 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 138690 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 10:13:23 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125888@listserv.fnal.gov>; Thu, 12 Apr 2001 10:13:23 -0500 Received: from patnt2.fnal.gov ([131.225.84.37]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00HPEQAA66@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 10:13:22 -0500 (CDT) Received: from localhost (localhost [127.0.0.1]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA28816; Thu, 12 Apr 2001 10:13:22 -0500 Date: Thu, 12 Apr 2001 10:13:22 -0500 (CDT) From: Art Kreymer Subject: Re: Group Principles In-reply-to: <200104121409.JAA03896@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: Troy Dawson , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1161 >On Thu, 12 Apr 2001, Matt Crawford wrote: > It's a simple matter like > > for host in $cluster; do > echo $host ... 
> rsh -x -N -l root $host \ > awk -F: "'{print $6/.k5login, $6/.k5users}'" \| \ > xargs grep -s -l rodger@ > done Not when there are nearly 100 such systems scattered all around the world. The typical time to clean up any such global change is 1 or 2 weeks, months in some cases. From kreymer@fnal.gov Thu Apr 12 10:34:32 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA28848 for ; Thu, 12 Apr 2001 10:34:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00ILUQDJVG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 10:34:31 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125F77@listserv.fnal.gov>; Thu, 12 Apr 2001 10:33:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 140831 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 10:33:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00125F75@listserv.fnal.gov>; Thu, 12 Apr 2001 10:33:35 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO001EIR7Y6A@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 10:33:34 -0500 (CDT) Date: Thu, 12 Apr 2001 10:33:33 -0500 (CDT) From: "Marc W. 
Mengel" Subject: Re: Group Principles^H^H^Hals In-reply-to: <3AD5BBEE.371FDD8B@fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: Matt Crawford , Troy Dawson , kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1162

Just to clarify a few things that seem to be confused in the discussion so far:

First (a pet peeve), it's a kerberos "principal" not "principle". (Yeah, I know, "It's an uneducated man who cannot think of at least 5 ways to spell a word...") But it's the principle of the thing :-).

Forward: One does not need a group/project principal to have a shared account. If nothing needs to be kerberos authenticated as that account, no principal is needed, you can just put a .k5login or .k5users file on the account as needed, and rcp, rdist, rsync, or other tools can be used to synch up those files on multiple systems. Note that pretty much anyone currently allowed to login to the account can do this updating. So things like webserver accounts, products accounts, cvs repositories, etc. don't generally need a kerberos principal.

Backward: One does not need a shared account to have a group/project principal. If you have the keytab somewhere for the principal, anyone who can read that keytab can get a ticket as that principal with "kinit -t filename", whether or not there's a local UNIX account of that name. So you could have a keytab file somewhere readable by the appropriate folks, and they can get tickets for that principal, and use them to do things like kerberos rsh, get an afs token, etc.

However, we MUST resist the temptation to put such keytab files in AFS space or NFS space! The transport underlying these protocols is not encrypted, so any files stored that way go over the network in the clear!
Instead, if you need to make a keytab available to lots of folks in lots of places, use rcp -x to do an encrypted copy to local disk on the places where people need to use it; or put a PGP encrypted (or otherwise encrypted) copy of the keytab in the shared filesystem, and write a wrapper that decrypts it to local disk somewhere, and then does a "kinit -t filename" on the decrypted version -- then only folks who can PGP decrypt the file can get tickets as that principal. Marc From kreymer@fnal.gov Thu Apr 12 10:49:16 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA28854 for ; Thu, 12 Apr 2001 10:49:16 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO003DFRY35F@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 10:49:16 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00126067@listserv.fnal.gov>; Thu, 12 Apr 2001 10:49:15 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 141115 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 10:49:15 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00126066@listserv.fnal.gov>; Thu, 12 Apr 2001 10:49:15 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO003FBRY26K@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 10:49:14 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA04597 for ; Thu, 12 Apr 2001 10:49:14 -0500 (CDT) Date: Thu, 12 Apr 2001 10:49:14 -0500 From: Matt Crawford Subject: Re: Group Principles^H^H^Hals In-reply-to: "12 Apr 2001 10:33:33 CDT." 
Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: <200104121549.KAA04597@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1163 > ... > So things like webserver accounts, products accounts, cvs > repositories, etc. don't generally need a kerberos principal. Completely correct. I may have been assuming everyone knew that, but it helps to make sure we're all on the same page. > that keytab can get a ticket as that principal with "kinit -t filename", You need a "-k" in there as well. (And I left out a "/etc/passwd" or a "ypcat passwd |" in my previous off-the-cuff shell command.) > whether or not theres a local UNIX account of that name. > So you could have a keytab file somewhere readable by the appropriate > folks, and they can get tickets for that principal, and use them to do > things like kerberos rsh, get an afs token, etc. Of course such a keytab must never be created for a regular user principal or it becomes impossible to do an initial login as that principal, and darned difficult for the user to change the password back to something they know. > Instead, if you need to make a keytab available to lots of folks in > lots of places, use rcp -x to do an encrypted copy to local disk on > the places where people need to use it; ... Generally these principals have three-part names with the third being the hostname on which the keytab file will live. That way, if one host is compromised (or outright stolen) we can cancel all the principals whose keytabs are at risk. This is much better than replicating a single keytab all around. 
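Marc's suggestion above (keep the keytab PGP-encrypted on the shared filesystem and have a wrapper decrypt it to local disk before kinit), with Matt's two corrections folded in (kinit needs -k as well as -t, and one host-specific principal per keytab), written out as an added example. This is my code, not anything from the thread or from Fermilab. The encrypted-keytab path, the principal name sam/cron/node1.fnal.gov@FNAL.GOV, and gpg standing in for PGP are all assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): run one command with tickets for a
# project principal whose keytab lives PGP-encrypted on shared space.
# Assumed: the encrypted keytab path below, the host-specific principal
# sam/cron/node1.fnal.gov@FNAL.GOV, and gpg/kinit/kdestroy as the tools.

ENC_KEYTAB=${ENC_KEYTAB:-/afs/fnal.gov/files/code-managers/sam/node1.keytab.gpg}
PRINCIPAL=${PRINCIPAL:-sam/cron/node1.fnal.gov@FNAL.GOV}

# Remove the plaintext keytab and the ticket cache; called on every exit
# path, including signals delivered while the command is running.
_ktwrap_cleanup() {
    rm -rf "$local_dir"
    trap - EXIT INT TERM HUP
}

# run_as_project CMD...
# Decrypts the keytab to a private file on local disk, obtains tickets
# for PRINCIPAL into a private credential cache, runs CMD with that
# cache, and wipes both. Returns CMD's exit status, or 1 if setup failed.
run_as_project() {
    saved_umask=$(umask)
    umask 077                      # nothing we create is readable by others
    local_dir=$(mktemp -d /tmp/ktwrap.XXXXXX) || { umask "$saved_umask"; return 1; }
    keytab=$local_dir/keytab
    cache=$local_dir/ccache
    trap '_ktwrap_cleanup' EXIT INT TERM HUP

    # Only holders of the PGP key get past this line, and the plaintext
    # lands on local disk, never on AFS or NFS.
    gpg --batch --yes --quiet --output "$keytab" --decrypt "$ENC_KEYTAB" \
        || { _ktwrap_cleanup; umask "$saved_umask"; return 1; }

    # -k -t: authenticate with the keytab instead of a password prompt.
    # -c: a cache of our own, so CMD cannot touch the caller's tickets.
    kinit -k -t "$keytab" -c "$cache" "$PRINCIPAL" \
        || { _ktwrap_cleanup; umask "$saved_umask"; return 1; }

    # The key has done its job; do not leave it around while CMD runs.
    rm -f "$keytab"
    umask "$saved_umask"

    KRB5CCNAME="FILE:$cache" "$@"
    status=$?

    kdestroy -c "$cache" 2>/dev/null
    _ktwrap_cleanup
    return $status
}
```

A cron entry then reads something like "run_as_project /usr/local/bin/sam-nightly"; because the principal's third component names the host, losing that one node means disabling one principal in the KDC rather than re-keying every copy of a shared keytab.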
From kreymer@fnal.gov Thu Apr 12 11:09:39 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA28873 for ; Thu, 12 Apr 2001 11:09:39 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO008BXSW14O@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 11:09:38 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001260C3@listserv.fnal.gov>; Thu, 12 Apr 2001 11:09:38 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 141217 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 11:09:38 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001260C2@listserv.fnal.gov>; Thu, 12 Apr 2001 11:09:38 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GBO00B01SW1PO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 11:09:37 -0500 (CDT) Received: from physics.ucla.edu ([169.232.152.48]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO003KNSW06K@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 11:09:37 -0500 (CDT) Received: from [169.232.152.90] (benn.physics.ucla.edu [169.232.152.90]) by physics.ucla.edu (8.9.3/8.9.3) with ESMTP id JAA17577 for ; Thu, 12 Apr 2001 09:07:51 -0700 (PDT) Date: Thu, 12 Apr 2001 09:05:56 -0700 From: Benn Tannenbaum Subject: a Dilemma In-reply-to: <200104121549.KAA04597@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: 
RO X-Status: X-Keywords: X-UID: 1164 I am a remote user (UCLA), running Solaris 5.8. Until recently, I was outside our departmental firewalls. About 10 days ago I got pretty brutally hacked. I decided that I needed to be inside the departmental firewall. However, that means I can no longer do any meaningful work at FNAL. Why? 1) Our sysadmin refuses to open the necessary ports for me to do kinit-style Kerberos authentication. 2) If I use Cryptocard style authentication, I cannot get X packets to my machine, as it is behind the firewall. That means no editors, no event displays, no real debuggers, no on-line data monitoring, etc. 3) There's no other way to connect to fcdfsgi2. Any suggestions? Any large sticks I can use to convince our sysadmin to open the needed ports? This is a clear example of system administrators wanting to have a system that works, rather than a system that works for their users. -Benn From kreymer@fnal.gov Thu Apr 12 11:14:31 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA28879 for ; Thu, 12 Apr 2001 11:14:31 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO002N5T45K4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 11:14:30 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001260CD@listserv.fnal.gov>; Thu, 12 Apr 2001 11:14:30 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 141229 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 11:14:30 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001260CC@listserv.fnal.gov>; Thu, 12 Apr 2001 11:14:30 -0500 Received: from fnal.gov ([131.225.80.179]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id 
<0GBO002HTT45VZ@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 11:14:29 -0500 (CDT) Date: Thu, 12 Apr 2001 11:14:29 -0500 From: Joseph Boyd Subject: Re: a Dilemma Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: <3AD5D465.7060101@fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7bit X-Accept-Language: en User-Agent: Mozilla/5.0 (X11; U; Linux 2.2.16-3smp i686; en-US; 0.8) Gecko/20010216 References: Status: RO X-Status: X-Keywords: X-UID: 1165 There is work actively been done to add cryptocard support to ssh. That would mean that you could use your cryptocard to login and then tunnel the X traffic back through it. Doesn't help you right now I guess but it should be relatively soon... joe From kreymer@fnal.gov Thu Apr 12 11:22:44 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA28910 for ; Thu, 12 Apr 2001 11:22:44 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO002KTTHUVZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 11:22:43 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00126112@listserv.fnal.gov>; Thu, 12 Apr 2001 11:22:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 141319 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 11:22:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00126111@listserv.fnal.gov>; Thu, 12 Apr 2001 11:22:43 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBO00B4LTHUGA@smtp.fnal.gov> for 
kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 11:22:42 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA04844; Thu, 12 Apr 2001 11:22:39 -0500 (CDT) Date: Thu, 12 Apr 2001 11:22:39 -0500 From: Matt Crawford Subject: Re: a Dilemma In-reply-to: "12 Apr 2001 09:05:56 PDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Benn Tannenbaum Cc: kerberos-pilot@fnal.gov Message-id: <200104121622.LAA04844@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1166

> 1) Our sysadmin refuses to open the necessary ports for me to do
> kinit-style Kerberos authentication.

Does he/she understand how paradoxical that is?

> 2) If I use Cryptocard style authentication, I cannot get X packets to my
> machine, as it is behind the firewall. That means no editors, no event
> displays, no real debuggers, no on-line data monitoring, etc.
>
> 3) There's no other way to connect to fcdfsgi2.

If the fcdfsgi2 admin will update ssh there, you can use a vanilla
ssh client with your cryptocard and thereby get the familiar X
forwarding feature. Er, I'm assuming port 22 gets through your firewall!

> Any suggestions? Any large sticks I can use to convince our
> sysadmin to open the needed ports?

I can give you a list of the ports you need. kinit needs to send and
receive UDP on a random high-numbered port on your end and port 88 on
our end. kpasswd needs to connect a random high-numbered TCP port on
your end to port 749 on our end. Ask the firewall admin to explain why
these are any greater risk than the ports already open.

> This is a clear example of system administrators wanting to have a
> system that works, rather than a system that works for their users.

If the system is in such a state as to preclude your getting your work
done, it might as well have been trashed by script-kiddies.
From kreymer@fnal.gov Thu Apr 12 17:12:27 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA29494 for ; Thu, 12 Apr 2001 17:12:27 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBP005NF9OPDG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Apr 2001 17:12:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012684D@listserv.fnal.gov>; Thu, 12 Apr 2001 17:12:25 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 143371 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 12 Apr 2001 17:12:25 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012684C@listserv.fnal.gov>; Thu, 12 Apr 2001 17:12:25 -0500 Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBP00D5Y9OP7D@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 12 Apr 2001 17:12:25 -0500 (CDT) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id RAA27752; Thu, 12 Apr 2001 17:12:22 -0500 (CDT) Date: Thu, 12 Apr 2001 17:12:22 -0500 (CDT) From: Tim Zingelman Subject: Re: a Dilemma In-reply-to: <200104121622.LAA04844@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Cc: Matt Crawford Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1167 > > 3) There's no other way to connect to fcdfsgi2. > > If the fcdfsgi2 admin will update ssh there, you can use a vanilla > ssh client with your cryptocard and thereby get the familiar X > forwarding feature. 
> Er, I'm assuming port 22 gets through your
> firewall!

So the current fermi sshd works with cryptocard now? (a previous message implied that it didn't yet... but would later...)

I was going to just try it rather than ask, but I do not seem to have permission to get it (from on-site):

$ ftp ftp.fnal.gov
...
230-You are registered to retrieve files from the UNIX kits area.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /products/ssh/v1_2_27d/SunOS+5
250 CWD command successful.
ftp> dir
200 PORT command successful.
150 Opening ASCII mode data connection for directory listing.
total 28442
drwxrwx---   3 100      997          512 Apr  6 14:07 ssh_v1_2_27d_SunOS+5
-rw-rw-r--   1 100      997         1263 Apr  6 14:07 ssh_v1_2_27d_SunOS+5.table
-rw-rw----   1 100      997         1263 Mar 23 09:00 ssh_v1_2_27d_SunOS+5.table.old
-rw-rw----   1 100      997     14397440 Apr  6 14:06 ssh_v1_2_27d_SunOS+5.tar
-rw-rw----   1 100      997       137728 Apr  6 14:08 ssh_v1_2_27d_SunOS+5.ups.tar
226 Transfer complete.
ftp> get ssh_v1_2_27d_SunOS+5.tar
local: ssh_v1_2_27d_SunOS+5.tar remote: ssh_v1_2_27d_SunOS+5.tar
200 PORT command successful.
550 ssh_v1_2_27d_SunOS+5.tar: Permission denied.
ftp> - Tim From kreymer@fnal.gov Fri Apr 13 10:28:03 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA28088 for ; Fri, 13 Apr 2001 10:28:03 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBQ00GQALMQKX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 13 Apr 2001 10:28:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001271F8@listserv.fnal.gov>; Fri, 13 Apr 2001 10:28:02 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146117 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 13 Apr 2001 10:28:02 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001271F7@listserv.fnal.gov>; Fri, 13 Apr 2001 10:28:02 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GBQ00GOZLMPKY@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 13 Apr 2001 10:28:01 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA10217; Fri, 13 Apr 2001 10:28:01 -0500 (CDT) Date: Fri, 13 Apr 2001 10:28:01 -0500 From: Matt Crawford Subject: Re: a Dilemma In-reply-to: "12 Apr 2001 17:12:22 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: kerberos-pilot@fnal.gov Message-id: <200104131528.KAA10217@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1168 > 550 ssh_v1_2_27d_SunOS+5.tar: Permission denied. I get the same error now. Beats me, unless this is a method Jim used to disabled access due to the bug he found, pending a fixed version coming some, presumably to be called v1_2_27e. 
From kreymer@fnal.gov Fri Apr 13 11:22:39 2001 -0500
Date: Fri, 13 Apr 2001 11:22:35 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: a Dilemma
In-reply-to: <200104131528.KAA10217@gungnir.fnal.gov>
To: Matt Crawford
Cc: Tim Zingelman, kerberos-pilot@fnal.gov

Since sshd is still a non-export product, you have to use the ftp server
on port 9021 to get it; i.e. ftp ftp.fnal.gov 9020 or URL
ftp://fnkits.fnal.gov:9021/ftp/products/ssh/v1_2_27d/... via ftp.

upd knows to do this automatically, since that's how the Archive File
entry for the product is listed.

Marc

On Fri, 13 Apr 2001, Matt Crawford wrote:

> Date: Fri, 13 Apr 2001 10:28:01 -0500
> From: Matt Crawford
> To: Tim Zingelman
> Cc: kerberos-pilot@fnal.gov
> Subject: Re: a Dilemma
>
> > 550 ssh_v1_2_27d_SunOS+5.tar: Permission denied.
>
> I get the same error now. Beats me, unless this is a method Jim used
> to disable access due to the bug he found, pending a fixed version
> coming soon, presumably to be called v1_2_27e.
>

From kreymer@fnal.gov Mon Apr 16 10:53:13 2001 -0500
Date: Mon, 16 Apr 2001 10:53:11 -0500
From: ARSystem
Subject: 000000000017797 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761559F6@csdserver2.fnal.gov>

CRAWFORD, MATT,

Help Desk Ticket #000000000017797 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description : Kerberos x ssh

Badge # (+) : 08172V
First Name : JOSE GUILHERME
Last Name (+) : LIMA
Phone : 2454
E-Mail Address : LIMA@FNAL.GOV
Incident Time : 4/16/01 10:40:02 AM
System Name : D0MINO
Urgency : Medium

Public Work Log :
4/16/01 10:52:19 AM trb
Matt, would you care to answer this one please ?

Problem Description :
Hi,

Since Kerberos has been used extensively in D0, I have been using my
Cryptocard to log into d0mino without problems, using common,
unencrypted telnet.

However, I was told that logging on via unencrypted telnet is not as
safe as using ssh, as somebody could intercept my unencrypted IP packets
and do a man-in-the-middle attack, dropping my connection and pretending
to be me for d0mino.

Is this true? So why has the use of ssh been disabled? How come it is
not safer to use an unencrypted session (ssh + portal mode) than an
unencrypted one (telnet + portal mode)?

Thanks,
Guilherme

From kreymer@fnal.gov Mon Apr 16 11:24:24 2001 -0500
Date: Mon, 16 Apr 2001 11:24:21 -0500
From: Matt Crawford
Subject: Re: 000000000017797 Assigned to CRAWFORD, MATT.
In-reply-to: "16 Apr 2001 10:53:11 CDT." <318CC3D38BE0D211BB1200105A093F761559F6@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200104161624.LAA23007@gungnir.fnal.gov>

> Since Kerberos has been used extensively in D0,
> I have been using my Cryptocard to log into d0mino
> without problems, using common, unencrypted telnet.
> However, I was told that logging on via unencrypted
> telnet is not as safe as using ssh, as somebody could
> intercept my unencrypted IP packets and do a man-in-
> the-middle attack, dropping my connection and pretending
> to be me for d0mino.
>
> Is this true?

Most of what you wrote is true, but not all. It's a little-known fact
that man-in-the-middle attacks are also possible against ssh, although
they are more difficult. Toolkits already available to the "script
kiddies" can let them get into the middle of your ssh connection,
although the required skill level for such an attack against ssh -- or
even telnet -- is still a little higher than the commonly-seen attacks.
And if you are carefully observant there's little or no chance of
someone getting at your telnet or ssh session in this way without you
noticing something wrong.

> So why has the use of ssh been disabled? How come it is not
> safer to use an unencrypted session (ssh + portal mode) than an
> unencrypted one (telnet + portal mode)?

Ssh is still allowed, but I do not know whether the portal mode version
of the ssh server has been installed on d0mino. That version works but
is not quite in its final form on the products server.
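Matt's point that an observant user can notice an ssh man-in-the-middle comes down to the host key check: the client compares the key the server presents with the key it recorded on first contact, and a changed key for a known host is the signal. As an added example (not code from the thread, nor from the Fermilab ssh product), here is that comparison in Python over an OpenSSH-style known_hosts file, covering both plain and hashed hostname entries; the host names are the ones from the thread, while the key bytes, salt and known_hosts lines are constructed placeholders.

```python
import base64
import hashlib
import hmac


def fingerprint(key_blob: bytes) -> str:
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob (unpadded base64)."""
    digest = hashlib.sha256(key_blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hash_hostname(host: str, salt: bytes) -> str:
    """Build a hashed known_hosts host field: |1|<salt>|<HMAC-SHA1(salt, host)>."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field (plain, comma-separated, or hashed) names host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|", 3)
        expected = base64.b64decode(mac_b64)
        actual = hmac.new(base64.b64decode(salt_b64), host.encode(),
                          hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in field.split(",")


def verify_host_key(known_hosts: str, host: str, keytype: str, key_blob: bytes) -> str:
    """Compare the key a server presents with what known_hosts recorded for it.

    Returns "match" (same key as before), "unknown" (no key of this type
    recorded for the host: first contact, the moment to check the fingerprint
    out of band) or "mismatch" (a key of this type was recorded and differs:
    the classic sign of an interposed host, which a client must refuse).
    """
    presented = base64.b64encode(key_blob).decode()
    seen_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked marker lines.
        if len(parts) < 3 or parts[0].startswith("#") or parts[0].startswith("@"):
            continue
        hosts, ktype, key_b64 = parts[0], parts[1], parts[2]
        if ktype != keytype or not host_matches(hosts, host):
            continue
        seen_type = True
        if hmac.compare_digest(key_b64, presented):
            return "match"
    return "mismatch" if seen_type else "unknown"


# Constructed sample data: the host names are the ones from the thread, but the
# key bytes are placeholders standing in for real RSA key blobs.
RECORDED_KEY = b"constructed placeholder for the key d0mino presented at first contact"
IMPOSTOR_KEY = b"constructed placeholder for a different key presented later"
SALT = bytes(range(20))  # fixed so the hashed entry below is reproducible

KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts: one plain entry, one with a hashed hostname",
    "d0mino.fnal.gov,d0mino ssh-rsa " + base64.b64encode(RECORDED_KEY).decode(),
    hash_hostname("fcdfsgi2.fnal.gov", SALT) + " ssh-rsa "
    + base64.b64encode(RECORDED_KEY).decode(),
])


def check(host: str, key_blob: bytes) -> str:
    """Run the known_hosts comparison for an ssh-rsa key against the sample file."""
    return verify_host_key(KNOWN_HOSTS, host, "ssh-rsa", key_blob)


if __name__ == "__main__":
    for host, key in [("d0mino", RECORDED_KEY),
                      ("d0mino.fnal.gov", IMPOSTOR_KEY),
                      ("fcdfsgi2.fnal.gov", RECORDED_KEY),
                      ("nowhere.invalid", RECORDED_KEY)]:
        print("%-20s %s  -> %s" % (host, fingerprint(key), check(host, key)))
```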
From kreymer@fnal.gov Mon Apr 16 11:48:37 2001 -0500
Date: Mon, 16 Apr 2001 11:48:35 -0500
From: Joseph Boyd
Subject: Re: 000000000017797 Assigned to CRAWFORD, MATT.
To: Matt Crawford
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <3ADB2263.6010701@fnal.gov>
References: <200104161624.LAA23007@gungnir.fnal.gov>

It isn't on there yet but is a priority. I need to talk to Jim again and
see what the status is and then do a little testing.

joe

> Ssh is still allowed, but I do not know whether the portal mode
> version of the ssh server has been installed on d0mino. That version
> works but is not quite in its final form on the products server.

From kreymer@fnal.gov Mon Apr 16 12:05:45 2001 -0500
Date: Mon, 16 Apr 2001 12:05:31 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 17642
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76155A3A@csdserver2.fnal.gov>

This reminder created on 4/16/01 12:03:20 PM

Ticket 17642 has been assigned to you. This is a reminder that the
ticket is not yet resolved.

Status : Assigned
First Name : JOE
Last Name (+) : BOYD
Phone : 8275
E-Mail Address : BOYD@FNAL.GOV
Incident Time : 4/6/01 1:31:16 PM
System Name : D0MINO
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : kerberos and lsf interoperability problem

Problem Description :
Please assign this to Matt Crawford.

I do this on d0mino:

d0mino 1:17pm ~ 1 > echo $KRB5CCNAME
FILE:/tmp/krb5cc_p48900313
d0mino 1:17pm ~ 2 > bsub -I 'echo $KRB5CCNAME'
Job <92327> is submitted to default queue .
<>
<>
FILE:/tmp/krb5cc_p6151912
d0mino 1:18pm ~ 3 >

As you can see, the KRB5CCNAME variable changed in the LSF job. Whether
you run interactively or in a script the behaviour is always the same.
The problem is that it seems to be the same for everyone. If some other
user submits a job they will get the same name for KRB5CCNAME.

Matt, here is the specific question. Can you think of any way the
kerberos stuff we have installed would do this? What stuff from the
kerberos package would set the KRB5CCNAME environment variable at all?
kinit, kcron, ...??? I don't know where else to look. The latest thing
that LSF folks have told me (after about two weeks of back and forth) is
that they don't change the KRB5CCNAME variable. I don't believe them but
since that is what they have told me I am looking elsewhere. I can't
find anywhere that it is getting set/changed in startup scripts. The
kerberos package doesn't even replace /bin/login on install so I can't
imagine any of our kerberos stuff is being called. Same behaviour on LSF
3.2.2 and 4.1. Same behaviour on Irix and Linux. The file name that does
get set seems to change over a day's time but at any particular time,
multiple users seem to get the same name set.

Thanks,
joe

From kreymer@fnal.gov Mon Apr 16 12:06:27 2001 -0500
Date: Mon, 16 Apr 2001 12:05:46 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76155A77@csdserver2.fnal.gov>

This reminder created on 4/16/01 12:03:56 PM

Ticket 16559 has been assigned to you. This is a reminder that the
ticket is not yet resolved.

Status : Assigned
First Name : DANE
Last Name (+) : SKOW
Phone : 4730
E-Mail Address : DANE@FNAL.GOV
Incident Time : 2/7/01 5:02:09 PM
System Name : UNFERTH
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : expiring password and screensaver

Problem Description :
I just ran into something that may be a minor wave of confusion: my
password expired and this means your screensaver lock breaks. Since I
run a Linux screensaver and have the KRB5 PAM module installed it
refreshes my kerberos ticket (actually gets a new one) every time I
unlock my screensaver. This has the nice feature that I very rarely have
to relogin to my box or do an explicit kinit. However, since there is no
error message from the screensaver (other than refusal to unlock)
figuring out the cause of the problem took a little bit. The error
message on an explicit kinit was crystal clear once I thought to issue
that.

I saw no reminder that my password was nearly expired. Is there any
mechanism in place now ? planned ?

At a minimum, we should add this to the helpdesk usual answers (like
caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon Apr 16 12:14:13 2001 -0500
Date: Mon, 16 Apr 2001 12:14:10 -0500
From: ARSystem
Subject: CRAWFORD, MATT #17797 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76155AA2@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000017797 has been resolved on 4/16/01 12:09:18 PM

Resolution Timestamp : 4/16/01 11:24:07 AM
Solution Category : Information Request
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Kerberos x ssh

Solution :
> Since Kerberos has been used extensively in D0,
> I have been using my Cryptocard to log into d0mino
> without problems, using common, unencrypted telnet.
> However, I was told that logging on via unencrypted
> telnet is not as safe as using ssh, as somebody could
> intercept my unencrypted IP packets and do a man-in-
> the-middle attack, dropping my connection and pretending
> to be me for d0mino.
>
> Is this true?

Most of what you wrote is true, but not all. It's a little-known fact
that man-in-the-middle attacks are also possible against ssh, although
they are more difficult. Toolkits already available to the "script
kiddies" can let them get into the middle of your ssh connection,
although the required skill level for such an attack against ssh -- or
even telnet -- is still a little higher than the commonly-seen attacks.
And if you are carefully observant there's little or no chance of
someone getting at your telnet or ssh session in this way without you
noticing something wrong.

> So why has the use of ssh been disabled? How come it is not
> safer to use an unencrypted session (ssh + portal mode) than an
> unencrypted one (telnet + portal mode)?

Ssh is still allowed, but I do not know whether the portal mode version
of the ssh server has been installed on d0mino. That version works but
is not quite in its final form on the products server.

Problem Description :
Hi,

Since Kerberos has been used extensively in D0, I have been using my
Cryptocard to log into d0mino without problems, using common,
unencrypted telnet.

However, I was told that logging on via unencrypted telnet is not as
safe as using ssh, as somebody could intercept my unencrypted IP packets
and do a man-in-the-middle attack, dropping my connection and pretending
to be me for d0mino.

Is this true? So why has the use of ssh been disabled? How come it is
not safer to use an unencrypted session (ssh + portal mode) than an
unencrypted one (telnet + portal mode)?

Thanks,
Guilherme

From kreymer@fnal.gov Mon Apr 16 12:34:12 2001 -0500
Date: Mon, 16 Apr 2001 12:34:00 -0500 (CDT)
From: "Randolph J. Herber"
Subject: Re: installing Linux on IBM thinkpad with Windows 2000 existing
To: Connie Sieh, Yen-Chu Chen
Cc: linux-users@fnal.gov
Reply-to: "Randolph J. Herber"
Message-id: <200104161734.MAA45350@dcdrjh.fnal.gov>

The following header lines retained to effect attribution:

|Date: Mon, 16 Apr 2001 10:54:38 -0500 (CDT)
|From: Yen-Chu Chen
|Subject: Re: installing Linux on IBM thinkpad with Windows 2000 existing
|To: Connie Sieh
|Cc: linux-users@fnal.gov

|Dear Connie,

|> So what did you do to get it to install?

|    I went into the 'expert' mode while installing the Linux. This way
|allows me to use fdisk instead of diskdruid only. I did check the
|partitions and make sure that the partition where the linux was to be
|installed had 1024 cylinders. The second time I tried it, I simply used
|the normal procedure since the partition was already there.
|    Just for your information, the partitions were,
|    3 GB for Windows 2000 system
|    3 GB for Windows 2000 users
|    128 MB, Linux swap
|    The rest about 13 GB is for Linux, including the system and
|    home area
|    Both installations went through smoothly. It's just that after the
|installation completed, the computer came up with Windows 2000 only.
|'lilo' didn't take the position when booting up.

|    Best regards, Yen-Chu Chen
|    chenyc@fnal.gov
|    Office: (630) 840-3225, FAX: (630) 840-3867
|    (886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

May I make a suggestion of a different partition layout that addresses
much of the boot-partition-too-large problem.

    3 GB for Windows 2000 system
    8 MB for Linux /boot directory and partition
    3 GB for Windows 2000 users
    2 GB for Linux / partition
    128 MB for Linux swap partition
    11 GB for Linux user area.

The important points are that the small /boot partition should be within
the 1024 block boundary and that the Linux system material and the Linux
user materials are separated so that a Linux upgrade by system
replacement does not have to be traumatic.

Randolph J. Herber, herber@fnal.gov, +1 630 840 2966, CD/CDFTF PK-149F,
Mail Stop 318, Fermilab, Kirk & Pine Rds., PO Box 500, Batavia, IL
60510-0500, USA.
(Speaking for myself and not for US, US DOE, FNAL nor URA.)
(Product, trade, or service marks herein belong to their respective owners.)

From kreymer@fnal.gov Mon Apr 16 13:24:05 2001 -0500
Date: Mon, 16 Apr 2001 13:24:02 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT, Reminder for 17642
In-reply-to: "16 Apr 2001 12:05:31 CDT." <318CC3D38BE0D211BB1200105A093F76155A3A@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200104161824.NAA23586@gungnir.fnal.gov>

Joe Boyd reported to me that the offending variable was indeed inherited
from the startup of the LSF process. He and the vendor are batting back
and forth the question of the desired behavior and how to make it
happen. I think the ticket can be closed.

From kreymer@fnal.gov Mon Apr 16 13:31:28 2001 -0500
Date: Mon, 16 Apr 2001 13:31:24 -0500
From: ARSystem
Subject: CRAWFORD, MATT #17642 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76155AC6@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000017642 has been resolved on 4/16/01 1:27:34 PM

Resolution Timestamp : 4/16/01 1:24:06 PM
Solution Category : Software Problem/Bug
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : kerberos and lsf interoperability problem

Solution :
Joe Boyd reported to me that the offending variable was indeed inherited
from the startup of the LSF process. He and the vendor are batting back
and forth the question of the desired behavior and how to make it
happen. I think the ticket can be closed.

Problem Description :
Please assign this to Matt Crawford.

I do this on d0mino:

d0mino 1:17pm ~ 1 > echo $KRB5CCNAME
FILE:/tmp/krb5cc_p48900313
d0mino 1:17pm ~ 2 > bsub -I 'echo $KRB5CCNAME'
Job <92327> is submitted to default queue .
<>
<>
FILE:/tmp/krb5cc_p6151912
d0mino 1:18pm ~ 3 >

As you can see, the KRB5CCNAME variable changed in the LSF job. Whether
you run interactively or in a script the behaviour is always the same.
The problem is that it seems to be the same for everyone. If some other
user submits a job they will get the same name for KRB5CCNAME.

Matt, here is the specific question. Can you think of any way the
kerberos stuff we have installed would do this? What stuff from the
kerberos package would set the KRB5CCNAME environment variable at all?
kinit, kcron, ...??? I don't know where else to look. The latest thing
that LSF folks have told me (after about two weeks of back and forth) is
that they don't change the KRB5CCNAME variable. I don't believe them but
since that is what they have told me I am looking elsewhere. I can't
find anywhere that it is getting set/changed in startup scripts. The
kerberos package doesn't even replace /bin/login on install so I can't
imagine any of our kerberos stuff is being called. Same behaviour on LSF
3.2.2 and 4.1. Same behaviour on Irix and Linux. The file name that does
get set seems to change over a day's time but at any particular time,
multiple users seem to get the same name set.

Thanks,
joe

From kreymer@fnal.gov Tue Apr 17 13:51:00 2001 -0500
Date: Tue, 17 Apr 2001 13:50:38 -0500
From: Matt Crawford
Subject: better warning of password expiration
To: kerberos-announce@fnal.gov
Message-id: <200104171850.NAA00663@gungnir.fnal.gov>
Status: RO X-Status: X-Keywords: X-UID:
The kinit command, when used with a password to get an initial ticket, will now warn you if your password has less than 30 days remaining before its expiration. You do not have to install a new version of the software to get this effect. A password expiration warning upon console or cryptocard login will have to wait for the next software version, coming within two weeks or so.

From kreymer@fnal.gov Tue Apr 17 15:00:26 2001 -0500
Date: Tue, 17 Apr 2001 15:00:24 -0500 (CDT)
From: Tim Zingelman
Subject: kerberos 4 from TGV-Multinet on VAX/VMS
To: kerberos-pilot@fnal.gov

Has anyone looked at interoperating with kerberos 4 from TGV-Multinet on VAX/VMS? Or should we just shove all these (60+) nodes behind a firewall and call it a day?

And before anyone asks... yes, you can volunteer to help porting the 925 applications, 85 services and 36 libraries from VAX Fortran & VAX C with a custom X11 gui library into our new java framework :)

- Tim

From kreymer@fnal.gov Tue Apr 17 15:27:45 2001 -0500
Date: Tue, 17 Apr 2001 15:27:42 -0500
From: Matt Crawford
Subject: Re: kerberos 4 from TGV-Multinet on VAX/VMS
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov

> Has anyone looked at interoperating with kerberos 4 from TGV-Multinet on
> VAX/VMS? or should we just shove all these (60+) nodes behind a firewall
> and call it a day?

In theory the Kerberos 5-to-4 compatibility we have is supposed to let V5 clients get at V4 services. In practice, nobody here has yet had the bad taste to want to try it or the bad luck to have to. If you want to be the Cavia porcellus, just ask for the usual service principals and have a gander at krb524init.

From kreymer@fnal.gov Thu Apr 19 10:18:06 2001 -0500
Date: Thu, 19 Apr 2001 10:18:03 -0500 (CDT)
From: Steven Timm
Subject: kinit
To: kerberos-pilot@fnal.gov

Is there any way to make kinit smart enough to detect that it is being invoked from within either a kerberos telnet session that isn't encrypted, or a portal-mode cryptocard telnet session -- and then refuse to run?

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Apr 19 10:34:58 2001 -0500
Date: Thu, 19 Apr 2001 10:34:55 -0500 (CDT)
From: Dane Skow
Subject: Re: kinit
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

Actually, is it easier/sufficient to have it run only from securettys? Is there a CryptoCard equivalent for kinit that could be used for the other cases?

dane

On Thu, 19 Apr 2001, Steven Timm wrote:
> Is there any way to make kinit smart enough to detect that it is
> being invoked from within either a kerberos telnet session
> that isn't encrypted, or a portal-mode cryptocard telnet session--
> and then refuse to run?
>
> Steve

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Apr 19 10:42:00 2001 -0500
Date: Thu, 19 Apr 2001 10:41:58 -0500 (CDT)
From: Steven Timm
Subject: Re: kinit
To: Dane Skow
Cc: kerberos-pilot@fnal.gov

On Thu, 19 Apr 2001, Dane Skow wrote:
>
> Actually is it easier/sufficient to have it run only from securettys ?
>

There are a number of cases where kinit is reading a keytab file in a non-interactive job. These could obviously be run from anywhere. There are some interactive cases where root has to go to a remote node and then kinit (or kadmin) with a different principal than what it came in with -- these are usually but not always based on a keytab.

> Is there a CryptoCard equivalent for kinit that could be used for
> the other cases ?
>

I think in the long run this will be necessary and it is obviously possible, because wrq can do that. Ditto for kpasswd.

Steve

> dane
>
> On Thu, 19 Apr 2001, Steven Timm wrote:
>
> > Is there any way to make kinit smart enough to detect that it is
> > being invoked from within either a kerberos telnet session
> > that isn't encrypted, or a portal-mode cryptocard telnet session--
> > and then refuse to run?
> >
> > Steve
>
> Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Thu Apr 19 13:13:46 2001 -0500
Date: Thu, 19 Apr 2001 13:13:42 -0500
From: Matt Crawford
Subject: Re: kinit
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

> Is there any way to make kinit smart enough to detect that it is
> being invoked from within either a kerberos telnet session
> that isn't encrypted, or a portal-mode cryptocard telnet session--
> and then refuse to run?

Not reliably, no. And the trouble with unreliable methods is that if they err on the permissive side, they don't do much good and may engender a false sense of security, while if they err on the strict side, users will be forced to learn to circumvent them.

> Is there a CryptoCard equivalent for kinit that could be used for
> the other cases ?

About a year ago I put that on my to-do list, and a couple of days afterward I crossed it off. It's a Hard Problem. Here's why:

The KDC has to deliver the credential encrypted, otherwise an eavesdropper can simply steal it. Normally, the password itself provides the decryption key. In portal mode, the login.krb5 program or ftp server is running as root before the authentication is complete, and it negotiates with the KDC to let a key from the host's keytab file serve as the decryption key. Kinit is run from an unprivileged user shell and is not setuid. (Simply making it setuid is not the answer, because then users could generate credentials as the host principal or peek at other users' credentials, with bad consequences.) The cryptocard response itself is not usable as an encryption key since it only has somewhere between 20 and 32 "bits of entropy".

> > Is there a CryptoCard equivalent for kinit that could be used for
> > the other cases ?
> >
> I think in the long run this will be necessary and it is obviously
> possible, because wrq can do that.

Say what?
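An added illustration, not code from the thread or from the Kerberos distribution, of the policy Dane suggests together with the keytab exception Steve raises: a wrapper check that lets keytab-based kinit run from anywhere but permits password-based kinit only from a terminal listed in a securetty-style file. The function name, the policy file and the sample terminal names are assumptions; as Matt notes, a check like this errs on the strict side, so a pty from a local xterm is refused along with every telnet session.

```shell
#!/bin/sh
# Added example: a policy check for a kinit wrapper, not part of the
# Kerberos distribution. Password-based kinit is only allowed from a
# terminal listed in a securetty-style file; keytab-based kinit (-k) is
# non-interactive, sends no password over the session, and is allowed
# from anywhere. All names here are assumptions made for illustration.

# kinit_allowed SECURETTY_FILE TTY [kinit arguments...]
# Returns 0 if the invocation may proceed, 1 if it should be refused.
kinit_allowed() {
    securetty=$1
    tty=$2
    shift 2

    # Keytab mode: no password is typed, so the question of whether the
    # session is encrypted does not arise.
    for arg in "$@"; do
        case "$arg" in
            -k) return 0 ;;
        esac
    done

    # Password mode: refuse when there is no controlling terminal at all
    # (for example a batch job that did not supply a keytab).
    case "$tty" in
        ""|"not a tty") return 1 ;;
    esac

    # Compare the device name without /dev/ against the allowed list,
    # one entry per line, whole-line match only.
    dev=${tty#/dev/}
    if [ -r "$securetty" ] && grep -qx -- "$dev" "$securetty"; then
        return 0
    fi
    # Network pseudo-terminals (pts/N, ttypN) never appear in the list,
    # so a telnet session of any kind, encrypted or not, lands here.
    return 1
}

# Stand-alone usage: consult the real terminal and a constructed policy
# file, then report whether kinit would be run or refused.
if [ "${KINIT_WRAPPER_DEMO:-}" = 1 ]; then
    policy=$(mktemp)
    printf 'console\ntty1\ntty2\n' > "$policy"   # constructed sample policy
    if kinit_allowed "$policy" "$(tty 2>/dev/null)" "$@"; then
        echo "kinit would run with arguments: $*"
    else
        echo "kinit refused: password entry is only permitted on a listed console" >&2
    fi
    rm -f "$policy"
fi
```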
From kreymer@fnal.gov Thu Apr 19 14:50:52 2001 -0500
Date: Thu, 19 Apr 2001 14:50:50 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: kinit
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov

On Thu, 19 Apr 2001, Matt Crawford wrote:
> > Is there a CryptoCard equivalent for kinit that could be used for
> > the other cases ?
>
> About a year ago I put that on my to-do list, and a couple of days
> afterward I crossed it off. It's a Hard Problem. Here's why:

Assuming there is telnet service on the local host, you can use the attached, which simply telnets to localhost, lets telnet make you a key, and copies it onto your current cache.

Marc

[Attachment: k5cryptocard ("cryptocard fun"), decoded from the base64 MIME part]

    #!/bin/sh

    # get uid
    eval `id | sed -e 's/(.*//'`

    # figure ticket cache
    if [ "x$KRB5CCNAME" = x ]
    then
        KRB5CCNAME=/tmp/krb5cc_$uid
    fi

    (
       read line
       echo $line
       sleep 1000 &
       pid=$!
       echo "cp \$KRB5CCNAME $KRB5CCNAME"
       echo "kdestroy"
       echo "echo xyzzy $pid xyzzy"
       echo "exit"
       wait $pid
    ) | (
        /usr/krb5/bin/telnet localhost
    ) |
        while read line
        do
            set : $line
            case $2 in
            Press)
                printf "$line\n"
                printf "Enter the displayed response: "
                ;;
            xyzzy)
                kill $3
                ;;
            esac
        done

From kreymer@fnal.gov Thu Apr 19 15:59:04 2001 -0500
Date: Thu, 19 Apr 2001 15:59:02 -0500
From: Matt Crawford
Subject: Re: kinit
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov

Ugly, but functional. However ...

    ... echo "cp \$KRB5CCNAME $KRB5CCNAME" ...

I suggest that you allow for the possibility that KRB5CCNAME may have the "TYPE:" prefix on it. For example, FILE:/tmp/krb5cc_foobie. Besides the obvious stripping of characters, there's another way to handle that, which I will probably be sorry I thought of:

    echo ln -s / FILE:
    echo "cp \$KRB5CCNAME $KRB5CCNAME"
    echo rm FILE:

From kreymer@fnal.gov Thu Apr 19 18:16:09 2001 -0500
Date: Thu, 19 Apr 2001 18:16:06 -0500 (CDT)
From: Dane Skow
Subject: Re: kinit
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

> > Is there a CryptoCard equivalent for kinit that could be used for
> > the other cases ?
> >
> I think in the long run this will be necessary and it is obviously
> possible, because wrq can do that. Ditto for kpasswd.

I wouldn't think we'd ever want to use even CryptoCard access to kpasswd. That should be local only always (after all, you're typing the new password, twice).

I don't understand the wrq comment either. What have you made WRQ do?

dane

From kreymer@fnal.gov Fri Apr 20 08:39:11 2001 -0500
Date: Fri, 20 Apr 2001 08:39:07 -0500 (CDT)
From: Steven Timm
Subject: Re: kinit
To: Dane Skow
Cc: kerberos-pilot@fnal.gov

On Thu, 19 Apr 2001, Dane Skow wrote:
> > > Is there a CryptoCard equivalent for kinit that could be used for
> > > the other cases ?
> > >
> > I think in the long run this will be necessary and it is obviously
> > possible, because wrq can do that. Ditto for kpasswd.
>
> I wouldn't think we'd ever want to use even CryptoCard access to
> kpasswd. That should be local only always (after all you're typing
> the new password, twice).
>
> I don't understand the wrq comment either. What have you made WRQ do ?
>
> dane

Maybe I don't understand what wrq is doing, then. But if I understand it correctly it does provide a way to do a kpasswd on a machine that isn't otherwise kerberized. Whether that is encrypted or not... who knows?

Steve

From kreymer@fnal.gov Fri Apr 20 09:06:26 2001 -0500
Date: Fri, 20 Apr 2001 09:06:23 -0500
From: Matt Crawford
Subject: Re: kinit
To: Steven Timm
Cc: kerberos-pilot@fnal.gov

> > > I think in the long run this will be necessary and it is obviously
> > > possible, because wrq can do that. Ditto for kpasswd.
> >
> > I don't understand the wrq comment either. What have you made WRQ do ?
>
> Maybe I don't understand what wrq is doing, then. But if I understand it
> correctly it does provide a way to do a kpasswd on a machine that isn't
> otherwise kerberized. Whether that is encrypted or not...who knows?

WRQ's password-changing function talks to the Kerberos admin server (on the master KDC) just like the Unix kpasswd command does. Well, not "just like", since it is using a different message format, but it does the same job in roughly the same manner.

And the answer to your final question is, I do. It is.
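An added example, not code from the thread, in the spirit of Joe Boyd's LSF report (jobs inheriting one shared KRB5CCNAME from the daemon's environment) and Matt's remark that KRB5CCNAME may carry a "TYPE:" prefix: a job-prologue check that strips an optional FILE: prefix, keeps the inherited cache only if the file exists and is owned by the calling uid, and otherwise names a fresh per-user cache so two users never end up on the same cache name. The function name and the fallback naming scheme are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread): decide which credential cache
# a job should use when KRB5CCNAME was inherited from a daemon's
# environment, as in the LSF report above. The function name and the
# fallback cache naming are assumptions made for this illustration.

# ccache_for_uid INHERITED_KRB5CCNAME UID
# Prints the KRB5CCNAME value to export. Exit status 0 means the inherited
# value was kept, 1 means it was replaced with a private per-user name.
ccache_for_uid() {
    inherited=$1
    uid=$2

    # Allow for the optional "TYPE:" prefix that Matt points out:
    # FILE:/tmp/krb5cc_foo and /tmp/krb5cc_foo name the same file.
    case "$inherited" in
        FILE:*) path=${inherited#FILE:} ;;
        *:*)    # Some other cache type (not a plain file): nothing to check here.
                printf '%s\n' "$inherited"
                return 0 ;;
        *)      path=$inherited ;;
    esac

    if [ -n "$path" ] && [ -f "$path" ]; then
        # Owner check: GNU stat first, BSD stat as a fallback.
        owner=$(stat -c %u "$path" 2>/dev/null || stat -f %u "$path" 2>/dev/null)
        if [ "$owner" = "$uid" ]; then
            printf 'FILE:%s\n' "$path"
            return 0
        fi
    fi

    # Missing, or owned by someone else (the shared-name symptom in the
    # report): leave that file alone and use a private name instead.
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$uid" "$$"
    return 1
}

# Stand-alone usage, as a job prologue might do it (kept as a comment so
# the file can be sourced without side effects):
#   KRB5CCNAME=$(ccache_for_uid "${KRB5CCNAME:-}" "$(id -u)" || true)
#   export KRB5CCNAME
```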
From kreymer@fnal.gov Fri Apr 20 11:39:04 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA14230 for ; Fri, 20 Apr 2001 11:39:03 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GC30003PNL2EM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 20 Apr 2001 11:39:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012C58B@listserv.fnal.gov>; Fri, 20 Apr 2001 11:39:03 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 169456 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 20 Apr 2001 11:39:03 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012C58A@listserv.fnal.gov>; Fri, 20 Apr 2001 11:39:03 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GC300M4LNL1QS@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 20 Apr 2001 11:39:02 -0500 (CDT) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f3KGd0305725; Fri, 20 Apr 2001 11:39:01 -0500 (CDT) Date: Fri, 20 Apr 2001 11:39:00 -0500 From: aheavey@fnal.gov Subject: online form to request kerberos principal Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov, cdf-sys@fnal.gov, wyatt@fnal.gov Cc: helpdesk@fnal.gov Reply-to: aheavey@fnal.gov Message-id: <200104201639.f3KGd0305725@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1191 The WWW group has created a form that we'd like to implement lab-wide for kerberos principal requests. 
Please direct users in your group or experiment to this form to request principals (user,host,ftp,root) and Cryptocards. WRQ requests continue to go through PC admins. http://www.fnal.gov/cd/forms/strongauth.html Thanks. -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Mon Apr 23 12:09:38 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA17420 for ; Mon, 23 Apr 2001 12:09:38 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GC900BN38ZVH6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 23 Apr 2001 12:09:37 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012E663@listserv.fnal.gov>; Mon, 23 Apr 2001 12:09:32 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 178696 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 23 Apr 2001 12:09:32 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0012E662@listserv.fnal.gov>; Mon, 23 Apr 2001 12:09:32 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GC900BO28ZRHX@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 23 Apr 2001 12:09:31 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <2LRRXJ7Z>; Mon, 23 Apr 2001 12:09:28 -0500 Content-return: allowed Date: Mon, 23 Apr 2001 12:09:15 -0500 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76156034@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service 
This reminder created on 4/23/01 12:03:58 PM

Ticket 16559 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : DANE
Last Name (+) : SKOW
Phone : 4730
E-Mail Address : DANE@FNAL.GOV
Incident Time : 2/7/01 5:02:09 PM
System Name : UNFERTH
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : expiring password and screensaver

Problem Description :
I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now? Planned? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Wed Apr 25 14:14:00 2001 -0500
Date: Wed, 25 Apr 2001 14:13:58 -0500 (CDT)
From: Liz Buckley-Geer
Subject: some questions
To: kerberos-pilot@fnal.gov

Hi,

I have been reading the manual in preparation for explaining strong authentication to my MINOS collaborators. I have a number of questions.

1.
in section 5.7 - logging in from off-site

section 5.7.2 states that "It is allowed for off-site machines to participate in the strengthened realm while still allowing other secure login methods, such as ssh, in place of or in addition to kerberos"

If the off-site machine only has regular ssh (non-kerberized) and tries to ssh to a machine in the strengthened realm what happens? Does the machine respond in portal mode? What happens if the off-site machine has kerberized ssh and connects using ssh to the FNAL machine?

2. What constitutes an unencrypted connection? For example, let us say that user Y only has an X-terminal on their desk. They login to a fnal machine using their cryptocard. What do they do if they need to do something that requires them to type their password - such as change it? I assume this constitutes an unencrypted connection. Does the same apply to a PC that is unstrengthened also? Do you have to have access to some other machine that is secure that you can use if you need to do things that require typing a password?

3. I was planning to hand out cryptocards for those in MINOS that need them at our meeting in June in Ely, Minnesota (MINOS people do not come to FNAL as often as people on D0 and CDF). However once they get their principal they will need to login somewhere and change their passwords. Our SGI minos1 will not be converted until September (at least that is the current schedule I got from Dane). Will fnalu be kerberized on this timescale so that they can use those machines? I wanted to make sure that people are all set up before minos1 gets switched.

4. MINOS does not use ups/upd for its software installation - much to my chagrin. How hard is it to take the ups tar files that we have but not use ups to install them? I am visualizing the reaction of some of my colleagues in the software group when I tell them that in order to install kerberos they must first install ups/upd!

5.
As you kerberize the various machines such as MINOS1 are you now making the kerberized login program the default?

6. We are currently using ssh to connect to our cvs repository. We are not using cvsh. If we are running kerberized ssh here at fnal and a remote site wants to connect to the repository using regular ssh I assume that doesn't work because it would want to exchange public/private keys?

7. I am currently typing a mail to send to minos collaborators - sort of "a warning shot across the bows" type of thing. I would like to make sure that I don't have any errors before I send it so I would like to send it to this list and ask a few folks to look it over for me.

I think that is all for now.

Thanks
Liz

From kreymer@fnal.gov Wed Apr 25 15:15:26 2001 -0500
Date: Wed, 25 Apr 2001 15:15:22 -0500 (CDT)
From: "Marc W.
  Mengel"
Subject: Re: some questions
To: Liz Buckley-Geer
Cc: kerberos-pilot@fnal.gov

On Wed, 25 Apr 2001, Liz Buckley-Geer wrote:

> 1. in section 5.7 - logging in from off-site
> section 5.7.2 states that "It is allowed for off-site machines to
> participate in the strengthened realm while still allowing other secure
> login methods, such as ssh, in place of or in addition to kerberos"
>
> If the off-site machine only has regular ssh (non-kerberized) and tries to
> ssh to a machine in the strengthened realm what happens? Does the machine
> respond in portal mode? What happens if the off-site machine has
> kerberized ssh and connects using ssh to the FNAL machine?

The onsite machine will respond to a non-kerberized ssh request in portal mode. If the off-site machine has kerberized ssh, you are allowed in via your kerberos tickets (assuming you have some).

> 2. What constitutes an unencrypted connection? For example, let us say
> that user Y only has an X-terminal on their desk. They login to a fnal
> machine using their cryptocard. What do they do if they need to do
> something that requires them to type their password - such as change it. I
> assume this constitutes an unencrypted connection. Does the same apply to
> a PC that is unstrengthened also? Do you have to have access to some other
> machine that is secure that you can use if you need to do things that
> require typing a password?

An ssh connection from a PC is an encrypted connection, and there are numerous ssh implementations available, so PC users can generally get an encrypted connection to do things like this.

For X terminals (i.e. NCD or Tektronix X terminals) you are unable under the rules to change or otherwise use your kerberos password from that terminal.
We do hope to have a recommendation for an inexpensive X Terminal replacement, which will be able to run Kerberos utilities locally, by mid-summer.

> 3. I was planning to hand out cryptocards for those in MINOS that need
> them at our meeting in June in Ely Minnesota (MINOS people do not come to
> FNAL as often as people on D0 and CDF). However once they get their
> principal they will need to login somewhere and change their passwords.
> Our SGI minos1 will not be converted until September (at least that is
> the current schedule I got from Dane). Will fnalu be kerberized on this
> timescale so that they can use those machines. I wanted to make sure that
> people are all setup before minos1 gets switched.

You can "upd install" the kerberos software without doing the "ups install" actions, and users can "setup kerberos" and update their password on that system (assuming they are either directly connected, or on an encrypted connection). You may also be able to take along one of our X Terminal replacements to let them change their password at the meeting.

> 4. MINOS does not use ups/upd for its software installation - much to my
> chagrin. How hard is it to take the ups tar files that we have but not use
> ups to install them. I am visualizing the reaction of some of my
> colleagues in the software group when I tell them that in order to install
> kerberos they must first install ups/upd!

We greatly prefer ups/upd as the mechanism, even if only as a temporary install. For Linux machines, folks are building RPM files. It should certainly be possible to make the non-ups installation easier; but so far we have managed to avoid making it a requirement. Feedback on what sort of configurations would need to be supported would be worthwhile (i.e. onsite/offsite-with-ssh, etc.). And of course volunteers to help document and test such a procedure would be welcome.
However, there are already 4 distinct ups products that go along with kerberos for a full install, plus the kerberized-ssh for a total of 5, and each has its own separate install actions, etc. so it is likely to be at least somewhat involved for a full install. Instead we probably want to document how to get "just enough" of the kerberos related tools to use Fermilab systems from offsite.

> 5. As you kerberize the various machines such as MINOS1 are you now making
> the kerberized login program the default?

Wherever possible, yes. There are currently stumbling blocks with the graphical login utilities on several platforms.

> 6. We are currently using ssh to connect to our cvs repository. We are not
> using cvsh. If we are running kerberized ssh here at fnal and a remote
> site wants to connect to the repository using regular ssh I assume that
> doesn't work because it would want to exchange public/private keys?

We believe we can make an exception for RSA key based ssh access to CVS repositories; but we will certainly require some sort of restricted login shell (like cvsh) for that cvs repository access; otherwise any of those folks can login as the cvs repository account via ssh, and that would not be permitted in the on-site strong auth. realm.

This would need to be done as a separate ssh service run on a separate port or IP address, which did an "AllowUsers cvsuser; RSAAuthentication" in its config file. That is to say, RSAAuthentication would be allowed, but only the cvsuser account which has a restricted, only-run-cvs-server login shell would be allowed in.

If you also want regular ssh access to the system, then either the ssh cvs access or the ssh login access would need to run on an alternate port, and would be reached via "ssh -p port host"; or run on an alternate IP address, with ListenAddress in the config files of the two sshd's, and users would use one IP address for regular login, and the other for ssh/cvs access.

> 7.
> I am currently typing a mail to send to minos collaborators - sort of
> "a warning shot across the bows" type of thing. I would like to make sure
> that I don't have any errors before I send it so I would like to send it
> to this list and ask a few folks to look it over for me.

I suspect you can count on this list for comments :-).

Marc

From kreymer@fnal.gov Wed Apr 25 15:27:14 2001 -0500
Date: Wed, 25 Apr 2001 15:27:12 -0500 (CDT)
From: Liz Buckley-Geer
Subject: Re: some questions
To: "Marc W.
  Mengel"
Cc: kerberos-pilot@fnal.gov

> > 2. What constitutes an unencrypted connection? For example, let us say
> > that user Y only has an X-terminal on their desk. They login to a fnal
> > machine using their cryptocard. What do they do if they need to do
> > something that requires them to type their password - such as change it. I
> > assume this constitutes an unencrypted connection. Does the same apply to
> > a PC that is unstrengthened also? Do you have to have access to some other
> > machine that is secure that you can use if you need to do things that
> > require typing a password?
>
> An ssh connection from a PC is an encrypted connection, and there are
> numerous ssh implementations available, so PC users can generally get an
> encrypted connection to do things like this.

So for example say I login at the console of my unstrengthened PC and use my cryptocard to connect to fcdfsgi2. Now I want to change my kerberos password. What should I do to prevent transmitting anything as clear text?

> For X terminals (i.e. NCD or Tektronix X terminals) you are unable under
> the rules to change or otherwise use your kerberos password from that
> terminal. We do hope to have a recommendation for an inexpensive X
> Terminal replacement, which will be able to run Kerberos utilities
> locally, by mid-summer.

How is the pilot by the way? I notice that I got put on some mailing list the other day so I wondered if that meant machines were here.

> > 3. I was planning to hand out cryptocards for those in MINOS that need
> > them at our meeting in June in Ely Minnesota (MINOS people do not come to
> > FNAL as often as people on D0 and CDF). However once they get their
> > principal they will need to login somewhere and change their passwords.
> > Our SGI minos1 will not be converted until September (at least that is
> > the current schedule I got from Dane). Will fnalu be kerberized on this
> > timescale so that they can use those machines. I wanted to make sure that
> > people are all setup before minos1 gets switched.
>
> You can "upd install" the kerberos software without doing the
> "ups install" actions, and users can "setup kerberos" and update their
> password on that system (assuming they are either directly connected,
> or on an encrypted connection). You may also be able to take along
> one of our X Terminal replacements to let them change their password
> at the meeting.

That might be a possibility - there are monitors in the community college where we meet. I assume a laptop with kerberos on would also work?

> > 6. We are currently using ssh to connect to our cvs repository. We are not
> > using cvsh. If we are running kerberized ssh here at fnal and a remote
> > site wants to connect to the repository using regular ssh I assume that
> > doesn't work because it would want to exchange public/private keys?
>
> We believe we can make an exception for RSA key based ssh access to CVS
> repositories; but we will certainly require some sort of restricted
> login shell (like cvsh) for that cvs repository access; otherwise
> any of those folks can login as the cvs repository account via ssh, and
> that would not be permitted in the on-site strong auth. realm.

We have tried cvsh but backed off for some reason that I forget. However we will have to make the switch if that is what is needed.
> Marc
>

Thanks
Liz

From kreymer@fnal.gov Wed Apr 25 15:32:58 2001 -0500
Date: Wed, 25 Apr 2001 15:32:56 -0500 (CDT)
From: Tim Zingelman
Subject: kerberos from 'unknown' machines...
To: kerberos-pilot@fnal.gov

I just loaded fermi kerberos onto a machine that does not have a host principal, and was able to kinit and then log into our kerberized machines from it.

I am a little confused...
does this mean that any machine can authenticate users to the PILOT.FNAL.GOV KDC without having a host principal? If so, I'm not clear on how this is any better than plain ssh.

Can anyone explain what I'm missing? Thanks.

- Tim

From kreymer@fnal.gov Wed Apr 25 15:35:41 2001 -0500
Date: Wed, 25 Apr 2001 15:35:38 -0500 (CDT)
From: Steven Timm
Subject: Re: kerberos from 'unknown' machines...
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov

The host/ftp principal is only if you want to offer services on your machine. It's only for inbound services that it is needed. Outbound is fine without it. Or so I understand.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 25 Apr 2001, Tim Zingelman wrote:

> I just loaded fermi kerberos onto a machine that does not have a host
> principal, and was able to kinit and then log into our kerberized machines
> from it.
>
> I am a little confused... does this mean that any machine can
> authenticate users to the PILOT.FNAL.GOV KDC without having a host
> principal? If so, I'm not clear on how this is any better than plain ssh.
>
> Can anyone explain what I'm missing? Thanks.
>
> - Tim
>

From kreymer@fnal.gov Wed Apr 25 15:37:50 2001 -0500
Date: Wed, 25 Apr 2001 15:37:47 -0500
From: Anne Heavey
Subject: Re: kerberos from 'unknown' machines...
In-reply-to: "Your message of Wed, 25 Apr 2001 15:32:56 CDT."
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov, aheavey@fsui02.fnal.gov
Message-id: <200104252037.f3PKblr07720@fsui02.fnal.gov>

> I just loaded fermi kerberos onto a machine that does not have a host
> principal, and was able to kinit and then log into our kerberized machines
> from it.
>
> I am a little confused... does this mean that any machine can
> authenticate users to the PILOT.FNAL.GOV KDC without having a host
> principal? If so, I'm not clear on how this is any better than plain ssh.
>
> Can anyone explain what I'm missing? Thanks.
>
> - Tim

The host principal allows INCOMING connections, not outgoing ones.

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Wed Apr 25 15:40:28 2001 -0500
Date: Wed, 25 Apr 2001 15:40:26 -0500 (CDT)
From: Steven Timm
Subject: Re: some questions
To: Liz Buckley-Geer
Cc: "Marc W.
  Mengel", kerberos-pilot@fnal.gov

On Wed, 25 Apr 2001, Liz Buckley-Geer wrote:

> > > 2. What constitutes an unencrypted connection? For example, let us say
> > > that user Y only has an X-terminal on their desk. They login to a fnal
> > > machine using their cryptocard. What do they do if they need to do
> > > something that requires them to type their password - such as change it. I
> > > assume this constitutes an unencrypted connection. Does the same apply to
> > > a PC that is unstrengthened also? Do you have to have access to some other
> > > machine that is secure that you can use if you need to do things that
> > > require typing a password?
> >
> > An ssh connection from a PC is an encrypted connection, and there are
> > numerous ssh implementations available, so PC users can generally get an
> > encrypted connection to do things like this.
>
> So for example say I login at the console of my unstrengthened PC and use
> my cryptocard to connect to fcdfsgi2. Now I want to change my kerberos
> password. What should I do to prevent transmitting anything as clear text?

I believe what Marc is saying here is that such people should find a pc-version of ssh and then connect to a Fermi machine which will respond to the ssh request in portal mode. Then on the encrypted ssh connection you can do kpasswd. You should never do this over a cryptocard Telnet connection. Or so I understand.
Steve Timm

From kreymer@fnal.gov Wed Apr 25 15:49:51 2001 -0500
Date: Wed, 25 Apr 2001 15:49:48 -0500
From: Matt Crawford
Subject: Re: kerberos from 'unknown' machines...
In-reply-to: "25 Apr 2001 15:32:56 CDT."
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200104252049.PAA19920@gungnir.fnal.gov>

> I just loaded fermi kerberos onto a machine that does not have a host
> principal, and was able to kinit and then log into our kerberized machines
> from it.
>
> I am a little confused...
> does this mean that any machine can
> authenticate users to the PILOT.FNAL.GOV KDC without having a host
> principal? If so, I'm not clear on how this is any better than plain ssh.
>
> Can anyone explain what I'm missing? Thanks.

The host principals are only for offering services. They do not help to identify a user on the host in any way.

Kerberos authentication never involves the DNS name, IP address or other identity of the host where the client is located[*]. When you set Kerberos access controls, it's always done by username@REALM, with no reference to a source host.

The ssh host key is needed (in *some* authentication modes) because without tying your authentication to a host, there's no unambiguous meaning to a name like "zingelman". In Kerberos, the realm name is the added identifier.

Matt

* Except indirectly if there's a list of addresses embedded in the ticket -- but a client can ask the KDC to change that list at will, so it's not authentication of the client, just a partial protection against credential theft.
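The access-control rule Matt describes, written out as an added example that is not part of this thread or of the Fermilab kerberos product. It models the decision a kerberized login service makes after a service ticket has proved the client's principal: may principal P use local account A? The inputs are the principal (username@REALM) and the account's ~/.k5login; the client's hostname or IP address is not an input to that decision at all, which is Matt's point. The kuserok semantics follow MIT krb5 (a .k5login, when present, is authoritative; without one, only user@default-realm maps to the same-named local account). Refusing host/ and ftp/ service principals outright, and skipping blank .k5login lines, are choices of this example. The realm name PILOT.FNAL.GOV is taken from the thread; the account names, .k5login contents and addresses are constructed sample data. The last function carries the footnote's address list through as a separate, weaker check.

```python
"""Kerberos-style login authorization with no source-host input.

Added example (not thread or Fermilab code): who-may-log-in is decided from
the ticket's principal and the target account's .k5login only. The address
list check at the bottom is the footnote's partial theft protection, kept
separate from identity. Sample realms, accounts and addresses are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional

DEFAULT_REALM = "PILOT.FNAL.GOV"   # realm name taken from the thread


@dataclass(frozen=True)
class Principal:
    name: str       # "zingelman" for a person; "host" or "ftp" for a service
    instance: str   # "" for a person; the machine's FQDN for a service principal
    realm: str

    @property
    def is_service(self) -> bool:
        # host/ and ftp/ principals exist so a machine can *offer* services;
        # they never stand for a person (an assumption this example enforces).
        return self.instance != ""


def parse_principal(text: str) -> Principal:
    """Parse 'name[/instance]@REALM'. The realm is required: a bare
    'zingelman' is ambiguous, and the realm is what makes the name unique."""
    if text.count("@") != 1:
        raise ValueError(f"expected exactly one '@' in {text!r}")
    local, realm = text.split("@")
    if not local or not realm:
        raise ValueError(f"empty component in {text!r}")
    name, _, instance = local.partition("/")
    return Principal(name, instance, realm)


def kuserok(principal: Principal, account: str,
            k5login: Optional[str], default_realm: str = DEFAULT_REALM) -> bool:
    """True if `principal` may log in as local `account`.

    `k5login` is the text of the account's ~/.k5login, or None when the file
    does not exist. Blank lines are skipped as a convenience of this example.
    """
    if principal.is_service:
        return False
    if k5login is None:
        # No .k5login: only the same user name in the *default* realm maps to
        # the account. zingelman@OTHER.EXAMPLE is a different identity.
        return principal.name == account and principal.realm == default_realm
    wanted = f"{principal.name}@{principal.realm}"
    return any(line.strip() == wanted
               for line in k5login.splitlines() if line.strip())


def ticket_address_ok(ticket_addresses: FrozenSet[str], peer_address: str) -> bool:
    """The footnote's partial protection: when a ticket carries an address
    list, the service refuses a request arriving from an address not on it.
    An empty list models an addressless ticket, which any peer may present."""
    return not ticket_addresses or peer_address in ticket_addresses


def authorize_login(ticket_principal: str, account: str, k5login: Optional[str],
                    ticket_addresses: FrozenSet[str], peer_address: str) -> bool:
    """Combine both checks. peer_address feeds only the address-list check;
    it plays no part in deciding *who* the client is."""
    principal = parse_principal(ticket_principal)
    return (ticket_address_ok(ticket_addresses, peer_address)
            and kuserok(principal, account, k5login))


if __name__ == "__main__":
    # Constructed sample: a shared repository account that admits two people.
    cvs_k5login = "buckley@PILOT.FNAL.GOV\nmengel@PILOT.FNAL.GOV\n"
    print(authorize_login("buckley@PILOT.FNAL.GOV", "cvsuser", cvs_k5login,
                          frozenset(), "131.225.52.156"))       # True
    print(authorize_login("zingelman@OTHER.EXAMPLE", "zingelman", None,
                          frozenset(), "131.225.121.207"))      # False: wrong realm
    print(authorize_login("host/nova.fnal.gov@PILOT.FNAL.GOV", "root", None,
                          frozenset(), "131.225.121.207"))      # False: service principal
```

Note that the second call fails even though the user name matches the account: without a .k5login entry naming the foreign realm explicitly, a same-named principal from another realm is simply a different identity, which is the ambiguity Matt says the realm resolves.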
From kreymer@fnal.gov Wed Apr 25 17:31:47 2001 -0500
Date: Wed, 25 Apr 2001 17:31:42 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: some questions
To: Liz Buckley-Geer
Cc: kerberos-pilot@fnal.gov

On Wed, 25 Apr 2001, Liz Buckley-Geer wrote:

> So for example say I login at the console of my unstrengthened PC and use
> my cryptocard to connect to fcdfsgi2. Now I want to change my kerberos
> password. What should I do to prevent transmitting anything as clear text?

Install some version of ssh on your PC, and use it to login to fcdfsgi2.

> How is the pilot by the way?
I notice that I got put on some mailing list > the other day so I wondered if that meant machines were here. You should stop by and see Connie for a CD and pick up the unit at Prep. > > That might be a possibility - there are monitors in the community college > where we meet. I assume a laptop with kerberos on would also work? Yes. > We have tried cvsh but backed off for some reason that I forget. However > we will have to make the switch if that is what is needed. The other option is to go straight 'cvs pserver', which Lynn Garren for example has done for BTEV. It isn't the most secure system in the world, but for the most part if someone checks in an evil change to your CVS repository, you can check in the undo of it, too. And you can put tcpwrapper stuff around the cvs pserver setup, so you can hostname restrict access, etc. Marc From kreymer@fnal.gov Wed Apr 25 18:21:40 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA09648 for ; Wed, 25 Apr 2001 18:21:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCD00EIOFK3H8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 25 Apr 2001 18:21:39 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013136C@listserv.fnal.gov>; Wed, 25 Apr 2001 18:21:39 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 191062 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 25 Apr 2001 18:21:39 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013136B@listserv.fnal.gov>; Wed, 25 Apr 2001 18:21:39 -0500 Received: from buckleypc.fnal.gov ([131.225.52.156]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCD00H71FK2LF@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT 
kerberos-pilot@fnal.gov); Wed, 25 Apr 2001 18:21:38 -0500 (CDT) Received: from localhost (buckley@localhost) by buckleypc.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA18116 for ; Wed, 25 Apr 2001 18:21:38 -0500 Date: Wed, 25 Apr 2001 18:21:38 -0500 (CDT) From: Liz Buckley-Geer Subject: could you please correct my errors Sender: owner-kerberos-pilot@listserv.fnal.gov To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: MULTIPART/MIXED; BOUNDARY="-511468492-1231333727-988240898=:17848" X-Authentication-warning: buckleypc.fnal.gov: buckley owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1202 This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. ---511468492-1231333727-988240898=:17848 Content-Type: TEXT/PLAIN; charset=US-ASCII Hi all, as promised attached is the mail that I plan to send to minos collaborators. Could a few of you look it over and correct any errors that I may have made. 
Thanks Liz ---511468492-1231333727-988240898=:17848 Content-Type: TEXT/PLAIN; charset=US-ASCII; name="strong_auth.txt" Content-Transfer-Encoding: BASE64 Content-ID: Content-Description: mail message for minos collaborators Content-Disposition: attachment; filename="strong_auth.txt" RGVhciBDb2xsYWJvcmF0b3IsDQoNCk1hbnkgb2YgeW91IG1heSBiZSBhd2Fy ZSB0aGF0IEZlcm1pbGFiIGlzIGluIHRoZSBwcm9jZXNzIG9mDQppbXBsZW1l bnRpbmcgbmV3IG1ldGhvZHMgZm9yIHVzZXJzIHRvIGFjY2VzcyB0aGUgY29t cHV0ZXJzIGF0IHRoZSBGTkFMDQpzaXRlLiBUaGlzIGlzIHJlZmVycmVkIHRv IGFzICJTdHJvbmcgQXV0aGVudGljYXRpb24iLg0KDQpJIHF1b3RlIGZyb20g dGhlICJTdHJvbmcgQXV0aGVudGljYXRpb24gYXQgRmVybWlsYWIiIHVzZXIg bWFudWFsOg0KDQoiQW4gYW5hbHlzaXMgb2YgdGhlIG1ham9yIGNvbXB1dGVy IHNlY3VyaXR5IGluY2lkZW50cyBhdCBGZXJtaWxhYiBvdmVyDQp0aGUgcGFz dCBjb3VwbGUgb2YgeWVhcnMsIGFzIHdlbGwgYXMgdGhlIGdlbmVyYWwgc2Vu c2Ugb2Ygc2VjdXJpdHkNCmluY2lkZW50cyBwcmlvciB0byB0aGF0LCBzaG93 cyB0aGF0IGEgY29tbW9uIHJvb3QgY2F1c2Ugb2YNCnRoZXNlIGluY2lkZW50 cyBpcyB0aGUgY29tcHJvbWlzZSBvZiB1c2VyIHBhc3N3b3JkcyBieSB0aGVp cg0KdHJhbnNtaXNzaW9uIGluIGNsZWFyIHRleHQgb3ZlciB0aGUgbmV0d29y ay4gT25jZSBpbnRlcmNlcHRlZCxwYXNzd29yZHMgY2FuIGJlDQpyZS11c2Vk IHRvIGdhaW4gdW5hdXRob3JpemVkIGFjY2VzcyB0byB0aGUgZGVzdGluYXRp b24NCnN5c3RlbS4gRnVydGhlciwgd2l0aCAgdXNlciBhY2Nlc3MgdG8gYSBj b21wcm9taXNlZCBzeXN0ZW0sIGhhY2tlcnMNCmNhbiBmYWlybHkgZWFzaWx5 IGdhaW4gcHJpdmlsZWdlZCByb290IGFjY2Vzcy4gSW4NCm9yZGVyIHRvIHBy b3RlY3QgYWdhaW5zdCB1bmF1dGhvcml6ZWQgYWNjZXNzIHRvIEZlcm1pbGFi IGNvbXB1dGVycywNCnRoZSAgQ29tcHV0aW5nIERpdmlzaW9uIGlzIGltcGxl bWVudGluZyB0aGUgS2VyYmVyb3MgTmV0d29yaw0KQXV0aGVudGljYXRpb24g IFNlcnZpY2UgVjUgdG8gcHJvdmlkZSB3aGF0IGlzIGtub3duIGFzIHN0cm9u Zw0KYXV0aGVudGljYXRpb24gb3ZlciB0aGUgbmV0d29yay4iIA0KDQpUaGUg cHVycG9zZSBvZiB0aGlzIG1haWwgaXMgdG8gc3VtbWFyaXplIHRoZSBwbGFu IGFuZCBleHBsYWluIHdoYXQgYWxsDQp0aGlzIG1lYW5zIGZvciBNSU5PUyBj b2xsYWJvcmF0b3JzIGFuZCB3aGF0IHlvdSB3aWxsIG5lZWQgdG8gZG8gdG8g YmUNCnByZXBhcmVkLiBJZiB5b3UNCmhhdmUgcXVlc3Rpb25zIHBsZWFzZSBz ZW5kIG1haWwgdG8gYnVja2xleUBmbmFsLmdvdi4gUGxlYXNlIHVuZGVyc3Rh 
bmQNCnRoYXQgdGhpcyBpcyBhIGxhYiBtYW5kYXRlZCBjaGFuZ2UuIEluIG90 aGVyIHdvcmRzICJkb24ndCBzaG9vdCBtZSBJJ20NCm9ubHkgdGhlIG1lc3Nl bmdlciIuIEkgYXBvbG9naXplIGZvciB0aGUgbGVuZ3RoIG9mIHRoaXMgbWFp bC4gDQoNClRoZSBpbmZvcm1hdGlvbiBoZXJlIGFwcGxpZXMgdG8gYWNjZXNz IHRvIGNvbXB1dGVycyBhdCB0aGUgRmVybWlsYWIgc2l0ZQ0KYW5kIEFMU08g YXQgU291ZGFuLiBXZSBoYXZlIGRlY2lkZWQgdGhhdCB0aGUgbmV0d29yayBh dCBTb3VkYW4gd2lsbA0KYmUgcGFydCBvZiB0aGUgRk5BTCBMQU4gd2hpY2gg bWVhbnMgdGhhdCB0aGUgRk5BTCBydWxlcyBhYm91dCBjb21wdXRlcg0KYWNj ZXNzIGFwcGx5IGF0IFNvdWRhbi4gU28gYWxsIHBsYWNlcyB3aGVyZSBGTkFM IGlzIG1lbnRpb25lZCB5b3UNCnNob3VsZCB0YWtlIHRoYXQgdG8gbWVhbiBG TkFMIGFuZCBTb3VkYW4uDQoNClRoZSBjdXJyZW50IHBsYW4gcmVxdWlyZXMg dGhhdCB0aGUgc3Ryb25nIGF1dGhlbnRpY2F0aW9uIGJlIGZ1bGx5DQpkZXBs b3llZCBhdCBGTkFMIGJ5IHRoZSBlbmQgb2YgY2FsZW5kYXIgMjAwMS4gVGhl IGN1cnJlbnQgc2NoZWR1bGUNCnJlcXVpcmVzIG1pbm9zMSAob3VyIEZOQUwg bWFjaGluZSkgYW5kIGZuYWx1IHRvIGJlIGNvbnZlcnRlZCBkdXJpbmcNClNl cHRlbWJlci4gTWFjaGluZXMgYXQgU291ZGFuIG11c3QgYWxzbyBiZSBkb25l IGJ5IHRoaXMgZGVhZGxpbmUuDQoNCk1vcmUgZGV0YWlsIG9uIHRoZSBwbGFu IGFuZCBpbXBsZW1lbnRhdGlvbiBjYW4gYmUgZm91bmQgYXQgDQpodHRwOi8v d3d3LmZuYWwuZ292L2RvY3Mvc3Ryb25nYXV0aC8NCg0KDQpUaGUgQXV0aGVu dGljYXRpb24gTW9kZWwgYXQgRk5BTCAtIG1vc3RseSBjb3BpZWQgZnJvbSB0 aGUgbWFudWFsLg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0N ClRoZSBzdHJvbmcgYXV0aGVudGljYXRpb24gc2VydmljZSBpbXBsZW1lbnRl ZCBhdCBGZXJtaWxhYiBpcyB0aGUNCktlcmJlcm9zIE5ldHdvcmsgQXV0aGVu dGljYXRpb24gU2VydmljZSBWNS4gDQoNClRoZSBSZWFsbXMNCi0tLS0tLS0t LS0NClRoZSBtb2RlbCBlbXBsb3llZCBhdCBGZXJtaWxhYiBkaXZpZGVzIHRo ZSBjb21wdXRpbmcgZW52aXJvbm1lbnQgaW50bw0KdGhyZWUgIHJlYWxtczog DQogICAgIA0KVGhlIHN0cmVuZ3RoZW5lZCByZWFsbSANCiAgICAgICAgIFRo ZSBzdHJlbmd0aGVuZWQgcmVhbG0gY29uc2lzdHMgb2YgYWxsIHN5c3RlbXMg KHdoZXRoZXIgb24tDQpvciBvZmYtc2l0ZSkgdGhhdCByZXF1aXJlIHN0cm9u ZyBhdXRoZW50aWNhdGlvbiBmb3IgYWNjZXNzIGZyb20gdGhlDQpuZXR3b3Jr LiBPbiBhIHN0cmVuZ3RoZW5lZCBzeXN0ZW0sIGFsbCB0cmFkaXRpb25hbCBt ZWFucyBvZiBhY2Nlc3MNCnRoYXQgdXNlIHdlYWsgYXV0aGVudGljYXRpb24s 
IHN1Y2ggYXMgdGVsbmV0LCBybG9naW4sIEZUUCwgYW5kIHNvIG9uLA0KYXJl ICByZXBsYWNlZCB3aXRoIHN0cmVuZ3RoZW5lZCB2ZXJzaW9ucyBvZiB0aGVz ZSBwcm9ncmFtcy4NCiAgICAgICAgIE1lYW5zIG9mIGFjY2VzcyBvdmVyIHRo ZSBuZXR3b3JrIHRoYXQgZG8gbm90IGludm9sdmUNCnBhc3N3b3JkcyBhcmUg YWxsb3dlZC4gV2VhayBhdXRoZW50aWNhdGlvbiAoc3RhbmRhcmQgc2VjdXJp dHkpIGlzDQphbGxvd2VkIGZvciBsb2NhbCBhY2Nlc3MgIG9ubHksIGkuZS4s IHZpYSB0aGUgY29uc29sZSBvciBsb2NhbGx5DQphdHRhY2hlZCAgZGlzcGxh eS4gDQoNClRoZSB0cnVzdGVkIHJlYWxtIA0KICAgICAgICAgT3RoZXIgc2l0 ZXMgd2hpY2ggaW1wbGVtZW50IHN0cm9uZyBhdXRoZW50aWNhdGlvbiwgYW5k IHdoaWNoDQptZWV0ICBjZXJ0YWluIGNyaXRlcmlhLCBtYXkgYmUgcmVjb2du aXplZCBieSB0aGUgc3RyZW5ndGhlbmVkIHJlYWxtIGF0DQpGZXJtaWxhYiBh cyBhICJ0cnVzdGVkIiByZWFsbS4NCiAgICAgICAgIFRydXN0ZWQgcmVhbG1z IHByb3ZpZGUgbGV2ZWxzIG9mIHNlY3VyaXR5IGFuZCBhdXRoZW50aWNhdGlv bg0KZXF1aXZhbGVudCB0byBvdXIgb3duLiBUcnVzdCByZWxhdGlvbnMgKGNy b3NzLWF1dGhlbnRpY2F0aW9uKSBiZXR3ZWVuDQp0aGUgdHJ1c3RlZCByZWFs bSBhbmQgdGhlIHN0cmVuZ3RoZW5lZCByZWFsbSBhbGxvdyBhY2Nlc3Mgd2l0 aG91dCBmdXJ0aGVyDQphdXRoZW50aWNhdGlvbiAoaS5lLiwgdGhlIGF1dGhl bnRpY2F0aW9uIHRha2VzIHBsYWNlIG9ubHkgd2hlbiB1c2VyDQphY2Nlc3Nl cyBlaXRoZXIgcmVhbG0gaW5kaXZpZHVhbGx5KS4gLSBGb3IgZXhhbXBsZSBp ZiBSQUwgZGVjaWRlZCB0bw0KaW1wbGVtZW50IGl0cyBvd24gdmVyc2lvbiBv ZiBzdHJvbmcgYXV0aGVudGljYXRpb24gYW5kIEZOQUwgd2FzIGhhcHB5DQp0 aGF0IGl0IHdhcyBzZWN1cmUgdGhlbiBSQUwgd291bGQgYmVjb21lIGEgInRy dXN0ZWQgcmVhbG0iLg0KDQpUaGUgdW50cnVzdGVkIHJlYWxtIA0KICAgICAg ICAgVGhlIHVudHJ1c3RlZCByZWFsbSBjb25zaXN0cyBvZiB0aG9zZSBzeXN0 ZW1zIHRoYXQgZG8gbm90DQpyZXF1aXJlIHN0cm9uZyBhdXRoZW50aWNhdGlv biBhbmQgdGhhdCBwZXJtaXQgdHJhZGl0aW9uYWwgbWVhbnMgb2YNCmFjY2Vz cy4gIFRoZXNlIHN5c3RlbXMgdHlwaWNhbGx5IGV4cG9zZSBjbGVhci10ZXh0 IHBhc3N3b3JkcyBvbiB0aGUNCm5ldHdvcmsuIEFuIGV4YW1wbGUgd291bGQg YmUgYW4gWC10ZXJtaW5hbCBvciBhIGR1bWIgYXNjaWkgdGVybWluYWwuDQoN Cg0KRGlyZWN0IGNvbm5lY3Rpb25zIGZyb20gdGhlIHVudHJ1c3RlZCB0byB0 aGUgc3RyZW5ndGhlbmVkIHJlYWxtLCBhcmUNCm5vdCBhbGxvd2VkLiBBdCBG ZXJtaWxhYiwgc3RyZW5ndGhlbmVkIG1hY2hpbmVzIGFyZSBjb25maWd1cmVk 
IHRvDQpyZXNwb25kIGluIHBvcnRhbCBtb2RlIHdoZW4gcmVxdWVzdHMgZm9y IGFjY2VzcyBjb21lIGZyb20gbWFjaGluZXMgaW4NCmVpdGhlciB0aGUgdW50 cnVzdGVkIHJlYWxtIG9yIGEgKGRpZmZlcmVudCkgdHJ1c3RlZCByZWFsbS4g SW4gcG9ydGFsDQptb2RlLCB0aGUgc3RyZW5ndGhlbmVkIG1hY2hpbmUgYWN0 cyBhcyBhIHNlY3VyZSBnYXRld2F5IGludG8gdGhlDQpzdHJlbmd0aGVuZWQg cmVhbG0sIHJlcXVpcmluZyBhIHNpbmdsZS11c2UgcGFzc3dvcmQgZm9yDQph dXRoZW50aWNhdGlvbi4gVGhpcyBhdm9pZHMgdHJhbnNtaXNzaW9uIG9mIHJl dXNhYmxlIGNsZWFyLXRleHQNCnBhc3N3b3JkcyBvdmVyIGEgcG90ZW50aWFs bHkgdW5wcm90ZWN0ZWQgbmV0d29yay4gDQogICAgIA0KRGlmZmVyZW50IHBy b2dyYW1zIGV4aXN0IGZvciBnZW5lcmF0aW5nIG5vbi1yZXVzYWJsZSBwYXNz d29yZHMsIGFuZCBhdA0KRmVybWlsYWIgd2UgY3VycmVudGx5IHN1cHBvcnQg Q1JZUFRPQ2FyZC4gQSBDUllQVE9DYXJkIGlzIGENCmNhbGN1bGF0b3Itc3R5 bGUsIGJhdHRlcnktcG93ZXJlZCB0b2tlbiB0aGF0IG11c3QgYmUgaW5pdGlh bGl6ZWQgYW5kDQpzeW5jaHJvbml6ZWQgd2l0aCB0aGUgS0RDIHByaW9yIHRv IGlzc3VlIChtb3JlIGFib3V0IEtEQyBsYXRlcikuIA0KDQoNCkhvdyBkb2Vz IGl0IHdvcms/DQotLS0tLS0tLS0tLS0tLS0tLQ0KS2VyYmVyb3Mgb3BlcmF0 ZXMgYnkgdGhlIGV4Y2hhbmdlIG9mIHRpY2tldHMgdGhhdCBhbGxvdyBhY2Nl c3MgdG8gYWxsDQpzZXJ2aWNlcyBieSB0aGUgdXNlciBpbiB0aGUgc3RyZW5n dGhlbmVkIHJlYWxtOg0KbyBQYXNzd29yZHMgYXJlIHN0b3JlZCBpbiB0aGUg Y2VudHJhbCBLZXkgRGlzdHJpYnV0aW9uIFNlcnZlciAoS0RDKS4NCm8gVXNl ciBsb2dzIGludG8ga2VyYmVyaXplZCBjb21wdXRlciBhdCB0aGUgY29uc29s ZSAtIG1heSBoYXZlIHRvIHR5cGUNCiAga2luaXQgYW5kIGdpdmUga2VyYmVy b3MgcGFzc3dvcmQgaWYgdGhlIGxvZ2luIHByb2dyYW0gb24gdGhlIG1hY2hp bmUNCiAgaXMgbm90IHRoZSBrZXJiZXJpemVkIG9uZS4NCm8gVXNlciBnZXRz ICJ0aWNrZXQiIGZyb20gS0RDLg0KbyBQYXNzd29yZCBpcyB1c2VkIGFzIGEg a2V5IHRvIGVuY3J5cHQgdGhlIGV4Y2hhbmdlcyBiZXR3ZWVuIGhvc3QgYW5k DQogIEtEQyBidXQgaXMgbm90IHRyYW5zbWl0dGVkIGJldHdlZW4gdGhlbS4N Cm8gWW91IGNhbiBub3cgbG9naW4gdG8gb3RoZXIgc3RyZW5ndGhlbmVkIGhv c3RzIHdpdGhvdXQgdHlwaW5nIGENCiAgcGFzc3dvcmQgYWdhaW4uDQogDQpP bmUgYmlnIGFkdmFudGFnZSBpcyB0aGF0IHlvdSBoYXZlIE9ORSBsb2dpbiwg a25vd24gYXMgeW91ciBrZXJiZXJvcw0KcHJpbmNpcGxlIGFuZCBPTkUgcGFz c3dvcmQuIFRoaXMgc2ltcGxpZmllcyBsaWZlIGNvbnNpZGVyYWJseS4gWW91 
DQpzdGlsbCBuZWVkIGFuIGFjY291bnQgb24gbWFjaGluZXMgdGhhdCB5b3Ug bG9naW4gdG8gYnV0IHRoZXJlIGFyZSBubw0KcGFzc3dvcmRzIHN0b3JlZCBs b2NhbGx5IGFueW1vcmUuDQoNCldoYXQgZG9lcyB0aGlzIG1lYW4gZm9yIHlv dT8NCi0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWxsIG1hY2hpbmVz IGF0IEZOQUwgd2lsbCBiZSBrZXJiZXJpemVkIGJ5IGRlZmF1bHQuIElmIHlv dSBicmluZyBhDQptYWNoaW5lIGZyb20geW91ciB1bml2ZXJzaXR5IHRvIEZO QUwgdGhlbiBpdCB3aWxsIGJlIGtlcmJlcml6ZWQgaWYgeW91DQp3aGljaCB0 byBwYXJ0aWNpcGF0ZSBpbiB0aGUgc3RyZW5ndGhlbmVkIHJlYWxtIC0gdGhp cyBpcyBoaWdobHkNCnJlY29tbWVuZGVkIGFzIGl0IG1ha2VzIHlvdSBhY2Nl c3MgdG8gb3RoZXIgRk5BTCBtYWNoaW5lcyBtdWNoDQpzaW1wbGVyLg0KDQpJ ZiB5b3UgYXJlIGF0IGEgdW5pdmVyc2l0eSB5b3UgaGF2ZSAzIGNob2ljZXM6 DQoNCjEuIExlYXZlIHlvdXIgbWFjaGluZXMgdW5zdHJlbmd0aGVuZWQgYW5k IGFsd2F5cyBsb2dpbiB1c2luZyB5b3VyDQpDUllQVE9DYXJkLiBOb3RlIHRo YXQgaWYgeW91IGNob29zZSB0byBkbyB0aGlzIGFuZCBuZWVkIHRvIHBlcmZv cm0NCm9wZXJhdGlvbnMgdGhhdCBpbnZvbHZlIHR5cGluZyB5b3VyIGtlcmJl cm9zIHBhc3N3b3JkIHlvdSBtdXN0IGZpcnN0DQpsb2dpbiB0byB0aGUgc3Ry ZW5ndGhlbmVkIG1hY2hpbmUgdXNpbmcgc3NoICh1c2luZyB5b3VyIENSWVBU T0NhcmQpIHNvDQp0aGF0IHlvdSBoYXZlIGFuIGVuY3J5cHRlZCBjb25uZWN0 aW9uIHNvIHRoYXQgeW91ciBwYXNzd29yZCBpcyBub3QNCmV4cG9zZWQuIFlv dSBtdXN0IE5FVkVSIHR5cGUgaW4geW91ciBwYXNzd29yZCBpZiB5b3UgYXJl IG9uIGFuDQp1bmVuY3J5cHRlZCBjaGFubmVsIC0gdGhpcyBtZWFucyB0aGF0 IHRoZXJlIGlzIG5vIHdheSB0byBwZXJmb3JtIGFueQ0Ka2VyYmVyb3MgY29t bWFuZCB0aGF0IHJlcXVpcmVzIGEgcGFzc3dvcmQgd2hpbGUgbG9nZ2VkIGlu IHVzaW5nIGFuIFgtdGVybWluYWwuDQoNCjIuIEluc3RhbGwgdGhlIGtlcmJl cm9zIGNsaWVudCBzb2Z0d2FyZSBvbiB5b3VyIG1hY2hpbmVzIGFuZCBzaWdu IHVwIHRvIGJlDQpwYXJ0IG9mIHRoZSBGTkFMIHN0cmVuZ3RoZW5lZCByZWFs bS4gVGhpcyBtZWFucyB5b3UgY2FuIGNvbm5lY3QgdG8NCkZOQUwgd2l0aG91 dCBuZWVkaW5nIGEgQ1JZUFRPQ2FyZC4gVGhpcyBpcyB0aGUgcHJlZmVycmVk IG1ldGhvZCBpZiB5b3UNCmFyZSBhYmxlIHRvIGRvIHRoaXMuDQoNCklNUE9S VEFOVCBOT1RFOiBQcmFjdGljYWwgY29uc2lkZXJhdGlvbnMsIG5hbWVseSB0 aGUgZmFjdCB0aGF0IG9mZi1zaXRlDQptYWNoaW5lcyBhdCB1bml2ZXJzaXRp ZXMgbWF5IGJlIHNoYXJlZCBieSBtYW55IHBlb3BsZSBzb21lIG9mIHdob20g 
ZG8NCm5vdCBhY2Nlc3MgRk5BTCBhdCBhbGwsIG1lYW4gdGhhdCBvZmYtc2l0 ZSB1c2VycyB3aWxsDQphbHNvIGJlIGFsbG93ZWQgdG8gcnVuIHNzaCB3aXRo IHBhc3N3b3JkcywgcHVibGljL3ByaXZhdGUga2V5cywNCmhvc3QtYmFzZWQg a2V5cyBvciBrZXJiZXJvcyBvbiB0aGVpciBtYWNoaW5lcyBhdCB0aGVpciB1 bml2ZXJzaXR5Lg0KSG93ZXZlciB1bml2ZXJzaXR5IG1hY2hpbmVzIHRoYXQg YXJlIHNpdGVkIGF0IEZOQUwgKGFuZA0KU291ZGFuKSB0aGF0IG5lZWQgdG8g dXNlIHNzaCB3aWxsIGJlIHJlcXVpcmVkIHRvIHVzZSBrZXJiZXJpemVkIHNz aCwNCm5vbi1rZXJiZXJpemVkIHNzaCBpcyBub3QgcGVybWl0dGVkIG9uIHRo ZXNlIG1hY2hpbmVzLiANCg0KMy4gWW91ciBzaXRlIG1heSBoYXZlIGl0cyBv d24gdmVyc2lvbiBvZiBzdHJvbmcgYXV0aGVudGljYXRpb24gd2hpY2gNCm1h eSBiZSBhY2NlcHRhYmxlIHRvIEZOQUwgYW5kIHRoZW4geW91IGJlY29tZSBh IHRydXN0ZWQgcmVhbG0uDQoNCkdyb3VwcyBzaG91bGQgc3RhcnQgdGhpbmtp bmcgYWJvdXQgd2hldGhlciB0aGV5IHBsYW4gdG8ga2VyYmVyaXplDQp0aGVp ciBtYWNoaW5lcyBvciBub3QuIFBlb3BsZSBzaG91bGQgYWxzbyBiZSB0aGlu a2luZyBhYm91dCB3aGV0aGVyDQp0aGV5IHdpbGwgbmVlZCBhIENSWVBUT0Nh cmQgaW4gdGhlIGZpcnN0IHBoYXNlLiBJIGFtIHBsYW5uaW5nIG9uDQpoYXZp bmcgY2FyZHMgdG8gZGlzdHJpYnV0ZSBhdCB0aGUgRWx5IG1lZXRpbmcgYXMg bWFueSBwZW9wbGUgZG8NCm5vdCB2aXNpdCBGTkFMIG9uIGEgcmVndWxhciBi YXNpcy4gDQoNCkkgd2lsbCBiZQ0KZm9sbG93aW5nIHVwIHdpdGggc3BlY2lm aWMgaW5zdHJ1Y3Rpb25zIG9uIGhvdyB0byBvYnRhaW4geW91ciBrZXJiZXJv cw0KcHJpbmNpcGxlIGFuZCBDUllQVE9DYXJkIGlmIHlvdSBuZWVkIG9uZS4g Q3VycmVudGx5IGFib3V0IDcwIHBlb3BsZQ0KZnJvbSB0aGUgZXhwZXJpbWVu dCBoYXZlIGFjY291bnQgb24gbWlub3MxIHdoaWNoIGlzIGEgbGl0dGxlIGxl c3MgdGhhdA0KaGFsZiB0aGUgZXhwZXJpbWVudC4NCg0KDQoJIFRoYW5rcyBm b3IgeW91IGF0dGVudGlvbg0KDQoJCUxpeiANCg== ---511468492-1231333727-988240898=:17848-- From kreymer@fnal.gov Thu Apr 26 14:04:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA21073 for ; Thu, 26 Apr 2001 14:04:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCE00DLOYBO0S@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 26 Apr 2001 14:04:37 -0500 (CDT) 
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00131D4F@listserv.fnal.gov>; Thu, 26 Apr 2001 14:04:36 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 193857 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 26 Apr 2001 14:04:36 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00131D4E@listserv.fnal.gov>; Thu, 26 Apr 2001 14:04:36 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCE00H9YYBNYW@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 26 Apr 2001 14:04:35 -0500 (CDT) Date: Thu, 26 Apr 2001 14:04:35 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: kinit In-reply-to: <200104192059.PAA13607@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov To: Matt Crawford Cc: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1203 On Thu, 19 Apr 2001, Matt Crawford wrote:
> Ugly, but functional. However ...
>
> ...
> echo "cp \$KRB5CCNAME $KRB5CCNAME"
> ...
>
> I suggest that you allow for the possibility that KRB5CCNAME may have
> the "TYPE:" prefix on it. For example, FILE:/tmp/krb5cc_foobie.
> Besides the obvious stripping of characters, there's another way to
> handle that, which I will probably be sorry I thought of:
>
> echo ln -s / FILE:
> echo "cp \$KRB5CCNAME $KRB5CCNAME"
> echo rm FILE:
>
I think I have a cleaner one now:

#!/bin/sh
# get uid
eval `id | sed -e 's/(.*//'`
# figure ticket cache
if [ "x$KRB5CCNAME" = x ]
then
    krb5file=/tmp/krb5cc_$uid
else
    krb5file=`echo $KRB5CCNAME | sed -e sxFILE:xx`
fi
(
    read line
    echo $line
    sleep 1000 &
    pid=$!
    echo 'rkrb5file=`echo $KRB5CCNAME | sed -e xFILE:xx`'
    echo "cp \$rkrb5file $krb5file"
    echo "kdestroy"
    echo "echo xyzzy $pid xyzzy"
    echo "exit"
    wait $pid
) | ( /usr/krb5/bin/telnet localhost ) | while read line
do
    set : $line
    case $2 in
    Press) printf "$line\n"
           printf "Enter the displayed response: " ;;
    xyzzy) kill $3 ;;
    esac
done

From kreymer@fnal.gov Thu Apr 26 15:13:05 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA21135 for ; Thu, 26 Apr 2001 15:13:05 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCF00N7Z1HR29@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 26 Apr 2001 15:13:04 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00131E6B@listserv.fnal.gov>; Thu, 26 Apr 2001 15:13:03 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 194180 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 26 Apr 2001 15:13:03 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00131E6A@listserv.fnal.gov>; Thu, 26 Apr 2001 15:13:03 -0500 Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCF00N921HR30@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 26 Apr 2001 15:13:03 -0500 (CDT) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id PAA13121 for ; Thu, 26 Apr 2001 15:13:03 -0500 (CDT) Date: Thu, 26 Apr 2001 15:13:03 -0500 (CDT) From: Tim Zingelman Subject: kerberos host key security (was: kerberos from 'unknown' machines...) 
In-reply-to: <200104252049.PAA19920@gungnir.fnal.gov> Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1204 On Wed, 25 Apr 2001, Matt Crawford wrote: > The host principals are only for offering services. They do not help > to identify a user on the host in any way. Kerberos authentication > never involves the DNS name, IP address or other identity of the host > where the client is located[*]. > > When you set Kerberos access controls, it's always done by > username@REALM, with no reference to a source host. So the danger in someone illicitly getting a host key is that they could, given that they did some sort of ip address or dns spoofing, impersonate the host, and accept forwarded credentials, then use them to get into the realm. What, if any, are the other risks? Thanks, - Tim From kreymer@fnal.gov Thu Apr 26 16:38:42 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA21275 for ; Thu, 26 Apr 2001 16:38:42 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCF00NNZ5GG29@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 26 Apr 2001 16:38:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00132001@listserv.fnal.gov>; Thu, 26 Apr 2001 16:38:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 194623 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 26 Apr 2001 16:38:40 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00132000@listserv.fnal.gov>; Thu, 26 Apr 2001 16:38:40 -0500 Received: from 
gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCF00MQE5GGQR@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 26 Apr 2001 16:38:40 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA03190; Thu, 26 Apr 2001 16:38:37 -0500 (CDT) Date: Thu, 26 Apr 2001 16:38:37 -0500 From: Matt Crawford Subject: Re: kerberos host key security (was: kerberos from 'unknown' machines...) In-reply-to: "26 Apr 2001 15:13:03 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: Tim Zingelman Cc: kerberos-pilot@fnal.gov Message-id: <200104262138.QAA03190@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1205 > So the danger in someone illicitly getting a host key is that they could, > given that they did some sort of ip address or dns spoofing, impersonate > the host, and accept forwarded credentials, then use them to get into the > realm. Complicated, but attacks nearly as complicated are already in the paws of the script kiddies, so it shouldn't be overlooked. > What, if any, are the other risks? The more plausible scenario is that by using a stolen host key, the attacker can impersonate any client, *to* that one host, whether or not any ticket for that client is ever seen. Now the most obvious way to steal a host key involves getting root access on the host, in which case you've already accomplished everything you could do with the host key, except that the host key lets you come back again later (until the key is changed -- a fairly simple operation) whereas the means you got in the first time might be fixed later. 
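An added illustration of the point Matt makes above (not part of the thread, and not real Kerberos): a host checks a service ticket only against its own key, so whoever holds that key can mint a ticket naming any client principal, and the ACL, being username@REALM with no source host, has nothing else to go on. The model below stands in for an encrypted ticket with a JSON body plus an HMAC-SHA256 tag under the host key, which keeps the one property that matters here. The principal names, service name and addresses are made up for the example. It also runs through the footnote in Matt's earlier message (an address list in the ticket stops a stolen copy presented from another address, an addressless ticket does not) and his remark that changing the host key is what finally shuts the attacker out.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "PILOT.FNAL.GOV"     # realm name as used in the thread


def _tag(host_key, body):
    # Stand-in for encrypting the ticket under the host key: a MAC under that key.
    return hmac.new(host_key, body, hashlib.sha256).hexdigest()


def mint_ticket(host_key, client, spn, addresses=None, lifetime=8 * 3600, now=None):
    """Ticket for `client` to service `spn`, acceptable to anyone who knows `host_key`.

    The KDC does this legitimately; whoever steals the host key can do exactly
    the same thing, which is the whole point of the model.
    """
    now = time.time() if now is None else now
    body = json.dumps({"client": client, "server": spn,
                       "addresses": addresses,          # None: addressless ticket
                       "expires": now + lifetime}, sort_keys=True).encode()
    return body, _tag(host_key, body)


class KDC:
    """Knows every host key; issues tickets only for principals it has."""

    def __init__(self):
        self.host_keys = {}
        self.principals = set()

    def register_host(self, spn):
        key = os.urandom(32)             # the copy that goes into the host's keytab
        self.host_keys[spn] = key
        return key

    def issue(self, client, spn, addresses=None):
        if client not in self.principals:
            raise PermissionError("unknown principal " + client)
        return mint_ticket(self.host_keys[spn], client, spn, addresses)


class Host:
    """A kerberized host. The ACL is by principal@REALM only, never by source host."""

    def __init__(self, spn, key, acl):
        self.spn, self.key, self.acl = spn, key, acl

    def accept(self, ticket, peer_addr, now=None):
        body, tag = ticket
        now = time.time() if now is None else now
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False, "ticket not minted under this host's key"
        t = json.loads(body)
        if t["server"] != self.spn:
            return False, "ticket is for another service"
        if t["expires"] < now:
            return False, "ticket expired"
        if t["addresses"] is not None and peer_addr not in t["addresses"]:
            return False, "client address not in ticket"
        if t["client"] not in self.acl:
            return False, "principal not in ACL"
        return True, t["client"]


def demo():
    """Run the scenarios from the thread; names and addresses are made up."""
    kdc = KDC()
    liz, matt = "liz@" + REALM, "matt@" + REALM
    kdc.principals.update({liz, matt})
    spn = "host/fcdfsgi2.fnal.gov@" + REALM
    key = kdc.register_host(spn)
    host = Host(spn, key, acl={liz, matt})
    out = {}
    out["kdc_issued"] = host.accept(kdc.issue(liz, spn), "131.225.52.156")
    # Attacker holds the keytab (say, after root on the host) and has never seen
    # a ticket for matt; the host cannot tell this one from a KDC-issued one.
    forged = mint_ticket(key, matt, spn)
    out["forged_with_stolen_key"] = host.accept(forged, "10.0.0.1")
    out["forged_with_wrong_key"] = host.accept(mint_ticket(os.urandom(32), matt, spn), "10.0.0.1")
    # Address list: a stolen copy used from elsewhere fails, but an addressless
    # ticket (which the client can ask for) does not, hence "partial protection".
    bound = kdc.issue(liz, spn, addresses=["131.225.52.156"])
    out["bound_from_elsewhere"] = host.accept(bound, "10.0.0.1")
    out["addressless_from_elsewhere"] = host.accept(kdc.issue(liz, spn), "10.0.0.1")
    # Changing the host key (new keytab) is what finally shuts the attacker out.
    host.key = kdc.register_host(spn)
    out["forged_after_rekey"] = host.accept(forged, "10.0.0.1")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The MAC is only a stand-in: a real service ticket is encrypted under the host key and carries a session key, but the verification step on the host still reduces to "was this made by someone who knows my key", which is why a leaked keytab has to be treated as a compromise of every client identity on that host until the key is changed.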
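Returning to Marc's new-portal-ticket script earlier in the thread: the part that needs care is working out which local file the portal session's cache should be copied into, given Matt's note that KRB5CCNAME may carry a "TYPE:" prefix. The Python below is an added example, not the script that shipped with Fermi Kerberos. It resolves the local cache path (bare path, FILE: prefix, unset, and the non-file cache types krb5 also understands, which cp cannot target) and builds the command lines the script feeds to the portal-mode telnet session. The cp/kdestroy sequence and the xyzzy marker are Marc's; wrapping each line in sh -c so it does not depend on the remote login shell, and the list of cache types, are this example's own choices and assumptions. Like the script, it assumes the portal login is to localhost, so cp on the remote side writes into the local user's cache.

```python
import shlex

# Cache types krb5 implementations accept in KRB5CCNAME (this list is the
# example's own assumption); only FILE, the default, names a plain file cp can copy.
KNOWN_CCACHE_TYPES = {"FILE", "DIR", "KEYRING", "KCM", "MEMORY", "API", "MSLSA"}


def ccache_file(krb5ccname, uid):
    """Local cache file the portal session should copy into, or None if not a file.

    Covers the cases raised in the thread: "FILE:/tmp/krb5cc_foobie" (TYPE:
    prefix), a bare path, an unset or empty KRB5CCNAME (krb5's default
    /tmp/krb5cc_<uid>), and the non-file cache types, where there is no path.
    """
    if not krb5ccname:
        return "/tmp/krb5cc_%d" % uid
    ctype, sep, residual = krb5ccname.partition(":")
    if not sep or ctype.upper() not in KNOWN_CCACHE_TYPES:
        return krb5ccname          # no recognised prefix: treat it as a plain path
    if ctype.upper() == "FILE":
        return residual
    return None


def remote_commands(local_cache, marker_pid):
    """Command lines to feed the portal-mode login once it has a ticket.

    The cp/kdestroy sequence and the xyzzy marker (which the local read loop
    watches for before killing its sleep) follow Marc's script. Each command is
    wrapped in `sh -c '...'` so it runs the same whether the remote login shell
    is Bourne-like or csh-like; ${KRB5CCNAME#FILE:} strips the prefix remotely.
    kdestroy runs only if the copy succeeded, so a failed copy leaves the
    portal ticket in place for inspection.
    """
    copy = 'cp "${KRB5CCNAME#FILE:}" %s && kdestroy' % shlex.quote(local_cache)
    return ["sh -c " + shlex.quote(copy),
            "echo xyzzy %d xyzzy" % marker_pid,
            "exit"]


if __name__ == "__main__":
    import os
    cache = ccache_file(os.environ.get("KRB5CCNAME"), os.getuid())
    if cache is None:
        raise SystemExit("KRB5CCNAME is not a FILE: cache; nothing to copy into")
    print("\n".join(remote_commands(cache, os.getpid())))
```

Run without arguments it prints the three lines that would be piped into the telnet session for the current user's cache; a KEYRING: or KCM: cache makes it stop instead of handing cp a name it cannot write to.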
From kreymer@fnal.gov Fri Apr 27 13:36:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA27724 for ; Fri, 27 Apr 2001 13:36:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCG006CGRP0LU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 27 Apr 2001 13:36:37 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00132A07@listserv.fnal.gov>; Fri, 27 Apr 2001 13:36:36 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 197450 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Fri, 27 Apr 2001 13:36:36 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00132A06@listserv.fnal.gov>; Fri, 27 Apr 2001 13:36:36 -0500 Received: from RALPH.fnal.gov ([131.225.82.167]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCG005HARP0NU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Fri, 27 Apr 2001 13:36:36 -0500 (CDT) Date: Fri, 27 Apr 2001 13:36:33 -0500 From: Randy Reitz Subject: Kerberos client software for CygWIN32 Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: rreitz@mailhost.chi.ameritech.net To: kerberos-pilot@fnal.gov Message-id: <5.1.0.14.2.20010427133416.02a97568@mailhost.chi.ameritech.net> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Content-type: text/plain; charset=us-ascii; format=flowed Status: RO X-Status: X-Keywords: X-UID: 1206 I'm curious why there is no kerberos client software for cygwin? I see that other UPS/UPD products support this platform. 
Thanks Randy From kreymer@fnal.gov Mon Apr 30 08:34:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA15348 for ; Mon, 30 Apr 2001 08:34:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCL00CLZXPNAE@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 30 Apr 2001 08:34:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00133E0C@listserv.fnal.gov>; Mon, 30 Apr 2001 08:34:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203206 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 30 Apr 2001 08:34:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00133E0B@listserv.fnal.gov>; Mon, 30 Apr 2001 08:34:35 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCL00CNGXPM6P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 30 Apr 2001 08:34:34 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA12372; Mon, 30 Apr 2001 08:34:25 -0500 (CDT) Date: Mon, 30 Apr 2001 08:34:25 -0500 From: Matt Crawford Subject: Re: kinit In-reply-to: "26 Apr 2001 14:04:35 CDT." Sender: owner-kerberos-pilot@listserv.fnal.gov To: "Marc W. Mengel" Cc: kerberos-pilot@fnal.gov Message-id: <200104301334.IAA12372@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1207 > I think I have a cleaner one now: > [...] > echo 'rkrb5file=`echo $KRB5CCNAME | sed -e xFILE:xx`' Missing an "s" in the sed command, and it only works if the user's shell is Bourne-like. 
I fixed up those two little details, wrote a man page and added it to the upcoming Fermi Kerberos v1_2 release under the cumbersome name new-portal-ticket. Thanks for the contribution! From kreymer@fnal.gov Mon Apr 30 12:06:56 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14140 for ; Mon, 30 Apr 2001 12:06:56 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCM00D0T7IOG5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 30 Apr 2001 12:06:55 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001341EE@listserv.fnal.gov>; Mon, 30 Apr 2001 12:06:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 204259 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 30 Apr 2001 12:06:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001341EC@listserv.fnal.gov>; Mon, 30 Apr 2001 12:06:44 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCM00B6X7J26G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 30 Apr 2001 12:06:43 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 30 Apr 2001 12:06:38 -0500 Content-return: allowed Date: Mon, 30 Apr 2001 12:06:16 -0500 From: ARSystem Subject: CRAWFORD, MATT, Reminder for 16559 Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761602EA@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1208 This reminder created on 4/30/01 12:03:15 PM Ticket 16559 has been assigned to you. 
This is a reminder that the ticket is not yet resolved. Status : Assigned First Name : DANE Last Name (+) : SKOW Phone : 4730 E-Mail Address : DANE@FNAL.GOV Incident Time : 2/7/01 5:02:09 PM System Name : UNFERTH Problem Category : Software Item : Kerberos Type : Utilities Urgency : Medium Short Description : expiring password and screensaver Problem Description : I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks. Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver. This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit. However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit. The error message on an explicit kinit was crystal clear once I thought to issue that. I saw no reminder that my password was nearly expired. Is there any mechanism in place now ? planned ? At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew). 
Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510 From kreymer@fnal.gov Tue May 1 13:10:08 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA32277 for ; Tue, 1 May 2001 13:10:08 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00A3D54UTX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 May 2001 13:10:07 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013547C@listserv.fnal.gov>; Tue, 01 May 2001 13:10:06 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 209607 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 May 2001 13:10:06 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013547B@listserv.fnal.gov>; Tue, 01 May 2001 13:10:06 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00B2R54U7P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 May 2001 13:10:06 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 01 May 2001 13:10:06 -0500 Content-return: allowed Date: Tue, 01 May 2001 13:09:10 -0500 From: ARSystem Subject: 000000000018111 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-pilot@listserv.fnal.gov To: "'kerberos-pilot@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76160452@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1209 CRAWFORD, MATT, Help Desk Ticket #000000000018111 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. 
Short description: Can't find KDC for requested realm
Badge # (+) : 06307N
First Name : THOMAS
Last Name (+) : MEYER
Phone : 5193
E-Mail Address : TSMEYER@FNAL.GOV
Incident Time : 5/1/01 10:48:06 AM
System Name :
Urgency : Medium
Public Work Log :
Problem Description : Tom has installed Leash32, a Kerberos for Win32 product developed by MIT, on his PC. He has configured the software using Fermi's KDC. Tom is able to authenticate and obtains a krbtgt. He would like to change his Kerberos password from the Leash32 kerberos management window but is unable to do so. Attempts result in the error: "Can't find KDC for requested realm". The Beams Division is in the process of kerberizing its systems. Tom doesn't have any accounts on a 'kerberized' system therefore he can't login to one and change his password after using kinit. He would like to change his kerberos password before it expires after the initial 30 days. How can he do so?

From kreymer@fnal.gov Tue May 1 13:30:32 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA32305 for ; Tue, 1 May 2001 13:30:32 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00A9P62U3C@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 May 2001 13:30:31 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001354DB@listserv.fnal.gov>; Tue, 01 May 2001 13:30:30 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 209709 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 May 2001 13:30:30 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001354DA@listserv.fnal.gov>; Tue, 01 May 2001 13:30:30 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00A7F62UWH@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 May 2001 13:30:30 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA02021; Tue, 01 May 2001 13:30:19 -0500 (CDT)
Date: Tue, 01 May 2001 13:30:19 -0500
From: Matt Crawford
Subject: Re: 000000000018111 Assigned to CRAWFORD, MATT.
In-reply-to: "01 May 2001 13:09:10 CDT." <318CC3D38BE0D211BB1200105A093F76160452@csdserver2.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200105011830.NAA02021@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1210

> Problem Description : Tom has installed Leash32, a Kerberos for Win32
> product developed by MIT, on his PC. He has configured the software
> using Fermi's KDC. Tom is able to authenticate and obtains a krbtgt. He
> would like to change his Kerberos password from the Leash32 kerberos
> management window but is unable to do so. Attempts result in the error:
> "Can't find KDC for requested realm".

Where do I begin? Leash32 is not supported by me or, to my knowledge, anyone else at FNAL. There is a Kerberos product for Windows that we recommend. I have nothing personally against the adventurous striking out on their own, but they can't expect too much help when they strike out.

The bit of information he probably needs to configure is that the "admin server" for PILOT.FNAL.GOV is krb-pilot-admin.fnal.gov.

> The Beams Division is in the process of kerberizing its systems. Tom
> doesn't have any accounts on a 'kerberized' system

Oh, really? What is nova, Chopped Liver 1.0? He seems to have an account on nova and to have changed his Kerberos password from there at 11:20:52 today.
Principal: tsmeyer@PILOT.FNAL.GOV
Last password change: Tue May 01 11:20:52 CDT 2001
Last modified: Tue May 01 11:20:52 CDT 2001 (tsmeyer@PILOT.FNAL.GOV)

May 1 11:20:52 i-krb-2.fnal.gov kadmind[23486]: Request: kadm5_chpass_principal, tsmeyer@PILOT.FNAL.GOV, success, client=tsmeyer@PILOT.FNAL.GOV, service=kadmin/changepw@PILOT.FNAL.GOV, addr=131.225.121.207

Unfortunately, nova seems to be a system obtaining Kerberos tickets from passwords while still allowing cleartext passworded logins. This is not good and someone will have to make an explanation.

From kreymer@fnal.gov Tue May 1 13:45:45 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA32319 for ; Tue, 1 May 2001 13:45:45 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00BBM6S870@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 01 May 2001 13:45:45 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00135549@listserv.fnal.gov>; Tue, 01 May 2001 13:45:44 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 209830 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 01 May 2001 13:45:44 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00135548@listserv.fnal.gov>; Tue, 01 May 2001 13:45:43 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCO00ACM6S6KU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Tue, 01 May 2001 13:45:43 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 01 May 2001 13:45:43 -0500
Content-return: allowed
Date: Tue, 01 May 2001 13:44:54 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18111 Resolved.
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76160465@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1211

Thank you for your assistance. Help Desk ticket #000000000018111 has been resolved on 5/1/01 1:44:12 PM

Resolution Timestamp: : 5/1/01 1:30:00 PM
Solution Category : Information Request
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Can't find KDC for requested realm
Solution : Leash32 is not supported by me or, to my knowledge, anyone else at FNAL. There is a Kerberos product for Windows that we recommend. I have nothing personally against the adventurous striking out on their own, but they can't expect too much help when they strike out. The bit of information he probably needs to configure is that the "admin server" for PILOT.FNAL.GOV is krb-pilot-admin.fnal.gov. He seems to have an account on nova and to have changed his Kerberos password from there at 11:20:52 today.

Principal: tsmeyer@PILOT.FNAL.GOV
Last password change: Tue May 01 11:20:52 CDT 2001
Last modified: Tue May 01 11:20:52 CDT 2001 (tsmeyer@PILOT.FNAL.GOV)

May 1 11:20:52 i-krb-2.fnal.gov kadmind[23486]: Request: kadm5_chpass_principal, tsmeyer@PILOT.FNAL.GOV, success, client=tsmeyer@PILOT.FNAL.GOV, service=kadmin/changepw@PILOT.FNAL.GOV, addr=131.225.121.207

Unfortunately, nova seems to be a system obtaining Kerberos tickets from passwords while still allowing cleartext passworded logins. This is not good and someone will have to make an explanation.

Problem Description : Tom has installed Leash32, a Kerberos for Win32 product developed by MIT, on his PC. He has configured the software using Fermi's KDC. Tom is able to authenticate and obtains a krbtgt. He would like to change his Kerberos password from the Leash32 kerberos management window but is unable to do so. Attempts result in the error: "Can't find KDC for requested realm". The Beams Division is in the process of kerberizing its systems. Tom doesn't have any accounts on a 'kerberized' system therefore he can't login to one and change his password after using kinit. He would like to change his kerberos password before it expires after the initial 30 days. How can he do so?

From kreymer@fnal.gov Wed May 2 17:13:29 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA03602 for ; Wed, 2 May 2001 17:13:29 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00EW2B2G5Q@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 May 2001 17:13:29 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001369B6@listserv.fnal.gov>; Wed, 02 May 2001 17:13:28 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 215728 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 May 2001 17:13:28 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001369B5@listserv.fnal.gov>; Wed, 02 May 2001 17:13:28 -0500
Received: from fnal.gov ([131.225.82.9]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00M46B2GY7@smtp.fnal.gov>; Wed, 02 May 2001 17:13:28 -0500 (CDT)
Date: Wed, 02 May 2001 17:13:27 -0500
From: Margaret Votava
Subject: kerberos principal
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: compdiv@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <3AF08687.C003F960@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.17-14 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1212

Hi,

I would like to install kerberos on my laptop
(connected with dhcp). I guess I don't quite understand how this would work. Its nominal node name is lapdog.dhcp.fnal.gov.

Thanks,
Margaret

--
Margaret Votava                                   votava@fnal.gov
Computing Division/Online and Database Systems    630-840-2625 (office)
Fermi National Accelerator Laboratory             630-840-6345 (fax)
http://www.fnal.gov                               630-612-8220 (pager)

From kreymer@fnal.gov Wed May 2 17:32:22 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA03626 for ; Wed, 2 May 2001 17:32:22 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00LACBXWI4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 May 2001 17:32:21 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001369F2@listserv.fnal.gov>; Wed, 02 May 2001 17:32:20 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 215799 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 May 2001 17:32:20 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001369F1@listserv.fnal.gov>; Wed, 02 May 2001 17:32:20 -0500
Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00KA3BXWH7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 02 May 2001 17:32:20 -0500 (CDT)
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA02634; Wed, 02 May 2001 17:32:19 -0500
Date: Wed, 02 May 2001 17:32:19 -0500 (CDT)
From: Steven Timm
Subject: Re: kerberos principal
In-reply-to: <3AF08687.C003F960@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1213

If I understand the discussions correctly, these are the issues--

1) You don't actually need a host/ftp password for your laptop if you don't plan to offer any inbound services such as kerberos telnet, rcp, rsh, ftp. Just do ups install kerberos (presuming this is a Linux desktop), say no when asked if you have the passwords, and outbound connections to elsewhere will just work.

2) You can get a host/ftp principal for a dhcp-based laptop, but you have to beware because if someone else should grab lapdog.dhcp.fnal.gov then you won't have the same host name anymore. It's not guaranteed, after all. If you plan to offer any reliable services, you should get a static IP.

3) If you move your laptop from one network to another then you will have to reinitialize your credentials because the IP number will change even though the hostname doesn't.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 2 May 2001, Margaret Votava wrote:

> Hi,
>
> I would like to install kerberos on my laptop (connected with dhcp).
> I guess I don't quite understand how this would work. Its nominal
> node name is lapdog.dhcp.fnal.gov.
>
>
> Thanks,
> Margaret
>
>
> --
> Margaret Votava                                   votava@fnal.gov
> Computing Division/Online and Database Systems    630-840-2625 (office)
> Fermi National Accelerator Laboratory             630-840-6345 (fax)
> http://www.fnal.gov                               630-612-8220 (pager)
>

From kreymer@fnal.gov Wed May 2 18:30:56 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA03924 for ; Wed, 2 May 2001 18:30:56 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00LI1ENII4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 May 2001 18:30:56 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136AA3@listserv.fnal.gov>; Wed, 02 May 2001 18:30:55 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 215993 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 May 2001 18:30:55 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136AA1@listserv.fnal.gov>; Wed, 02 May 2001 18:30:55 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00KKMENIHE@smtp.fnal.gov>; Wed, 02 May 2001 18:30:54 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id SAA07630; Wed, 02 May 2001 18:30:42 -0500 (CDT)
Date: Wed, 02 May 2001 18:30:42 -0500
From: Matt Crawford
Subject: Re: kerberos principal
In-reply-to: "02 May 2001 17:13:27 CDT." <3AF08687.C003F960@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: compdiv@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <200105022330.SAA07630@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1214

> I would like to install kerberos on my laptop (connected with dhcp).
> I guess I don't quite understand how this would work. Its nominal
> node name is lapdog.dhcp.fnal.gov.

If you don't care about making connections *into* the laptop, just *don't* request host & ftp principals from Yolanda, do a normal UPS installation, and answer "no" when asked if you have the passwords for them.

If you *do* want to be able to make Kerberos connections *to* the laptop, request the host & ftp princs for lapdog.dhcp.fnal.gov, but be on your guard that whenever that name does not resolve to your current IP address, you can't get in.

From kreymer@fnal.gov Wed May 2 18:32:38 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA03928 for ; Wed, 2 May 2001 18:32:38 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00LHMEQDQ6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 02 May 2001 18:32:38 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136AA9@listserv.fnal.gov>; Wed, 02 May 2001 18:32:37 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 215999 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Wed, 02 May 2001 18:32:37 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136AA8@listserv.fnal.gov>; Wed, 02 May 2001 18:32:37 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCQ00193EQC8G@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Wed, 02 May 2001 18:32:37 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id SAA07656; Wed, 02 May 2001 18:32:24 -0500 (CDT)
Date: Wed, 02 May 2001 18:32:24 -0500
From: Matt Crawford
Subject: Re: kerberos principal
In-reply-to: "02 May 2001 17:32:19 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Steven Timm
Cc: Margaret Votava , kerberos-pilot@fnal.gov
Message-id: <200105022332.SAA07656@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1215

> 2) You can get a host/ftp principal for a dhcp-based laptop,
> but you have to beware because if someone else should grab
> lapdog.dhcp.fnal.gov then you won't have the same host name anymore.
> It's not guaranteed, after all.

But that other machine could not impersonate yours or steal kerberized connections intended for your machine. It would just interfere with the connection being made to your host.

From kreymer@fnal.gov Thu May 3 08:33:37 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA04732 for ; Thu, 3 May 2001 08:33:37 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR0026BHO0RX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 08:33:37 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136F54@listserv.fnal.gov>; Thu, 03 May 2001 08:33:36 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 217326 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 08:33:36 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136F53@listserv.fnal.gov>; Thu, 03 May 2001 08:33:36 -0500
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00272HO0S2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 08:33:36 -0500 (CDT)
Date: Thu, 03 May 2001 08:33:34 -0500
From: Troy Dawson
Subject: kerberos path
Sender: owner-kerberos-pilot@listserv.fnal.gov
To:
kerberos-pilot@fnal.gov
Message-id: <3AF15E2E.5655C11@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1216

Howdy,
Is there a technical and/or security reason why the kerberos stuff is installed in /usr/krb5?

I actually had a good chuckle (I am easily amused) when I saw that we have a product called kerberos that is installed in /usr/krb5, while MIT's rpms have a package called krb5 that is installed in /usr/kerberos.

What sort of things will go wrong if I install my kerberos in /usr/kerberos to be consistent with MIT's? (I do realize the user confusion, I'm just wondering about what else.)

Troy
--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab ComputingDivision/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Thu May 3 08:41:19 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA04738 for ; Thu, 3 May 2001 08:41:19 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR0027AI0US5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 08:41:19 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136F64@listserv.fnal.gov>; Thu, 03 May 2001 08:41:18 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 217342 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 08:41:18 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136F63@listserv.fnal.gov>; Thu, 03 May 2001 08:41:18 -0500
Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00279I0TRU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 08:41:18 -0500 (CDT)
Date: Thu, 03 May 2001 08:41:13 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: kerberos path
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Troy Dawson
Cc: kerberos-pilot@fnal.gov
Message-id: <3AF15FF9.A53F078@fnal.gov>
Organization: Fermi National Accelerator Lab
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (WinNT; U)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3AF15E2E.5655C11@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1217

Troy Dawson wrote:
>
> Howdy,
> Is there a technical and/or security reason why the kerberos stuff is
> installed in /usr/krb5?
> I actually had a good chuckle (I am easily amused) when I saw that we have a
> product called kerberos that is installed in /usr/krb5, while MIT's rpms have a
> package called krb5 that is installed in /usr/kerberos.
> What sort of things will go wrong if I install my kerberos in /usr/kerberos to
> be consistent with MIT's? (I do realize the user confusion, I'm just
> wondering about what else.)
> Troy

The ups installation assumes /usr/krb5. I'm not sure how deeply embedded this is after the installation; my guess is, not at all (for straight kerberos). You would need to rename the /usr/krb5 directory, and modify any /etc files defining kerberized services, of course.

HOWEVER, lots of subsidiary FNAL products assume /usr/krb5. These include (off the top of my head):

- kcron (if you want to run authenticated cron jobs) and the related kcroninit, etc.
- setpath (which is part of the login suite, and adds /usr/krb5/bin to your path automagically)
- ???

-- lauri

From kreymer@fnal.gov Thu May 3 09:17:04 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA04878 for ; Thu, 3 May 2001 09:17:04 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR002GWJOERS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 09:17:03 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136FE5@listserv.fnal.gov>; Thu, 03 May 2001 09:17:02 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 217483 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 09:17:02 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136FE4@listserv.fnal.gov>; Thu, 03 May 2001 09:17:02 -0500
Received: from buckleypc.fnal.gov ([131.225.52.156]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR002GUJOES7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 09:17:02 -0500 (CDT)
Received: from localhost (buckley@localhost) by buckleypc.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA27810 for ; Thu, 03 May 2001 09:17:02 -0500
Date: Thu, 03 May 2001 09:17:00 -0500 (CDT)
From: Liz Buckley-Geer
Subject: confusing statement in manual
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: buckleypc.fnal.gov: buckley owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1218

Hi all,

I am somewhat confused by the following in the manual. The manual has the following description of the "trusted realm":

"The trusted realm
Other sites which implement strong authentication, and which meet certain criteria, may be recognized by the
strengthened realm at Fermilab as a "trusted" realm. Trusted realms provide levels of security and authentication equivalent to our own. Trust relations (cross-authentication) between the trusted realm and the strengthened realm allow access without further authentication (i.e., the authentication takes place only when user accesses either realm individually)."

However, later it states

"At Fermilab, strengthened machines are configured to respond in portal mode when requests for access come from machines in either the untrusted realm or a (different) trusted realm."

This appears to contradict the first statement and would appear to render the idea of a trusted realm completely useless. Can someone comment on this apparent inconsistency?

Also what are the criteria that people have in mind for deciding that a site can be a trusted realm? I assume they would be required to have some form of kerberos authentication?

Thanks
Liz

From kreymer@fnal.gov Thu May 3 09:25:15 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA04884 for ; Thu, 3 May 2001 09:25:15 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR002JJK21RX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 09:25:14 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136FFF@listserv.fnal.gov>; Thu, 03 May 2001 09:25:14 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 217513 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 09:25:14 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00136FFE@listserv.fnal.gov>; Thu, 03 May 2001 09:25:14 -0500
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR002GSK21S1@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 09:25:13 -0500 (CDT)
Date: Thu, 03 May 2001 09:25:11 -0500
From: Troy Dawson
Subject: Re: kerberos path
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3AF16A47.169F2984@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200105031407.JAA09259@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1219

Matt Crawford wrote:
>
> In addition to what Lauri listed, which were not trivia, there's also
> the fact that the full path to login.krb5 is hard-coded in the
> kerberos telnetd ... and in the separated sshd product supporting
> portal mode.

Thanks. I guess I'll make sure that I keep things in krb5. I probably will make a link of /usr/kerberos pointing to /usr/krb5 though.

>
> If you're asking why the Kerberos stuff isn't just thrown into
> /usr/local or some $PRODUCTS sort of directory, there were good
> reasons for that choice as well.

I actually was asking because the rpms for Linux from RedHat have it in /usr/kerberos, I didn't know that it was in /usr/local originally (I just looked at the tarred binaries from MIT). I certainly agree with the choice of not putting them in there.

Troy
--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab ComputingDivision/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Thu May 3 10:58:42 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA04970 for ; Thu, 3 May 2001 10:58:42 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00DB9ODT8Z@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 10:58:41 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00137208@listserv.fnal.gov>; Thu, 03 May 2001 10:58:41 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218065 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 10:58:41 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00137207@listserv.fnal.gov>; Thu, 03 May 2001 10:58:41 -0500
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00CB6ODSGA@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 10:58:40 -0500 (CDT)
Date: Thu, 03 May 2001 10:58:40 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: kerberos path
In-reply-to: <3AF15E2E.5655C11@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Troy Dawson
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1220

Several of the utilities do have the /usr/krb5 path compiled into them. (rsh to fail over to rlogin, etc.) I'm not sure how significant the breakage would be if it wasn't there...
On Thu, 3 May 2001, Troy Dawson wrote:

> Date: Thu, 03 May 2001 08:33:34 -0500
> From: Troy Dawson
> To: kerberos-pilot@fnal.gov
> Subject: kerberos path
>
> Howdy,
> Is there a technical and/or security reason why the kerberos stuff is
> installed in /usr/krb5?
> I actually had a good chuckle (I am easily amused) when I saw that we have a
> product called kerberos that is installed in /usr/krb5, while MIT's rpms have a
> package called krb5 that is installed in /usr/kerberos.
> What sort of things will go wrong if I install my kerberos in /usr/kerberos to
> be consistent with MIT's? (I do realize the user confusion, I'm just
> wondering about what else.)
> Troy
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

From kreymer@fnal.gov Thu May 3 11:21:36 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA04993 for ; Thu, 3 May 2001 11:21:36 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00CH7PFYMG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 11:21:35 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001372E0@listserv.fnal.gov>; Thu, 03 May 2001 11:21:35 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218286 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 11:21:35 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001372DF@listserv.fnal.gov>; Thu, 03 May 2001 11:21:35 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00E6UPFYB7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 11:21:34 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id LAA09689; Thu, 03 May 2001 11:21:20 -0500 (CDT)
Date: Thu, 03 May 2001 11:21:19 -0500
From: Matt Crawford
Subject: Re: confusing statement in manual
In-reply-to: "03 May 2001 09:17:00 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Liz Buckley-Geer
Cc: kerberos-pilot@fnal.gov
Message-id: <200105031621.LAA09689@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1221

> However, later it states
>
> "At Fermilab, strengthened machines are configured to
> respond in portal mode when requests for access come from machines in
> either the untrusted realm or a (different) trusted realm."

Yes, this sentence is wrong. There's a germ of truth: if you're coming from our own realm or another one we do trust, but your credentials do not grant you access to the account to which you're trying to log in, and that account does have a corresponding Kerberos principal, then you'll get the portal-mode challenge. That's a detail that's probably not worth the confusing language.

Let's get that sentence changed to "At Fermilab, strengthened machines are configured to respond in portal mode when requests for access come from machines in the untrusted realm."
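The login rule Matt lays out for a strengthened host, encoded as a small decision function so the three outcomes (login, portal-mode challenge, refusal) can be checked against sample requests. This is an added example, not code from the thread or from the Fermilab Kerberos product; the realm and account names, the .k5login-style authorization check, and the handling of an account with no Kerberos principal are assumptions.

```python
# Added example, not code from the thread or from the Fermilab Kerberos product.
# It encodes the login decision described in the thread for a strengthened host:
#   - no Kerberos credentials (the "untrusted realm")             -> portal-mode challenge
#   - credentials from our realm or a trusted one that authorize
#     the target account                                           -> login
#   - such credentials that do NOT authorize the account, where the
#     account has a corresponding Kerberos principal               -> portal-mode challenge
# Assumptions (not from the thread): the local realm is PILOT.FNAL.GOV; account
# authorization follows MIT .k5login semantics (no .k5login means only
# <account>@<local realm> may log in); a request whose credentials neither
# authorize the account nor hit an account with a principal is simply refused.

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Set

LOCAL_REALM = "PILOT.FNAL.GOV"   # assumed local (strengthened) realm


@dataclass
class StrengthenedHost:
    trusted_realms: FrozenSet[str]                                  # realms with cross-realm trust
    k5login: Dict[str, Set[str]] = field(default_factory=dict)      # account -> principals allowed in
    has_principal: Dict[str, bool] = field(default_factory=dict)    # account -> has a Kerberos principal

    def authorizes(self, principal: str, account: str) -> bool:
        """MIT krb5_kuserok-style check: .k5login if present, else account@LOCAL_REALM only."""
        allowed = self.k5login.get(account)
        if allowed is None:
            return principal == f"{account}@{LOCAL_REALM}"
        return principal in allowed


def realm_of(principal: str) -> str:
    """Realm part of 'user@REALM'; raises ValueError on a malformed principal."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError(f"malformed principal: {principal!r}")
    return realm


def decide(host: StrengthenedHost, principal: Optional[str], account: str) -> str:
    """Return 'login', 'portal' or 'refuse' for one access request.

    principal is the authenticated Kerberos principal, or None when the client
    presented no Kerberos credentials (a machine in the untrusted realm).
    """
    if principal is None:
        return "portal"                 # untrusted realm: challenge for a portal login
    realm = realm_of(principal)
    if realm != LOCAL_REALM and realm not in host.trusted_realms:
        # No cross-realm trust, so the ticket cannot be verified; the client is
        # treated exactly like one with no credentials (assumption).
        return "portal"
    if host.authorizes(principal, account):
        return "login"                  # trusted credentials that grant the account
    if host.has_principal.get(account, False):
        return "portal"                 # the "germ of truth" case from the thread
    return "refuse"                     # assumption: the thread does not cover this case


def run_examples():
    """Constructed requests against a constructed host; returns (principal, account, decision)."""
    host = StrengthenedHost(
        trusted_realms=frozenset({"TRUSTED.EXAMPLE"}),
        k5login={"shared": {"alice@TRUSTED.EXAMPLE"}},
        has_principal={"alice": True, "shared": True, "guest": False},
    )
    requests = [
        (None, "alice"),                        # no credentials at all
        ("alice@PILOT.FNAL.GOV", "alice"),      # own realm, own account
        ("alice@TRUSTED.EXAMPLE", "shared"),    # trusted realm, listed in .k5login
        ("bob@TRUSTED.EXAMPLE", "alice"),       # trusted realm, not authorized, account has principal
        ("bob@OTHER.EXAMPLE", "alice"),         # realm we do not trust
        ("bob@TRUSTED.EXAMPLE", "guest"),       # not authorized, account has no principal
    ]
    return [(p, a, decide(host, p, a)) for p, a in requests]


if __name__ == "__main__":
    for principal, account, verdict in run_examples():
        print(f"{str(principal):24} -> {account:8} : {verdict}")
```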
From kreymer@fnal.gov Thu May 3 12:28:49 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA05067 for ; Thu, 3 May 2001 12:28:49 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00DSFSK0DB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 12:28:48 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00137462@listserv.fnal.gov>; Thu, 03 May 2001 12:28:48 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218693 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 12:28:48 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00137461@listserv.fnal.gov>; Thu, 03 May 2001 12:28:48 -0500 Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00EL1SJZB7@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 12:28:47 -0500 (CDT) Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id MAA07019 for ; Thu, 03 May 2001 12:28:47 -0500 (CDT) Date: Thu, 03 May 2001 12:28:47 -0500 (CDT) From: Tim Zingelman Subject: Re: kerberos path In-reply-to: Sender: owner-kerberos-pilot@listserv.fnal.gov X-Sender: To: kerberos-pilot@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1222 On Thu, 3 May 2001, Marc W. Mengel wrote: > Several of the utilities do have the /usr/krb5 path compiled into them. > (rsh to fail over to rlogin, etc.) I'm not sure how significant the > breakage would be if it wasn't there... 
configure included with fermi kerberos allows --prefix=/usr/local
(If you are doing something dangerous like building it yourself :)

How difficult would it be to propagate this information down into the
source code where it is hard coded?  Would it be a waste of my time to
figure it out and submit patches?

 - Tim

From kreymer@fnal.gov Thu May 3 12:45:30 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA05091 for ; Thu, 3 May 2001 12:45:29 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00ESETBS5L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 12:45:29 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013748E@listserv.fnal.gov>; Thu, 03 May 2001 12:45:28 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218740 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 12:45:28 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013748D@listserv.fnal.gov>; Thu, 03 May 2001 12:45:28 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00M4BTBR2I@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 12:45:27 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id MAA10701; Thu, 03 May 2001 12:45:14 -0500 (CDT)
Date: Thu, 03 May 2001 12:45:14 -0500
From: Matt Crawford
Subject: Re: kerberos path
In-reply-to: "03 May 2001 12:28:47 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Tim Zingelman
Cc: kerberos-pilot@fnal.gov
Message-id: <200105031745.MAA10701@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1223

> configure included with fermi kerberos allows --prefix=/usr/local
> (If you are doing something dangerous like building it yourself :)
>
> How difficult would it be to propagate this information down into the
> source code where it is hard coded?  Would it be a waste of my time to
> figure it out and submit patches?

That's exactly how it gets into the binary: --prefix=... on the configure command to ${exec_prefix} in the configure script to CLIENT_BINDIR in the Makefile to KRB_PATH_RLOGIN in the source code to "/usr/krb5/bin/rlogin" in the object code, and so on for other paths.

From kreymer@fnal.gov Thu May 3 12:56:16 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA05108 for ; Thu, 3 May 2001 12:56:16 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00M9ETTQSY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 12:56:15 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001374C5@listserv.fnal.gov>; Thu, 03 May 2001 12:56:14 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218804 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 12:56:14 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001374C4@listserv.fnal.gov>; Thu, 03 May 2001 12:56:14 -0500
Received: from nova.fnal.gov ([131.225.121.207]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR0010CTTPMO@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 12:56:13 -0500 (CDT)
Received: from
localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id MAA07922; Thu, 03 May 2001 12:56:13 -0500 (CDT)
Date: Thu, 03 May 2001 12:56:13 -0500 (CDT)
From: Tim Zingelman
Subject: Re: kerberos path
In-reply-to: <200105031745.MAA10701@gungnir.fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
X-Sender:
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1224

> > configure included with fermi kerberos allows --prefix=/usr/local
> > (If you are doing something dangerous like building it yourself :)
> >
> > How difficult would it be to propagate this information down into the
> > source code where it is hard coded?  Would it be a waste of my time to
> > figure it out and submit patches?
>
> That's exactly how it gets into the binary: --prefix=... on the
> configure command to ${exec_prefix} in the configure script to
> CLIENT_BINDIR in the Makefile to KRB_PATH_RLOGIN in the source code
> to "/usr/krb5/bin/rlogin" in the object code, and so on for other
> paths.

Great!  I assumed that it worked 'right' until the recently posted comments here implied otherwise...
I should have looked at the code first :)

 - Tim

From kreymer@fnal.gov Thu May 3 13:46:18 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA05152 for ; Thu, 3 May 2001 13:46:18 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00MGWW54KN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 13:46:17 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013759C@listserv.fnal.gov>; Thu, 03 May 2001 13:46:16 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 219041 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 13:46:16 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013759B@listserv.fnal.gov>; Thu, 03 May 2001 13:46:16 -0500
Received: from fnal.gov ([131.225.84.114]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR00MJPW54PU@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 13:46:16 -0500 (CDT)
Date: Thu, 03 May 2001 13:46:17 -0500
From: Margaret Votava
Subject: Re: kerberos principal
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-pilot@fnal.gov
Message-id: <3AF1A779.F20DFBF4@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200105022330.SAA07630@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1225

hi,

this laptop will replace my desktop, so i therefore have decided to allow telnet access in.  since i will also be running this from home i'm allowing only kerberos access and not ssh (according to the strong authentication guide).
i've logged in with my kerberos principal and now i cannot start my xserver

lapdog.dhcp.fnal.gov> startx
Autentication failed - cannot start X server
_X11TransSoceketUNIXConnect: Can't connect: errno = 111

What have I misconfigured?

Margaret

Matt Crawford wrote:
>
> > I would like to install kerberos on my laptop (connected with dhcp).
> > I guess I don't quite understand how this would work.  Its nominal
> > node name is lapdog.dhcp.fnal.gov.
>
> If you don't care about making connections *into* the laptop, just
> *don't* request host & ftp principals from Yolanda, do a normal UPS
> installation, and answer "no" when asked if you have the passwords
> for them.
>
> If you *do* want to be able to make Kerberos connections *to* the
> laptop, request the host & ftp princs for lapdog.dhcp.fnal.gov, but
> be on your guard that whenever that name does not resolve to your
> current IP address, you can't get in.

--
Margaret Votava                                   votava@fnal.gov
Computing Division/Online and Database Systems    630-840-2625 (office)
Fermi National Accelerator Laboratory             630-840-6345 (fax)
http://www.fnal.gov                               630-612-8220 (pager)

From kreymer@fnal.gov Thu May 3 14:45:12 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA05225 for ; Thu, 3 May 2001 14:45:12 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCR002L4YVA18@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 03 May 2001 14:45:11 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001376F2@listserv.fnal.gov>; Thu, 03 May 2001 14:45:10 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 219422 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Thu, 03 May 2001 14:45:10 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT
v1.1b) with SMTP id <0.001376F1@listserv.fnal.gov>; Thu, 03 May 2001 14:45:10 -0500
Received: from bpmail.fnal.gov ([131.225.18.213]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GCR00NSWYVA2P@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Thu, 03 May 2001 14:45:10 -0500 (CDT)
Received: (qmail 977 invoked from network); Thu, 03 May 2001 14:45:08 -0500
Received: from darkwing.fnal.gov (kriss@131.225.18.128) by waldo.fnal.gov with SMTP; Thu, 03 May 2001 14:45:08 -0500
Date: Thu, 03 May 2001 14:45:15 -0500 (CDT)
From: Michael Kriss
Subject: Re: kerberos principal
In-reply-to: <3AF1A779.F20DFBF4@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1226

-----BEGIN PGP SIGNED MESSAGE-----

This appears to be the linux/login.krb5/pam problem discussed on this list before.  If archives of this list are available I would recommend searching for 'startx'.  If they are not available I believe a document is being prepared that addresses this issue.  If you need an immediate fix to this, email me directly so we don't subject the list to the same problem again.

michael

On Thu, 3 May 2001, Margaret Votava wrote:
> hi,
>
> this laptop will replace my desktop, so i therefore have decided to
> allow telnet access in. since i will also be running this from home
> i'm allowing only kerberos access and not ssh (according to the
> strong authentication guide).
>
> i've logged in with my kerberos principal and now
> i cannot start my xserver
>
> lapdog.dhcp.fnal.gov> startx
> Autentication failed - cannot start X server
> _X11TransSoceketUNIXConnect: Can't connect: errno = 111
>
> What have I misconfigured?
>
> Margaret
>
>
>
> Matt Crawford wrote:
> >
> > > I would like to install kerberos on my laptop (connected with dhcp).
> > > I guess I don't quite understand how this would work.  Its nominal
> > > node name is lapdog.dhcp.fnal.gov.
> >
> > If you don't care about making connections *into* the laptop, just
> > *don't* request host & ftp principals from Yolanda, do a normal UPS
> > installation, and answer "no" when asked if you have the passwords
> > for them.
> >
> > If you *do* want to be able to make Kerberos connections *to* the
> > laptop, request the host & ftp princs for lapdog.dhcp.fnal.gov, but
> > be on your guard that whenever that name does not resolve to your
> > current IP address, you can't get in.
>
> --
> Margaret Votava                                   votava@fnal.gov
> Computing Division/Online and Database Systems    630-840-2625 (office)
> Fermi National Accelerator Laboratory             630-840-6345 (fax)
> http://www.fnal.gov                               630-612-8220 (pager)
>

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOvG1TUCAGISya6tRAQFILQP/brGR+e18PKmg1Gx1Jhs0xuf7E8IqR4o2
TUKKfDfrW7NX3esM7ORRTV6R7a9Q5Ygh8+hBRzS+Cl0tVZS8VSQyeHADXauHE4KO
Mf6ZfCjAnVnrkjhhY2sBRImZqxnacNu0qfPcAYdSyUVjhD8wmzr6qi/KQEV7RiNU
Skupm8KtrEE=
=BSLC
-----END PGP SIGNATURE-----

From kreymer@fnal.gov Mon May 7 12:06:47 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA10124 for ; Mon, 7 May 2001 12:06:47 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00DSA65M8T@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 07 May 2001 12:06:46 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013A37D@listserv.fnal.gov>; Mon, 07 May 2001 12:06:06 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 232225 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 07 May 2001 12:06:06 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with
SMTP id <0.0013A37A@listserv.fnal.gov>; Mon, 07 May 2001 12:06:06 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00M5565U2H@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 07 May 2001 12:06:04 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Mon, 07 May 2001 12:05:51 -0500
Content-return: allowed
Date: Mon, 07 May 2001 12:05:33 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 16559
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76160924@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1227

This reminder created on 5/7/01 12:03:22 PM

Ticket 16559 has been assigned to you.  This is a reminder that the ticket is not yet resolved.

Status              : Assigned
First Name          : DANE
Last Name (+)       : SKOW
Phone               : 4730
E-Mail Address      : DANE@FNAL.GOV
Incident Time       : 2/7/01 5:02:09 PM
System Name         : UNFERTH
Problem Category    : Software
Item                : Kerberos
Type                : Utilities
Urgency             : Medium
Short Description   : expiring password and screensaver
Problem Description :
I just ran into something that may be a minor wave of confusion: my password expired and this means your screensaver lock breaks.  Since I run a Linux screensaver and have the KRB5 PAM module installed it refreshes my kerberos ticket (actually gets a new one) every time I unlock my screensaver.  This has the nice feature that I very rarely have to relogin to my box or do an explicit kinit.  However, since there is no error message from the screensaver (other than refusal to unlock) figuring out the cause of the problem took a little bit.  The error message on an explicit kinit was crystal clear once I thought to issue that.  I saw no reminder that my password was nearly expired.
Is there any mechanism in place now ? planned ?

At a minimum, we should add this to the helpdesk usual answers (like caps lock and time skew).

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Mon May 7 17:31:46 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA10911 for ; Mon, 7 May 2001 17:31:46 -0500
Received: from fnpsph.fnal.gov ([131.225.84.100]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00L9DL8X9P@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Mon, 07 May 2001 17:31:45 -0500 (CDT)
Received: from localhost (mcbride@localhost) by fnpsph.fnal.gov (980427.SGI.8.8.8/980728.SGI.AUTOCF) via SMTP id RAA08225; Mon, 07 May 2001 17:31:43 -0500 (CDT)
Date: Mon, 07 May 2001 17:31:41 -0500 (CDT)
From: Patricia McBride
Subject: Strong Authentication roll-out in CD
To: mf@fnal.gov, garren@fnal.gov, kreymer@fnal.gov
Cc: mcbride@fnpsph.fnal.gov
Message-id: <200105072231.RAA08225@fnpsph.fnal.gov>
MIME-version: 1.0
X-Mailer: exmh version 2.0.2 2/24/98
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 1228

------- Forwarded Message

Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by fnpsph.fnal.gov (980427.SGI.8.8.8/980728.SGI.AUTOCF) via ESMTP id QAA08152 for ; Mon, 7 May 2001 16:36:18 -0500 (CDT)
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00J4HIOHRX@smtp.fnal.gov> for mcbride@fnpsph.fnal.gov (ORCPT MCBRIDE@FNAL.GOV); Mon, 07 May 2001 16:36:17 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013A9A6@listserv.fnal.gov>; Mon, 07 May 2001 16:36:17 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 233971 for CD-DH@LISTSERV.FNAL.GOV; Mon, 07 May 2001 16:36:17 -0500
Received: from heffalump
(heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013A9A5@listserv.fnal.gov>; Mon, 07 May 2001 16:36:17 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00I6ZIOGUU@smtp.fnal.gov> for cd-dh@listserv.fnal.gov (ORCPT cd-dh@fnal.gov); Mon, 07 May 2001 16:36:16 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id QAA09725; Mon, 07 May 2001 16:35:55 -0500 (CDT)
Date: Mon, 07 May 2001 16:35:55 -0500
From: Matt Crawford
Subject: Re: Strong Authentication roll-out in CD
Sender: owner-cd-dh@listserv
To: cd-dh@fnal.gov, colombo@fnal.gov, garren@fnal.gov, kasemann@fnal.gov, ddyxin@fnal.gov, aheavey@fnal.gov
Message-id: <200105072135.QAA09725@gungnir.fnal.gov>

First off, let me just say that I'll take cd-dh off this mailing list after our first meeting, as several department heads have designated persons other than themselves to be the sub-project manager for their departments.

For our first meeting on May 9, there's no need to have a count of individual systems.  The most important items of information to have handy will be those listed below.  Bear in mind that the systems we're most concerned with at this time are those used internally by the computing division.  Systems we support for the use of others will come a bit later.

The different OS types in use
    Windows
        2000
        NT4
        NT3.5?
        98/95
    Unix  ["Unix" includes Linux throughout this note]
        CD-supported versions
        Other versions
    Macintosh?
    X-terminals
    Others?

What authenticated network access do the users of each of those systems have to make?
    Login to Unix
    Login to Windows (by Citrix or something, I suppose)
    File access to Windows server
    Print server access -- if it requires authentication
    ...other modes...

What services do the affected systems provide that are carried out over some general-purpose mechanism like rsh?
Are there other services which are tantamount to full command-execution or file-transfer access?

Do unattended processes (cron jobs, batch jobs, boot-time operations) need to make network access to authenticated services?

Here are some examples of services which are NOT affected by current strong authentication plans.  Email (including SMTP to send and POP or IMAP to read), NFS, anonymous FTP, printing, and for the most part, web.  Web access will be affected only to the extent that use of the system password file for checking web passwords will be strongly discouraged, and any web service that requires password control will be strongly urged to go over SSL.  (If it's worth having a password, it's worth protecting the password.)

Here's some background and information about what facilities exist in Fermi Kerberos and some of the more challenging problems to which solutions have been found.

First, a little terminology for any who have not yet been exposed: the strong authentication system is based on Kerberos, which is a protocol for clients and services to prove their identity to each other without revealing information to an eavesdropper.  Except for an initial password authentication, which may serve to identify you to a variety of servers for a day or even a week, most of the authentication protocol messages take place invisibly to the user.  The coined adjective "Kerberized" describes a host which uses Kerberos in its access control decisions by running special versions of the common network access services (telnet, ftp, and so on).

Free Kerberos client software of good quality exists for Unix and Macintosh.  The free software for Windows does not provide much application support, but at least two commercial packages are fairly decent for giving Win32 users login and ftp access to Unix.

Unattended processes initiated by "root" on a unix machine can do Kerberos authentication very simply.
For unattended processes running on behalf of other users, a locally-developed tool has been in use for almost a year.

For network access to "Kerberized" unix systems from a host with no Kerberos software present, plain telnet and ftp clients can be used together with a "Cryptocard" challenge-response device.

Authentication of Windows clients to Windows servers will be defined by the Windows 2000 migration, which is not yet in a deployment phase.

------- End of Forwarded Message

From kreymer@fnal.gov Mon May 7 18:07:40 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA11175 for ; Mon, 7 May 2001 18:07:40 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00IKIMWQUU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 07 May 2001 18:07:39 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013AB3C@listserv.fnal.gov>; Mon, 07 May 2001 18:07:38 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 234442 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 07 May 2001 18:07:38 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013AB3A@listserv.fnal.gov>; Mon, 07 May 2001 18:07:38 -0500
Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ00IKPMWQXV@smtp.fnal.gov>; Mon, 07 May 2001 18:07:38 -0500 (CDT)
Date: Mon, 07 May 2001 18:07:37 -0500 (CDT)
From: "Marc W.
Mengel"
Subject: Re: kerberos principal
In-reply-to: <3AF08687.C003F960@fnal.gov>
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: Margaret Votava
Cc: compdiv@fnal.gov, kerberos-pilot@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1229

On Wed, 2 May 2001, Margaret Votava wrote:
> I would like to install kerberos on my laptop (connected with dhcp).
> I guess I don't quite understand how this would work.  Its nominal
> node name is lapdog.dhcp.fnal.gov.

It occurs to me to ask, if you have a laptop that is either mylaptop.dhcp.fnal.gov or somehost.dhcp.some.isp depending whether you're at home or at work, could you not get/add host keys for both addresses (assuming you get repeatable IP addresses from DHCP).

Similarly, if your machine has two (or more) active IP addresses, can you get a host key for each of them?

Marc

From kreymer@fnal.gov Mon May 7 21:03:09 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id VAA11249 for ; Mon, 7 May 2001 21:03:09 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GCZ0055PV17FX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 07 May 2001 21:03:08 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013AC65@listserv.fnal.gov>; Mon, 07 May 2001 21:03:08 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 234766 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Mon, 07 May 2001 21:03:08 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013AC64@listserv.fnal.gov>; Mon, 07 May 2001 21:03:08 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id
<0GCZ0049XV17G2@smtp.fnal.gov> for kerberos-pilot@listserv.fnal.gov (ORCPT kerberos-pilot@fnal.gov); Mon, 07 May 2001 21:03:07 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id VAA11167; Mon, 07 May 2001 21:02:45 -0500 (CDT)
Date: Mon, 07 May 2001 21:02:45 -0500
From: Matt Crawford
Subject: Re: kerberos principal
In-reply-to: "07 May 2001 18:07:37 CDT."
Sender: owner-kerberos-pilot@listserv.fnal.gov
To: "Marc W. Mengel"
Cc: kerberos-pilot@fnal.gov
Message-id: <200105080202.VAA11167@gungnir.fnal.gov>
Content-id: <11163.989287365.1@gungnir.fnal.gov>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Status: RO
X-Status:
X-Keywords:
X-UID: 1230

> It occurs to me to ask, if you have a laptop that is either
> mylaptop.dhcp.fnal.gov or somehost.dhcp.some.isp depending whether
> you're at home or at work, could you not get/add host keys for
> both addresses (assuming you get repeatable IP addresses from DHCP).

First of all, beware that some DHCP servers -- perhaps most -- will not insert a name-to-address mapping for your box when you get your address.  So for the purpose of accepting incoming authentication, the service principal in such a case is no use.  (Read on for details.)  But if you will have a valid name-to-address mapping in either location, it's fine.  (With a caveat to follow.)

> Similarly, if your machine has two (or more) active IP addresses, can you
> get a host key for each of them?

It's not the addresses, it's the names.  If you have one name with 37 IP addresses you don't need to do anything special.  Just be sure not to omit some of your addresses in DNS.  But if you have multiple names which are not nicknames, get "host" service principals for each name and the telnet and r-family will be fine.  Your client specifies the service it's connecting to and as long as the server finds the right key in its keytab, all is well.
Bear in mind that the client uses the server's DNS name in two logically independent ways: to find the server's IP address from DNS, and to get a credential ("letter of introduction") from Kerberos.

FTP is a different matter.  Because the Kerberos ftp is written to the GSS API, it has to[*] commit itself to a service name before it gets to see what service you thought you were connecting to.  If you were looking for the other name, you get a "wrong principal in request" error, or something to that effect.

[*] Well, not quite has to.  It could hold onto the GSS "tokens" you send (no relation to AFS tokens) and keep feeding them to the gss_accept_sec_context() routine after trying each possible service name in turn.  But at present, it does not.  And in full generality, I suppose the first token the client sends might not be enough, and by the second one, you can't undo the client state.  But in practice, with Kerberos as the underlying mechanism, the first token would be enough and so this could be made to work.
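The distinction Matt draws above (the client names the service as host/<dns-name>@REALM, the telnet and r-command servers look that name up in their keytab, while the GSS-based ftpd has committed to one name in advance) can be modelled in a few dozen lines.  The following is an added illustration and not code from the Fermi Kerberos product or from anyone on the list: the "tickets" are HMAC tags under constructed long-term keys rather than real Kerberos messages, the host names lapdog.dhcp.fnal.gov, somehost.dhcp.some.isp and other.fnal.gov are taken from the thread or assumed, and the three acceptor functions stand in for the telnet-style lookup, the committed-name GSS acceptor, and the retry-each-key alternative of the footnote.

```python
"""Toy model of service-principal lookup on a host with several DNS names.

Added illustration, not code from the Fermi Kerberos product or the list.
"""
import hashlib
import hmac
import os

REALM = "FNAL.GOV"

# Constructed KDC key database: one host principal per DNS name (names assumed).
KDC_KEYS = {
    "host/lapdog.dhcp.fnal.gov@FNAL.GOV": b"constructed-key-lapdog",
    "host/somehost.dhcp.some.isp@FNAL.GOV": b"constructed-key-somehost",
    "host/other.fnal.gov@FNAL.GOV": b"constructed-key-other",
}

# The laptop's own keytab: keys were obtained for two of its names only.
SERVER_KEYTAB = {k: KDC_KEYS[k] for k in (
    "host/lapdog.dhcp.fnal.gov@FNAL.GOV",
    "host/somehost.dhcp.some.isp@FNAL.GOV",
)}


def service_principal(dns_name, service="host"):
    """Client side: the service principal follows from the DNS name used."""
    return f"{service}/{dns_name.lower().rstrip('.')}@{REALM}"


def _tag(key, sname, client, nonce):
    # HMAC under the service's long-term key stands in for ticket encryption.
    return hmac.new(key, b"|".join([sname.encode(), client.encode(), nonce]),
                    hashlib.sha256).digest()


def make_ticket(client, dns_name, kdc=KDC_KEYS):
    """KDC stand-in: a toy service ticket bound to the named service.
    Only a server holding that service key can validate it."""
    sname = service_principal(dns_name)
    nonce = os.urandom(8)
    return {"sname": sname, "client": client, "nonce": nonce,
            "tag": _tag(kdc[sname], sname, client, nonce)}


def _valid(ticket, key):
    expect = _tag(key, ticket["sname"], ticket["client"], ticket["nonce"])
    return hmac.compare_digest(expect, ticket["tag"])


def accept_named_service(ticket, keytab=SERVER_KEYTAB):
    """telnet / r-command style: fetch the key for the service name the
    client targeted; any name present in the keytab works."""
    key = keytab.get(ticket["sname"])
    if key is None:
        return "no key for " + ticket["sname"]
    return ticket["client"] if _valid(ticket, key) else "bad ticket"


def accept_committed(ticket, committed_sname, keytab=SERVER_KEYTAB):
    """GSS-API style acceptor as described for ftpd: the credential was
    acquired for one name up front, so only that key is tried."""
    if _valid(ticket, keytab[committed_sname]):
        return ticket["client"]
    return "wrong principal in request"


def accept_with_fallback(ticket, keytab=SERVER_KEYTAB):
    """The footnote's alternative: keep the token and retry it against
    each service name the keytab holds."""
    for key in keytab.values():
        if _valid(ticket, key):
            return ticket["client"]
    return "wrong principal in request"


def demo(client="someone@FNAL.GOV"):
    """Run the three acceptor behaviours against tickets for each name."""
    t_work = make_ticket(client, "lapdog.dhcp.fnal.gov")
    t_home = make_ticket(client, "somehost.dhcp.some.isp")
    t_other = make_ticket(client, "other.fnal.gov")
    committed = "host/lapdog.dhcp.fnal.gov@FNAL.GOV"
    return {
        "telnet_work": accept_named_service(t_work),
        "telnet_home": accept_named_service(t_home),
        "telnet_other": accept_named_service(t_other),
        "ftp_work": accept_committed(t_work, committed),
        "ftp_home": accept_committed(t_home, committed),
        "ftp_home_fallback": accept_with_fallback(t_home),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The "telnet_other" case is the situation warned about earlier in the thread: the client resolved a name the server never obtained a key for, so there is nothing in the keytab to check the ticket against and the login cannot succeed.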
From kreymer@fnal.gov Tue May 8 14:34:42 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA13412 for ; Tue, 8 May 2001 14:34:42 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD10078H7P4HH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Tue, 08 May 2001 14:34:41 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B584@listserv.fnal.gov>; Tue, 08 May 2001 14:34:16 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 2306 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Tue, 08 May 2001 14:34:16 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B581@listserv.fnal.gov>; Tue, 08 May 2001 14:34:16 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD10079S7P3GV@smtp.fnal.gov>; Tue, 08 May 2001 14:34:15 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA14674; Tue, 08 May 2001 14:33:53 -0500 (CDT)
Date: Tue, 08 May 2001 14:33:52 -0500
From: Matt Crawford
Subject: Important note for all Kerberos users
Sender: owner-kerberos-announce@listserv.fnal.gov
To: kerberos-announce@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200105081933.OAA14674@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1231

The migration from the realm name PILOT.FNAL.GOV to the production realm FNAL.GOV begins this week.
Nothing you do will be affected until some of the systems you use change their default realm, but you must bear in mind this one

IMPORTANT NOTE

Whatever your Kerberos password for the PILOT.FNAL.GOV realm is at 1:00 PM on Thursday, May 10, 2001, will be your Kerberos password in the FNAL.GOV realm.  After that time, password changes in one realm will not be reflected in the other.

If your password has only a short time left until expiration in the PILOT realm, you might be required to change it before you have begun using it in the production realm.  If so, you can change the password in the production realm with "kpasswd yourname@FNAL.GOV" as long as you're on a system that knows about the production realm.  (Which it does if the krb5conf product is at v1_0 of Dec 29 2000 or later.)

Also note that your Cryptocard challenge sequence may change in the production realm, so you may have to manually enter a challenge into your card the first time you do a portal login to a production-realm host, or more often if you alternate between pilot and production hosts.  You might save yourself some inconvenience by sticking with the production realm for your initial portal login once you begin using it, and using your Kerberos ticket to log into any hosts you need to use which are still in the pilot realm.  Trust between the two realms is two-way and transparent.
From kreymer@fnal.gov Tue May 8 14:53:49 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA13433 for ; Tue, 8 May 2001 14:53:49 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD1007EG8KWH6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@FNAL.GOV); Tue, 08 May 2001 14:53:48 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B5EF@listserv.fnal.gov>; Tue, 08 May 2001 14:53:20 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 2426 for KERBEROS-ANNOUNCE@LISTSERV.FNAL.GOV; Tue, 08 May 2001 14:53:20 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B5EC@listserv.fnal.gov>; Tue, 08 May 2001 14:53:20 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD1007FI8KWGQ@smtp.fnal.gov>; Tue, 08 May 2001 14:53:20 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id OAA14810; Tue, 08 May 2001 14:52:57 -0500 (CDT)
Date: Tue, 08 May 2001 14:52:56 -0500
From: Matt Crawford
Subject: Fermi Kerberos v1_2 now in kits, realm migration to begin
Sender: owner-kerberos-announce@listserv.fnal.gov
To: kerberos-announce@fnal.gov
Cc: kerberos-pilot@fnal.gov
Message-id: <200105081952.OAA14810@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1232

This note is intended for those who install and update the Kerberos product on their systems, but may also be of interest to other sysadmins as well.

Kerberos v1_2 is now in fnkits, as is krb5conf v1_3.  The migration to the "production" realm FNAL.GOV begins now.  Here are the steps.

1.
Be sure to take note of the previous message to kerberos-announce saying that your password in the production realm will be it was in the pilot realm as of * 1:00 PM Thursday, May 10 *. After that time, any password changes affect only one realm or the other! 2. Install the new Kerberos, which will bring along the new krb5conf. (Naturally, for most hosts you may want to wait until the new version is marked "current", but I expect that to happen by next week.) After installation is complete, also run the separate action "ups add-new-realm kerberos". This will make your host aware of both realms and accessible by clients in either realm. Your system's default realm IS NOT CHANGED by this action. Details on what is changed are below. 3. Run in this configuration for a while. You should be able (after the date mentioned in step 1) to kinit as yourname@FNAL.GOV or yourname@PILOT.FNAL.GOV and have normal access to any other system on which step 2 has also been performed. Individual desktops should be able to do step 4 or not, almost without inconvenience. 4. When good and ready, execute "ups change-realm kerberos". All this does is to change the default realm of the system to FNAL.GOV in /etc/krb5.conf, and to make sure the AFS servers are noted in that file as belonging to the same realm. (Actually, the AFS servers aren't using Kerberos 5 at all yet, but for the Kerberos to AFS ticket/token translation, your host has to think it's in the same realm as the AFS servers.) 5. When step 4 is done, drop a note to dcd_security_team@fnal.gov listing the hosts which now have a default realm of FNAL.GOV. You may have noticed the word "almost" in step 3 above, about "almost no inconvenience" to clients on hosts that move to the production realm before the servers they commonly use. The exception is FTP. The telnet and r-command services will respond properly to clients who try to treat them as members of either realm, as long as step 2 has been completed. 
But the ftp server will accept Kerberos authentication only if the ftp client presents a service ticket from the server's default realm. So if the ftp server is "f.fnal.gov", any client accessing it with ftp must know which realm is currently f.fnal.gov's default realm. To help out with that, the Kerberos code will now look for a DNS text record (as well as in the krb5.conf file) for host-to-realm mapping information. The priority is (1) hostname.domain in krb5.conf (2) _kerberos.hostname.domain in DNS (3) .domain in krb5.conf (4) _kerberos.domain in DNS When you notify dcd_security_team in step 5, we'll take the explicit mapping of those hosts to realm PILOT.FNAL.GOV out of DNS and let them be mapped to FNAL.GOV by rule (4). Here's what is affected by the "ups add-new-realm kerberos" action of step 2. 1. The status of the krb5conf product is double-checked. 2. The new keytab-convert program is run on /etc/krb5.keytab and any cron keytabs found in /var/adm/krb5. What it does is + If any key from the new realm is already present in the file, it exits. + Otherwise, every key in the old realm is duplicated in the new realm. Before and after output of "klist -k" look like this: KVNO Principal ---- ---------------------------------------------------------- 3 ftp/gungnir.fnal.gov@PILOT.FNAL.GOV 7 host/gungnir.fnal.gov@PILOT.FNAL.GOV KVNO Principal ---- ---------------------------------------------------------- 3 ftp/gungnir.fnal.gov@PILOT.FNAL.GOV 7 host/gungnir.fnal.gov@PILOT.FNAL.GOV 3 ftp/gungnir.fnal.gov@FNAL.GOV 7 host/gungnir.fnal.gov@FNAL.GOV 3. For every home directory found in /etc/passwd or the NIS passwd map, if there is already a .k5login present, it is updated analogously to the keytab files -- if the new realm is already mentioned, nothing happens. Otherwise, for every principal in the old realm mentioned in the file, the corresponding principal in the new realm is added. 
If the file is not readable and writable by the user whose home directory it's in (perhaps because of AFS protection), it is skipped. From kreymer@fnal.gov Tue May 8 15:14:46 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA13482 for ; Tue, 8 May 2001 15:14:46 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD1007N59KJH9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 08 May 2001 15:14:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B747@listserv.fnal.gov>; Tue, 08 May 2001 15:14:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 2795 for KERBEROS-PILOT@LISTSERV.FNAL.GOV; Tue, 08 May 2001 15:14:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0013B744@listserv.fnal.gov>; Tue, 08 May 2001 15:14:43 -0500 Received: from casey.fnal.gov ([131.225.80.118]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GD1007G59KIH0@smtp.fnal.gov>; Tue, 08 May 2001 15:14:42 -0500 (CDT) Received: (from fromm@localhost) by casey.fnal.gov (8.9.3/8.9.3) id PAA09611; Tue, 08 May 2001 15:14:41 -0500 Date: Tue, 08 May 2001 15:14:41 -0500 From: James Fromm Subject: ssh v1_2_27f Sender: owner-kerberos-pilot@listserv.fnal.gov To: csi-group@fnal.gov, ssh-users@fnal.gov, kerberos-pilot@fnal.gov, oss-dept@fnal.gov Reply-to: fromm@fnal.gov Message-id: <200105082014.PAA09611@casey.fnal.gov> Organization: Fermilab Unix Application Support Group Newsgroups: fnal.announce.unix,fnal.announce.products,fnal.sys.fnalu.announce Status: RO X-Status: X-Keywords: X-UID: 1233 IRIX+6, Linux+2, Linux+2.2, OSF1+V4, and SunOS+5. ssh v1_2_27f has been put in kits and marked as test. 
This version closes a security hole that was introduced with cryptocard support. Prior versions of ssh, for csh and tcsh users, would run your .cshrc (.tcshrc) script before authenticating via cryptocard.

There are also minor bug fixes in this release.

From kreymer@fnal.gov Tue May 8 16:20:40 2001 -0500
Date: Tue, 08 May 2001 16:20:35 -0500
From: Anne Heavey
Subject: Re: Fermi Kerberos v1_2 now in kits, realm migration to begin
In-reply-to: "Your message of Tue, 08 May 2001 14:52:56 CDT." <200105081952.OAA14810@gungnir.fnal.gov>
To: kerberos-announce@fnal.gov, kerberos-pilot@fnal.gov
Message-id: <200105082120.f48LKZq19732@fsui02.fnal.gov>

I have included Matt's messages on the web site with instructions

http://www.fnal.gov/docs/strongauth/

-- Anne

From kreymer@fnal.gov Wed May 9 08:50:30 2001 -0500
Date: Wed, 09 May 2001 08:50:18 -0500
From: ARSystem
Subject: 000000000018284 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76160B1A@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000018284 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: Pre-authentication failure
Badge # (+) : 08658N
First Name : BOAZ
Last Name (+) : KLIMA
Phone : 2323
E-Mail Address : KLIMA@FNAL.GOV
Incident Time : 5/9/01 8:32:18 AM
System Name :
Urgency : Medium
Public Work Log :
5/9/01 8:46:21 AM blomberg
Can you assist?
Problem Description :
I'm trying to install WRQ on my new PC running OS Windows2000 by following your web-based instructions. I managed to get to step 2 in 12.3 where it failed after I typed in my password due to "Pre-authentication failure (KDC024)". I'd appreciate your quick help!

Thanks, Boaz
----------------------------------------------------------------------------
Boaz Klima              phone: Work - (630) 840-2323
Fermilab, MS 357               Fax  - (630) 840-8481
P.O. Box 500                   Home - (708) 358-0860
Batavia, IL 60510
e-mail: klima@fnal.gov
web: http://www-d0.fnal.gov/~klima/boaz_home.html
----------------------------------------------------------------------------

From kreymer@fnal.gov Wed May 9 08:53:37 2001 -0500
Date: Wed, 09 May 2001 08:53:10 -0500
From: Matt Crawford
Subject: Re: 000000000018284 Assigned to CRAWFORD, MATT.
In-reply-to: "09 May 2001 08:50:18 CDT."
<318CC3D38BE0D211BB1200105A093F76160B1A@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-pilot@fnal.gov'"
Message-id: <200105091353.IAA16899@gungnir.fnal.gov>

Set the system clock to the right time.

May 8 15:05:00 i-krb-2.fnal.gov krb5kdc[23483]: Clock skew too great - pa verify failure
May 8 15:05:00 i-krb-2.fnal.gov krb5kdc[23483]: AS_REQ 131.225.224.251(88): PREAUTH_FAILED: klima@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Preauthentication failed

From kreymer@fnal.gov Wed May 9 09:06:16 2001 -0500
Date: Wed, 09 May 2001 09:05:35 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18284 Resolved.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76160B24@csdserver2.fnal.gov>

Thank you for your assistance. Help Desk ticket #000000000018284 has been resolved on 5/9/01 9:03:10 AM

Resolution Timestamp: : 5/9/01 8:53:04 AM
Solution Category : Information Request
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Pre-authentication failure
Solution :
Set the system clock to the right time.

May 8 15:05:00 i-krb-2.fnal.gov krb5kdc[23483]: Clock skew too great - pa verify failure
May 8 15:05:00 i-krb-2.fnal.gov krb5kdc[23483]: AS_REQ 131.225.224.251(88): PREAUTH_FAILED: klima@PILOT.FNAL.GOV for krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV, Preauthentication failed

Problem Description :
I'm trying to install WRQ on my new PC running OS Windows2000 by following your web-based instructions. I managed to get to step 2 in 12.3 where it failed after I typed in my password due to "Pre-authentication failure (KDC024)". I'd appreciate your quick help!

Thanks, Boaz
----------------------------------------------------------------------------
Boaz Klima              phone: Work - (630) 840-2323
Fermilab, MS 357               Fax  - (630) 840-8481
P.O.
Box 500                        Home - (708) 358-0860
Batavia, IL 60510
e-mail: klima@fnal.gov
web: http://www-d0.fnal.gov/~klima/boaz_home.html
----------------------------------------------------------------------------

From kreymer@fnal.gov Wed May 9 10:58:40 2001 -0500
Date: Wed, 09 May 2001 10:58:15 -0500
From: ARSystem
Subject: 000000000018296 Assigned to CRAWFORD, MATT.
To: "'kerberos-pilot@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76160B65@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000018296 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: Migration to realm FNAL.GOV
Badge # (+) : 09733V
First Name : TERRENCE
Last Name (+) : TOOLE
Phone : 2321
E-Mail Address : TOOLE@FNAL.GOV
Incident Time : 5/9/01 10:47:47 AM
System Name :
Urgency : Medium
Public Work Log :
Problem Description :
I am new to Kerberos and have a few questions about the migration to the production realm FNAL.GOV. Is this migration something that people offsite need to be concerned about? There seems to be a chance that one may have to change one's password prior to logging in. My understanding is that this is not something that should be done from offsite (unless the remote machine is kerberized). Also, prior to logging into a Fermilab machine, how does one know which machines are in PILOT.FNAL.GOV and which machines are in FNAL.GOV? Is there a list available from a website?

Cheers.
Terry
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Terrence S. Toole
University of Maryland
Fermilab, MS 352        phone: (630) 840-2321
P.O.
Box 500                 fax: (630) 840-8886
Batavia, IL 60510

From kreymer@fnal.gov Wed May 9 11:31:25 2001 -0500
Date: Wed, 09 May 2001 11:30:58 -0500
From: Matt Crawford
Subject: Re: kerberos and tcp-wrappers
In-reply-to: "19 Mar 2001 16:09:00 CST."
To: Steven Timm
Cc: kerberos-pilot@fnal.gov
Message-id: <200105091630.LAA17645@gungnir.fnal.gov>

An old question, but I didn't see whether it got answered.

> A follow-up question... is there anything special that you have
> to put in hosts.deny and/or hosts.allow to indicate that it is
> the kerberos daemons that are being used and not the normal ones?

No. That's determined by the argv[0] that tcpd gets through inetd.conf.

From kreymer@fnal.gov Tue Jun 5 16:37:53 2001 -0500
Date: Tue, 05 Jun 2001 16:37:49 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: Kerberos CVS access from Windows/WRQ
To: gcooper@fnal.gov
Cc: kerberos-users@fnal.gov

Well, several options are possible:

1) use cvs pserver for write access for particular users.

2) get the Heimdal kerberos for Cygwin, and use that for your users, with a :ext:cvsuser@hostname:/path $CVSROOT, and $CVSRSH set to the heimdal rsh. -- assuming Cygwin is suitable for your Windows users.
3) put up a separate IP address, and an ssh daemon that is listening to just that address, allows in only your cvsuser account, and allows hostkey access. Then your ssh cvs users need to use an alternate hostname.

I don't believe the WRQ software includes a command-line kerberos rsh.

On Tue, 5 Jun 2001, Glenn Cooper wrote:

> Good citizens that we are, we are preparing to restrict cdfsga, the
> node where the CVS repository for CDF resides, to require Kerberos
> authentication for access. This is fine for ordinary logins. We have
> anonymous pserver service for CVS read access. Users with UNIX
> flavored desktops can get write access using a Kerberos-aware rsh.
> All fine.
>
> However, a small number of developers have Windows desktops and are
> currently using a non-Kerberos-aware ssh-agent for CVS access. Is
> there a way to use Kerberos authentication for CVS write access
> through whatever WRQ offers? Alan Jonckheere tells me that MIT has an
> rsh client for Windows, but it's not clear how to combine that with
> the WRQ ticket manager.
>
> Or alternately, is there an official or semi-official recommendation
> on how to handle this problem? Allow non-Kerberos-aware ssh access
> but restrict it to CVS access only, somehow?
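Option 3 above, written out as an added example (not from the original thread, and in OpenSSH sshd_config keywords rather than the ssh 1.2.27 build discussed here): a second sshd bound only to the separate address, admitting only the cvsuser account by public key, with every key pinned to the CVS server command so the non-Kerberos path can do nothing but CVS. The address, file paths and key material are placeholders.

```text
# /etc/ssh/sshd_cvs_config  (added example; address and paths are placeholders)
# Run as a second daemon alongside the Kerberized one:  sshd -f /etc/ssh/sshd_cvs_config

# Bind only the alternate address from option 3, never the host's main address,
# so the Kerberos-only policy on the main address is untouched.
ListenAddress 192.0.2.10
Port 22
HostKey /etc/ssh/ssh_host_rsa_key
PidFile /var/run/sshd_cvs.pid

# Only the CVS account may log in, and only with a public key.
AllowUsers cvsuser
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin no

# Nothing but the CVS protocol is useful on this daemon.
AllowTcpForwarding no
X11Forwarding no

# ~cvsuser/.ssh/authorized_keys: one line per developer, each pinned to the
# CVS server command, so the key yields no shell even if the client asks for one
# (the "command=" option overrides whatever command the client requested):
#
# command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAA...PLACEHOLDER... alice@desktop
```

Developers then point CVSROOT at :ext:cvsuser@<alternate hostname>:/path with CVS_RSH=ssh, which is the "alternate hostname" option 3 refers to. Because the key identifies the developer while the Unix account is shared, keep one key per person so the sshd log still attributes each CVS session to an individual.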
From kreymer@fnal.gov Tue Jun 5 17:02:31 2001 -0500
Date: Tue, 05 Jun 2001 17:01:17 -0500
From: Matt Crawford
Subject: Re: Kerberos CVS access from Windows/WRQ
In-reply-to: "05 Jun 2001 16:37:49 CDT."
To: gcooper@fnal.gov, kerberos-users@fnal.gov
Message-id: <200106052201.RAA14544@gungnir.fnal.gov>

> I don't believe the WRQ software includes a command-line kerberos rsh.

It didn't in the initial release. Randy will check tomorrow whether the beta (due this month as a released product) includes rsh. Or rather, since it clearly includes rsh, is the rsh now Kerberized when you add the updated Kerberos security package?

From kreymer@fnal.gov Fri Jun 8 12:13:01 2001 -0500
Date: Fri, 08 Jun 2001 11:09:35 -0600
From: Michael Gold
Subject: ftp error
To: kerberos-pilot@fnal.gov
Cc: gold@dot.phys.unm.edu
Message-id: <200106081709.LAA06639@dot.phys.unm.edu>

what has changed? I never had this error before.

higgs 5# ftp ncdf105.fnal.gov
Connected to ncdf105.fnal.gov.
220 ncdf105.fnal.gov FTP server (Version 5.60) ready.
334 Using authentication type GSSAPI; ADAT must follow
GSSAPI accepted as authentication type
GSSAPI error major: Miscellaneous failure
GSSAPI error minor: Wrong principal in request
GSSAPI error: accepting context
GSSAPI ADAT failed
GSSAPI authentication failed
KERBEROS_V4 accepted as authentication type
Kerberos V4 krb_mk_req failed: You have no tickets cached
Name (ncdf105.fnal.gov:gold):

From kreymer@fnal.gov Fri Jun 8 12:16:05 2001 -0500
Date: Fri, 08 Jun 2001 12:14:48 -0500
From: Matt Crawford
Subject: Re: ftp error
In-reply-to: "08 Jun 2001 11:09:35 MDT." <200106081709.LAA06639@dot.phys.unm.edu>
To: Michael Gold
Cc: kerberos-pilot@fnal.gov
Message-id: <200106081714.MAA23412@gungnir.fnal.gov>

> what has changed? I never had this error before.
>
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> GSSAPI error major: Miscellaneous failure
> GSSAPI error minor: Wrong principal in request

They just changed ncdf105's default realm today. Putting a line like this in the [domain_realm] section of your krb5.conf should get you over the hump until the DNS reflects the realm change next Monday.

    ncdf105.fnal.gov = FNAL.GOV

From kreymer@fnal.gov Fri Jun 8 13:21:52 2001 -0500
Date: Fri, 08 Jun 2001 13:22:19 -0500 (CDT)
From: Michael Kriss
Subject: Re: Cryptocard sshd?
To: kerberos-users@fnal.gov

Marc,

Ok, so it looks like when you run configure you want prefix to be the directory where kerberos is installed. Would you mind reviewing my invocation of configure to make sure I'm not missing anything important in building my own ssh?

% ./configure --prefix=/usr/kerberos --with-libwrap \
    --with-kerberos5=/usr/kerberos --enable-kerberos-tgt-passing

I don't want afs, and is kerberos4 necessary?

michael

On Thu, 7 Jun 2001, Marc W. Mengel wrote:

> On Thu, 7 Jun 2001, Michael Kriss wrote:
>
> > That was exactly it! We do not install kerberos using ups/upd and we use a
> > different path than /usr/krb5.
> >
> > Now I have also downloaded the ssh src from cvs:
> >
> > cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co -d src5 -r hut ssh/src
> >
> > and did a ./configure and make and had the same symptom with the resultant
> > binaries. Is /usr/krb5 hardcoded into this source? The only references I saw
> > to /usr/krb5 were in:
>
> It is not directly configurable, but is in the Makefile.in:
> ./src/Makefile.in:PORTAL_AUTHENTICATION_PGM = $(prefix)/sbin/login.krb5
> so it should move with the --prefix= option...
>
> Marc
>

From kreymer@fnal.gov Fri Jun 8 15:03:51 2001 -0500
Date: Fri, 08 Jun 2001 15:03:47 -0500 (CDT)
From: Tim Zingelman
Subject: Re: kerberized rsh for windows
In-reply-to: <5.1.0.14.2.20010605094903.0429ae78@imapserver2.fnal.gov>
To: kerberos-users@fnal.gov
On Tue, 5 Jun 2001, rreitz wrote:

> I have not been able to compile the heimdal source under Cygwin. I'm using
> a "travelkit" binary distribution from
> http://www.ics.muni.cz/scb/travelkit/. Unfortunately, this binary
> distribution is not complete (i.e. there is stuff in the heimdal source
> that doesn't appear in the travelkit - like rlogin). There is no

It appears that there is a very nice travelkit at:

http://www.pdc.kth.se/support/kerberos-travel-tour.html

If you follow the link "improve your configuration" towards the bottom and the link "binaries" half way down the next page, they also have binaries for the rest of the commands... rlogin, etc.

I can't get this to work at all because I don't have administrator on any Windose boxes... but it comes with a nice GUI installer that lets me know that is what my problem is :)

- Tim

From kreymer@fnal.gov Fri Jun 8 15:21:46 2001 -0500
Date: Fri, 08 Jun 2001 15:21:43 -0500
From: Stefano Belforte
Subject: Re: kerberized rsh for windows
To: Tim Zingelman
Cc: kerberos-users@fnal.gov
Message-id: <3B2133D7.676A441A@ts.infn.it>

I am very interested in these things. Did anybody really find a simple k5 client for Windows that actually works with fnal? The first link in the message is redirected to a non-existent page; the second, from Tim, appears to point to a product called ktelnet that I tried, but could not authenticate with the fnal KDC. I have passed that to Matt Crawford but as I have not heard I think he did not find a way to make it work either.

Stefano
--
Stefano Belforte - I.N.F.N.          tel : +39 040 375-6261 (fax: 375-6258)
Area di Ricerca - Padriciano 99      e-mail: Stefano.Belforte@ts.infn.it
34012 TRIESTE TS - Italy             Web : http://www.ts.infn.it/~belforte
at Fermilab: CDF trailers 169-N      tel: (630)840-8698

Tim Zingelman wrote:
>
> On Tue, 5 Jun 2001, rreitz wrote:
>
> > I have not been able to compile the heimdal source under Cygwin. I'm using
> > a "travelkit" binary distribution from
> > http://www.ics.muni.cz/scb/travelkit/. Unfortunately, this binary
> > distribution is not complete (i.e. there is stuff in the heimdal source
> > that doesn't appear in the travelkit - like rlogin).
> > There is no
>
> It appears that there is a very nice travelkit at:
>
> http://www.pdc.kth.se/support/kerberos-travel-tour.html
>
> If you follow the link "improve your configuration" towards the bottom and
> the link "binaries" half way down the next page, they also have binaries
> for the rest of the commands... rlogin, etc.
>
> I can't get this to work at all because I don't have administrator on any
> Windose boxes... but it comes with a nice GUI installer that lets me
> know that is what my problem is :)
>
> - Tim

From kreymer@fnal.gov Mon Jun 11 05:08:24 2001 -0500
Date: Mon, 11 Jun 2001 11:08:12 +0100
From: David Waters
Subject: X-display
To: "'kerberos-users@fnal.gov'", "'cdfsys@fnal.gov'"
Message-id: <35666012DF4CD411BE940090279FA240014E49F4@ppnt41.physics.ox.ac.uk>

Hello,

We are logging on to a remote machine as a user without a kerberos principal (user level3 at machine b0dap31). How can we export X-display from b0dap31 ?

David.

***************************************
* Dr. David Waters                    *
* Nuclear and Astrophysics Laboratory *
* Keble Road                          *
* Oxford OX1 3RH                      *
*                                     *
* Tel : (UK)-1865-273344              *
*       (UK)-7812-748843 (mobile)     *
* Fax : (UK)-1865-273418              *
*                                     *
* E-Mail : d.waters1@physics.ox.ac.uk *
***************************************

From kreymer@fnal.gov Mon Jun 11 09:08:44 2001 -0500
Date: Mon, 11 Jun 2001 09:08:32 -0500
From: Matt Crawford
Subject: Re: X-display
In-reply-to: "11 Jun 2001 11:08:12 BST."
To: David Waters
Cc: "'kerberos-users@fnal.gov'", "'cdfsys@fnal.gov'"
Message-id: <200106111408.JAA00100@gungnir.fnal.gov>

> We are logging on to a remote machine as a user without a kerberos
> principal (user level3 at machine b0dap31). How can we export
> X-display from b0dap31 ?

Your question confuses me. Let me see if I can guess your situation. Are you logging in with a Kerberos client from some remote system "R" to b0dap31 and wanting to start an X client application that displays on R:0 ?

What you have to do depends on the access control method in use on R. In the worst case you have set "xhost +" on R and need only invoke your client on b0dap31 as "xprogname -d R:0 &". That will work until some badguy finds your wide open X display on R and completely trashes your system.

Assuming that hasn't already happened, your display is probably not that wide open. If you are using xhosts, but using it a little more carefully than "xhost +", then you need to do "xhost +b0dap31.fnal.gov" on R, then proceed as above.

In the best likely case, you are using "magic cookie" X authentication and can forward your cookie to b0dap31 by doing the following command on R:

    rsh -x -l level3 b0dap31.fnal.gov xauth add `xauth list R:0`

Then on b0dap31 you can invoke your X client: "xprogname -d R:0 &".

In all cases you can set the environment variable DISPLAY to "R:0" instead of including the command-line flags "-d R:0".

None of the above has anything whatsoever to do with Kerberos.

As an alternative, no matter what your X authentication, it should work transparently if you use a Kerberized ssh client - you can skip the xhost or xauth commands.
From kreymer@fnal.gov Mon Jun 11 09:53:57 2001 -0500
Date: Mon, 11 Jun 2001 09:53:49 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18752 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76177DB7@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000018752 has been resolved on 6/11/01 9:49:55 AM

Resolution Timestamp : 6/11/01 9:27:23 AM
Solution Category : Service Request
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Problem with cvs access following kerberos realm change.
Solution : I have previously received a response to this query which stated that the effect I saw was a "harmless but annoying feature of Linux" and I see exactly the same behaviour on d0lxbld5.fnal.gov, so I guess this one is closed.
Problem Description : I have just (within the last hour) updated kerberos on our machine, d0gs.hep.ph.ic.ac.uk, and changed the default realm to FNAL.GOV. Everything I have checked so far seems to work fine, except I am now getting socket errors reported when I use cvs. I am not sure whether the command is working anyway, regardless of the complaints, or whether it is just failing back to the non-kerberised rsh access. I get these errors whether I obtain a kerberos ticket for PILOT.FNAL.GOV or FNAL.GOV (see below).

[beuselin@d0gs tvx]$ kinit beuselin@PILOT.FNAL.GOV
Password for beuselin@PILOT.FNAL.GOV:
[beuselin@d0gs tvx]$ cvs history -Tan l3ftrack_cft | tail
This rsh session is using DES encryption for all data transmissions.
setsockopt (stdin): Permission denied
setsockopt (stderr): Permission denied
T 04/20 18:22 +0000 jonckheere l3ftrack_cft [p07-00-05:v00-05-22]
T 04/20 18:22 +0000 jonckheere l3ftrack_cft [p08-09-00:p08-04-00]
T 04/23 15:18 +0000 jonckheere l3ftrack_cft [p07-00-05a:v00-05-22]
T 05/01 16:44 +0000 jonckheere l3ftrack_cft [p08-10-00:p08-04-00]
T 05/06 23:38 +0000 danielw    l3ftrack_cft [v00-06-11:A]
T 05/15 21:15 +0000 jonckheere l3ftrack_cft [p08-11-00:p08-04-00]
T 05/17 12:40 +0000 beuselin   l3ftrack_cft [v00-06-12:A]
T 05/22 15:04 +0000 danielw    l3ftrack_cft [v00-06-13:A]
T 05/25 22:45 +0000 jonckheere l3ftrack_cft [p09-br:v00-06-12]
T 05/25 22:45 +0000 jonckheere l3ftrack_cft [p09-00-00:p09-br]
[beuselin@d0gs tvx]$ kinit beuselin@FNAL.GOV
Password for beuselin@FNAL.GOV:
[beuselin@d0gs tvx]$ cvs history -Tan l3ftrack_cft | tail
This rsh session is using DES encryption for all data transmissions.
setsockopt (stdin): Permission denied
setsockopt (stderr): Permission denied
T 04/20 18:22 +0000 jonckheere l3ftrack_cft [p07-00-05:v00-05-22]
T 04/20 18:22 +0000 jonckheere l3ftrack_cft [p08-09-00:p08-04-00]
T 04/23 15:18 +0000 jonckheere l3ftrack_cft [p07-00-05a:v00-05-22]
T 05/01 16:44 +0000 jonckheere l3ftrack_cft [p08-10-00:p08-04-00]
T 05/06 23:38 +0000 danielw    l3ftrack_cft [v00-06-11:A]
T 05/15 21:15 +0000 jonckheere l3ftrack_cft [p08-11-00:p08-04-00]
T 05/17 12:40 +0000 beuselin   l3ftrack_cft [v00-06-12:A]
T 05/22 15:04 +0000 danielw    l3ftrack_cft [v00-06-13:A]
T 05/25 22:45 +0000 jonckheere l3ftrack_cft [p09-br:v00-06-12]
T 05/25 22:45 +0000 jonckheere l3ftrack_cft [p09-00-00:p09-br]
[beuselin@d0gs tvx]$

Is this a real problem or just a question of someone updating some authorisation data for our host or our user principals ?

Thanks,
Ray Beuselinck
Imperial College, DZERO.
From kreymer@fnal.gov Mon Jun 11 09:58:51 2001 -0500
Date: Mon, 11 Jun 2001 09:58:42 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT #18752 Resolved.
In-reply-to: "11 Jun 2001 09:53:49 CDT."
To: ARSystem, beuselin@fnal.gov
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106111458.JAA00376@gungnir.fnal.gov>

> Solution : I have previously received a response to this
> query which stated that the effect I saw was a "harmless but
> annoying feature of Linux" and I see exactly the same behaviour on
> d0lxbld5.fnal.gov, so I guess this one is closed.
> ...
> [beuselin@d0gs tvx]$ cvs history -Tan l3ftrack_cft | tail
> This rsh session is using DES encryption for all data transmissions.
> setsockopt (stdin): Permission denied
> setsockopt (stderr): Permission denied

It is harmless and annoying and specific to Linux, but it is also fixed in Fermi Kerberos v1_3a, which also fixed a possible core dump in portal-mode login on IRIX. Those are the only two substantive changes in code between v1_3 and v1_3a.

From kreymer@fnal.gov Mon Jun 11 10:04:31 2001 -0500
Date: Mon, 11 Jun 2001 10:04:17 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18752 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76177DC6@csdserver2.fnal.gov>

18752 has been updated by marih.

Short Description : Problem with cvs access following kerberos realm change.

New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem" ;
Cc:
Subject: Re: CRAWFORD, MATT #18752 Resolved.
Date: Monday, June 11, 2001 9:58 AM

It is harmless and annoying and specific to Linux, but it is also fixed in Fermi Kerberos v1_3a, which also fixed a possible core dump in portal-mode login on IRIX. Those are the only two substantive changes in code between v1_3 and v1_3a.
From kreymer@fnal.gov Mon Jun 11 10:57:43 2001 -0500
Date: Mon, 11 Jun 2001 10:57:40 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Problem with WRQ this morning
To: kerberos-users@fnal.gov
Message-id: <3B24EA74.67961C1A@fnal.gov>
Organization: Fermi National Accelerator Lab

This morning something strange seems to be happening between my WRQ software and my attempt to connect to node sammy.fnal.gov.

I have a WRQ VT (UNIX/Digital) connection configuration that I have used many many times in the past.
The specifics are:
- connect using Network, encrypt data stream, require mutual authentication
- connect to node sammy.fnal.gov
- kerberos authentication

In the past I double-clicked on the icon. If I wasn't already authenticated on my PC, the WRQ would throw up a window to authenticate. Then the VT session would open and I would be accepted as lauri@FNAL.GOV.

This morning, I am seeing something entirely new:

First, an error message:

telnetd: krb5_rd_req failed: Key table entry not found
Fermi Linux Release 6.1.1 (Strange)
Kernel 2.2.16-3smp on a 2-processor i686
Press ENTER and compare this challenge to the one on your display: [05054434]
Enter the displayed response:

Ugh, I should already be authenticated. But then when I start to enter my cryptocard information, I get a pop-up error message:

You may have connected to an unsecure host or encryption negotiation did not succeed.

I *am* able to use similar WRQ VT configurations to other nodes. I am able to log in to sammy with forwarded tickets from other nodes.

Node sammy is Linux+2.2, running:
kerberos v1_3a
krb5conf v1_4
ssh v1_2_7f

(kerberos v1_3a and ssh were installed just last week, this is probably what changed -- but how to fix it?)
-- lauri

From kreymer@fnal.gov Mon Jun 11 11:09:55 2001 -0500
Date: Mon, 11 Jun 2001 11:09:51 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: Problem with WRQ this morning
In-reply-to: <3B24EA74.67961C1A@fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-users@fnal.gov

On Mon, 11 Jun 2001, Laurelin of Middle Earth, 630-840-2214 wrote:

> This morning something strange seems to be happening
> between my WRQ software and my attempt to connect to
> node sammy.fnal.gov.
...
> telnetd: krb5_rd_req failed: Key table entry not found

Sounds to me like either the /etc/krb5.keytab got trashed, or the Real Name of sammy.fnal.gov got changed, so that it can't find its host key(?!?)

Marc

From kreymer@fnal.gov Mon Jun 11 12:04:14 2001 -0500
Date: Mon, 11 Jun 2001 12:03:58 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 18807
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76177E4A@csdserver2.fnal.gov>

This reminder created on 6/11/01 12:03:05 PM

Ticket 18807 has
been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : GEORGE
Last Name (+) : ALVERSON
Phone : 2573
E-Mail Address : ALVERSON@FNAL.GOV
Incident Time : 6/4/01 11:19:51 AM
System Name :
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : KDC Unreachable
Problem Description : I just tried to log onto d0mino using a WRQ Reflection client and it gave me a "KDC unreachable" error. Is the KDC unreachable? Thanks, George Alverson

From kreymer@fnal.gov Mon Jun 11 13:22:19 2001 -0500
Date: Mon, 11 Jun 2001 13:22:08 -0500
From: Matt Crawford
Subject: Re: Problem with WRQ this morning
In-reply-to:
"11 Jun 2001 10:57:40 CDT." <3B24EA74.67961C1A@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-users@fnal.gov Message-id: <200106111822.NAA01106@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1255 > This morning, I am seeing something entirely new: > First, an error message: > > telnetd: krb5_rd_req failed: Key table entry not found That's nearly the whole story right there. The ticket you presented was for a service principal the server did not have in its keytab file. Given that it used to work, the keytab entry used to be there. Two things could have happened: You're now asking for the principal in a different realm, and sammy doesn't have a key in that realm, or Something sad happened to the keytab file on sammy. I see that today you have requested and received service tickets for sammy in both realms (but from differnt systems). The DNS host-to-realm mapping information for sammy still says it's in PILOT.FNAL.GOV, so that hasn't changed lately. Ball's in your court, or the court of sammy's sysadmin (if that isn't you). > pop-up error message: > > You may have connected to an unsecure host or > encryption negotiation did not succeed. A consequence of the foregoing, since it's no good to negotiate encryption if you can't securely verify who you're talking to. 
From kreymer@fnal.gov Mon Jun 11 14:30:30 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA12591 for ; Mon, 11 Jun 2001 14:30:30 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GES00JBW66TT0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 11 Jun 2001 14:30:30 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00156766@listserv.fnal.gov>; Mon, 11 Jun 2001 14:30:29 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 88870 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 11 Jun 2001 14:30:29 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00156765@listserv.fnal.gov>; Mon, 11 Jun 2001 14:30:29 -0500 Received: from RALPH.fnal.gov ([131.225.82.167]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GES00KB666SZY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 11 Jun 2001 14:30:28 -0500 (CDT) Date: Mon, 11 Jun 2001 14:30:26 -0500 From: rreitz Subject: Re: kerberized rsh for windows In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov X-Sender: rreitz@imapserver2.fnal.gov (Unverified) To: kerberos-users@fnal.gov Message-id: <5.1.0.14.2.20010611135656.04760eb0@imapserver2.fnal.gov> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Content-type: text/plain; charset=us-ascii; format=flowed References: <5.1.0.14.2.20010605094903.0429ae78@imapserver2.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1256 At 03:03 PM 6/8/2001 -0500, Tim Zingelman wrote: >On Tue, 5 Jun 2001, rreitz wrote: > > > I have not been able to compile the heimdal source under Cygwin. I'm using > > a "travelkit" binary distribution from > > http://www.ics.muni.cz/scb/travelkit/. 
Unfortunately, this binary > > distribution is not complete (i.e. there is stuff in the heimdal source > > that doesn't appear in the travelkit - like rlogin). There is no > >It appears that there is a very nice travelkit at: > > http://www.pdc.kth.se/support/kerberos-travel-tour.html Under the "Select the operating system version..." heading on this page, the "PC Other:" link for Windows points to a Kerberos 4 only client. The Kerberos 5 client is beta and is here: http://www.stacken.kth.se/~thn/ktelnet/beta/. The current beta is V3.00.950 BETA 010328. I have tried this client and find that it doesn't understand any pre-authentication requests. I created a new kerberos user principal that did not require pre-auth and changed a host principal to "no pre-auth". Using the new user principal I was able to connect to the host. Without pre-auth support, this client is of no value in the Fermilab Kerberos environment. >If you follow the link "improve your configuration" towards the bottom and >the link "binaries" half way down the next page, they also have binaries >for the rest of the commands... rlogin, etc. Following the binaries link, I get here ftp://ftp.pdc.kth.se/pub/krb/binaries/i386-unknown-winnt4.0/. This is kerberos 4 stuff. I don't see any kerberos 5 clients. >I can't get this to work at all because I don't have administrator on any >Windose boxes... but it comes with a nice GUI installer that lets me >know that is what my problem is :) > > - Tim The only Windows Kerberos 5 clients I know of are "Reflection" from WRQ (does not include rsh or rlogin) and the heimdal travelkit here http://www.pdc.kth.se/heimdal/. I have sent email to this site pointing out that the "travelkits" link is broken. Oops, the link is fixed. http://scb.ics.muni.cz/static/software/travelkit/index.en.html seems to point to the same ports as before. 
The MS Windows "travelkit.zip" is the same as before, so I can say that telnet does work, there is no rlogin, and the rsh doesn't work without a command (i.e. "rsh host" != rlogin host). Randy Randy From kreymer@fnal.gov Tue Jun 12 10:09:46 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA13815 for ; Tue, 12 Jun 2001 10:09:46 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00L9YOS79J@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 10:09:45 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001574D4@listserv.fnal.gov>; Tue, 12 Jun 2001 10:09:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 92568 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 10:09:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001574D3@listserv.fnal.gov>; Tue, 12 Jun 2001 10:09:43 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00FQ7OS6ID@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 10:09:43 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 12 Jun 2001 10:09:42 -0500 Content-return: allowed Date: Tue, 12 Jun 2001 10:09:35 -0500 From: ARSystem Subject: 000000000018980 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76177FC1@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1257 CRAWFORD, MATT, Help Desk Ticket #000000000018980 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Computer access question... Badge # (+) : 08492V First Name : MIGUEL Last Name (+) : BARRIO Phone : 5708 E-Mail Address : MBARRIO@HEP.UCHICAGO.EDU Incident Time : 6/12/01 9:53:03 AM System Name : Urgency : Medium Public Work Log : Problem Description : I am aware of the imminent migration to Kerberos authentication for computer access at Fermilab. I was wondering if rsa or dsa public key authentication will be allowed. Thanks. Miguel Barrio From kreymer@fnal.gov Tue Jun 12 10:53:03 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA13869 for ; Tue, 12 Jun 2001 10:53:03 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET001AOQSDYQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 10:53:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015762A@listserv.fnal.gov>; Tue, 12 Jun 2001 10:53:01 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 92933 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 10:53:01 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157629@listserv.fnal.gov>; Tue, 12 Jun 2001 10:53:01 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00282QSDS4@smtp.fnal.gov> for 
kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 10:53:01 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id KAA05007; Tue, 12 Jun 2001 10:52:53 -0500 (CDT) Date: Tue, 12 Jun 2001 10:52:53 -0500 From: Matt Crawford Subject: Re: 000000000018980 Assigned to CRAWFORD, MATT. In-reply-to: "12 Jun 2001 10:09:35 CDT." <318CC3D38BE0D211BB1200105A093F76177FC1@csdserver2.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: ARSystem Cc: "'kerberos-users@fnal.gov'" , MBARRIO@HEP.UCHICAGO.EDU Message-id: <200106121552.KAA05007@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1258 > Problem Description : I am aware of the imminent migration to Kerberos > authentication for computer access at Fermilab. I was wondering if > rsa or dsa public key authentication will be allowed. For shell or ftp-style access into systems at FNAL, no. From kreymer@fnal.gov Tue Jun 12 11:01:30 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA13879 for ; Tue, 12 Jun 2001 11:01:30 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET001E6R6GYQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 11:01:29 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157679@listserv.fnal.gov>; Tue, 12 Jun 2001 11:01:28 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93017 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 11:01:28 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157677@listserv.fnal.gov>; Tue, 12 Jun 2001 11:01:28 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 
#37519) with ESMTP id <0GET0037CR6FT6@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 11:01:28 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 12 Jun 2001 11:01:27 -0500 Content-return: allowed Date: Tue, 12 Jun 2001 11:01:20 -0500 From: ARSystem Subject: CRAWFORD, MATT #18980 Resolved. Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76177FEC@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1259 Thank you for your assistance. Help Desk ticket #000000000018980 has been resolved on 6/12/01 11:00:03 AM Resolution Timestamp: : 6/12/01 10:53:28 AM Solution Category : Information Request Problem Category : Software Item : Kerberos Type : Utilities Short Description : Computer access question... Solution : For shell or ftp-style access into systems at FNAL, no. Problem Description : I am aware of the imminent migration to Kerberos authentication for computer access at Fermilab. I was wondering if rsa or dsa public key authentication will be allowed. Thanks. 
Miguel Barrio From kreymer@fnal.gov Tue Jun 12 11:47:26 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA14023 for ; Tue, 12 Jun 2001 11:47:26 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00MQETB0E4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 11:47:25 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015774D@listserv.fnal.gov>; Tue, 12 Jun 2001 11:47:24 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93245 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 11:47:24 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015774C@listserv.fnal.gov>; Tue, 12 Jun 2001 11:47:24 -0500 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET002I4TB0G4@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 11:47:24 -0500 (CDT) Date: Tue, 12 Jun 2001 11:47:24 -0500 From: Troy Dawson Subject: afs tokens with telnet Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <3B26479C.A2D0AAC7@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1260 Hello, I could have sworn this used to work, but now that I'm looking, I can't find any machine where it does. Basically, I can't get an AFS token when I telnet into a machine that has AFS on it, and where I USED to get an AFS token. 
As far as I can tell, all these machines are using the latest kerberos v1.3a, so it is possible that it is something with the version. I can ssh (v1.2.27f) into these machines fine and get my token, but not telnet, or rlogin. Troy -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Tue Jun 12 12:22:56 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14064 for ; Tue, 12 Jun 2001 12:22:56 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET004JEUY712@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 12:22:56 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157852@listserv.fnal.gov>; Tue, 12 Jun 2001 12:22:55 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93547 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 12:22:55 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157851@listserv.fnal.gov>; Tue, 12 Jun 2001 12:22:55 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET003PIUY64M@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 12:22:54 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA31122; Tue, 12 Jun 2001 12:22:55 -0500 Date: Tue, 12 Jun 2001 12:22:55 -0500 (CDT) From: Steven Timm Subject: Re: afs tokens with telnet In-reply-to: <3B26479C.A2D0AAC7@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Troy Dawson Cc: kerberos-users@fnal.gov 
Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1261 You won't get an AFS token unless you forward your credentials to the remote machine with telnet -f It used to be the default that credentials would be forwarded with telnet, now it is not. This can be changed in /etc/krb5.conf. Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Tue, 12 Jun 2001, Troy Dawson wrote: > Hello, > I could have sworn this used to work, but now that I'm looking, I can't find > any machine where it does. Basically, I can't get a AFS token when I telnet > into a machine that has AFS on it, and where I USED to get an AFS token. As > far as I can tell, all these machines are using the latest kerberos v1.3a, so > it is possible that it is something with the version. > I can ssh (v1.2.27f) into these machines fine and get my token, but not > telnet, or rlogin. 
> Troy > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS SCS Group > __________________________________________________ > From kreymer@fnal.gov Tue Jun 12 12:48:41 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14084 for ; Tue, 12 Jun 2001 12:48:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET006JWW53AN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 12:48:40 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001578C2@listserv.fnal.gov>; Tue, 12 Jun 2001 12:48:39 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93668 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 12:48:39 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001578C1@listserv.fnal.gov>; Tue, 12 Jun 2001 12:48:39 -0500 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET0089WW52X7@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 12:48:38 -0500 (CDT) Date: Tue, 12 Jun 2001 12:48:38 -0500 From: Troy Dawson Subject: Re: afs tokens with telnet Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <3B2655F6.DBE2D22E@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1262 Thanks Steve, that worked. 
Now I've been searching through the documentation about that so that I can simply tell users where to go, but I'm unable to find anything about AFS credentials in the documentation and that includes man pages. (I personally had no idea that I needed to forward my credentials to get an AFS token because getting the token was part of logging in.) Am I just missing it, or is this something that hasn't been written/released yet? Troy Steven Timm wrote: > > You won't get an AFS token unless you forward your credentials > to the remote machine with > telnet -f > > It used to be the default that credentials would be forwarded > with telnet, now it is not. This can be changed in /etc/krb5.conf. > > Steve > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Tue, 12 Jun 2001, Troy Dawson wrote: > > > Hello, > > I could have sworn this used to work, but now that I'm looking, I can't find > > any machine where it does. Basically, I can't get a AFS token when I telnet > > into a machine that has AFS on it, and where I USED to get an AFS token. As > > far as I can tell, all these machines are using the latest kerberos v1.3a, so > > it is possible that it is something with the version. > > I can ssh (v1.2.27f) into these machines fine and get my token, but not > > telnet, or rlogin. 
> > Troy > > -- > > __________________________________________________ > > Troy Dawson dawson@fnal.gov (630)840-6468 > > Fermilab ComputingDivision/OSS SCS Group > > __________________________________________________ > > -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Tue Jun 12 12:58:40 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14096 for ; Tue, 12 Jun 2001 12:58:40 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET008BPWLQX7@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 12:58:39 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001578D7@listserv.fnal.gov>; Tue, 12 Jun 2001 12:58:38 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93689 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 12:58:38 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001578D5@listserv.fnal.gov>; Tue, 12 Jun 2001 12:58:16 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET008CXWL3WZ@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 12:58:15 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA31336 for ; Tue, 12 Jun 2001 12:58:16 -0500 Date: Tue, 12 Jun 2001 12:58:15 -0500 (CDT) From: Steven Timm Subject: [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] Sender: 
owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1263
Here is the history of a fairly involved host/ftp principal setting problem

1) I receive the host/ftp principal, first for a new node. Clock is out of sync so it doesn't work. I send E-mail asking for a reset.

2) I figure out the clock was out of sync, set the clock, principal works fine.

3) the password reset happens anyway. Now my /etc/krb5.keytab is out of sync with the KDC.

4) I lose that password, ask for another reset, which is done.

5) I delete /etc/krb5.keytab off the node and do ups install-hostkeys kerberos (I believe this was the fatal mistake here...should have manually done kadmin, ktadd, etc.) Get error: Preauthentication failed while initializing kadmin interface....

6) There are things in /etc/krb5.keytab afterwards, and kinit -k works

[root@fnpcd /root]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 ftp/fnpcd.fnal.gov@FNAL.GOV
   6 host/fnpcd.fnal.gov@FNAL.GOV

Ticket cache: /tmp/krb5cc_p2913
Default principal: host/fnpcd.fnal.gov@FNAL.GOV

Valid starting     Expires            Service principal
06/12/01 12:56:48  06/13/01 14:56:48  krbtgt/FNAL.GOV@FNAL.GOV

7) but inbound telnet/ssh does not.

[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ]

Is there any way to fix this without resetting the host/ftp principals for the fifth time and driving Yolanda to distraction?

Steve
------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Tue Jun 12 13:12:11 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14219 for ; Tue, 12 Jun 2001 13:12:10 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00D3SX898L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 13:12:10 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015791C@listserv.fnal.gov>; Tue, 12 Jun 2001 13:12:09 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93767 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 13:12:09 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015791B@listserv.fnal.gov>; Tue, 12 Jun 2001 13:12:09 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00C6SX8874@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 13:12:09 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA05467; Tue, 12 Jun 2001 13:11:58 -0500 (CDT) Date: Tue, 12 Jun 2001 13:11:57 -0500 From: Matt Crawford Subject: Re: afs tokens with telnet In-reply-to: "12 Jun 2001 12:48:38 CDT." 
<3B2655F6.DBE2D22E@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Troy Dawson Cc: kerberos-users@fnal.gov Message-id: <200106121811.NAA05467@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1264 > Now I've been searching through the documentation about that so that I can > simply tell users where to go, but I'm unable to find anything about AFS > credentials in the documentation and that includes man pages. (I personally > had no idea that I needed to forward my credentials to get an AFS token > because getting the token was part of logging in.) > Am I just missing it, or is this something that hasn't been written/released > yet? http://www.fnal.gov/docs/strongauth/html/user.html section 6.2.4 talks about needing to forward your credentials if you will have to access AFS on the remote end. It is under a subheading "A Note about rsh and rcp" but it applies to telnet as well. This on-line document has many AFS-specific notes scattered throughout, marked with http://www.fnal.gov/docs/strongauth/html/images/afsmon.gif The only Kerberos man pages that mention AFS are aklog(1) and login.krb5(8). 
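The forwarding setting Steve and Matt refer to, as an added configuration example; it is not from the archive or from the Fermilab documentation, and the stanza and option names are those of the MIT Kerberos krb5.conf, not anything the thread shows. `forwardable` in [libdefaults] makes kinit request a forwardable TGT (without it there is nothing to forward), and `forward` under the `telnet` application in [appdefaults] makes the MIT telnet client forward it on every session, which is what `telnet -f` does for one session. The realm name is taken from the thread; the rest is illustrative.

```ini
# /etc/krb5.conf excerpt (added example, MIT Kerberos conventions;
# not the Fermilab site configuration).
[libdefaults]
    default_realm = FNAL.GOV
    # Ask the KDC for a forwardable TGT at kinit time.
    forwardable = true

[appdefaults]
    telnet = {
        # Forward the TGT to the remote host so login.krb5/aklog can
        # obtain an AFS token there; same effect as "telnet -f".
        forward = true
        # Refuse to fall back to a cleartext session.
        encrypt = true
    }
```

The trade-off a site makes when it turns this off by default is real: forwarding hands the remote host a usable copy of your TGT for its remaining lifetime, so a compromised server can act as you elsewhere. Forward only to hosts you would trust with your password, and prefer `telnet -f` per session over a blanket `forward = true` when in doubt.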
From kreymer@fnal.gov Tue Jun 12 13:28:44 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14247 for ; Tue, 12 Jun 2001 13:28:44 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00E3BXZUZJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 13:28:43 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015797A@listserv.fnal.gov>; Tue, 12 Jun 2001 13:28:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93869 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 13:28:42 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00157979@listserv.fnal.gov>; Tue, 12 Jun 2001 13:28:42 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00D8RXZT43@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 13:28:41 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id NAA05560; Tue, 12 Jun 2001 13:28:32 -0500 (CDT) Date: Tue, 12 Jun 2001 13:28:31 -0500 From: Matt Crawford Subject: Re: [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] In-reply-to: "12 Jun 2001 12:58:15 CDT." Sender: owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: kerberos-users@fnal.gov Message-id: <200106121828.NAA05560@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1265 > 7) but inbound telnet/ssh does not. 
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: > Key version number for principal in key table is incorrect ] > > Is there any way to fix this without resetting the host/ftp > principals for the fifth time and driving Yolanda to distraction? Yes. The problem is that you have a service ticket that was issued with a version (kvno = key version number) of the service key that the server host does not have in its keytab. The client doesn't know that there's anything wrong, as it was properly obtained from the KDC. You can ditch that ticket on the *client* side in two ways: If your TGT is renewable, just do "kinit -R". That drops all the tickets other than the renewed TGT. Otherwise, do a new "kinit" to start your credential cache from scratch. You can hit this problem a lot more simply (and others have) if you merely try to access the service after it's been created in the KDC but before the keytab file has been created for the first time, then you try again to access it when the keytab exists but your previous service ticket hasn't expired. 
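The two krb5_rd_req failures in this thread, "Key table entry not found" (Matt's diagnosis of the sammy problem above) and "Key version number for principal in key table is incorrect" (the fnpcd case here), come from the same server-side lookup: telnetd takes the service principal and kvno out of the ticket and looks for that pair in /etc/krb5.keytab. The following is an added example, not code from the archive or from Fermilab, that reproduces that lookup over the text of `klist -k` and tells you which of Matt's explanations applies: wrong realm, missing/damaged keytab, or a stale service ticket on the client. The error names are MIT's libkrb5 error codes; the keytab listings are constructed to match the hosts named in the thread, and the advice strings are this example's own.

```python
"""Triage helper for telnetd "krb5_rd_req failed" errors.

Added example, not from the kerberos-users archive. Given the text of
`klist -k` from the server (constructed below) and the principal/kvno
the client's ticket carries, report which failure krb5_rd_req would
log and what Matt's advice for it is:

  * KRB5_KT_NOTFOUND      -> "Key table entry not found"
  * KRB5_KT_KVNONOTFOUND  -> "Key version number for principal in key
                             table is incorrect"
"""
import re

# Entry lines of `klist -k` (and `klist -ke`, which appends the enctype
# in parentheses). Header and ruler lines deliberately do not match.
_KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(.*\))?\s*$")


def parse_keytab_listing(text):
    """Return {principal: {kvno, ...}} parsed from `klist -k` output."""
    entries = {}
    for line in text.splitlines():
        m = _KEYTAB_LINE.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def split_principal(principal):
    """'host/sammy.fnal.gov@PILOT.FNAL.GOV' -> ('host/sammy.fnal.gov', 'PILOT.FNAL.GOV')."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def triage(keytab_text, ticket_principal, ticket_kvno):
    """Classify why krb5_rd_req would reject a ticket against this keytab.

    Returns (error_name, advice); error_name is "OK" or the MIT error name.
    """
    entries = parse_keytab_listing(keytab_text)
    if ticket_principal in entries:
        have = sorted(entries[ticket_principal])
        if ticket_kvno in have:
            return "OK", "keytab holds %s kvno %d" % (ticket_principal, ticket_kvno)
        return (
            "KRB5_KT_KVNONOTFOUND",
            "ticket was issued under kvno %d but the keytab holds kvno %s; the "
            "client is presenting a service ticket obtained before the key was "
            "re-extracted. Fix on the client: 'kinit -R' (renewable TGT) or a "
            "fresh 'kinit' to drop the stale ticket." % (ticket_kvno, have),
        )
    name, realm = split_principal(ticket_principal)
    # Same host key present, but only under another realm: the client is
    # asking for the wrong realm, not the server for the wrong keytab.
    other_realms = sorted(
        r for p in entries for n, r in [split_principal(p)] if n == name and r != realm
    )
    if other_realms:
        return (
            "KRB5_KT_NOTFOUND",
            "keytab holds %s only in realm(s) %s but the client asked for realm "
            "%s; check the client's host-to-realm mapping, not the keytab."
            % (name, other_realms, realm),
        )
    return (
        "KRB5_KT_NOTFOUND",
        "no keytab entry for %s at all; the keytab is missing or damaged, "
        "re-extract the host key (kadmin ktadd)." % ticket_principal,
    )


# Constructed `klist -k` output for the two hosts named in the thread.
SAMMY_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/sammy.fnal.gov@PILOT.FNAL.GOV
"""

FNPCD_KEYTAB = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   6 ftp/fnpcd.fnal.gov@FNAL.GOV
   6 host/fnpcd.fnal.gov@FNAL.GOV
"""

if __name__ == "__main__":
    for keytab, principal, kvno in [
        (SAMMY_KEYTAB, "host/sammy.fnal.gov@FNAL.GOV", 3),   # wrong realm
        (FNPCD_KEYTAB, "host/fnpcd.fnal.gov@FNAL.GOV", 5),   # stale kvno
        (FNPCD_KEYTAB, "host/fnpcd.fnal.gov@FNAL.GOV", 6),   # fine
    ]:
        print(principal, kvno, "->", *triage(keytab, principal, kvno))
```

On a real server you would feed it `klist -k` output captured as root; the ticket's principal and kvno are what the client requested, so the cheap first check before touching the keytab is still Matt's: has the client's realm changed, and does the client hold a service ticket older than the keytab.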
From kreymer@fnal.gov Tue Jun 12 13:31:03 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14261 for ; Tue, 12 Jun 2001 13:31:03 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET00B8TY3PRQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 12 Jun 2001 13:31:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001579A4@listserv.fnal.gov>; Tue, 12 Jun 2001 13:31:01 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 93923 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 12 Jun 2001 13:31:01 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001579A3@listserv.fnal.gov>; Tue, 12 Jun 2001 13:31:01 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GET008GTY3OMN@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 12 Jun 2001 13:31:00 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA31616; Tue, 12 Jun 2001 13:31:01 -0500 Date: Tue, 12 Jun 2001 13:31:00 -0500 (CDT) From: Steven Timm Subject: Re: [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] In-reply-to: <200106121828.NAA05560@gungnir.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Matt Crawford Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1266 Thanks, Matt. This works fine now. 
Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Tue, 12 Jun 2001, Matt Crawford wrote: > > 7) but inbound telnet/ssh does not. > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: > > Key version number for principal in key table is incorrect ] > > > > Is there any way to fix this without resetting the host/ftp > > principals for the fifth time and driving Yolanda to distraction? > > Yes. The problem is that you have a service ticket that was issued > with a version (kvno = key version number) of the service key that > the server host does not have in its keytab. The client doesn't know > that there's anything wrong, as it was properly obtained from the > KDC. You can ditch that ticket on the *client* side in two ways: > > If your TGT is renewable, just do "kinit -R". That drops all the > tickets other than the renewed TGT. > > Otherwise, do a new "kinit" to start your credential cache from > scratch. > > > > You can hit this problem a lot more simply (and others have) if you > merely try to access the service after it's been created in the KDC > but before the keytab file has been created for the first time, then > you try again to access it when the keytab exists but your previous > service ticket hasn't expired. 
From kreymer@fnal.gov Tue Jun 12 13:56:27 2001 -0500
Date: Tue, 12 Jun 2001 13:56:23 -0500
From: ARSystem
Subject: 000000000018992 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7617802E@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000018992 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: kerberized FTP
Badge # (+) : 12383N
First Name : MARC
Last Name (+) : PATERNO
Phone : 4532
E-Mail Address : PATERNO@FNAL.GOV
Incident Time : 6/12/01 11:29:45 AM
System Name : D0LXBLD7
Urgency : Medium

Public Work Log :
6/12/01 11:56:38 AM trb
Jason, can you help ?

6/12/01 1:53:44 PM marih
From: "Jason Allen"
To: "ARSystem"
Subject: Re: 000000000018992 Assigned to ALLEN, JASON.
Date: Tuesday, June 12, 2001 1:47 PM

Please reassign to Matt Crawford as a Kerberos documentation issue.

Problem Description :
Hello,

I'm trying to use Reflection FTP Client to do a kerberized FTP from
d0lxbld7 to my laptop. I'm no longer able to do so. I suspect it may be
because I'm still using paterno@PILOT.FNAL.GOV as my Kerberos principal.
I tried looking in the documentation at http://www.fnal.gov/docs/strongauth/,
but was unable to find instructions for how to switch my principal. The
installation instructions for WRQ Reflection still say to use PILOT.FNAL.GOV.

Could someone please tell me where I can find the appropriate instructions?
thanks,
Marc
--
Marc Paterno
FNAL/CD Special Assignments
(630) 840-4532 (WH 6E, 645)
(630) 840-6457 (CDF Trailer 169F)
(630) 840-6689 (DAB 5)

From kreymer@fnal.gov Tue Jun 12 13:56:29 2001 -0500
Date: Tue, 12 Jun 2001 13:56:23 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18992 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7617802F@csdserver2.fnal.gov>

18992 has been updated by marih.

Short Description : kerberized FTP
New Work Log Entry :
From: "Jason Allen"
To: "ARSystem"
Subject: Re: 000000000018992 Assigned to ALLEN, JASON.
Date: Tuesday, June 12, 2001 1:47 PM

Please reassign to Matt Crawford as a Kerberos documentation issue.

From kreymer@fnal.gov Tue Jun 12 14:19:46 2001 -0500
Date: Tue, 12 Jun 2001 14:19:35 -0500
From: Matt Crawford
Subject: Re: 000000000018992 Assigned to CRAWFORD, MATT.
In-reply-to: "12 Jun 2001 13:56:23 CDT." <318CC3D38BE0D211BB1200105A093F7617802E@csdserver2.fnal.gov>
To: ARSystem , jallen@fnal.gov
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106121919.OAA05674@gungnir.fnal.gov>

> I'm trying to use Reflection FTP Client to do a kerberized FTP
> from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect
> it may be because I'm still using paterno@PILOT.FNAL.GOV as my
> Kerberos principal.

It doesn't matter what realm your own ticket is in (although it's
probably about time to switch to FNAL.GOV for regular use), it matters
what realm your host thinks the server considers itself to be in. To
put it another way, the client host and the server host have to agree
about which realm the server is in.

d0lxbld7 used to be in the PILOT.FNAL.GOV realm but is now in FNAL.GOV
and you need to stop WRQ from believing otherwise. It's done under
Configure Realms somewhere, but that's where my WRQ knowledge fizzles
out. Someone else on the kerberos-users list can be more specific.
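Matt's rule, that client and server must agree about the server's realm, as an added example (not code from the list, from MIT or from WRQ): it resolves a hostname to a realm the way a client does from its host-to-realm table and flags a stale entry. It assumes MIT krb5.conf's `[domain_realm]` syntax and lookup order (exact hostname first, then each parent domain written with a leading dot); WRQ's Configure Realms dialog is assumed to hold an equivalent table. The configs are constructed.

```python
"""Resolve which realm a client will put a server in, and whether that
matches the realm the server actually lives in.

Added example for this thread, not code from the list, from MIT krb5 or
from WRQ. Assumptions: [domain_realm] syntax and lookup order are MIT
krb5.conf's; hostnames are compared case-insensitively; configs below are
constructed."""
import re


def parse_domain_realm(conf_text):
    """Return the [domain_realm] entries of krb5.conf text as {key: REALM}.
    Only whole-line comments (# or ;) are recognised, as in MIT's profile format."""
    mapping, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            key, realm = (part.strip() for part in line.split("=", 1))
            mapping[key.lower()] = realm
    return mapping


def host_to_realm(hostname, mapping):
    """MIT lookup order: the full hostname, then '.parent' entries walking up.
    Returns None when nothing matches; the library then falls back to its own
    defaults, which is exactly where a guess can disagree with the server."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def service_principal(service, hostname, mapping):
    """The principal the client will ask the KDC for, e.g.
    ftp/d0lxbld7.fnal.gov@FNAL.GOV; None if the realm cannot be mapped."""
    realm = host_to_realm(hostname, mapping)
    return None if realm is None else f"{service}/{hostname.lower()}@{realm}"


def realms_agree(client_conf, server_realm, hostname):
    """True when the client's mapping yields the realm the server's own
    keytab principals carry (the realm part of host/<fqdn>@REALM in klist -k)."""
    client_view = host_to_realm(hostname, parse_domain_realm(client_conf))
    return client_view is not None and client_view == server_realm


# Constructed: a client still carrying an exact-host entry from the pilot
# realm beside the lab-wide domain rule. The exact entry wins the lookup.
STALE_CLIENT_CONF = """\
[domain_realm]
    d0lxbld7.fnal.gov = PILOT.FNAL.GOV
    .fnal.gov = FNAL.GOV
"""
FIXED_CLIENT_CONF = """\
[domain_realm]
    .fnal.gov = FNAL.GOV
"""
SERVER_REALM = "FNAL.GOV"   # d0lxbld7 moved from PILOT.FNAL.GOV to FNAL.GOV


if __name__ == "__main__":
    for label, conf in (("stale", STALE_CLIENT_CONF), ("fixed", FIXED_CLIENT_CONF)):
        m = parse_domain_realm(conf)
        print(label, service_principal("ftp", "d0lxbld7.fnal.gov", m),
              "agree:", realms_agree(conf, SERVER_REALM, "d0lxbld7.fnal.gov"))
```

With the stale entry the client requests ftp/d0lxbld7.fnal.gov@PILOT.FNAL.GOV, which the server's FNAL.GOV keytab cannot decrypt; removing the exact-host entry lets the `.fnal.gov` rule apply.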
From kreymer@fnal.gov Tue Jun 12 14:37:40 2001 -0500
Date: Tue, 12 Jun 2001 14:37:34 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18992 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76178042@csdserver2.fnal.gov>

18992 has been updated by marih.

Short Description : kerberized FTP
New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem" ;
Cc:
Subject: Re: 000000000018992 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 12, 2001 2:19 PM

> I'm trying to use Reflection FTP Client to do a kerberized FTP
> from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect
> it may be because I'm still using paterno@PILOT.FNAL.GOV as my
> Kerberos principal.

It doesn't matter what realm your own ticket is in (although it's
probably about time to switch to FNAL.GOV for regular use), it matters
what realm your host thinks the server considers itself to be in. To
put it another way, the client host and the server host have to agree
about which realm the server is in.

d0lxbld7 used to be in the PILOT.FNAL.GOV realm but is now in FNAL.GOV
and you need to stop WRQ from believing otherwise. It's done under
Configure Realms somewhere, but that's where my WRQ knowledge fizzles
out. Someone else on the kerberos-users list can be more specific.

From kreymer@fnal.gov Tue Jun 12 17:44:57 2001 -0500
Date: Tue, 12 Jun 2001 17:44:31 -0500
From: James Amundson
Subject: Why can't I connect with kerberized ssh?
To: KERBEROS-USERS Mailing list
Message-id: <3B269B4F.4DC790B1@fnal.gov>
Organization: CD/ODS

I just installed ssh v1_2_27f on droidg. As the products user, I did

[products@droidg tmp-ssh]$ upd install ssh -G'-c'

Then as root, I did

[root@droidg tmp-ssh]# ups InstallAsRoot ssh v1_2_27f
[root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd stop
[root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd start

I also installed it on my laptop, abacus. I can ssh from abacus to
another machine:

----------------------------------
|abacus>ssh fcdfsgi2 echo "connection fine"
/usr/bin/X11/xauth: creating new authority file /tmp/Xauth8818_10428807
connection fine
---------------------------------

I cannot, however, connect from abacus to droidg. Here's what happens:

---------------------------------------------------------
|abacus>ssh -v droidg
SSH Version 1.2.27f [i686-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.
abacus: Reading configuration data /etc/ssh_config
abacus: ssh_connect: getuid 8818 geteuid 8818 anon 1
abacus: Connecting to droidg [131.225.224.184] port 22.
abacus: Connection established.
abacus: Remote protocol version 1.5, remote software version 1.2.27f Portal
abacus: Waiting for server public key.
abacus: Received server public key (768 bits) and host key (1024 bits).
abacus: Host 'droidg' is known and matches the host key.
abacus: Initializing random; seed file /home/amundson/.ssh/random_seed
abacus: Encryption type: idea
abacus: Sent encrypted session key.
abacus: Installing crc compensation attack detector.
abacus: Received encrypted confirmation.
abacus: Trying Kerberos V5 TGT passing.
abacus: Kerberos V5 TGT passing failed.
abacus: Trying Kerberos V5 authentication
abacus: Kerberos V5 authentication failed.
abacus: Connection to authentication agent opened.
abacus: Trying RSA authentication via agent with 'amundson@abacus.fnal.gov'
abacus: Server refused our key.
abacus: RSA authentication using agent refused.
abacus: Trying RSA authentication with key 'amundson@abacus.fnal.gov'
abacus: Server refused our key.
abacus: Doing password authentication.
----------------------------------------------------------

I don't see any messages in /var/log/messages or /var/log/secure on
droidg. What could be wrong?

--Jim

From kreymer@fnal.gov Tue Jun 12 21:45:07 2001 -0500
Date: Tue, 12 Jun 2001 21:45:05 -0500
From: Steven Timm
Subject: Re: Why can't I connect with kerberized ssh?
In-reply-to: <3B269B4F.4DC790B1@fnal.gov>
To: James Amundson
Cc: KERBEROS-USERS Mailing list

What kerberos principal and what user id are you logged with at the
time? By default if you have principal amundson the ssh will try to
log in as you, not as root.

If you have the right combination and that still doesn't work, add

.fnal.gov = FNAL.GOV

to the domain-realm section of /etc/krb5.conf

Does kerberized telnet work into droidg?

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 12 Jun 2001, James Amundson wrote:

> I just installed ssh v1_2_27f on droidg. As the products user, I did
>
> [products@droidg tmp-ssh]$ upd install ssh -G'-c'
>
> Then as root, I did
>
> [root@droidg tmp-ssh]# ups InstallAsRoot ssh v1_2_27f
> [root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd stop
> [root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd start
>
> I also installed it on my laptop, abacus. I can ssh from abacus to
> another machine:
>
> ----------------------------------
> |abacus>ssh fcdfsgi2 echo "connection fine"
> /usr/bin/X11/xauth: creating new authority file /tmp/Xauth8818_10428807
> connection fine
> ---------------------------------
>
> I cannot, however, connect from abacus to droidg. Here's what happens:
>
> ---------------------------------------------------------
> |abacus>ssh -v droidg
> SSH Version 1.2.27f [i686-unknown-linux], protocol version 1.5.
> Standard version. Does not use RSAREF.
> abacus: Reading configuration data /etc/ssh_config
> abacus: ssh_connect: getuid 8818 geteuid 8818 anon 1
> abacus: Connecting to droidg [131.225.224.184] port 22.
> abacus: Connection established.
> abacus: Remote protocol version 1.5, remote software version 1.2.27f
> Portal
> abacus: Waiting for server public key.
> abacus: Received server public key (768 bits) and host key (1024 bits).
> abacus: Host 'droidg' is known and matches the host key.
> abacus: Initializing random; seed file /home/amundson/.ssh/random_seed
> abacus: Encryption type: idea
> abacus: Sent encrypted session key.
> abacus: Installing crc compensation attack detector.
> abacus: Received encrypted confirmation.
> abacus: Trying Kerberos V5 TGT passing.
> abacus: Kerberos V5 TGT passing failed.
> abacus: Trying Kerberos V5 authentication
> abacus: Kerberos V5 authentication failed.
> abacus: Connection to authentication agent opened.
> abacus: Trying RSA authentication via agent with
> 'amundson@abacus.fnal.gov'
> abacus: Server refused our key.
> abacus: RSA authentication using agent refused.
> abacus: Trying RSA authentication with key 'amundson@abacus.fnal.gov'
> abacus: Server refused our key.
> abacus: Doing password authentication.
> ----------------------------------------------------------
>
> I don't see any messages in /var/log/messages or /var/log/secure on
> droidg. What could be wrong?
>
> --Jim
>

From kreymer@fnal.gov Wed Jun 13 08:33:55 2001 -0500
Date: Wed, 13 Jun 2001 08:33:50 -0500
From: Gerald Guglielmo
Subject: Re: Why can't I connect with kerberized ssh?
To: James Amundson
Cc: KERBEROS-USERS Mailing list
Reply-to: gug@fnal.gov
Message-id: <3B276BBE.A0909FC1@fnal.gov>
References: <3B269B4F.4DC790B1@fnal.gov>

Hi,

I am not up to date on my mail, but as of 8:30am this morning I was
able to ssh from odsgug to droidg. I assume you are using the
kerberized ssh from abacus. What does klist say?

odsgug}(g023) ssh droidg
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? yes
Host 'droidg' added to the list of known hosts.

NOTICE TO USERS

This is a Federal computer (and/or it is directly connected to a
Fermilab local network system) that is the property of the United
States Government. It is for authorized use only. Users (authorized
or unauthorized) have no explicit or implicit expectation of privacy.

--- the rest of the session was cut to shorten the email, I ended up in Info initially---

James Amundson wrote:
>
> I just installed ssh v1_2_27f on droidg. As the products user, I did
>
> [products@droidg tmp-ssh]$ upd install ssh -G'-c'
>
> Then as root, I did
>
> [root@droidg tmp-ssh]# ups InstallAsRoot ssh v1_2_27f
> [root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd stop
> [root@droidg tmp-ssh]# /etc/rc.d/init.d/sshd start
>
> I also installed it on my laptop, abacus. I can ssh from abacus to
> another machine:
>
> ----------------------------------
> |abacus>ssh fcdfsgi2 echo "connection fine"
> /usr/bin/X11/xauth: creating new authority file /tmp/Xauth8818_10428807
> connection fine
> ---------------------------------
>
> I cannot, however, connect from abacus to droidg. Here's what happens:
>
> ---------------------------------------------------------
> |abacus>ssh -v droidg
> SSH Version 1.2.27f [i686-unknown-linux], protocol version 1.5.
> Standard version. Does not use RSAREF.
> abacus: Reading configuration data /etc/ssh_config
> abacus: ssh_connect: getuid 8818 geteuid 8818 anon 1
> abacus: Connecting to droidg [131.225.224.184] port 22.
> abacus: Connection established.
> abacus: Remote protocol version 1.5, remote software version 1.2.27f
> Portal
> abacus: Waiting for server public key.
> abacus: Received server public key (768 bits) and host key (1024 bits).
> abacus: Host 'droidg' is known and matches the host key.
> abacus: Initializing random; seed file /home/amundson/.ssh/random_seed
> abacus: Encryption type: idea
> abacus: Sent encrypted session key.
> abacus: Installing crc compensation attack detector.
> abacus: Received encrypted confirmation.
> abacus: Trying Kerberos V5 TGT passing.
> abacus: Kerberos V5 TGT passing failed.
> abacus: Trying Kerberos V5 authentication
> abacus: Kerberos V5 authentication failed.
> abacus: Connection to authentication agent opened.
> abacus: Trying RSA authentication via agent with
> 'amundson@abacus.fnal.gov'
> abacus: Server refused our key.
> abacus: RSA authentication using agent refused.
> abacus: Trying RSA authentication with key 'amundson@abacus.fnal.gov'
> abacus: Server refused our key.
> abacus: Doing password authentication.
> ----------------------------------------------------------
>
> I don't see any messages in /var/log/messages or /var/log/secure on
> droidg. What could be wrong?
>
> --Jim

--
-Jerry->
gug@fnal.gov
Pepe's Theory of everything: "Under the right circumstances, things happen."

From kreymer@fnal.gov Wed Jun 13 11:13:14 2001 -0500
Date: Wed, 13 Jun 2001 11:13:03 -0500
From: James Amundson
Subject: Re: Why can't I connect with kerberized ssh?
To: KERBEROS-USERS Mailing list
Cc: Steven Timm
Message-id: <3B27910F.67C33E35@fnal.gov>
Organization: CD/ODS

Steven Timm wrote:
> Does kerberized telnet work into droidg?

Yes. I should have said that in the first place.

It turns out that I can now answer my own question. After turning on
FascistLogging in ssh, I saw a message in /var/log/secure:

Jun 13 09:30:13 droidg sshd[2060]: debug: Can't find amundson's shadow - access denied.

It turns out there was a problem with the shadow password setup on this
machine. Somehow, kerberos telnet and rsh were unaffected. Once I fixed
the problem with the password file, I could log in.

Thanks for the help.
--Jim

From kreymer@fnal.gov Tue Jun 5 15:38:33 2001 -0500
Date: Tue, 05 Jun 2001 15:38:30 -0500
From: Glenn Cooper
Subject: Kerberos CVS access from Windows/WRQ
To: kerberos-users@fnal.gov
Reply-to: gcooper@fnal.gov

Good citizens that we are, we are preparing to restrict cdfsga, the node
where the CVS repository for CDF resides, to require Kerberos
authentication for access. This is fine for ordinary logins. We have
anonymous pserver service for CVS read access. Users with UNIX flavored
desktops can get write access using a Kerberos-aware rsh. All fine.

However, a small number of developers have Windows desktops and are
currently using a non-Kerberos-aware ssh-agent for CVS access. Is there
a way to use Kerberos authentication for CVS write access through
whatever WRQ offers? Alan Jonckheere tells me that MIT has an rsh client
for Windows, but it's not clear how to combine that with the WRQ ticket
manager.

Or alternately, is there an official or semi-official recommendation on
how to handle this problem? Allow non-Kerberos-aware ssh access but
restrict it to CVS access only, somehow?

Thanks,
Glenn

From kreymer@fnal.gov Wed Jun 13 14:26:05 2001 -0500
Date: Wed, 13 Jun 2001 14:25:40 -0500
From: James Amundson
Subject: Another kerberos connection problem
To: kerberos-users@fnal.gov
Cc: Margaret E Votava
Message-id: <3B27BE34.9F91F0E@fnal.gov>
Organization: CD/ODS

We now have another machine with kerberos installed, fnods. As far as I
can tell, I can only get automatic authentication to it if I have an afs
token.

Here is what happens when I try to log in to fnods from my machine,
where I do not have an afs token:
-----------------------------------------------------------
|abacus>klist
Ticket cache: /tmp/krb5cc_8818
Default principal: amundson@PILOT.FNAL.GOV

Valid starting     Expires            Service principal
06/13/01 14:18:58  06/14/01 16:18:58  krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV
06/13/01 14:19:09  06/14/01 16:18:58  host/droidg.fnal.gov@PILOT.FNAL.GOV
|abacus>/usr/krb5/bin/telnet fnods
Trying 131.225.81.88...
Connected to fnods.fnal.gov (131.225.81.88).
Escape character is '^]'.
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached

Fermi Linux Release 6.1.2 (Strange)
Kernel 2.2.16-3smp on a 2-processor i686
Press ENTER and compare this challenge to the one on your display: [86797573]
Enter the displayed response:
-----------------------------------------------------------

If I go to another machine where I get afs tokens along with my k5
tokens, I don't have any problem:
-----------------------------------------------------------
|droidg>klist
Ticket cache: /tmp/krb5cc_p4042
Default principal: amundson@FNAL.GOV

Valid starting     Expires            Service principal
06/13/01 14:20:04  06/14/01 16:20:04  krbtgt/FNAL.GOV@FNAL.GOV
06/13/01 14:20:04  06/14/01 16:20:04  afs@FNAL.GOV
|droidg>/usr/krb5/bin/telnet fnods
Trying 131.225.81.88...
Connected to fnods.fnal.gov (131.225.81.88).
Escape character is '^]'.
[ Kerberos V5 accepts you as ``amundson@FNAL.GOV'' ]
----------------------------------------------------------

Perhaps the afs thing is a red herring, but I don't have any other
bright ideas. Other people can log in to fnods with their kerberos
tickets, but they all have afs tokens. I can log in to any machine but
fnods.

Any bright ideas?
--Jim From kreymer@fnal.gov Wed Jun 13 14:29:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA17246 for ; Wed, 13 Jun 2001 14:29:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00BIHVHBHL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 14:29:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158D07@listserv.fnal.gov>; Wed, 13 Jun 2001 14:29:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99374 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 14:29:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158D06@listserv.fnal.gov>; Wed, 13 Jun 2001 14:29:35 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00I1DVHAAY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 14:29:34 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA14368; Wed, 13 Jun 2001 14:29:35 -0500 Date: Wed, 13 Jun 2001 14:29:35 -0500 (CDT) From: Steven Timm Subject: Re: Another kerberos connection problem In-reply-to: <3B27BE34.9F91F0E@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: James Amundson Cc: kerberos-users@fnal.gov, Margaret E Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1277 There's something wrong with the telnet daemon on fnods. The only way those people are getting in is with kerberos 4 authentication... the kerberos 5 authentication isn't working. 
Did you kill -HUP the inetd properly? Is the /etc/krb5.keytab set properly? (klist -k will say) Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Wed, 13 Jun 2001, James Amundson wrote: > We now have another machine with kerberos installed, fnods. As far as I > can tell, I can only get automatic authentication to it if I have an afs > token. > > Here is what happens when I try to log in to fnods from my machine, > where I do not have an afs token: > ----------------------------------------------------------- > |abacus>klist > Ticket cache: /tmp/krb5cc_8818 > Default principal: amundson@PILOT.FNAL.GOV > > Valid starting Expires Service principal > 06/13/01 14:18:58 06/14/01 16:18:58 > krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > 06/13/01 14:19:09 06/14/01 16:18:58 > host/droidg.fnal.gov@PILOT.FNAL.GOV > |abacus>/usr/krb5/bin/telnet fnods > Trying 131.225.81.88... > Connected to fnods.fnal.gov (131.225.81.88). > Escape character is '^]'. > [ Trying KERBEROS4 ... ] > mk_req failed: You have no tickets cached > [ Trying KERBEROS4 ... 
] > mk_req failed: You have no tickets cached > > Fermi Linux Release 6.1.2 (Strange) > Kernel 2.2.16-3smp on a 2-processor i686 > > Press ENTER and compare this challenge to the one on your display: > [86797573] > Enter the displayed response: > ----------------------------------------------------------- > > If I go to another machine where I get afs tokens along with my k5 > tokens, I don't have any problem: > > ----------------------------------------------------------- > |droidg>klist > Ticket cache: /tmp/krb5cc_p4042 > Default principal: amundson@FNAL.GOV > > Valid starting Expires Service principal > 06/13/01 14:20:04 06/14/01 16:20:04 krbtgt/FNAL.GOV@FNAL.GOV > 06/13/01 14:20:04 06/14/01 16:20:04 afs@FNAL.GOV > |droidg>/usr/krb5/bin/telnet fnods > Trying 131.225.81.88... > Connected to fnods.fnal.gov (131.225.81.88). > Escape character is '^]'. > [ Kerberos V5 accepts you as ``amundson@FNAL.GOV'' ] > ---------------------------------------------------------- > > Perhaps the afs thing is a red herring, but I don't have any other > bright ideas. Other people can log in to fnods with their kerberos > tickets, but they all have afs tokens. I can log in to any machine but > fnods. > > Any bright ideas? 
> > --Jim > From kreymer@fnal.gov Wed Jun 13 14:41:43 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA17269 for ; Wed, 13 Jun 2001 14:41:43 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00GD0W1H9R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 14:41:43 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158D65@listserv.fnal.gov>; Wed, 13 Jun 2001 14:41:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99484 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 14:41:42 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158D64@listserv.fnal.gov>; Wed, 13 Jun 2001 14:41:41 -0500 Received: from fnal.gov ([131.225.82.243]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00GCQW1H9X@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 14:41:41 -0500 (CDT) Date: Wed, 13 Jun 2001 14:41:41 -0500 From: Margaret Votava Subject: Re: Another kerberos connection problem Sender: owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: James Amundson , kerberos-users@fnal.gov Message-id: <3B27C1F5.EEB9DB93@fnal.gov> Organization: Fermi National Accelerator Laboratory MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1278 Hi, We rebooted fnods at lunch time so all servers should be the new kerberos versions - we installed v1_3a. If I'm fnods, and telnet to fnods, it says it using K5: telnet fnods Trying 131.225.81.88... Connected to fnods.fnal.gov (131.225.81.88). 
Escape character is '^]'. [ Kerberos V5 accepts you as ``votava@FNAL.GOV'' ] I assume this is correct? # klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 ftp/fnods.fnal.gov@FNAL.GOV 2 host/fnods.fnal.gov@FNAL.GOV It looks like it tries K5 sometimes and K4 sometimes. Margaret Steven Timm wrote: > > There's something wrong with the telnet daemon on fnods. > The only way those people are getting in is with kerberos 4 > authentication... the kerberos 5 authentication isn't working. > Did you kill -HUP the inetd properly? > > Is the /etc/krb5.keytab set properly? (klist -k will say) > > Steve > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Wed, 13 Jun 2001, James Amundson wrote: > > > We now have another machine with kerberos installed, fnods. As far as I > > can tell, I can only get automatic authentication to it if I have an afs > > token. > > > > Here is what happens when I try to log in to fnods from my machine, > > where I do not have an afs token: > > ----------------------------------------------------------- > > |abacus>klist > > Ticket cache: /tmp/krb5cc_8818 > > Default principal: amundson@PILOT.FNAL.GOV > > > > Valid starting Expires Service principal > > 06/13/01 14:18:58 06/14/01 16:18:58 > > krbtgt/PILOT.FNAL.GOV@PILOT.FNAL.GOV > > 06/13/01 14:19:09 06/14/01 16:18:58 > > host/droidg.fnal.gov@PILOT.FNAL.GOV > > |abacus>/usr/krb5/bin/telnet fnods > > Trying 131.225.81.88... > > Connected to fnods.fnal.gov (131.225.81.88). > > Escape character is '^]'. > > [ Trying KERBEROS4 ... ] > > mk_req failed: You have no tickets cached > > [ Trying KERBEROS4 ... 
] > > mk_req failed: You have no tickets cached > > > > Fermi Linux Release 6.1.2 (Strange) > > Kernel 2.2.16-3smp on a 2-processor i686 > > > > Press ENTER and compare this challenge to the one on your display: > > [86797573] > > Enter the displayed response: > > ----------------------------------------------------------- > > > > If I go to another machine where I get afs tokens along with my k5 > > tokens, I don't have any problem: > > > > ----------------------------------------------------------- > > |droidg>klist > > Ticket cache: /tmp/krb5cc_p4042 > > Default principal: amundson@FNAL.GOV > > > > Valid starting Expires Service principal > > 06/13/01 14:20:04 06/14/01 16:20:04 krbtgt/FNAL.GOV@FNAL.GOV > > 06/13/01 14:20:04 06/14/01 16:20:04 afs@FNAL.GOV > > |droidg>/usr/krb5/bin/telnet fnods > > Trying 131.225.81.88... > > Connected to fnods.fnal.gov (131.225.81.88). > > Escape character is '^]'. > > [ Kerberos V5 accepts you as ``amundson@FNAL.GOV'' ] > > ---------------------------------------------------------- > > > > Perhaps the afs thing is a red herring, but I don't have any other > > bright ideas. Other people can log in to fnods with their kerberos > > tickets, but they all have afs tokens. I can log in to any machine but > > fnods. > > > > Any bright ideas? 
> > > > --Jim > > -- Margaret Votava votava@fnal.gov Computing Division/Online and Database Systems 630-840-2625 (office) Fermi National Accelerator Laboratory 630-840-6345 (fax) http://www.fnal.gov 630-612-8220 (pager) From kreymer@fnal.gov Wed Jun 13 15:01:33 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17316 for ; Wed, 13 Jun 2001 15:01:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00K18WYJQK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 15:01:32 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158DAF@listserv.fnal.gov>; Wed, 13 Jun 2001 15:01:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99561 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 15:01:31 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158DAE@listserv.fnal.gov>; Wed, 13 Jun 2001 15:01:31 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00GC4WYI7R@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 15:01:30 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA08416; Wed, 13 Jun 2001 15:01:20 -0500 (CDT) Date: Wed, 13 Jun 2001 15:01:20 -0500 From: Matt Crawford Subject: Re: Another kerberos connection problem In-reply-to: "13 Jun 2001 14:25:40 CDT." 
<3B27BE34.9F91F0E@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: James Amundson
Cc: kerberos-users@fnal.gov, Margaret E Votava
Message-id: <200106132001.PAA08416@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1279

I see that in the non-working case you were authenticated as
amundson@PILOT.FNAL.GOV while in the working case you were
amundson@FNAL.GOV. That itself doesn't matter but it leads me to
*guess* that the former system (abacus) considers fnods to be in the
PILOT realm, when in fact fnods exists only in the production realm.

Possible solutions:
Update abacus to be purely production realm. (ups add-new-realm
kerberos and/or ups change-realm kerberos)
or
Edit krb5.conf to eliminate a line ".fnal.gov = PILOT.FNAL.GOV"
if present. If not running v1_2 or later, instead edit it to say
".fnal.gov = FNAL.GOV".

From kreymer@fnal.gov Wed Jun 13 15:18:00 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17330 for ; Wed, 13 Jun 2001 15:18:00 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00GGSXPY7R@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 15:17:59 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158E18@listserv.fnal.gov>; Wed, 13 Jun 2001 15:17:58 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99676 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 15:17:58 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158E17@listserv.fnal.gov>; Wed, 13 Jun 2001 15:17:58 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00L1MXPXQ9@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT
kerberos-users@fnal.gov); Wed, 13 Jun 2001 15:17:58 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 13 Jun 2001 15:17:58 -0500 Content-return: allowed Date: Wed, 13 Jun 2001 15:17:57 -0500 From: ARSystem Subject: 000000000019036 Assigned to CRAWFORD, MATT. Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761781E4@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1280 CRAWFORD, MATT, Help Desk Ticket #000000000019036 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Kerberos telnet/ssh hangs or crashes Badge # (+) : 12382N First Name : MAARTEN Last Name (+) : LITMAATH Phone : 6467 E-Mail Address : LITMAATH@FNAL.GOV Incident Time : 6/13/01 3:11:56 PM System Name : Urgency : Medium Public Work Log : Problem Description : I have repeatedly observed that a /usr/krb5/bin/telnet to a non-Kerberos host at CERN after some period of inactivity (>~ 30 min.) just hangs and has to be killed. Similarly an inactive /usr/krb5/bin/ssh to a non-Kerberos host at CERN crashed various times on me, the last time accompanied by this error message: Local: Corrupted check bytes on input. This happens on 3 Kerberized nodes: fndaub (IRIX), fndaut (Solaris) and fndapt (Linux). Needless to say this is extremely annoying. 
Thanks,
Maarten

From kreymer@fnal.gov Wed Jun 13 15:30:19 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17346 for ; Wed, 13 Jun 2001 15:30:19 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00J9PYAHIT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 15:30:18 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158E4C@listserv.fnal.gov>; Wed, 13 Jun 2001 15:30:17 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99735 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 15:30:17 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158E4B@listserv.fnal.gov>; Wed, 13 Jun 2001 15:30:17 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00K6WYAGM6@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 15:30:16 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id PAA08548; Wed, 13 Jun 2001 15:30:05 -0500 (CDT)
Date: Wed, 13 Jun 2001 15:30:05 -0500
From: Matt Crawford
Subject: Re: 000000000019036 Assigned to CRAWFORD, MATT.
In-reply-to: "13 Jun 2001 15:17:57 CDT." <318CC3D38BE0D211BB1200105A093F761781E4@csdserver2.fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106132030.PAA08548@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1281

Sorry, that's not enough information.

What host at CERN? Does it happen with one host and not with others?

What does "netstat" show for the state and Send Queue on each end
when the connection is hung? (You probably need a second session to
look at the far end. And "netstat -n" on both ends may reveal part
of the answer to the next question.)

Are there any stateful non-transparent network devices between here
and there? For example, a stateless firewall or NAT?

If you open a connection from the CERN host back to yours, does a
similar thing happen?

If the connection is not idle, does the problem never happen?
(You could start a remote
	sh -c "while echo -n .; do sleep 60; done"
[modifying the echo command if it's a SysV echo] and leave it
alone for a few hours.)

And finally, can we eliminate the possibility of some idle-process
killer on the far end?

From kreymer@fnal.gov Wed Jun 13 15:54:05 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA17375 for ; Wed, 13 Jun 2001 15:54:05 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00JDZZE3PJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 15:54:04 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158EC0@listserv.fnal.gov>; Wed, 13 Jun 2001 15:54:04 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99860 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 15:54:04 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158EBD@listserv.fnal.gov>; Wed, 13 Jun 2001 15:54:04 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEV00IN6ZE1AY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 15:54:03 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 13 Jun 2001 15:54:02 -0500
Content-return:
allowed
Date: Wed, 13 Jun 2001 15:54:01 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19036 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761781F6@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1282

19036 has been updated by marih.

Short Description : Kerberos telnet/ssh hangs or crashes

New Work Log Entry :
From: "Maarten Litmaath"
To: "ARSystem"
Subject: Re: Additional info for 000000000019036
Date: Wednesday, June 13, 2001 3:47 PM

> What host at CERN? Does it happen with one host and not with others?

The telnet is to a Sun running SunOS 4.1.4; the ssh to an IBM RS-6000/
PowerPC running AIX 4.3. There were essentially no problems before
fndaub/fndaut/fndapt got kerberized.

> What does "netstat" show for the state and Send Queue on each end
> when the connection is hung? (You probably need a second session to
> look at the far end. And "netstat -n" on both ends may reveal part
> of the answer to the next question.)

I will check next time.

> Are there any stateful non-transparent network devices between here
> and there? For example, a stateless firewall or NAT?

How can a stateLESS firewall be stateFUL? Anyway, CERN has a firewall,
of course, but it is stateless, AFAIK.

> If you open a connection from the CERN host back to yours, does a
> similar thing happen?

Will try.

> If the connection is not idle, does the problem never happen?
> (You could start a remote
> sh -c "while echo -n .; do sleep 60; done"
> [modifying the echo command if it's a SysV echo] and leave it
> alone for a few hours.)

Will try.

> And finally, can we eliminate the possibility of some idle-process
> killer on the far end?

Yes.

One more idea: may the absence/expiration of credentials have anything
to do with the matter? Do telnet/ssh require them for their operation?
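The check Matt asks for above (compare the state and the Send Queue of the hung connection as seen from each end) as an editor-added example; this is not code from the thread or from any Fermilab or CERN tool. The two netstat listings are constructed, with RFC 5737 documentation addresses standing in for the Fermilab and CERN hosts, in the Linux and the BSD/SunOS column layouts of the period, since the thread mentions Linux, IRIX, Solaris, SunOS 4.1.4 and AIX hosts. Only the state and Send-Q columns are used, and the classification of each pair is my reading of Matt's questions, not something the thread states.

```python
"""Compare `netstat -n` output from both ends of a TCP connection and say
where the two views disagree.

Editor-added example; not code from the thread.  The two listings are
constructed (RFC 5737 documentation addresses stand in for the Fermilab
and CERN hosts) in the Linux and the BSD/SunOS column layouts of the
period.  Only the state and the Send-Q of each socket are used.  IPv4
only: the '::' in IPv6 addresses would confuse the port split below.
"""
import re
from collections import namedtuple

Conn = namedtuple('Conn', 'local remote send_q state')

# Constructed: the near (Fermilab) end.  Port 1023 -> 23 has 212 bytes
# queued that never get acknowledged.
NEAR_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    212 192.0.2.10:1023         198.51.100.7:23         ESTABLISHED
tcp        0      0 192.0.2.10:1022         198.51.100.7:22         ESTABLISHED
tcp        0      0 192.0.2.10:1021         198.51.100.9:22         ESTABLISHED
"""

# Constructed: the far (CERN) end at the same moment.  SunOS-style netstat
# separates the port with a dot, and the ssh session on port 1022 is gone.
FAR_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  198.51.100.7.23        192.0.2.10.1023        ESTABLISHED
tcp        0      0  198.51.100.9.22        192.0.2.10.1021        ESTABLISHED
"""

LINE_RE = re.compile(r'^\s*(tcp\S*)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$')


def split_endpoint(addr):
    """'10.0.0.1:23' (Linux) or '10.0.0.1.23' (BSD/SunOS) -> ('10.0.0.1', 23).
    A wildcard port ('*', listening sockets) becomes None."""
    sep = ':' if ':' in addr else '.'
    host, port = addr.rsplit(sep, 1)
    return host, (None if port == '*' else int(port))


def parse_netstat(text):
    """{(local, remote): Conn} for every TCP line in a netstat dump."""
    conns = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _proto, _recv_q, send_q, laddr, raddr, state = m.groups()
        local, remote = split_endpoint(laddr), split_endpoint(raddr)
        conns[(local, remote)] = Conn(local, remote, int(send_q), state)
    return conns


def compare_ends(near_text, far_text):
    """Match each near-end socket with its mirror image on the far end
    (same 4-tuple, seen from the other side) and classify the pair."""
    near, far = parse_netstat(near_text), parse_netstat(far_text)
    findings = []
    for (local, remote), n in near.items():
        f = far.get((remote, local))
        if f is None:
            verdict = 'far end has no socket: closed or killed there, near end never told'
        elif n.state == f.state == 'ESTABLISHED' and (n.send_q or f.send_q):
            verdict = 'both ESTABLISHED but data stuck in Send-Q: packets not getting through'
        elif n.state != f.state:
            verdict = f'state mismatch: near {n.state}, far {f.state}'
        else:
            verdict = 'consistent'
        findings.append((local, remote, verdict))
    return sorted(findings)


if __name__ == '__main__':
    for local, remote, verdict in compare_ends(NEAR_NETSTAT, FAR_NETSTAT):
        print(f'{local[0]}:{local[1]} -> {remote[0]}:{remote[1]}: {verdict}')
```

Read against Matt's list: both ends ESTABLISHED with bytes sitting in the near end's Send-Q is what a firewall or NAT that has forgotten an idle flow and now drops its packets silently looks like; a near-end socket with no counterpart on the far end is what an idle-process killer there, or a RST that never made it back, leaves behind. If the far end lists the peer under a different address than the near end uses, that already answers the NAT question, and this script will then report the socket as missing rather than pair it up.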
Thanks,
Maarten

From kreymer@fnal.gov Wed Jun 13 16:16:09 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA17432 for ; Wed, 13 Jun 2001 16:16:09 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW001570ETST@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 16:16:08 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F32@listserv.fnal.gov>; Wed, 13 Jun 2001 16:16:05 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 99988 for LINUX-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 16:16:05 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F30@listserv.fnal.gov>; Wed, 13 Jun 2001 16:16:05 -0500
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW00JM50ESIT@smtp.fnal.gov>; Wed, 13 Jun 2001 16:16:04 -0500 (CDT)
Date: Wed, 13 Jun 2001 16:16:03 -0500
From: Troy Dawson
Subject: fermi-kerberos rpms
Sender: owner-linux-users@listserv.fnal.gov
To: linux-users@fnal.gov, kerberos-users@fnal.gov
Message-id: <3B27D813.276FE8B1@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1283

Hello,
I have gotten the kerberos rpm's finished.
I have made a web page detailing just the rpm part. This tells basically
what is in each of the packages, as well as where to get them (there is a
link to the ftp area). There is also a link to fermilab's main kerberos
page as well.

Since all of you might not want to go there, here is the summary.

There are three rpms.
  krb5-fermi
  krb5-fermi-login
  krb5-fermi-config

To get an install just like a product install you need to install all
three. Here is what is in each of them.

krb5-fermi
  The binaries, libs, headers, and man pages.

krb5-fermi-login
  just replaces /bin/login with the kerberized one. (note: this doesn't
  have the binary, krb5-fermi does and so krb5-fermi must be installed
  first.)

krb5-fermi-config
  Changes /etc/services, /etc/inetd.conf, /etc/sshd_config,
  /etc/krb5.conf. It has a script to add host/ftp principals. It does
  not do this for you because this needs to be interactive, but it does
  tell you what to run.

Web Page
  http://home.fnal.gov/~dawson/rpms/kerberos.html
  http://www.fnal.gov/docs/strongauth/

FTP Area
  ftp://linux1.fnal.gov/linux/612/i386/contrib/kerberos/

If you have any problem with the install, please let me know.
More general kerberos questions can be answered at the Strong
Authentication page, or by e-mail to kerberos-users@fnal.gov

Troy
--
__________________________________________________
Troy Dawson  dawson@fnal.gov  (630)840-6468
Fermilab  ComputingDivision/OSS  SCS Group
__________________________________________________

From kreymer@fnal.gov Wed Jun 13 16:20:12 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA17446 for ; Wed, 13 Jun 2001 16:20:12 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW00JEQ0LME1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 16:20:11 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F5C@listserv.fnal.gov>; Wed, 13 Jun 2001 16:20:11 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100038 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 16:20:11 -0500
Received: from heffalump (heffalump.fnal.gov) by
listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F5B@listserv.fnal.gov>; Wed, 13 Jun 2001 16:20:11 -0500
Received: from abacus.fnal.gov ([131.225.248.13]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW00IUS0LMAY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 16:20:10 -0500 (CDT)
Received: from fnal.gov (IDENT:amundson@localhost.localdomain [127.0.0.1]) by abacus.fnal.gov (8.11.0/8.11.0) with ESMTP id f5DLJc405363; Wed, 13 Jun 2001 16:19:38 -0500
Date: Wed, 13 Jun 2001 16:19:38 -0500
From: James Amundson
Subject: Re: Another kerberos connection problem
Sender: owner-kerberos-users@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-users@fnal.gov, Margaret E Votava
Message-id: <3B27D8EA.A5CE2CD6@fnal.gov>
Organization: CD/ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.2.19-7.0.1 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200106132001.PAA08416@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1284

Matt Crawford wrote:
>
> I see that in the non-working case you were authenticated as
> amundson@PILOT.FNAL.GOV while in the working case you were
> amundson@FNAL.GOV. That itself doesn't matter

That's what I thought. Just to make sure, I tried

kdestroy
kinit amundson@FNAL.GOV

That did not help.

> but it leads me to
> *guess* that the former system (abacus) considers fnods to be in the
> PILOT realm, when in fact fnods exists only in the production realm.
>
> Possible solutions:
> Update abacus to be purely production realm. (ups add-new-realm
> kerberos and/or ups change-realm kerberos)
> or
> Edit krb5.conf to eliminate a line ".fnal.gov = PILOT.FNAL.GOV"
> if present. If not running v1_2 or later, instead edit it to say
> ".fnal.gov = FNAL.GOV".

Ding ding ding! That did the trick. Your assessment was correct.
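Matt's diagnosis, confirmed by Jim just above (abacus mapped fnods into the PILOT realm through a [domain_realm] entry, while fnods has keys only for FNAL.GOV), together with Steve's `klist -k` check, as an editor-added example; none of this is code from the thread or from the Fermilab kerberos product. The three krb5.conf fragments are constructed to reproduce the state before the fix and each of Matt's two suggested edits; the `klist -k` listing is the one Margaret posted for fnods, reused as test data. The lookup order follows the documented MIT [domain_realm] rule (exact hostname first, then each parent domain with and without a leading dot, then default_realm) and goes beyond the thread's one case by resolving any hostname; DNS and KDC-referral realm lookups are not modelled.

```python
"""Resolve which realm a Kerberos client will put on a host's service
principal, using the [domain_realm] mapping from its krb5.conf, and check
that principal against the host's keytab as listed by `klist -k`.

Editor-added example; not code from the thread or from the Fermilab
kerberos product.  The krb5.conf fragments are constructed to reproduce
the before/after state Matt describes; the klist -k listing is the one
Margaret posted for fnods.  The lookup order follows the documented MIT
domain_realm rule (exact hostname, then each parent domain with and
without a leading dot, then default_realm).  DNS and KDC-referral realm
lookups are not modelled.
"""
import re

# Constructed: abacus before the fix, still mapping the whole domain to
# the pilot realm.
KRB5_CONF_BEFORE = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV

[domain_realm]
    .fnal.gov = PILOT.FNAL.GOV
"""

# Constructed: Matt's first option, drop the mapping line and rely on
# default_realm (production).
KRB5_CONF_DROPPED = """\
[libdefaults]
    default_realm = FNAL.GOV
"""

# Constructed: Matt's second option, point the mapping at production.
KRB5_CONF_EDITED = """\
[libdefaults]
    default_realm = FNAL.GOV

[domain_realm]
    .fnal.gov = FNAL.GOV
"""

# Margaret's `klist -k` output for fnods, as posted in the thread.
KLIST_K_FNODS = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 ftp/fnods.fnal.gov@FNAL.GOV
   2 host/fnods.fnal.gov@FNAL.GOV
"""


def parse_krb5_conf(text):
    """Minimal krb5.conf reader: {section: {tag: value}} for top-level
    tags.  Brace-delimited subsections (per-realm blocks) are skipped,
    since only [libdefaults] and [domain_realm] matter here."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if depth == 0 and line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif line.endswith('{'):
            depth += 1
        elif line == '}':
            depth -= 1
        elif depth == 0 and current is not None and '=' in line:
            tag, value = (part.strip() for part in line.split('=', 1))
            sections[current][tag] = value
    return sections


def realm_for_host(conf, hostname):
    """Apply the [domain_realm] lookup order to a fully qualified hostname."""
    mapping = {k.lower(): v for k, v in conf.get('domain_realm', {}).items()}
    host = hostname.lower().rstrip('.')
    if host in mapping:                       # exact host entry wins
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):           # most specific parent first
        parent = '.'.join(labels[i:])
        for candidate in ('.' + parent, parent):
            if candidate in mapping:
                return mapping[candidate]
    return conf.get('libdefaults', {}).get('default_realm')


def parse_klist_k(text):
    """Set of principals in a `klist -k` listing (KVNO column ignored)."""
    return {m.group(1) for m in
            (re.match(r'\s*\d+\s+(\S+@\S+)\s*$', l) for l in text.splitlines())
            if m}


def check_service_principal(conf_text, klist_text, fqdn, service='host'):
    """The principal the client will ask the KDC for, and whether the
    server's keytab actually holds a key for it."""
    realm = realm_for_host(parse_krb5_conf(conf_text), fqdn)
    wanted = f'{service}/{fqdn}@{realm}'
    return wanted, wanted in parse_klist_k(klist_text)


if __name__ == '__main__':
    for label, conf in (('before', KRB5_CONF_BEFORE),
                        ('mapping dropped', KRB5_CONF_DROPPED),
                        ('mapping edited', KRB5_CONF_EDITED)):
        wanted, ok = check_service_principal(conf, KLIST_K_FNODS, 'fnods.fnal.gov')
        print(f'{label:16s} client asks for {wanted:40s} '
              f'{"in keytab" if ok else "NOT in keytab"}')
```

With the "before" file the client builds host/fnods.fnal.gov@PILOT.FNAL.GOV, a principal that exists in neither fnods's keytab nor the production KDC, so the V5 attempt cannot succeed no matter what tickets the user holds; either of Matt's edits makes the client ask for host/fnods.fnal.gov@FNAL.GOV, which is what Margaret's keytab listing shows. The same `klist -k` comparison is the quick way to answer Steve's question about the keytab on the server side.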
Thanks, Jim From kreymer@fnal.gov Wed Jun 13 16:28:45 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA17454 for ; Wed, 13 Jun 2001 16:28:45 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW00JOJ0ZWIT@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 13 Jun 2001 16:28:45 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F88@listserv.fnal.gov>; Wed, 13 Jun 2001 16:28:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 100085 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 13 Jun 2001 16:28:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00158F87@listserv.fnal.gov>; Wed, 13 Jun 2001 16:28:44 -0500 Received: from ncdf30.fnal.gov ([131.225.233.153]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEW00KE30ZVX0@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 13 Jun 2001 16:28:43 -0500 (CDT) Received: from ts.infn.it (localhost.localdomain [127.0.0.1]) by ncdf30.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA31610; Wed, 13 Jun 2001 16:28:43 -0500 Date: Wed, 13 Jun 2001 16:28:43 -0500 From: Stefano Belforte Subject: version # Sender: owner-kerberos-users@listserv.fnal.gov To: "kerberos-users@fnal.gov" Message-id: <3B27DB0B.2A7257E5@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1285 Is there a way to know which version of fermi kerberos has been installed on a given machine ? 
Stefano

From kreymer@fnal.gov Thu Jun 14 09:05:45 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA19225 for ; Thu, 14 Jun 2001 09:05:45 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEX00A4CB5JAG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 14 Jun 2001 09:05:45 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015956B@listserv.fnal.gov>; Thu, 14 Jun 2001 09:05:43 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 101734 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 14 Jun 2001 09:05:43 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015956A@listserv.fnal.gov>; Thu, 14 Jun 2001 09:05:43 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEX005L2B5J8E@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 14 Jun 2001 09:05:43 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id JAA10139; Thu, 14 Jun 2001 09:05:27 -0500 (CDT)
Date: Thu, 14 Jun 2001 09:05:27 -0500
From: Matt Crawford
Subject: Re: version #
In-reply-to: "13 Jun 2001 16:28:43 CDT." <3B27DB0B.2A7257E5@ts.infn.it>
Sender: owner-kerberos-users@listserv.fnal.gov
To: Stefano Belforte
Cc: "kerberos-users@fnal.gov"
Message-id: <200106141405.JAA10139@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1286

> Is there a way to know which version of fermi kerberos
> has been installed on a given machine ?

I thought "ups list kerberos" would do it until I ran into cases where
a new version had been "upd install"d but not "ups install"d.
You could compare the binaries to each version in your product area, but that would be tedious. Maybe a new script in /usr/krb5/bin that can print the version, the build flags and/or the RELEASE-NOTES?

From kreymer@fnal.gov Thu Jun 14 13:10:43 2001 -0500
Date: Thu, 14 Jun 2001 13:10:41 -0500 (CDT)
From: Steven Timm
Subject: Strong Auth manual Sec. 11.3
To: kerberos-users@fnal.gov

On the web page

  http://www.fnal.gov/docs/strongauth/htmlpost1_0b/nonfermi_install.html

there is a section 11.3 which says

  If you're running an OS that's not supported at Fermilab, to enable the
  locally-added features of Kerberos, including CRYPTOCard and cron job
  support, download the modified source from the Computing Division CVS
  repository:

  % cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos

What this doesn't tell you is that Joe Average User can't just log into the CDCVS server. Who is it that we are supposed to ask for a login to same? And isn't this server supposed to be supporting kerberos logins now?

Also there are the following comments in section 11.4

> dawson 3/26 14:56
> use pam module that does authenticating (e.g.,
> /lib/security/pam_krb5.so)

Only problem...this module doesn't exist in the normal Fermi Linux distribution or the Fermi Kerberos distribution. Unless I much mistake, someone is going to have to actually write it.

> Edit different files that use the module (in /etc/pam.d/)
> in /etc/pam.d/xscreensaver, change
>   auth required /lib/security/pam_pwdb.so shadow nullok
> to
>   auth required /lib/security/pam_pam_krb5.so [keep_cred ignore_root]
> ( the [...] part from Dane, renews creds)
> then whenever do an xlock, type kerb pw.
> Then fix lines in /etc/pam.d/login

None of this is actually going to work until the pam_krb5.so module is made but I am pretty sure that once it is here it should be pam_krb5.so and not pam_pam_krb5.so above.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Jun 14 14:00:05 2001 -0500
Date: Thu, 14 Jun 2001 14:00:02 -0500
From: Jeffrey Schmidt
Subject: Re: Linux kerberos login and XDM login
In-reply-to: <"from timm"@fnal.gov>
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <20010614140002.E23450@b0dap11.fnal.gov>

doesn't the kerberos pam module (pam_krb5.so) work? it's easy to integrate into pam-aware apps like login, xdm/gdm/kdm, ssh, and xscreensaver.

Jeff

On Thu, Jun 14, 2001 at 12:12:15PM -0500, Steven Timm wrote:
> Since the middle of March or possibly earlier there have been reports
> on this list that it is not possible to start X properly when you
> log into a Linux box at the console prompt using the /bin/login that
> is supplied as part of the Kerberos product. This has been identified
> as being caused by the fact that the kerberos login for Linux isn't
> PAM aware, as most other things are.
>
> Has any progress been made in correcting this problem? This is an
> issue that potentially affects hundreds of Linux desktop users.
> Michael Kriss posted a patched login that showed it could be done
> but the solution should be integrated into the Fermi product.
>
> Also, has there been any progress on the related problem of making
> the graphical login for KDE or Gnome kerberos-aware? This would
> be the ideal solution.
>
> Steve Timm
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations

--
+-------------------------------------------------+
| Jeffrey A. Schmidt - SysAdmin, PPD/CDF Online   |
| Fermi National Accelerator Lab                  |
| Batavia, IL USA                                 |
| jschmidt@fnal.gov (630) 840-2207                |
+-------------------------------------------------+

From kreymer@fnal.gov Thu Jun 14 14:06:43 2001 -0500
Date: Thu, 14 Jun 2001 14:06:41 -0500 (CDT)
From: Steven Timm
Subject: Re: Linux kerberos login and XDM login
In-reply-to: <20010614140002.E23450@b0dap11.fnal.gov>
To: Jeffrey Schmidt
Cc: kerberos-users@fnal.gov

On Thu, 14 Jun 2001, Jeffrey Schmidt wrote:

> doesn't the kerberos pam module (pam_krb5.so) work? it's easy to integrate into pam-aware apps like login, xdm/gdm/kdm, ssh, and xscreensaver.
>
> Jeff

Where does one get this pam_krb5.so?

Steve

> On Thu, Jun 14, 2001 at 12:12:15PM -0500, Steven Timm wrote:
> > Since the middle of March or possibly earlier there have been reports
> > on this list that it is not possible to start X properly when you
> > log into a Linux box at the console prompt using the /bin/login that
> > is supplied as part of the Kerberos product. This has been identified
> > as being caused by the fact that the kerberos login for Linux isn't
> > PAM aware, as most other things are.
> >
> > Has any progress been made in correcting this problem? This is an
> > issue that potentially affects hundreds of Linux desktop users.
> > Michael Kriss posted a patched login that showed it could be done
> > but the solution should be integrated into the Fermi product.
> >
> > Also, has there been any progress on the related problem of making
> > the graphical login for KDE or Gnome kerberos-aware? This would
> > be the ideal solution.
> >
> > Steve Timm
> >
> > ------------------------------------------------------------------
> > Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Scientific Computing Support Group--Computing Farms Operations
>
> --
> +-------------------------------------------------+
> | Jeffrey A. Schmidt - SysAdmin, PPD/CDF Online   |
> | Fermi National Accelerator Lab                  |
> | Batavia, IL USA                                 |
> | jschmidt@fnal.gov (630) 840-2207                |
> +-------------------------------------------------+

From kreymer@fnal.gov Thu Jun 14 16:11:11 2001 -0500
Date: Thu, 14 Jun 2001 16:11:08 -0500 (CDT)
From: Steven Timm
Subject: pam_krb5.so
To: kerberos-users@fnal.gov

I have successfully modified my /etc/pam.d to use pam_krb5.so, so that I can use my kerberos password to log into a kde session and get tickets, also to lock and unlock the kde screensaver (and/or the x screen saver) using the kerberos password.

However, there are a couple of unexpected side effects:

1) Credentials are created but the credentials cache ends up in

   /tmp/krb5cc_p2904 (2904 is my uid)

   instead of /tmp/krb5cc_2904 which would be the default if you just did kinit in one of the windows after logging in by conventional means. This means that, by default, the windows don't know they have kerberos credentials. This can, of course, be corrected by setting the environment variable KRB5CCNAME, but it is a pain to do so in every window. It can also be taken care of with a strategically placed symlink but I am not sure what the implications of this are.

2) The credentials created don't seem to be forwardable (and the flags as shown in klist indicate that as well).

   snowball.timm:~> klist -f
   Ticket cache: /tmp/krb5cc_p2904
   Default principal: timm@FNAL.GOV

   Valid starting     Expires            Service principal
   06/14/01 15:49:38  06/15/01 01:49:39  krbtgt/FNAL.GOV@FNAL.GOV
           Flags: IA
   06/14/01 15:54:33  06/15/01 01:49:39  krbtgt/PILOT.FNAL.GOV@FNAL.GOV
           Flags: A

   The following error message appears when you try to telnet:

   [ Kerberos V5 accepts you as ``timm@FNAL.GOV'' ]
   Kerberos V5: error getting forwarded creds - KDC can't fulfill requested option

3) As seen above, it fetches credentials both in the pilot and the production realm...somewhat strange.

4) There is no afs ticket that appears..yet I can access my afs space just fine.

------------------------------------------------------------------
Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Jun 14 16:29:33 2001 -0500
Date: Thu, 14 Jun 2001 16:29:18 -0500
From: Matt Crawford
Subject: Re: pam_krb5.so
In-reply-to: "14 Jun 2001 16:11:08 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200106142129.QAA11893@gungnir.fnal.gov>

> 1) Credentials are created but the credentials cache
> ends up in
>
> /tmp/krb5cc_p2904 (2904 is my uid)
>
> instead of /tmp/krb5cc_2904 which would be the default if you
> just did kinit in one of the windows after logging in by conventional
> means.

Now that's fishy. The only patterns for ccache names I've seen come out of Kerberos are

  krb5cc_ttyname    from login.krb5
  krb5cc_pNNNNN     NNNN = pid of kshd/klogind/telnetd parent proc.
  krb5cc_UID        UID = numeric uid, default when no $KRB5CCNAME

Unless by an amazing coincidence your kde login pid was the same as your uid, this may be a bug in pam_krb5.so. And in any case, I would expect the credential cache name to be exported to your environment! Is there some reason a PAM can't do that?

> 2) The credentials created don't seem to be forwardable (and the
> flags as shown in klist indicate that as well).

kinit and login.krb5 check [appdefaults] to decide this. Whence the PAM you're using, and can it be tweaked to check the profile?

> 3) As seen above, it fetches credentials both in the pilot and
> the production realm...somewhat strange.

This part is not strange. The second ticket, dated five minutes later, came from a cross-realm authentication to a host service you tried to access which was believed to be in another realm.

> 4) There is no afs ticket that appears..yet I can access my afs
> space just fine.

Interesting. A leftover token from an earlier session, perhaps? Does "tokens" show it?
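An added example, not code from the thread or from pam_krb5: a small Python checker that does what Steve's report and Matt's reply above do by hand. It parses `klist -f` output, classifies the ticket-cache name against the patterns Matt lists (krb5cc_ttyname, krb5cc_pNNNN, krb5cc_UID) plus a krb5cc_<uid>_<hash> form (assumed, for modules that name caches that way), checks whether the TGT carries the F flag, and lists cross-realm TGTs. The sample klist output is constructed from the values quoted in the thread, with the Flags lines indented as klist prints them.

```python
"""Diagnose a pam_krb5 login's ticket cache from ``klist -f`` output.

Added example, not the thread's or pam_krb5's own code.
"""
import re
from dataclasses import dataclass

# Constructed sample: the klist -f output quoted in the thread, reflowed.
SAMPLE_KLIST = """\
Ticket cache: /tmp/krb5cc_p2904
Default principal: timm@FNAL.GOV

Valid starting     Expires            Service principal
06/14/01 15:49:38  06/15/01 01:49:39  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: IA
06/14/01 15:54:33  06/15/01 01:49:39  krbtgt/PILOT.FNAL.GOV@FNAL.GOV
        Flags: A
"""

TICKET_RE = re.compile(
    r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)")
FLAGS_RE = re.compile(r"^\s*Flags:\s*([A-Za-z]*)")


@dataclass
class CcacheName:
    path: str
    pattern: str        # "uid", "pid", "uid_hash", "tty" or "unknown"
    is_default: bool    # True only for the plain krb5cc_<uid> name


def classify_ccache(path: str, uid: int) -> CcacheName:
    """Map a ticket-cache path to the naming convention it follows."""
    name = path.rsplit("/", 1)[-1]          # also drops a FILE: prefix
    m = re.fullmatch(r"krb5cc_(.+)", name)
    if not m:
        return CcacheName(path, "unknown", False)
    suffix = m.group(1)
    if suffix == str(uid):
        return CcacheName(path, "uid", True)
    if suffix.isdigit():                    # krb5cc_UID, but someone else's uid
        return CcacheName(path, "uid", False)
    if re.fullmatch(r"p\d+", suffix):       # pid of kshd/klogind/telnetd parent
        return CcacheName(path, "pid", False)
    if re.fullmatch(rf"{uid}_[0-9A-Za-z]+", suffix):  # assumed uid_hash form
        return CcacheName(path, "uid_hash", False)
    return CcacheName(path, "tty", False)   # e.g. krb5cc_ttyp1 from login.krb5


def parse_klist(output: str):
    """Return (ticket cache path, default principal, [(service, flags), ...])."""
    ccache = principal = ""
    tickets = []
    for line in output.splitlines():
        if line.startswith("Ticket cache:"):
            ccache = line.split(":", 1)[1].strip()
        elif line.startswith("Default principal:"):
            principal = line.split(":", 1)[1].strip()
        else:
            t = TICKET_RE.match(line)
            if t:
                tickets.append([t.group(3), ""])
                continue
            f = FLAGS_RE.match(line)
            if f and tickets:
                tickets[-1][1] = f.group(1)   # Flags line belongs to the ticket above
    return ccache, principal, [tuple(t) for t in tickets]


def diagnose(output: str, uid: int) -> dict:
    """Summarise the three symptoms discussed in the thread."""
    ccache, principal, tickets = parse_klist(output)
    realm = principal.rsplit("@", 1)[-1]
    own_tgt = f"krbtgt/{realm}@{realm}"
    flags = dict(tickets).get(own_tgt, "")
    name = classify_ccache(ccache, uid)
    return {
        "ccache_pattern": name.pattern,
        "ccache_is_default": name.is_default,
        "tgt_forwardable": "F" in flags,
        "cross_realm_tgts": [s for s, _ in tickets
                             if s.startswith("krbtgt/") and s != own_tgt],
    }


def findings(output: str, uid: int) -> list:
    """Human-readable notes, one per symptom present."""
    d = diagnose(output, uid)
    notes = []
    if not d["ccache_is_default"]:
        notes.append("ticket cache is not the krb5cc_<uid> default; new shells "
                     "will not see it unless KRB5CCNAME is exported")
    if not d["tgt_forwardable"]:
        notes.append("TGT lacks the F flag; forwarding credentials will fail")
    for s in d["cross_realm_tgts"]:
        notes.append(f"{s} is a cross-realm TGT for a service believed to be "
                     "in another realm (expected, not an error)")
    return notes


if __name__ == "__main__":
    for note in findings(SAMPLE_KLIST, 2904):
        print("-", note)
```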
From kreymer@fnal.gov Thu Jun 14 16:34:36 2001 -0500
Date: Thu, 14 Jun 2001 16:34:33 -0500 (CDT)
From: Steven Timm
Subject: Re: pam_krb5.so
In-reply-to: <200106142129.QAA11893@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-users@fnal.gov

On Thu, 14 Jun 2001, Matt Crawford wrote:

> > 1) Credentials are created but the credentials cache
> > ends up in
> >
> > /tmp/krb5cc_p2904 (2904 is my uid)
> >
> > instead of /tmp/krb5cc_2904 which would be the default if you
> > just did kinit in one of the windows after logging in by conventional
> > means.
>
> Now that's fishy. The only patterns for ccache names I've seen come
> out of Kerberos are
>
>   krb5cc_ttyname    from login.krb5
>   krb5cc_pNNNNN     NNNN = pid of kshd/klogind/telnetd parent proc.
>   krb5cc_UID        UID = numeric uid, default when no $KRB5CCNAME
>
> Unless by an amazing coincidence your kde login pid was the same as
> your uid, this may be a bug in pam_krb5.so. And in any case, I would
> expect the credential cache name to be exported to your environment!
> Is there some reason a PAM can't do that?

I will check the docs and see. No coincidence happening here.. I have seen the same thing come back after several kdestroy.

> > 2) The credentials created don't seem to be forwardable (and the
> > flags as shown in klist indicate that as well).
>
> kinit and login.krb5 check [appdefaults] to decide this. Whence the
> PAM you're using, and can it be tweaked to check the profile?

The PAM I'm using is of unknown parentage (to me) but is supposedly the same one Dane has been playing with.

> > 3) As seen above, it fetches credentials both in the pilot and
> > the production realm...somewhat strange.
>
> This part is not strange. The second ticket, dated five minutes
> later, came from a cross-realm authentication to a host service you
> tried to access which was believed to be in another realm.
>
> > 4) There is no afs ticket that appears..yet I can access my afs
> > space just fine.
>
> Interesting. A leftover token from an earlier session, perhaps?
> Does "tokens" show it?

snowball.timm:~> tokens

Tokens held by the Cache Manager:

User's (AFS ID 2904) tokens for afs@fnal.gov [Expires Jun 22 00:23]

According to the documentation I've seen so far, the PAM is supposed to get the tokens like that so I suppose this shouldn't be surprising.
From kreymer@fnal.gov Thu Jun 14 16:36:08 2001 -0500
Date: Thu, 14 Jun 2001 16:36:05 -0500
From: Michael Diesburg
Subject: Re: pam_krb5.so
To: Matt Crawford
Cc: Steven Timm, kerberos-users@fnal.gov
Message-id: <3B292E45.DC4149B3@fnal.gov>
References: <200106142129.QAA11893@gungnir.fnal.gov>

Matt Crawford wrote:
>
> > 1) Credentials are created but the credentials cache
> > ends up in
> >
> > /tmp/krb5cc_p2904 (2904 is my uid)
> >
> > instead of /tmp/krb5cc_2904 which would be the default if you
> > just did kinit in one of the windows after logging in by conventional
> > means.
>
> Now that's fishy. The only patterns for ccache names I've seen come
> out of Kerberos are
>
>   krb5cc_ttyname    from login.krb5
>   krb5cc_pNNNNN     NNNN = pid of kshd/klogind/telnetd parent proc.
>   krb5cc_UID        UID = numeric uid, default when no $KRB5CCNAME

The pam_krb5.so modules seem to be pretty loose with this naming convention. I have one that I got from the RedHat site which produces a credential cache named kr5cc_uid_hash where hash looks like some 7 or 8 digit random hash number. Needless to say it had the same problems Steve describes. I assume it was a different version than what Steve had (it's definitely different than the one I was using).

Mike

>
> Unless by an amazing coincidence your kde login pid was the same as
> your uid, this may be a bug in pam_krb5.so. And in any case, I would
> expect the credential cache name to be exported to your environment!
> Is there some reason a PAM can't do that?
>
> > 2) The credentials created don't seem to be forwardable (and the
> > flags as shown in klist indicate that as well).
>
> kinit and login.krb5 check [appdefaults] to decide this. Whence the
> PAM you're using, and can it be tweaked to check the profile?
>
> > 3) As seen above, it fetches credentials both in the pilot and
> > the production realm...somewhat strange.
>
> This part is not strange. The second ticket, dated five minutes
> later, came from a cross-realm authentication to a host service you
> tried to access which was believed to be in another realm.
>
> > 4) There is no afs ticket that appears..yet I can access my afs
> > space just fine.
>
> Interesting. A leftover token from an earlier session, perhaps?
> Does "tokens" show it?
From kreymer@fnal.gov Thu Jun 14 16:57:50 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA20262 for ; Thu, 14 Jun 2001 16:57:50 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEX00L4FX0CYF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 14 Jun 2001 16:57:49 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00159E14@listserv.fnal.gov>; Thu, 14 Jun 2001 16:57:49 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 104280 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 14 Jun 2001 16:57:49 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00159E13@listserv.fnal.gov>; Thu, 14 Jun 2001 16:57:49 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEX00GHDX0CIP@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 14 Jun 2001 16:57:48 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA13449; Thu, 14 Jun 2001 16:57:48 -0500 Date: Thu, 14 Jun 2001 16:57:48 -0500 (CDT) From: Steven Timm Subject: Re: pam_krb5.so In-reply-to: <200106142129.QAA11893@gungnir.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Matt Crawford Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1294 > > 2) The credentials created don't seem to be forwardable (and the > > flags as shown in klist indicate that as well). > > kinit and login.krb5 check [appdefaults] to decide this. 
Whence the > PAM you're using, and can it be tweaked to check the profile? > It checks the profile by default...just have to add a "pam" stanza to appdefaults. Steve From kreymer@fnal.gov Thu Jun 14 18:28:45 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA20409 for ; Thu, 14 Jun 2001 18:28:45 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEY0031A17VFZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 14 Jun 2001 18:28:45 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00159EDA@listserv.fnal.gov>; Thu, 14 Jun 2001 18:28:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 104500 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 14 Jun 2001 18:28:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00159ED9@listserv.fnal.gov>; Thu, 14 Jun 2001 18:28:44 -0500 Received: from ncdf30.fnal.gov ([131.225.233.153]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEY00IR917VWM@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 14 Jun 2001 18:28:43 -0500 (CDT) Received: from ts.infn.it (localhost.localdomain [127.0.0.1]) by ncdf30.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA09776; Thu, 14 Jun 2001 18:28:43 -0500 Date: Thu, 14 Jun 2001 18:28:43 -0500 From: Stefano Belforte Subject: telnet failure to Italian node Sender: owner-kerberos-users@listserv.fnal.gov To: "kerberos-users@fnal.gov" Message-id: <3B2948AB.3E8FA467@ts.infn.it> MIME-version: 1.0 X-Mailer: Mozilla 4.73 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1295 A few days ago I did not have this 
problem. Now if I try logging from Fnal to my kerberised machine in Italy it first accepts the ticket, then falls in portal mode: belforte@ncdf30/~ > klist Ticket cache: /tmp/krb5cc_6423 Default principal: belforte@FNAL.GOV Valid starting Expires Service principal 06/14/01 18:03:17 06/15/01 20:03:17 krbtgt/FNAL.GOV@FNAL.GOV renew until 06/21/01 17:28:22 06/14/01 18:03:20 06/15/01 20:03:17 krbtgt/PILOT.FNAL.GOV@FNAL.GOV renew until 06/21/01 17:28:22 06/14/01 18:03:21 06/15/01 20:03:17 host/b0dau30.fnal.gov@PILOT.FNAL.GOV renew until 06/21/01 17:28:22 06/14/01 18:17:49 06/15/01 20:03:17 host/stsa11.ts.infn.it@PILOT.FNAL.GOV renew until 06/21/01 17:28:22 belforte@ncdf30/~ > telnet stsa11.ts.infn.it Trying 140.105.6.200... Connected to stsa11.ts.infn.it (140.105.6.200). Escape character is '^]'. [ Kerberos V5 accepts you as ``belforte@FNAL.GOV'' ] [ Kerberos V5 accepted forwarded credentials ] Press ENTER and compare this challenge to the one on your display: [56215333] Enter the displayed response: IS this some sign that something is wrong on my system in the non-k5 part, or is it simply the sign that I have to do something about realm/new kerberos version transition ? I installed kerberos v0_7 one and half year ago and never changed anything since (it was working !). I admit I am confused wether update to latest k5 is advisable, mandatory, or just optional. The news about it was quite technical and I did not understood good part of it, so got scared away from upgrading. The client on stsa11.ts.infn.it still works OK, by the way, only the server seems to be affected. I also tried telnet -k PILOT.FNAL.GOV (just in case), no difference. 
Stefano From kreymer@fnal.gov Fri Jun 15 08:39:54 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA20992 for ; Fri, 15 Jun 2001 08:39:54 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEZ0031I4MHKB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Jun 2001 08:39:54 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015A3CA@listserv.fnal.gov>; Fri, 15 Jun 2001 08:39:53 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105896 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 15 Jun 2001 08:39:52 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015A3C9@listserv.fnal.gov>; Fri, 15 Jun 2001 08:39:52 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEZ003194MGKO@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 15 Jun 2001 08:39:52 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA28586 for ; Fri, 15 Jun 2001 08:39:53 -0500 Date: Fri, 15 Jun 2001 08:39:52 -0500 (CDT) From: Steven Timm Subject: pam_krb5.so Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1296 Two different sets of documentation on pam_krb5.so have led me to try two different configurations of /etc/krb5.conf. One doc says it should take a "pam" stanza in appdefaults, the other suggests a separate [pam] section. 
I have now tried both and so far there is no indication that it has read either one. Has anyone successfully managed to get pam_krb5.so to give forwardable tickets? If so, how? Steve Timm ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations From kreymer@fnal.gov Fri Jun 15 08:46:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA21006 for ; Fri, 15 Jun 2001 08:46:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEZ0032H4XOK2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 15 Jun 2001 08:46:37 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015A3DF@listserv.fnal.gov>; Fri, 15 Jun 2001 08:46:36 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 105920 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 15 Jun 2001 08:46:36 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015A3DE@listserv.fnal.gov>; Fri, 15 Jun 2001 08:46:36 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GEZ003314XNKF@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 15 Jun 2001 08:46:35 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.9.1/8.9.1) with ESMTP id IAA13437; Fri, 15 Jun 2001 08:46:22 -0500 (CDT) Date: Fri, 15 Jun 2001 08:46:22 -0500 From: Matt Crawford Subject: Re: pam_krb5.so In-reply-to: "14 Jun 2001 16:57:48 CDT." 
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200106151346.IAA13437@gungnir.fnal.gov>

> It checks the profile by default...just have to add a "pam"
> stanza to appdefaults.

Then I'll make it so in the krb5conf template file, but that will only affect new installations.

From kreymer@fnal.gov Fri Jun 15 09:05:34 2001 -0500
Date: Fri, 15 Jun 2001 09:05:31 -0500
From: Troy Dawson
Subject: Re: Linux kerberos login and XDM login
To: Steven Timm
Cc: Jeffrey Schmidt, kerberos-users@fnal.gov
Message-id: <3B2A162B.FFD13BBE@fnal.gov>
Hi,
There must be an e-mail that wasn't sent to the kerberos-users list, mainly the one that says where to get this from. Since later e-mails indicate that Steve got a pam module, I'm assuming there is one out there. Would ya'll mind letting us know where it is?
Troy

Steven Timm wrote:
>
> On Thu, 14 Jun 2001, Jeffrey Schmidt wrote:
>
> > doesn't the kerberos pam module (pam_krb5.so) work? it's easy to integrate into pam-aware apps like login, xdm/gdm/kdm, ssh, and xscreensaver.
> >
> > Jeff
>
> Where does one get this pam_krb5.so?
>
> Steve
>
--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab ComputingDivision/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Fri Jun 15 09:13:09 2001 -0500
Date: Fri, 15 Jun 2001 09:13:02 -0500
From: ARSystem
Subject: 000000000019077 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7617835C@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019077 has been assigned to you.

It is a(n) Medium priority Software/Utilities /Kerberos type of problem.
Short description: setup kerberos does not work

Badge # (+) : 09708V
First Name : WILLEM
Last Name (+) : VAN LEEUWEN
Phone : 2817
E-Mail Address : WILLEM@FNAL.GOV
Incident Time : 6/15/01 6:40:04 AM
System Name :
Urgency : Medium
Public Work Log :
Problem Description : When I setup kerberos I get:

[hoeve] [33] setup kerberos
INFORMATIONAL: Product 'kerberos' (with qualifiers ''), has no current chain (or may not exist)

This seems to be in contradiction with:

[hoeve] [34] ups list kerberos -aK+
"kerberos" "v0_7" "Linux+2.2" "" ""
"kerberos" "v1_3" "Linux+2.2" "" "current"

What am I doing wrong?
Thanks and best regards,

Willem

From kreymer@fnal.gov Fri Jun 15 09:15:50 2001 -0500
Date: Fri, 15 Jun 2001 09:15:43 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: 000000000019077 Assigned to CRAWFORD, MATT.
To: ticketupdate@fnal.gov
Cc: "'kerberos-users@fnal.gov'"
Message-id: <3B2A188F.4E2123DF@fnal.gov>

Weird. Can you send the output of setup -vvvv kerberos ?
-- lauri

ARSystem wrote:
>
> CRAWFORD, MATT, Help Desk Ticket #000000000019077
> has been assigned to you.
>
> It is a(n) Medium priority Software/Utilities
> /Kerberos type of problem.
> Short description: setup kerberos does not work
>
> Badge # (+) : 09708V
> First Name : WILLEM
> Last Name (+) : VAN LEEUWEN
> Phone : 2817
> E-Mail Address : WILLEM@FNAL.GOV
> Incident Time : 6/15/01 6:40:04 AM
> System Name :
> Urgency : Medium
> Public Work Log :
> Problem Description : When I setup kerberos I get:
>
> [hoeve] [33] setup kerberos
> INFORMATIONAL: Product 'kerberos' (with qualifiers ''), has no
> current chain (or may not exist)
>
> This seems to be in contradiction with:
>
> [hoeve] [34] ups list kerberos -aK+
> "kerberos" "v0_7" "Linux+2.2" "" ""
> "kerberos" "v1_3" "Linux+2.2" "" "current"
>
> What am I doing wrong?
>
> Thanks and best regards,
>
> Willem

From kreymer@fnal.gov Fri Jun 15 09:18:17 2001 -0500
Date: Fri, 15 Jun 2001 09:18:11 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19077 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7617835F@csdserver2.fnal.gov>

19077 has been updated by marih.
Short Description : setup kerberos does not work
New Work Log Entry :

From: "HelpDesk"
To: "Willem van Leeuwen"
Cc: "Help Desk"
Subject: Re: setup kerberos does not work
Date: Friday, June 15, 2001 8:15 AM

Willem,

On what 'system' are you executing the command ?

Thank you,
Tom Bozonelos

From kreymer@fnal.gov Fri Jun 15 09:23:27 2001 -0500
Date: Fri, 15 Jun 2001 09:23:20 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19077 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76178361@csdserver2.fnal.gov>

19077 has been updated by marih.
Short Description : setup kerberos does not work
New Work Log Entry :

From: "Willem van Leeuwen"
To: "HelpDesk"
Subject: Re: setup kerberos does not work
Date: Friday, June 15, 2001 9:15 AM

On Fri, 15 Jun 2001, HelpDesk wrote:

> Willem,
>
> On what 'system' are you executing the command ?
>

On hoeve.nikhef.nl

This system is the server of our farm. ups/upd has been used to install sam, fbsng. I could use kerberos some time ago but now the setup does not work anymore.
Thanks for your help,

Willem

From kreymer@fnal.gov Fri Jun 15 09:23:29 2001 -0500
Date: Fri, 15 Jun 2001 09:23:20 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19077 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76178360@csdserver2.fnal.gov>

19077 has been updated by ARWebGuest.
Short Description : setup kerberos does not work
New Work Log Entry :

Laurelin of Middle Earth, 630-840-2214 added this information:

Weird. Can you send the output of setup -vvvv kerberos ?
-- lauri

ARSystem wrote:
>
> CRAWFORD, MATT, Help Desk Ticket #000000000019077
> has been assigned to you.
>
> It is a(n) Medium priority Software/Utilities
> /Kerberos type of problem.
> Short description: setup kerberos does not work
>
> Badge # (+) : 09708V
> First Name : WILLEM
> Last Name (+) : VAN LEEUWEN
> Phone : 2817
> E-Mail Address : WILLEM@FNAL.GOV
> Incident Time : 6/15/01 6:40:04 AM
> System Name :
> Urgency : Medium
> Public Work Log :
> Problem Description : When I setup kerberos I get:
>
> [hoeve] [33] setup kerberos
> INFORMATIONAL: Product 'kerberos' (with qualifiers ''), has no
> current chain (or may not exist)
>
> This seems to be in contradiction with:
>
> [hoeve] [34] ups list kerberos -aK+
> "kerberos" "v0_7" "Linux+2.2" "" ""
> "kerberos" "v1_3" "Linux+2.2" "" "current"
>
> What am I doing wrong?
>
> Thanks and best regards,
>
> Willem

From kreymer@fnal.gov Fri Jun 15 09:48:32 2001 -0500
Date: Fri, 15 Jun 2001 09:48:30 -0500 (CDT)
From: Steven Timm
Subject: Re: Linux kerberos login and XDM login
In-reply-to: <3B2A162B.FFD13BBE@fnal.gov>
To: Troy Dawson
Cc: Jeffrey Schmidt, kerberos-users@fnal.gov

Jeffrey sent me a binary by E-mail of a pam_krb5.so that he had gotten from Dane. I don't know what rpm version it is or anything. For Redhat7 the rpms are all on linux2:/export/linux/7xtest/i386, and they all work. The question is just how to make it work with Redhat 6.1 and fermi Kerberos.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 15 Jun 2001, Troy Dawson wrote:

> Hi,
> There must be an e-mail that wasn't sent to the kerberos-users list, mainly the
> one that says where to get this from. Since later e-mails indicate that Steve
> got a pam module, I'm assuming there is one out there. Would ya'll mind
> letting us know where it is?
> Troy
> Steven Timm wrote:
> >
> > On Thu, 14 Jun 2001, Jeffrey Schmidt wrote:
> >
> > > doesn't the kerberos pam module (pam_krb5.so) work? it's easy to integrate into pam-aware apps like login, xdm/gdm/kdm, ssh, and xscreensaver.
> > >
> > > Jeff
> >
> > Where does one get this pam_krb5.so?
> >
> > Steve
> >
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

From kreymer@fnal.gov Fri Jun 15 10:01:20 2001 -0500
Date: Fri, 15 Jun 2001 10:01:17 -0500
From: rreitz
Subject: Re: telnet failure to Italian node
In-reply-to: <3B2948AB.3E8FA467@ts.infn.it>
To: Stefano Belforte, "kerberos-users@fnal.gov"
Message-id: <5.1.0.14.2.20010615091322.03c0bf50@imapserver2.fnal.gov>

Stefano,

The short answer is that you are
authenticated in the production realm 'FNAL.GOV', but you are not authorized to access 'stsa11.ts.infn.it' with your production realm credential.

I'm not sure what changed in the "last few days" to cause this situation. Likely, the host you were using (ncdf30) was moved (i.e. its default realm was changed) into the production FNAL.GOV realm.

Several "fixes" are available. Here is a list of fixes with the most desirable fix first.

1) Upgrade 'stsa11.ts.infn.it' to the current Fermi Kerberos v1_3a. This will allow you to move this host into the production realm using the ups action "change-realm". Upgrading will place a cross-realm authorization rule in krb5.conf that will allow authorized access from production to pilot realm.

2) Leave the Kerberos v0_7 on stsa11, but add a principal in the .k5login in your account to accept a production realm credential. That is, add this line to the .k5login file....

belforte@FNAL.GOV

You will also need to add a line for any PILOT realm credentials....

belforte@PILOT.FNAL.GOV

3) Get a ticket-granting-ticket in the PILOT realm by using 'kinit belforte@PILOT.FNAL.GOV'. Use this credential to access stsa11. The problem with this fix is that you may find that you cannot use the PILOT credential to access other hosts.

The first fix (upgrading kerberos) is recommended.

Randy Reitz

At 06:28 PM 6/14/2001 -0500, Stefano Belforte wrote:
>A few days ago I did not have this problem.
>Now if I try logging from Fnal to my kerberised machine in Italy
>it first accepts the ticket, then falls in portal mode:
>
>belforte@ncdf30/~ > klist
>Ticket cache: /tmp/krb5cc_6423
>Default principal: belforte@FNAL.GOV
>
>Valid starting      Expires             Service principal
>06/14/01 18:03:17   06/15/01 20:03:17   krbtgt/FNAL.GOV@FNAL.GOV
>        renew until 06/21/01 17:28:22
>06/14/01 18:03:20   06/15/01 20:03:17   krbtgt/PILOT.FNAL.GOV@FNAL.GOV
>        renew until 06/21/01 17:28:22
>06/14/01 18:03:21   06/15/01 20:03:17   host/b0dau30.fnal.gov@PILOT.FNAL.GOV
>        renew until 06/21/01 17:28:22
>06/14/01 18:17:49   06/15/01 20:03:17   host/stsa11.ts.infn.it@PILOT.FNAL.GOV
>        renew until 06/21/01 17:28:22
>belforte@ncdf30/~ > telnet stsa11.ts.infn.it
>Trying 140.105.6.200...
>Connected to stsa11.ts.infn.it (140.105.6.200).
>Escape character is '^]'.
>[ Kerberos V5 accepts you as ``belforte@FNAL.GOV'' ]
>[ Kerberos V5 accepted forwarded credentials ]
>Press ENTER and compare this challenge to the one on your display:
>[56215333]
>Enter the displayed response:
>
>Is this some sign that something is wrong on my system in the
>non-k5 part, or is it simply the sign that I have to do
>something about realm/new kerberos version transition ?
>I installed kerberos v0_7 one and half year ago and never
>changed anything since (it was working !).
>
>I admit I am confused whether update to latest k5 is advisable,
>mandatory, or just optional. The news about it was quite technical
>and I did not understand good part of it, so got scared away
>from upgrading.
>
>The client on stsa11.ts.infn.it still works OK, by the way, only
>the server seems to be affected.
>
>I also tried telnet -k PILOT.FNAL.GOV (just in case), no difference.
>
> Stefano

From kreymer@fnal.gov Fri Jun 15 10:48:49 2001 -0500
Date: Fri, 15 Jun 2001 10:48:32 -0500
From: Matt Crawford
Subject: Re: pam_krb5.so
In-reply-to: "15 Jun 2001 08:39:52 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200106151548.KAA13930@gungnir.fnal.gov>

I suggest doing "strings" on pam_krb5.so, or sending me [a pointer to] the source code.
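As an added illustration (not code from the archive, from Fermi Kerberos or from pam_krb5), the following Python models the two questions in the messages above: where pam_krb5.so looks for its settings in krb5.conf (the appdefaults "pam" stanza, never a top-level [pam] section), and why a belforte@FNAL.GOV credential is authenticated but not authorized on a host whose .k5login only knows belforte@PILOT.FNAL.GOV. The appdefaults lookup order is my recollection of MIT libkrb5 and the sample configuration is constructed; both are marked as assumptions in the code.

```python
import re


def parse_krb5_conf(text):
    """Parse krb5.conf "profile" syntax into nested dicts.
    Handles [section] headers, key = value lines and key = { ... } blocks."""
    sections = {}
    stack = []                       # dicts currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[([^\]]+)\]$", line)
        if m:                        # new top-level section
            stack = [sections.setdefault(m.group(1), {})]
            continue
        if not stack:
            continue                 # text before the first section
        if line == "}":
            if len(stack) > 1:
                stack.pop()
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            stack.append(stack[-1].setdefault(key, {}))
        else:
            stack[-1][key] = value
    return sections


def appdefault(conf, appname, realm, key, default=None):
    """Resolve an application default the way krb5_appdefault_* does.
    Lookup order (assumption from memory of MIT libkrb5, not from the archive):
      appname { realm { key } }, appname { key }, realm { key }, key,
    all inside [appdefaults].  A top-level [pam] section is never consulted,
    which is why the second configuration in the thread had no effect."""
    app = conf.get("appdefaults", {})
    for path in ((appname, realm, key), (appname, key), (realm, key), (key,)):
        node = app
        for part in path:
            node = node.get(part) if isinstance(node, dict) else None
            if node is None:
                break
        if isinstance(node, str):
            return node
    return default


def as_bool(value):
    """krb5 accepts several spellings of a boolean value."""
    return str(value).strip().lower() in ("true", "yes", "y", "on", "1")


def authorized(principal, username, default_realm, k5login=None):
    """Model the login-time authorization decision on the target host.
    k5login is the list of lines from ~username/.k5login, or None when the
    file does not exist.  Authentication has already succeeded ("accepts
    you as ..."); this is the separate check that fell through to portal mode."""
    if k5login is None:
        # No .k5login: only <username>@<host's default realm> may log in.
        return principal == "%s@%s" % (username, default_realm)
    allowed = {ln.strip() for ln in k5login if ln.strip() and not ln.startswith("#")}
    return principal in allowed


# Constructed sample, not a real Fermi krb5.conf (assumption).  The [pam]
# section is the form pam_krb5.so ignores; the appdefaults stanza is read.
SAMPLE_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV

[appdefaults]
    pam = {
        forwardable = true
        FNAL.GOV = {
            forwardable = false
        }
    }

[pam]
    forwardable = true
"""


if __name__ == "__main__":
    conf = parse_krb5_conf(SAMPLE_CONF)
    realm = conf["libdefaults"]["default_realm"]
    for r in (realm, "FNAL.GOV"):
        fwd = as_bool(appdefault(conf, "pam", r, "forwardable", "false"))
        print("pam_krb5 forwardable for realm %s: %s" % (r, fwd))
    # Stefano's case: authenticated as belforte@FNAL.GOV on a PILOT-realm host.
    for k5 in (None, ["belforte@PILOT.FNAL.GOV"],
               ["belforte@PILOT.FNAL.GOV", "belforte@FNAL.GOV"]):
        ok = authorized("belforte@FNAL.GOV", "belforte", realm, k5)
        print(".k5login=%s -> authorized=%s" % (k5, ok))
```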
From kreymer@fnal.gov Fri Jun 15 11:38:57 2001 -0500
Date: Fri, 15 Jun 2001 11:38:39 -0500
From: Matt Crawford
Subject: Re: version #
To: Stefano Belforte
Cc: kerberos-users@fnal.gov
Message-id: <200106151638.LAA14240@gungnir.fnal.gov>

> Is there a way to know which version of fermi kerberos
> has been installed on a given machine ?
It turns out I already put in a way to tell the version, of one key file at least:

% strings /usr/krb5/lib/libkrb5.so | grep BRAND
@(#)KRB5_BRAND: FNAL $Name: FNAL_v1_3a $ $Date: 1999/07/27 20:35:44 $

From kreymer@fnal.gov Mon Jun 18 10:28:43 2001 -0500
Date: Mon, 18 Jun 2001 10:28:40 -0500
From: Lynn Garren
Subject: login machine by Friday?
To: kerberos-users@fnal.gov
Reply-to: garren@fnal.gov
Message-id: <200106181528.KAA01042@fnpspb.fnal.gov>

I know that there are plans to have kerberos installed on some machine in the e-mail center. FOCUS has a group meeting this weekend. Is it possible to have a machine available for changing kerberos passwords by Friday morning?

Lynn

From kreymer@fnal.gov Mon Jun 18 12:04:05 2001 -0500
Date: Mon, 18 Jun 2001 12:03:51 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 19036
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182134@csdserver2.fnal.gov>

This reminder created on 6/18/01 12:03:02 PM

Ticket 19036 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : MAARTEN
Last Name (+) : LITMAATH
Phone : 6467
E-Mail Address : LITMAATH@FNAL.GOV
Incident Time : 6/13/01 3:11:56 PM
System Name :
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : Kerberos telnet/ssh hangs or crashes
Problem Description : I have repeatedly observed that a /usr/krb5/bin/telnet to a non-Kerberos host at CERN after some period of inactivity (>~ 30 min.) just hangs and has to be killed. Similarly an inactive /usr/krb5/bin/ssh to a non-Kerberos host at CERN crashed various times on me, the last time accompanied by this error message:

Local: Corrupted check bytes on input.

This happens on 3 Kerberized nodes: fndaub (IRIX), fndaut (Solaris) and fndapt (Linux). Needless to say this is extremely annoying.
Thanks,
Maarten

From kreymer@fnal.gov Mon Jun 18 12:04:11 2001 -0500
Date: Mon, 18 Jun 2001 12:03:53 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 18992
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618213D@csdserver2.fnal.gov>

This reminder created on 6/18/01 12:03:04 PM

Ticket 18992 has been assigned to you. This is a reminder that the ticket is not yet resolved.
Status : Assigned
First Name : MARC
Last Name (+) : PATERNO
Phone : 4532
E-Mail Address : PATERNO@FNAL.GOV
Incident Time : 6/12/01 11:29:45 AM
System Name : D0LXBLD7
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : kerberized FTP
Problem Description :
Hello,

I'm trying to use Reflection FTP Client to do a kerberized FTP from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect it may be because I'm still using paterno@PILOT.FNAL.GOV as my Kerberos principal. I tried looking in the documentation at http://www.fnal.gov/docs/strongauth/, but was unable to find instructions for how to switch my principal. The installation instructions for WRQ Reflection still say to use PILOT.FNAL.GOV. Could someone please tell me where I can find the appropriate instructions?

thanks,
Marc

--
Marc Paterno
FNAL/CD Special Assignments
(630) 840-4532 (WH 6E, 645)
(630) 840-6457 (CDF Trailer 169F)
(630) 840-6689 (DAB 5)

From kreymer@fnal.gov Mon Jun 18 12:04:27 2001 -0500
Date: Mon, 18 Jun 2001 12:03:59 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 18807
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182155@csdserver2.fnal.gov>

This reminder created on 6/18/01 12:03:09 PM
Ticket 18807 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status : Assigned
First Name : GEORGE
Last Name (+) : ALVERSON
Phone : 2573
E-Mail Address : ALVERSON@FNAL.GOV
Incident Time : 6/4/01 11:19:51 AM
System Name :
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : KDC Unreachable
Problem Description :
I just tried to log onto d0mino using a WRQ Reflection client and it gave me a "KDC unreachable" error. Is the KDC unreachable?
Thanks,
George Alverson

From kreymer@fnal.gov Mon Jun 18 14:27:06 2001 -0500
Date: Mon, 18 Jun 2001 14:27:04 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000018992
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182206@csdserver2.fnal.gov>

The following note has been sent to the requester: PATERNO, MARC
Short Description : kerberized FTP
Notes to Requester :
Per the expert: "Did the requester find my message of June 12 insufficient? I never heard anything back?"

From kreymer@fnal.gov Mon Jun 18 14:32:16 2001 -0500
Date: Mon, 18 Jun 2001 14:32:11 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000018807
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182208@csdserver2.fnal.gov>

The following note has been sent to the requester: ALVERSON, GEORGE
Short Description : KDC Unreachable
Notes to Requester :
Per the expert: "Was my message of June 4 insufficient? I never saw anything back."
From kreymer@fnal.gov Mon Jun 18 14:42:33 2001 -0500
Date: Mon, 18 Jun 2001 14:42:27 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18992 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618220E@csdserver2.fnal.gov>

18992 has been updated by marih.
Short Description : kerberized FTP
New Work Log Entry :
From: "Marc Paterno"
To: "ARSystem"
Subject: RE: Additional info for 000000000018992
Date: Monday, June 18, 2001 2:32 PM

Hello,

I don't think I received the message sent on June 12, but I was able to find it on the web. The answer is not quite sufficient: can someone with WRQ expertise tell me where to find the documentation of how to switch from using PILOT.FNAL.GOV to the FNAL.GOV realm?

thanks,
Marc

From kreymer@fnal.gov Mon Jun 18 16:30:51 2001 -0500
Date: Mon, 18 Jun 2001 16:30:37 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18807 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182240@csdserver2.fnal.gov>

Thank you for your assistance. Help Desk ticket #000000000018807 has been resolved on 6/18/01 4:27:37 PM
Resolution Timestamp: : 6/18/01 4:25:58 PM
Solution Category : Service Request
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : KDC Unreachable
Solution :
I haven't had any other problems since the original report, so as far as I'm concerned, whatever it was has "healed" itself. If something like this occurs again, I'll make sure to note the time.
Problem Description :
I just tried to log onto d0mino using a WRQ Reflection client and it gave me a "KDC unreachable" error. Is the KDC unreachable?

Thanks,
George Alverson

From kreymer@fnal.gov Tue Jun 19 11:01:40 2001 -0500
Date: Tue, 19 Jun 2001 11:01:37 -0500
From: "Mark O. Kaletka"
Subject: WRQ & Production Realm Definitions
To: kerberos-users@fnal.gov, wrq-users@fnal.gov

I've created a registry update file to set up the definitions for the production domain for the WRQ Kerberos Manager v7.0. It will add the realm definition for FNAL.GOV, update the admin servers for both FNAL.GOV and PILOT.FNAL.GOV, add the new KDC's for FNAL.GOV and PILOT.FNAL.GOV, and change the default realm for the machine to FNAL.GOV.

After applying the registry update users will need to open the Kerberos Manager and, under the "Credentials" menu, create a "New Principal Profile..." for themselves in the production FNAL.GOV realm. Note that you can keep principal profiles defined in both realms.

To apply the update, open the registry export file from here:

    \\pckits\WRQ\FNAL.GOV.reg

Please note that this update is NOT valid for the v8.0 Kerberos Manager, if you have been part of the beta test! If you need updates for the beta version, please email me directly.

-- Mark K.
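The four changes Mark describes for the WRQ registry file (add the FNAL.GOV realm, update both admin servers, add the new KDCs, switch the default realm) have a direct equivalent for the Unix clients on the list, whose realm definitions live in an MIT-style krb5.conf. The script below is an added example, not the FNAL.GOV.reg file or any Fermilab code, and it assumes placeholder KDC and admin-server host names, since the mail names none.

```python
"""Apply the production-realm definitions to an MIT-style krb5.conf.
Constructed example (not Fermilab's FNAL.GOV.reg, not the WRQ registry
format): adds the FNAL.GOV realm, sets both admin servers, adds the new
KDCs for both realms and switches default_realm to FNAL.GOV.
All host names are placeholders (assumption), not real Fermilab servers."""
import re

# Placeholder server names: assumptions, not taken from the mailing list.
NEW_KDCS = {
    "FNAL.GOV": ["kdc-1.example.fnal.gov", "kdc-2.example.fnal.gov"],
    "PILOT.FNAL.GOV": ["pilot-kdc-new.example.fnal.gov"],
}
ADMIN_SERVER = {
    "FNAL.GOV": "kadmin.example.fnal.gov",
    "PILOT.FNAL.GOV": "pilot-kadmin.example.fnal.gov",
}

def parse_krb5_conf(text):
    """Parse the krb5.conf subset used here: [section] headers,
    key = value lines and one level of NAME = { ... } blocks.
    Repeated keys (several 'kdc' lines) are collected into a list."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"^\[(\S+)\]$", line)
        if m:
            section = conf.setdefault(m.group(1), {})
            block = None
            continue
        if section is None:
            raise ValueError("key outside any section: %r" % raw)
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*(.*)$", line)
        if not m:
            raise ValueError("unparseable line: %r" % raw)
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            block = section.setdefault(key, {})
            continue
        target = block if block is not None else section
        if key not in target:
            target[key] = value
        elif isinstance(target[key], list):
            target[key].append(value)
        else:
            target[key] = [target[key], value]
    return conf

def apply_production_realm(conf):
    """Make the four changes in place and return the config."""
    conf.setdefault("libdefaults", {})["default_realm"] = "FNAL.GOV"
    realms = conf.setdefault("realms", {})
    for realm in ("FNAL.GOV", "PILOT.FNAL.GOV"):
        stanza = realms.setdefault(realm, {})       # creates FNAL.GOV if absent
        stanza["admin_server"] = ADMIN_SERVER[realm]
        kdcs = stanza.get("kdc", [])
        kdcs = [kdcs] if isinstance(kdcs, str) else list(kdcs)
        for host in NEW_KDCS[realm]:                 # add, never duplicate
            if host not in kdcs:
                kdcs.append(host)
        stanza["kdc"] = kdcs
    return conf

def render_krb5_conf(conf):
    """Serialise the parsed structure back to krb5.conf text."""
    out = []
    for name, section in conf.items():
        out.append("[%s]" % name)
        for key, value in section.items():
            if isinstance(value, dict):
                out.append("    %s = {" % key)
                for k, v in value.items():
                    for item in (v if isinstance(v, list) else [v]):
                        out.append("        %s = %s" % (k, item))
                out.append("    }")
            else:
                for item in (value if isinstance(value, list) else [value]):
                    out.append("    %s = %s" % (key, item))
        out.append("")
    return "\n".join(out)

def migrate(text):
    """Full round trip: parse, apply the realm changes, render."""
    return render_krb5_conf(apply_production_realm(parse_krb5_conf(text)))

# Constructed sample of a host still set up for the pilot realm only.
SAMPLE_PILOT_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV

[realms]
    PILOT.FNAL.GOV = {
        kdc = pilot-kdc-old.example.fnal.gov
        admin_server = pilot-kdc-old.example.fnal.gov
    }
"""

if __name__ == "__main__":
    print(migrate(SAMPLE_PILOT_CONF))
```

As with the registry update, the PILOT.FNAL.GOV definition is kept so credentials in both realms remain usable; running the script twice leaves the file unchanged.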
From kreymer@fnal.gov Tue Jun 19 15:22:11 2001 -0500
Date: Tue, 19 Jun 2001 15:22:01 -0500
From: ARSystem
Subject: 000000000019145 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618232F@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019145 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: Cannot activate host/ftp principals
Badge # (+) : 12004N
First Name : IGOR
Last Name (+) : TEREKHOV
Phone : 8884
E-Mail Address : TEREKHOV@FNAL.GOV
Incident Time : 6/19/01 3:16:46 PM
System Name :
Urgency : Medium
Public Work Log :
6/19/01 3:19:56 PM blomberg
Can you assist?
Problem Description :
When I try to ups install kerberos on e.g. sameggs.fnal.gov, I get this highly informative message:

    kadmin: Preauthentication failed while initializing kadmin interface
    kadmin: Preauthentication failed while initializing kadmin interface
    ERROR: could not add principal ftp/sameggs.fnal.gov to keytab file.
    kadmin: Preauthentication failed while initializing kadmin interface
    kadmin: Preauthentication failed while initializing kadmin interface
    ERROR: could not add principal host/sameggs.fnal.gov to keytab file.

I have followed every line at http://www.fnal.gov/docs/products/kerberos/. I had Yolanda reset that password for me two times. I have checked the time on the system. I have no bloody CLUE!!! Please help!!!

Thank you.

Addt-l info: the system (and others I try) has been in PILOT for a few months. Can't migrate to FNAL.GOV.

-+-+-+-+-+-+-+-+-+-+
Igor Terekhov, Ph.D.
Computing Division, ODS MS 114
Fermi National Accelerator Laboratory
Phone: 630-840-8884 Fax: x2783
E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Tue Jun 19 16:08:29 2001 -0500
Date: Tue, 19 Jun 2001 16:08:18 -0500
From: ARSystem
Subject: 000000000019141 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182344@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019141 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: telnet
Badge # (+) : 03098N
First Name : CARLOS
Last Name (+) : HOJVAT
Phone : 4400
E-Mail Address : HOJVAT@FNAL.GOV
Incident Time : 6/19/01 12:46:06 PM
System Name : FNALU
Urgency : Medium
Public Work Log :
6/19/01 1:05:19 PM marih
The following was e-mailed to the Requester: What system are you trying to connect to?
6/19/01 4:07:02 PM blomberg
From: "Carlos Hojvat"
To: "ARSystem"
Subject: Re: Additional info for 000000000019141
Date: Tuesday, June 19, 2001 4:02 PM
fsgi01 or any fnalU (perhaps it is carlosf@mcs.net, I will check it)
Can you assist?
Problem Description :
I tried to telnet from my service provider account. It appears that kerberos does not recognize it. I believe that I am carlosf@mcsnet.com. Whom should I contact?

Thanks,
Carlos

From kreymer@fnal.gov Tue Jun 19 16:08:31 2001 -0500
Date: Tue, 19 Jun 2001 16:08:18 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19141 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182345@csdserver2.fnal.gov>

19141 has been updated by blomberg.
Short Description : telnet
New Work Log Entry :
From: "Carlos Hojvat"
To: "ARSystem"
Subject: Re: Additional info for 000000000019141
Date: Tuesday, June 19, 2001 4:02 PM
fsgi01 or any fnalU (perhaps it is carlosf@mcs.net, I will check it)
Can you assist?

From kreymer@fnal.gov Tue Jun 19 16:16:53 2001 -0500
Date: Tue, 19 Jun 2001 16:16:50 -0500
From: Margaret Votava
Subject: kerberos on win2k
To: kerberos-users@fnal.gov
Message-id: <3B2FC142.7E625349@fnal.gov>
Organization: Fermi National Accelerator Laboratory

Hi,

I am running wrq on my Windows 2000 box and am creating telnet sessions. How do I know if this telnet session is encrypted? I would like it to be.

Thanks,
Margaret

From kreymer@fnal.gov Tue Jun 19 16:18:43 2001 -0500
Date: Tue, 19 Jun 2001 16:18:39 -0500
From: Anne Heavey
Subject: Re: kerberos on win2k
In-reply-to: "Your message of Tue, 19 Jun 2001 16:16:50 CDT." <3B2FC142.7E625349@fnal.gov>
To: Margaret Votava
Cc: kerberos-users@fnal.gov, aheavey@fsui02.fnal.gov
Message-id: <200106192118.f5JLIdZ18857@fsui02.fnal.gov>

> Hi,
>
> I am running wrq on my Windows 2000 box and am creating telnet
> sessions. How do I know if this telnet session is encrypted?
> I would like it to be.
>
> Thanks,
> Margaret

See http://www.fnal.gov/docs/strongauth/htmlpost1_0b/encryptconn.html#63150

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Tue Jun 19 16:28:19 2001 -0500
Date: Tue, 19 Jun 2001 16:28:13 -0500
From: rreitz
Subject: Re: kerberos on win2k
In-reply-to: <3B2FC142.7E625349@fnal.gov>
To: Margaret Votava, kerberos-users@fnal.gov
Message-id: <5.1.0.14.2.20010619162631.033ea440@imapserver2.fnal.gov>

The "status bar" (at the bottom of the telnet window) will display a "key" icon when the session is encrypted. If you don't see a status bar, use the menu item "Setup|Display" to display a dialog box. Select the "Options" tab and be sure the "Status bar" item is checked.

Randy

At 04:16 PM 6/19/2001 -0500, Margaret Votava wrote:
>Hi,
>
>I am running wrq on my Windows 2000 box and am creating telnet
>sessions. How do I know if this telnet session is encrypted?
>I would like it to be.
>
>Thanks,
>Margaret

From kreymer@fnal.gov Tue Jun 19 16:35:12 2001 -0500
Date: Tue, 19 Jun 2001 16:35:07 -0500
From: rreitz
Subject: Re: kerberos on win2k
In-reply-to: <3B2FC142.7E625349@fnal.gov>
To: Margaret Votava, kerberos-users@fnal.gov
Message-id: <5.1.0.14.2.20010619163129.00b0eba8@imapserver2.fnal.gov>

Ooops, it's the "lock" icon in the status bar that indicates the session is encrypted. The "key" icon indicates the session is authenticated. Also, the text in the status bar describes the session parameters.

You need to check the "Encrypt Data Stream" item on the Kerberos tab of the Security Properties dialog. This dialog box is obtained by clicking the "Security..." button on the Connection|Connection Setup menu thingie.

Whew!

Randy

At 04:16 PM 6/19/2001 -0500, Margaret Votava wrote:
>Hi,
>
>I am running wrq on my Windows 2000 box and am creating telnet
>sessions. How do I know if this telnet session is encrypted?
>I would like it to be.
>
>Thanks,
>Margaret

From kreymer@fnal.gov Tue Jun 19 17:05:36 2001 -0500
Date: Tue, 19 Jun 2001 17:05:35 -0500
From: Margaret Votava
Subject: Re: kerberos on win2k
To: Anne Heavey
Cc: kerberos-users@fnal.gov, aheavey@fsui02.fnal.gov, adamo@fnal.gov
Message-id: <3B2FCCAF.8ABE6F60@fnal.gov>
Organization: Fermi National Accelerator Laboratory
References: <200106192118.f5JLIdZ18857@fsui02.fnal.gov>

Hi Anne,

It turns out that my problem was that I didn't install Reflection's
signature. sigh.

Incidentally, the signature instructions point to the pilot realm. Do we
want to update that to the production realm?

Thanks,
Margaret

Anne Heavey wrote:
>
> > Hi,
> >
> > I am running wrq on my Windows 2000 box and am creating telnet
> > sessions. How do I know if this telnet session is encrypted?
> > I would like it to be.
> >
> > Thanks,
> > Margaret
>
> See http://www.fnal.gov/docs/strongauth/htmlpost1_0b/encryptconn.html#63150
>
> -- Anne
>
> Anne Heavey | Fermilab Computing Division | WWW Group
> Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

--
Margaret Votava                                    votava@fnal.gov
Computing Division/Online and Database Systems     630-840-2625 (office)
Fermi National Accelerator Laboratory              630-840-6345 (fax)
http://www.fnal.gov                                630-612-8220 (pager)

From kreymer@fnal.gov Wed Jun 20 09:14:58 2001 -0500
Date: Wed, 20 Jun 2001 09:14:50 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18992 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182386@csdserver2.fnal.gov>

18992 has been updated by richt.

Short Description : kerberized FTP

New Work Log Entry :

Hi Kerberos-Users List,

Sorry to blast to the list for this question but we don't currently have a
better mechanism. Looking for someone with WRQ expertise. The question is:
"... how to switch from using PILOT.FNAL.GOV to the FNAL.GOV realm?" Could
someone point us to documentation? We will then add this information to our
knowledge base.
Thanks,
Rich Thompson x4846

From kreymer@fnal.gov Wed Jun 20 09:14:59 2001 -0500
Date: Wed, 20 Jun 2001 09:14:50 -0500
From: ARSystem
Subject: Resend 18992 CRAWFORD, MATT
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182387@csdserver2.fnal.gov>

This ticket resent on 6/20/01 9:12:40 AM

Ticket 18992 is being resent to you in its entirety.

It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description: kerberized FTP

First Name : MARC
Last Name (+) : PATERNO
Phone : 4532
E-Mail Address : PATERNO@FNAL.GOV
Assigned To Group : CD-DC
Incident Time : 6/12/01 11:29:45 AM
System Name : D0LXBLD7
Urgency : Medium

Public Work Log :

6/12/01 11:56:38 AM trb
Jason, can you help ?

6/12/01 1:53:44 PM marih
From: "Jason Allen"
To: "ARSystem"
Subject: Re: 000000000018992 Assigned to ALLEN, JASON.
Date: Tuesday, June 12, 2001 1:47 PM

Please reassign to Matt Crawford as a Kerberos documentation issue.

6/12/01 2:32:53 PM marih
From: "Matt Crawford"
To: "ARSystem"
Cc:
Subject: Re: 000000000018992 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 12, 2001 2:19 PM

> I'm trying to use Reflection FTP Client to do a kerberized FTP
> from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect
> it may be because I'm still using paterno@PILOT.FNAL.GOV as my
> Kerberos principal.

It doesn't matter what realm your own ticket is in (although it's probably
about time to switch to FNAL.GOV for regular use), it matters what realm
your host thinks the server considers itself to be in. To put it another
way, the client host and the server host have to agree about which realm
the server is in. d0lxbld7 used to be in the PILOT.FNAL.GOV realm but is
now in FNAL.GOV and you need to stop WRQ from believing otherwise. It's
done under Configure Realms somewhere, but that's where my WRQ knowledge
fizzles out. Someone else on the kerberos-users list can be more specific.

6/18/01 2:26:29 PM marih
From: "Matt Crawford"
To: "ARSystem"
Subject: Re: CRAWFORD, MATT, Reminder for 18992
Date: Monday, June 18, 2001 2:14 PM

Did the requester find my message of June 12 insufficient? I never heard
anything back?

The following was e-mailed to the Requester:
Per the expert: "Did the requester find my message of June 12
insufficient? I never heard anything back?"

6/18/01 2:38:05 PM marih
From: "Marc Paterno"
To: "ARSystem"
Subject: RE: Additional info for 000000000018992
Date: Monday, June 18, 2001 2:32 PM

Hello,

I don't think I received the message sent on June 12, but I was able to
find it on the web. The answer is not quite sufficient: can someone with
WRQ expertise tell me where to find the documentation of how to switch
from using PILOT.FNAL.GOV to the FNAL.GOV realm?

thanks,
Marc

6/20/01 9:12:40 AM richt
Hi Kerberos-Users List,

Sorry to blast to the list for this question but we don't currently have a
better mechanism. Looking for someone with WRQ expertise. The question is:
"... how to switch from using PILOT.FNAL.GOV to the FNAL.GOV realm?" Could
someone point us to documentation? We will then add this information to our
knowledge base.

Thanks,
Rich Thompson x4846

Problem Description :
Hello,

I'm trying to use Reflection FTP Client to do a kerberized FTP from
d0lxbld7 to my laptop. I'm no longer able to do so. I suspect it may be
because I'm still using paterno@PILOT.FNAL.GOV as my Kerberos principal.

I tried looking in the documentation at http://www.fnal.gov/docs/strongauth/,
but was unable to find instructions for how to switch my principal. The
installation instructions for WRQ Reflection still say to use
PILOT.FNAL.GOV. Could someone please tell me where I can find the
appropriate instructions?

thanks,
Marc
--
Marc Paterno
FNAL/CD Special Assignments
(630) 840-4532 (WH 6E, 645)
(630) 840-6457 (CDF Trailer 169F)
(630) 840-6689 (DAB 5)

Create Date : 6/12/01 11:56:38 AM

From kreymer@fnal.gov Wed Jun 20 09:45:50 2001 -0500
Date: Wed, 20 Jun 2001 09:45:38 -0500
From: ARSystem
Subject: 000000000019158 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182390@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019158 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Cryptocard type of problem.
Short description: how do I exit from the cryptocard prompt ?

Badge # (+) : 12347N
First Name : ELIZABETH
Last Name (+) : GALLAS
Phone : 8599
E-Mail Address : EGGS@FNAL.GOV
Incident Time : 6/20/01 9:23:47 AM
System Name :
Urgency : Medium
Public Work Log :
Problem Description : If I am unaware that my ticket has expired and I
telnet to another machine, I get a cryptocard number prompt. I don't want
to use my cryptocard, so I want OUT of this, but there seems to be no way
to exit from the prompt except by waiting for the time-out. Is there a
method for exiting from the cryptocard prompt?

Thanks,
Elizabeth
x8599

From kreymer@fnal.gov Wed Jun 20 09:53:32 2001 -0500
Date: Wed, 20 Jun 2001 16:53:21 +0200
From: Benn Tannenbaum
Subject: Kerberos & DHCP
In-reply-to: <5.1.0.14.2.20010619162631.033ea440@imapserver2.fnal.gov>
To: kerberos-users@fnal.gov

This is a problem that I don't think I've seen addressed here.

I am based at UCLA, but travel to FNAL frequently. I bring my laptop and
use DHCP to connect to lab computers. I have found that after about 24
hours or so I am no longer able to get new Kerberos tickets. A reboot
solves this problem. If I use the same computer at UCLA, where it has a
fixed IP address, this is not a problem. If I use the computer at CERN,
where again I use DHCP, I have the problem.

I am not completely familiar with the inner workings of DHCP, but in the
dim recesses of my mind I seem to recall that one is really only assigned
the IP address for a period of some hours (perhaps 24!) and that after
that there is the possibility of someone else getting that IP address.
That certainly would explain this....

Is there a solution/workaround for this? I tire of using my cryptocard.
-Benn

From kreymer@fnal.gov Wed Jun 20 09:53:40 2001 -0500
Date: Wed, 20 Jun 2001 09:53:37 -0500 (CDT)
From: Steven Timm
Subject: Re: 000000000019158 Assigned to CRAWFORD, MATT.
In-reply-to: <318CC3D38BE0D211BB1200105A093F76182390@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'", eggs@fnal.gov

Use the telnet escape character, usually control-right square bracket (^])
then at the telnet> prompt say c to close the connection.
(With a cryptocard ssh login, however, this will not work).

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 20 Jun 2001, ARSystem wrote:

> CRAWFORD, MATT, Help Desk Ticket #000000000019158
> has been assigned to you.
>
> It is a(n) Medium priority Software/Utilities
> /Cryptocard type of problem.
> Short description: how do I exit from the cryptocard prompt ?
>
>
>
> Badge # (+) : 12347N
> First Name : ELIZABETH
> Last Name (+) : GALLAS
> Phone : 8599
> E-Mail Address : EGGS@FNAL.GOV
> Incident Time : 6/20/01 9:23:47 AM
> System Name :
> Urgency : Medium
> Public Work Log :
> Problem Description : If I am unaware that my ticket has expired and I
> telnet to another machine,
> I get a cryptocard number prompt.
> I don't want to use my cryptocard, so I want OUT of this,
> but there seems to be no way to exit from the prompt except by
> waiting
> for the time-out.
> Is there a method for exiting from the cryptocard prompt?
>
> Thanks,
> Elizabeth
> x8599
>

From kreymer@fnal.gov Wed Jun 20 09:58:45 2001 -0500
Date: Wed, 20 Jun 2001 09:58:38 -0500 (CDT)
From: Steven Timm
Subject: Re: Kerberos & DHCP
To: Benn Tannenbaum
Cc: kerberos-users@fnal.gov

Ben... Can you tell us if this is a Linux laptop or a Windows laptop
and what software you are using?

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 20 Jun 2001, Benn Tannenbaum wrote:

> This is a problem that I don't think I've seen addressed here.
>
> I am based at UCLA, but travel to FNAL frequently. I bring my laptop and use
> DHCP to connect to lab computers. I have found that after about 24 hours or
> so I am no longer able to get new Kerberos tickets. A reboot solves this
> problem. If I use the same computer at UCLA, where it has a fixed IP
> address, this is not a problem. If I use the computer at CERN, where again I
> use DHCP, I have the problem.
>
> I am not completely familiar with the inner workings of DHCP, but in the dim
> recesses of my mind I seem to recall that one is really only assigned the IP
> address for a period of some hours (perhaps 24!) and that after that there
> is the possibility of someone else getting that IP address. That certainly
> would explain this....
>
> Is there a solution/workaround for this? I tire of using my cryptocard.
>
> -Benn
>

From kreymer@fnal.gov Wed Jun 20 10:01:10 2001 -0500
Date: Wed, 20 Jun 2001 10:01:04 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19158 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182396@csdserver2.fnal.gov>

19158 has been updated by marih.

Short Description : how do I exit from the cryptocard prompt ?

New Work Log Entry :
From: "Steven Timm"
To: "ARSystem"
Cc:
Subject: Re: 000000000019158 Assigned to CRAWFORD, MATT.
Date: Wednesday, June 20, 2001 9:53 AM

Use the telnet escape character, usually control-right square bracket (^])
then at the telnet> prompt say c to close the connection. (With a
cryptocard ssh login, however, this will not work).

Steve

From kreymer@fnal.gov Wed Jun 20 10:05:26 2001 -0500
Date: Wed, 20 Jun 2001 17:05:13 +0200
From: Benn Tannenbaum
Subject: Re: Kerberos & DHCP
To: kerberos-users@fnal.gov

Hi Steve,

I am using a Macintosh laptop, running OS 8.6 (although soon to be 9.1 and
eventually X). I am using the MIT release of the Kerberos software for the
Mac.

-Benn

on 20/6/01 4:58 PM, Steven Timm spake thusly:

> Ben... Can you tell us if this is a Linux laptop or a Windows laptop
> and what software you are using?
>
> Steve
>
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Wed, 20 Jun 2001, Benn Tannenbaum wrote:
>
>> This is a problem that I don't think I've seen addressed here.
>>
>> I am based at UCLA, but travel to FNAL frequently. I bring my laptop and use
>> DHCP to connect to lab computers. I have found that after about 24 hours or
>> so I am no longer able to get new Kerberos tickets. A reboot solves this
>> problem. If I use the same computer at UCLA, where it has a fixed IP
>> address, this is not a problem. If I use the computer at CERN, where again I
>> use DHCP, I have the problem.
>>
>> I am not completely familiar with the inner workings of DHCP, but in the dim
>> recesses of my mind I seem to recall that one is really only assigned the IP
>> address for a period of some hours (perhaps 24!) and that after that there
>> is the possibility of someone else getting that IP address. That certainly
>> would explain this....
>>
>> Is there a solution/workaround for this? I tire of using my cryptocard.
>>
>> -Benn
>>
>
-Benn

From kreymer@fnal.gov Wed Jun 20 10:19:23 2001 -0500
Date: Wed, 20 Jun 2001 10:19:20 -0500
From: Stefano Belforte
Subject: Re: 000000000019158 Assigned to CRAWFORD, MATT.
To: Steven Timm
Cc: ARSystem, "'kerberos-users@fnal.gov'", eggs@fnal.gov
Message-id: <3B30BEF8.CA3B601D@ts.infn.it>

A few Ctrl-D usually work for ssh as well.
Stefano

Steven Timm wrote:
>
> Use the telnet escape character, usually control-right square bracket
> (^]) then at the telnet> prompt say c
> to close the connection. (With a cryptocard ssh login, however, this
> will not work).
>
> Steve
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Wed, 20 Jun 2001, ARSystem wrote:
>
> > CRAWFORD, MATT, Help Desk Ticket #000000000019158
> > has been assigned to you.
> >
> > It is a(n) Medium priority Software/Utilities
> > /Cryptocard type of problem.
> > Short description: how do I exit from the cryptocard prompt ?
> >
> >
> >
> > Badge # (+) : 12347N
> > First Name : ELIZABETH
> > Last Name (+) : GALLAS
> > Phone : 8599
> > E-Mail Address : EGGS@FNAL.GOV
> > Incident Time : 6/20/01 9:23:47 AM
> > System Name :
> > Urgency : Medium
> > Public Work Log :
> > Problem Description : If I am unaware that my ticket has expired and I
> > telnet to another machine,
> > I get a cryptocard number prompt.
> > I don't want to use my cryptocard, so I want OUT of this,
> > but there seems to be no way to exit from the prompt except by
> > waiting
> > for the time-out.
> > Is there a method for exiting from the cryptocard prompt?
> >
> > Thanks,
> > Elizabeth
> > x8599
> >

From kreymer@fnal.gov Wed Jun 20 10:26:52 2001 -0500
Date: Wed, 20 Jun 2001 10:26:46 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19158 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761823A0@csdserver2.fnal.gov>

19158 has been updated by marih.

Short Description : how do I exit from the cryptocard prompt ?
New Work Log Entry :
From: "Stefano Belforte"
To: "Steven Timm"
Cc: "ARSystem" ; ;
Subject: Re: 000000000019158 Assigned to CRAWFORD, MATT.
Date: Wednesday, June 20, 2001 10:19 AM

A few Ctrl-D usually work for ssh as well.

Stefano

From kreymer@fnal.gov Wed Jun 20 10:52:57 2001 -0500
Date: Wed, 20 Jun 2001 10:52:39 -0500
From: Vyto Grigaliunas
Subject: Re: Kerberos & DHCP
To: Benn Tannenbaum, kerberos-users@fnal.gov
Reply-to: Vyto Grigaliunas
Message-id: <000601c0f9a1$08a250c0$0550e183@fnal.gov>
Organization: Fermilab

Hi...

It's been my experience that Mac OS will use a DHCP address only for as
long as it needs it, then release it. For example, to read or download
your mail, it will request a DHCP address, use it for as long as it takes
for the session to the mail server, then release it, which means that
address is available for some other DHCP client to use and that your Mac
may not get the same address the next time. I believe there may be a
setting somewhere which tells the Mac to keep the address for the whole
DHCP lease time (currently 24 hours) - not sure...I'm not a Mac expert and
don't know whether there's any support for them anymore here.

Anyway, since you say this occurs every 24 hours or so, it looks like your
Mac isn't exhibiting the above behavior. You are correct that the DHCP
address is leased for 24 hours, after which it is available for someone
else to use unless your Mac renews it. Is your Mac on continuously for the
24 hour period (in which case it may be that your Mac isn't renewing the
IP address properly) ???

Perhaps it's a timing issue between the default Kerberos ticket lifetime
and the DHCP lease time...does your Mac release the DHCP address upon
shutdown (which means it may not get the same address next time), but your
Kerberos tickets are still valid ??? Do you clear your Kerberos tickets
upon shutdown ???

Thanks...

Vyto
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Vyto Grigaliunas - Fermi National Accelerator Lab
Data Comm. Group
E-mail : vyto@fnal.gov
Voice : 630-840-2539

"The airlines are facing strike threats from a number of key unions,
including the Brotherhood of Luggage Misplacers; the Airline Seat
Shrinkers Guild; and the International Association of Workers Who Make
Sure That No Coach Passenger's Inflight Snack Packet Contains More Than
Four Pretzels."
- Dave Barry

----- Original Message -----
From: "Benn Tannenbaum"
To:
Sent: Wednesday, June 20, 2001 10:05 AM
Subject: Re: Kerberos & DHCP

> Hi Steve,
>
> I am using a Macintosh laptop, running OS 8.6 (although soon to be 9.1 and
> eventually X). I am using the MIT release of the Kerberos software for the
> Mac.
>
> -Benn
>
> on 20/6/01 4:58 PM, Steven Timm spake thusly:
>
> > Ben... Can you tell us if this is a Linux laptop or a Windows laptop
> > and what software you are using?
> >
> > Steve
> >
> >
> > ------------------------------------------------------------------
> > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > Fermilab Computing Division/Operating Systems Support
> > Scientific Computing Support Group--Computing Farms Operations
> >
> > On Wed, 20 Jun 2001, Benn Tannenbaum wrote:
> >
> >> This is a problem that I don't think I've seen addressed here.
> >>
> >> I am based at UCLA, but travel to FNAL frequently. I bring my laptop and use
> >> DHCP to connect to lab computers. I have found that after about 24 hours or
> >> so I am no longer able to get new Kerberos tickets. A reboot solves this
> >> problem. If I use the same computer at UCLA, where it has a fixed IP
> >> address, this is not a problem. If I use the computer at CERN, where again I
> >> use DHCP, I have the problem.
> >>
> >> I am not completely familiar with the inner workings of DHCP, but in the dim
> >> recesses of my mind I seem to recall that one is really only assigned the IP
> >> address for a period of some hours (perhaps 24!) and that after that there
> >> is the possibility of someone else getting that IP address. That certainly
> >> would explain this....
> >>
> >> Is there a solution/workaround for this? I tire of using my cryptocard.
> >> > >> -Benn > >> > > > > > -Benn From kreymer@fnal.gov Wed Jun 20 11:17:08 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA19522 for ; Wed, 20 Jun 2001 11:17:08 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF800EN9L8J52@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 11:17:08 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E367@listserv.fnal.gov>; Wed, 20 Jun 2001 11:17:07 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 124003 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 11:17:07 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E366@listserv.fnal.gov>; Wed, 20 Jun 2001 11:17:07 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GF800M01L8IOK@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 11:17:06 -0500 (CDT) Received: from smtp1.cern.ch ([137.138.128.38]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF800EJ3L8H48@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 11:17:06 -0500 (CDT) Received: from [137.138.206.46] (pb-d-137-138-206-46.cern.ch [137.138.206.46]) by smtp1.cern.ch (8.9.3/8.9.3) with ESMTP id SAA12484 for ; Wed, 20 Jun 2001 18:17:04 +0200 (MET DST) Date: Wed, 20 Jun 2001 18:17:03 +0200 From: Benn Tannenbaum Subject: Re: Kerberos & DHCP In-reply-to: <000601c0f9a1$08a250c0$0550e183@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: 
Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 X-Authentication-warning: smtp1.cern.ch: Host pb-d-137-138-206-46.cern.ch [137.138.206.46] claimed to be [137.138.206.46] Status: RO X-Status: X-Keywords: X-UID: 1336 Hi, No, like most people, I prefer to leave my computer running as long as possible. I'd like to turn it on when I get to FNAL, and turn it off when I leave n days later. If I reboot, all is well. Benn on 20/6/01 5:52 PM, Vyto Grigaliunas spake thusly: > Hi... > > It's been my experience that Mac OS will use a DHCP address only for as long > as it needs it, then release it. For example, to read or download your mail, > it will request a DHCP address, use it for as long as it takes for the session > to the mail server, then release it, which means that address is available for > some other DHCP client to use and that your Mac may not get the same address > the next time. > > I believe there may a setting somewhere which tells the Mac to keep the > address for the whole DHCP lease time (currently 24 hours) - not sure...I'm > not a Mac expert and don't know whether there's any support for them anymore > here. > > Anyway, since you say this occurs every 24 hours or so, it looks like your Mac > isn't exhibiting the above behavior. You are correct that the DHCP address is > leased for 24 hours, after which it is available for someone else to use > unless your Mac renews it. Is your Mac on continuously for the 24 hour period > (in which case it may be that your Mac isn't renewing the IP address properly) > ??? > > Perhaps it's a timing issue between the default Kerberos ticket lifetime and > the DHCP lease time...does your Mac release the DHCP address upon shutdown > (which means it may not get the same address next time), but your Kerberos > ticket are still valid ??? Do you clear your Kerberos tickets upon shutdown > ??? > > Thanks... > > Vyto > > %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% > > Vyto Grigaliunas - Fermi National Accelerator Lab Data Comm. 
Group > E-mail : vyto@fnal.gov Voice : 630-840-2539 > > "The airlines are facing strike threats from a number of key > unions, including the Brotherhood of Luggage Misplacers; the > Airline Seat Shrinkers Guild; and the International > Association of Workers Who Make Sure That No Coach > Passenger's Inflight Snack Packet Contains More Than Four > Pretzels." > > - Dave Barry > > ----- Original Message ----- > From: "Benn Tannenbaum" > To: > Sent: Wednesday, June 20, 2001 10:05 AM > Subject: Re: Kerberos & DHCP > > >> Hi Steve, >> >> I am using a Macintosh laptop, running OS 8.6 (although soon to be 9.1 and >> eventually X). I am using the MIT release of the Kerberos software for the >> Mac. >> >> -Benn >> >> on 20/6/01 4:58 PM, Steven Timm spake thusly: >> >>> Ben... Can you tell us if this is a Linux laptop or a Windows laptop >>> and what software you are using? >>> >>> Steve >>> >>> >>> ------------------------------------------------------------------ >>> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ >>> Fermilab Computing Division/Operating Systems Support >>> Scientific Computing Support Group--Computing Farms Operations >>> >>> On Wed, 20 Jun 2001, Benn Tannenbaum wrote: >>> >>>> This is a problem that I don't think I've seen addressed here. >>>> >>>> I am based at UCLA, but travel to FNAL frequently. I bring my laptop and > use >>>> DHCP to connect to lab computers. I have found, that after about 24 hours > or >>>> so I am no longer able to get new Kerberos tickets. A reboot solves this >>>> problem. If I use the same computer at UCLA, where it has a fixed IP >>>> address, this is not a problem. If I use the computer at CERN, where > again I >>>> use DHCP, I have the problem. >>>> >>>> I am not completely familiar with the inner working of DHCP, but in the > dim >>>> recesses of my mind I seem to recall that one is really only assigned the > IP >>>> address for a period of some hours (perhaps 24!) 
and that after that > there >>>> is the possibility of someone else getting that IP address. That > certainly >>>> would explain this.... >>>> >>>> Is there a solution/workaround for this? I tire of using my cryptocard. >>>> >>>> -Benn >>>> >>> >> >> >> -Benn > -Benn From kreymer@fnal.gov Wed Jun 20 13:01:13 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA19658 for ; Wed, 20 Jun 2001 13:01:13 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8000HCQ1ZQN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 13:01:12 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E5A1@listserv.fnal.gov>; Wed, 20 Jun 2001 13:01:12 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 124629 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 13:01:11 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E5A0@listserv.fnal.gov>; Wed, 20 Jun 2001 13:01:11 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8001HDQ1YGT@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 13:01:11 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 20 Jun 2001 13:01:10 -0500 Content-return: allowed Date: Wed, 20 Jun 2001 13:01:09 -0500 From: ARSystem Subject: 000000000019173 Assigned to CRAWFORD, MATT. 
Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F761823DB@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1337 CRAWFORD, MATT, Help Desk Ticket #000000000019173 has been assigned to you. It is a(n) Medium priority Software/Utilities /Kerberos type of problem. Short description: Unable to kinit Badge # (+) : 01798C First Name : RICHARD Last Name (+) : WELLNER Phone : 6805 E-Mail Address : WELLNER@FNAL.GOV Incident Time : 6/20/01 12:57:33 PM System Name : Urgency : Medium Public Work Log : Problem Description : I just got back in town after a few days vacation and am unable to kinit. Everything seemed fine a week ago. fndaph:wellner > kinit wellner@FNAL.GOV Password for wellner@FNAL.GOV: aklog: unable to obtain tokens for cell fnal.gov (status: 11862791). libprot: a pioctl failed Could not get afs tokens, running unauthenticated. aklog: Permission denied so unable to create remote PTS user wellner@fnal.gov in cell fnal.gov (status: 267269). aklog: unable to obtain tokens for cell fnal.gov (status: 11862791). 
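The failure in this ticket (kinit succeeds, aklog cannot get an AFS token) turns on which Kerberos realm the client maps the AFS server hostnames to, which is what the ticket's eventual resolution on this list points at. The following is an added example, not code from the thread, from MIT krb5 or from aklog: it reproduces the documented MIT krb5 host-to-realm lookup order ([domain_realm] exact host, then each parent domain written with a leading dot, then DNS TXT `_kerberos.<name>` records when dns_lookup_realm is enabled, then default_realm) and checks whether the AFS servers land in the same realm as the client host. The DNS answers are constructed; the hostnames and realms are the ones named in the ticket.

```python
"""Which realm does a client map the AFS servers to?

Added example for ticket 19173; not code from the thread, MIT krb5 or aklog.
Lookup order modelled on the MIT krb5 documentation: [domain_realm] exact
host, then parent domains with a leading dot, then DNS TXT _kerberos.<name>
records (dns_lookup_realm), then default_realm.
"""
from typing import Dict, List, Optional, Tuple

# The three AFS servers named in the ticket.
AFS_SERVERS = ["fsus01.fnal.gov", "fsus03.fnal.gov", "fsus04.fnal.gov"]

# Constructed stand-in for DNS TXT answers (_kerberos.<name> -> realm):
# fndaph is still in the PILOT realm, the rest of fnal.gov is not.
DNS_TXT_CONSTRUCTED: Dict[str, str] = {
    "_kerberos.fndaph.fnal.gov": "PILOT.FNAL.GOV",
    "_kerberos.fnal.gov": "FNAL.GOV",
}

# [domain_realm] entries that pin the client and the AFS servers to one realm
# (constructed from the ticket's hostnames; one way to apply the fix).
FIXED_DOMAIN_REALM: Dict[str, str] = {
    "fndaph.fnal.gov": "PILOT.FNAL.GOV",
    "fsus01.fnal.gov": "PILOT.FNAL.GOV",
    "fsus03.fnal.gov": "PILOT.FNAL.GOV",
    "fsus04.fnal.gov": "PILOT.FNAL.GOV",
}


def host_to_realm(host: str, domain_realm: Dict[str, str], default_realm: str,
                  dns_txt: Optional[Dict[str, str]] = None) -> str:
    """Map one hostname to a realm in the order MIT krb5 consults its sources."""
    name = host.lower().rstrip(".")
    labels = name.split(".")
    # 1. An exact hostname entry in [domain_realm] wins.
    if name in domain_realm:
        return domain_realm[name]
    # 2. Parent domains, most specific first: ".fnal.gov" before ".gov".
    for i in range(1, len(labels)):
        key = "." + ".".join(labels[i:])
        if key in domain_realm:
            return domain_realm[key]
    # 3. DNS TXT records, again most specific first.
    if dns_txt:
        for i in range(len(labels)):
            record = "_kerberos." + ".".join(labels[i:])
            if record in dns_txt:
                return dns_txt[record]
    # 4. Nothing matched: the client falls back to default_realm.
    return default_realm


def mismatched_servers(client_host: str, afs_servers: List[str],
                       domain_realm: Dict[str, str], default_realm: str,
                       dns_txt: Optional[Dict[str, str]] = None) -> List[Tuple[str, str]]:
    """Return (server, realm) for every AFS server mapped to a realm other than the client's.

    aklog requests the AFS service ticket in the realm it believes the cell's
    servers belong to, so a non-empty result means that request is aimed at a
    different realm than the one the client's own tickets come from.
    """
    client_realm = host_to_realm(client_host, domain_realm, default_realm, dns_txt)
    bad: List[Tuple[str, str]] = []
    for server in afs_servers:
        realm = host_to_realm(server, domain_realm, default_realm, dns_txt)
        if realm != client_realm:
            bad.append((server, realm))
    return bad


if __name__ == "__main__":
    # Before the fix: only the DNS answers, nothing pinned in [domain_realm].
    for server, realm in mismatched_servers("fndaph.fnal.gov", AFS_SERVERS, {},
                                            "FNAL.GOV", DNS_TXT_CONSTRUCTED):
        print(f"{server} -> {realm}, but fndaph is in PILOT.FNAL.GOV")
    # After the fix: every name pinned to PILOT.FNAL.GOV, so nothing mismatches.
    print("after fix:", mismatched_servers("fndaph.fnal.gov", AFS_SERVERS,
                                           FIXED_DOMAIN_REALM, "FNAL.GOV",
                                           DNS_TXT_CONSTRUCTED))
```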
From kreymer@fnal.gov Wed Jun 20 15:48:39 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA19867 for ; Wed, 20 Jun 2001 15:48:39 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8008NYXSYTU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 15:48:39 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E86C@listserv.fnal.gov>; Wed, 20 Jun 2001 15:48:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125388 for LINUX-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 15:48:35 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E869@listserv.fnal.gov>; Wed, 20 Jun 2001 15:48:34 -0500 Received: from fnal.gov ([131.225.81.186]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8009JYXSXX7@smtp.fnal.gov>; Wed, 20 Jun 2001 15:48:33 -0500 (CDT) Date: Wed, 20 Jun 2001 15:48:31 -0500 From: Yuyi Guo Subject: Re: fndau* passwords Sender: owner-linux-users@listserv.fnal.gov To: Margaret Votava , kerberos-users@fnal.gov, linux-users , ods-admin@fnal.gov Cc: berg@fnal.gov, ruth@fnal.gov, berman@fnal.gov, moore@fnal.gov, slimmer@fnal.gov, vittone@fnal.gov, mengel@fnal.gov, pcanal@fnal.gov, lauri@fnal.gov, nho@fnal.gov, dbox@fnal.gov, nahn@fnal.gov, ettab@fnal.gov, gug@fnal.gov, amundson@fnal.gov, litmaath@fnal.gov, marih@fnal.gov, piccoli@fnal.gov, muzaffar@fnal.gov, ichiro@fnal.gov Cc: arossi@fnal.gov, fspaldin@fnal.gov, nuhae@fnal.gov, ritchie@fnal.gov, bgreen@fnal.gov, kerberos-users@fnal.gov Message-id: <3B310C1F.D4C5ECEA@fnal.gov> Organization: Fermi Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 
7bit X-Accept-Language: en References: <3B2FB1BC.6A51F06B@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1338 Hi, All: After the password was changed to afs password, I was unable login to my machine (fndapm) any more. Margaret suggested that I should install/upgrade afs-fermi and afs-pam-nonis packages. I got the two rpm packages from two different locations which I think they are the right places to get ( Troy, Could you confirm this?). Then I update/installed them as root. One is //linux1.fnal.gov/linux/6xtest/i386/DONOTEXPORT/storage/afs-fermi-3.6-9.i386.rpm. The other is ~dawson/afs/afs-pam-nonis-1.rpm After I did rpm install/update and reboot, I am able to login the machine as myself (yuyi). However, I am getting other problems with the actions I took. (1) The most immediate problem affect on me. I am no longer getting linux ups products which is auto mount on fndaut. (2) I cannot unlock a locked window . (3) I don't know if there is any other problems which I haven't found yet. Any ideas what I should looking into are highly appreciated. Thanks, Yuyi Margaret Votava wrote: > > Hi, > > Your fndau* password should now be your afs password. I know I said > I was going to do this last night, but I did it today instead. > > I have also disabled logins for dart, tapestat, dart6, wwwods, wwwdart, logbook, > products. > > Good luck, > Margaret > > -- > Margaret Votava votava@fnal.gov > Computing Division/Online and Database Systems 630-840-2625 (office) > Fermi National Accelerator Laboratory 630-840-6345 (fax) > http://www.fnal.gov 630-612-8220 (pager) -- Yuyi ----------------------------------------------- Yuyi Guo (630)840-4186(phone), (630)840-6345(Fax) Fermi National Accelerator Laboratory Computing Division, Online and Database System MS 369, P.O. 
Box 500 Batavia, IL 60510 From kreymer@fnal.gov Wed Jun 20 15:51:14 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA19877 for ; Wed, 20 Jun 2001 15:51:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8008S3XX0TU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 15:51:13 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E898@listserv.fnal.gov>; Wed, 20 Jun 2001 15:51:04 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125445 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 15:51:04 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E897@listserv.fnal.gov>; Wed, 20 Jun 2001 15:51:04 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF800BJ0XX2EE@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 15:51:03 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 20 Jun 2001 15:51:03 -0500 Content-return: allowed Date: Wed, 20 Jun 2001 15:51:02 -0500 From: ARSystem Subject: CRAWFORD, MATT AR ticket 19145 Has Been Updated. Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7618241F@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1339 19145 has been updated by ARWeb User. 
Short Description : Cannot activate host/ftp principals New Work Log Entry : Igor Terekhov added this information: Kerberos installation has left the system in an inaccessible, i.e., unusable state. I can no longer ssh into the system because kerberos install killed it. Please let us have the systems back. Thank you. From kreymer@fnal.gov Wed Jun 20 16:20:29 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA19919 for ; Wed, 20 Jun 2001 16:20:29 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF800I7SZA0I6@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 16:20:29 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E91B@listserv.fnal.gov>; Wed, 20 Jun 2001 16:20:24 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125587 for LINUX-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 16:20:24 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E918@listserv.fnal.gov>; Wed, 20 Jun 2001 16:20:24 -0500 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF8009Q9Z9ZX7@smtp.fnal.gov>; Wed, 20 Jun 2001 16:20:23 -0500 (CDT) Date: Wed, 20 Jun 2001 16:20:21 -0500 From: Troy Dawson Subject: Re: fndau* passwords Sender: owner-linux-users@listserv.fnal.gov To: Yuyi Guo Cc: Margaret Votava , kerberos-users@fnal.gov, linux-users , ods-admin@fnal.gov, berg@fnal.gov, ruth@fnal.gov, berman@fnal.gov, moore@fnal.gov, slimmer@fnal.gov, vittone@fnal.gov, mengel@fnal.gov, pcanal@fnal.gov, lauri@fnal.gov, nho@fnal.gov, dbox@fnal.gov, nahn@fnal.gov, ettab@fnal.gov, gug@fnal.gov, amundson@fnal.gov, litmaath@fnal.gov Cc: marih@fnal.gov, piccoli@fnal.gov, muzaffar@fnal.gov, 
ichiro@fnal.gov, arossi@fnal.gov, fspaldin@fnal.gov, nuhae@fnal.gov, ritchie@fnal.gov, bgreen@fnal.gov Message-id: <3B311395.B55BBF8B@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3B2FB1BC.6A51F06B@fnal.gov> <3B310C1F.D4C5ECEA@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1340 Hi Yuyi, It looks like you installed everything right. But let me tell you what's happening. Yuyi Guo wrote: ..snip.. afs-fermi-3.6-9.i386.rpm. ..snip.. afs-pam-nonis-1.rpm ..snip > (1) The most immediate problem affect on me. I am no longer > getting linux ups products which is auto mount on fndaut. This has been seen before. It is a KDE2 problem, but hasn't been investigated enough to figure out the problem. That's a very unsatisfactory answer I know, but right now the only one I have. Perhaps others would wish to say how they overcame this. > > (2) I cannot unlock a locked window . I apologize for that one. I need to make a new batch of afs-pam rpm's. Basically you installed KDE2.1. For it's screensaver it uses the config file /etc/pam.d/kscreensaver, which I don't have in my afs-pam rpm's. To fix this do this cp /etc/pam.d/kscreensaver /etc/pam.d/kscreensaver.original cp -f /etc/pam.d/xscreensaver /etc/pam.d/kscreensaver > > (3) I don't know if there is any other problems which I > haven't found yet. I can't think of anything off the top of my head. > > Any ideas what I should looking into are highly appreciated. 
> > Thanks, Yuyi -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Wed Jun 20 16:48:01 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA19943 for ; Wed, 20 Jun 2001 16:48:01 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF900L340K020@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 16:48:01 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E9A1@listserv.fnal.gov>; Wed, 20 Jun 2001 16:48:00 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125736 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 16:48:00 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E9A0@listserv.fnal.gov>; Wed, 20 Jun 2001 16:48:00 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF900IEW0JZI6@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 16:47:59 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Wed, 20 Jun 2001 16:48:00 -0500 Content-return: allowed Date: Wed, 20 Jun 2001 16:47:59 -0500 From: ARSystem Subject: CRAWFORD, MATT #19158 Resolved. Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7618244D@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1341 Thank you for your assistance. 
Help Desk ticket #000000000019158 has been resolved on 6/20/01 4:43:14 PM Resolution Timestamp: : 6/20/01 4:41:04 PM Solution Category : Information Request Problem Category : Software Item : Cryptocard Type : Utilities Short Description : how do I exit from the cryptocard prompt ? Solution : Is there a method for exiting from the cryptocard prompt? Control-D seems to do it on the flavors I've tried. You'll get some more noise about "Cannot read password" and then a new "login:" prompt, at which point a second Control-D should get you out. Alternatively, there's the telnet client's own break character, which is almost alwas control-]. Problem Description : If I am unaware that my ticket has expired and I telnet to another machine, I get a cryptocard number prompt. I don't want to use my cryptocard, so I want OUT of this, but there seems to be no way to exit from the prompt except by waiting for the time-out. Is there a method for exiting from the cryptocard prompt? Thanks, Elizabeth x8599 From kreymer@fnal.gov Wed Jun 20 17:11:21 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA19971 for ; Wed, 20 Jun 2001 17:11:21 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF900L4S1MUON@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 17:11:20 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E9EE@listserv.fnal.gov>; Wed, 20 Jun 2001 17:11:19 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 125822 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 17:11:19 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015E9ED@listserv.fnal.gov>; Wed, 20 Jun 2001 17:11:19 -0500 Received: from fnal.gov 
([131.225.81.186]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF900L1T1MTO0@smtp.fnal.gov>; Wed, 20 Jun 2001 17:11:17 -0500 (CDT) Date: Wed, 20 Jun 2001 17:11:17 -0500 From: Yuyi Guo Subject: Re: fndau* passwords Sender: owner-kerberos-users@listserv.fnal.gov To: Troy Dawson Cc: Margaret Votava , kerberos-users@fnal.gov, linux-users , ods-admin@fnal.gov, berg@fnal.gov, ruth@fnal.gov, berman@fnal.gov, moore@fnal.gov, slimmer@fnal.gov, vittone@fnal.gov, mengel@fnal.gov, pcanal@fnal.gov, lauri@fnal.gov, nho@fnal.gov, dbox@fnal.gov, nahn@fnal.gov, ettab@fnal.gov, gug@fnal.gov, amundson@fnal.gov, litmaath@fnal.gov Cc: marih@fnal.gov, piccoli@fnal.gov, muzaffar@fnal.gov, ichiro@fnal.gov, arossi@fnal.gov, fspaldin@fnal.gov, nuhae@fnal.gov, ritchie@fnal.gov, bgreen@fnal.gov Message-id: <3B311F85.88C15315@fnal.gov> Organization: Fermi Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3B2FB1BC.6A51F06B@fnal.gov> <3B310C1F.D4C5ECEA@fnal.gov> <3B311395.B55BBF8B@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1342 Thanks, Troy. The second problem was fixed right after I copied a new kscreensaver. But I don't understand why you think the auto mount problem is caused by KDE 2.1. A week ago, I rebooted my machine after install kde 2.1 and the auto mount came up. Then today I updated/installed afs-fermi and afs-pam-nonis and rebooted, the auto mount did not come up. What in the afs-fermi or afs-pam-nonis stops auto mount? Yuyi Troy Dawson wrote: > > Hi Yuyi, > It looks like you installed everything right. But let me tell you what's > happening. > > Yuyi Guo wrote: > ..snip.. > afs-fermi-3.6-9.i386.rpm. > ..snip.. > afs-pam-nonis-1.rpm > ..snip > > (1) The most immediate problem affect on me. I am no longer > > getting linux ups products which is auto mount on fndaut. > > This has been seen before. 
It is a KDE2 problem, but hasn't been investigated > enough to figure out the problem. That's a very unsatisfactory answer I know, > but right now the only one I have. Perhaps others would wish to say how they > overcame this. > > > > > (2) I cannot unlock a locked window . > > I apologize for that one. I need to make a new batch of afs-pam rpm's. > Basically you installed KDE2.1. For it's screensaver it uses the config file > /etc/pam.d/kscreensaver, which I don't have in my afs-pam rpm's. > To fix this do this > cp /etc/pam.d/kscreensaver /etc/pam.d/kscreensaver.original > cp -f /etc/pam.d/xscreensaver /etc/pam.d/kscreensaver > > > > > (3) I don't know if there is any other problems which I > > haven't found yet. > > I can't think of anything off the top of my head. > > > > > Any ideas what I should looking into are highly appreciated. > > > > Thanks, Yuyi > > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS SCS Group > __________________________________________________ -- Yuyi ----------------------------------------------- Yuyi Guo (630)840-4186(phone), (630)840-6345(Fax) Fermi National Accelerator Laboratory Computing Division, Online and Database System MS 369, P.O. 
Box 500 Batavia, IL 60510 From kreymer@fnal.gov Wed Jun 20 20:31:42 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id UAA20270 for ; Wed, 20 Jun 2001 20:31:42 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF900MKDAWSRH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 20 Jun 2001 20:31:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015EBEE@listserv.fnal.gov>; Wed, 20 Jun 2001 20:31:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 126411 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 20 Jun 2001 20:31:40 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015EBED@listserv.fnal.gov>; Wed, 20 Jun 2001 20:31:40 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GF900701AWSH9@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 20:31:40 -0500 (CDT) Received: from [192.168.1.100] ([169.207.20.41]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GF9000KWAWRCI@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 20 Jun 2001 20:31:40 -0500 (CDT) Date: Wed, 20 Jun 2001 20:31:39 -0500 From: "Frank J. 
Nagy" Subject: Re: Kerberos & DHCP In-reply-to: <000601c0f9a1$08a250c0$0550e183@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Vyto Grigaliunas , Benn Tannenbaum , kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7bit User-Agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022 Status: RO X-Status: X-Keywords: X-UID: 1343 I did a little bit of poking about on Apple's Technical Support site looking for information on DHCP. I did find a note that there is a problem with the DHCP Lease not being renewed when the renewal time is an hour or over. This occurs in MacOS 8.6 and 9.0 with Open Transport versions 2.5.1 and 2.5.2. The solution is to upgrade to Open Transport 2.6 which I think will happen automatically when you upgrade to 9.1 so you might want to consider doing so earlier. -- = Dr. Frank J. Nagy [Applied Scientist] 630-840-4935 = Fermilab Computing Division/Distributed Computing Dept/Technology = nagy@fnal.gov (Alt: nagy@mad.scientist.com -or- nagy@inil.com) = Web site: http://home.fnal.gov/~nagy/ = USnail: Fermilab POB 500 MS/369 Batavia, IL 60510 From kreymer@fnal.gov Thu Jun 21 08:01:01 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id IAA20848 for ; Thu, 21 Jun 2001 08:01:01 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFA00JF46TL9K@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 21 Jun 2001 08:01:00 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0015EEE5@listserv.fnal.gov>; Thu, 21 Jun 2001 08:00:57 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 127257 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 21 Jun 2001 08:00:57 -0500 Received: from heffalump 
Date: Thu, 21 Jun 2001 08:00:54 -0500
From: ARSystem
Subject: CRAWFORD, MATT #19173 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182480@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000019173 has been resolved on 6/21/01 7:56:00 AM
Resolution Timestamp: 6/21/01 5:17:52 PM
Solution Category: Information Request
Problem Category: Software
Item: Kerberos
Type: Utilities
Short Description: Unable to kinit

Solution:
Your kinit was fine, and you probably even got a valid AFS token, even though the aklog program thought there was a problem. According to DNS info, fndaph is still in the PILOT.FNAL.GOV realm. (If this is not so, we need to update that!) You need to make sure it believes that fsus01.fnal.gov, fsus03.fnal.gov and fsus04.fnal.gov (the AFS servers) are also in that realm.

Problem Description:
I just got back in town after a few days vacation and am unable to kinit. Everything seemed fine a week ago.

    fndaph:wellner > kinit wellner@FNAL.GOV
    Password for wellner@FNAL.GOV:
    aklog: unable to obtain tokens for cell fnal.gov (status: 11862791).
    libprot: a pioctl failed
    Could not get afs tokens, running unauthenticated.
    aklog: Permission denied so unable to create remote PTS user wellner@fnal.gov in cell fnal.gov (status: 267269).
    aklog: unable to obtain tokens for cell fnal.gov (status: 11862791).

From kreymer@fnal.gov Thu Jun 21 08:15:17 2001 -0500
Date: Thu, 21 Jun 2001 08:15:04 -0500
From: Thomas Jordan
Subject: Re: Kerberos & DHCP
In-reply-to: <000601c0f9a1$08a250c0$0550e183@fnal.gov>
To: Vyto Grigaliunas
Cc: Benn Tannenbaum, kerberos-users@fnal.gov
Message-id: <0GFA00IJH7HFIV@smtp.fnal.gov>

On Wednesday, June 20, 2001, at 10:52 AM, Vyto Grigaliunas wrote:

> Hi...
>
> It's been my experience that Mac OS will use a DHCP address only for as long
> as it needs it, then release it. For example, to read or download your mail,
> it will request a DHCP address, use it for as long as it takes for the session
> to the mail server, then release it, which means that address is available for
> some other DHCP client to use and that your Mac may not get the same address
> the next time.
>

Sorry, but this statement about the use of DHCP on the Mac is incorrect. I use DHCP and the five Macs in my office always have the same IP address. I leave them on 24/7. They must keep the address or I could not: ping them, log in to them, fileshare on that IP address, or use them as dummy webservers to test a script.

I have not used Kerberos enough to replicate Benn's problem but wonder if it is a "feature" of the MIT package...

Best,
Tom

Thomas Jordan
Fermi National Accelerator Laboratory
PO Box 500, MS 226 WH15W
Batavia, Il 60510-0500
ofc:630.840.4035 fax:630.840.8248

From kreymer@fnal.gov Thu Jun 21 08:44:08 2001 -0500
Date: Thu, 21 Jun 2001 08:44:05 -0500
From: Troy Dawson
Subject: Re: fndau* passwords
To: Yuyi Guo
Cc: kerberos-users@fnal.gov, linux-users, ods-admin@fnal.gov, ettab@fnal.gov
Message-id: <3B31FA25.A2A80A8C@fnal.gov>
References: <3B2FB1BC.6A51F06B@fnal.gov> <3B310C1F.D4C5ECEA@fnal.gov> <3B311395.B55BBF8B@fnal.gov> <3B311F85.88C15315@fnal.gov>

Hi,
I guess I had read that wrong, I was getting it confused with our clusters' policies.

As for the automount, I'm not sure about what happened, but here's a few troubleshooting tips. After each step see if things are better.

First - make sure that it's set to start on reboot.
    /sbin/chkconfig --list autofs
If it isn't set to be on on reboot, set it on
    /sbin/chkconfig --level 345 autofs on
and then turn it on
    /etc/rc.d/init.d/autofs start

Second - Try turning it off and on by hand
    /etc/rc.d/init.d/autofs stop
    /etc/rc.d/init.d/autofs start

Third - Occasionally the auto maps get messed up, and while they are supposed to reload themselves, sometimes they get stuck. Try reloading them
    /etc/rc.d/init.d/autofs reload
and it's always good to stop and start it after a reload (though not always necessary).
    /etc/rc.d/init.d/autofs stop
    /etc/rc.d/init.d/autofs start

Fourth - talk to whoever is in charge of fndaut. (I'm sure they are cc'd in this)

I hope that helps.
Troy
p.s. I'm trimming down the cc list on this. I hope you don't mind.

Yuyi Guo wrote:
>
> Thanks, Troy.
> The second problem was fixed right after I copied a new
> kscreensaver. But I don't understand why you think the auto
> mount problem is caused by KDE 2.1.
> A week ago, I rebooted my
> machine after installing KDE 2.1 and the auto mount came up. Then
> today I updated/installed afs-fermi and afs-pam-nonis and
> rebooted, the auto mount did not come up. What in the
> afs-fermi or afs-pam-nonis stops auto mount?
> Yuyi
>
> Troy Dawson wrote:
> >
> > Hi Yuyi,
> > It looks like you installed everything right. But let me tell you what's
> > happening.
> >
> > Yuyi Guo wrote:
> > ..snip..
> > afs-fermi-3.6-9.i386.rpm.
> > ..snip..
> > afs-pam-nonis-1.rpm
> > ..snip
> > > (1) The most immediate problem affecting me. I am no longer
> > > getting linux ups products which is auto mount on fndaut.
> >
> > This has been seen before. It is a KDE2 problem, but hasn't been investigated
> > enough to figure out the problem. That's a very unsatisfactory answer I know,
> > but right now the only one I have. Perhaps others would wish to say how they
> > overcame this.
> >
> > > (2) I cannot unlock a locked window.
> >
> > I apologize for that one. I need to make a new batch of afs-pam rpm's.
> > Basically you installed KDE2.1. For its screensaver it uses the config file
> > /etc/pam.d/kscreensaver, which I don't have in my afs-pam rpm's.
> > To fix this do this
> >     cp /etc/pam.d/kscreensaver /etc/pam.d/kscreensaver.original
> >     cp -f /etc/pam.d/xscreensaver /etc/pam.d/kscreensaver
> >
> > > (3) I don't know if there are any other problems which I
> > > haven't found yet.
> >
> > I can't think of anything off the top of my head.
> >
> > > Any ideas what I should be looking into are highly appreciated.
> > > Thanks, Yuyi
> >
> > --
> > __________________________________________________
> > Troy Dawson dawson@fnal.gov (630)840-6468
> > Fermilab Computing Division/OSS SCS Group
> > __________________________________________________
>
> --
> Yuyi
> -----------------------------------------------
> Yuyi Guo
> (630)840-4186(phone), (630)840-6345(Fax)
> Fermi National Accelerator Laboratory
> Computing Division, Online and Database System
> MS 369, P.O. Box 500
> Batavia, IL 60510

--
__________________________________________________
Troy Dawson dawson@fnal.gov (630)840-6468
Fermilab Computing Division/OSS SCS Group
__________________________________________________

From kreymer@fnal.gov Thu Jun 21 08:58:13 2001 -0500
Date: Thu, 21 Jun 2001 08:58:08 -0500
From: Vyto Grigaliunas
Subject: Re: Kerberos & DHCP
To: Benn Tannenbaum
Cc: kerberos-users@fnal.gov
Message-id: <002801c0fa5a$33cce300$0550e183@fnal.gov>

Hi Benn...

> I'm guessing you saw that email from Fred Nagy?

Yes I did...

> I was last at FNAL on 13 June, if that helps!

Yes...I was able to find your hardware address in the DHCP server logs for the 13th, but it wasn't really conclusive - I saw the DHCP server grant your Mac an address, your Mac renewed that address about 5 minutes later (which is strange, since with a lease time of 24 hours, the DHCP client shouldn't start attempting renewal until half the lease time has expired, 12 hours, unless you rebooted within that timeframe), then nothing...

I guess maybe you should go ahead and try upgrading when you're back here and we can go from there, although...

> BTW, I get great connectivity with telnet, email, netscape, etc. The only
> problem is with Kerberos...

...this would suggest that you actually still had an address and network connectivity during the Kerberos problem...

Thanks...

Vyto

----- Original Message -----
From: "Benn Tannenbaum"
To: "Vyto Grigaliunas"
Sent: Thursday, June 21, 2001 2:12 AM
Subject: Re: Kerberos & DHCP

> Hi Vyto,
>
> I'm guessing you saw that email from Fred Nagy? That sounds to me like it's
> the problem. I'm not really willing to upgrade my system whilst I'm at CERN,
> but I'll see what I can do when I get back to the states.
>
> I was last at FNAL on 13 June, if that helps!
>
> BTW, I get great connectivity with telnet, email, netscape, etc. The only
> problem is with Kerberos...
>
> on 20/6/01 10:33 PM, Vyto Grigaliunas spake thusly:
>
> > Hi...
> >
> >> I'll let you know when I get back to FNAL, if you'd like.
> >
> > That would be fine...I'll check the DHCP server logs for your hardware address
> > anyway, depending upon how long ago it was you were at FNAL...
> >
> > Thanks...
> >
> > Vyto
> >
> > ----- Original Message -----
> > From: "Benn Tannenbaum"
> > To: "Vyto Grigaliunas"
> > Sent: Wednesday, June 20, 2001 12:58 PM
> > Subject: Re: Kerberos & DHCP
> >
> >
> >> Hi,
> >>
> >> That'd be a good trick now-- I'm at CERN for another 10 days ;-). I am using
> >> DHCP now, and my Ethernet address is 00 05 02 d7 b4 c1.
> >>
> >> I'll let you know when I get back to FNAL, if you'd like.
> >>
> >> on 20/6/01 7:56 PM, Vyto Grigaliunas spake thusly:
> >>
> >>> Can you give me either the current IP address and/or hardware address of your
> >>> Mac ??? I'll see if I can track it through the DHCP server to see if it's a
> >>> DHCP renewal problem...
> >>
> >>
> >> -Benn
> >>
> >
>
> -Benn
>

From kreymer@fnal.gov Thu Jun 21 09:06:31 2001 -0500
Date: Thu, 21 Jun 2001 09:06:28 -0500
From: Vyto Grigaliunas
Subject: Re: Kerberos & DHCP
To: Thomas Jordan
Cc: Benn Tannenbaum, kerberos-users@fnal.gov
Message-id: <002f01c0fa5b$5de1f030$0550e183@fnal.gov>
References: <0GFA00IJH7HFIV@smtp.fnal.gov>

Hi...

> Sorry, but this statement about the use of DHCP on the Mac is incorrect.

No, I'm sorry...I have DHCP server logs and LANanalyzer trace data that proves it (well, maybe I do, since it's been several years since I did this and I MAY still have it somewhere)... I assume you're not running Mac OS version "whatever" from several years ago ;-) (although I still see the behavior I described in the DHCP server logs from time to time)...

Vyto

----- Original Message -----
From: "Thomas Jordan"
To: "Vyto Grigaliunas"
Cc: "Benn Tannenbaum"
Sent: Thursday, June 21, 2001 8:15 AM
Subject: Re: Kerberos & DHCP

>
> On Wednesday, June 20, 2001, at 10:52 AM, Vyto Grigaliunas wrote:
>
> > Hi...
> >
> > It's been my experience that Mac OS will use a DHCP address only for as long
> > as it needs it, then release it. For example, to read or download your mail,
> > it will request a DHCP address, use it for as long as it takes for the session
> > to the mail server, then release it, which means that address is available for
> > some other DHCP client to use and that your Mac may not get the same address
> > the next time.
> >
>
> Sorry, but this statement about the use of DHCP on the Mac is incorrect.
> I use DHCP and the five Macs in my office always have the same IP
> address. I leave them on 24/7. They must keep the address or I could not:
> ping them, log in to them, fileshare on that IP address, or use them as
> dummy webservers to test a script.
>
> I have not used Kerberos enough to replicate Benn's problem but wonder
> if it is a "feature" of the MIT package...
>
> Best,
> Tom
>
>
> Thomas Jordan
> Fermi National Accelerator Laboratory
> PO Box 500, MS 226 WH15W
> Batavia, Il
> 60510-0500
> ofc:630.840.4035 fax:630.840.8248

From kreymer@fnal.gov Thu Jun 21 09:23:56 2001 -0500
Date: Thu, 21 Jun 2001 16:23:32 +0200
From: Benn Tannenbaum
Subject: Re: Kerberos & DHCP
In-reply-to: <002f01c0fa5b$5de1f030$0550e183@fnal.gov>
To: kerberos-users@fnal.gov

on 21/6/01 4:06 PM, Vyto Grigaliunas spake thusly:

>
> I assume you're not running Mac OS version "whatever" from several years ago
> ;-) (although I still see the behavior I described in the DHCP server logs
> from time to time)...

I am-- 8.6 seems to be the last of the "bad" DHCP systems. Once I upgrade I'll let you know....
-Benn

From kreymer@fnal.gov Thu Jun 21 10:31:21 2001 -0500
Date: Thu, 21 Jun 2001 10:30:47 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT AR ticket 19145 Has Been Updated.
In-reply-to: "20 Jun 2001 15:51:02 CDT." <318CC3D38BE0D211BB1200105A093F7618241F@csdserver2.fnal.gov>
To: ARSystem
Cc: kerberos-users@fnal.gov
Message-id: <200106211530.f5LFUl305786@gungnir.fnal.gov>

It appears that Igor has deleted /etc/krb5.keytab. I left him voicemail about recreating it.
He needs to call me back.

From kreymer@fnal.gov Thu Jun 21 10:35:28 2001 -0500
Date: Thu, 21 Jun 2001 10:35:21 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019145
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761824CE@csdserver2.fnal.gov>

The following note has been sent to the requester: TEREKHOV, IGOR

Short Description: Cannot activate host/ftp principals

Notes to Requester:
It appears that Igor has deleted /etc/krb5.keytab.
I left him voicemail about recreating it. He needs to call me back.

From kreymer@fnal.gov Thu Jun 21 11:09:54 2001 -0500
Date: Thu, 21 Jun 2001 11:09:20 -0500
From: Matt Crawford
Subject: Re: 000000000019141 Assigned to CRAWFORD, MATT.
In-reply-to: "19 Jun 2001 16:08:18 CDT." <318CC3D38BE0D211BB1200105A093F76182344@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106211609.f5LG9K305965@gungnir.fnal.gov>

> Problem Description : I tried to telnet from my service provider
> account. It appears that kerberos does not recognize it.
> I believe that I am carlosf@mcsnet.com

Kerberos does not know or care what your ISP or email address is. If you want to connect to a Kerberized fermi system "blah.fnal.gov", then choose one of the following:

If you have Kerberos on the system under your fingers, you do
    kinit hojvat
    telnet blah.fnal.gov

If you do not have Kerberos software
    telnet blah.fnal.gov
and use your cryptocard to respond to the challenge it presents.

If you really are connecting to fsgi01 or any other fnalu host, Kerberos has nothing to do with it -- Kerberos is NOT installed on fnalu! (Except one new Linux 7.1 node for testing.)

From kreymer@fnal.gov Thu Jun 21 11:16:57 2001 -0500
Date: Thu, 21 Jun 2001 11:16:52 -0500
From: ARSystem
Subject: CRAWFORD, MATT #19141 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761824E7@csdserver2.fnal.gov>

Thank you for your assistance.

Help Desk ticket #000000000019141 has been resolved on 6/21/01 11:14:45 AM
Resolution Timestamp: 6/21/01 11:09:33 AM
Solution Category: Information Request
Problem Category: Software
Item: Kerberos
Type: Utilities
Short Description: telnet

Solution:
Kerberos does not know or care what your ISP or email address is. If you want to connect to a Kerberized fermi system "blah.fnal.gov", then choose one of the following:

If you have Kerberos on the system under your fingers, you do
    kinit hojvat
    telnet blah.fnal.gov

If you do not have Kerberos software
    telnet blah.fnal.gov
and use your cryptocard to respond to the challenge it presents.

If you really are connecting to fsgi01 or any other fnalu host, Kerberos has nothing to do with it -- Kerberos is NOT installed on fnalu! (Except one new Linux 7.1 node for testing.)

Problem Description:
I tried to telnet from my service provider account. It appears that kerberos does not recognize it. I believe that I am carlosf@mcsnet.com. Whom should I contact?
Thanks, Carlos

From kreymer@fnal.gov Thu Jun 21 11:19:08 2001 -0500
Date: Thu, 21 Jun 2001 11:18:34 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT, Reminder for 19036
In-reply-to: "18 Jun 2001 12:03:51 CDT." <318CC3D38BE0D211BB1200105A093F76182134@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106211618.f5LGIY306036@gungnir.fnal.gov>

Discussing this with Maarten, I concluded that it is most probably due to a combination of TCP keepalives and occasional routing interruptions in the internet.
He will watch for further evidence that supports or refutes that diagnosis.

From kreymer@fnal.gov Thu Jun 21 11:22:10 2001 -0500
Date: Thu, 21 Jun 2001 11:22:03 -0500
From: ARSystem
Subject: CRAWFORD, MATT #19036 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761824FB@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000019036 has been resolved on 6/21/01 11:20:57 AM Resolution Timestamp: : 6/21/01 11:19:50 AM Solution Category : Information Request Problem Category : Software Item : Kerberos Type : Utilities Short Description : Kerberos telnet/ssh hangs or crashes Solution : Discussing this with Maarten, I concluded that it is most probably due to a combination of TCP keepalives and occasional routing interruptions in the internet. He will watch for further evidence that supports or refutes that diagnosis. Problem Description : I have repeatedly observed that a /usr/krb5/bin/telnet to a non-Kerberos host at CERN after some period of inactivity (>~ 30 min.) just hangs and has to be killed. Similarly an inactive /usr/krb5/bin/ssh to a non-Kerberos host at CERN crashed various times on me, the last time accompanied by this error message: Local: Corrupted check bytes on input. This happens on 3 Kerberized nodes: fndaub (IRIX), fndaut (Solaris) and fndapt (Linux). Needless to say this is extremely annoying. 
Thanks, Maarten

From kreymer@fnal.gov Thu Jun 21 12:13:57 2001 -0500
Date: Thu, 21 Jun 2001 12:13:54 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19141 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182511@csdserver2.fnal.gov>

19141 has been updated by blomberg.

Short Description : telnet

New Work Log Entry :

From: "Carlos Hojvat"
To: "ARSystem"
Subject: Ticket 19141
Date: Thursday, June 21, 2001 12:10 PM

Dear ARSystem,

Criptocard? I only have Visa and Mastercard!

I telnet to fsgi01.fnal.gov and responded with a message indicating "kerberos" and "not in some list". I did not copy the message but somehow fsgi01 wanted some secure access. There must be some security request despite your statement that telnet is good enough for fsgi01.

Thanks,
Carlos Hojvat

Ticket ReOpened. The Previous Solution was :

Kerberos does not know or care what your ISP or email address is. If you want to connect to a Kerberized fermi system "blah.fnal.gov", then choose one of the following:

If you have Kerberos on the system under your fingers, you do

    kinit hojvat
    telnet blah.fnal.gov

If you do not have Kerberos software

    telnet blah.fnal.gov

and use your cryptocard to respond to the challenge it presents.

If you really are connecting to fsgi01 or any other fnalu host, Kerberos has nothing to do with it -- Kerberos is NOT installed on fnalu! (Except one new Linux 7.1 node for testing.)

From kreymer@fnal.gov Thu Jun 21 15:01:10 2001 -0500
Date: Thu, 21 Jun 2001 15:00:36 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT AR ticket 19141 Has Been Updated.
In-reply-to: "21 Jun 2001 12:13:54 CDT." <318CC3D38BE0D211BB1200105A093F76182511@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106212000.f5LK0b307302@gungnir.fnal.gov>

I said that fsgi01 does not have Kerberos installed. That was hours ago and things sometimes change quickly, but this thing hasn't. It still does not have Kerberos installed. (Kerberos as we know it, that is. Obviously it has AFS, which incorporates some parts of an old version of kerberos.)

Any problems logging in to fsgi01 should be taken to a fnalu admin.
From kreymer@fnal.gov Thu Jun 21 16:13:51 2001 -0500
Date: Thu, 21 Jun 2001 16:13:48 -0500 (CDT)
From: Steven Timm
Subject: Problems with kerberos-supplied login on OSF1+V4
To: kerberos-users@fnal.gov

I have installed the kerberos product, including the automatic replacement of the /bin/login, on four nodes, kpasa, ksera, klik, and klak.

I found to my surprise that it was no longer possible to log in as root on the console. Other non-privileged accounts work, but not root.

This needs to get fixed as soon as possible, please.

Steve Timm
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Thu Jun 21 16:39:16 2001 -0500
Date: Thu, 21 Jun 2001 16:38:42 -0500
From: Matt Crawford
Subject: Re: Problems with kerberos-supplied login on OSF1+V4
In-reply-to: "21 Jun 2001 16:13:48 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200106212138.f5LLcg308051@gungnir.fnal.gov>

> I have installed the kerberos product, including the automatic
> replacement of the /bin/login, on four nodes, kpasa, ksera,klik,and
> klak.
>
> I found to my surprise that it was no longer possible to log in
> as root on the console. Other non-privileged accounts work,
> but not root.

Was it possible to do so before the installation? login.krb5 will respect the root login restrictions in /etc/ttys, /etc/default/login or wherever your particular OS may keep them.

From kreymer@fnal.gov Thu Jun 21 16:53:58 2001 -0500
Date: Thu, 21 Jun 2001 16:53:55 -0500
From: Lynn Garren
Subject: draft manual
To: kerberos-users@fnal.gov
Reply-to: garren@fnal.gov
Message-id: <200106212153.QAA06274@fnpspb.fnal.gov>

I notice that the "Kerberized Network Programs" chapter has been removed from the draft document. Is this intentional or an oversight? I find that chapter useful.

Lynn

From kreymer@fnal.gov Fri Jun 22 09:09:06 2001 -0500
Date: Fri, 22 Jun 2001 09:09:04 -0500 (CDT)
From: Steven Timm
Subject: Re: Problems with kerberos-supplied login on OSF1+V4
In-reply-to: <200106212138.f5LLcg308051@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-users@fnal.gov

On Thu, 21 Jun 2001, Matt Crawford wrote:

> > I have installed the kerberos product, including the automatic
> > replacement of the /bin/login, on four nodes, kpasa, ksera,klik,and
> > klak.
> >
> > I found to my surprise that it was no longer possible to log in
> > as root on the console. Other non-privileged accounts work,
> > but not root.
>
> Was it possible to do so before the installation? login.krb5 will
> respect the root login restrictions in /etc/ttys, /etc/default/login
> or wherever your particular OS may keep them.
>

Yes it was possible.. I'm informed that it is still possible to do so on the build cluster machine where this same software is installed.

My question.. does login.krb5 put you on a different tty than the console?
Steve

From kreymer@fnal.gov Fri Jun 22 09:42:34 2001 -0500
Date: Fri, 22 Jun 2001 09:41:57 -0500
From: Matt Crawford
Subject: Re: Problems with kerberos-supplied login on OSF1+V4
In-reply-to: "22 Jun 2001 09:09:04 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200106221441.f5MEfv309734@gungnir.fnal.gov>

> > Was it possible to do so before the installation? login.krb5 will
> > respect the root login restrictions ...
>
> Yes it was possible.. I'm informed that it is still possible to
> do so on the build cluster machine where this same software is
> installed.
>
> My question.. does login.krb5 put you on a different tty than the
> console?

No, it couldn't do that. Let's see ... OSF/1 ... what does your /etc/securettys look like?

From kreymer@fnal.gov Fri Jun 22 09:58:25 2001 -0500
Date: Fri, 22 Jun 2001 09:57:06 -0500 (CDT)
From: Steven Timm
Subject: Re: Problems with kerberos-supplied login on OSF1+V4
In-reply-to: <200106221441.f5MEfv309734@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-users@fnal.gov

From /etc/securettys

    /dev/console
    local:0
    :0
    ptys
-----------------------------------

by comparing against securettys on bldosf1v40d I found that I need to add "console" to /etc/securettys and then the login works.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 22 Jun 2001, Matt Crawford wrote:

> > > Was it possible to do so before the installation? login.krb5 will
> > > respect the root login restrictions ...
> >
> > Yes it was possible.. I'm informed that it is still possible to
> > do so on the build cluster machine where this same software is
> > installed.
> >
> > My question.. does login.krb5 put you on a different tty than the
> > console?
>
> No, it couldn't do that. Let's see ... OSF/1 ... what does your
> /etc/securettys look like?
>

From kreymer@fnal.gov Fri Jun 22 12:23:11 2001 -0500
Date: Fri, 22 Jun 2001 12:23:09 -0500
From: slimmer@fnal.gov
Subject: (Fwd) Re: WRQ and fnods login
To: kerberos-users@heffalump.fnal.gov
Cc: slimmer@fnal.gov
Reply-to: slimmer@fnal.gov
Message-id: <0GFC007NHDMLL0@smtp.fnal.gov>

hi,

The e-mail on fnods and follow-up on fndaut both describe a problem trying to access kerberized _x machines. The error in both cases is

> Server principle not found in Kerberos database
> (KDC007)

Any ideas on a solution?

thanks,
Dave

------- Forwarded Message Follows -------
Date sent: Fri, 22 Jun 2001 10:24:52 -0500
From: Diana Bonham
Subject: Re: WRQ and fnods login
To: slimmer@fnal.gov
Copies to: Margaret Votava , ods-admin@smtp.fnal.gov
Organization: Fermi National Accelerator Laboratory

Hi Dave. I don't consider myself a "trail blazer", but I also get this same error when trying to access fndaut from WRQ. However, I know that fndaut accepts principals from both the PILOT and FNAL domains. This apparently isn't obvious with the klist -k command, because when I issue this command on fndaut, I get similar to what you noted below. However, if you look in /etc/krb5.conf under the "realms" section, you'll see a heading for each realm it accepts from. FNDAUT has a heading for both PILOT and FNAL, so one would expect that even though my WRQ is set up to access the PILOT realm, fndaut should still accept my credentials. But I get the same error you get...

As Margaret suggested, I changed my kerberos password, but I still get the error.

Diana

slimmer@fnal.gov wrote:
>
> After more investigation, it appears that the fnods is setup for the
> FNAL.GOV realm only.
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    2 ftp/fnods.fnal.gov@FNAL.GOV
>    2 host/fnods.fnal.gov@FNAL.GOV
>
> I was trying to use my default WRQ slimmer@PILOT.FNAL.GOV principal, so
> I setup a new realm configuration in WRQ for slimmer@FNAL.GOV using the
> new KDC nodes. I also logged into fndaub and changed my password for the
> slimmer@FNAL.GOV principal as suggested by the "Migration to FNAL.GOV
> realm started May 7" link on the Kerberos web page.
> I then obtained a krbtgt in the FNAL.GOV realm, and tried starting a
> telnet session with WRQ to fnods. I still get the same error shown in my
> first message.
>
> Server principle not found in Kerberos database
> (KDC007)
>
> So my only method of login remains using the cripto card with a
> F-secure window.
> No other trail blazers out there?
>
> Dave
>
> > try changing your kerberos password. think there was a bug with
> > wrq when going from the pilot to production realm.
> >
> > slimmer@fnal.gov wrote:
> > >
> > > hi,
> > > WRQ gives this error:
> > >
> > > Server principle not found in Kerberos database
> > > (KDC007)
> > >
> > > I think my configuration for the fnods login should be ok since I
> > > copied it from another kerberized machine login configuration that
> > > still works.
> > >
> > > Any ideas?
> > >
> > > Dave
> >
> > --
> > Margaret Votava votava@fnal.gov
> > Computing Division/Online and Database Systems 630-840-2625 (office)
> > Fermi National Accelerator Laboratory 630-840-6345 (fax)
> > http://www.fnal.gov 630-612-8220 (pager)

From kreymer@fnal.gov Fri Jun 22 16:05:14 2001 -0500
Date: Fri, 22 Jun 2001 16:04:38 -0500
From: Matt Crawford
Subject: Re: (Fwd) Re: WRQ and fnods login
In-reply-to: "22 Jun 2001 12:23:09 CDT." <0GFC007NHDMLL0@smtp.fnal.gov>
To: slimmer@fnal.gov
Cc: kerberos-users@heffalump.fnal.gov
Message-id: <200106222104.f5ML4c310863@gungnir.fnal.gov>

It looks like you're mapping the target hostname (fndaut.fnal.gov or fnods.fnal.gov) to the wrong realm and attempting cross-realm authentication to a non-existent realm. Check the "Hosts" tab of the Kerberos Manager's Configure>Realms item. (I think that's where it is.)

Hmm, and make sure your system doesn't think the official hostname is the one-word portion (fndaut or fnods, without the fnal.gov). But I don't know how you can get that wrong on a windows machine ... it would take deliberate entry in a hosts file someplace, I think.

From kreymer@fnal.gov Mon Jun 25 12:08:18 2001 -0500
Date: Mon, 25 Jun 2001 12:07:53 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 18992
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182764@csdserver2.fnal.gov>

This reminder created on 6/25/01 12:03:08 PM

Ticket 18992 has been assigned to you. This is a reminder that the ticket is not yet resolved.

Status            : Assigned
First Name        : MARC
Last Name (+)     : PATERNO
Phone             : 4532
E-Mail Address    : PATERNO@FNAL.GOV
Incident Time     : 6/12/01 11:29:45 AM
System Name       : D0LXBLD7
Problem Category  : Software
Item              : Kerberos
Type              : Utilities
Urgency           : Medium
Short Description : kerberized FTP

Problem Description :
Hello,

I'm trying to use Reflection FTP Client to do a kerberized FTP from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect it may be because I'm still using paterno@PILOT.FNAL.GOV as my Kerberos principal. I tried looking in the documentation at http://www.fnal.gov/docs/strongauth/, but was unable to find instructions for how to switch my principal. The installation instructions for WRQ Reflection still say to use PILOT.FNAL.GOV. Could someone please tell me where I can find the appropriate instructions?

thanks,
Marc
--
Marc Paterno
FNAL/CD Special Assignments
(630) 840-4532 (WH 6E, 645)
(630) 840-6457 (CDF Trailer 169F)
(630) 840-6689 (DAB 5)

From kreymer@fnal.gov Mon Jun 25 12:48:34 2001 -0500
Date: Mon, 25 Jun 2001 12:48:31 -0500
From: ARSystem
Subject: 000000000018977 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761827F3@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000018977 has been assigned to you. It is a(n) Medium priority Operating System/Unix /I/O Errors type of problem.

Short description : scp / fndaub migration
Badge # (+)       : 05713N
First Name        : DAVID
Last Name (+)     : SLIMMER
Phone             : 4334
E-Mail Address    : SLIMMER@FNAL.GOV
Incident Time     : 6/12/01 8:34:07 AM
System Name       : FNDAUB
Urgency           : Medium

Public Work Log :
6/25/01 12:43:48 PM marih

From: "Margaret Votava"
To: "ARSystem"
Cc:
Subject: Re: RITCHIE, DAVID, Reminder for 18977
Date: Monday, June 25, 2001 12:31 PM

hi, i think this is a kerberos question and should be routed to kerberos-users.

thanks,
margaret

Problem Description :
The scp command is giving the following error:

    scp -pr slimmer@fndaub:/vxols slimmer@fnods:/usr/products/vxols
    slimmer@fndaub's password:
    You have no controlling tty and no DISPLAY. Cannot read passphrase.
    lost connection

    which ssh
    /usr/krb5/bin/ssh
    which scp
    /usr/krb5/bin/scp

    which scp
    /usr/bin/scp
    which ssh
    /usr/bin/ssh

The scp man page does not describe the "controlling tty" and "DISPLAY" requirements. Do both machines have to be using the krb5 scp and ssh?

Dave

From kreymer@fnal.gov Mon Jun 25 12:48:35 2001 -0500
Date: Mon, 25 Jun 2001 12:48:31 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18977 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761827F4@csdserver2.fnal.gov>

18977 has been updated by marih.

Short Description : scp / fndaub migration

New Work Log Entry :

From: "Margaret Votava"
To: "ARSystem"
Cc:
Subject: Re: RITCHIE, DAVID, Reminder for 18977
Date: Monday, June 25, 2001 12:31 PM

hi, i think this is a kerberos question and should be routed to kerberos-users.

thanks,
margaret

From kreymer@fnal.gov Mon Jun 25 13:06:03 2001 -0500
Date: Mon, 25 Jun 2001 13:06:02 -0500 (CDT)
From: Steven Timm
Subject: Re: 000000000018977 Assigned to CRAWFORD, MATT.
In-reply-to: <318CC3D38BE0D211BB1200105A093F761827F3@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"

Need some basic information...
I presume that this is inside some command procedure.
How was this scp command working before kerberos?
Was it relying on a .rhosts file on fnods? Or an identity key pair?
If either of those, by default these will not work with the kerberos
ssh client because it's not setuid-root as the old one was.

Also, is fnods running a kerberized sshd as yet? If so, the right thing
to do is just to make sure you kinit at the beginning of your
process--I would suggest kcron, and then things will be fine.

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 25 Jun 2001, ARSystem wrote:

> CRAWFORD, MATT, Help Desk Ticket #000000000018977
> has been assigned to you.
>
> It is a(n) Medium priority Operating System/Unix
> /I/O Errors type of problem.
> Short description: scp / fndaub migration
>
> Badge # (+) : 05713N
> First Name : DAVID
> Last Name (+) : SLIMMER
> Phone : 4334
> E-Mail Address : SLIMMER@FNAL.GOV
> Incident Time : 6/12/01 8:34:07 AM
> System Name : FNDAUB
> Urgency : Medium
> Public Work Log :
> 6/25/01 12:43:48 PM marih
> From: "Margaret Votava"
> To: "ARSystem"
> Cc:
> Subject: Re: RITCHIE, DAVID, Reminder for 18977
> Date: Monday, June 25, 2001 12:31 PM
>
> hi,
>
> i think this is a kerberos question and should be routed
> to kerberos-users.
>
> thanks,
> margaret
>
> Problem Description : The scp command is giving the following error:
>
> scp -pr slimmer@fndaub:/vxols slimmer@fnods:/usr/products/vxols
> slimmer@fndaub's password:
> You have no controlling tty and no DISPLAY. Cannot read passphrase.
> lost connection
>
> which ssh
> /usr/krb5/bin/ssh
> which scp
> /usr/krb5/bin/scp
>
> which scp
> /usr/bin/scp
> which ssh
> /usr/bin/ssh
>
> The scp man page does not describe the "controlling tty" and "DISPLAY"
> requirements. Do both machines have to be using the krb5 scp and ssh?
>
> Dave

From kreymer@fnal.gov Mon Jun 25 13:14:29 2001 -0500
Date: Mon, 25 Jun 2001 13:14:24 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000018977
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618280D@csdserver2.fnal.gov>

The following note has been sent to the requester: SLIMMER, DAVID

Short Description : scp / fndaub migration
Notes to Requester :
Need some basic information...
I presume that this is inside some command procedure.
How was this scp command working before kerberos?
Was it relying on a .rhosts file on fnods? Or an identity key pair?
If either of those, by default these will not work with the kerberos
ssh client because it's not setuid-root as the old one was.

Also, is fnods running a kerberized sshd as yet? If so, the right thing
to do is just to make sure you kinit at the beginning of your
process--I would suggest kcron, and then things will be fine.

From kreymer@fnal.gov Mon Jun 25 13:29:56 2001 -0500
Date: Mon, 25 Jun 2001 13:29:54 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18977 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182818@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000018977 has been resolved on 6/25/01 1:29:19 PM

Resolution Timestamp: : 6/25/01 1:22:25 PM
Solution Category : Service Request
Problem Category : Operating System
Item : I/O Errors
Type : Unix
Short Description : scp / fndaub migration
Solution : Though not solved, the answer to this question is no longer
needed. I've employed a work around.

Problem Description : The scp command is giving the following error:

scp -pr slimmer@fndaub:/vxols slimmer@fnods:/usr/products/vxols
slimmer@fndaub's password:
You have no controlling tty and no DISPLAY. Cannot read passphrase.
lost connection

which ssh
/usr/krb5/bin/ssh
which scp
/usr/krb5/bin/scp

which scp
/usr/bin/scp
which ssh
/usr/bin/ssh

The scp man page does not describe the "controlling tty" and "DISPLAY"
requirements. Do both machines have to be using the krb5 scp and ssh?

Dave

From kreymer@fnal.gov Mon Jun 25 14:11:04 2001 -0500
Date: Mon, 25 Jun 2001 14:10:23 -0500
From: Matt Crawford
Subject: Re: 000000000018977 Assigned to CRAWFORD, MATT.
In-reply-to: "25 Jun 2001 12:48:31 CDT." <318CC3D38BE0D211BB1200105A093F761827F3@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106251910.f5PJANi00939@gungnir.fnal.gov>

> i think this is a kerberos question and should be routed
> to kerberos-users.
>
> Problem Description : The scp command is giving the following error:
> scp -pr slimmer@fndaub:/vxols slimmer@fnods:/usr/products/vxols
> slimmer@fndaub's password:
> You have no controlling tty and no DISPLAY. Cannot read passphrase.
> lost connection

If he were using Kerberos, it would not be trying to read a pass phrase.
Therefore, it is not a Kerberos problem. It could be a problem in the ssh
product *maybe*, or a straightforward problem in the invocation
environment. For instance, is the message correct that the user has no
controlling tty?

This should go to either the ssh maintainer or general unix support.

From kreymer@fnal.gov Mon Jun 25 14:11:08 2001 -0500
Date: Mon, 25 Jun 2001 14:11:07 -0500
From: ARSystem
Subject: Help Desk Ticket 19085 Has Been Resolved.
To: "'KREYMER@FNAL.GOV'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618282D@csdserver2.fnal.gov>

We have received a resolution from our support staff. If you find the
resolution inadequate in any way, please contact us. If we do not hear
from you within 14 days, we will close the problem. However, the report
can easily be re-opened if necessary.

Short Description : ssh v1_2_27f signal-11 crashes
Solution : Node cdfpca is available via Kerberized methods only.

Problem Description : I have been having frequent problems with ssh
v1_2_17f crashing on making outgoing connections, depending on the name
of the remote node, and on the exact command being executed.

The problem has been observed on

cdfpca
Fermi Linux Release 6.1.2 (Strange)
Linux cdfpca.fnal.gov 2.2.16-3smp #1 SMP Mon Jun 19 19:00:35 EDT 2000 i686 unknown

fcdflnx1
Fermi Linux Release 6.1.1 (Strange)
Linux fcdflnx1.fnal.gov 2.4.4 #2 SMP Fri May 4 12:08:15 CDT 2001 i686 unknown

Here's an example

FCDFLNX1 > ssh -l cdfsoft photon.hep.upenn.edu
Received signal 11.

Turning on verification with -v often helps.
The crashes can occur even when the target node is not on the network.

AHA! I have just discovered a case which seems to ALWAYS crash :

ssh ' '

even when the host does not exist at all.

I cannot test this on flxi01 or flxi02, as they do not have ssh v1_2_27f.
When I copy the v1_2_27f ssh into /afs/fnal.gov/files/home/room1/kreymer/ssh,
I see this :

FLXI02 > ./ssh cdfpca.fnal.gov
Kerberos V5: Can't open/find Kerberos configuration file while initializing krb5.

FLXI02 > ./ssh cdfpca.fnal.gov -o "KerberosAuthentication=no"
Kerberos V5: Can't open/find Kerberos configuration file while initializing krb5.

And I do not see these crashes on bldlinux61.
But that system is not running Fermi RedHat.
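Steve Timm's reply above turns on two facts about a migrating batch job: which `ssh`/`scp` binary PATH actually resolves to (the ticket's `which` output shows both /usr/krb5/bin and /usr/bin copies) and that the Kerberized client is not setuid root, so rhosts-style authentication from a privileged port is gone. The following is an added example, not code from the thread or from Fermilab; it audits both points. The directory layout and the stub binaries are constructed in a temporary directory, and the `audit`, `resolve_all` and `classify_mode` names are this example's own.

```python
"""Audit which ssh/scp a batch job will run and whether any copy is setuid root.

Added example for the ticket above. Everything under build_demo_tree() is a
constructed stand-in for the ticket's /usr/krb5/bin and /usr/bin layout."""
import os
import stat
import tempfile


def resolve_all(command, path_env):
    """Every executable named `command` on the given PATH string, in search
    order (like `which -a`). The first entry is what a script that does not
    use a full path will run."""
    found = []
    for directory in path_env.split(os.pathsep):
        if not directory:
            continue
        candidate = os.path.join(directory, command)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            found.append(candidate)
    return found


def classify_mode(mode, owner_uid):
    """Pure helper on st_mode/st_uid: is the file setuid at all, and is it
    setuid *root* (the way the pre-Kerberos ssh client was installed)."""
    is_setuid = bool(mode & stat.S_ISUID)
    return {"setuid": is_setuid, "setuid_root": is_setuid and owner_uid == 0}


def audit(command, path_env):
    """One dict per candidate binary, in PATH order, with its setuid status."""
    report = []
    for path in resolve_all(command, path_env):
        st = os.stat(path)
        entry = {"path": path, "owner_uid": st.st_uid}
        entry.update(classify_mode(st.st_mode, st.st_uid))
        report.append(entry)
    return report


def build_demo_tree():
    """Constructed layout: a 'Kerberized' client under krb5/bin and a 'legacy'
    client under usr/bin. Both are plain 0755 shell stubs, so neither is
    setuid; the point is to see PATH order change what runs."""
    root = tempfile.mkdtemp(prefix="sshaudit-")
    krb5_dir = os.path.join(root, "krb5", "bin")
    usr_dir = os.path.join(root, "usr", "bin")
    for directory in (krb5_dir, usr_dir):
        os.makedirs(directory)
        for name in ("ssh", "scp"):
            target = os.path.join(directory, name)
            with open(target, "w") as fh:
                fh.write("#!/bin/sh\necho stub\n")
            os.chmod(target, 0o755)
    return krb5_dir, usr_dir


def demo():
    """Run the audit with the Kerberized directory first, then the system
    directory first, mirroring the two `which` results in the ticket."""
    krb5_dir, usr_dir = build_demo_tree()
    return {
        "krb5_first": audit("ssh", os.pathsep.join([krb5_dir, usr_dir])),
        "system_first": audit("ssh", os.pathsep.join([usr_dir, krb5_dir])),
    }


if __name__ == "__main__":
    for label, entries in demo().items():
        print(label)
        for entry in entries:
            print("  ", entry)
```

Run against a real PATH, `audit("ssh", os.environ["PATH"])` shows in one place whether a cron job will pick up the Kerberized client and whether any legacy setuid-root copy is still on the search path; a setuid-root client is the larger attack surface, so finding none is the desired result after migration.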
From kreymer@fnal.gov Mon Jun 25 14:31:43 2001 -0500
Date: Mon, 25 Jun 2001 14:31:38 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18977 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182833@csdserver2.fnal.gov>

18977 has been updated by marih.

Short Description : scp / fndaub migration
New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem"
Cc:
Subject: Re: 000000000018977 Assigned to CRAWFORD, MATT.
Date: Monday, June 25, 2001 2:11 PM

If he were using Kerberos, it would not be trying to read a pass phrase.
Therefore, it is not a Kerberos problem. It could be a problem in the ssh
product *maybe*, or a straightforward problem in the invocation
environment. For instance, is the message correct that the user has no
controlling tty?

This should go to either the ssh maintainer or general unix support.

Ticket ReOpened the Previous Solution was :Though not solved, the answer
to this question is no longer needed. I've employed a work around.

From kreymer@fnal.gov Mon Jun 25 14:31:45 2001 -0500
Date: Mon, 25 Jun 2001 14:31:38 -0500
From: ARSystem
Subject: CRAWFORD, MATT #18977 Resolved.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182835@csdserver2.fnal.gov>

Thank you for your assistance.
Help Desk ticket #000000000018977 has been resolved on 6/25/01 2:30:43 PM

Resolution Timestamp: : 6/25/01 1:22:49 PM
Solution Category : Service Request
Problem Category : Operating System
Item : I/O Errors
Type : Unix
Short Description : scp / fndaub migration
Solution : Though not solved, the answer to this question is no longer
needed. I've employed a work around.

Problem Description : The scp command is giving the following error:

scp -pr slimmer@fndaub:/vxols slimmer@fnods:/usr/products/vxols
slimmer@fndaub's password:
You have no controlling tty and no DISPLAY. Cannot read passphrase.
lost connection

which ssh
/usr/krb5/bin/ssh
which scp
/usr/krb5/bin/scp

which scp
/usr/bin/scp
which ssh
/usr/bin/ssh

The scp man page does not describe the "controlling tty" and "DISPLAY"
requirements. Do both machines have to be using the krb5 scp and ssh?
Dave

From kreymer@fnal.gov Mon Jun 25 15:38:48 2001 -0500
Date: Mon, 25 Jun 2001 15:38:42 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19255 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182857@csdserver2.fnal.gov>

19255 has been updated by marih.

Short Description : Kerberos
New Work Log Entry :
From: "Joseph Boyd"
To: "ARSystem"
Cc:
Subject: Re: 000000000019255 Assigned to KOVICH, STEVEN.
Date: Monday, June 25, 2001 3:23 PM

Helpdesk,
This is the known problem where the WRQ software needs to be told to
use the FNAL.GOV realm by default instead of the PILOT.FNAL.GOV realm
since d0mino is now in the FNAL.GOV realm. Did the kerberos or NT folks
ever put up a web page showing people how to do that?

Please forward this to either the NT or kerberos folks who should have
this documented somewhere.

joe

From kreymer@fnal.gov Mon Jun 25 15:38:49 2001 -0500
Date: Mon, 25 Jun 2001 15:38:42 -0500
From: ARSystem
Subject: 000000000019255 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182856@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019255
has been assigned to you.

It is a(n) Medium priority Software/Utilities
/Kerberos type of problem.
Short description: Kerberos

Badge # (+) : 11965N
First Name : DONALD
Last Name (+) : LINCOLN
Phone : 5218
E-Mail Address : LUCIFER@FNAL.GOV
Incident Time : 6/25/01 3:02:38 PM
System Name : D0MINO
Urgency : Medium
Public Work Log :
6/25/01 3:33:54 PM marih
From: "Joseph Boyd"
To: "ARSystem"
Cc:
Subject: Re: 000000000019255 Assigned to KOVICH, STEVEN.
Date: Monday, June 25, 2001 3:23 PM

Helpdesk,
This is the known problem where the WRQ software needs to be told to
use the FNAL.GOV realm by default instead of the PILOT.FNAL.GOV realm
since d0mino is now in the FNAL.GOV realm. Did the kerberos or NT folks
ever put up a web page showing people how to do that?

Please forward this to either the NT or kerberos folks who should have
this documented somewhere.

joe

Problem Description : I am having trouble running Kerberized FTP from my
D0 NT (D0NT50) box trying to attach to D0Mino. I can attach to D0mino via
kerberized telnet without difficulty. But when I try to connect with the
FTP utility, it doesn't work. I have been able to do this in the past. It
has not worked for quite a long while and I haven't reported it because I
can still use my cryptocard.

I have had identical problems using my laptop.

Is this a known problem?
Don Lincoln From kreymer@fnal.gov Tue Jun 26 09:22:30 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA02115 for ; Tue, 26 Jun 2001 09:22:30 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ006MDJXG47@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 09:22:30 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163218@listserv.fnal.gov>; Tue, 26 Jun 2001 09:22:28 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146401 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 09:22:28 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163217@listserv.fnal.gov>; Tue, 26 Jun 2001 09:22:28 -0500 Received: from cuervo ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GFJ006RNJXF2Z@smtp.fnal.gov>; Tue, 26 Jun 2001 09:22:28 -0500 (CDT) Date: Tue, 26 Jun 2001 09:22:27 -0500 From: "Mark O. Kaletka" Subject: RE: 000000000019255 Assigned to CRAWFORD, MATT. In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: ARSystem , kerberos-users@fnal.gov, wrq-users@fnal.gov Cc: JOE BOYD , lucifer@fnal.gov, STEVEN KOVICH Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1378 It (the procedure for adding the production realm to WRQ) is documented in the archives of both wrq-users and kerberos-users; since a new version of WRQ is very imminent, we'll document the whole upgrade procedure when it's available. 
In the meantime please refer here: http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106&L=wrq-users&F=&S=&P=61 or here: http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106c&L=kerberos-users&F=&S=&X =30D9D33D0AFD10B18B&Y=kaletka@fnal.gov&P=2165 > -----Original Message----- > From: ARSystem [mailto:helpdesk@FNAL.GOV] > Sent: Monday, June 25, 2001 3:39 PM > Subject: 000000000019255 Assigned to CRAWFORD, MATT. > > > CRAWFORD, MATT, Help Desk Ticket #000000000019255 > has been assigned to you. > > It is a(n) Medium priority Software/Utilities > /Kerberos type of problem. > Short description: Kerberos > > > > Badge # (+) : 11965N > First Name : DONALD > Last Name (+) : LINCOLN > Phone : 5218 > E-Mail Address : LUCIFER@FNAL.GOV > Incident Time : 6/25/01 3:02:38 PM > System Name : D0MINO > Urgency : Medium > Public Work Log : > 6/25/01 3:33:54 PM marih > From: "Joseph Boyd" > To: "ARSystem" > Cc: > Subject: Re: 000000000019255 Assigned to KOVICH, STEVEN. > Date: Monday, June 25, 2001 3:23 PM > > Helpdesk, > This is the known problem where the WRQ software needs to be > told to > use the FNAL.GOV realm by default instead of the PILOT.FNAL.GOV > realm > since d0mino is now in the FNAL.GOV realm. Did the kerberos or NT > folks > ever put up a web page showing people how to do that? > > Please forward this to either the NT or kerberos folks who should > have > this documented somewhere. > > joe > > > Problem Description : I am having trouble running Kerberized FTP from my > D0 NT (D0NT50) box trying > to attach to D0Mino. I can attach to D0mino via kerberized telnet > without > difficulty. But when I try to connect with the FTP utility, it > doesn't > work. I have been able to do this in the past. It has not worked > for quite > a long while and I haven't reported it because I can still use my > cryptocard. > > I have had identical problems using my laptop. > > Is this a known problem? 
> > Don Lincoln > From kreymer@fnal.gov Tue Jun 26 10:16:41 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02176 for ; Tue, 26 Jun 2001 10:16:41 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00GAKMFS9L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:16:41 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163327@listserv.fnal.gov>; Tue, 26 Jun 2001 10:16:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146709 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:16:40 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163326@listserv.fnal.gov>; Tue, 26 Jun 2001 10:16:39 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00G6NMFRPR@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 10:16:39 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 10:16:40 -0500 Content-return: allowed Date: Tue, 26 Jun 2001 10:16:34 -0500 From: ARSystem Subject: Note to requester has been sent - 000000000019255 Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F76182893@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1379 The following note has been sent to the requester: LINCOLN, DONALD Short Description : Kerberos Notes to Requester : please refer here: http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106&L=wrq-users&F=&S=&P=6 1 or here: 
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106c&L=kerberos-users&F=&S=&X=30D9D33D0AFD10B18B&Y=kaletka@fnal.gov&P=2165

Let us know if you continue to have problems.

From kreymer@fnal.gov Tue Jun 26 10:29:49 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02190 for ; Tue, 26 Jun 2001 10:29:49 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00H74N1NLO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:29:48 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163378@listserv.fnal.gov>; Tue, 26 Jun 2001 10:29:47 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146798 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:29:47 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163377@listserv.fnal.gov>; Tue, 26 Jun 2001 10:29:47 -0500
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00G9SN1MS7@smtp.fnal.gov>; Tue, 26 Jun 2001 10:29:46 -0500 (CDT)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f5QFTga01293; Tue, 26 Jun 2001 10:29:42 -0500 (CDT)
Date: Tue, 26 Jun 2001 10:29:42 -0500
From: Anne Heavey
Subject: Re: 000000000019255 Assigned to CRAWFORD, MATT.
In-reply-to: "Your message of Tue, 26 Jun 2001 09:22:27 CDT."
Sender: owner-kerberos-users@listserv.fnal.gov
To: "Mark O. Kaletka"
Cc: ARSystem , kerberos-users@fnal.gov, wrq-users@fnal.gov, JOE BOYD , lucifer@fnal.gov, STEVEN KOVICH , aheavey@fsui02.fnal.gov
Message-id: <200106261529.f5QFTga01293@fsui02.fnal.gov>
MIME-version: 1.0
Content-type: TEXT/PLAIN
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from QUOTED-PRINTABLE to 8bit by patnt2.fnal.gov id KAA02190
Status: RO
X-Status:
X-Keywords:
X-UID: 1380

Thanks for pointing this out. I've now added this info to the online manual at:

8.4 WRQ Reflection Issues
http://www.fnal.gov/docs/strongauth/html062201/migrationuser.html#65413

It's also in the PDF file available via link from same page.

Note that information for doing this by hand is documented in the 6/8/01 draft release of the manual. See:

12.3 Configuring WRQ® Reflection Signature
http://www.fnal.gov/docs/strongauth/html062201/winadmin.html#24628

-- Anne

> It (the procedure for adding the production realm to WRQ) is documented in
> the archives of both wrq-users and kerberos-users; since a new version of
> WRQ is very imminent, we'll document the whole upgrade procedure when it's
> available. In the meantime please refer here:
>
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106&L=wrq-users&F=&S=&P=61
>
> or here:
>
> http://listserv.fnal.gov/scripts/wa.exe?A2=ind0106c&L=kerberos-users&F=&S=&X=30D9D33D0AFD10B18B&Y=kaletka@fnal.gov&P=2165
>
> > -----Original Message-----
> > From: ARSystem [mailto:helpdesk@FNAL.GOV]
> > Sent: Monday, June 25, 2001 3:39 PM
> > Subject: 000000000019255 Assigned to CRAWFORD, MATT.
> >
> > CRAWFORD, MATT, Help Desk Ticket #000000000019255
> > has been assigned to you.
> >
> > It is a(n) Medium priority Software/Utilities/Kerberos type of problem.
> > Short description: Kerberos
> >
> > Badge # (+) : 11965N
> > First Name : DONALD
> > Last Name (+) : LINCOLN
> > Phone : 5218
> > E-Mail Address : LUCIFER@FNAL.GOV
> > Incident Time : 6/25/01 3:02:38 PM
> > System Name : D0MINO
> > Urgency : Medium
> > Public Work Log :
> > 6/25/01 3:33:54 PM marih
> > From: "Joseph Boyd"
> > To: "ARSystem"
> > Cc:
> > Subject: Re: 000000000019255 Assigned to KOVICH, STEVEN.
> > Date: Monday, June 25, 2001 3:23 PM
> >
> > Helpdesk,
> > This is the known problem where the WRQ software needs to be told to
> > use the FNAL.GOV realm by default instead of the PILOT.FNAL.GOV realm
> > since d0mino is now in the FNAL.GOV realm. Did the kerberos or NT folks
> > ever put up a web page showing people how to do that?
> >
> > Please forward this to either the NT or kerberos folks who should have
> > this documented somewhere.
> >
> > joe
> >
> > Problem Description : I am having trouble running Kerberized FTP from my
> > D0 NT (D0NT50) box trying to attach to D0Mino. I can attach to D0mino via
> > kerberized telnet without difficulty. But when I try to connect with the
> > FTP utility, it doesn't work. I have been able to do this in the past. It
> > has not worked for quite a long while and I haven't reported it because I
> > can still use my cryptocard.
> >
> > I have had identical problems using my laptop.
> >
> > Is this a known problem?
> >
> > Don Lincoln

-- Anne
Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Tue Jun 26 10:37:24 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02200 for ; Tue, 26 Jun 2001 10:37:24 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00HASNEA8V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:37:23 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633A4@listserv.fnal.gov>; Tue, 26 Jun 2001 10:37:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146847 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:37:22 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633A2@listserv.fnal.gov>; Tue, 26 Jun 2001 10:37:22 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00GBONE9S7@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 10:37:21 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 10:37:22 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 10:37:21 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 18992 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828A6@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1381

18992 has been updated by ARWeb User.
Short Description : kerberized FTP
New Work Log Entry :
Marc Paterno added this information:

Hello,

Has anyone found documentation on how to switch Reflection Kerberos from using the PILOT.FNAL.GOV realm to the FNAL.GOV realm? My need has now become more urgent, because my main D0 Linux machine has been reconfigured and is now part of the FNAL.GOV realm.

best regards,
Marc

From kreymer@fnal.gov Tue Jun 26 10:37:25 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02204 for ; Tue, 26 Jun 2001 10:37:25 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00HASNEA8V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:37:25 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633A5@listserv.fnal.gov>; Tue, 26 Jun 2001 10:37:22 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146849 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:37:22 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633A3@listserv.fnal.gov>; Tue, 26 Jun 2001 10:37:22 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00H9MNE9LO@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 10:37:21 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 10:37:22 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 10:37:21 -0500
From: ARSystem
Subject: Resend 18992 CRAWFORD, MATT
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828A7@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain; charset=iso-8859-1
Status: RO
X-Status:
X-Keywords:
X-UID: 1382

This ticket resent on 6/26/01 10:37:06 AM

Ticket 18992 is being resent to you in its entirety.

It is a(n) Medium priority Software/Utilities/Kerberos type of problem.
Short description: kerberized FTP

First Name : MARC
Last Name (+) : PATERNO
Phone : 4532
E-Mail Address : PATERNO@FNAL.GOV
Assigned To Group : CD-DC
Incident Time : 6/12/01 11:29:45 AM
System Name : D0LXBLD7
Urgency : Medium
Public Work Log :

6/12/01 11:56:38 AM trb
Jason, can you help ?

6/12/01 1:53:44 PM marih
From: "Jason Allen"
To: "ARSystem"
Subject: Re: 000000000018992 Assigned to ALLEN, JASON.
Date: Tuesday, June 12, 2001 1:47 PM

Please reassign to Matt Crawford as a Kerberos documentation issue.

6/12/01 2:32:53 PM marih
From: "Matt Crawford"
To: "ARSystem" ;
Cc:
Subject: Re: 000000000018992 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 12, 2001 2:19 PM

> I'm trying to use Reflection FTP Client to do a kerberized FTP
> from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect
> it may be because I'm still using paterno@PILOT.FNAL.GOV as my
> Kerberos principal.

It doesn't matter what realm your own ticket is in (although it's probably about time to switch to FNAL.GOV for regular use), it matters what realm your host thinks the server considers itself to be in. To put it another way, the client host and the server host have to agree about which realm the server is in.

d0lxbld7 used to be in the PILOT.FNAL.GOV realm but is now in FNAL.GOV and you need to stop WRQ from believing otherwise. It's done under Configure Realms somewhere, but that's where my WRQ knowledge fizzles out. Someone else on the kerberos-users list can be more specific.

6/18/01 2:26:29 PM marih
From: "Matt Crawford"
To: "ARSystem"
Subject: Re: CRAWFORD, MATT, Reminder for 18992
Date: Monday, June 18, 2001 2:14 PM

Did the requester find my message of June 12 insufficient?
I never heard anything back?

The following was e-mailed to the Requester:
Per the expert: "Did the requester find my message of June 12 insufficient? I never heard anything back?"

6/18/01 2:38:05 PM marih
From: "Marc Paterno"
To: "ARSystem"
Subject: RE: Additional info for 000000000018992
Date: Monday, June 18, 2001 2:32 PM

Hello,

I don't think I received the message sent on June 12, but I was able to find it on the web. The answer is not quite sufficient: can someone with WRQ expertise tell me where to find the documentation of how to switch from using PILOT.FNAL.GOV to the FNAL.GOV realm?

thanks,
Marc

6/20/01 9:12:40 AM richt
Hi Kerberos-Users List,

Sorry to blast to the list for this question but we don't currently have a better mechanism. Looking for someone with WRQ expertise. The question is: "... how to switch from using PILOT.FNAL.GOV to the FNAL.GOV realm?" Could someone point us to documentation? We will then add this information to our knowledge base.

Thanks,
Rich Thompson x4846

6/26/01 10:37:06 AM ARWeb User
Marc Paterno added this information:

Hello,

Has anyone found documentation on how to switch Reflection Kerberos from using the PILOT.FNAL.GOV realm to the FNAL.GOV realm? My need has now become more urgent, because my main D0 Linux machine has been reconfigured and is now part of the FNAL.GOV realm.

best regards,
Marc

Problem Description : Hello,

I'm trying to use Reflection FTP Client to do a kerberized FTP from d0lxbld7 to my laptop. I'm no longer able to do so. I suspect it may be because I'm still using paterno@PILOT.FNAL.GOV as my Kerberos principal.

I tried looking in the documentation at http://www.fnal.gov/docs/strongauth/, but was unable to find instructions for how to switch my principal. The installation instructions for WRQ Reflection still say to use PILOT.FNAL.GOV.

Could someone please tell me where I can find the appropriate instructions?
thanks,
Marc

--
Marc Paterno
FNAL/CD Special Assignments
(630) 840-4532 (WH 6E, 645)
(630) 840-6457 (CDF Trailer 169F)
(630) 840-6689 (DAB 5)

Create Date : 6/12/01 11:56:38 AM

From kreymer@fnal.gov Tue Jun 26 10:42:34 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02228 for ; Tue, 26 Jun 2001 10:42:34 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00GCUNMWY0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:42:33 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633CE@listserv.fnal.gov>; Tue, 26 Jun 2001 10:42:32 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146895 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:42:32 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633CC@listserv.fnal.gov>; Tue, 26 Jun 2001 10:42:32 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00FH5NMVLC@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 10:42:32 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 10:42:32 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 10:42:29 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19255 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828A9@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1383

19255 has been updated by marih.
Short Description : Kerberos
New Work Log Entry :
From: "Anne Heavey"
To: "Mark O. Kaletka"
Cc: "ARSystem" ; ; ; "JOE BOYD" ; ; "STEVEN KOVICH" ;
Subject: Re: 000000000019255 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 26, 2001 10:29 AM

Thanks for pointing this out. I've now added this info to the online manual at:

8.4 WRQ Reflection Issues
http://www.fnal.gov/docs/strongauth/html062201/migrationuser.html#65413

It's also in the PDF file available via link from same page.

Note that information for doing this by hand is documented in the 6/8/01 draft release of the manual. See:

12.3 Configuring WRQ® Reflection Signature
http://www.fnal.gov/docs/strongauth/html062201/winadmin.html#24628

-- Anne

From kreymer@fnal.gov Tue Jun 26 10:52:55 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA02235 for ; Tue, 26 Jun 2001 10:52:55 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00FK3O45LC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 10:52:54 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633FD@listserv.fnal.gov>; Tue, 26 Jun 2001 10:52:53 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 146947 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 10:52:53 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001633FC@listserv.fnal.gov>; Tue, 26 Jun 2001 10:52:53 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00HFYO448V@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 10:52:53 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 10:52:53 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 10:52:52 -0500
From: ARSystem
Subject: 000000000019267 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828B3@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1384

CRAWFORD, MATT, Help Desk Ticket #000000000019267
has been assigned to you.

It is a(n) Medium priority Software/Utilities/Kerberos type of problem.
Short description: Reflection Kerberos Error

Badge # (+) : 05316N
First Name : STANISLAW
Last Name (+) : KRZYWDZINSKI
Phone : 2680
E-Mail Address : KRZYW@FNAL.GOV
Incident Time : 6/26/01 10:32:07 AM
System Name :
Urgency : Medium
Public Work Log :

Problem Description : I switched WRQ on D0 NT box, d0nt37, from PILOT.FNAL.GOV realm to FNAL.GOV realm. There is a small problem, however, each time when I connect to d0mino for the first time in a day, after entering my password for the principal krzyw@FNAL.GOV, a "Reflection Kerberos Error" occurs, which says:

"Difference between expected and actual KDC reply time is too great (KRB105)".

The error does not seem to be fatal, after acknowledging it and hitting CR all is fine, but it's annoying! I tried to Synchronize (Programs -> Reflection -> TimeSync, then Synchronize tab and Synchronize Now) several times, but to no avail. I had no such problem under PILOT.FNAL.GOV realm ...

Is there a remedy ?
Thanks
Stan

From kreymer@fnal.gov Tue Jun 26 12:35:39 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA02425 for ; Tue, 26 Jun 2001 12:35:39 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ003AWSVDJL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 12:35:38 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163643@listserv.fnal.gov>; Tue, 26 Jun 2001 12:35:38 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 147609 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 12:35:38 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163642@listserv.fnal.gov>; Tue, 26 Jun 2001 12:35:38 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ00630SVDGU@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 12:35:37 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 12:35:37 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 12:35:30 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19255 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828CC@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1385

19255 has been updated by marih.

Short Description : Kerberos
New Work Log Entry :
From: "Don Lincoln"
To: "Anne Heavey" ; "Mark O. Kaletka"
Cc: "ARSystem" ; "JOE BOYD" ; "STEVEN KOVICH" ;
Subject: Re: 000000000019255 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 26, 2001 12:31 PM

I hate to be a pain in the neck, but as a person who knows nothing about these Kerberos things, I must say that the messages I have received regarding this question are completely opaque.

I tried to follow the instructions in http://www.fnal.gov/docs/strongauth/html062201/winadmin.html#24628 and rather than connecting to lucifer@PILOT.FNAL.GOV I now try to connect to lucifer@FNAL.GOV and I get an error message:

Client principal not found in Kerberos database (KDC006).

I infer from what I read that my original problem has something to do with the change from the PILOT.FNAL.GOV realm to the FNAL.GOV realm. It doesn't tell me why I could continue to connect via kerberized telnet, but not ftp. At any rate, now I can't do either...

Sigh.....so what now?

Don Lincoln

From kreymer@fnal.gov Tue Jun 26 13:20:09 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA02574 for ; Tue, 26 Jun 2001 13:20:09 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ003LGUXK6V@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 13:20:09 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163735@listserv.fnal.gov>; Tue, 26 Jun 2001 13:20:08 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 147871 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 13:20:08 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163734@listserv.fnal.gov>; Tue, 26 Jun 2001 13:20:08 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ003MOUXJKY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 13:20:07 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f5QIJPX04253; Tue, 26 Jun 2001 13:19:25 -0500 (CDT)
Date: Tue, 26 Jun 2001 13:19:25 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT, Reminder for 18992
In-reply-to: "25 Jun 2001 12:07:53 CDT." <318CC3D38BE0D211BB1200105A093F76182764@csdserver2.fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106261819.f5QIJPX04253@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1386

> I tried looking in the documentation at
> http://www.fnal.gov/docs/strongauth/, but was unable to find
> instructions for how to switch my principal. The installation
> instructions for WRQ Reflection still say to use PILOT.FNAL.GOV.

Look again -- it's there ...

http://www/docs/strongauth/html062201/migrationuser.html#65413

From kreymer@fnal.gov Tue Jun 26 13:27:02 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA02578 for ; Tue, 26 Jun 2001 13:27:02 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ003LVV90WY@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 13:27:02 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163754@listserv.fnal.gov>; Tue, 26 Jun 2001 13:27:01 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 147903 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 13:27:01 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00163753@listserv.fnal.gov>; Tue, 26 Jun 2001 13:27:01 -0500
Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ006CVV8ZGU@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 13:27:00 -0500 (CDT)
Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id ; Tue, 26 Jun 2001 13:26:59 -0500
Content-return: allowed
Date: Tue, 26 Jun 2001 13:26:50 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000018992
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F761828D8@csdserver2.fnal.gov>
MIME-version: 1.0
X-Mailer: Internet Mail Service (5.5.1960.3)
Content-type: text/plain
Status: RO
X-Status:
X-Keywords:
X-UID: 1387

The following note has been sent to the requester: PATERNO, MARC
Short Description : kerberized FTP
Notes to Requester : Per the expert: "Look again -- it's there ..."

From kreymer@fnal.gov Tue Jun 26 13:31:56 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA02588 for ; Tue, 26 Jun 2001 13:31:56 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ006EDVH5GU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 26 Jun 2001 13:31:55 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001637FD@listserv.fnal.gov>; Tue, 26 Jun 2001 13:31:54 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 148094 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 26 Jun 2001 13:31:54 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001637FA@listserv.fnal.gov>; Tue, 26 Jun 2001 13:31:54 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFJ003NIVH5JL@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 26 Jun 2001 13:31:53 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f5QIVBX04369; Tue, 26 Jun 2001 13:31:11 -0500 (CDT)
Date: Tue, 26 Jun 2001 13:31:11 -0500
From: Matt Crawford
Subject: Re: 000000000019267 Assigned to CRAWFORD, MATT.
In-reply-to: "26 Jun 2001 10:52:52 CDT." <318CC3D38BE0D211BB1200105A093F761828B3@csdserver2.fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200106261831.f5QIVBX04369@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1388

Send this case to d0_nt-admin.

From kreymer@fnal.gov Thu Jun 28 07:58:02 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id HAA09214 for ; Thu, 28 Jun 2001 07:58:02 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN0036Z5CFRC@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 28 Jun 2001 07:57:52 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165389@listserv.fnal.gov>; Thu, 28 Jun 2001 07:57:51 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 155980 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 28 Jun 2001 07:57:51 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165388@listserv.fnal.gov>; Thu, 28 Jun 2001 07:57:51 -0500
Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GFN006015C5LO@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 28 Jun 2001 07:57:41 -0500 (CDT)
Received: from janus.physics.ox.ac.uk ([163.1.244.140]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN0038O5C4RF@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 28 Jun 2001 07:57:40 -0500 (CDT)
Received: from amavis by janus.physics.ox.ac.uk with scanned-ok (Exim 3.16 #7) id 15FbMa-0001HV-00 for kerberos-users@fnal.gov; Thu, 28 Jun 2001 13:57:40 +0100
Received: from al1.physics.ox.ac.uk ([163.1.244.73]) by janus.physics.ox.ac.uk with smtp (Exim 3.16 #7) id 15FbMZ-0001G7-00 for kerberos-users@fnal.gov; Thu, 28 Jun 2001 13:57:39 +0100
Received: from huffman (helo=localhost) by al1.physics.ox.ac.uk with local-esmtp (Exim 2.05 #1) id 15FbMZ-0006Nh-00 for kerberos-users@fnal.gov; Thu, 28 Jun 2001 13:57:39 +0100
Date: Thu, 28 Jun 2001 13:57:39 +0100 (BST)
From: "Todd Huffman (CDF/ATLAS)"
Subject: OK I probably missed something important...but...
Sender: owner-kerberos-users@listserv.fnal.gov
To: "Kerberos User's group"
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-AVtransport: scanmails_remote
X-AVwrapper: AMaViS (http://www.amavis.org/)
X-AVscanner: Sophos sweep (http://www.sophos.com/)
Status: RO
X-Status:
X-Keywords:
X-UID: 1389

I just tried again, after some hiatus, to authenticate via kerberos on oxpc01 again. First I slogin to oxpc01 and then type:

[huffman@oxpc01 ~]$ kinit niimi
Password for niimi@FNAL.GOV:
kinit: Preauthentication failed while getting initial credentials

So I then tried:

[huffman@oxpc01 ~]$ kinit niimi@PILOT.FNAL.GOV
Password for niimi@PILOT.FNAL.GOV:
kinit: Preauthentication failed while getting initial credentials

any suggestions as to what to try next?

Cheers,
Todd

*************************************************
~ Dr. B. Todd Huffman ~
~ Particle and Nuclear Physics ~
~ University of Oxford ~
~ Rm 631 ~
~ Keble Rd ~
~ Oxford OX1 3RH UK ~
~ ~
~ Phone: 44 - 1865 - 273402 ~
~ LMH: 44 - 1865 - 274307 ~
~ FAX: 44 - 1865 - 273418 ~
~ Home: 44 - 1865 - 450240 ~
~ URL of my home page: ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/ ~
*************************************************

From kreymer@fnal.gov Thu Jun 28 09:23:29 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA09375 for ; Thu, 28 Jun 2001 09:23:28 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN003K19B3QH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 28 Jun 2001 09:23:28 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165615@listserv.fnal.gov>; Thu, 28 Jun 2001 09:23:27 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 156652 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 28 Jun 2001 09:23:27 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165614@listserv.fnal.gov>; Thu, 28 Jun 2001 09:23:27 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN003RE9B2QT@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 28 Jun 2001 09:23:26 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f5SENOr06976; Thu, 28 Jun 2001 09:23:24 -0500 (CDT)
Date: Thu, 28 Jun 2001 09:23:24 -0500
From: Matt Crawford
Subject: Re: OK I probably missed something important...but...
In-reply-to: "28 Jun 2001 13:57:39 BST."
Sender: owner-kerberos-users@listserv.fnal.gov To: "Todd Huffman (CDF/ATLAS)" Cc: "Kerberos User's group" Message-id: <200106281423.f5SENOr06976@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1390 In the pilot realm, you changed your password on May 29 and never used it until today. Perhaps you forgot the new one. In the production realm, your password is still whatever it was in the pilot realm on May 10, which would be the one you set on March 30. But you seem to have used this one successfully several times in the last week so perhaps you just typoed it once today. (Incidently, this old production realm password won't work from WRQ until you change it once. But that's not the problem today.) From kreymer@fnal.gov Thu Jun 28 13:50:29 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA10164 for ; Thu, 28 Jun 2001 13:50:29 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN00NORLO30X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 28 Jun 2001 13:50:29 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165B19@listserv.fnal.gov>; Thu, 28 Jun 2001 13:50:28 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 158063 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 28 Jun 2001 13:50:28 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00165B17@listserv.fnal.gov>; Thu, 28 Jun 2001 13:50:28 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFN003CKLO2WE@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 28 Jun 2001 13:50:27 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) 
Date: Thu, 28 Jun 2001 13:50:25 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019255
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182ABA@csdserver2.fnal.gov>

The following note has been sent to the requester: LINCOLN, DONALD

Short Description : Kerberos

Notes to Requester :
Are you still having the original problem, i.e. you're able to connect with
Kerberized telnet but not ftp? If so, what is the error the ftp client is
giving you? Does the Kerberos Manager list a service ticket for
ftp/d0mino.fnal.gov@FNAL.GOV after you try to connect with the ftp client?
(You should also always see a krbtgt for your principal, and may also see
host/d0mino.fnal.gov@FNAL.GOV if you've connected with telnet.)

-- Mark K.

Date: Thu, 28 Jun 2001 14:41:50 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019255
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182AC8@csdserver2.fnal.gov>

The following note has been sent to the requester: LINCOLN, DONALD

Short Description : Kerberos

Notes to Requester :
We will leave this ticket open until we know if your laptop is ok.

Date: Fri, 29 Jun 2001 14:16:10 -0500
From: Colin Gay
Subject: ftp, usernames and kerberos
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Message-id: <3B3CD3FA.2DD16026@yale.edu>
Organization: Yale University

Hi,

Can someone tell me if I'm doing something wrong here, or missing
something obvious? Here's the situation ....

At Yale, my username is "gay", but at FNAL, it is "colin", so I "kinit
colin" on my local machine at Yale and get my kerberos principal on
FNAL.GOV just fine.

To login to a fnal computer I can then "telnet -l colin fcdfsgi2" or
"rlogin -l colin fcdfsgi2". It seems that because my usernames don't
match on the two systems, I have to put them in by hand. But then I
don't understand how I can ftp to a fnal machine -- at least I can't see
a way to override the username the kerberized ftp uses to log you in.
I'm assuming kerberos doesn't require us all to have synchronized
usernames on every machine in the world ...

Thanks for any insight,
-Colin Gay

Date: Fri, 29 Jun 2001 14:18:31 -0500 (CDT)
From: Steven Timm
Subject: Re: ftp, usernames and kerberos
In-reply-to: <3B3CD3FA.2DD16026@yale.edu>
Sender:
  owner-kerberos-users@listserv.fnal.gov
To: Colin Gay
Cc: kerberos-users@fnal.gov

The -n option of ftp claims that it will restrain ftp from attempting
auto-login.

ftp -n hostname.fnal.gov

I tried it, works for me. (Be sure you are authenticated in the same
realm as the host you are ftp'ing to.)

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 29 Jun 2001, Colin Gay wrote:

> Hi,
> Can someone tell me if I'm doing something wrong here, or missing
> something obvious? Here's the situation ....
> At Yale, my username is "gay", but at FNAL, it is "colin", so I "kinit
> colin" on my local machine at Yale and get my kerberos principal on
> FNAL.GOV just fine.
>
> To login to a fnal computer I can then "telnet -l colin fcdfsgi2" or
> "rlogin -l colin fcdfsgi2". It seems that because my usernames don't
> match on the two systems, I have to put them in by hand. But then I
> don't understand how I can ftp to a fnal machine -- at least I can't see
> a way to override the username the kerberized ftp uses to log you in.
> I'm assuming kerberos doesn't require us all to have synchronized
> usernames on every machine in the world ...
>
> Thanks for any insight,
> -Colin Gay
>

Date: Fri, 29 Jun 2001 14:40:13 -0500
From: Matt Crawford
Subject: Re: ftp, usernames and kerberos
In-reply-to: "29 Jun 2001 14:16:10 CDT." <3B3CD3FA.2DD16026@yale.edu>
Sender: owner-kerberos-users@listserv.fnal.gov
To: Colin Gay
Cc: kerberos-users@fnal.gov
Message-id: <200106291940.f5TJeDr12048@gungnir.fnal.gov>

> To login to a fnal computer I can then "telnet -l colin fcdfsgi2" or
> "rlogin -l colin fcdfsgi2". It seems that because my usernames don't
> match on the two systems, I have to put them in by hand.
> But then I
> don't understand how I can ftp to a fnal machine -- at least I can't see
> a way to override the username the kerberized ftp uses to log you in.

You can't do it on the ftp command line, but after you see

    334 Using authentication type GSSAPI; ADAT must follow
    GSSAPI accepted as authentication type
    GSSAPI authentication succeeded

you should see a prompt for a remote username, with your local name
offered as a default. Enter your remote username ...

    Name (gungnir:crawdad): matt
    232 GSSAPI user crawdad@FNAL.GOV is authorized as matt
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> pwd
    257 "/export/home/matt" is current directory.

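The "232 GSSAPI user crawdad@FNAL.GOV is authorized as matt" line above is the server-side authorization step that lets the Kerberos principal and the local username differ. As an added example (not code from the thread or from the Kerberized ftpd), here is a shell model of the usual MIT krb5_kuserok rule: a principal is accepted as a local user if it is that user's name in the default realm, or if it is listed in the user's .k5login, which is authoritative when present; DEFAULT_REALM and the .k5login contents used in the demonstration are assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from the Kerberized ftpd):
# the authorization decision behind "232 GSSAPI user crawdad@FNAL.GOV is
# authorized as matt".  GSSAPI only establishes WHICH principal is at the
# other end; the server then asks whether that principal may act as the
# requested local account.  This follows the usual MIT krb5_kuserok rule:
#   1. no ~localuser/.k5login  -> allow only "localuser@DEFAULT_REALM";
#   2. .k5login present        -> allow only principals listed in it, one
#      per line, compared exactly (the file is authoritative, so the
#      implicit rule 1 no longer applies; this is MIT's default).
# DEFAULT_REALM and the sample .k5login contents below are assumptions.

DEFAULT_REALM=FNAL.GOV

# k5login_authorized PRINCIPAL LOCALUSER K5LOGIN_PATH
# Exit status 0 if PRINCIPAL may log in as LOCALUSER, 1 otherwise.
# K5LOGIN_PATH may point at a missing file (= no .k5login for that user).
k5login_authorized() {
    principal=$1
    localuser=$2
    k5login=$3

    # Only well-formed "name@REALM" principals are considered at all.
    case $principal in
        ?*@?*) ;;
        *) return 1 ;;
    esac
    [ -n "$localuser" ] || return 1

    if [ -f "$k5login" ]; then
        # Rule 2: exact, whole-line match.  No substring matching, so
        # "crawdad@FNAL.GOV" does not authorize "crawdad@FNAL.GOVX" or
        # "notcrawdad@FNAL.GOV".  A real server also refuses a .k5login
        # that is not owned by the user or is writable by others; that
        # ownership check is not modelled here.
        while IFS= read -r line || [ -n "$line" ]; do
            if [ "$line" = "$principal" ]; then
                return 0
            fi
        done < "$k5login"
        return 1
    fi

    # Rule 1: same name, default realm.  An instance such as
    # "matt/admin@FNAL.GOV" is a different principal and is refused.
    if [ "$principal" = "$localuser@$DEFAULT_REALM" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demonstration with a constructed .k5login for local user "matt".
demo_k5login() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'crawdad@FNAL.GOV' > "$tmp"
    for p in crawdad@FNAL.GOV matt@FNAL.GOV crawdad@FNAL.GOVX; do
        if k5login_authorized "$p" matt "$tmp"; then
            echo "$p -> authorized as matt"
        else
            echo "$p -> refused"
        fi
    done
    rm -f "$tmp"
}

demo_k5login
```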
Date: Mon, 02 Jul 2001 11:20:12 -0500
From: ARSystem
Subject: 000000000019313 Assigned to CRAWFORD, MATT.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182CC5@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019313 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: kpilot@cdcvs.fnal.gov
Badge # (+) : 13031N
First Name : ALEXANDER
Last Name (+) : SKIBA
Phone : 8240
E-Mail Address : SKIBA@FNAL.GOV
Incident Time : 6/28/01 7:49:45 PM
System Name :
Urgency : Medium

Public Work Log :
6/28/01 8:32:34 AM blomberg
The following was e-mailed to the Requester: Could you please give us more
details about what you are looking for? Do you have a kerberos account? Do
you need a password reset?

7/2/01 11:17:16 AM marih
He is looking into how to install kerberos on a remote system from CVS. For
this he needs a password. He does have a kerberos account; he only needs
the password so it can be installed on the machine he is working at in the
University in Germany.

Problem Description :
please tell me the password of kpilot on the cd cvs server so that I can
install kerberos as described at
http://www.fnal.gov/docs/strongauth/html062201/nonfermi_install.html
Thanks, Alexander.

Alexander Skiba
______________________________________________
Institut fur Experimentelle Kernphysik

Date: Mon, 02 Jul 2001 11:20:12 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19313 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182CC6@csdserver2.fnal.gov>

19313 has been updated by marih.

Short Description : kpilot@cdcvs.fnal.gov
New Work Log Entry :
He is looking into how to install kerberos on a remote system from CVS. For
this he needs a password. He does have a kerberos account; he only needs
the password so it can be installed on the machine he is working at in the
University in Germany.

Date: Mon, 02 Jul 2001 11:20:12 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19313 Has Been Updated.
Sender: owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182CC7@csdserver2.fnal.gov>

19313 has been updated by marih.

Short Description : kpilot@cdcvs.fnal.gov
New Work Log Entry :
He is referring to topic 10.2 on the Strong Authentication web page.

Date: Mon, 02 Jul 2001 11:31:18 -0500
From: muzaffar@fnal.gov
Subject: problem with kerberos installation
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Message-id: <3B40A1D6.61D9F4E6@fnal.gov>

Hi,

I have installed kerberos using the following rpms

krb5-fermi-1.3a-2.i386.rpm
krb5-fermi-config-1.4-6.i386.rpm
krb5-fermi-login-1.3a-2.i386.rpm

I have my principal, password and service principals for host and ftp. When I
tried to login to my system, I get this error

telnet shahzad
..
...
..

[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Trying KERBEROS4 ... ]
mk_req failed: Principal unknown (kerberos)
[ Trying KERBEROS4 ... ]
mk_req failed: Principal unknown (kerberos)

Fermi Linux Release 6.1.2 (Strange)
Kernel 2.2.16-3 on an i686

login: No such file or directory while getting initial credentials
Login incorrect
login: muzaffar
login: No such file or directory while getting initial credentials
Login incorrect
Connection closed by foreign host.

What am I doing wrong? Can anybody help me? I have Fermi RH6.1.2 installed on
my system.

thanks,
--shahzad

Date: Mon, 02 Jul 2001 11:53:44 -0500
From: Margaret Votava
Subject: afs inetd and kerberos
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Cc: bgreen@fnal.gov, slimmer@fnal.gov
Message-id: <3B40A718.C7618BB2@fnal.gov>

Hi,

Bruce Greenway had a configuration issue with afs and kerberos on his
recent install of Fermi Red Hat Linux, afs, and kerberos. It turns out
that in the end, he needed to:

>Basically, I edited /etc/rc.d/init.d/afs
>to comment out the lines:
>> # Start AFS version of inetd.conf if present.
>> if test -f /usr/afsws/etc/inetd.conf -a -x /usr/afsws/etc/inetd.afs
>> ; then
>>     /usr/afsws/etc/inetd.afs /usr/afsws/etc/inetd.conf
>> fi

to disable afs rsh access to his machine (do I have the terminology
right?). Note that this seems to have been done automatically on my laptop
(a recent install), but was NOT done automatically on fnods (an even more
recent install of kerberos). This seems to me to be a real point of
confusion. What have we not done correctly on the fnods install so that
this didn't happen automatically?

Thanks,
Margaret

Date: Mon, 02 Jul 2001 12:06:36 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 19313
Sender:
  owner-kerberos-users@listserv.fnal.gov
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F76182CE3@csdserver2.fnal.gov>

This reminder created on 7/2/01 12:03:01 PM

Ticket 19313 has been assigned to you. This is a reminder that the ticket
is not yet resolved.

Status : Assigned
First Name : ALEXANDER
Last Name (+) : SKIBA
Phone : 8240
E-Mail Address : SKIBA@FNAL.GOV
Incident Time : 6/28/01 7:49:45 PM
System Name :
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : kpilot@cdcvs.fnal.gov
Problem Description :
please tell me the password of kpilot on the cd cvs server so that I can
install kerberos as described at
http://www.fnal.gov/docs/strongauth/html062201/nonfermi_install.html
Thanks, Alexander.

Alexander Skiba
______________________________________________
Institut fur Experimentelle Kernphysik

Date: Mon, 02 Jul 2001 13:04:50 -0500 (CDT)
From: Steven Timm
Subject: Re: problem with kerberos installation
In-reply-to: <3B40A1D6.61D9F4E6@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: muzaffar@fnal.gov
Cc: kerberos-users@fnal.gov

Shahzad...first try doing a kdestroy on the system you are trying to telnet
from, and then a fresh kinit. Then telnet again.

If this doesn't work, then send the output of klist -k on the machine that
you have just kerberized. It is either a problem that you have old tickets
for this machine in your cache that you need to reset, or that the
/etc/krb5.keytab file wasn't made correctly. (There is a script that comes
along with the RPMs that can make it for you.) If it was not made
correctly, klist -k will return the error "no such file or directory".

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote:

> Hi,
> I have installed kerberos using the following rpms
> krb5-fermi-1.3a-2.i386.rpm
> krb5-fermi-config-1.4-6.i386.rpm
> krb5-fermi-login-1.3a-2.i386.rpm
>
> I have my principal, password and service principals for host and ftp. When I
> tried to login to my system, I get this error
>
> telnet shahzad
> ..
> ...
> ..
>
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> such file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> such file or directory ]
> [ Trying KERBEROS4 ... ]
> mk_req failed: Principal unknown (kerberos)
> [ Trying KERBEROS4 ... ]
> mk_req failed: Principal unknown (kerberos)
>
> Fermi Linux Release 6.1.2 (Strange)
> Kernel 2.2.16-3 on an i686
>
> login: No such file or directory while getting initial credentials
> Login incorrect
> login: muzaffar
> login: No such file or directory while getting initial credentials
> Login incorrect
> Connection closed by foreign host.
>
>
> What am I doing wrong? Can anybody help me? I have Fermi RH6.1.2 installed on
> my system.
>
> thanks,
> --shahzad
>

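Timm's two hypotheses (stale tickets in the client's cache, or an /etc/krb5.keytab that was never made) and the earlier help-desk question about which service tickets the requester's cache holds are both settled by reading klist output. As an added example (not a script from the thread and not the keytab-making script that ships with the Fermi RPMs), the following classifies `klist -k` and `klist` output for the host being diagnosed; the listings embedded in it are constructed, and the host name, realm and principal names in them are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread, and not the keytab-making script that
# ships with the Fermi RPMs): classify `klist -k` (keytab) and `klist`
# (credential cache) output for a host being kerberized.
#   telnetd: krb5_rd_req failed: No such file or directory
# is what the server prints when it cannot open /etc/krb5.keytab, and
#   klist: No such file or directory while starting keytab scan
# is the matching symptom on the host itself.  Real use on the host:
#   keytab_verdict "$(klist -k 2>&1)" "$(hostname -f)" FNAL.GOV
# The sample listings below are constructed; the host name, realm and
# principal names in them are assumptions.

# has_principal LISTING PRINCIPAL
# 0 if PRINCIPAL appears as the last whitespace-separated field of a line of
# LISTING, which is where both `klist` and `klist -k` print it.  Exact field
# match: host/shahzad.fnal.gov@FNAL.GOV does not match host/shahzad@FNAL.GOV.
has_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# keytab_verdict KLIST_K_OUTPUT FQDN REALM  -> prints one word:
#   missing  keytab could not be opened (Timm's second hypothesis)
#   no-host  keytab exists but has no host/FQDN@REALM key, so telnetd and
#            rlogind cannot decrypt any client's AP-REQ
#   no-ftp   host key present but ftp/FQDN@REALM absent: Kerberized ftp
#            to this host fails while telnet works
#   ok       both service keys present
keytab_verdict() {
    listing=$1 fqdn=$2 realm=$3
    case $listing in
        *"No such file or directory while starting keytab scan"*)
            echo missing; return 0 ;;
    esac
    if ! has_principal "$listing" "host/$fqdn@$realm"; then
        echo no-host; return 0
    fi
    if ! has_principal "$listing" "ftp/$fqdn@$realm"; then
        echo no-ftp; return 0
    fi
    echo ok
}

# cache_verdict KLIST_OUTPUT FQDN REALM -> prints one word, answering the
# help-desk question above: is there a TGT, and did the ftp client ever
# obtain a service ticket for ftp/FQDN@REALM?
#   no-tgt      no krbtgt/REALM@REALM: not authenticated in that realm
#               (perhaps authenticated in a different one); run kinit
#   ftp-ticket  TGT plus an ftp service ticket: the client side worked, so
#               a failure lies on the server (keytab or authorization)
#   tgt-only    TGT but no ftp ticket: the client never asked the KDC for
#               ftp/FQDN, or the cache is stale (kdestroy, then kinit afresh)
cache_verdict() {
    out=$1 fqdn=$2 realm=$3
    if ! has_principal "$out" "krbtgt/$realm@$realm"; then
        echo no-tgt; return 0
    fi
    if has_principal "$out" "ftp/$fqdn@$realm"; then
        echo ftp-ticket; return 0
    fi
    echo tgt-only
}

# Constructed sample: what `klist -k` prints when the keytab is absent.
SAMPLE_KEYTAB_MISSING='Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan'

# Constructed sample: a correctly populated keytab.
SAMPLE_KEYTAB_OK='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/shahzad.fnal.gov@FNAL.GOV
   2 ftp/shahzad.fnal.gov@FNAL.GOV'

# Constructed sample: a credential cache after kinit and one ftp connection.
SAMPLE_CACHE='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: muzaffar@FNAL.GOV

Valid starting     Expires            Service principal
07/02/01 13:10:00  07/03/01 13:10:00  krbtgt/FNAL.GOV@FNAL.GOV
07/02/01 13:11:02  07/03/01 13:10:00  ftp/d0mino.fnal.gov@FNAL.GOV'

echo "keytab (absent):    $(keytab_verdict "$SAMPLE_KEYTAB_MISSING" shahzad.fnal.gov FNAL.GOV)"
echo "keytab (populated): $(keytab_verdict "$SAMPLE_KEYTAB_OK" shahzad.fnal.gov FNAL.GOV)"
echo "cache:              $(cache_verdict "$SAMPLE_CACHE" d0mino.fnal.gov FNAL.GOV)"
```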
Date: Mon, 02 Jul 2001 13:14:11 -0500
From: muzaffar@fnal.gov
Subject: Re: problem with kerberos installation
Sender: owner-kerberos-users@listserv.fnal.gov
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <3B40B9F3.DB1ECF06@fnal.gov>

My system name is: shahzad
The account which I am currently logged in is a local account on this
system: User name: shahzad

Now I have done

/home/shahzad> whoami
shahzad
/home/shahzad> uname -a
Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown
/home/shahzad> kdestroy
/home/shahzad> kinit muzaffar
Password for muzaffar@FNAL.GOV:
/home/shahzad> klist -k
Keytab name: FILE:/etc/krb5.keytab
klist: No such file or directory while starting keytab scan
/home/shahzad> telnet shahzad
...
..
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ]
[ Trying KERBEROS4 ... ]

same errors?

How can I run the script which you have mentioned in your last email, and
where is this script located?

thanks,
--shahzad

Steven Timm wrote:

> Shahzad...first try doing a kdestroy on the system you are trying
> to telnet from, and then a fresh kinit. Then telnet again.
> If this doesn't work, then send the output of klist -k on the
> machine that you have just kerberized. It is either a problem
> that you have old tickets for this machine in your cache that
> you need to reset, or that the /etc/krb5.keytab file wasn't made
> correctly.
(there is a script that comes along with the RPM's that > can make it for you.) > If it was not made correctly, klist -k will return error of "no such > file or directory" > > Steve > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > Hi, > > I have installed kerberos usng the following rpms > > krb5-fermi-1.3a-2.i386.rpm > > krb5-fermi-config-1.4-6.i386.rpm > > krb5-fermi-login-1.3a-2.i386.rpm > > > > I have my principal, password and service principals for host and ftp. when i > > tried to login to my system, i get this error > > > > telnet shahzad > > .. > > ... > > .. > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > such file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > such file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > such file or directory ] > > [ Trying KERBEROS4 ... ] > > mk_req failed: Principal unknown (kerberos) > > [ Trying KERBEROS4 ... ] > > mk_req failed: Principal unknown (kerberos) > > > > Fermi Linux Release 6.1.2 (Strange) > > Kernel 2.2.16-3 on an i686 > > > > login: No such file or directory while getting initial credentials > > Login incorrect > > login: muzaffar > > login: No such file or directory while getting initial credentials > > Login incorrect > > Connection closed by foreign host. > > > > > > What am i doing wrong? Can any body help me. I have Fermi RH6.1.2 installed on > > my system. 
> > > > thanks, > > --shahzad > > From kreymer@fnal.gov Mon Jul 2 13:38:35 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA20494 for ; Mon, 2 Jul 2001 13:38:35 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFU0092EZS9DR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 13:38:34 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016921A@listserv.fnal.gov>; Mon, 02 Jul 2001 13:38:33 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 173802 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 13:38:33 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169219@listserv.fnal.gov>; Mon, 02 Jul 2001 13:38:33 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GFU00901ZS8U1@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 13:38:32 -0500 (CDT) Received: from hepvms2.physics.yale.edu ([198.125.138.2]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFU00MSTZS8UK@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 13:38:32 -0500 (CDT) Received: from CONVERSION-DAEMON.hepmail.physics.yale.edu by hepmail.physics.yale.edu (PMDF V6.0-24 #46730) id <01K5GJ9IZ8HCAKUBWE@hepmail.physics.yale.edu>; Mon, 02 Jul 2001 14:38:31 -0400 (EDT) Received: from yale.edu ([198.125.138.80]) by hepmail.physics.yale.edu (PMDF V6.0-24 #46730) with ESMTP id <01K5GJ9GZSC4AKU7W3@hepmail.physics.yale.edu>; Mon, 02 Jul 2001 14:38:28 -0400 (EDT) Date: Mon, 02 Jul 2001 14:40:57 -0400 From: Colin Gay Subject: Re: ftp, usernames and kerberos Sender: 
owner-kerberos-users@listserv.fnal.gov
To: Matt Crawford
Cc: kerberos-users@fnal.gov
Message-id: <3B40C039.C02DAA8D@yale.edu>
MIME-version: 1.0
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.3-12 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7BIT
X-Accept-Language: en
References: <200106291940.f5TJeDr12048@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1404

Matt Crawford wrote:
>
> > To login to a fnal computer I can then "telnet -l colin fcdfsgi2" or
> > "rlogin -l colin fcdfsgi2". It seems that because my usernames don't
> > match on the two systems, I have to put them in by hand. But then I
> > don't understand how I can ftp to a fnal machine -- at least I can't see
> > a way to override the username the kerberized ftp uses to log you in.
>
> You can't do it on the ftp command line, but after you see
>
> 334 Using authentication type GSSAPI; ADAT must follow
> GSSAPI accepted as authentication type
> GSSAPI authentication succeeded
>
> You should see a prompt for a remote username, with your local name
> offered as a default. Enter your remote username ...
>
> Name (gungnir:crawdad): matt
> 232 GSSAPI user crawdad@FNAL.GOV is authorized as matt
> Remote system type is UNIX.
> Using binary mode to transfer files.
> ftp> pwd
> 257 "/export/home/matt" is current directory.

Thanks for all the suggestions. I had tried the -n flag, followed by a 'user colin', but it didn't work. I tried letting it fail as Matt suggested, then typing my username 'colin'. In both these cases, it then asks for a password, and I'm stuck. (In fact, I could have sworn that last week when I tried it, it asked for a cryptocard authentication, but today it only gives a straight "Password:" prompt).

Perhaps we have a slightly different ftp client? Our sysadmin is out until Wednesday, so I can't do much checking for a couple of days.

Cheers,
-Colin
--
_______________________________________
Colin Gay
Yale University, 509 JWG, Box 208121
260 Whitney Ave.
New Haven, CT, 06515
Tel: (203)432-3364 Fax: (203)432-6125
_______________________________________

From kreymer@fnal.gov Mon Jul 2 13:50:06 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA20510 for ; Mon, 2 Jul 2001 13:50:06 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV001PE0BHSB@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 13:50:06 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169279@listserv.fnal.gov>; Mon, 02 Jul 2001 13:50:05 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 173904 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 13:50:05 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169278@listserv.fnal.gov>; Mon, 02 Jul 2001 13:50:05 -0500
Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00A1P0BG4X@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 13:50:04 -0500 (CDT)
Date: Mon, 02 Jul 2001 13:50:04 -0500
From: Troy Dawson
Subject: Re: problem with kerberos installation
Sender: owner-kerberos-users@listserv.fnal.gov
To: muzaffar@fnal.gov
Cc: Steven Timm , kerberos-users@fnal.gov
Message-id: <3B40C25C.72720F0D@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3B40B9F3.DB1ECF06@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1405

Hi,

The script's name is /usr/krb5/config/makehostkeys

Be sure that you have the host and ftp password for your machine before running the script.
You can get those from

http://www.fnal.gov/cd/forms/strongauth.html

Another thing to do is to check and see if you have telnet and ftp turned on (from the error it looks like you do). You can see by doing a 'tail -n 15 /etc/inetd.conf' and see if the kerberized telnet and ftp are commented out or not.

Troy

muzaffar@fnal.gov wrote:
>
> My system name is : shahzad
> The account which I am currently logged in is a local account on this system : User
> name : shahzad
>
> now I have done
> /home/shahzad> whoami
> shahzad
> /home/shahzad> uname -a
> Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown
> /home/shahzad> kdestroy
> /home/shahzad> kinit muzaffar
> Password for muzaffar@FNAL.GOV:
> /home/shahzad> klist -k
> Keytab name: FILE:/etc/krb5.keytab
> klist: No such file or directory while starting keytab scan
> /home/shahzad> telnet shahzad
> ...
> ..
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> file or directory ]
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> file or directory ]
> [ Trying KERBEROS4 ... ]
>
> same errors?
>
> how can I run the script which you have mentioned in your last email, and where is
> this script located?
>
> thanks,
> --shahzad
>
> Steven Timm wrote:
>
> > Shazad...first try doing a kdestroy on the system you are trying
> > to telnet from, and then a fresh kinit. Then telnet again.
> > If this doesn't work, then send the output of klist -k on the
> > machine that you have just kerberized. It is either a problem
> > that you have old tickets for this machine in your cache that
> > you need to reset, or that the /etc/krb5.keytab file wasn't made
> > correctly. (there is a script that comes along with the RPM's that
> > can make it for you.)
> > If it was not made correctly, klist -k will return error of "no such > > file or directory" > > > > Steve > > > > ------------------------------------------------------------------ > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Scientific Computing Support Group--Computing Farms Operations > > > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > > > Hi, > > > I have installed kerberos usng the following rpms > > > krb5-fermi-1.3a-2.i386.rpm > > > krb5-fermi-config-1.4-6.i386.rpm > > > krb5-fermi-login-1.3a-2.i386.rpm > > > > > > I have my principal, password and service principals for host and ftp. when i > > > tried to login to my system, i get this error > > > > > > telnet shahzad > > > .. > > > ... > > > .. > > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > such file or directory ] > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > such file or directory ] > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > such file or directory ] > > > [ Trying KERBEROS4 ... ] > > > mk_req failed: Principal unknown (kerberos) > > > [ Trying KERBEROS4 ... ] > > > mk_req failed: Principal unknown (kerberos) > > > > > > Fermi Linux Release 6.1.2 (Strange) > > > Kernel 2.2.16-3 on an i686 > > > > > > login: No such file or directory while getting initial credentials > > > Login incorrect > > > login: muzaffar > > > login: No such file or directory while getting initial credentials > > > Login incorrect > > > Connection closed by foreign host. > > > > > > > > > What am i doing wrong? Can any body help me. I have Fermi RH6.1.2 installed on > > > my system. 
> > > > > > thanks, > > > --shahzad > > > -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Mon Jul 2 13:51:23 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA20514 for ; Mon, 2 Jul 2001 13:51:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV0092O0DLV5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 13:51:22 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016928C@listserv.fnal.gov>; Mon, 02 Jul 2001 13:51:22 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 173923 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 13:51:21 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016928B@listserv.fnal.gov>; Mon, 02 Jul 2001 13:51:21 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV0094Y0DL95@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 13:51:21 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f62IpKr21328; Mon, 02 Jul 2001 13:51:20 -0500 (CDT) Date: Mon, 02 Jul 2001 13:51:20 -0500 From: Matt Crawford Subject: Re: 000000000019313 Assigned to CRAWFORD, MATT. In-reply-to: "02 Jul 2001 11:20:12 CDT." 
<318CC3D38BE0D211BB1200105A093F76182CC5@csdserver2.fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200107021851.f62IpKr21328@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1406

The user refers to this text ...

10.2 Installing Fermi Kerberos from CVS

This source has all of the Fermi enhancements such as CRYPTOCard support, cron jobs, etc. To get the Fermi source, find out the CVS password (we don't want to publish it here!), and run (the version shown here may change):

% cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd login

I do not know or control the password in question. That's a CVS matter.

From kreymer@fnal.gov Mon Jul 2 13:55:41 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA20521 for ; Mon, 2 Jul 2001 13:55:41 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV000RW0KS3H@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 13:55:41 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001692AE@listserv.fnal.gov>; Mon, 02 Jul 2001 13:55:40 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 173960 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 13:55:40 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001692AD@listserv.fnal.gov>; Mon, 02 Jul 2001 13:55:40 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009580KR5V@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 13:55:39 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id
f62Itcr21385; Mon, 02 Jul 2001 13:55:38 -0500 (CDT)
Date: Mon, 02 Jul 2001 13:55:38 -0500
From: Matt Crawford
Subject: Re: problem with kerberos installation
In-reply-to: "02 Jul 2001 11:31:18 CDT." <3B40A1D6.61D9F4E6@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: muzaffar@fnal.gov
Cc: kerberos-users@fnal.gov, dawson@fnal.gov
Message-id: <200107021855.f62Itcr21385@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1407

> [ Kerberos V5 refuses authentication because telnetd:
> krb5_rd_req failed: No such file or directory ]

It looks like you did not perform the step which creates /etc/krb5.keytab. I don't know how the RPM mechanism is supposed to do that. Troy?

From kreymer@fnal.gov Mon Jul 2 14:16:32 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20578 for ; Mon, 2 Jul 2001 14:16:32 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009AX1JI95@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:16:32 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169350@listserv.fnal.gov>; Mon, 02 Jul 2001 14:16:30 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174131 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:16:30 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016934F@listserv.fnal.gov>; Mon, 02 Jul 2001 14:16:30 -0500
Received: from fnal.gov ([131.225.84.209]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV0099U1JHRM@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:16:29 -0500 (CDT)
Date: Mon, 02 Jul 2001 14:16:28 -0500
From: muzaffar@fnal.gov
Subject: Re: problem with kerberos installation
Sender: owner-kerberos-users@listserv.fnal.gov
To: Troy Dawson
Cc: Steven Timm , kerberos-users@fnal.gov
Message-id: <3B40C88C.B9EF2EF7@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3B40B9F3.DB1ECF06@fnal.gov> <3B40C25C.72720F0D@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1408

Thanks a lot, it worked.

--shahzad

Troy Dawson wrote:
> Hi,
>
> The script's name is /usr/krb5/config/makehostkeys
>
> Be sure that you have the host and ftp password for your machine before
> running the script. You can get those from
>
> http://www.fnal.gov/cd/forms/strongauth.html
>
> Another thing to do is to check and see if you have telnet and ftp turned on
> (from the error it looks like you do). You can see by doing a 'tail -n 15
> /etc/inetd.conf' and see if the kerberized telnet and ftp are commented out or
> not.
>
> Troy
>
> muzaffar@fnal.gov wrote:
> >
> > My system name is : shahzad
> > The account which I am currently logged in is a local account on this system : User
> > name : shahzad
> >
> > now I have done
> > /home/shahzad> whoami
> > shahzad
> > /home/shahzad> uname -a
> > Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown
> > /home/shahzad> kdestroy
> > /home/shahzad> kinit muzaffar
> > Password for muzaffar@FNAL.GOV:
> > /home/shahzad> klist -k
> > Keytab name: FILE:/etc/krb5.keytab
> > klist: No such file or directory while starting keytab scan
> > /home/shahzad> telnet shahzad
> > ...
> > ..
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> > file or directory ]
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> > file or directory ]
> > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such
> > file or directory ]
> > [ Trying KERBEROS4 ... ]
> >
> > same errors?
> > > > how can i run the script which you have mentioned in you last email, and where is > > this script located? > > > > thanks, > > --shahzad > > > > Steven Timm wrote: > > > > > Shazad...first try doing a kdestroy on the system you are trying > > > to telnet from, and then a fresh kinit. Then telnet again. > > > If this doesn't work, then send the output of klist -k on the > > > machine that you have just kerberized. It is either a problem > > > that you have old tickets for this machine in your cache that > > > you need to reset, or that the /etc/krb5.keytab file wasn't made > > > correctly. (there is a script that comes along with the RPM's that > > > can make it for you.) > > > If it was not made correctly, klist -k will return error of "no such > > > file or directory" > > > > > > Steve > > > > > > ------------------------------------------------------------------ > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > Fermilab Computing Division/Operating Systems Support > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > > > > > Hi, > > > > I have installed kerberos usng the following rpms > > > > krb5-fermi-1.3a-2.i386.rpm > > > > krb5-fermi-config-1.4-6.i386.rpm > > > > krb5-fermi-login-1.3a-2.i386.rpm > > > > > > > > I have my principal, password and service principals for host and ftp. when i > > > > tried to login to my system, i get this error > > > > > > > > telnet shahzad > > > > .. > > > > ... > > > > .. > > > > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Trying KERBEROS4 ... 
] > > > > mk_req failed: Principal unknown (kerberos) > > > > [ Trying KERBEROS4 ... ] > > > > mk_req failed: Principal unknown (kerberos) > > > > > > > > Fermi Linux Release 6.1.2 (Strange) > > > > Kernel 2.2.16-3 on an i686 > > > > > > > > login: No such file or directory while getting initial credentials > > > > Login incorrect > > > > login: muzaffar > > > > login: No such file or directory while getting initial credentials > > > > Login incorrect > > > > Connection closed by foreign host. > > > > > > > > > > > > What am i doing wrong? Can any body help me. I have Fermi RH6.1.2 installed on > > > > my system. > > > > > > > > thanks, > > > > --shahzad > > > > > > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS SCS Group > __________________________________________________ From kreymer@fnal.gov Mon Jul 2 14:25:24 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20596 for ; Mon, 2 Jul 2001 14:25:24 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009CC1YBV5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:25:24 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169380@listserv.fnal.gov>; Mon, 02 Jul 2001 14:25:23 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174180 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:25:23 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016937F@listserv.fnal.gov>; Mon, 02 Jul 2001 14:25:23 -0500 Received: from fnal.gov ([131.225.84.209]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV0094B1YAU0@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov 
(ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:25:22 -0500 (CDT)
Date: Mon, 02 Jul 2001 14:25:21 -0500
From: muzaffar@fnal.gov
Subject: Re: problem with kerberos installation
Sender: owner-kerberos-users@listserv.fnal.gov
To: Troy Dawson
Cc: Steven Timm , kerberos-users@fnal.gov
Message-id: <3B40CAA1.69E8D8E4@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <3B40B9F3.DB1ECF06@fnal.gov> <3B40C25C.72720F0D@fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1409

I still have a small problem, that when I used the
/home/shahzad> telnet -l muzaffar shahzad
...
..
/bin/touch: /afs/fnal.gov/files/home/room1/muzaffar/.Info: Permission denied

I still have to do the "klog" to get the afs token.

and also I can not open any graphical windows like "nedit"
nedit .cshrc
Xlib: connection to "shahzad.fnal.gov:0.0" refused by server
Xlib: Client is not authorized to connect to Server
NEdit: Can't open display

I have tried both rsh and telnet but same problem. If I use ssh then I can log in and run applications like nedit or netscape and I also get the AFS token, but I have to type my passphrase for RSA key 'muzaffar@shahzad.fnal.gov'.

am I missing any configuration?

thanks,
--shahzad

Troy Dawson wrote:
> Hi,
>
> The script's name is /usr/krb5/config/makehostkeys
>
> Be sure that you have the host and ftp password for your machine before
> running the script. You can get those from
>
> http://www.fnal.gov/cd/forms/strongauth.html
>
> Another thing to do is to check and see if you have telnet and ftp turned on
> (from the error it looks like you do). You can see by doing a 'tail -n 15
> /etc/inetd.conf' and see if the kerberized telnet and ftp are commented out or
> not.
> > Troy > > muzaffar@fnal.gov wrote: > > > > My system name is : shahzad > > The account which i am currently logged in is a local account on this system : User > > name : shahzad > > > > now i have done > > /home/shahzad> whoami > > shahzad > > /home/shahzad> uname -a > > Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown > > /home/shahzad> kdestroy > > /home/shahzad> kinit muzaffar > > Password for muzaffar@FNAL.GOV: > > /home/shahzad> klist -k > > Keytab name: FILE:/etc/krb5.keytab > > klist: No such file or directory while starting keytab scan > > /home/shahzad> telnet shahzad > > ... > > .. > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > file or directory ] > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > file or directory ] > > [ Trying KERBEROS4 ... ] > > > > same errors? > > > > how can i run the script which you have mentioned in you last email, and where is > > this script located? > > > > thanks, > > --shahzad > > > > Steven Timm wrote: > > > > > Shazad...first try doing a kdestroy on the system you are trying > > > to telnet from, and then a fresh kinit. Then telnet again. > > > If this doesn't work, then send the output of klist -k on the > > > machine that you have just kerberized. It is either a problem > > > that you have old tickets for this machine in your cache that > > > you need to reset, or that the /etc/krb5.keytab file wasn't made > > > correctly. (there is a script that comes along with the RPM's that > > > can make it for you.) > > > If it was not made correctly, klist -k will return error of "no such > > > file or directory" > > > > > > Steve > > > > > > ------------------------------------------------------------------ > > > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > Fermilab Computing Division/Operating Systems Support > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > > > > > Hi, > > > > I have installed kerberos usng the following rpms > > > > krb5-fermi-1.3a-2.i386.rpm > > > > krb5-fermi-config-1.4-6.i386.rpm > > > > krb5-fermi-login-1.3a-2.i386.rpm > > > > > > > > I have my principal, password and service principals for host and ftp. when i > > > > tried to login to my system, i get this error > > > > > > > > telnet shahzad > > > > .. > > > > ... > > > > .. > > > > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > such file or directory ] > > > > [ Trying KERBEROS4 ... ] > > > > mk_req failed: Principal unknown (kerberos) > > > > [ Trying KERBEROS4 ... ] > > > > mk_req failed: Principal unknown (kerberos) > > > > > > > > Fermi Linux Release 6.1.2 (Strange) > > > > Kernel 2.2.16-3 on an i686 > > > > > > > > login: No such file or directory while getting initial credentials > > > > Login incorrect > > > > login: muzaffar > > > > login: No such file or directory while getting initial credentials > > > > Login incorrect > > > > Connection closed by foreign host. > > > > > > > > > > > > What am i doing wrong? Can any body help me. I have Fermi RH6.1.2 installed on > > > > my system. 
> > > > > > > > thanks, > > > > --shahzad > > > > > > -- > __________________________________________________ > Troy Dawson dawson@fnal.gov (630)840-6468 > Fermilab ComputingDivision/OSS SCS Group > __________________________________________________ From kreymer@fnal.gov Mon Jul 2 14:27:32 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20604 for ; Mon, 2 Jul 2001 14:27:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00A9921UX2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:27:31 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169389@listserv.fnal.gov>; Mon, 02 Jul 2001 14:27:30 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174189 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:27:30 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169388@listserv.fnal.gov>; Mon, 02 Jul 2001 14:27:30 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009FG21TDR@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:27:29 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f62JRSr21608; Mon, 02 Jul 2001 14:27:28 -0500 (CDT) Date: Mon, 02 Jul 2001 14:27:28 -0500 From: Matt Crawford Subject: Re: ftp, usernames and kerberos In-reply-to: "02 Jul 2001 14:40:57 EDT." 
<3B40C039.C02DAA8D@yale.edu>
Sender: owner-kerberos-users@listserv.fnal.gov
To: Colin Gay
Cc: kerberos-users@fnal.gov
Message-id: <200107021927.f62JRSr21608@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1410

> Perhaps we have a slightly different ftp client? Our sysadmin is out
> until Wednesday, so I can't do much checking for a couple of days.

Ah, I assumed you were using Fermi Kerberos clients. But any other Kerberos client ftp should work. Older MIT-derived clients will turn off the Kerberos authentication if you give -n, sort of throwing out the baby with the bath. Also, some ftp clients will prompt you for a password whenever you send a USER just because they think it will be needed. Try giving any old junk if that happens.

Hmm, what if you put this in your $HOME/.netrc file

machine fcdfsgi2.fnal.gov login colin password anything

From kreymer@fnal.gov Mon Jul 2 14:33:57 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20622 for ; Mon, 2 Jul 2001 14:33:57 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009GR2CKV5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:33:57 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169493@listserv.fnal.gov>; Mon, 02 Jul 2001 14:33:56 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174457 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:33:56 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169492@listserv.fnal.gov>; Mon, 02 Jul 2001 14:33:56 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009EA2CJ5V@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov
(ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:33:55 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f62JXsr21655; Mon, 02 Jul 2001 14:33:54 -0500 (CDT) Date: Mon, 02 Jul 2001 14:33:54 -0500 From: Matt Crawford Subject: Re: problem with kerberos installation In-reply-to: "02 Jul 2001 14:25:21 CDT." <3B40CAA1.69E8D8E4@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: muzaffar@fnal.gov Cc: kerberos-users@fnal.gov Message-id: <200107021933.f62JXsr21655@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1411 It looks like the installation process was unaware that you have AFS. It took us a while to get the test just right in the UPD installation script, the RPM may just need more tuning. Edit /etc/krb5.conf and change all "krb5_run_aklog = false" to "krb5_run_aklog = true". The X authorization is another matter. One low-tech way to fix it up is to do "xauth list" in a window on your desktop machine, select the full line for yourhost:0, and paste it onto the end of an "xauth add" command on the remote machine like so: xauth add gungnir.fnal.gov:0 MIT-MAGIC-COOKIE-1 4dc790662e18ac06adae923e925bd6e0 From kreymer@fnal.gov Mon Jul 2 14:42:13 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20632 for ; Mon, 2 Jul 2001 14:42:13 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00AFG2QB4X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:42:12 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169507@listserv.fnal.gov>; Mon, 02 Jul 2001 14:42:11 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174575 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:42:11 -0500 
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169506@listserv.fnal.gov>; Mon, 02 Jul 2001 14:42:11 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009JX2QB95@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:42:11 -0500 (CDT) Date: Mon, 02 Jul 2001 14:42:09 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: CRAWFORD, MATT AR ticket 19313 Has Been Updated. In-reply-to: <318CC3D38BE0D211BB1200105A093F76182CC6@csdserver2.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: ARSystem Cc: "'kerberos-users@fnal.gov'" Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1412 "curiosity" On Mon, 2 Jul 2001, ARSystem wrote: > Short Description : kpilot@cdcvs.fnal.gov > New Work Log Entry : He is looking on how to install kerberos on a > remote system from CVS. > For this he needs a password. He does have a kerberos account, he > only needs the password so it can be installed on the machine he is > working at > In the University in Germany. 
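The `xauth list` / `xauth add` cookie copy that Matt describes in his reply on the installation problem above depends on the copied entry matching the DISPLAY the remote client will open: address family (TCP `host:0` versus the Unix socket `host/unix:0`), host and display number all have to agree, or Xlib ignores the entry and the server refuses the connection. The following is an added example, not code from the thread or from Fermilab: it models that lookup over the `xauth list` output quoted in the thread, and prints the `xauth add` line to paste. The hostname-to-address table standing in for DNS is an assumption made for the example; the thread does not say what `shahzad.fnal.gov` resolves to.

```python
"""Which ~/.Xauthority entry an X client will use for a given DISPLAY.

Added example; models the Xlib lookup (family, host and display number
must all match) so you can see which `xauth list` line to copy.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class XauthEntry:
    family: str   # "inet" = TCP connection, "local" = Unix-domain socket
    host: str     # hostname or dotted address as xauth printed it
    display: int
    proto: str    # authorization protocol, e.g. MIT-MAGIC-COOKIE-1
    cookie: str   # hex cookie: a bearer secret, handle it like a password

    def name(self) -> str:
        """Display name in the form `xauth add` expects."""
        suffix = "/unix" if self.family == "local" else ""
        return f"{self.host}{suffix}:{self.display}"


def parse_display(name: str) -> Tuple[str, str, int]:
    """Split 'host:0.0', 'host/unix:0', 'unix:0' or ':0' into (family, host, display)."""
    left, _, right = name.rpartition(":")
    display = int(right.split(".")[0])          # drop the screen number
    if left.endswith("/unix"):
        return "local", left[: -len("/unix")], display
    if left in ("", "unix"):
        return "local", "", display             # this machine; caller supplies the hostname
    return "inet", left, display


def parse_xauth_list(text: str) -> List[XauthEntry]:
    """Parse the three-column output of `xauth list`."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            name, proto, cookie = line.split()
            family, host, display = parse_display(name)
            entries.append(XauthEntry(family, host, display, proto, cookie))
    return entries


def entry_for_display(entries: List[XauthEntry], display: str,
                      local_hostname: str, dns: Dict[str, str]) -> Optional[XauthEntry]:
    """First entry the client would accept for DISPLAY, or None.

    Xlib compares resolved addresses for inet entries; `dns` stands in for the
    resolver. A local (Unix-socket) entry never satisfies a TCP display name such
    as host:0.0, which is the usual reason a pasted cookie "does not work".
    """
    family, host, number = parse_display(display)
    host = host or local_hostname
    for e in entries:
        if e.family != family or e.display != number:
            continue
        if family == "local" and e.host == host:
            return e
        if family == "inet" and dns.get(e.host, e.host) == dns.get(host, host):
            return e
    return None


def xauth_add_command(entry: XauthEntry) -> str:
    """The command to run on the remote host for this entry."""
    return f"xauth add {entry.name()} {entry.proto} {entry.cookie}"


# `xauth list` output as quoted in the thread (an AFS home directory shares one
# .Xauthority across hosts, which is why several machines appear in it).
DESKTOP_LIST = """\
localhost.localdomain:0  MIT-MAGIC-COOKIE-1  31b73b90dcd1c1273f8bde3ec1d17754
131.225.110.40:0  MIT-MAGIC-COOKIE-1  31b73b90dcd1c1273f8bde3ec1d17754
cmsun1/unix:0  MIT-MAGIC-COOKIE-1  31b73b90dcd1c1273f8bde3ec1d17754
shahzad.fnal.gov/unix:0  MIT-MAGIC-COOKIE-1  75ec50ced4cb4ecf5b8e79360ac32765
cmsvcf.fnal.gov:0  MIT-MAGIC-COOKIE-1  75ec50ced4cb4ecf5b8e79360ac32765
"""
# Assumed for the example only: that shahzad.fnal.gov resolves to the address in the list.
DNS = {"shahzad.fnal.gov": "131.225.110.40"}

if __name__ == "__main__":
    entries = parse_xauth_list(DESKTOP_LIST)
    for disp in ("shahzad.fnal.gov:0.0", ":0"):
        e = entry_for_display(entries, disp, "shahzad.fnal.gov", DNS)
        print(disp, "->", xauth_add_command(e) if e else "no usable entry")
```

Two practical notes. The cookie is the whole authorization: anyone who obtains it and can reach the X server's TCP port can open windows on the display and read keystrokes, so move it inside the Kerberos-authenticated session (the usual one-liner is `xauth nlist "$DISPLAY"` on the desktop piped into `xauth nmerge -` on the remote host) rather than by mail. And `xauth list` cannot tell you which of two different cookies for the same host the running server currently accepts; only the one the server was started with works.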
From kreymer@fnal.gov Mon Jul 2 14:43:14 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20636 for ; Mon, 2 Jul 2001 14:43:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00B962S0DI@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:43:13 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016950E@listserv.fnal.gov>; Mon, 02 Jul 2001 14:43:12 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174582 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:43:12 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016950D@listserv.fnal.gov>; Mon, 02 Jul 2001 14:43:12 -0500 Received: from fnal.gov ([131.225.84.209]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00B8X2S09W@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:43:12 -0500 (CDT) Date: Mon, 02 Jul 2001 14:43:10 -0500 From: muzaffar@fnal.gov Subject: Re: problem with kerberos installation Sender: owner-kerberos-users@listserv.fnal.gov To: Matt Crawford Cc: kerberos-users@fnal.gov Message-id: <3B40CECE.CB0FF543@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200107021933.f62JXsr21655@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1413 Matt Crawford wrote: > It looks like the installation process was unaware that you have > AFS. It took us a while to get the test just right in the UPD > installation script, the RPM may just need more tuning. 
> > Edit /etc/krb5.conf and change all "krb5_run_aklog = false" to > "krb5_run_aklog = true". all krb5_run_aklog are already true, > > > The X authorization is another matter. One low-tech way to fix it up > is to do "xauth list" in a window on your desktop machine, select the > full line for yourhost:0, and paste it onto the end of an "xauth add" > command on the remote machine like so: > > xauth add gungnir.fnal.gov:0 MIT-MAGIC-COOKIE-1 4dc790662e18ac06adae923e925bd6e0 it did not work, xauth list localhost.localdomain:0 MIT-MAGIC-COOKIE-1 31b73b90dcd1c1273f8bde3ec1d17754 131.225.110.40:0 MIT-MAGIC-COOKIE-1 31b73b90dcd1c1273f8bde3ec1d17754 cmsun1/unix:0 MIT-MAGIC-COOKIE-1 31b73b90dcd1c1273f8bde3ec1d17754 shahzad.fnal.gov/unix:0 MIT-MAGIC-COOKIE-1 75ec50ced4cb4ecf5b8e79360ac32765 cmsvcf.fnal.gov:0 MIT-MAGIC-COOKIE-1 75ec50ced4cb4ecf5b8e79360ac32765 xauth add shahzad.fnal.gov/unix:0 MIT-MAGIC-COOKIE-1 75ec50ced4cb4ecf5b8e79360ac32765 nedit Xlib: connection to "shahzad.fnal.gov:0.0" refused by server Xlib: Client is not authorized to connect to Server NEdit: Can't open display From kreymer@fnal.gov Mon Jul 2 14:46:09 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA20648 for ; Mon, 2 Jul 2001 14:46:09 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00AH72WV4X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 14:46:09 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016951C@listserv.fnal.gov>; Mon, 02 Jul 2001 14:46:07 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174596 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 14:46:07 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id 
<0.0016951B@listserv.fnal.gov>; Mon, 02 Jul 2001 14:46:07 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00CCA2WU5R@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 14:46:06 -0500 (CDT) Date: Mon, 02 Jul 2001 14:46:05 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: Strong Auth manual Sec. 11.3 In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1414 Actually, that's a read-only access to the repository, and with the password that goes with that account, "curiosity", which ought to be published with it, anyone *can* check out from that area. On Thu, 14 Jun 2001, Steven Timm wrote: > Date: Thu, 14 Jun 2001 13:10:41 -0500 (CDT) > From: Steven Timm > To: kerberos-users@fnal.gov > Subject: Strong Auth manual Sec. 11.3 > > On the web page > > http://www.fnal.gov/docs/strongauth/htmlpost1_0b/nonfermi_install.html > > there is a section 11.3 which says > > > If you're running an OS that's not supported at Fermilab, to enable > the locally-added features of Kerberos, including CRYPTOCard and cron job > support, > download the modified source from the Computing Division CVS > repository: > > % cvs -d :pserver:kpilot@cdcvs.fnal.gov:/cvs/cd co kerberos > > What this doesn't tell you is that Joe Average User can't just log into > the CDCVS server. Who is it that we are supposed to ask for a login > to same? And isn't this server supposed to be supporting kerberos > logins now? > > Also there are the following comments in section 11.4 > > > > dawson 3/26 14:56 > > use pam module that does authenticating (e.g., > > /lib/security/pam_krb5.so) > > Only problem...this module doesn't exist in the normal Fermi > Linux distribution or the Fermi Kerberos distribution. 
Unless > I much mistake, someone is going to have to actually write it. > > > > Edit different files that use the module (in /etc/pam.d/) > > in /etc/pam.d/xscreensaver, change > > auth required /lib/security/pam_pwdb.so shadow nullok > > to > > auth required /lib/security/pam_pam_krb5.so [keep_cred > ignore_root] > > ( the [...] part from Dane, renews creds) > > then whenever do an xlock, type kerb pw. > > Then fix lines in /etc/pam.d/login > > None of this is actually going to work until the pam_krb5.so module > is made but I am pretty sure that once it is here it should be > pam_krb5.so and not pam_pam_krb5.so above. > > Steve > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > From kreymer@fnal.gov Mon Jul 2 15:01:33 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20776 for ; Mon, 2 Jul 2001 15:01:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009N43MJRM@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 15:01:32 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001695AD@listserv.fnal.gov>; Mon, 02 Jul 2001 15:01:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174753 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 15:01:31 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001695AC@listserv.fnal.gov>; Mon, 02 Jul 2001 15:01:31 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GFV00G013MIMB@smtp.fnal.gov> for 
kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 15:01:30 -0500 (CDT) Received: from hepvms2.physics.yale.edu ([198.125.138.2]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV001M33MHWT@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 15:01:30 -0500 (CDT) Received: from CONVERSION-DAEMON.hepmail.physics.yale.edu by hepmail.physics.yale.edu (PMDF V6.0-24 #46730) id <01K5GM6CEULSAKUBTL@hepmail.physics.yale.edu>; Mon, 02 Jul 2001 16:01:27 -0400 (EDT) Received: from yale.edu ([198.125.138.80]) by hepmail.physics.yale.edu (PMDF V6.0-24 #46730) with ESMTP id <01K5GM6BDS12AKU7W3@hepmail.physics.yale.edu>; Mon, 02 Jul 2001 16:01:26 -0400 (EDT) Date: Mon, 02 Jul 2001 16:03:54 -0400 From: Colin Gay Subject: Re: ftp, usernames and kerberos Sender: owner-kerberos-users@listserv.fnal.gov To: Matt Crawford Cc: kerberos-users@fnal.gov Message-id: <3B40D3AA.F9AA3CB0@yale.edu> MIME-version: 1.0 X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.3-12 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT X-Accept-Language: en References: <200107021927.f62JRSr21608@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1415 Matt Crawford wrote: > > > Perhaps we have a slightly different ftp client? Our sysadmin is out > > until Wednesday, so I can't do much checking for a couple of days. > > Ah, I assumed you were using Fermi Kerberos clients. But any other > Kerberos client ftp should work. Older MIT-derived clients will turn > off the Kerberos authentication if you give -n, sort of throwing out > the baby with the bath. Also, some ftp clients will prompt you for a > password whenever you send a USER just because they think it will be > needed. Try giving any old junk if that happens. > > Hmm, what if you put this in your $HOME/.netrc file > > machine fcdfsgi2.fnal.gov login colin password anything Good idea ... 
I just tried this, and got: GSSAPI error minor: Wrong principal in request then the usual fail messages for the next authentication type ... It didn't ask for my username though :) Cheers, -Colin -- _______________________________________ Colin Gay Yale University, 509 JWG, Box 208121 260 Whitney Ave. New Haven, CT, 06515 Tel: (203)432-3364 Fax: (203)432-6125 _______________________________________ From kreymer@fnal.gov Mon Jul 2 15:21:52 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20825 for ; Mon, 2 Jul 2001 15:21:45 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00ASM4K74X@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 15:21:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169617@listserv.fnal.gov>; Mon, 02 Jul 2001 15:21:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174867 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 15:21:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169616@listserv.fnal.gov>; Mon, 02 Jul 2001 15:21:43 -0500 Received: from fsgi03.fnal.gov ([131.225.68.48]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00BHV4K6DI@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 15:21:42 -0500 (CDT) Received: from localhost (timm@localhost) by fsgi03.fnal.gov (8.11.0/8.11.0) with ESMTP id f62KLfV16068664; Mon, 02 Jul 2001 15:21:41 -0500 (CDT) Date: Mon, 02 Jul 2001 15:21:40 -0500 From: Steven Timm Subject: Re: problem with kerberos installation In-reply-to: <3B40CAA1.69E8D8E4@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: muzaffar@fnal.gov Cc: Troy Dawson , 
kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsgi03.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1416 ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > I still have a small problem, that when i used the > /home/shahzad> telnet -l muzaffar shahzad > ... > .. > /bin/touch: /afs/fnal.gov/files/home/room1/muzaffar/.Info: Permission denied > > > I still have to do the "klog" to get the afs token. > and also i can not open any graphical windows like "nedit" telnet -f will forward your tickets and then you should be able to get an afs token. IF you are already on the machine then you can do /usr/krb5/bin/aklog and it will get you AFS tokens. For the x11 problem, have to set the privileges on your host display properly. Steve > nedit .cshrc > Xlib: connection to "shahzad.fnal.gov:0.0" refused by server > Xlib: Client is not authorized to connect to Server > NEdit: Can't open display > > I have tried both rsh and telnet but same problem, If i use ssh then i can log in and > run applications like nedit or netscape and i also get the AFS token , but i have to > type my passphrase for RSA key 'muzaffar@shahzad.fnal.gov'. > am i missing any configuration? > > thanks, > --shahzad > > Troy Dawson wrote: > > > Hi, > > > > The scripts name is /usr/krb5/config/makehostkeys > > > > Be sure that you have the host and ftp password for your machine before > > running the script. You can get those from > > > > http://www.fnal.gov/cd/forms/strongauth.html > > > > Another thing do to is to check and see if you have telnet and ftp turned on > > (from the error it looks like you do). 
You can see by doing a 'tail -n 15 > > /etc/inetd.conf" and see if the kerberized telnet and ftp are commented out or > > not. > > > > Troy > > > > muzaffar@fnal.gov wrote: > > > > > > My system name is : shahzad > > > The account which i am currently logged in is a local account on this system : User > > > name : shahzad > > > > > > now i have done > > > /home/shahzad> whoami > > > shahzad > > > /home/shahzad> uname -a > > > Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown > > > /home/shahzad> kdestroy > > > /home/shahzad> kinit muzaffar > > > Password for muzaffar@FNAL.GOV: > > > /home/shahzad> klist -k > > > Keytab name: FILE:/etc/krb5.keytab > > > klist: No such file or directory while starting keytab scan > > > /home/shahzad> telnet shahzad > > > ... > > > .. > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > file or directory ] > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > file or directory ] > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > file or directory ] > > > [ Trying KERBEROS4 ... ] > > > > > > same errors? > > > > > > how can i run the script which you have mentioned in you last email, and where is > > > this script located? > > > > > > thanks, > > > --shahzad > > > > > > Steven Timm wrote: > > > > > > > Shazad...first try doing a kdestroy on the system you are trying > > > > to telnet from, and then a fresh kinit. Then telnet again. > > > > If this doesn't work, then send the output of klist -k on the > > > > machine that you have just kerberized. It is either a problem > > > > that you have old tickets for this machine in your cache that > > > > you need to reset, or that the /etc/krb5.keytab file wasn't made > > > > correctly. (there is a script that comes along with the RPM's that > > > > can make it for you.) 
> > > > If it was not made correctly, klist -k will return error of "no such > > > > file or directory" > > > > > > > > Steve > > > > > > > > ------------------------------------------------------------------ > > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > > Fermilab Computing Division/Operating Systems Support > > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > > > > > > > Hi, > > > > > I have installed kerberos usng the following rpms > > > > > krb5-fermi-1.3a-2.i386.rpm > > > > > krb5-fermi-config-1.4-6.i386.rpm > > > > > krb5-fermi-login-1.3a-2.i386.rpm > > > > > > > > > > I have my principal, password and service principals for host and ftp. when i > > > > > tried to login to my system, i get this error > > > > > > > > > > telnet shahzad > > > > > .. > > > > > ... > > > > > .. > > > > > > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > > such file or directory ] > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > > such file or directory ] > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No > > > > > such file or directory ] > > > > > [ Trying KERBEROS4 ... ] > > > > > mk_req failed: Principal unknown (kerberos) > > > > > [ Trying KERBEROS4 ... ] > > > > > mk_req failed: Principal unknown (kerberos) > > > > > > > > > > Fermi Linux Release 6.1.2 (Strange) > > > > > Kernel 2.2.16-3 on an i686 > > > > > > > > > > login: No such file or directory while getting initial credentials > > > > > Login incorrect > > > > > login: muzaffar > > > > > login: No such file or directory while getting initial credentials > > > > > Login incorrect > > > > > Connection closed by foreign host. > > > > > > > > > > > > > > > What am i doing wrong? Can any body help me. I have Fermi RH6.1.2 installed on > > > > > my system. 
> > > > > > > > > > thanks, > > > > > --shahzad > > > > > > > > > -- > > __________________________________________________ > > Troy Dawson dawson@fnal.gov (630)840-6468 > > Fermilab ComputingDivision/OSS SCS Group > > __________________________________________________ > > From kreymer@fnal.gov Mon Jul 2 15:30:58 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20947 for ; Mon, 2 Jul 2001 15:30:58 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009X84ZKDR@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 15:30:57 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016965A@listserv.fnal.gov>; Mon, 02 Jul 2001 15:30:57 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 174937 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 15:30:57 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169659@listserv.fnal.gov>; Mon, 02 Jul 2001 15:30:57 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV009ND4ZK55@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 15:30:56 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f62KUsr21860; Mon, 02 Jul 2001 15:30:54 -0500 (CDT) Date: Mon, 02 Jul 2001 15:30:54 -0500 From: Matt Crawford Subject: Re: ftp, usernames and kerberos In-reply-to: "02 Jul 2001 16:03:54 EDT." 
<3B40D3AA.F9AA3CB0@yale.edu> Sender: owner-kerberos-users@listserv.fnal.gov To: Colin Gay Cc: kerberos-users@fnal.gov Message-id: <200107022030.f62KUsr21860@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1417

> > Hmm, what if you put this in your $HOME/.netrc file
> > machine fcdfsgi2.fnal.gov login colin password anything
>
> Good idea ... I just tried this, and got:
> GSSAPI error minor: Wrong principal in request

Well, um, hrm. Perhaps we're getting somewhere, perhaps not.

After you've done that, look at your ticket cache with "klist" and see which realm the ftp/fcdfsgi2.fnal.gov ticket came from. When I ftp from fcdfsgi2 to itself, I get a ticket for ftp/fcdfsgi2.fnal.gov@FNAL.GOV and it works.

If your ticket is coming from PILOT.FNAL.GOV, that's the problem. You need to fix up the [domain_realm] section of your /etc/krb5.conf to remove any

    fcdfsgi2.fnal.gov = PILOT.FNAL.GOV
or
    .fnal.gov = PILOT.FNAL.GOV

and leave just a

    .fnal.gov = FNAL.GOV

plus perhaps a

    hostname.fnal.gov = PILOT.FNAL.GOV

for any hosts you know are still in the pilot realm.

If you don't have write access to your machine's /etc/krb5.conf and your sysadmin isn't available, make a copy, say in $HOME/krb5.conf, edit that, and

    setenv KRB5_CONFIG $HOME/krb5.conf

(or the other incantation if your shell is Bournish) then try ftp again.
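The [domain_realm] fix above works because of how the Kerberos library turns a host name into a realm before it asks the KDC for a service ticket: an entry equal to the full host name wins, otherwise the most specific entry that starts with a dot and is a suffix of the host name, and with no match the library falls back to DNS or default_realm. A stale `fcdfsgi2.fnal.gov = PILOT.FNAL.GOV` line therefore sends the client after `ftp/fcdfsgi2.fnal.gov@PILOT.FNAL.GOV` even when `.fnal.gov = FNAL.GOV` is also present. The following is an added example, not code from the thread, from MIT krb5 or from Fermilab: it reads the section from a krb5.conf text and reports the service principal the client would request. Both config fragments are constructed to mirror the message, and `pilothost.fnal.gov` is a made-up host name standing in for Matt's "hostname.fnal.gov".

```python
"""Host-to-realm mapping as krb5 reads it from [domain_realm].

Added example; exact host entry first, then the longest dotted suffix.
No match is reported as None (real krb5 then tries DNS/default_realm).
"""
import re
from typing import Dict, Optional


def parse_domain_realm(conf: str) -> Dict[str, str]:
    """Collect name = REALM pairs from [domain_realm].

    A duplicated key keeps its first value here; in a real file do not rely
    on ordering, delete the stale line instead.
    """
    mapping: Dict[str, str] = {}
    section = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
            continue
        if section == "domain_realm" and "=" in line:
            name, realm = (s.strip() for s in line.split("=", 1))
            mapping.setdefault(name.lower(), realm)
    return mapping


def realm_for_host(host: str, mapping: Dict[str, str]) -> Optional[str]:
    """Exact host name wins; otherwise the most specific '.domain' suffix."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):          # ".fnal.gov" is tried before ".gov"
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def service_principal(service: str, host: str, conf: str) -> Optional[str]:
    """Principal the client asks the KDC for, e.g. ftp/fcdfsgi2.fnal.gov@FNAL.GOV."""
    realm = realm_for_host(host, parse_domain_realm(conf))
    return None if realm is None else f"{service}/{host.lower()}@{realm}"


# Constructed: a leftover pilot-realm line of the kind the message says to remove.
BROKEN_CONF = """\
[libdefaults]
    default_realm = FNAL.GOV
[domain_realm]
    fcdfsgi2.fnal.gov = PILOT.FNAL.GOV
    .fnal.gov = FNAL.GOV
"""

# Constructed: the recommended layout; pilothost.fnal.gov is a placeholder name.
FIXED_CONF = """\
[libdefaults]
    default_realm = FNAL.GOV
[domain_realm]
    .fnal.gov = FNAL.GOV
    pilothost.fnal.gov = PILOT.FNAL.GOV
"""

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(label, service_principal("ftp", "fcdfsgi2.fnal.gov", conf))
```

To check the real thing rather than the model, run the ftp attempt and then `klist`, as the message says: the realm on the `ftp/fcdfsgi2.fnal.gov@...` ticket is the one this mapping produced. A private copy selected with `KRB5_CONFIG=$HOME/krb5.conf` is read by the MIT libraries in place of /etc/krb5.conf, which makes it a safe way to test an edit before asking the sysadmin to change the system file.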
From kreymer@fnal.gov Mon Jul 2 15:56:32 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA20972 for ; Mon, 2 Jul 2001 15:56:32 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00CRN6678K@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 02 Jul 2001 15:56:32 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169709@listserv.fnal.gov>; Mon, 02 Jul 2001 15:56:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 175114 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 02 Jul 2001 15:56:31 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00169708@listserv.fnal.gov>; Mon, 02 Jul 2001 15:56:31 -0500 Received: from fnal.gov ([131.225.84.209]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFV00AUH666X2@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 02 Jul 2001 15:56:30 -0500 (CDT) Date: Mon, 02 Jul 2001 15:56:29 -0500 From: muzaffar@fnal.gov Subject: Re: problem with kerberos installation Sender: owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: Troy Dawson , kerberos-users@fnal.gov Message-id: <3B40DFFD.21C6@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1418 Steven Timm wrote: > ------------------------------------------------------------------ > Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote: > > > I still have a small problem, that when i used the > > /home/shahzad> telnet -l muzaffar shahzad > > ... > > .. > > /bin/touch: /afs/fnal.gov/files/home/room1/muzaffar/.Info: Permission denied > > > > > > I still have to do the "klog" to get the afs token. > > and also i can not open any graphical windows like "nedit" > > telnet -f will forward your tickets and then you should be able to > get an afs token. IF you are already on the machine then > you can do /usr/krb5/bin/aklog > and it will get you AFS tokens. thanks, telnet -f option worked. > > > For the x11 problem, have to set the privileges on your host display > properly. > any idea, how can i set the host display properly. thanks, --shahzad > > Steve > > > nedit .cshrc > > Xlib: connection to "shahzad.fnal.gov:0.0" refused by server > > Xlib: Client is not authorized to connect to Server > > NEdit: Can't open display > > > > I have tried both rsh and telnet but same problem, If i use ssh then i can log in and > > run applications like nedit or netscape and i also get the AFS token , but i have to > > type my passphrase for RSA key 'muzaffar@shahzad.fnal.gov'. > > am i missing any configuration? > > > > thanks, > > --shahzad > > > > Troy Dawson wrote: > > > > > Hi, > > > > > > The scripts name is /usr/krb5/config/makehostkeys > > > > > > Be sure that you have the host and ftp password for your machine before > > > running the script. You can get those from > > > > > > http://www.fnal.gov/cd/forms/strongauth.html > > > > > > Another thing do to is to check and see if you have telnet and ftp turned on > > > (from the error it looks like you do). You can see by doing a 'tail -n 15 > > > /etc/inetd.conf" and see if the kerberized telnet and ftp are commented out or > > > not. 
> > > > > > Troy > > > > > > muzaffar@fnal.gov wrote: > > > > > > > > My system name is : shahzad > > > > The account which i am currently logged in is a local account on this system : User > > > > name : shahzad > > > > > > > > now i have done > > > > /home/shahzad> whoami > > > > shahzad > > > > /home/shahzad> uname -a > > > > Linux shahzad.fnal.gov 2.2.16-3 #1 Mon Jun 19 19:11:44 EDT 2000 i686 unknown > > > > /home/shahzad> kdestroy > > > > /home/shahzad> kinit muzaffar > > > > Password for muzaffar@FNAL.GOV: > > > > /home/shahzad> klist -k > > > > Keytab name: FILE:/etc/krb5.keytab > > > > klist: No such file or directory while starting keytab scan > > > > /home/shahzad> telnet shahzad > > > > ... > > > > .. > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > > file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > > file or directory ] > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such > > > > file or directory ] > > > > [ Trying KERBEROS4 ... ] > > > > > > > > same errors? > > > > > > > > how can i run the script which you have mentioned in you last email, and where is > > > > this script located? > > > > > > > > thanks, > > > > --shahzad > > > > > > > > Steven Timm wrote: > > > > > > > > > Shazad...first try doing a kdestroy on the system you are trying > > > > > to telnet from, and then a fresh kinit. Then telnet again. > > > > > If this doesn't work, then send the output of klist -k on the > > > > > machine that you have just kerberized. It is either a problem > > > > > that you have old tickets for this machine in your cache that > > > > > you need to reset, or that the /etc/krb5.keytab file wasn't made > > > > > correctly. (there is a script that comes along with the RPM's that > > > > > can make it for you.) 
> > > > > If it was not made correctly, klist -k will return error of "no such
> > > > > file or directory"
> > > > >
> > > > > Steve
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > > > > Fermilab Computing Division/Operating Systems Support
> > > > > Scientific Computing Support Group--Computing Farms Operations
> > > > >
> > > > > On Mon, 2 Jul 2001 muzaffar@fnal.gov wrote:
> > > > >
> > > > > > Hi,
> > > > > > I have installed kerberos using the following rpms
> > > > > > krb5-fermi-1.3a-2.i386.rpm
> > > > > > krb5-fermi-config-1.4-6.i386.rpm
> > > > > > krb5-fermi-login-1.3a-2.i386.rpm
> > > > > >
> > > > > > I have my principal, password and service principals for host and ftp. When I
> > > > > > tried to log in to my system, I get this error:
> > > > > >
> > > > > > telnet shahzad
> > > > > > ..
> > > > > > ...
> > > > > > ..
> > > > > >
> > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> > > > > > such file or directory ]
> > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> > > > > > such file or directory ]
> > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No
> > > > > > such file or directory ]
> > > > > > [ Trying KERBEROS4 ... ]
> > > > > > mk_req failed: Principal unknown (kerberos)
> > > > > > [ Trying KERBEROS4 ... ]
> > > > > > mk_req failed: Principal unknown (kerberos)
> > > > > >
> > > > > > Fermi Linux Release 6.1.2 (Strange)
> > > > > > Kernel 2.2.16-3 on an i686
> > > > > >
> > > > > > login: No such file or directory while getting initial credentials
> > > > > > Login incorrect
> > > > > > login: muzaffar
> > > > > > login: No such file or directory while getting initial credentials
> > > > > > Login incorrect
> > > > > > Connection closed by foreign host.
> > > > > >
> > > > > > What am I doing wrong? Can anybody help me? I have Fermi RH6.1.2 installed on
> > > > > > my system.
> > > > > >
> > > > > > thanks,
> > > > > > --shahzad
> > > > > >
> > > > > > --
> > > __________________________________________________
> > > Troy Dawson dawson@fnal.gov (630)840-6468
> > > Fermilab Computing Division/OSS SCS Group
> > > __________________________________________________
> >

From kreymer@fnal.gov Tue Jul 3 07:56:04 2001 -0500
Date: Tue, 03 Jul 2001 07:55:59 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19036 Has Been Updated.
To: "'kerberos-users@fnal.gov'"

19036 has been updated by marih.

Short Description : Kerberos telnet/ssh hangs or crashes

New Work Log Entry :
From: "Maarten Litmaath"
To: "ARSystem"
Cc:
Subject: Re: Help Desk Ticket 19036 Has Been Resolved.
Date: Monday, July 02, 2001 6:16 PM

Please add the following info to the ticket's resolution, for future reference:

The problem has been found to be due to CERN's (AFAIK unannounced) change of their firewall from being stateless to stateful, for reasons of security. They have had complaints from other sites and are trying to understand how to improve the timeout behavior of the new firewall; they have increased the value and the behavior already has improved dramatically.

From kreymer@fnal.gov Tue Jul 3 09:52:04 2001 -0500
Date: Tue, 03 Jul 2001 09:52:01 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT AR ticket 19036 Has Been Updated.
In-reply-to: "03 Jul 2001 07:55:59 CDT." <318CC3D38BE0D211BB1200105A093F76182DE6@csdserver2.fnal.gov>
To: "'kerberos-users@fnal.gov'"

> Please add the following info to the ticket's resolution, for future
> reference:
>
> The problem has been found to be due to CERN's (AFAIK unannounced)
> change of their firewall from being stateless to stateful, for
> reasons of security.

Which is just the theory I advanced in my first reply to this problem, but I was told, "oh, no, they haven't done that!"

From kreymer@fnal.gov Tue Jul 3 10:56:20 2001 -0500
Date: Tue, 03 Jul 2001 10:56:15 -0500
From: ARSystem
Subject: 000000000019403 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"

CRAWFORD, MATT, Help Desk Ticket #000000000019403 has been assigned to you.
It is a(n) Medium priority Operating System/Unix /Node Down type of problem.

Short description: I- krb -1 showing down in xfalive.

Badge # (+) : 06583N
First Name : DIANA
Last Name (+) : PEGUES
Phone : 2360
E-Mail Address : DPEGUES@FNAL.GOV
Incident Time : 7/3/01 10:32:17 AM
System Name : I-KRB-1
Urgency : Medium
Public Work Log :
Problem Description : i- krb-1 showing down in the xfalive window as failed connection. Ping system received message 100% packet loss.

From kreymer@fnal.gov Tue Jul 3 11:03:29 2001 -0500
Date: Tue, 03 Jul 2001 11:03:26 -0500
From: Matt Crawford
Subject: Re: 000000000019403 Assigned to CRAWFORD, MATT.
In-reply-to: "03 Jul 2001 10:56:15 CDT." <318CC3D38BE0D211BB1200105A093F76182E40@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"

> Problem Description : i- krb-1 showing down in the xfalive window as
> failed connection. Ping system received message 100% packet loss.

Sorry, it was down temporarily for diagnosis of an unrelated problem. Since it is no longer mentioned in recent Kerberos configuration files, and it has not received any requests to handle for over eight weeks, it will soon be shut down permanently. I will send DCS an update on Kerberos servers to be monitored.

Matt Crawford

From kreymer@fnal.gov Tue Jul 3 12:51:02 2001 -0500
Date: Tue, 03 Jul 2001 12:50:59 -0500 (CDT)
From: Liz Buckley-Geer
Subject: rpm instructions
To: kerberos-users@fnal.gov

Hi,

I am about to embark on installing the rpms for kerberos on my linux desktop (as soon as I get my host/ftp principal). I notice that the web page

http://www.fnal.gov/docs/strongauth/

has no instructions for the rpm install. Could we put a link to Troy's page

http://home.fnal.gov/~dawson/rpms/kerberos.html

so that all the instructions are in one place.

I would like to leave ssh running for a while. Once I have installed all the kerberos rpms, what should I do to ensure that ssh remains open?

On an unrelated topic, I just went to search the mail list archive for this group and it wanted my listserv password! Is this normal? I usually only use that password to admin the lists I own.

Thanks
Liz

From kreymer@fnal.gov Tue Jul 3 13:04:08 2001 -0500
Date: Tue, 03 Jul 2001 13:04:06 -0500 (CDT)
From: Steven Timm
Subject: Re: rpm instructions
To: Liz Buckley-Geer
Cc: kerberos-users@fnal.gov

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 3 Jul 2001, Liz Buckley-Geer wrote:

> Hi, I am about to embark on installing the rpms for kerberos on my linux
> desktop (as soon as I get my host/ftp principal). I notice that the web
> page
>
> http://www.fnal.gov/docs/strongauth/
>
> has no instructions for the rpm install. Could we put a link to Troy's
> page
>
> http://home.fnal.gov/~dawson/rpms/kerberos.html
>
> so that all the instructions are in one place.
>
> I would like to leave ssh running for a while. Once I have installed all
> the kerberos rpms what should I do to ensure that ssh remains open.
>

Look at /etc/sshd_config to make sure that Password Authentication is "yes"--if it's not, change it and do kill -HUP on the sshd. However, this depends partly on what version of ssh you are running. With the newer versions (v1_2_27f) you can either have password-based ssh logins to an AFS machine or kerberos-based logins via ssh, but not both at the same time.

Steve Timm

> On an unrelated topic I just went to search the mail list archive for this
> group and it wanted my listserv password! Is this normal. I usually only
> use that password to admin the lists I own.
>
> Thanks Liz
>

From kreymer@fnal.gov Tue Jul 3 13:35:59 2001 -0500
Date: Tue, 03 Jul 2001 13:35:53 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19255 Has Been Updated.
To: "'kerberos-users@fnal.gov'"

19255 has been updated by marih.

Short Description : Kerberos

New Work Log Entry :
From: "Anne Heavey"
To: "ARSystem"
Cc: ;
Subject: Re: CRAWFORD, MATT AR ticket 19255 Has Been Updated.
Date: Tuesday, July 03, 2001 1:16 PM

WRQ config documented at:
http://www.fnal.gov/docs/strongauth/html/migrationuser.html#65413

From kreymer@fnal.gov Tue Jul 3 13:40:03 2001 -0500
Date: Tue, 03 Jul 2001 13:39:30 -0500
From: Matt Crawford
Subject: phasing out the PILOT.FNAL.GOV realm
To: kerberos-announce@fnal.gov

The Kerberos pilot realm will be phased out as soon as it is politely feasible to do so.
We will NOT pull the plug while some group still must rely on the pilot realm, but we do not want to wait too long for stragglers either.

If the Kerberos installations you use are all defaulting to the production realm FNAL.GOV already, or if they are all looked after by someone else, you do not need to do anything. (If you installed Kerberos after May 10 and didn't specifically request to have your machine put in the pilot realm, you're probably all set already.)

But if you are (or might be!) the admin of a machine still using the PILOT.FNAL.GOV realm as a default, you should subscribe to kerberos-users for information about the rest of the phasing out, or look at the archives through this URL:

http://listserv.fnal.gov/archives/kerberos-users.html

Messages on particular realm-migration topics are listed below with direct pointers ...

Information for users who are not yet using their FNAL.GOV principal -
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=73

Information for sysadmins who have not yet moved their systems to the production realm -
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=179

From kreymer@fnal.gov Tue Jul 3 13:40:05 2001 -0500
Date: Tue, 03 Jul 2001 13:39:34 -0500
From: Matt Crawford
Subject: phasing out the PILOT.FNAL.GOV realm
To: kerberos-users@fnal.gov

I would like to phase out the pilot realm as soon as it is reasonable to do so. We will NOT pull the plug while some group still must rely on it, but I do not want to wait too long for stragglers.

If you have been snoozing through the transition up until now, have a look at these two messages in the kerberos-users archive, please.

Information for users who are not yet using their FNAL.GOV principal -
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=73

Information for sysadmins who have not yet moved their systems to the production realm -
http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=179

The start of the transition to FNAL.GOV was gratifyingly quick, but progress seems to have slowed. On May 10 there were 942 hosts (counting only the fnal.gov DNS domain) believed to be using the pilot realm as their default; now there are only 413 listed. 58 of those turn out not to be in DNS at all any more, so those will be dropped from Kerberos entirely. A list of their names is at the end of this message. Write quickly to nightwatch@fnal.gov if you see a hostname there that should be kept.
A lot of the systems that do exist and are still tagged as being in the pilot realm fall into one of these large groups:

*-clued0
b0da*
bld*
d0en*
d0lx*
d0ol*
fnda*
ncdf*
rip*
stken*

Not every host matching one of those patterns is still in the pilot realm, and not every machine in the pilot realm matches one of the patterns, but the patterns catch most of them. See the first list below for the complete rundown.

When you have converted some hosts to the production realm, or if you see some listed which you know are no longer in service, send a list of them to nightwatch@fnal.gov.

================================
Hosts which are in DNS and seem to still be in the pilot realm (355)

================================
Hosts listed as being in the pilot realm but which are not in DNS (58)

From kreymer@fnal.gov Tue Jul 3 15:28:30 2001 -0500
Date: Tue, 03 Jul 2001 15:28:26 -0500
From: Anne Heavey
Subject: transition from pilot to production realm
In-reply-to: "Your message of Tue, 03 Jul 2001 13:39:34 CDT."
<200107031839.f63IdY502358@gungnir.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <200107032028.f63KSQ712158@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1428 > I would like to phase out the pilot realm as soon as it is reasonable > to do so. We will NOT pull the plug while some group still must rely > on it, but I do not want to wait too long for stragglers. > > If you have been snoozing through the transition up until now, have a > look at these two messages in the kerberos-users archive, please. > > Information for users who are not yet using their FNAL.GOV principal - > http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=73 > > Information for sysadmins who have not yet moved their systems to the > production realm - > http://listserv.fnal.gov/scripts/wa.exe?A2=ind0105b&L=kerberos-users&P=179 > Transition information for users is at: http://www.fnal.gov/docs/strongauth/html/migrationuser.html and for sysadmins at: http://www.fnal.gov/docs/strongauth/html/migrationadmin.html > -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Tue Jul 3 16:52:50 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA24218 for ; Tue, 3 Jul 2001 16:52:50 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFX00AHS3G17B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Jul 2001 16:52:50 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016A93C@listserv.fnal.gov>; Tue, 03 Jul 2001 16:52:49 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 
180477 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 03 Jul 2001 16:52:49 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016A93B@listserv.fnal.gov>; Tue, 03 Jul 2001 16:52:49 -0500 Received: from mayne.dyndns.org ([131.225.248.146]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFX009HQ3G08F@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 03 Jul 2001 16:52:49 -0500 (CDT) Received: (from wellner@localhost) by mayne.dyndns.org (8.11.0/8.11.0) id f63Lqmt01828; Tue, 03 Jul 2001 16:52:48 -0500 Date: Tue, 03 Jul 2001 16:52:48 -0500 From: Rich Wellner Subject: transition from pilot to production realm In-reply-to: Anne Heavey's message of "Tue, 03 Jul 2001 15:28:26 -0500" Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: Organization: Fermilab (the coolest place on earth) MIME-version: 1.0 Content-type: text/plain; charset=us-ascii User-Agent: Gnus/5.070099 (Pterodactyl Gnus v0.99) XEmacs/21.1 (Channel Islands) X-Stock-Tip: PTN X-MBTI: ESTJ Lines: 40 Status: RO X-Status: X-Keywords: X-UID: 1429 Well now I've done it I guess. I followed the directions in the previous messages, got a new password for my ftp and host services in order to install them, but now I'm totally dead. If I try to telnet in from fcdfsun1 to fndaph I see: bash-2.02$ klist Ticket cache: /tmp/krb5cc_p24988 Default principal: wellner@FNAL.GOV Valid starting Expires Service principal 07/03/01 16:43:43 07/04/01 02:29:22 krbtgt/FNAL.GOV@FNAL.GOV bash-2.02$ telnet fndaph Trying 131.225.80.217... Connected to fndaph.fnal.gov (131.225.80.217). Escape character is '^]'. 
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ] [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ] [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: No such file or directory ] [ Trying KERBEROS4 ... ] mk_req failed: You have no tickets cached [ Trying KERBEROS4 ... ] mk_req failed: You have no tickets cached and in the /var/log/messages on fndaph I get the single line: Jul 3 16:31:49 fndaph telnetd[3826]: krb5_rd_req failed: Key table entry not found Worse yet is that if I try to telnet from fndaph to fndaph the whole system locks hard! Ouch! rw2 -- Keep Manhattan, just give me that countryside -Vic Mizzy From kreymer@fnal.gov Tue Jul 3 17:17:20 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA24378 for ; Tue, 3 Jul 2001 17:17:20 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFX008P74KVG9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 03 Jul 2001 17:17:20 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016A9B0@listserv.fnal.gov>; Tue, 03 Jul 2001 17:17:20 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 180617 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 03 Jul 2001 17:17:20 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016A9AF@listserv.fnal.gov>; Tue, 03 Jul 2001 17:17:19 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GFX009NY4KVOT@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 03 Jul 2001 17:17:19 -0500 (CDT) Received: from gungnir.fnal.gov (localhost 
From: Matt Crawford
Date: Tue, 03 Jul 2001 17:17:17 -0500
Subject: Re: transition from pilot to production realm
To: Rich Wellner
Cc: kerberos-users@fnal.gov

Show me the result of

    ls -l /etc/krb5.keytab
    /usr/krb5/bin/klist -k

as root on fndaph. It *looks* as if you have no keytab file at all, or at least no PILOT realm keys left in it, and I can't see any way for that to be caused by the installation script. (You didn't NEED to get a new host & ftp password unless you ditched your old keytab file. "ups add-new-realm kerberos" would take care of converting your old keytab entries.)

What happens if you

    telnet -k FNAL.GOV fndaph

?

From: "Alan L. Stone"
Date: Wed, 04 Jul 2001 00:23:51 -0500
Subject: Re: Strong Auth. 8.4 Reflection Issues
To: kerberos-users@listserv.fnal.gov

I set up Exceed 6.1 on my NT a year ago, and set up WRQ Reflection Signature 8.0.3 about six months ago. I was part of the PILOT program. All was well, as I could easily telnet and FTP from the PC to d0mino.

I have not been able to FTP for several weeks now. I suspect I had trouble around the time the production realm was launched.

I am rereading the Strong Authentication at Fermilab document, dated June 8, 2001, looking for clues on how to solve my problem. When I open the Kerberos Manager, I see my principal name is still alstone@PILOT.FNAL.GOV. Perhaps this needs to be changed. I don't know.

I am still able to telnet between the NT (D0NTLAT1) and d0mino, assuming I have a valid ticket. As explained in the document, once I am on d0mino, I can do a "kinit". The default apparently is whatever I have in .kcache. So, I can move transparently between PILOT.FNAL.GOV and FNAL.GOV.

Back to the document... in section 8.4 on WRQ Reflection Issues, I see that maybe I need to proactively add FNAL.GOV to the configuration. First, I think \\pckits\WRQ\ should be changed to: \\D0server4\APPS\WRQ\ Second, there is no FNAL.GOV.reg file to execute. Then I see as the last sentence of that page that the update is NOT valid for the v8.0 Kerberos Manager. I turn the page, and find myself left hanging.

So what do I do?

thanks,
alan

-------------------------------------------
| Alan L. Stone       | Office: PK177 #57    |
| Fermilab            | Work: (630) 840-8581 |
| PO Box 500          | Page: (630) 218-8991 |
| D0/MS 352           | Fax:  (630) 840-8886 |
| Batavia, IL 60510   | alstone@fnal.gov     |
| http://www-d0.fnal.gov/~alstone            |
-------------------------------------------

From: "Alan L. Stone"
Date: Wed, 04 Jul 2001 01:41:56 -0500
Subject: Reinstall WRQ
To: kerberos-users@fnal.gov

A follow-up to my previous email...

I did a kinit alstone@FNAL.GOV while logged into d0mino. I then followed that with a kpasswd. After which, I went to the WRQ folder on the NT, and clicked on the setup executable. This way I was able to follow the instructions in Chapter 12 of the Strong Authentication document.

Perhaps I am incorrect, but I had tried earlier to add FNAL.GOV and make it the default realm without success in the Kerberos Manager. Perhaps, I had chosen "Require administrator privileges" in step 14 (of 12.2), but I can't be sure. On the second pass, I did not do this.

Anyways, I have fixed all my problems. I have reconfigured so FNAL.GOV is the default realm, I changed my password so I can now connect to the realm, and I now can telnet and FTP to d0mino from my NT after getting a ticket.

cheers, alan

From: Matt Crawford
Date: Thu, 05 Jul 2001 09:00:08 -0500
Subject: Re: Strong Auth. 8.4 Reflection Issues
To: "Alan L. Stone"
Cc: kerberos-users@listserv.fnal.gov

> ...
> I have not been able to FTP for several weeks now.
> I suspect I had trouble around the time the production
> realm was launched.
> ...

I see by later mail that you've solved your problem, but here's what the trouble was: for FTP to work properly, your system has to know what realm d0mino considers itself to be in. In the course of reinstalling WRQ you probably changed your PC's notion that "everything in DNS domain fnal.gov is in Kerberos realm PILOT.FNAL.GOV" to "... is in Kerberos realm FNAL.GOV."

From: Glenn Cooper
Date: Thu, 05 Jul 2001 10:47:06 -0500
Subject: Changing default realm if no keytab file is present
To: kerberos-users@fnal.gov

Many remote sites and home machines have never obtained host keys, since they need Kerberos authentication only to connect to Fermilab machines, not the other direction. However, they would like to change their default realm to FNAL.GOV; but the change-realm script appears to fail if it can't find /etc/krb5.keytab.

What's the simplest/cleanest way to do this? Edit /etc/krb5.conf directly? Uninstall and then reinstall the krb5conf product? Copy /etc/krb5.conf from an fnal.gov node? What do the experts recommend?

Thanks,
Glenn

From: "Robert G. Wagner (ANL) 630-252-6321"
Date: Thu, 05 Jul 2001 11:04:23 -0500 (CDT)
Subject: Re: Changing default realm if no keytab file is present
To: gcooper@fnal.gov
Cc: kerberos-users@fnal.gov

Hello Everyone,

I performed the switchover this morning and it seems to work fine. I got my kerberos software from a RedHat mirror site and originally modified the krb5.conf file that came with it to use the PILOT.FNAL.GOV realm. Here is what I did to make things work:

1) in [libdefaults] change PILOT.FNAL.GOV to FNAL.GOV
2) in [domain_realm] change PILOT.FNAL.GOV to FNAL.GOV
3) in [realms] add in the lines for FNAL.GOV. These I copied from fcdfsgi2::/etc/krb5.conf except for auth_to_local lines which I ignored. Here is what I added to [realms]:

    FNAL.GOV = {
        kdc = krb-fnal-1.fnal.gov:88
        kdc = krb-fnal-2.fnal.gov:88
        kdc = krb-fnal-3.fnal.gov:88
        kdc = krb-fnal-4.fnal.gov:88
        kdc = krb-fnal-5.fnal.gov:88
        admin_server = krb-fnal-admin.fnal.gov
        default_domain = fnal.gov
    }

After doing this, I did a kinit and things worked fine.

Regards,
Bob

On Thu, 5 Jul 2001, Glenn Cooper wrote:

> Many remote sites and home machines have never obtained host keys,
> since they need Kerberos authentication only to connect to Fermilab
> machines, not the other direction. However, they would like to change
> their default realm to FNAL.GOV; but the change-realm script appears
> to fail if it can't find /etc/krb5.keytab.
>
> What's the simplest/cleanest way to do this? Edit /etc/krb5.conf
> directly? Uninstall and then reinstall the krb5conf product? Copy
> /etc/krb5.conf from an fnal.gov node? What do the experts recommend?
>
> Thanks,
> Glenn

From: Matt Crawford
Date: Thu, 05 Jul 2001 14:10:16 -0500
Subject: Re: Changing default realm if no keytab file is present
To: gcooper@fnal.gov
Cc: kerberos-users@fnal.gov

> Many remote sites and home machines have never obtained host keys,
> since they need Kerberos authentication only to connect to Fermilab
> machines, not the other direction. However, they would like to change
> their default realm to FNAL.GOV; but the change-realm script appears
> to fail if it can't find /etc/krb5.keytab.

Hmm, that is a bit harsh, yes. But by the time it dies, it has already taken care of krb5.conf. It won't go on to do the .k5login files, but if you don't have a keytab, those are moot.

> What's the simplest/cleanest way to do this?

I suggest either ignore the "ABORT: keytab-convert failed" error and consider the job done, or tell people to simply edit krb5.conf directly.

From: Liz Buckley-Geer
Date: Thu, 05 Jul 2001 14:48:31 -0500
Subject: help!!
To: kerberos-users@fnal.gov

Hi all, I just installed the rpms for kerberos on my linux machine. All seemed to go well (Anne Heavey is here watching me). We logged out and logged back in okay several times. On the third try I seem to have lost my RedHat login screen and can only login via ctrl-alt-f4 to get the text window.

Any clues as to what might have happened?

Thanks Liz

From: Steven Timm
Date: Thu, 05 Jul 2001 14:49:25 -0500 (CDT)
Subject: Re: help!!
To: Liz Buckley-Geer
Cc: kerberos-users@fnal.gov

The kerberos rpms don't touch the red hat login screen so something else must have happened. In fact, unless you do other modifications, it is still possible to log in at the graphical login screen with a unix password.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Thu, 5 Jul 2001, Liz Buckley-Geer wrote:

> Hi all, I just installed the rpms for kerberos on my linux machine. All
> seemed to go well (Anne Heavey is here watching me). We logged out and
> logged back in okay several times. On the third try I seem to have lost my
> RedHat login screen and can only login via ctrl-alt-f4 to get the text
> window.
>
> Any clues as to what might have happened?
>
> Thanks Liz

From: Liz Buckley-Geer
Date: Thu, 05 Jul 2001 15:17:16 -0500 (CDT)
Subject: Re: help!!
To: Steven Timm
Cc: kerberos-users@fnal.gov

Thanks Steve, rebooting seems to have done the trick.

A couple more questions. I am running an ssh agent to connect to the minos cvs repository (which isn't kerberized yet but will be). Which of these options in sshd-config do I need to turn on for that to continue to work?

    ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
    ##RhostsRSAAuthentication yes
    RhostsRSAAuthentication no
    ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
    ##RSAAuthentication yes
    RSAAuthentication no

Also I am using gnome + enlightenment. If I make a .logout file and put kdestroy into it, will that apply when I logoff the machine or just when I logout of a window on the machine? I usually logoff on a Friday evening so I would like to destroy all my tickets when I do that.

If I want to have telnet automatically forward tickets I need to set the forward = true in krb5.conf, correct?

Also does the kerberized ssh include a kerberized scp?

By the way, the rpms were pretty painless to install.

Thanks Liz

On Thu, 5 Jul 2001, Steven Timm wrote:

> Date: Thu, 05 Jul 2001 14:53:09 -0500 (CDT)
> From: Steven Timm
> To: Liz Buckley-Geer
> Subject: Re: help!!
>
> Reboot and everything should come back.
>
> Steve
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Thu, 5 Jul 2001, Liz Buckley-Geer wrote:
>
> > Yes in fact we used the local password.
> >
> > Liz
> > ----- Original Message -----
> > From: "Steven Timm"
> > To: "Liz Buckley-Geer"
> > Cc:
> > Sent: Thursday, July 05, 2001 2:49 PM
> > Subject: Re: help!!
> >
> > > The kerberos rpms don't touch the red hat login screen
> > > so something else must have happened. In fact, unless you
> > > do other modifications, it is still possible to log in
> > > at the graphical login screen with a unix password.
> > >
> > > Steve
> > >
> > > ------------------------------------------------------------------
> > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > > Fermilab Computing Division/Operating Systems Support
> > > Scientific Computing Support Group--Computing Farms Operations
> > >
> > > On Thu, 5 Jul 2001, Liz Buckley-Geer wrote:
> > >
> > > > Hi all, I just installed the rpms for kerberos on my linux machine. All
> > > > seemed to go well (Anne Heavey is here watching me). We logged out and
> > > > logged back in okay several times. On the third try I seem to have lost
> > > > my RedHat login screen and can only login via ctrl-alt-f4 to get the text
> > > > window.
> > > >
> > > > Any clues as to what might have happened?
> > > >
> > > > Thanks Liz

ESMTP id PAA23823; Thu, 05 Jul 2001 15:36:05 -0500 Date: Thu, 05 Jul 2001 15:36:04 -0500 (CDT) From: Steven Timm Subject: Re: help!! In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: Liz Buckley-Geer Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1440 ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Thu, 5 Jul 2001, Liz Buckley-Geer wrote: > Thanks Steve, rebooting seems to have done the trick. > > A couple more questions. I am running an ssh agent to connect to the > minos cvs repository (which isn't kerberized yet but will be). Which if > these options in sshd-config do I need to turn on for that to continue to > work? sshd_config controls only the inbound ssh to your machine. It has nothing to do with outbound ssh from your machine. You should ask Karen what these options are set to on the minos1 machine. Also-- which ssh client rpm are you using at the moment? If it is the new kerberos-capable one it won't support either of these two options (for non-root users) whether they are turned on or not. > > ## MODIFIED by krb5-fermi-config 1.4 05Jul2001 > ##RhostsRSAAuthentication yes > RhostsRSAAuthentication no > ## MODIFIED by krb5-fermi-config 1.4 05Jul2001 > ##RSAAuthentication yes > RSAAuthentication no > > Also I am using gnome + enlightenment. If I make a .logout file and put > kdestroy into it will that apply when I logoff the machine or just when I > logout of a window on the machine. I usually logoff on a Friday evening > so I would like to destroy all my tickets when I do that. I don't know about this. 
> > If I want to have telnet automatically forward tickets I need to set the > forward = true in krb5.conf correct? > Yes > Also does the kerberized ssh include a kerberized scp? > Yes. > By the way, the rpms were pretty painless to install. > > Thanks Liz > > On Thu, 5 Jul 2001, Steven Timm wrote: > > > Date: Thu, 05 Jul 2001 14:53:09 -0500 (CDT) > > From: Steven Timm > > To: Liz Buckley-Geer > > Subject: Re: help!! > > > > Reboot and everything should come back. > > > > Steve > > > > > > ------------------------------------------------------------------ > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > Fermilab Computing Division/Operating Systems Support > > Scientific Computing Support Group--Computing Farms Operations > > > > On Thu, 5 Jul 2001, Liz Buckley-Geer wrote: > > > > > Yes infact we used the local password. > > > > > > Liz > > > ----- Original Message ----- > > > From: "Steven Timm" > > > To: "Liz Buckley-Geer" > > > Cc: > > > Sent: Thursday, July 05, 2001 2:49 PM > > > Subject: Re: help!! > > > > > > > > > > The kerberos rpms don't touch the red hat login screen > > > > so something else must have happened. In fact, unless you > > > > do other modifications, it is still possible to log in > > > > at the graphical login screen with a unix password. > > > > > > > > Steve > > > > > > > > > > > > ------------------------------------------------------------------ > > > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > > > > Fermilab Computing Division/Operating Systems Support > > > > Scientific Computing Support Group--Computing Farms Operations > > > > > > > > On Thu, 5 Jul 2001, Liz Buckley-Geer wrote: > > > > > > > > > Hi all, I just installed the rpms for kerberos on my linux machine. All > > > > > seemed to go well (Anne Heavey is here watching me). We logged out and > > > > > logged back in okay several times. 
On the third try I seem to have lost > > > my > > > > > RedHat login screen and can only login via ctrl-alt-f4 to get the text > > > > > window. > > > > > > > > > > Any clues as to what might have happened? > > > > > > > > > > Thanks Liz > > > > > > > > > > > > > > > > > > > > > > > > > From kreymer@fnal.gov Thu Jul 5 15:36:52 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA28924 for ; Thu, 5 Jul 2001 15:36:52 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG0000HLP9F80@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 05 Jul 2001 15:36:52 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016BEA2@listserv.fnal.gov>; Thu, 05 Jul 2001 15:36:51 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 186564 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 05 Jul 2001 15:36:51 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016BEA1@listserv.fnal.gov>; Thu, 05 Jul 2001 15:36:51 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GG000501P9E8P@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 05 Jul 2001 15:36:50 -0500 (CDT) Received: from helios.physics.utoronto.ca ([128.100.75.10]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG0001DNP9E2Y@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 05 Jul 2001 15:36:50 -0500 (CDT) Received: from localhost (dmacqueen@localhost) by helios.physics.utoronto.ca (8.9.3/8.9.3) with ESMTP id QAA2291672 for ; Thu, 05 Jul 2001 16:36:50 -0400 (EDT) Date: Thu, 05 Jul 2001 16:36:49 -0400 From: Dan MacQueen Subject: Re: help!! 
To: kerberos-users@fnal.gov

On Thu, 5 Jul 2001, Liz Buckley-Geer wrote:

> A couple more questions. I am running an ssh agent to connect to the
> minos cvs repository (which isn't kerberized yet but will be). Which of
> these options in sshd-config do I need to turn on for that to continue to
> work?
>
> ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
> ##RhostsRSAAuthentication yes
> RhostsRSAAuthentication no
> ## MODIFIED by krb5-fermi-config 1.4 05Jul2001
> ##RSAAuthentication yes
> RSAAuthentication no

Correct me if I'm wrong, but I think setting those two options to "no"
prohibits incoming ssh connections from remote hosts. Outgoing ssh
connections should continue to work, even with them set to no. At least,
that's what I found.

(I hope that I'm right about this -- I set those options, as well as
PasswordAuthentication, to "yes" in order to allow ssh connections to my
machine from other computers in the .physics.utoronto.ca domain.)

Cheers,

------------------------------------------------------
Dan MacQueen -- Ph.D. student -- University of Toronto
--- (416)978-6632 -- dmacqueen@physics.utoronto.ca ---
------------------------------------------------------

From kreymer@fnal.gov Thu Jul 5 16:17:54 2001 -0500
Date: Thu, 05 Jul 2001 16:17:51 -0500 (CDT)
From: Liz Buckley-Geer
Subject: Re: help!!
To: Steven Timm
Cc: kerberos-users@fnal.gov

Hi all

> sshd_config controls only the inbound ssh to your machine. It has
> nothing to do with outbound ssh from your machine. You should ask
> Karen what these options are set to on the minos1 machine. Also--
> which ssh client rpm are you using at the moment? If it is the
> new kerberos-capable one it won't support either of these
> two options (for non-root users) whether they are turned on or not.

Hmm, seems to have mysteriously fixed itself - I hate it when that happens.

Liz

From kreymer@fnal.gov Fri Jul 6 12:20:39 2001 -0500
Date: Fri, 06 Jul 2001 12:20:34 -0500 (CDT)
From: Liz Buckley-Geer
Subject: From Peter Shanahan
To: kerberos-users@fnal.gov
Hi all,

Peter is at Snowmass and is having problems getting into minos1 using his
cryptocard from his linux laptop. He is also having trouble with write
access to his files - see below.

I have successfully used my cryptocard to telnet to minos1 and I can telnet
with my tickets also.

Is there anyone out at Snowmass who understands this stuff that could help him.

Thanks Liz

---------- Forwarded message ----------
Date: Thu, 05 Jul 2001 22:41:03 -0500
From: Peter Shanahan
To: Liz Buckley-Geer
Subject: more kerberos problems

Hi Liz,

When I use my kryptocard to get to kpasa, and then telnet over to minos1, I
don't have write permission to my own files. If I log on to fsgi03 via
insecure telnet, and then ssh to minos1, all is OK. Does afs somehow not
recognize "shanahan@FNAL.GOV"? I thought this was the point of having the
principal name equal to one's standard user name.

Regards,
Peter

=======================================================================
Fermilab MS-220         Phone: (+1) 630 840 8378
P.O. Box 500            Fax:   (+1) 630 840 6039
Batavia, IL 60510 USA

From kreymer@fnal.gov Fri Jul 6 14:20:50 2001 -0500
Date: Fri, 06 Jul 2001 14:20:41 -0500
From: Matt Crawford
Subject: Re: From Peter Shanahan
In-reply-to: "06 Jul 2001 12:20:34 CDT."
To: Liz Buckley-Geer
Cc: kerberos-users@fnal.gov, shanahan@fnal.gov
Message-id: <200107061920.f66JKfF05916@gungnir.fnal.gov>

> Peter is at Snowmass and is having problems getting into minos1 using his
> cryptocard from his linux laptop. He is also having trouble with write
> access to his files - see below.
>
> > When I use my kryptocard to get to kpasa, and then telnet
> > over to minos1, I don't have write permission to my own files.

You could go to minos1 directly with your cryptocard -- but you
shouldn't have to. It seems to me that your Kerberos credentials are
not being forwarded from kpasa to minos1. When you make that
connection, watch for two lines like the following:

[ Kerberos V5 accepts you as ``crawdad@FNAL.GOV'' ]
[ Kerberos V5 accepted forwarded credentials ]

If you don't see the second, log out of minos1 and run telnet again
with a "-F" flag. The /etc/krb5.conf on kpasa sets the default
behavior of telnet, and if the default is not to forward, you have to
make it happen with this command line flag.

> Is there anyone out at Snowmass who understands this stuff that
> could help him.

You tell me.

From kreymer@fnal.gov Fri Jul 6 14:27:32 2001 -0500
Date: Fri, 06 Jul 2001 14:27:30 -0500 (CDT)
From: Liz Buckley-Geer
Subject: Re: From Peter Shanahan
In-reply-to: <200107061920.f66JKfF05916@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-users@fnal.gov

This brings up a question. I have edited krb5.conf on my desktop to allow
telnet to forward tickets. I assume this is a reasonable thing to do so
that I don't have to keep remembering the -F. I was going to include this
change in the instructions I was writing for the minos collaborators. Is
this recommended?

Thanks Liz

On Fri, 6 Jul 2001, Matt Crawford wrote:

> Date: Fri, 06 Jul 2001 14:20:41 -0500
> From: Matt Crawford
> To: Liz Buckley-Geer
> Cc: kerberos-users@fnal.gov, shanahan@fnal.gov
> Subject: Re: From Peter Shanahan
>
> > Peter is at Snowmass and is having problems getting into minos1 using his
> > cryptocard from his linux laptop. He is also having trouble with write
> > access to his files - see below.
> >
> > > When I use my kryptocard to get to kpasa, and then telnet
> > > over to minos1, I don't have write permission to my own files.
>
> You could go to minos1 directly with your cryptocard -- but you
> shouldn't have to. It seems to me that your Kerberos credentials are
> not being forwarded from kpasa to minos1. When you make that
> connection, watch for two lines like the following:
>
> [ Kerberos V5 accepts you as ``crawdad@FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
>
> If you don't see the second, log out of minos1 and run telnet again
> with a "-F" flag. The /etc/krb5.conf on kpasa sets the default
> behavior of telnet, and if the default is not to forward, you have to
> make it happen with this command line flag.
>
> > Is there anyone out at Snowmass who understands this stuff that
> > could help him.
>
> You tell me.
>

From kreymer@fnal.gov Fri Jul 6 14:31:27 2001 -0500
Date: Fri, 06 Jul 2001 14:31:26 -0500 (CDT)
From: Dane Skow
Subject: Re: From Peter Shanahan
In-reply-to: <200107061920.f66JKfF05916@gungnir.fnal.gov>
To: Matt Crawford
Cc: Liz Buckley-Geer, kerberos-users@fnal.gov, shanahan@fnal.gov

On Fri, 6 Jul 2001, Matt Crawford wrote:

> > Peter is at Snowmass and is having problems getting into minos1 using his
> > cryptocard from his linux laptop. He is also having trouble with write
> > access to his files - see below.
> >
> > > When I use my kryptocard to get to kpasa, and then telnet
> > > over to minos1, I don't have write permission to my own files.

Another possibility could be that he doesn't have an AFS token (since I think
minos1 home areas are in AFS). Issuing the command "aklog" should get one
directly without having to type a password (if he has a valid Kerberos
ticket). (The command "tokens" will show whether he has an AFS token or not.)

>
> You could go to minos1 directly with your cryptocard -- but you
> shouldn't have to. It seems to me that your Kerberos credentials are
> not being forwarded from kpasa to minos1. When you make that
> connection, watch for two lines like the following:
>
> [ Kerberos V5 accepts you as ``crawdad@FNAL.GOV'' ]
> [ Kerberos V5 accepted forwarded credentials ]
>
> If you don't see the second, log out of minos1 and run telnet again
> with a "-F" flag. The /etc/krb5.conf on kpasa sets the default
> behavior of telnet, and if the default is not to forward, you have to
> make it happen with this command line flag.
>
> > Is there anyone out at Snowmass who understands this stuff that
> > could help him.
>
> You tell me.
>

Dane Skow, Fermilab, MS369, Kirk and Pine St., Batavia, IL 60510

From kreymer@fnal.gov Fri Jul 6 14:31:58 2001 -0500
Date: Fri, 06 Jul 2001 14:31:55 -0500 (CDT)
From: Liz Buckley-Geer
Subject: rpms
To: kerberos-users@fnal.gov

Are the rpms known to work with non-Fermi RedHat installs?

Liz

From kreymer@fnal.gov Fri Jul 6 14:35:52 2001 -0500
Date: Fri, 06 Jul 2001 14:34:36 -0500
From: Troy Dawson
Subject: forwardable tickets
To: kerberos-users@fnal.gov
Message-id: <3B4612CC.82993A2D@fnal.gov>

Howdy,
I believe I'm going to stir up a bee's nest, but here goes.

I'm questioning the reason behind the default for tickets to be not
forwardable. I believe they should be forwardable by default unless the
sys-admin feels that they shouldn't be on their machine.

Why do I think this?
Because I think this is really only hurting the naive user, the ones who
don't understand kerberos. The people who do understand kerberos are just
turning this on, or getting so used to putting a -f when they telnet that
it's instinctive.

So you say, 'no they aren't'
But then how are they getting into a computer with AFS, they have to put
the -f on there. And how many of our machines use AFS. A WHOLE LOT of them.

So how many people ask me what is the problem with their machine because
they can't log in and they think it's an AFS problem. Several.
How many of the questions to this mailing list (kerberos-users) are really
just problems with their tickets not being forwarded. About 1/4.

Think about it for a little bit. We are just starting to wade into the pool
and hit the chilly spot, and this is the one thing that keeps popping up.

I vote that the default for tickets is for them to be forwardable.

Troy

p.s. I actually got most of this letter done BEFORE Liz wrote her e-mail
that she was planning on telling Minos folks to do this.
--
__________________________________________________
Troy Dawson   dawson@fnal.gov   (630)840-6468
Fermilab   ComputingDivision/OSS   SCS Group
__________________________________________________

From kreymer@fnal.gov Fri Jul 6 14:35:54 2001 -0500
Date: Fri, 06 Jul 2001 14:35:14 -0500
From: Peter Shanahan
Subject: Re: From Peter Shanahan
In-reply-to: <200107061920.f66JKfF05916@gungnir.fnal.gov>
To: Matt Crawford
Cc: Liz Buckley-Geer, kerberos-users@fnal.gov

Hi Matt,

Actually, I would prefer to go directly into minos1 with my cryptocard,
since I don't want the extra overhead of transmitting data through kpasa.
kpasa was just an attempted work-around, which doesn't work due to the
unexplained failure of my credentials to get forwarded to minos1. (Steve
Timm has been working with me on that).

Thanks,
Peter Shanahan

From kreymer@fnal.gov Fri Jul 6 14:35:56 2001 -0500
Date: Fri, 06 Jul 2001 14:35:51 -0500 (CDT)
From: Steven Timm
Subject: Re: From Peter Shanahan (fwd)
To: Peter Shanahan
Cc: kerberos-users@fnal.gov, shepelak@fnal.gov

This output is indicating that for some reason the tickets you are
obtaining via the cryptocard on kpasa aren't forwardable. I will play with
this some and check it out. Of course you could do a kinit on kpasa like
Karen said and that would fix the problem but for the long term that is
frowned upon.

Steve Timm

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Fri, 6 Jul 2001, Peter Shanahan wrote:

> Hi Steve,
>
> ssh does work. I can do that for now.
>
> As for klist....
>
> klist -f
> Ticket cache: /tmp/krb5cc_ttyp3
> Default principal: shanahan@FNAL.GOV
>
> Valid starting      Expires             Service principal
> 07/06/01 13:05:42   07/07/01 15:05:42   krbtgt/FNAL.GOV@FNAL.GOV
>         renew until 07/13/01 13:05:27, Flags: RIHA
> 07/06/01 13:06:10   07/07/01 15:05:42   host/minos1.fnal.gov@FNAL.GOV
>         renew until 07/13/01 13:05:27, Flags: RHA
> 07/06/01 13:10:59   07/07/01 15:05:42   krbtgt/PILOT.FNAL.GOV@FNAL.GOV
>         renew until 07/13/01 13:05:27, Flags: RHA
>
> Thanks,
>
> Peter
>

From kreymer@fnal.gov Fri Jul 6 14:47:01 2001 -0500
Date: Fri, 06 Jul 2001 14:46:59 -0500
From: Troy Dawson
Subject: Re: rpms
To: Liz Buckley-Geer
Cc: kerberos-users@fnal.gov
Message-id: <3B4615B3.D922C614@fnal.gov>

Hi Liz,
So far they have been tested successfully to work on Fermi Linux 6.1.2 and
out of the box RedHat 7.1. (I was very pleasantly surprised about 7.1)
Since it works on those two different platforms, I'm confident it will work
on others, but it hasn't been tested.

Troy

Liz Buckley-Geer wrote:
>
> Are the rpms known to work with non-Fermi RedHat installs?
> > Liz -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Fri Jul 6 14:58:38 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA31721 for ; Fri, 6 Jul 2001 14:58:38 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2007M1I5P2Q@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 14:58:38 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD45@listserv.fnal.gov>; Fri, 06 Jul 2001 14:58:37 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190623 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 14:58:37 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD44@listserv.fnal.gov>; Fri, 06 Jul 2001 14:58:37 -0500 Received: from buckleypc.fnal.gov ([131.225.52.156]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2008I1I5P8H@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 14:58:37 -0500 (CDT) Received: from localhost (buckley@localhost) by buckleypc.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA04223 for ; Fri, 06 Jul 2001 14:58:36 -0500 Date: Fri, 06 Jul 2001 14:58:36 -0500 (CDT) From: Liz Buckley-Geer Subject: pocket reference guide Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: buckleypc.fnal.gov: buckley owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1452 Has any thought been given to producing a pocket reference guide like we have for 
other things? Liz From kreymer@fnal.gov Fri Jul 6 15:00:47 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31727 for ; Fri, 6 Jul 2001 15:00:47 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2006SLI97BG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 15:00:46 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD5B@listserv.fnal.gov>; Fri, 06 Jul 2001 15:00:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190647 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 15:00:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD5A@listserv.fnal.gov>; Fri, 06 Jul 2001 15:00:44 -0500 Received: from bester ([131.225.5.10]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GG2004P6I97NY@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 15:00:43 -0500 (CDT) Date: Fri, 06 Jul 2001 15:00:43 -0500 From: "Frank J. Nagy" Subject: Re: pocket reference guide Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <066301c10656$56c093e0$0a05e183@FNAL.GOV> Organization: Fermilab Computing/Data Communications MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 X-Mailer: Microsoft Outlook Express 5.50.4522.1200 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal References: Status: RO X-Status: X-Keywords: X-UID: 1453 >Has any thought been given to producing a pocket reference guide like we >have for other things? And a small (?), easy-to-use online version as well. = Dr. Frank J. 
Nagy [Applied Scientist] 630-840-4935 FAX 840-6345 = Fermilab Computing Division/Data Communications Dept = nagy@fnal.gov (Alternate: nagy@mad.scientist.com -or- nagy@inil.com) = Web page: http://home.fnal.gov/~nagy/ = USnail: Fermilab POB 500 MS/369 Batavia, IL 60510 From kreymer@fnal.gov Fri Jul 6 15:01:56 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31733 for ; Fri, 6 Jul 2001 15:01:56 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2005RHIB6BO@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 15:01:55 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD6A@listserv.fnal.gov>; Fri, 06 Jul 2001 15:01:54 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190662 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 15:01:54 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD69@listserv.fnal.gov>; Fri, 06 Jul 2001 15:01:54 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG200C3GIB5JS@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 15:01:53 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f66K1kF06123; Fri, 06 Jul 2001 15:01:46 -0500 (CDT) Date: Fri, 06 Jul 2001 15:01:46 -0500 From: Matt Crawford Subject: Re: From Peter Shanahan In-reply-to: "06 Jul 2001 14:27:30 CDT." Sender: owner-kerberos-users@listserv.fnal.gov To: Liz Buckley-Geer Cc: kerberos-users@fnal.gov Message-id: <200107062001.f66K1kF06123@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1454 > This brings up a question. 
I have edited krb5.conf on my desktop to allow
> telnet to forward tickets. I assume this is a reasonable thing to do so
> that I don't have to keep remembering the -F. I was going to include this
> change in the instructions I was writing for the minos collaborators. Is
> this recommended?

It's neither recommended nor discouraged -- it's a matter completely between the sysadmins and the users. One way, most of the users have to remember to explicitly forward. (And by the way, remember that "-f" to telnet, rsh, rlogin will forward your credential in a form that is not further forwardable. (Say that three times fast.)) The other way, the fanatics of the unforwardable "/root" principals have to remember a "-N" to turn off forwarding. The latter group is usually smaller and expected to be more disciplined and learned in the arcana.

NOTE! It's possible to set your krb5.conf so the incoming cryptocard user gets an UNforwardable ticket. You probably DON'T want to do this, but if you do, it would be done by putting "forwardable = false" in the login = { ... } section of [appdefaults]. 
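An added example, not part of Matt Crawford's reply or of any Fermilab tool: a small POSIX shell helper that decodes the flag letters `klist -f` prints for the TGT, so you can see at a glance whether a session's ticket is forwardable (F), was merely forwarded in non-forwardable form (f, which is what the lowercase `-f` to telnet, rsh and rlogin produces), or is renewable (R, which `kinit -R` needs; without it the KDC answers "can't fulfill requested option"). The two klist listings inside the block are constructed, modelled on the ones quoted later in this thread, not captured caches; the flag-letter names are the ones MIT klist documents.

```shell
#!/bin/sh
# Added example (not from the thread): decode the flag letters "klist -f"
# prints and report whether "kinit -R" can succeed on the current TGT.

# Constructed klist -f output, modelled on the listings in the thread.
# Made-up ticket caches for illustration, not captured from a real system.
SAMPLE_RENEWABLE='Ticket cache: /tmp/krb5cc_ttyq3
Default principal: timm@FNAL.GOV

Valid starting     Expires            Service principal
07/09/01 10:08:35  07/10/01 12:08:35  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 07/16/01 10:08:11, Flags: RIHA'

SAMPLE_PLAIN='Ticket cache: /tmp/krb5cc_p3001745
Default principal: buckley@FNAL.GOV

Valid starting     Expires            Service principal
07/05/01 16:57:54  07/06/01 16:36:50  krbtgt/FNAL.GOV@FNAL.GOV
        Flags: IA
07/05/01 16:57:54  07/06/01 16:36:50  afs@FNAL.GOV
        Flags: A'

# Print the Flags string of the TGT (krbtgt/...) in klist -f output read on stdin.
tgt_flags() {
    awk '/krbtgt\// { in_tgt = 1; next }
         in_tgt && /Flags:/ { sub(/.*Flags: */, ""); print; exit }
         /^[0-9]/ { in_tgt = 0 }'
}

# Succeed if flag letter $2 appears in flag string $1.
has_flag() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# Expand a klist flag string (e.g. RIHA) into the names MIT klist gives the letters.
flag_names() {
    s=$1
    out=""
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character
        s=${s#?}          # remainder
        case "$c" in
            F) n=forwardable ;;      f) n=forwarded ;;
            P) n=proxiable ;;        p) n=proxy ;;
            D) n=postdateable ;;     d) n=postdated ;;
            R) n=renewable ;;        I) n=initial ;;
            i) n=invalid ;;          H) n=hw-authenticated ;;
            A) n=preauthenticated ;; T) n=transit-policy-checked ;;
            O) n=ok-as-delegate ;;   a) n=anonymous ;;
            *) n="unknown($c)" ;;
        esac
        out="${out:+$out,}$n"
    done
    printf '%s\n' "$out"
}

# Read klist -f output on stdin; exit 0 if the TGT is renewable, 1 if not.
renew_check() {
    flags=$(tgt_flags)
    names=$(flag_names "$flags")
    if has_flag "$flags" R; then
        printf 'TGT flags %s (%s): kinit -R will work\n' "$flags" "$names"
        return 0
    fi
    printf 'TGT flags %s (%s): no R flag, kinit -R will fail; use kinit -r 96h or renewable = true in [appdefaults] login\n' "$flags" "$names"
    return 1
}
```

In a live session run `klist -f | renew_check`. A cryptocard login whose `[appdefaults]` `login` section lacks `forwardable = true` shows I, H and A but no F; a session reached with lowercase `telnet -f` shows f but not F, so a further hop from it cannot forward again.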
From kreymer@fnal.gov Fri Jul 6 15:04:16 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31737 for ; Fri, 6 Jul 2001 15:04:16 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2005QLIF2IX@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 15:04:15 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD75@listserv.fnal.gov>; Fri, 06 Jul 2001 15:04:15 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190673 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 15:04:15 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CD74@listserv.fnal.gov>; Fri, 06 Jul 2001 15:04:15 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2006IWIF2TD@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 15:04:14 -0500 (CDT) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f66K47U17147; Fri, 06 Jul 2001 15:04:07 -0500 (CDT) Date: Fri, 06 Jul 2001 15:04:07 -0500 From: Anne Heavey Subject: Re: pocket reference guide In-reply-to: "Your message of Fri, 06 Jul 2001 14:58:36 CDT." Sender: owner-kerberos-users@listserv.fnal.gov To: Liz Buckley-Geer Cc: kerberos-users@fnal.gov, aheavey@fsui02.fnal.gov Message-id: <200107062004.f66K47U17147@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1455 > Has any thought been given to producing a pocket reference guide like we > have for other things? > > Liz I'll put it on my list! 
-- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Fri Jul 6 15:52:27 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31795 for ; Fri, 6 Jul 2001 15:52:27 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2006PEKNDTD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 15:52:26 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CE4D@listserv.fnal.gov>; Fri, 06 Jul 2001 15:52:26 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190916 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 15:52:26 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CE4C@listserv.fnal.gov>; Fri, 06 Jul 2001 15:52:26 -0500 Received: from buckleypc.fnal.gov ([131.225.52.156]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2006THKNDXM@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 15:52:25 -0500 (CDT) Received: from localhost (buckley@localhost) by buckleypc.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA04269 for ; Fri, 06 Jul 2001 15:52:25 -0500 Date: Fri, 06 Jul 2001 15:52:25 -0500 (CDT) From: Liz Buckley-Geer Subject: kinit -R fails Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: buckleypc.fnal.gov: buckley owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1456 HI, I am probably doing something stupid. 
I have the following tickets on minos1 klist Ticket cache: /tmp/krb5cc_p3001745 Default principal: buckley@FNAL.GOV Valid starting Expires Service principal 07/05/01 16:57:54 07/06/01 16:36:50 krbtgt/FNAL.GOV@FNAL.GOV 07/05/01 16:57:54 07/06/01 16:36:50 afs@FNAL.GOV I try kinit -R kinit: KDC can't fulfill requested option renewing tgt and I get this error. The same happens on my PC. What am I doing wrong? Liz From kreymer@fnal.gov Fri Jul 6 15:56:04 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA31802 for ; Fri, 6 Jul 2001 15:56:04 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG2005V9KTFVJ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 15:56:04 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CE88@listserv.fnal.gov>; Fri, 06 Jul 2001 15:56:03 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 190975 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 15:56:03 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CE87@listserv.fnal.gov>; Fri, 06 Jul 2001 15:56:03 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG200E94KTE5O@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 15:56:02 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA26934; Fri, 06 Jul 2001 15:56:03 -0500 Date: Fri, 06 Jul 2001 15:56:02 -0500 (CDT) From: Steven Timm Subject: Re: kinit -R fails In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: Liz Buckley-Geer Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: 
TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1457 Liz--likely what is happening is that your ticket isn't renewable. If it is renewable, klist -f will show "R" flag, among others. You have to specify the -r 96h option when you kinit to get a renewable ticket. Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Fri, 6 Jul 2001, Liz Buckley-Geer wrote: > HI, I am probably doing something stupid. I have the following tickets on > minos1 > > klist > Ticket cache: /tmp/krb5cc_p3001745 > Default principal: buckley@FNAL.GOV > > Valid starting Expires Service principal > 07/05/01 16:57:54 07/06/01 16:36:50 krbtgt/FNAL.GOV@FNAL.GOV > 07/05/01 16:57:54 07/06/01 16:36:50 afs@FNAL.GOV > > I try > > kinit -R > kinit: KDC can't fulfill requested option renewing tgt > > and I get this error. The same happens on my PC. What am I doing wrong? 
> > Liz > From kreymer@fnal.gov Fri Jul 6 16:35:46 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA31917 for ; Fri, 6 Jul 2001 16:35:45 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG200FEBMNJ1E@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 06 Jul 2001 16:35:45 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CF75@listserv.fnal.gov>; Fri, 06 Jul 2001 16:35:44 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 191240 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 06 Jul 2001 16:35:44 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016CF73@listserv.fnal.gov>; Fri, 06 Jul 2001 16:35:44 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG200J12MNJA5@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 06 Jul 2001 16:35:43 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f66LZZF07055; Fri, 06 Jul 2001 16:35:35 -0500 (CDT) Date: Fri, 06 Jul 2001 16:35:35 -0500 From: Matt Crawford Subject: Re: kinit -R fails In-reply-to: "06 Jul 2001 15:52:25 CDT." Sender: owner-kerberos-users@listserv.fnal.gov To: Liz Buckley-Geer Cc: kerberos-users@fnal.gov Message-id: <200107062135.f66LZZF07055@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1458 Probably your ticket is not renewable. "klist -f" will show you an "R" flag if it is. There's a "renewable = {true|false}" appdefault for login just as there's a "forwardable = ..." > HI, I am probably doing something stupid. 
I have the following tickets on > minos1 > > klist > Ticket cache: /tmp/krb5cc_p3001745 > Default principal: buckley@FNAL.GOV > > Valid starting Expires Service principal > 07/05/01 16:57:54 07/06/01 16:36:50 krbtgt/FNAL.GOV@FNAL.GOV > 07/05/01 16:57:54 07/06/01 16:36:50 afs@FNAL.GOV > > I try > > kinit -R > kinit: KDC can't fulfill requested option renewing tgt > > and I get this error. The same happens on my PC. What am I doing wrong? > > Liz From kreymer@fnal.gov Sat Jul 7 15:43:00 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA01682 for ; Sat, 7 Jul 2001 15:43:00 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG400L0CEVNPD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 07 Jul 2001 15:43:00 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016D684@listserv.fnal.gov>; Sat, 07 Jul 2001 15:42:59 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 193276 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Sat, 07 Jul 2001 15:42:59 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016D683@listserv.fnal.gov>; Sat, 07 Jul 2001 15:42:59 -0500 Received: from CONVERSION-DAEMON.smtp.fnal.gov by smtp.fnal.gov (PMDF V6.0-24 #37519) id <0GG400L01EVNTN@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Sat, 07 Jul 2001 15:42:59 -0500 (CDT) Received: from librettoig ([204.144.162.62]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GG400DN8EVMWG@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Sat, 07 Jul 2001 15:42:58 -0500 (CDT) Date: Sat, 07 Jul 2001 15:43:53 -0500 From: Irwin Gaines Subject: Problem with WRQ reflection telnet Sender: 
owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <005601c10725$896d2360$80e9a8c0@librettoig> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 X-Mailer: Microsoft Outlook Express 5.00.3018.1300 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit X-Priority: 3 X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1459 There are two different connections from Snowmass. Using one of them (the one in the computer center at the top of the mountain) I have no trouble getting a kerberos connection (I am using WRQ reflection on a W95 laptop; I do my local kerberos authentication, then I run the reflection version of telnet and everything works fine). this is from IP address 66.62.175.105 However, when I am connected from the other IP server (at the conference center at the bottom of the mountain) and I do exactly the same thing I get an error when I try to do the reflection telnet: Incorrect network address (KDC038) this is from IP address 192.168.233.128 In both cases I am using my aironet wireless card. I can do a normal telnet and a portal login using my cryptocard, so this does not affect my functionality, but I thought reflection was supposed to work from anywhere. Any ideas what might be wrong? 
Irwin From kreymer@fnal.gov Sat Jul 7 16:21:48 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA01714 for ; Sat, 7 Jul 2001 16:21:48 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG400ENTGOAQA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sat, 07 Jul 2001 16:21:47 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016D69C@listserv.fnal.gov>; Sat, 07 Jul 2001 16:21:46 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 193303 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Sat, 07 Jul 2001 16:21:46 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016D69B@listserv.fnal.gov>; Sat, 07 Jul 2001 16:21:46 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG400GIKGO92H@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Sat, 07 Jul 2001 16:21:45 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f67LLbF11396; Sat, 07 Jul 2001 16:21:37 -0500 (CDT) Date: Sat, 07 Jul 2001 16:21:37 -0500 From: Matt Crawford Subject: Re: Problem with WRQ reflection telnet In-reply-to: "07 Jul 2001 15:43:53 CDT." <005601c10725$896d2360$80e9a8c0@librettoig> Sender: owner-kerberos-users@listserv.fnal.gov To: Irwin Gaines Cc: kerberos-users@fnal.gov Message-id: <200107072121.f67LLbF11396@gungnir.fnal.gov> Content-id: <11392.994540897.1@gungnir.fnal.gov> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Status: RO X-Status: X-Keywords: X-UID: 1460 > However, when I am connected from the other IP server ... 
> Incorrect network address (KDC038) > this is from IP address 192.168.233.128 > ... > Any ideas what might be wrong? NAT. The address is an immediate tip-off to anyone who has read RFC 1918. Sue somebody for not providing INTERNET SERVICE when, no doubt, they advertised their service as INTERNET SERVICE. Some box in the network is fraudulently altering the packets you send and the packets sent to you. Lots of things aren't going to work in such circumstances. From kreymer@fnal.gov Mon Jul 9 10:07:24 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05592 for ; Mon, 9 Jul 2001 10:07:24 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700FM9OOA03@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:07:23 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E2F8@listserv.fnal.gov>; Mon, 09 Jul 2001 10:07:22 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 196871 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:07:22 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E2F7@listserv.fnal.gov>; Mon, 09 Jul 2001 10:07:22 -0500 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700FK4OO98M@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:07:21 -0500 (CDT) Date: Mon, 09 Jul 2001 10:07:19 -0500 From: "Laurelin of Middle Earth, 630-840-2214" Subject: What is the Officially Acceptable Way of .... ??? 
Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <3B49C8A7.3B9D987C@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en Status: RO X-Status: X-Keywords: X-UID: 1461 What is the Officially Acceptable Way of running an authenticated cron job under an account for which there is no kerberos principal? The situation: the generic 'products' account (no principal) needs to run cron jobs to update various products from the CVS repository (specifically in our case, various documentation products). This was working in the past, but recently broke; I suspect the breakage is connected with the move of the cd cvs repository and the correlated change in access mechanisms. I can do this interactively, via: kinit lauri@FNAL.GOV ... ksu products runTheJob But for maintainability, we want this to be run as a cron job under the 'products' account. 
Thanks for any help, lauri From kreymer@fnal.gov Mon Jul 9 10:11:01 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05598 for ; Mon, 9 Jul 2001 10:11:01 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700K6LOUCDW@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:11:01 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E30A@listserv.fnal.gov>; Mon, 09 Jul 2001 10:11:00 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 196890 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:11:00 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E309@listserv.fnal.gov>; Mon, 09 Jul 2001 10:11:00 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700EQMOUBF6@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:10:59 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA32535 for ; Mon, 09 Jul 2001 10:10:59 -0500 Date: Mon, 09 Jul 2001 10:10:59 -0500 (CDT) From: Steven Timm Subject: cryptocard and forwardable tickets Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1462 Is it possible to change the krb5.conf file so that tickets that are obtained via a cryptocard will be forwardable? I thought this was supposed to be the idea...you log in to one system via cryptocard and then go where you need to go. 
I was investigating problems on one system I manage, but then found that this is happening by default everywhere...e.g., the tickets are not forwardable.

klist -f
Ticket cache: /tmp/krb5cc_ttyq3
Default principal: timm@FNAL.GOV

Valid starting     Expires            Service principal
07/09/01 10:08:35  07/10/01 12:08:35  krbtgt/FNAL.GOV@FNAL.GOV
        renew until 07/16/01 10:08:11, Flags: RIHA

Here's the sample section of krb5.conf

[appdefaults]
    default_lifetime = 7d
    retain_ccache = false
    autologin = true
    forward = false
    renewable = true
    encrypt = true
    krb5_aklog_path = /usr/krb5/bin/aklog

    telnet = {
    }

    rcp = {
        forward = false
        encrypt = false
        allow_fallback = true
    }

    rsh = {
        allow_fallback = true
    }

    rlogin = {
        allow_fallback = false
    }

    login = {
        krb5_run_aklog = false
        krb5_get_tickets = true
        krb4_get_tickets = false
        krb4_convert = false
    }

    kinit = {
        forwardable = true
        krb5_run_aklog = false
    }

    rshd = {
        krb5_run_aklog = false
    }

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Mon Jul 9 10:13:50 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05606 for ; Mon, 9 Jul 2001 10:13:50 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700JB0OZ1YG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:13:50 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E31C@listserv.fnal.gov>; Mon, 09 Jul 2001 10:13:49 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 196908 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:13:49 -0500 Received: from heffalump 
(heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E31B@listserv.fnal.gov>; Mon, 09 Jul 2001 10:13:49 -0500 Received: from fnal.gov ([131.225.81.83]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700ENEOZ0TB@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:13:48 -0500 (CDT) Date: Mon, 09 Jul 2001 10:13:46 -0500 From: "Laurelin of Middle Earth, 630-840-2214" Subject: Re: What is the Officially Acceptable Way of .... ??? Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <3B49CA2A.19BEC615@fnal.gov> Organization: Fermi National Accelerator Lab MIME-version: 1.0 X-Mailer: Mozilla 4.75 [en] (WinNT; U) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <3B49C8A7.3B9D987C@fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1463 I think I found the answer to this, in http://www.fnal.gov/docs/strongauth/html/spectopics.html#51138 I will follow the documentation and see if it all works as advertised. Sorry for the interruption.... -- lauri "Laurelin of Middle Earth, 630-840-2214" wrote: > > What is the Officially Acceptable Way of running an > authenticated cron job under an account for which there > is no kerberos principal? > > The situation: the generic 'products' account (no > principal) needs to run cron jobs to update various > products from the CVS repository (specifically in our > case, various documentation products). > > This was working in the past, but recently broke; I > suspect the breakage is connected with the move of the > cd cvs repository and the correlated change in access > mechanisms. > > I can do this interactively, via: > > kinit lauri@FNAL.GOV > ... > ksu products > runTheJob > > But for maintainability, we want this to be run as > a cron job under the 'products' account. 
> > Thanks for any help, lauri From kreymer@fnal.gov Mon Jul 9 10:17:08 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05610 for ; Mon, 9 Jul 2001 10:17:08 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700JCTP4IYG@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:17:08 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E339@listserv.fnal.gov>; Mon, 09 Jul 2001 10:17:06 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 196937 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:17:06 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E338@listserv.fnal.gov>; Mon, 09 Jul 2001 10:17:06 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700FPGP4HHM@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:17:05 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f69FGrF16912; Mon, 09 Jul 2001 10:16:53 -0500 (CDT) Date: Mon, 09 Jul 2001 10:16:53 -0500 From: Matt Crawford Subject: Re: cryptocard and forwardable tickets In-reply-to: "09 Jul 2001 10:10:59 CDT." Sender: owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: kerberos-users@fnal.gov Message-id: <200107091516.f69FGrF16912@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1464 > Is it possible to change the krb5.conf file so that tickets > that are obtained via a cryptocard will be forwardable? But of course! See "+++" below ... 
> Here's the sample section of krb5.conf
>
> [appdefaults]
> default_lifetime = 7d
> retain_ccache = false
> autologin = true
> forward = false
> renewable = true
> encrypt = true
> krb5_aklog_path = /usr/krb5/bin/aklog
>
> telnet = {
> }
>
> rcp = {
> forward = false
> encrypt = false
> allow_fallback = true
> }
>
> rsh = {
> allow_fallback = true
> }
>
> rlogin = {
> allow_fallback = false
> }
>
> login = {
+++ forwardable = true
> krb5_run_aklog = false
> krb5_get_tickets = true
> krb4_get_tickets = false
> krb4_convert = false
> }
>
> kinit = {
> forwardable = true
> krb5_run_aklog = false
> }
>
> rshd = {
> krb5_run_aklog = false
> }

From kreymer@fnal.gov Mon Jul 9 10:20:46 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05616 for ; Mon, 9 Jul 2001 10:20:46 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700EV5PAJG9@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:20:45 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E391@listserv.fnal.gov>; Mon, 09 Jul 2001 10:20:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 197044 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:20:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E390@listserv.fnal.gov>; Mon, 09 Jul 2001 10:20:43 -0500 Received: from snowball.fnal.gov ([131.225.81.94]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700N0TPAJ3P@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:20:43 -0500 (CDT) Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA32550; Mon, 09 Jul 2001 10:20:43 -0500 Date: Mon, 
09 Jul 2001 10:20:43 -0500 (CDT) From: Steven Timm Subject: Re: cryptocard and forwardable tickets In-reply-to: <200107091516.f69FGrF16912@gungnir.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Matt Crawford Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1465 Thanks. That works. Any reason why this isn't the default? Steve ------------------------------------------------------------------ Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Mon, 9 Jul 2001, Matt Crawford wrote: > > Is it possible to change the krb5.conf file so that tickets > > that are obtained via a cryptocard will be forwardable? > > But of course! See "+++" below ... > > > Here's the sample section of krb5.conf > > > > [appdefaults] > > default_lifetime = 7d > > retain_ccache = false > > autologin = true > > forward = false > > renewable = true > > encrypt = true > > krb5_aklog_path = /usr/krb5/bin/aklog > > > > telnet = { > > } > > > > rcp = { > > forward = false > > encrypt = false > > allow_fallback = true > > } > > > > rsh = { > > allow_fallback = true > > } > > > > rlogin = { > > allow_fallback = false > > } > > > > login = { > +++ forwardable = true > > krb5_run_aklog = false > > krb5_get_tickets = true > > krb4_get_tickets = false > > krb4_convert = false > > } > > > > kinit = { > > forwardable = true > > krb5_run_aklog = false > > } > > > > rshd = { > > krb5_run_aklog = false > > } > From kreymer@fnal.gov Mon Jul 9 10:21:28 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA05620 for ; Mon, 9 Jul 2001 10:21:28 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF 
V6.0-24 #37519) with ESMTP id <0GG700L8CPBR4L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Mon, 09 Jul 2001 10:21:28 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E396@listserv.fnal.gov>; Mon, 09 Jul 2001 10:21:27 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 197049 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Mon, 09 Jul 2001 10:21:27 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016E395@listserv.fnal.gov>; Mon, 09 Jul 2001 10:21:27 -0500 Received: from bel-kwinth.fnal.gov ([131.225.81.121]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG700DVKPBR4K@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Mon, 09 Jul 2001 10:21:27 -0500 (CDT) Date: Mon, 09 Jul 2001 10:21:25 -0500 (CDT) From: "Marc W. Mengel" Subject: Re: What is the Officially Acceptable Way of .... ??? In-reply-to: <3B49CA2A.19BEC615@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: "Laurelin of Middle Earth, 630-840-2214" Cc: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1466 Cool. For CVS, the other option is to make an anonymous, readonly, pserver account for things like "products" to be able to check things out. On Mon, 9 Jul 2001, Laurelin of Middle Earth, 630-840-2214 wrote: > > I think I found the answer to this, in > http://www.fnal.gov/docs/strongauth/html/spectopics.html#51138 > > I will follow the documentation and see if it all > works as advertised. > > Sorry for the interruption.... -- lauri > > "Laurelin of Middle Earth, 630-840-2214" wrote: > > > > What is the Officially Acceptable Way of running an > > authenticated cron job under an account for which there > > is no kerberos principal? 
> > The situation: the generic 'products' account (no
> > principal) needs to run cron jobs to update various
> > products from the CVS repository (specifically in our
> > case, various documentation products).
> >
> > This was working in the past, but recently broke; I
> > suspect the breakage is connected with the move of the
> > cd cvs repository and the correlated change in access
> > mechanisms.
> >
> > I can do this interactively, via:
> >
> >     kinit lauri@FNAL.GOV
> >     ...
> >     ksu products
> >     runTheJob
> >
> > But for maintainability, we want this to be run as
> > a cron job under the 'products' account.
> >
> > Thanks for any help, lauri
>

From kreymer@fnal.gov Mon Jul 9 10:22:40 2001 -0500
Date: Mon, 09 Jul 2001 10:22:25 -0500
From: Matt Crawford
Subject: Re: What is the Officially Acceptable Way of .... ???
In-reply-to: "09 Jul 2001 10:13:46 CDT." <3B49CA2A.19BEC615@fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-users@fnal.gov
Message-id: <200107091522.f69FMPF16958@gungnir.fnal.gov>

> I think I found the answer to this, in
> http://www.fnal.gov/docs/strongauth/html/spectopics.html#51138

Another way which suits SOME, but not all needs, is

1. Make sure that an unprivileged user cannot alter the script you
   want to run as products.

2. Run a script like this from root's crontab:

    #!/bin/sh
    PATH=/usr/krb5/bin:$PATH
    export PATH
    KRB5CCNAME=/tmp/krb5cc_products.$$
    export KRB5CCNAME
    kinit -k ;: gets creds as host/thisnode.fnal.gov@DEFAULTREALM
    chown products $KRB5CCNAME
    su products -c /path/to/real/job
    status=$?
    kdestroy
    exit $status

From kreymer@fnal.gov Mon Jul 9 10:27:54 2001 -0500
Date: Mon, 09 Jul 2001 10:27:40 -0500
From: Matt Crawford
Subject: Re: cryptocard and forwardable tickets
In-reply-to: "09 Jul 2001 10:20:43 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200107091527.f69FReF16985@gungnir.fnal.gov>

> Thanks. That works. Any reason why this isn't the default?

It is included in the krb5.conf template. But if anyone takes it
out, subsequent updates of krb5conf respect the change. Someone must
have taken it out on your machines.

It's not a default wired into the login program itself, probably
because then if some user principal were not allowed forwardable
tickets for some reason, that user could never log in locally or via
cryptocard.
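A hardened form of Matt Crawford's root-crontab recipe above, added here as an example for this archive (it is not code from the thread or from Fermilab): it turns step 1, "an unprivileged user cannot alter the script", into an explicit check on the job file and its directory, replaces the predictable /tmp/krb5cc_products.$$ cache name with mktemp, and destroys the cache on every exit path. The account name products, the host-keytab kinit and the placeholder job path /path/to/real/job come from the thread; the JOB_USER/JOB_PATH/TICKET_LIFE overrides, the -l ticket lifetime and the "run" argument are my own assumptions.

```shell
#!/bin/sh
# Added example: hardened form of the root-crontab approach discussed in
# the thread.  Run as root, e.g. from root's crontab:  /path/to/this run
# Gets credentials for host/<thisnode>@REALM from the host keytab, hands
# the cache to the unprivileged job account, runs the job, destroys the
# cache.  Account name, job path and lifetime below are assumptions.

PATH=/usr/krb5/bin:/usr/bin:/bin
export PATH

JOB_USER=${JOB_USER:-products}           # assumed account name
JOB_PATH=${JOB_PATH:-/path/to/real/job}  # placeholder, as in the thread
TICKET_LIFE=${TICKET_LIFE:-1h}           # assumed; a bit longer than the job

# Owned by the invoking user (root under cron) and neither group- nor
# world-writable?  Symlinks are rejected because ls -ld reports the link
# itself as world-writable.  ls -ld keeps this portable across GNU/BSD.
path_is_protected() {
    _p=$1
    [ -e "$_p" ] || return 1
    set -- $(ls -ld "$_p")              # -rwxr-xr-x 1 owner group ...
    _mode=$1
    _owner=$3
    [ "$_owner" = "$(id -un)" ] || return 1
    case $_mode in
        ?????w*|????????w*) return 1 ;;  # char 6 = group w, char 9 = other w
    esac
    return 0
}

# Step 1 of the advice: whoever can alter the job (or swap the file in its
# directory) runs arbitrary commands with the host's credentials, so both
# the script and its directory must be protected.
job_is_protected() {
    path_is_protected "$1" && path_is_protected "$(dirname "$1")"
}

# Step 2: obtain credentials and run the job as JOB_USER.  Returns the
# job's exit status, or 2 when a precondition fails.
run_products_job() {
    if ! job_is_protected "$JOB_PATH"; then
        echo "refusing to run: $JOB_PATH is alterable by others" >&2
        return 2
    fi
    # Unpredictable cache name instead of /tmp/krb5cc_products.$$, which
    # another local user could guess or pre-create.  kinit replaces the
    # empty 0600 file that mktemp makes.
    _cc=$(mktemp "/tmp/krb5cc_${JOB_USER}.XXXXXX") || return 2
    KRB5CCNAME=FILE:$_cc
    export KRB5CCNAME
    # Destroy the cache however the script ends (job failure, signal).
    trap 'kdestroy >/dev/null 2>&1; rm -f "$_cc"' EXIT HUP INT TERM
    # -k: key from the default keytab; with no principal given, kinit uses
    # host/<fqdn>@<default realm>.  -l bounds the ticket lifetime.
    kinit -k -l "$TICKET_LIFE" || { echo "kinit -k failed" >&2; return 2; }
    chown "$JOB_USER" "$_cc" || return 2
    # su without '-' keeps KRB5CCNAME in the job's environment.
    su "$JOB_USER" -c "$JOB_PATH"
}

case ${1-} in
    run) run_products_job; exit $? ;;
esac
```

Without the "run" argument the script only defines its functions, so the protection check can be exercised on its own before the script is put in root's crontab.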
From kreymer@fnal.gov Mon Jul 9 10:28:39 2001 -0500
Date: Mon, 09 Jul 2001 10:28:34 -0500
From: "Laurelin of Middle Earth, 630-840-2214"
Subject: Re: What is the Officially Acceptable Way of .... ???
To: "Marc W. Mengel"
Cc: kerberos-users@fnal.gov
Message-id: <3B49CDA2.5ECC83E1@fnal.gov>
Organization: Fermi National Accelerator Lab

Is the pserver mechanism node-sensitive? (I mean: if using the pserver
mechanism so that products@d0ora1/3 can check things out, does this
imply that products@any.other.node would also be able to check things
out?)

-- lauri

"Marc W. Mengel" wrote:
>
> Cool. For CVS, the other option is to make an anonymous, readonly,
> pserver account for things like "products" to be able to check things out.
>
> On Mon, 9 Jul 2001, Laurelin of Middle Earth, 630-840-2214 wrote:
>
> > I think I found the answer to this, in
> > http://www.fnal.gov/docs/strongauth/html/spectopics.html#51138
> >
> > I will follow the documentation and see if it all
> > works as advertised.
> >
> > Sorry for the interruption.... -- lauri
> >
> > "Laurelin of Middle Earth, 630-840-2214" wrote:
> > >
> > > What is the Officially Acceptable Way of running an
> > > authenticated cron job under an account for which there
> > > is no kerberos principal?
> > >
> > > The situation: the generic 'products' account (no
> > > principal) needs to run cron jobs to update various
> > > products from the CVS repository (specifically in our
> > > case, various documentation products).
> > >
> > > This was working in the past, but recently broke; I
> > > suspect the breakage is connected with the move of the
> > > cd cvs repository and the correlated change in access
> > > mechanisms.
> > >
> > > I can do this interactively, via:
> > >
> > >     kinit lauri@FNAL.GOV
> > >     ...
> > >     ksu products
> > >     runTheJob
> > >
> > > But for maintainability, we want this to be run as
> > > a cron job under the 'products' account.
> > >
> > > Thanks for any help, lauri
>

From kreymer@fnal.gov Mon Jul 9 10:32:53 2001 -0500
Date: Mon, 09 Jul 2001 10:32:50 -0500 (CDT)
From: Steven Timm
Subject: Re: cryptocard and forwardable tickets
In-reply-to: <200107091527.f69FReF16985@gungnir.fnal.gov>
To: Matt Crawford
Cc: kerberos-users@fnal.gov

------------------------------------------------------------------
Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Mon, 9 Jul 2001, Matt Crawford wrote:

> > Thanks. That works. Any reason why this isn't the default?
>
> It is included in the krb5.conf template. But if anyone takes it
> out, subsequent updates of krb5conf respect the change. Someone must
> have taken it out on your machines.

From what version of krb5conf was it included? The machine in question
only had kerberos installed a couple of weeks ago and any work that has
been done was done by me. As far as I can tell, all of the 200-some
machines I have kerberized do not have the "forwardable = true" line
under the login section of appdefaults.

Steve

From kreymer@fnal.gov Mon Jul 9 11:15:24 2001 -0500
Date: Mon, 09 Jul 2001 11:15:21 -0500 (CDT)
From: "Marc W. Mengel"
Subject: Re: What is the Officially Acceptable Way of .... ???
In-reply-to: <3B49CDA2.5ECC83E1@fnal.gov>
To: "Laurelin of Middle Earth, 630-840-2214"
Cc: kerberos-users@fnal.gov

It means whoever has the password for it can use it, really. You set
CVSROOT=:pserver:user@cdcvs.fnal.gov/cvs/cd and then do a cvs login,
give the password, and then you can do cvs commands.

On Mon, 9 Jul 2001, Laurelin of Middle Earth, 630-840-2214 wrote:

> Is the pserver mechanism node-sensitive? (I mean:
> if using the pserver mechanism so that products@d0ora1/3
> can check things out, does this imply that products@any.other.node
> would also be able to check things out?)
>
> -- lauri
>
> "Marc W. Mengel" wrote:
> >
> > Cool. For CVS, the other option is to make an anonymous, readonly,
> > pserver account for things like "products" to be able to check things out.
> >
> > On Mon, 9 Jul 2001, Laurelin of Middle Earth, 630-840-2214 wrote:
> >
> > > I think I found the answer to this, in
> > > http://www.fnal.gov/docs/strongauth/html/spectopics.html#51138
> > >
> > > I will follow the documentation and see if it all
> > > works as advertised.
> > >
> > > Sorry for the interruption.... -- lauri
> > >
> > > "Laurelin of Middle Earth, 630-840-2214" wrote:
> > > >
> > > > What is the Officially Acceptable Way of running an
> > > > authenticated cron job under an account for which there
> > > > is no kerberos principal?
> > > >
> > > > The situation: the generic 'products' account (no
> > > > principal) needs to run cron jobs to update various
> > > > products from the CVS repository (specifically in our
> > > > case, various documentation products).
> > > >
> > > > This was working in the past, but recently broke; I
> > > > suspect the breakage is connected with the move of the
> > > > cd cvs repository and the correlated change in access
> > > > mechanisms.
> > > >
> > > > I can do this interactively, via:
> > > >
> > > >     kinit lauri@FNAL.GOV
> > > >     ...
> > > >     ksu products
> > > >     runTheJob
> > > >
> > > > But for maintainability, we want this to be run as
> > > > a cron job under the 'products' account.
> > > >
> > > > Thanks for any help, lauri
> >

From kreymer@fnal.gov Mon Jul 9 11:32:29 2001 -0500
Date: Mon, 09 Jul 2001 11:32:14 -0500
From: Matt Crawford
Subject: Re: cryptocard and forwardable tickets
In-reply-to: "09 Jul 2001 10:32:50 CDT."
To: Steven Timm
Cc: kerberos-users@fnal.gov
Message-id: <200107091632.f69GWEF17222@gungnir.fnal.gov>

> > > Thanks. That works. Any reason why this isn't the default?
> >
> > It is included in the krb5.conf template. But if anyone takes it
>
> From what version of krb5conf was it included?

It seems to have been added in krb5conf v1_2, which dates from about
April 10.

From kreymer@fnal.gov Mon Jul 9 14:15:10 2001 -0500
Date: Mon, 09 Jul 2001 14:15:08 -0500 (CDT)
From: Steven Timm
Subject: pam_krb5.so questions
To: kerberos-users@fnal.gov
Cc: linux-users@fnal.gov
The pam_krb5.so from RH 6.1 is working OK for me but there are a couple
glitches.

One--initially the pam authentication worked fine at a kdm login screen
(KDE 2) for runlevel 5. If I look at /tmp/pam-debug.log now when I
attempt one of these logins, I see the following message:

    [pam_krb5.c:pam_sm_setcred(37)] called.
    [pam_krb5.c:pam_sm_setcred(37)] called.
    [pam_krb5.c:pam_sm_authenticate(25)] called with argc=1
    [support.c:_krb5_verify_password(538)] forwardable flag = 1
    [support.c:_krb5_verify_password(610)] destroy TGT

I log in, it takes the password, but doesn't start the X session. If I
log in by other means afterwards, I can see that there were indeed
kerberos credentials made in my usual cache location at the time that
the password was entered.

/etc/pam.d/kde looks like this right now:

    [root@snowball pam.d]# cat kde
    #%PAM-1.0
    auth       required     /lib/security/pam_nologin.so
    auth       sufficient   /lib/security/pam_krb5.so try_first_pass
    auth       required     /lib/security/pam_pwdb.so try_first_pass shadow nullok
    account    required     /lib/security/pam_pwdb.so
    password   required     /lib/security/pam_cracklib.so
    password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
    session    required     /lib/security/pam_pwdb.so
    session    optional     /lib/security/pam_console.so

---------------------------------------------

Any idea what is wrong? By the way, root can log in at the kde login
screen just fine.

Two--the kscreensaver works to a certain extent. It takes my kerberos
password and unlocks the screen. If the ticket had expired it gets
renewed. But it changes the ownership of the credentials cache to root
instead of to me.

Any ideas here?

/etc/pam.d/kscreensaver is below.

    [root@snowball pam.d]# cat kscreensaver
    #%PAM-1.0
    auth       required     /lib/security/pam_krb5.so keep_cred ignore_root
    [root@snowball pam.d]#

Steve
------------------------------------------------------------------
Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

From kreymer@fnal.gov Mon Jul 9 15:30:53 2001 -0500
Date: Mon, 09 Jul 2001 15:30:50 -0500
From: ARSystem
Subject: 000000000019511 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618CF0F@csdserver2.fnal.gov>

CRAWFORD, MATT, Help Desk Ticket #000000000019511 has been assigned to
you. It is a(n) Medium priority Software/Utilities /Kerberos type of
problem.

Short description   : Pre Authentication failed KDC024
Badge # (+)         : 10570
First Name          : CELE
Last Name (+)       : BRUCE
Phone               : 3931
E-Mail Address      : CELEBRUCE@FNAL.GOV
Incident Time       : 7/9/01 3:12:28 PM
System Name         : WHITE
Urgency             : Medium
Public Work Log     :
Problem Description : Having problems with authenticating against the
FNAL.GOV realm. I have made sure that we are using encrypted timestamp
and the time on the pc is correct. I tried to authenticate at ~3:15. I
tried to authenticate for white as well as celebruc. Could you please
check in the logs and help us out?

From kreymer@fnal.gov Mon Jul 9 15:52:40 2001 -0500
Date: Mon, 09 Jul 2001 15:52:25 -0500
From: Matt Crawford
Subject: Re: 000000000019511 Assigned to CRAWFORD, MATT.
In-reply-to: "09 Jul 2001 15:30:50 CDT." <318CC3D38BE0D211BB1200105A093F7618CF0F@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200107092052.f69KqQF18254@gungnir.fnal.gov>

> Problem Description : Having problems with authenticating against the
> FNAL.GOV realm. I have made sure that we are using encrypted timestamp
> and the time on the pc is correct. I tried to authenticate at ~3:15. I
> tried to authenticate for white as well as celebruc. Could you please
> check in the logs and help us out?

Authentication as white@FNAL.GOV failed at 14:54:34 from d0mino
(cryptocard?) and was successful at

    14:53:14 from d0mino
    14:54:01 from d0mino
    14:55:19 from d0mino
    15:08:21 from d0mino
    15:32:16 from WHITE-00065983-dp.dhcp.fnal.gov

The last looks like a WRQ interaction since it did not send a request
without the timestamp preauth before sending one with it.

I see no authentication attempts for celebruc today on the primary
FNAL.GOV KDC, but I do see six failed attempts on krb-fnal-2, all from
dustpuppy. In this case it's the usual problem of a principal that was
migrated from PILOT.FNAL.GOV to FNAL.GOV and has to have the password
changed at least once before it can be used from WRQ.

The slave KDCs show no requests as white@FNAL.GOV this week.
From kreymer@fnal.gov Mon Jul 9 16:01:38 2001 -0500
Date: Mon, 09 Jul 2001 16:01:32 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019511
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618CF2F@csdserver2.fnal.gov>

The following note has been sent to the requester: BRUCE, CELE

Short Description  : Pre Authentication failed KDC024
Notes to Requester :

Authentication as white@FNAL.GOV failed at 14:54:34 from d0mino
(cryptocard?) and was successful at

    14:53:14 from d0mino
    14:54:01 from d0mino
    14:55:19 from d0mino
    15:08:21 from d0mino
    15:32:16 from WHITE-00065983-dp.dhcp.fnal.gov

The last looks like a WRQ interaction since it did not send a request
without the timestamp preauth before sending one with it.

I see no authentication attempts for celebruc today on the primary
FNAL.GOV KDC, but I do see six failed attempts on krb-fnal-2, all from
dustpuppy. In this case it's the usual problem of a principal that was
migrated from PILOT.FNAL.GOV to FNAL.GOV and has to have the password
changed at least once before it can be used from WRQ.

The slave KDCs show no requests as white@FNAL.GOV this week.

From kreymer@fnal.gov Mon Jul 9 17:01:25 2001 -0500
Date: Mon, 09 Jul 2001 17:01:24 -0500 (CDT)
From: Steven Timm
Subject: Re: pam_krb5.so questions
To: kerberos-users@fnal.gov
Cc: linux-users@fnal.gov

On Mon, 9 Jul 2001, Steven Timm wrote:

>
> The pam_krb5.so from RH 6.1 is working OK for me but there are
> a couple glitches.
>
> One--initially the pam authentication worked fine at a kdm login
> screen (KDE 2) for runlevel 5.

The first problem is due to the fact that the pam_krb5.so is not
getting me an AFS token--thus all the startup scripts of KDE fail
because they can't write an AFS home area. If a token is secured by
other means, the login works fine. (This is why I didn't notice the
problem at first; there were AFS tokens hanging around from before that
weren't wiped out even with kdestroy.)

Has anyone managed to cajole the pam_krb5.so into giving tokens?

For further information, /tmp/xses-username gives info about an X
session that is failing.

Steve

>
> If I look at /tmp/pam-debug.log now when I attempt one of these logins,
> I see the following message:
>
> [pam_krb5.c:pam_sm_setcred(37)] called.
> [pam_krb5.c:pam_sm_setcred(37)] called.
> [pam_krb5.c:pam_sm_authenticate(25)] called with argc=1
> [support.c:_krb5_verify_password(538)] forwardable flag = 1
> [support.c:_krb5_verify_password(610)] destroy TGT
>
> I log in, it takes the password, but doesn't start the X session.
> If I log in by other means afterwards, I can see that there were
> indeed kerberos credentials made in my usual cache location at the
> time that the password was entered.
>
> /etc/pam.d/kde looks like this right now:
>
> [root@snowball pam.d]# cat kde
> #%PAM-1.0
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_krb5.so try_first_pass
> auth       required     /lib/security/pam_pwdb.so try_first_pass shadow nullok
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
> session    required     /lib/security/pam_pwdb.so
> session    optional     /lib/security/pam_console.so
>
> ---------------------------------------------
>
> Any idea what is wrong? By the way, root can log in at the kde login
> screen just fine.
>
> Two--the kscreensaver works to a certain extent. It takes my kerberos
> password and unlocks the screen. If the ticket had expired it gets
> renewed. But it changes the ownership of the credentials cache to
> root instead of to me.
>
> Any ideas here?
>
> /etc/pam.d/kscreensaver is below.
>
> [root@snowball pam.d]# cat kscreensaver
> #%PAM-1.0
> auth       required     /lib/security/pam_krb5.so keep_cred ignore_root
> [root@snowball pam.d]#
>
> Steve
>
> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525  timm@fnal.gov  http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>

From kreymer@fnal.gov Tue Jul 10 08:52:32 2001 -0500
Date: Tue, 10 Jul 2001 08:53:03 -0500
From: yocum@fnal.gov
Subject: Re: krb5 and FL7.1.x (xinetd)
To: owner-linux-users@listserv.fnal.gov
Cc: "linux-users@fnal.gov", kerberos-users@listserv.fnal.gov
Message-id: <3B4B08BF.AFA0C4C@fnal.gov>
MIME-version: 1.0
X-Mailer: Mozilla 4.77 [en] (X11; U; Linux 2.4.2-SGI_XFS_1.0 i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References:
Status: RO
X-Status:
X-Keywords:
X-UID: 1478

I'll migrate this to kerberos-users, too.

oneil@fnal.gov wrote:
>
> Hi Dan,
> Try
>
> /sbin/chkconfig --list
>
> If you see
> xinetd based services:
> .
> .
> krb5-telnet: off

Nope, doesn't exist. Bummer. :(

> .
> .
>
> You need to do
>
> /sbin/chkconfig --level 345 krb5-telnet on

I like this. I like this a lot! I heard someone compare xinet to rc
startup scripts, but didn't realize that you could actually control it with
chkconfig. Very cool.

So, basically, what needs to be done is to include the xinet files from the
default krb that comes with Red Hat, modified for Fermi's special krb5, as
Troy included in another email.

Troy: what other kerberized services should be in there? klogin? ftpd?

So, why aren't we using the default kerberos packages that come from Red
Hat, at least on the Linux machines? What changes have been made to ours?

Cheers,
Dan

>
> This will turn on kerberos telnet access at runlevels 3, 4 and 5.
>
> Cheers,
> Dugan.
>
> PS. it should create files in /etc/xinetd.d/ for you....
>
> On Mon, 9 Jul 2001 yocum@fnal.gov wrote:
>
> > Hi all,
> >
> > What's the correct way to set up xinetd to work with kerberos? There's no
> > more /etc/inetd.conf file - everything is in /etc/xinetd.d in separate
> > files. I thought it might be as easy as enabling (for instance) telnet and
> > telling it to use the kerberized telnetd but that doesn't seem to be the
> > case (it allows people to telnet in from non-kerberized machines w/o
> > challenging them).
> >
> > Thanks,
> > Dan
> >
> >
> >
> > --
> > Dan Yocum
> > Sloan Digital Sky Survey, Fermilab 630.840.6509
> > yocum@fnal.gov, http://www.sdss.org
> > SDSS. Mapping the Universe.
> >
>
> ----------------------------------------------------------------------------
> Dugan O'Neil                        E-mail : oneil@fnal.gov
>                                              Dugan.O'Neil@cern.ch
> Dept. of Physics and Astronomy      web    : http://www-d0.fnal.gov/~oneil
> Michigan State University
>
> phone:(630)840-2829                 It's too bad that whole families
> fax  :(630)840-8886                 have to be torn apart by something
>                                     as simple as wild dogs.
>                                                 - Jack Handey
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> Mail:                               Couriers:
> MS 352                              Kirk and Wilson Streets
> Fermilab                            Mail Station 352
> P.O.Box 500                         Fermilab
> Batavia, IL 60510-0500              Batavia, IL 60510-0500
> ----------------------------------------------------------------------------

--
Dan Yocum
Sloan Digital Sky Survey, Fermilab 630.840.6509
yocum@fnal.gov, http://www.sdss.org
SDSS. Mapping the Universe.

From kreymer@fnal.gov Tue Jul 10 09:10:49 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA08620 for ; Tue, 10 Jul 2001 09:10:49 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900AC6GPZYA@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 09:10:48 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F499@listserv.fnal.gov>; Tue, 10 Jul 2001 09:10:47 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 201887 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 09:10:47 -0500
Received: from nova.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F498@listserv.fnal.gov>; Tue, 10 Jul 2001 09:10:47 -0500
Received: from localhost (tez@localhost) by nova.fnal.gov (8.9.3+Sun/8.9.3) with ESMTP id JAA07336; Tue, 10 Jul 2001 09:10:44 -0500 (CDT)
Date: Tue, 10 Jul 2001 09:10:44 -0500 (CDT)
From: Tim Zingelman
Subject: Re: krb5 and FL7.1.x (xinetd)
In-reply-to: <3B4B08BF.AFA0C4C@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
X-Sender:
To: yocum@fnal.gov
Cc: owner-kerberos-users@listserv.fnal.gov, "linux-users@fnal.gov" , kerberos-users@listserv.fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: nova.fnal.gov: tez owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1479

On Tue, 10 Jul 2001 yocum@fnal.gov wrote:

> So, why aren't we using the default kerberos packages that come from Red
> Hat, at least on the Linux machines? What changes have been made to ours?
> Dan

To quote from old messages from the kerberos list (but not in the
archives since they don't start until about March 7th...) Sorry, but I
didn't take the effort to attribute the quotes.

- Tim

--begin excerpts--

> What are the 'locally-added or configured' features in the ups/upd
> distribution that we might want to implement?

Others are better qualified to answer this than me, but they certainly
include putting all the right KDC names and IP numbers into
/etc/krb5.conf, fixing your inetd.conf and services correctly, and some
of the portal services such as portal mode telnet and ftp.

The UPS/UPD version of the product is ready to be installed and put into
service. The manual tells you what you need to know about the changes to
your system (which services are affected, etc.). If there are specific
details you don't find documented, that's what this list is for. Ask
what you specifically need to know, someone will know the answer. As the
right questions are asked, I expect that the document will be updated
with the appropriate information (at least that information that can be
published). Don't forget that this is security-related software and not
all the details may be appropriate for publishing on-line or sharing via
a mailing list.
Answering what seems to be a question of "what do we lose if we just go
and get Kerberos from MIT, or an existing FreeBSD port, or an existing
Redhat rpm?" I can cite off the top of my head:

1. Cryptocard logins through telnet and ftp. (And I would add cryptocard
   login via ssh as well.) That's the big one. But there's also

2. The tools to do authentication of users' cron jobs. (You could do the
   same job without them, but it would amount to either reinventing the
   wheel or doing something dreadfully insecure.)

3. Flexible fallback to a non-Kerberized client if you default to
   encryption "on" but connect to a non-Kerberos server.

4. An ftp client that plays nicely with Emacs' efs mode.

5. Depending which MIT version your software base comes from, it may have
   buffer overflows or other bugs which are fixed here. (All but one of
   those bugs are fixed in MIT 1.2.2, but that's only been out for two
   days.)

There are probably a few other minor things.

--end excerpts--

From kreymer@fnal.gov Tue Jul 10 10:06:57 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA08706 for ; Tue, 10 Jul 2001 10:06:57 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900ASGJBFWS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 10:06:57 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F550@listserv.fnal.gov>; Tue, 10 Jul 2001 10:06:51 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 202089 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 10:06:50 -0500
Received: from snowball.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F54C@listserv.fnal.gov>; Tue, 10 Jul 2001 10:06:50 -0500
Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id KAA17946; Tue, 10 Jul 2001 10:06:50 -0500
Date: Tue, 10 Jul 2001 10:06:49 -0500 (CDT)
From: Steven Timm
Subject: Re: krb5 and FL7.1.x (xinetd)
In-reply-to: <3B4B08BF.AFA0C4C@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: yocum@fnal.gov
Cc: linux-users@fnal.gov, kerberos-users@listserv.fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs
Status: RO
X-Status:
X-Keywords:
X-UID: 1480

What Fermi kerberos gives you that the straight red hat doesn't is the
support for the cryptocard logins. Having said that, it is possible to do
a straight install of red hat 7.1, configure the kerberos to point to the
Fermi KDC's, and everything will work including the PAM modules.

Other differences between Fermi and RH kerberos include that all the
libraries are in different places. I tried to compile the pam_krb5.so
against the Fermi kerberos header files and libraries and never made it.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Tue, 10 Jul 2001 yocum@fnal.gov wrote:

> I'll migrate this to kerberos-users, too.
>
> oneil@fnal.gov wrote:
> >
> > Hi Dan,
> > Try
> >
> > /sbin/chkconfig --list
> >
> > If you see
> > xinetd based services:
> > .
> > .
> > krb5-telnet: off
>
>
> Nope, doesn't exist. Bummer. :(
>
> > .
> > .
> >
> > You need to do
> >
> > /sbin/chkconfig --level 345 krb5-telnet on
>
>
> I like this. I like this a lot! I heard someone compare xinet to rc
> startup scripts, but didn't realize that you could actually control it with
> chkconfig. Very cool.
>
> So, basically, what needs to be done is to include the xinet files from the
> default krb that comes with Red Hat, modified for Fermi's special krb5, as
> Troy included in another email.
>
> Troy: what other kerberized services should be in there? klogin? ftpd?
>
> So, why aren't we using the default kerberos packages that come from Red
> Hat, at least on the Linux machines? What changes have been made to ours?
>
> Cheers,
> Dan
>
> >
> >
> > This will turn on kerberos telnet access at runlevels 3, 4 and 5.
> >
> > Cheers,
> > Dugan.
> >
> > PS. it should create files in /etc/xinetd.d/ for you....
> >
> > On Mon, 9 Jul 2001 yocum@fnal.gov wrote:
> >
> > > Hi all,
> > >
> > > What's the correct way to set up xinetd to work with kerberos? There's no
> > > more /etc/inetd.conf file - everything is in /etc/xinetd.d in separate
> > > files. I thought it might be as easy as enabling (for instance) telnet and
> > > telling it to use the kerberized telnetd but that doesn't seem to be the
> > > case (it allows people to telnet in from non-kerberized machines w/o
> > > challenging them).
> > >
> > > Thanks,
> > > Dan
> > >
> > >
> > >
> > > --
> > > Dan Yocum
> > > Sloan Digital Sky Survey, Fermilab 630.840.6509
> > > yocum@fnal.gov, http://www.sdss.org
> > > SDSS. Mapping the Universe.
> > >
> >
> > ----------------------------------------------------------------------------
> > Dugan O'Neil                        E-mail : oneil@fnal.gov
> >                                              Dugan.O'Neil@cern.ch
> > Dept. of Physics and Astronomy      web    : http://www-d0.fnal.gov/~oneil
> > Michigan State University
> >
> > phone:(630)840-2829                 It's too bad that whole families
> > fax  :(630)840-8886                 have to be torn apart by something
> >                                     as simple as wild dogs.
> >                                                 - Jack Handey
> > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > Mail:                               Couriers:
> > MS 352                              Kirk and Wilson Streets
> > Fermilab                            Mail Station 352
> > P.O.Box 500                         Fermilab
> > Batavia, IL 60510-0500              Batavia, IL 60510-0500
> > ----------------------------------------------------------------------------
>
> --
> Dan Yocum
> Sloan Digital Sky Survey, Fermilab 630.840.6509
> yocum@fnal.gov, http://www.sdss.org
> SDSS. Mapping the Universe.
>

From kreymer@fnal.gov Tue Jul 10 13:56:11 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA09207 for ; Tue, 10 Jul 2001 13:56:10 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900A89TXKMQ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 13:56:10 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F986@listserv.fnal.gov>; Tue, 10 Jul 2001 13:56:08 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203329 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 13:56:08 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F985@listserv.fnal.gov>; Tue, 10 Jul 2001 13:56:08 -0500
Received: from fnal.gov ([131.225.85.99]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9005NTTXKY5@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 13:56:08 -0500 (CDT)
Date: Tue, 10 Jul 2001 13:56:08 -0500
From: Bruce Greenway
Subject: kcroninit
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Message-id: <3B4B4FC8.2D2650F8@fnal.gov>
Organization: ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain;
 charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
Status: RO
X-Status:
X-Keywords:
X-UID: 1481

I am trying to do a kcroninit on a kerberized machine and get the following:

--------------------------------------------------------
Are you on a secure channel? (default = y):
What is your kerberos principal (default = bgreen@FNAL.GOV):
Enter the password for bgreen@FNAL.GOV:
Now adding principal bgreen/cron/sdsslnx3.fnal.gov@FNAL.GOV...
add_principal: Principal or policy already exists while creating "bgreen/cron/sdsslnx3.fnal.gov@FNAL.GOV".
Now creating empty keytab file for bgreen/cron/sdsslnx3.fnal.gov@FNAL.GOV...
Now writing temporary keytab for bgreen/cron/sdsslnx3.fnal.gov@FNAL.GOV...
Temporary keytab created.
Now transferring temporary keytab file contents...
ERROR transferring keytab file contents; ABORT.
All done.
------------------------------------------------------

Anyone have any idea where to start debugging this problem?

Thanks,
Bruce

--
**********************************************************************
Bruce Greenway
Fermilab MS 120
500 Wilson Road
Batavia, IL 60510
bgreen@fnal.gov
(630) 840-8420 (voice)
(630) 840-8274 (FAX)
**********************************************************************

From kreymer@fnal.gov Tue Jul 10 14:00:44 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09218 for ; Tue, 10 Jul 2001 14:00:44 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9008G3U560L@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 14:00:44 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F991@listserv.fnal.gov>; Tue, 10 Jul 2001 14:00:42 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203340 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 14:00:42 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F990@listserv.fnal.gov>; Tue, 10 Jul 2001 14:00:42 -0500
Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9008FXU55M7@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 14:00:42 -0500 (CDT)
Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f6AJ0RF22242; Tue, 10 Jul 2001 14:00:27 -0500 (CDT)
Date: Tue, 10 Jul 2001 14:00:27 -0500
From: Matt Crawford
Subject: Re: kcroninit
In-reply-to: "10 Jul 2001 13:56:08 CDT." <3B4B4FC8.2D2650F8@fnal.gov>
Sender: owner-kerberos-users@listserv.fnal.gov
To: Bruce Greenway
Cc: kerberos-users@fnal.gov
Message-id: <200107101900.f6AJ0RF22242@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1482

> Anyone have any idea where to start debugging this problem?

ls -ld /var/adm

We've seen a lot of systems (all Linux?) where this directory has the
bizarre permissions 701 so members of one group can't access it.
Change it to 711 or 755.
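The check Matt suggests generalises to any directory a tool such as kcroninit has to traverse: a mode like 701 gives "other" the search (x) bit but not the group, so precisely the users in the directory's group are the ones locked out, which is why the failure looks so arbitrary. The script below is an added example, not code from the list or from the Fermi kerberos product. It reads the octal mode with stat (GNU `-c %a`, falling back to the BSD `-f %OLp` spelling, both assumptions about the platform), reports which class is missing the search bit, and applies the minimal fix of adding the search bit for group and other, which turns 701 into the 711 Matt recommends without touching the read/write bits.

```shell
#!/bin/sh
# Added example (not from the list or the Fermi kerberos product): report
# directories whose mode denies the search (x) bit to group or other, as
# /var/adm with mode 701 does, and add the missing bits.

# dir_mode DIR
#   Print the mode as octal digits. Assumes GNU stat (-c %a); falls back to
#   the BSD/macOS spelling (-f %OLp) when the GNU form is rejected.
dir_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %OLp "$1"
}

# search_bits_missing OCTAL_MODE
#   Print the permission classes (group, other) whose digit lacks the
#   execute/search bit (value 1), separated by spaces; print nothing when
#   both classes can search. Leading setuid/setgid/sticky digits are ignored.
search_bits_missing() {
    mode=$1
    other=${mode#"${mode%?}"}          # last digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last digit
    missing=
    case $group in 1|3|5|7) ;; *) missing="$missing group" ;; esac
    case $other in 1|3|5|7) ;; *) missing="$missing other" ;; esac
    printf '%s\n' "${missing# }"
}

# check_dir DIR
#   One line of diagnosis per directory; exit status 1 when a class is locked out.
check_dir() {
    dir=$1
    mode=$(dir_mode "$dir") || return 2
    missing=$(search_bits_missing "$mode")
    if [ -z "$missing" ]; then
        printf '%s: mode %s, group and other can search\n' "$dir" "$mode"
        return 0
    fi
    printf '%s: mode %s, no search bit for %s\n' "$dir" "$mode" "$missing"
    return 1
}

# fix_dir DIR
#   Add only the search bits for group and other (701 -> 711, 750 -> 751),
#   leaving the read/write bits as the administrator set them.
fix_dir() {
    chmod go+x "$1"
}

# Usage: sh checkdir.sh /var/adm /var/log   (with no arguments it does nothing)
for d in "$@"; do
    check_dir "$d" || true
done
```

Running it over the directories your kerberized cron or keytab tooling needs (/var/adm here) gives one line per directory; `fix_dir` is deliberately separate so the diagnosis can be reviewed before anything is changed, and because `chmod go+x` is additive it never loosens read or write access.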
From kreymer@fnal.gov Tue Jul 10 14:02:59 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09224 for ; Tue, 10 Jul 2001 14:02:59 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9007MPU8XVF@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 14:02:59 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F996@listserv.fnal.gov>; Tue, 10 Jul 2001 14:02:58 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203345 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 14:02:58 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F995@listserv.fnal.gov>; Tue, 10 Jul 2001 14:02:57 -0500
Received: from fnal.gov ([131.225.85.99]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9008HIU8XLJ@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 14:02:57 -0500 (CDT)
Date: Tue, 10 Jul 2001 14:02:57 -0500
From: Bruce Greenway
Subject: Re: kcroninit
Sender: owner-kerberos-users@listserv.fnal.gov
To: owner-kerberos-users@listserv.fnal.gov
Cc: kerberos-users@fnal.gov
Message-id: <3B4B5161.BE62D4E5@fnal.gov>
Organization: ODS
MIME-version: 1.0
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.16-3smp i686)
Content-type: text/plain; charset=us-ascii
Content-transfer-encoding: 7bit
X-Accept-Language: en
References: <200107101900.f6AJ0RF22242@gungnir.fnal.gov>
Status: RO
X-Status:
X-Keywords:
X-UID: 1483

Thanks, that was the problem.

Bruce

Matt Crawford wrote:
>
> > Anyone have any idea where to start debugging this problem?
>
> ls -ld /var/adm
>
> We've seen a lot of systems (all Linux?) where this directory has the
> bizarre permissions 701 so members of one group can't access it.
> Change it to 711 or 755.

--
**********************************************************************
Bruce Greenway
Fermilab MS 120
500 Wilson Road
Batavia, IL 60510
bgreen@fnal.gov
(630) 840-8420 (voice)
(630) 840-8274 (FAX)
**********************************************************************

From kreymer@fnal.gov Tue Jul 10 14:14:51 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA09231 for ; Tue, 10 Jul 2001 14:14:51 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9009JOUSPRK@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 14:14:50 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F9CE@listserv.fnal.gov>; Tue, 10 Jul 2001 14:14:49 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203405 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 14:14:49 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016F9CD@listserv.fnal.gov>; Tue, 10 Jul 2001 14:14:49 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG9007JAUSOHD@smtp.fnal.gov>; Tue, 10 Jul 2001 14:14:48 -0500 (CDT)
Date: Tue, 10 Jul 2001 14:14:47 -0500 (CDT)
From: Dane Skow
Subject: Re: pam_krb5.so questions
In-reply-to:
Sender: owner-kerberos-users@listserv.fnal.gov
To: Steven Timm
Cc: kerberos-users@fnal.gov, linux-users@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1484

On Mon, 9 Jul 2001, Steven Timm wrote:

> On Mon, 9 Jul 2001, Steven Timm wrote:
>
> >
> > The pam_krb5.so from RH 6.1 is working OK for me but there are
> > a couple glitches.
> >
> > One--initially the pam authentication worked fine at a kdm login
> > screen (KDE 2) for runlevel 5.
>
> The first problem is due to the fact that the pam_krb5.so is
> not getting me an AFS token--thus all the startup scripts of
> KDE fail because they can't write an AFS home area. If a token
> is secured by other means, the login works fine. (this is why
> I didn't notice the problem at first, there were AFS tokens hanging
> around from before that weren't wiped out even with kdestroy.)

For AFS it's "unlog" isn't it? (tough to keep these relatively straight)
At least, this seems to work for me: AFS aklog:unlog, KRB5 kinit:kdestroy
(creator:destroyer pairs.)

tokens
Tokens held by the Cache Manager:

User's (AFS ID 1444) tokens for afs@fnal.gov [Expires Jul 16 14:45]
User dane's tokens for krbtgt.FNAL.GOV@fnal.gov [Expires Jul 16 14:45]
User dane's tokens for rcmd.fsui02@fnal.gov [Expires Jul 11 15:29]
   --End of list--

unlog
tokens
Tokens held by the Cache Manager:

User dane's tokens for krbtgt.FNAL.GOV@fnal.gov [Expires Jul 16 14:45]
User dane's tokens for rcmd.fsui02@fnal.gov [Expires Jul 11 15:29]

>
> Has anyone managed to cajole the pam_krb5.so into giving tokens?

I'm presuming that one may be able to get the pam_krb5afs.so from 7.1 to
work for you. At least that's what I'm trying this afternoon. One may
have to play the trick of your KRB5 and AFS passwords being the same as I
don't see how to invoke aklog without writing our own PAM module (unless
that's what pam_krb5afs does under the sheets though I doubt it).

>
> For further information, /tmp/xses-username
> gives info about an X session that is failing.
>
> Steve
>

From kreymer@fnal.gov Tue Jul 10 15:38:08 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA09342 for ; Tue, 10 Jul 2001 15:38:08 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900J48YNI8T@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 15:38:08 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FB5A@listserv.fnal.gov>; Tue, 10 Jul 2001 15:38:07 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203841 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 15:38:07 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FB59@listserv.fnal.gov>; Tue, 10 Jul 2001 15:38:06 -0500
Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900K08YNIHT@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 15:38:06 -0500 (CDT)
Date: Tue, 10 Jul 2001 15:38:06 -0500 (CDT)
From: Dane Skow
Subject: FRHL 7.1 pam_krb5afs.so
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1485

I'm not going to cross post this to linux-users though it's a followup to
Steven Timm's post there. I'd guess that anyone interested in this is on
this kerb list.

I'm able to login (at level 3) using the standard FRHL /bin/login and using
my Fermi Kerberos password. However, I do NOT get an AFS token as I would
expect. Thus I'd still have the problem Steven outlined with an AFS home
area.

pam_krb5afs is complaining about syntax error in /etc/krb5.conf that I
don't see. Perhaps this is related? I presume the last line is where it's
failing to get the AFS token. The first line is where it's failing when
testing against my local account password in /etc/shadow (as expected)

Jul 10 15:27:08 unferth login(pam_unix)[1419]: authentication failure; logname=dane uid=500 euid=500 tty=pts/2 ruser= rhost= user=dane
Jul 10 15:27:08 unferth login[1419]: pam_krb5afs: error parsing /etc/krb5.conf at line 17: syntax error
Jul 10 15:27:11 unferth login[1419]: pam_krb5afs: authentication succeeds for dane
Jul 10 15:27:11 unferth login[1419]: Authentication service cannot retrieve authentication info.

Here's the top of /etc/krb5.conf for your inspection: (note that line 17
appears to be right at the transition to the [realms] group)

# krb5conf v1.4 with afs on node unferth.fnal.gov automatic update 09Jul2001
###
### This krb5.conf template is intended for use with Fermi
### Kerberos v1_2 and later.  Earlier versions may choke on the
### "auth_to_local = " lines unless they are commented out.
### The installation process should do all the right things in
### any case, but if you are reading this and haven't updated
### your kerberos product to v1_2 or later, you really should!
###
[libdefaults]
        ticket_lifetime = 1560
        default_realm = FNAL.GOV
        checksum_type = 1
        ccache_type = 2
        default_tgs_enctypes = des-cbc-crc
        default_tkt_enctypes = des-cbc-crc

[realms]
        PILOT.FNAL.GOV = {
                kdc = krb-pilot-1.fnal.gov:88
                kdc = krb-pilot-3.fnal.gov:88
                kdc = krb-pilot-4.fnal.gov:88
                kdc = krb-pilot-5.fnal.gov:88
                admin_server = krb-pilot-admin.fnal.gov
                default_domain = fnal.gov
                auth_to_local = RULE:[1:$1@$0](.*@FNAL\.GOV)s/@.*//
                auth_to_local = DEFAULT
        }

dane

From kreymer@fnal.gov Tue Jul 10 15:46:28 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA09405 for ; Tue, 10 Jul 2001 15:46:28 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900GC LZ1F8Q@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 15:46:28 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FB7B@listserv.fnal.gov>; Tue, 10 Jul 2001 15:46:27 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 203877 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 15:46:27 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FB7A@listserv.fnal.gov>; Tue, 10 Jul 2001 15:46:27 -0500
Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GG900J5LZ1E8R@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 15:46:26 -0500 (CDT)
Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f6AKkPl11636 for ; Tue, 10 Jul 2001 15:46:25 -0500 (CDT)
Date: Tue, 10 Jul 2001 15:46:25 -0500
From: aheavey@fnal.gov
Subject: quick reference card
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Reply-to: aheavey@fnal.gov
Message-id: <200107102046.f6AKkPl11636@fsui02.fnal.gov>
X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol
Status: RO
X-Status:
X-Keywords:
X-UID: 1486

In response to Liz and Frank, I've put together a first draft of a 1-page
reference card for kerberos. Please have a look and send me comments and
suggestions.

http://www.fnal.gov/docs/strongauth/html/sa_refcardletter.html

PDF is available via link.

-- Anne

Anne Heavey | Fermilab Computing Division | WWW Group
Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120

From kreymer@fnal.gov Tue Jul 10 17:10:13 2001 -0500
Return-Path:
Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA09661 for ; Tue, 10 Jul 2001 17:10:12 -0500
Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGA00IOT2WZO8@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 17:10:12 -0500 (CDT)
Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FCC1@listserv.fnal.gov>; Tue, 10 Jul 2001 17:10:11 -0500
Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 204252 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 17:10:11 -0500
Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FCC0@listserv.fnal.gov>; Tue, 10 Jul 2001 17:10:11 -0500
Received: from imapserver2.fnal.gov ([131.225.9.7]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGA00JHE2WYW4@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Tue, 10 Jul 2001 17:10:10 -0500 (CDT)
Received: from imapserver2.fnal.gov ([131.225.9.7]) by imapserver2.fnal.gov (Netscape Messaging Server 3.62) with SMTP id 375 for ; Tue, 10 Jul 2001 17:10:10 -0500
Received: from fndapp.fnal.gov ([131.225.81.81]) by imapserver2.fnal.gov (NAVIEG 2.1 bld 63) with SMTP id M2001071017100904459 for ; Tue, 10 Jul 2001 17:10:09 -0500
Date: Tue, 10 Jul 2001 17:10:09 -0500 (CDT)
From: Luciano Piccoli
Subject: production X pilot realm
Sender: owner-kerberos-users@listserv.fnal.gov
To: kerberos-users@fnal.gov
Message-id:
MIME-version: 1.0
Content-type: TEXT/PLAIN; charset=US-ASCII
Status: RO
X-Status:
X-Keywords:
X-UID: 1487

Hi,

I'm having problems logging in to some machines that were in the pilot
realm and have been brought to the production realm (e.g.
droide.fnal.gov). When I telnet to it:

--- begin ---
piccoli@fndapp:217> telnet droide
Trying 131.225.224.176...
Connected to droide.fnal.gov (131.225.224.176).
Escape character is '^]'.
Waiting for encryption to be negotiated...[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ]
[ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ]
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
[ Trying KERBEROS4 ... ]
mk_req failed: You have no tickets cached
Authentication negotation has failed, which is required for encryption. Good bye.
--- end ---

It complains about the "Key version number for principal in key table is
incorrect". If one uses "telnet droide -k PILOT.FNAL.GOV" it works.
These are my tickets: --- begin --- piccoli@fndapp:224> klist Ticket cache: /tmp/krb5cc_3110 Default principal: piccoli@FNAL.GOV Valid starting Expires Service principal 07/10/01 16:00:52 07/11/01 18:00:52 krbtgt/FNAL.GOV@FNAL.GOV 07/10/01 16:00:52 07/11/01 18:00:52 krbtgt/PILOT.FNAL.GOV@FNAL.GOV --- end --- This is the keytab file contents from droide and a piece of krb5.conf showing the default realm: --- begin --- [root@droide /etc]# klist -k Keytab name: FILE:/etc/krb5.keytab KVNO Principal ------------------------------------------------ 2 ftp/droide.fnal.gov@PILOT.FNAL.GOV 2 host/droide.fnal.gov@PILOT.FNAL.GOV 2 ftp/droide.fnal.gov@FNAL.GOV 2 host/droide.fnal.gov@FNAL.GOV [root@droide /etc]# more /etc/krb5.conf ... [libdefaults] ticket_lifetime = 1560 default_realm = FNAL.GOV checksum_type = 1 ccache_type = 2 default_tgs_enctypes = des-cbc-crc default_tkt_enctypes = des-cbc-crc ... --- end --- Any ideas why I can't telnet using the production realm? Thanks, Luciano -- Luciano Piccoli piccoli@fnal.gov Fermi National Accelerator Laboratory phone: (630) 840-6593 Computing Division - ODS fax : (630) 840-6345 P.O.Box 500, MS 369, Batavia, IL 60510 From kreymer@fnal.gov Tue Jul 10 18:35:45 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id SAA09807 for ; Tue, 10 Jul 2001 18:35:44 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGA0045W6VJ87@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Tue, 10 Jul 2001 18:35:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0016FD55@listserv.fnal.gov>; Tue, 10 Jul 2001 18:35:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 204412 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Tue, 10 Jul 2001 18:35:43 -0500 Received: from heffalump 
From kreymer@fnal.gov Tue Jul 10 18:35:45 2001 -0500
Date: Tue, 10 Jul 2001 18:36:21 -0500
From: yocum@fnal.gov
Subject: authorized_keys and kerberos
To: kerberos users
Message-id: <3B4B9175.149A6C61@fnal.gov>

Sorry if this question has been answered, but google couldn't seem to find any reference to it on our site: what's the story with ssh authorized_keys and kerberos? Are they allowed, disallowed, otherwise? Should a person be able to log in to a kerberized machine from a non-kerberized machine w/ only authorized_keys, that is, w/o entering a passphrase or cryptocard access code?

Thanks,
Dan

--
Dan Yocum
Sloan Digital Sky Survey, Fermilab 630.840.6509
yocum@fnal.gov, http://www.sdss.org
SDSS. Mapping the Universe.
From kreymer@fnal.gov Tue Jul 10 19:21:59 2001 -0500
Date: Tue, 10 Jul 2001 19:21:55 -0500 (CDT)
From: Dane Skow
Subject: Re: authorized_keys and kerberos
In-reply-to: <3B4B9175.149A6C61@fnal.gov>
To: yocum@fnal.gov
Cc: kerberos users

On Tue, 10 Jul 2001 yocum@fnal.gov wrote:

> Sorry if this question has been answered, but google couldn't seem to find
> any reference to it on our site: what's the story with ssh authorized_keys
> and kerberos? Are they allowed, disallowed, otherwise? Should a person be
> able to log in to a kerberized machine from a non-kerberized machine w/ only
> authorized_keys, that is, w/o entering a passphrase or cryptocard access
> code?

(It's in the User's guide section 9)

For systems onsite, authorized_keys is not acceptable: the users must provide either a kerberos ticket (i.e. come from a kerberized machine) or a one-time password method that checks for a valid kerberos account (currently this is Cryptocard only).

For systems offsite, we allow people to log in to offsite kerberized machines (i.e. machines that are part of the FNAL realm) via ssh as a compromise on remote requirements.

dane

> Thanks,
> Dan

From kreymer@fnal.gov Tue Jul 10 20:09:30 2001 -0500
Date: Tue, 10 Jul 2001 20:09:26 -0500
From: "Frank J. Nagy"
Subject: Kerberos for Macintosh
To: Kerberos Users

MIT Kerberos for Macintosh V3.5 has been released as the current version. Test version 4.0a15 will expire in August.

From the V3.5 Release Notes:

ENABLING NAT SUPPORT

To enable Kerberos for Macintosh to work in a NAT (Network Address Translation) environment, such as from an Airport Base Station, you must add the following line to the libdefaults section of the Kerberos Preferences file:

    noaddresses = true

Note that this reduces the security of Kerberos.

Since I now have a LinkSys router at home, I have had to add this to get BetterTelnet to work (I was still able to get a ticket). This information needs to be incorporated into the Macintosh section of the Strong Authentication document.

--
= Dr. Frank J. Nagy [Applied Scientist] 630-840-4935
= Fermilab Computing Division/Distributed Computing Dept/Technology
= nagy@fnal.gov (Alt: nagy@mad.scientist.com -or- nagy@inil.com)
= Web site: http://home.fnal.gov/~nagy/
= USnail: Fermilab POB 500 MS/369 Batavia, IL 60510

From kreymer@fnal.gov Wed Jul 11 09:19:02 2001 -0500
Date: Wed, 11 Jul 2001 09:19:00 -0500
From: James Amundson
Subject: Re: authorized_keys and kerberos
To: KERBEROS-USERS@listserv.fnal.gov
Cc: James Amundson

On Tue, 10 Jul 2001 19:21:55 -0500, Dane Skow wrote:

>(It's in the User's guide section 9)
>
>For systems onsite, authorized_keys is not acceptable: the users must
>provide either a kerberos ticket (ie. come from a kerberized machine) or
>a onetime password method that checks for valid kerberos account
>(currently this is Cryptocard only).
When I look at the Fermi-supplied kerberized ssh rpms, I see that authorized_keys (really RSA) authentication is turned on by default:

|droidg>rpm -qf /etc/sshd_config
ssh-1.2.27f-8
|droidg>grep RSA /etc/sshd_config
RhostsRSAAuthentication yes
RSAAuthentication yes

I *think* the upd kerberized ssh configuration is the same way. Is there a problem here, or am I missing something?

--Jim

From kreymer@fnal.gov Wed Jul 11 09:22:11 2001 -0500
Date: Wed, 11 Jul 2001 09:22:09 -0500 (CDT)
From: Steven Timm
Subject: Re: authorized_keys and kerberos
To: James Amundson
Cc: KERBEROS-USERS@listserv.fnal.gov

The ssh product is the same way in that its install will put in an sshd_config file that enables RSAAuthentication, RHostsRSAAuthentication, and Password Authentication. However, if you then do a ups install kerberos (or install it from the rpms) it will turn these three off again.

So you either need to install the ssh product and/or rpms first, or make sure after you install it that these three options are again turned off in /etc/sshd_config (and a kill -HUP signal sent to the sshd daemon) to make sure the machine is fully strengthened.

Steve

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 11 Jul 2001, James Amundson wrote:

> On Tue, 10 Jul 2001 19:21:55 -0500, Dane Skow wrote:
>
> When I look at the Fermi-supplied kerberized ssh rpms, I see that
> authorized_keys (really RSA) authentication is turned on by default:
>
> |droidg>rpm -qf /etc/sshd_config
> ssh-1.2.27f-8
> |droidg>grep RSA /etc/sshd_config
> RhostsRSAAuthentication yes
> RSAAuthentication yes
>
> I *think* the upd kerberized ssh configuration is the same way. Is there a
> problem here, or am I missing something?
From kreymer@fnal.gov Wed Jul 11 09:29:24 2001 -0500
Date: Wed, 11 Jul 2001 09:29:16 -0500
From: James Amundson
Subject: Re: authorized_keys and kerberos
To: Steven Timm
Cc: KERBEROS-USERS@listserv.fnal.gov
Message-id: <3B4C62BC.BD90F912@fnal.gov>

OK. Wow. I had no idea that installing kerberos *then* installing kerberized ssh would de-strengthen my machine. I'll go out on a limb and guess that most people don't know that. Is this considered an acceptable situation?

--Jim

Steven Timm wrote:
>
> The ssh product is the same way in that its install will put in
> an sshd_config file that enables RSAAuthentication,
> RHostsRSAAuthentication, and Password Authentication. However,
> if you then do a ups install kerberos (or install it from the rpms)
> it will turn these three off again.
>
> So you either need to install the ssh product and/or rpms first,
> or make sure after you install it that these three options are
> again turned off in /etc/sshd_config (and a kill -HUP signal sent
> to the sshd daemon) to make sure the machine is fully strengthened.
>
> Steve
From kreymer@fnal.gov Wed Jul 11 11:17:37 2001 -0500
Date: Wed, 11 Jul 2001 11:18:17 -0500
From: yocum@fnal.gov
Subject: Re: authorized_keys and kerberos
To: Dane Skow
Cc: kerberos users
Message-id: <3B4C7C49.5C457566@fnal.gov>

Dane Skow wrote:
>
> (It's in the User's guide section 9)

I take it you mean this document (there is no obvious "Kerberos Users Guide" link off the "Strong Authentication at Fermi" page):

http://www.fnal.gov/docs/strongauth/html/unixinstall.html

Hm. Per section 9.1.6 I see ssh will not be allowed on onsite machines, but it doesn't specify if the kerberized ssh (with cryptocard support) falls under this ruling as well. Does it? Section 5.4 suggests that it is... I'm confused.

> For systems onsite, authorized_keys is not acceptable: the users must
> provide either a kerberos ticket (ie. come from a kerberized machine) or
> a onetime password method that checks for valid kerberos account
> (currently this is Cryptocard only).

OK, so here's why I ask this question - as I outlined at the meeting this AM, we have one node which has been kerberized that has an LSF v3.2.2 server (e.g. no kerberos support) installed. It also has the kerberized ssh installed so the data analysts can ssh in and start jobs on the farms. Jen has been able to ssh in directly w/o being challenged. I thought that RSAAuthentication would have been set to 'no' in sshd_config, but apparently it isn't. There is a possibility that I've got an old sshd_config file instead of a fermi modified one that comes with our kerberized ssh rpm package, but then again, maybe this one got overlooked.

Thanks,
Dan

> For systems offsite, we allow people to login to offsite kerberized machines (ie.
> machines that are part of the FNAL realm) via ssh as a compromise on remote requirements.
>
> dane

--
Dan Yocum
Sloan Digital Sky Survey, Fermilab 630.840.6509
yocum@fnal.gov, http://www.sdss.org
SDSS. Mapping the Universe.

From kreymer@fnal.gov Wed Jul 11 11:22:14 2001 -0500
Date: Wed, 11 Jul 2001 11:22:11 -0500 (CDT)
From: Steven Timm
Subject: Re: authorized_keys and kerberos
In-reply-to: <3B4C7C49.5C457566@fnal.gov>
To: yocum@fnal.gov
Cc: Dane Skow, kerberos users

> OK, so here's why I ask this question - as I outlined at the meeting this
> AM, we have one node which has been kerberized that has an LSF v3.2.2 server
> (eg. no kerberos support) installed. It also has the kerberized ssh
> installed so the data analysts can ssh in and start jobs on the farms. Jen
> has been able to ssh in directly w/o being challenged. I thought that
> RSAAuthentication would have been set to 'no' in sshd_config, but apparently
> it isn't. There is a possibility that I've got an old sshd_config file
> instead of a fermi modified one that comes with our kerberized ssh rpm
> package, but then again, maybe this one got overlooked.

The default of the kerberized ssh install in both products and rpm is to leave RSAauthentication YES, RHostsRSAAuthentication Yes and Password Authentication Yes. Once the machine is fully strengthened all these will be set to No.

Steve

> Thanks,
> Dan
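Steve's point here and earlier in the thread is that a fully strengthened machine has RSAAuthentication, RhostsRSAAuthentication and PasswordAuthentication set to no in /etc/sshd_config, with sshd sent a HUP afterwards so the change takes effect. The shell functions below are an added example, not part of the Fermi ssh or kerberos products: they audit a config file for those three options and rewrite it so they are off. The default-to-yes rule, case-insensitive option matching and /etc/sshd.pid as the pid file are assumptions about ssh 1.2.27's behaviour, and the sample configs are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit and fix the three sshd_config
# options that must read "no" on a fully strengthened (kerberized) machine.

# sshd_weak_options [CONFIG]
# Prints one line per option still enabled in CONFIG (default
# /etc/sshd_config); returns 0 only when all three are "no".
# Assumptions about ssh 1.2.27 config semantics: option names match
# case-insensitively, the last uncommented setting wins, and an option
# that is absent takes its shipped default of "yes" (the situation Jim
# found on droidg).
sshd_weak_options() {
    cfg=${1:-/etc/sshd_config}
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    for opt in RSAAuthentication RhostsRSAAuthentication PasswordAuthentication; do
        val=$(awk -v o="$opt" '
            $1 !~ /^#/ && tolower($1) == tolower(o) { v = tolower($2) }
            END { print ((v == "") ? "yes" : v) }' "$cfg")
        if [ "$val" != "no" ]; then
            echo "$opt is $val in $cfg (should be no)"
            rc=1
        fi
    done
    return $rc
}

# strengthen_sshd_config [CONFIG]
# Rewrites CONFIG so the three options read "no": existing uncommented
# settings are replaced in place, missing ones are appended, and every
# other line (KerberosAuthentication, comments, ...) is left untouched.
# The previous file is kept as CONFIG.bak.
strengthen_sshd_config() {
    cfg=${1:-/etc/sshd_config}
    cp -p "$cfg" "$cfg.bak" || return 1
    awk '
        BEGIN {
            want["rsaauthentication"]       = "RSAAuthentication"
            want["rhostsrsaauthentication"] = "RhostsRSAAuthentication"
            want["passwordauthentication"]  = "PasswordAuthentication"
        }
        $1 !~ /^#/ && (tolower($1) in want) {
            seen[tolower($1)] = 1
            print want[tolower($1)] " no"
            next
        }
        { print }
        END { for (k in want) if (!(k in seen)) print want[k] " no" }
    ' "$cfg.bak" > "$cfg"
}

# reload_sshd [PIDFILE]
# Sends the running sshd the HUP Steve mentions so it re-reads its
# config.  /etc/sshd.pid is the assumed ssh1 default PidFile.
reload_sshd() {
    pidfile=${1:-/etc/sshd.pid}
    [ -r "$pidfile" ] || { echo "cannot read $pidfile" >&2; return 2; }
    kill -HUP "$(cat "$pidfile")"
}

# Constructed sample: the options as the ssh install ships them, then the
# same file after strengthening.  Run with "demo" as the first argument.
demo() {
    f=$(mktemp) || return 2
    cat > "$f" <<'EOF'
# as shipped by the ssh install
RhostsRSAAuthentication yes
RSAAuthentication yes
KerberosAuthentication yes
EOF
    echo "before:"; sshd_weak_options "$f"
    strengthen_sshd_config "$f"
    echo "after:";  sshd_weak_options "$f" && echo "all three are off"
    cat "$f"
    rm -f "$f" "$f.bak"
}

if [ "${1:-}" = demo ]; then demo; fi
```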
From kreymer@fnal.gov Wed Jul 11 11:27:50 2001 -0500
Date: Wed, 11 Jul 2001 11:27:47 -0500
From: Troy Dawson
Subject: Re: authorized_keys and kerberos
To: James Amundson
Cc: Steven Timm, KERBEROS-USERS@listserv.fnal.gov
Message-id: <3B4C7E83.DC4A735F@fnal.gov>
References: <3B4C62BC.BD90F912@fnal.gov>

Howdy,
Just a quick look at the ssh rpm (ssh-1.2.27f-8.i386.rpm) shows that it should NOT change the sshd_config if there is already one there. So if your sshd_config is set up to be kerberized, then it will remain that way.

But there certainly are situations where your sshd_config could be 'unkerberized' and then it never gets re-kerberized.

If you are installing kerberos from the rpms you just need to re-run the script /usr/krb5/config/config-sshd_config to get it back 're-kerberized'.

Troy

James Amundson wrote:
>
> OK. Wow. I had no idea that installing kerberos *then* installing
> kerberized ssh would de-strengthen my machine. I'll go out on a limb and
> guess that most people don't know that. Is this considered an acceptable
> situation?
>
> --Jim

--
__________________________________________________
Troy Dawson  dawson@fnal.gov  (630)840-6468
Fermilab  ComputingDivision/OSS  SCS Group
__________________________________________________

From kreymer@fnal.gov Wed Jul 11 11:30:45 2001 -0500
Date: Wed, 11 Jul 2001 11:31:26 -0500
From: yocum@fnal.gov
Subject: Re: authorized_keys and kerberos
To: owner-kerberos-users@listserv.fnal.gov
Cc: KERBEROS-USERS@listserv.fnal.gov
Message-id: <3B4C7F5E.F8A1A30D@fnal.gov>
References: <3B4C62BC.BD90F912@fnal.gov>

James Amundson wrote:
>
> OK. Wow. I had no idea that installing kerberos *then* installing
> kerberized ssh would de-strengthen my machine. I'll go out on a limb and

Yep. That pretty much sucks. Some intelligence should be written into the postinstall scripts in the RPM to *not* destrengthen a machine.

Dan

> guess that most people don't know that. Is this considered an acceptable
> situation?
>
> --Jim

--
Dan Yocum
Sloan Digital Sky Survey, Fermilab 630.840.6509
yocum@fnal.gov, http://www.sdss.org
SDSS. Mapping the Universe.
From kreymer@fnal.gov Wed Jul 11 12:10:14 2001 -0500
Date: Wed, 11 Jul 2001 12:10:11 -0500 (CDT)
From: Dane Skow
Subject: Re: authorized_keys and kerberos
To: Troy Dawson
Cc: James Amundson, Steven Timm, ssh-users@fnal.gov, KERBEROS-USERS@listserv.fnal.gov

Can I make the request then that future versions of ssh (UPS or RPM) have
a default config that either checks for kerberos and not open up the
sshd_config if there or have kerberos as the default sshd_config and have
people change it if they're not running Kerberos (are we close to the
point where that's the Unix default ? Certainly that will be the goal
with FRHL 7.1)

dane

On Wed, 11 Jul 2001, Troy Dawson wrote:

> Howdy,
> Just a quick look at the ssh rpm (ssh-1.2.27f-8.i386.rpm) shows that it should
> NOT change the sshd_config if there is already one there. So if your
> sshd_config is setup to be kerberized, then it will remain that way.
>
> But there certainly are situations where your sshd_config could be
> 'unkerberized' and then it never gets re-kerberized.
>
> If you are installing kerberos from the rpms you just need to re-run the
> script /usr/krb5/config/config-sshd_config to get it back 're-kerberized'
> Troy
> James Amundson wrote:
> >
> > OK. Wow. I had no idea that installing kerberos *then* installing
> > kerberized ssh would de-strengthen my machine. I'll go out on a limb and
> > guess that most people don't know that. Is this considered an acceptable
> > situation?
> >
> > --Jim
> >
> > Steven Timm wrote:
> > >
> > > The ssh product is the same way in that its install will put in
> > > an sshd_config file that enables RSAAuthentication,
> > > RHostsRSAAuthentication, and Password Authentication. However,
> > > if you then do a ups install kerberos (or install it from the rpms)
> > > it will turn these three off again.
> > >
> > > So you either need to install the ssh product and/or rpms first,
> > > or make sure after you install it that these three options are
> > > again turned off in /etc/sshd_config (and a kill -HUP signal sent
> > > to the sshd daemon) to make sure the machine is fully strengthened.
> > >
> > > Steve
> > >
> > > ------------------------------------------------------------------
> > > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> > > Fermilab Computing Division/Operating Systems Support
> > > Scientific Computing Support Group--Computing Farms Operations
> > >
> > > On Wed, 11 Jul 2001, James Amundson wrote:
> > >
> > > > On Tue, 10 Jul 2001 19:21:55 -0500, Dane Skow wrote:
> > > >
> > > > >(It's in the User's guide section 9)
> > > > >
> > > > >For systems onsite, authorized_keys is not acceptable: the users must
> > > > >provide either a kerberos ticket (ie. come from a kerberized machine) or
> > > > >a onetime password method that checks for valid kerberos account
> > > > >(currently this is Cryptocard only).
> > > >
> > > > When I look at the Fermi-supplied kerberized ssh rpms, I see that
> > > > authorized_keys (really RSA) authentication is turned on by default:
> > > >
> > > > |droidg>rpm -qf /etc/sshd_config
> > > > ssh-1.2.27f-8
> > > > |droidg>grep RSA /etc/sshd_config
> > > > RhostsRSAAuthentication yes
> > > > RSAAuthentication yes
> > > >
> > > > I *think* the upd kerberized ssh configuration is the same way. Is there a
> > > > problem here, or am I missing something?
> > > >
> > > > --Jim
> > >
> --
> __________________________________________________
> Troy Dawson dawson@fnal.gov (630)840-6468
> Fermilab ComputingDivision/OSS SCS Group
> __________________________________________________
>

From kreymer@fnal.gov Wed Jul 11 12:22:47 2001 -0500
Date: Wed, 11 Jul 2001 12:22:45 -0500 (CDT)
From: Dane Skow
Subject: Re: authorized_keys and kerberos
To: yocum@fnal.gov
Cc: kerberos users

On Wed, 11 Jul 2001 yocum@fnal.gov wrote:

> Dane Skow wrote:
> >
> > On Tue, 10 Jul 2001 yocum@fnal.gov wrote:
> >
> > > Sorry, if this question has been answered but google couldn't seem to find
> > > any reference to it on our site: what's the story with ssh authorized_keys
> > > and kerberos? Are they allowed, disallowed, otherwise? Should a person be
> > > able to log in to a kerberized machine from a non-kerberized machine w/ only
> > > authorized_keys, that is, w/o entering a passphrase or cryptocard access
> > > code?
> >
> > (It's in the User's guide section 9)
>
> I take it you mean this document (there is no obvious "Kerberos Users Guide"
> link off the "Strong Authentication at Fermi" page):
>
> http://www.fnal.gov/docs/strongauth/html/unixinstall.html

Yup. That's the one I meant.

>
> Hm. Per section 9.1.6 I see ssh will not be allowed on onsite machines, but
> it doesn't specify if the kerberized ssh (with cryptocard support) falls
> under this ruling as well. Does it? Section 5.4 suggests that it is... I'm
> confused.

There is some residual omission of ssh in the tool list in the document
that reflects the earlier status of no CryptoCard support in ssh (the
current version DOES support this) that helps perpetuate a (FALSE) rumor
that ssh is not allowed. In fact, I *prefer* kerberized ssh over telnet as
it helps limit the possibility of insecure use of telnet anywhere.

Perhaps, Anne, if you modified the tool list in 5.3 to list "ssh, telnet,
rlogin, ..." this would help make it more explicit. As would rewriting the
recommendation in 5.4.2 to use ssh (are the kerberized machines up to date
enough on ssh to where this is okay ?)

This gets a bit into the problem that versions of Kerberos and ssh need to
keep up with the manual (and each other).
Dane

From kreymer@fnal.gov Wed Jul 11 12:55:10 2001 -0500
Date: Wed, 11 Jul 2001 12:54:51 -0500
From: Matt Crawford
Subject: Re: production X pilot realm
To: Luciano Piccoli
Cc: kerberos-users@fnal.gov

> I'm having problems login to some machines that were in the pilot realm
> and have been brought to the production realm (e.g. droide.fnal.gov). When
> I telnet to it:
> ...
> [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed:
> Key version number for principal in key table is incorrect ]
> ...
> This is the keytab file contents from droide and a piece of krb5.conf
> showing the default realm:
> [root@droide /etc]# klist -k
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ------------------------------------------------
> 2 ftp/droide.fnal.gov@PILOT.FNAL.GOV
> 2 host/droide.fnal.gov@PILOT.FNAL.GOV
> 2 ftp/droide.fnal.gov@FNAL.GOV
> 2 host/droide.fnal.gov@FNAL.GOV

Ah, interesting. You have the exact opposite of the usual cause of this
problem. Usually someone has a ticket they acquired before kerberos was
installed on the host which has kvno=1, but after installation (and within
the life of that ticket) the kvno gets incremented upon keytab creation.

What you have is a host principal created on May 9 -- one day before the
migration of principals to the production realm -- but your PILOT.FNAL.GOV
key table wasn't created until May 29, at which time you only made a
pilot-realm keytab entry with the password.

Ask compdiv@fnal.gov to reset the host & ftp password for droide *in the
FNAL.GOV realm only!* and do these steps with the new password:

cd /usr/krb5/sbin
./kadmin -r FNAL.GOV -p host/droide.fnal.gov@FNAL.GOV \
    -q "ktadd host/droide.fnal.gov@FNAL.GOV"
./kadmin -r FNAL.GOV -p ftp/droide.fnal.gov@FNAL.GOV \
    -q "ktadd ftp/droide.fnal.gov@FNAL.GOV"

From kreymer@fnal.gov Wed Jul 11 13:00:51 2001 -0500
Date: Wed, 11 Jul 2001 13:00:32 -0500
From: Matt Crawford
Subject: Re: authorized_keys and kerberos
To: yocum@fnal.gov
Cc: kerberos users

> Sorry, if this question has been answered but google couldn't seem to find
> any reference to it on our site: what's the story with ssh authorized_keys
> and kerberos? Are they allowed, disallowed, otherwise?

Disallowed.

> Should a person be able to log in to a kerberized machine from a
> non-kerberized machine w/ only authorized_keys, that is, w/o
> entering a passphrase or cryptocard access code?

No. But they can be used for CVS access.

From kreymer@fnal.gov Wed Jul 11 13:33:05 2001 -0500
Date: Wed, 11 Jul 2001 13:33:00 -0500
From: ARSystem
Subject: 000000000019557 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"

CRAWFORD, MATT, Help Desk Ticket #000000000019557 has been assigned to you.
It is a(n) Medium priority Software/Utilities /Kerberos type of problem.

Short description: kcroninit outside of fermilab
Badge # (+) : 09005V
First Name : MARSHALL
Last Name (+) : WOLFE
Phone : 4600
E-Mail Address : CWOLFE@HEP.UCHICAGO.EDU
Incident Time : 7/11/01 12:31:18 PM
System Name :
Urgency : Medium
Public Work Log :
Problem Description :
I was wondering how do I setup kcroninit on a computer away from Fermilab?
I am on the Chicago group for CDF and would like to setup a cron job that
connects to the CDF machines at FNAL and think that kcron should work.
Thanks.
Collin Wolfe

From kreymer@fnal.gov Wed Jul 11 14:46:01 2001 -0500
Date: Wed, 11 Jul 2001 14:45:59 -0500
From: Nuha Elmaghrabi
Subject: Problems with ssh
To: KERBEROS-USERS@listserv.fnal.gov, Margaret Votava
Organization: Fermi Lab

When I execute the command ssh -l nuhae fnods I am prompted for a password
even though I have a valid token and both machines (fndapt) and fnods are
in the production realm. I understand that it is not supposed to ask me for
a password (since I have a valid token). Others have tried to ssh into
fnods from their machines and it works fine (they are not prompted for a
password).

Version of ssh I am using:

SSH Version 1.2.27f [i686-unknown-linux], protocol version 1.5.
Standard version. Does not use RSAREF.

Output from the command ssh -v -l nuhae fnods :

fndapt.fnal.gov: Reading configuration data /etc/ssh_config
fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon 1
fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port 22.
fndapt.fnal.gov: Connection established.
fndapt.fnal.gov: Remote protocol version 1.5, remote software version 1.2.27f Portal
fndapt.fnal.gov: Waiting for server public key.
fndapt.fnal.gov: Received server public Key (768 bits) and host key (1024 bits).
fndapt.fnal.gov: Host 'fnods' is known and matches the host key.
fndapt.fnal.gov: Initializing random; seed file /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed
fndapt.fnal.gov: Encryption type: idea
fndapt.fnal.gov: Sent encrypted session key
fndapt.fnal.gov: Installing crc compensation attach detector.
fndapt.fnal.gov: Received encrypted confirmation
fndapt.fnal.gov: Trying Kerberos V5 TGT passing
fndapt.fnal.gov: Kerberos V5 TGT passing was successful
fndapt.fnal.gov: Trying Kerberos V5 authentication
fndapt.fnal.gov: Kerberos V5: failure on credentials (Server not found in Kerberos database).
fndapt.fnal.gov: No agent
fndapt.fnal.gov: Doing password authentication

Does anyone know how to fix this?
Thanks,
Nuha Elmaghrabi

From kreymer@fnal.gov Wed Jul 11 14:59:26 2001 -0500
Date: Wed, 11 Jul 2001 14:59:23 -0500
From: Gerald Guglielmo
Subject: Re: Problems with ssh
To: Nuha Elmaghrabi
Cc: KERBEROS-USERS@listserv.fnal.gov, Margaret Votava
Reply-to: gug@fnal.gov

Hi,
Interesting that I cannot telnet into fndapt, while I have no trouble
doing so to fnods.

odsgug}(g023) telnet fndapt
Trying 131.225.81.142...
Connected to fndapt.fnal.gov (131.225.81.142).
Escape character is '^]'. [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req failed: Key version number for principal in key table is incorrect ] [ Trying KERBEROS4 ... ] mk_req failed: Service expired (kerberos) [ Trying KERBEROS4 ... ] mk_req failed: Service expired (kerberos) Fermi Linux Release 6.1.2 (Strange) Kernel 2.2.16-3smp on a 2-processor i686 Press ENTER and compare this challenge to the one on your display: [66921321] Enter the displayed response: Nuha Elmaghrabi wrote: > > When I execute the command ssh -l nuhae fnods I am prompted for a > password even though I have a valid token and both machines (fndapt) > and fnods are in the production realm. I understand that it is not > supposed to ask me for a password (since I have a valid token). Others > have tried to ssh into fnods from their machines and it works fine > (they are not prompted for a password). > > Version of ssh I am using: > > SSH Version 1.2.27f [i686-unknown-linux], protocol version > 1.5. > Standard version. Does not use RSAREF. > > Ouput from the command ssh -v -l nuhae fnods : > > fndapt.fnal.gov: Reading configuration data /etc/ssh_config > fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon > 1 > fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port > 22. > fndapt.fnal.gov: Connection established. > fndapt.fnal.gov: Remote protocol version 1.5, remote > software version 1.2.27f Portal > fndapt.fnal.gov: Waiting for server public key. > fndapt.fnal.gov: Received server public Key (768 bits) and > host key (1024 bits). > fndapt.fnal.gov: Host 'fnods' is known and matches the host > key. 
> fndapt.fnal.gov: Initializing random; seed file > /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed > fndapt.fnal.gov: Encryption type: idea > fndapt.fnal.gov: Sent encrypted session key > fndapt.fnal.gov: Installing crc compensation attach > detector. > fndapt.fnal.gov: Received encrypted confirmation > fndapt.fnal.gov: Trying Kerberos V5 TGT passing > fndapt.fnal.gov: Kerberos V5 TGT passing was successful > fndapt.fnal.gov: Trying Kerberos V5 authentication > fndapt.fnal.gov: Kerberos V5: failure on credentials (Server > not found in Kerberos database). > fndapt.fnal.gov: No agent > fndapt.fnal.gov: Doing password authentication > > Does anyone know how to fix this? > > Thanks, > Nuha Elmaghrabi -- -Jerry-> gug@fnal.gov Pepe's Theory of everything: "Under the right circumstances, things happen." From kreymer@fnal.gov Wed Jul 11 15:11:31 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA12344 for ; Wed, 11 Jul 2001 15:11:31 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB008CES35XN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 15:11:31 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001709C6@listserv.fnal.gov>; Wed, 11 Jul 2001 15:11:30 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 207958 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 15:11:29 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001709C5@listserv.fnal.gov>; Wed, 11 Jul 2001 15:11:29 -0500 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB00B02S34QL@smtp.fnal.gov> for KERBEROS-USERS@listserv.fnal.gov; Wed, 11 Jul 2001 15:11:29 -0500 (CDT) Date: 
Wed, 11 Jul 2001 15:11:27 -0500 (CDT) From: Dane Skow Subject: Re: Problems with ssh In-reply-to: <3B4CB01B.34532E65@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Gerald Guglielmo Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1506 On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > Hi, > Interesting that I cannot telnet into fndapt, while I have no trouble > doing so to fnods. > odsgug}(g023) telnet fndapt > Trying 131.225.81.142... > Connected to fndapt.fnal.gov (131.225.81.142). > Escape character is '^]'. > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: Key version number for principal in key table is incorrect ] My understanding is that the "key version number" problem is symptomatic of having stale ticket around before the target was fully "ready" for receivers (this would presume that fndapt has made a transition (new install/realm) recently). Try doing a kdestroy/kinit on odsgug and try again. 
dane From kreymer@fnal.gov Wed Jul 11 15:11:58 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA12348 for ; Wed, 11 Jul 2001 15:11:58 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB006EKS3WQ1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 15:11:57 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001709CB@listserv.fnal.gov>; Wed, 11 Jul 2001 15:11:56 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 207963 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 15:11:56 -0500 Received: from snowball.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001709CA@listserv.fnal.gov>; Wed, 11 Jul 2001 15:11:56 -0500 Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA23106; Wed, 11 Jul 2001 15:11:56 -0500 Date: Wed, 11 Jul 2001 15:11:56 -0500 (CDT) From: Steven Timm Subject: Re: Problems with ssh In-reply-to: <3B4CACF7.1AD19941@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Nuha Elmaghrabi Cc: KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1507 Edit your /etc/krb5.conf file on the host machine and add the following line to the [domain_realm] section .fnal.gov = FNAL.GOV kerberized ssh token-passing won't work without it. Somehow this hasn't made it yet into any web page I've seen. Steve ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Wed, 11 Jul 2001, Nuha Elmaghrabi wrote: > When I execute the command ssh -l nuhae fnods I am prompted for a > password even though I have a valid token and both machines (fndapt) and > fnods are in the production realm. I understand that it is not supposed > to ask me for a password (since I have a valid token). Others have tried > to ssh into fnods from their machines and it works fine (they are not > prompted for a password). > > Version of ssh I am using: > > SSH Version 1.2.27f [i686-unknown-linux], protocol version > 1.5. > Standard version. Does not use RSAREF. > > Output from the command ssh -v -l nuhae fnods : > > fndapt.fnal.gov: Reading configuration data /etc/ssh_config > fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon 1 > fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port 22. > fndapt.fnal.gov: Connection established. > fndapt.fnal.gov: Remote protocol version 1.5, remote software > version 1.2.27f Portal > fndapt.fnal.gov: Waiting for server public key. > fndapt.fnal.gov: Received server public Key (768 bits) and > host key (1024 bits). > fndapt.fnal.gov: Host 'fnods' is known and matches the host > key. > fndapt.fnal.gov: Initializing random; seed file > /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed > fndapt.fnal.gov: Encryption type: idea > fndapt.fnal.gov: Sent encrypted session key > fndapt.fnal.gov: Installing crc compensation attack detector. > fndapt.fnal.gov: Received encrypted confirmation > fndapt.fnal.gov: Trying Kerberos V5 TGT passing > fndapt.fnal.gov: Kerberos V5 TGT passing was successful > fndapt.fnal.gov: Trying Kerberos V5 authentication > fndapt.fnal.gov: Kerberos V5: failure on credentials (Server > not found in Kerberos database). 
> fndapt.fnal.gov: No agent > fndapt.fnal.gov: Doing password authentication > > Does anyone know how to fix this? > > Thanks, > Nuha Elmaghrabi > From kreymer@fnal.gov Wed Jul 11 15:22:07 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA12370 for ; Wed, 11 Jul 2001 15:22:07 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB008FMSKTXN@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 15:22:06 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170A00@listserv.fnal.gov>; Wed, 11 Jul 2001 15:22:06 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208026 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 15:22:06 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001709FF@listserv.fnal.gov>; Wed, 11 Jul 2001 15:22:06 -0500 Received: from fnal.gov ([131.225.80.7]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB007COSKTU9@smtp.fnal.gov> for KERBEROS-USERS@listserv.fnal.gov; Wed, 11 Jul 2001 15:22:05 -0500 (CDT) Date: Wed, 11 Jul 2001 15:22:04 -0500 From: Gerald Guglielmo Subject: Re: Problems with ssh Sender: owner-kerberos-users@listserv.fnal.gov To: Dane Skow Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Reply-to: gug@fnal.gov Message-id: <3B4CB56C.FDC68240@fnal.gov> Organization: FNAL CD/ODS MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.17-14 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1508 Hi, No, that's not it. I had originally done that cycle several times before I sent my original reply. 
As a sanity check, I went through again and after kdestroy I check that no stale tickets remained. I did a kinit -r 7d -f and tried telnet fndapt, the result is the same. Dane Skow wrote: > > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > Hi, > > Interesting that I cannot telnet into fndapt, while I have no trouble > > doing so to fnods. > > odsgug}(g023) telnet fndapt > > Trying 131.225.81.142... > > Connected to fndapt.fnal.gov (131.225.81.142). > > Escape character is '^]'. > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > failed: Key version number for principal in key table is incorrect ] > > My understanding is that the "key version number" problem is symptomatic > of having stale ticket around before the target was fully "ready" for > receivers (this would presume that fndapt has made a transition (new > install/realm) recently). Try doing a kdestroy/kinit on odsgug and > try again. > > dane -- -Jerry-> gug@fnal.gov Pepe's Theory of everything: "Under the right circumstances, things happen." 
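Two different failures are being discussed above: Steve Timm's missing `.fnal.gov = FNAL.GOV` line in [domain_realm], which changes the realm a client puts on the service principal it asks for (one route to "Server not found in Kerberos database"), and the "Key version number for principal in key table is incorrect" that Dane and Jerry are chasing on fndapt, which is the server's keytab disagreeing with the KDC about the host key's kvno. Both can be checked from the command line before anyone regenerates a keytab. The script below is an added example, not code from this thread or from MIT Kerberos: it implements the [domain_realm] lookup rule (exact hostname, then parent domains written with a leading dot, then default_realm; the default_realm fallback is what older MIT libraries did, newer releases try KDC referrals and the upper-cased DNS domain first, and DNS lookups are ignored here) and it parses `klist -k` and `kvno` output to list principals whose current ticket kvno is absent from the keytab. The krb5.conf text, the klist/kvno output, the kvno numbers and the placeholder KDC name kdc.example are all constructed for the example; nothing here describes the real state of fndapt.

```python
"""Client-side checks for the two Kerberos failures in this thread.

Added example, not code from the thread or from MIT Kerberos.  The
krb5.conf text, the `klist -k` / `kvno` output and every kvno value are
constructed; kdc.example is a placeholder.  Realm lookup follows the
[domain_realm] rule (exact host, parent domains with a leading dot,
then default_realm, the fallback of older MIT releases); DNS is ignored.
"""
import re


def parse_krb5_conf(text):
    """Minimal krb5.conf parser -> {section: {key: value}}.
    Brace-delimited sub-blocks (e.g. under [realms]) are skipped."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
            continue
        depth += line.count('{') - line.count('}')
        if depth > 0 or current is None or '=' not in line:
            continue
        key, value = (part.strip() for part in line.split('=', 1))
        sections[current][key.lower()] = value
    return sections


def host_realm(conf, hostname):
    """Realm a client uses for a service on `hostname`.  Without the
    '.fnal.gov = FNAL.GOV' mapping, a client whose default_realm is
    still PILOT.FNAL.GOV asks the PILOT KDC for host/fnods.fnal.gov."""
    mapping = conf.get('domain_realm', {})
    host = hostname.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        parent = '.' + '.'.join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return conf['libdefaults']['default_realm']


def service_principal(service, hostname, conf):
    """The principal ssh/telnet will request a service ticket for."""
    return f"{service}/{hostname.lower()}@{host_realm(conf, hostname)}"


# `klist -k` entries look like "   2 host/fndapt.fnal.gov@FNAL.GOV";
# `kvno host/x` prints "host/x@REALM: kvno = 3".
KLIST_ENTRY = re.compile(r'^\s*(\d+)\s+(\S+@\S+)\s*$')
KVNO_ENTRY = re.compile(r'^(\S+@\S+): kvno = (\d+)\s*$')


def parse_klist_keytab(text):
    """{principal: set of kvnos}; a keytab may hold several versions."""
    entries = {}
    for line in text.splitlines():
        m = KLIST_ENTRY.match(line)
        if m:
            entries.setdefault(m.group(2), set()).add(int(m.group(1)))
    return entries


def parse_kvno(text):
    """{principal: kvno the KDC currently issues tickets under}."""
    found = (KVNO_ENTRY.match(line) for line in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in found if m}


def keytab_mismatches(klist_text, kvno_text):
    """[(principal, kdc_kvno, keytab_kvnos)] for each principal whose
    current ticket kvno is absent from the keytab.  krb5_rd_req needs a
    keytab entry with the ticket's kvno, so each hit is a 'Key version
    number for principal in key table is incorrect' on the server."""
    keytab = parse_klist_keytab(klist_text)
    bad = []
    for principal, kdc_kvno in parse_kvno(kvno_text).items():
        have = keytab.get(principal, set())
        if kdc_kvno not in have:
            bad.append((principal, kdc_kvno, sorted(have)))
    return bad


# Constructed inputs (not taken from the thread).
KRB5_CONF = """\
[libdefaults]
    default_realm = PILOT.FNAL.GOV
[realms]
    FNAL.GOV = {
        kdc = kdc.example
    }
[domain_realm]
    .fnal.gov = FNAL.GOV
"""
KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------
   2 host/fndapt.fnal.gov@PILOT.FNAL.GOV
   2 host/fndapt.fnal.gov@FNAL.GOV
"""
KVNO_OUT = "host/fndapt.fnal.gov@FNAL.GOV: kvno = 3\n"

if __name__ == "__main__":
    conf = parse_krb5_conf(KRB5_CONF)
    print(service_principal("host", "fnods.fnal.gov", conf))
    no_map = parse_krb5_conf(KRB5_CONF.replace(".fnal.gov = FNAL.GOV", ""))
    print(service_principal("host", "fnods.fnal.gov", no_map))
    for principal, kdc_kvno, have in keytab_mismatches(KLIST_K, KVNO_OUT):
        print(f"{principal}: KDC issues kvno {kdc_kvno}, keytab has {have}")
```

In practice `klist -k` is run as root on the server against its own keytab and `kvno host/<server>` from any client holding a TGT in the target realm; feed both outputs to keytab_mismatches. A principal listed there means the host's keytab is stale relative to the KDC, which is the state Willi suspects on fndapt later in the thread after its move from PILOT to FNAL.GOV, and the cure is a fresh host key in the new realm, not another kdestroy/kinit on the client.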
From kreymer@fnal.gov Wed Jul 11 15:44:42 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA12448 for ; Wed, 11 Jul 2001 15:44:42 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB00B9PTMGQL@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 15:44:42 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170AED@listserv.fnal.gov>; Wed, 11 Jul 2001 15:44:40 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208298 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 15:44:40 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170AEC@listserv.fnal.gov>; Wed, 11 Jul 2001 15:44:40 -0500 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB009DPTMGX4@smtp.fnal.gov> for KERBEROS-USERS@listserv.fnal.gov; Wed, 11 Jul 2001 15:44:40 -0500 (CDT) Date: Wed, 11 Jul 2001 15:44:40 -0500 (CDT) From: Dane Skow Subject: Re: Problems with ssh In-reply-to: <3B4CB56C.FDC68240@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Gerald Guglielmo Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1509 On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > Hi, > No, that's not it. I had originally done that cycle several times > before I sent my original reply. As a sanity check, I went through again > and after kdestroy I check that no stale tickets remained. I did a kinit > -r 7d -f and tried telnet fndapt, the result is the same. Then perhaps it's the other direction and similar to the problem that Luciano reported. 
I'll have to defer to Matt on this one. dane > > Dane Skow wrote: > > > > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > > > Hi, > > > Interesting that I cannot telnet into fndapt, while I have no trouble > > > doing so to fnods. > > > odsgug}(g023) telnet fndapt > > > Trying 131.225.81.142... > > > Connected to fndapt.fnal.gov (131.225.81.142). > > > Escape character is '^]'. > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > > failed: Key version number for principal in key table is incorrect ] > > > > My understanding is that the "key version number" problem is symptomatic > > of having stale ticket around before the target was fully "ready" for > > receivers (this would presume that fndapt has made a transition (new > > install/realm) recently). Try doing a kdestroy/kinit on odsgug and > > try again. > > > > dane > > -- > -Jerry-> > gug@fnal.gov > Pepe's Theory of everything: "Under the right circumstances, things > happen." > From kreymer@fnal.gov Wed Jul 11 15:52:14 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id PAA12466 for ; Wed, 11 Jul 2001 15:52:14 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB00AAGTZ06O@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 15:52:14 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B1C@listserv.fnal.gov>; Wed, 11 Jul 2001 15:52:13 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208355 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 15:52:13 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B1B@listserv.fnal.gov>; Wed, 11 Jul 2001 15:52:13 -0500 Received: from fnal.gov ([131.225.80.75]) by smtp.fnal.gov 
(PMDF V6.0-24 #37519) with ESMTP id <0GGB007KTTZ0U9@smtp.fnal.gov>; Wed, 11 Jul 2001 15:52:12 -0500 (CDT) Date: Wed, 11 Jul 2001 15:52:11 -0500 From: Troy Dawson Subject: Re: authorized_keys and kerberos Sender: owner-kerberos-users@listserv.fnal.gov To: Dane Skow Cc: James Amundson , Steven Timm , ssh-users@fnal.gov, KERBEROS-USERS@listserv.fnal.gov Message-id: <3B4CBC7B.7DD4A549@fnal.gov> MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1510 Hi, This is a very good suggestion. Now for the $500 dollar question. How do you check for kerberos? I have an idea, but I'm very curious at the ways that other people have. Troy Dane Skow wrote: > > Can I make the request then that future versions of ssh > (UPS or RPM) have a default config that either checks for > kerberos and not open up the sshd_config if there or > have kerberos as the default sshd_config and have people > change it if they're not running Kerberos (are we close > to the point where that's the Unix default ? 
Certainly > that will be the goal with FRHL 7.1) > > dane > -- __________________________________________________ Troy Dawson dawson@fnal.gov (630)840-6468 Fermilab ComputingDivision/OSS SCS Group __________________________________________________ From kreymer@fnal.gov Wed Jul 11 16:00:56 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA12500 for ; Wed, 11 Jul 2001 16:00:56 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB009IAUDIX4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 16:00:55 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B45@listserv.fnal.gov>; Wed, 11 Jul 2001 16:00:54 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208399 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 16:00:54 -0500 Received: from fsui02.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B44@listserv.fnal.gov>; Wed, 11 Jul 2001 16:00:54 -0500 Received: from localhost (roethel@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with ESMTP id f6BL0j906621; Wed, 11 Jul 2001 16:00:45 -0500 (CDT) Date: Wed, 11 Jul 2001 16:00:45 -0500 (CDT) From: Wilhelm Roethel Subject: Re: Problems with ssh In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: Dane Skow Cc: Gerald Guglielmo , Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: fsui02.fnal.gov: roethel owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1511 Did anyone set the default realm on fndapt from PILOT to FNAL.GOV recently? It appears that the host keys for fndapt in FNAL.GOV realm do not match - very much like the problem on the droids. 
(I tried just this last week but got the same result, but then didn't have the time to follow this). If you go back to the PILOT realm at least cryptocard logins work again, which by the way don't work now (has this been mentioned - here is the output from my telnet 'session': roethel@fsui02> telnet fndapt Trying 131.225.81.142... Connected to fndapt.fnal.gov (131.225.81.142). Escape character is '^]'. 4.4 BSD UNIX (fndapt.fnal.gov) (ttyp0) Portal Fermi Linux Release 6.1.2 (Strange) Kernel 2.2.16-3smp on a 2-processor i686 login: login: roethel Press ENTER and compare this challenge to the one on your display: [11791851] Enter the displayed response: xxxxxx (my response) Press ENTER and compare this challenge to the one on your display: [11791851] Enter the displayed response: etc. etc. I guess we just have to do the same that Matt mentioned for the droids. Any better ideas? - Willi ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | Willi Roethel | | | | University of California, Irvine | | FERMILAB | | | P.O.Box 500, MS 366 | phone ++1-630-840-3979 | | Batavia, IL 60510 | | | | | email: roethel@fnal.gov | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ On Wed, 11 Jul 2001, Dane Skow wrote: > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > Hi, > > No, that's not it. I had originally done that cycle several times > > before I sent my original reply. As a sanity check, I went through again > > and after kdestroy I check that no stale tickets remained. I did a kinit > > -r 7d -f and tried telnet fndapt, the result is the same. > > Then perhaps it's the other direction and similar to the problem > that Luciano reported. I'll have to defer to Matt on this one. 
> > dane > > > > > Dane Skow wrote: > > > > > > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > > > > > Hi, > > > > Interesting that I cannot telnet into fndapt, while I have no trouble > > > > doing so to fnods. > > > > odsgug}(g023) telnet fndapt > > > > Trying 131.225.81.142... > > > > Connected to fndapt.fnal.gov (131.225.81.142). > > > > Escape character is '^]'. > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > > > failed: Key version number for principal in key table is incorrect ] > > > > > > My understanding is that the "key version number" problem is symptomatic > > > of having stale ticket around before the target was fully "ready" for > > > receivers (this would presume that fndapt has made a transition (new > > > install/realm) recently). Try doing a kdestroy/kinit on odsgug and > > > try again. > > > > > > dane > > > > -- > > -Jerry-> > > gug@fnal.gov > > Pepe's Theory of everything: "Under the right circumstances, things > > happen." > > > From kreymer@fnal.gov Wed Jul 11 16:04:58 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA12608 for ; Wed, 11 Jul 2001 16:04:58 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB009JQUK78K@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 16:04:57 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B53@listserv.fnal.gov>; Wed, 11 Jul 2001 16:04:56 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208414 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 16:04:56 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170B52@listserv.fnal.gov>; Wed, 11 Jul 2001 16:04:56 -0500 Received: from fnal.gov 
([131.225.81.142]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB009J2UK7UQ@smtp.fnal.gov> for KERBEROS-USERS@listserv.fnal.gov; Wed, 11 Jul 2001 16:04:55 -0500 (CDT) Date: Wed, 11 Jul 2001 16:04:55 -0500 From: Nuha Elmaghrabi Subject: Re: Problems with ssh Sender: owner-kerberos-users@listserv.fnal.gov To: Wilhelm Roethel Cc: Dane Skow , Gerald Guglielmo , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: <3B4CBF77.B96B18EA@fnal.gov> Organization: Fermi Lab MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=iso-8859-9 Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1512 Hello Willi - I changed fndapt from PILOT to FNAL.GOV. How do I fix the problem of the host keys not matching? Nuha Wilhelm Roethel wrote: > Did anyone set the default realm on fndapt from PILOT to FNAL.GOV > recently? > It appears that the host keys for fndapt in FNAL.GOV realm do not match - > very much like the problem on the droids. (I tried just this last week but > got the same result, but then didn't have the time to follow this). If you > go back to the PILOT realm at least cryptocard logins work again, which by > the way don't work now (has this been mentioned - here is the output from > my telnet 'session': > > roethel@fsui02> telnet fndapt > Trying 131.225.81.142... > Connected to fndapt.fnal.gov (131.225.81.142). > Escape character is '^]'. > > 4.4 BSD UNIX (fndapt.fnal.gov) (ttyp0) Portal > > Fermi Linux Release 6.1.2 (Strange) > Kernel 2.2.16-3smp on a 2-processor i686 > > login: > login: roethel > Press ENTER and compare this challenge to the one on your display: > [11791851] > Enter the displayed response: xxxxxx (my response) > > Press ENTER and compare this challenge to the one on your display: > [11791851] > Enter the displayed response: > > etc. etc. > > I guess we just have to do the same that Matt mentioned for the droids. 
> Any better ideas? > > - Willi > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > | Willi Roethel | > | | > | University of California, Irvine | > | FERMILAB | | > | P.O.Box 500, MS 366 | phone ++1-630-840-3979 | > | Batavia, IL 60510 | | > | | > | email: roethel@fnal.gov | > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > On Wed, 11 Jul 2001, Dane Skow wrote: > > > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > > > Hi, > > > No, that's not it. I had originally done that cycle several times > > > before I sent my original reply. As a sanity check, I went through again > > > and after kdestroy I check that no stale tickets remained. I did a kinit > > > -r 7d -f and tried telnet fndapt, the result is the same. > > > > Then perhaps it's the other direction and similar to the problem > > that Luciano reported. I'll have to defer to Matt on this one. > > > > dane > > > > > > > > Dane Skow wrote: > > > > > > > > On Wed, 11 Jul 2001, Gerald Guglielmo wrote: > > > > > > > > > Hi, > > > > > Interesting that I cannot telnet into fndapt, while I have no trouble > > > > > doing so to fnods. > > > > > odsgug}(g023) telnet fndapt > > > > > Trying 131.225.81.142... > > > > > Connected to fndapt.fnal.gov (131.225.81.142). > > > > > Escape character is '^]'. > > > > > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > > > > > failed: Key version number for principal in key table is incorrect ] > > > > > > > > My understanding is that the "key version number" problem is symptomatic > > > > of having stale ticket around before the target was fully "ready" for > > > > receivers (this would presume that fndapt has made a transition (new > > > > install/realm) recently). Try doing a kdestroy/kinit on odsgug and > > > > try again. 
> > > > > > > > dane > > > > > > -- > > > -Jerry-> > > > gug@fnal.gov > > > Pepe's Theory of everything: "Under the right circumstances, things > > > happen." > > > > > From kreymer@fnal.gov Wed Jul 11 17:07:23 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id RAA12673 for ; Wed, 11 Jul 2001 17:07:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB00AQCXG9S0@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Wed, 11 Jul 2001 17:07:22 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170CAF@listserv.fnal.gov>; Wed, 11 Jul 2001 17:07:21 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 208822 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Wed, 11 Jul 2001 17:07:21 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00170CAE@listserv.fnal.gov>; Wed, 11 Jul 2001 17:07:21 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGB00I8VXG98X@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Wed, 11 Jul 2001 17:07:21 -0500 (CDT) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f6BM7K317249 for ; Wed, 11 Jul 2001 17:07:20 -0500 (CDT) Date: Wed, 11 Jul 2001 17:07:20 -0500 From: aheavey@fnal.gov Subject: kerberizing exceed 7 Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Reply-to: aheavey@fnal.gov Message-id: <200107112207.f6BM7K317249@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1513 Does anyone know about using exceed 7 in place of WRQ on Windows machines? 
I hear that PPD and maybe others are going to go that route and I'd like to document how to do it. (even if it won't be officially supported!) thanks -- -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Thu Jul 12 09:33:09 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA14641 for ; Thu, 12 Jul 2001 09:33:09 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0071G738FU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 09:33:09 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714D3@listserv.fnal.gov>; Thu, 12 Jul 2001 09:33:08 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 211144 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 09:33:08 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714D2@listserv.fnal.gov>; Thu, 12 Jul 2001 09:33:07 -0500 Received: from fnal.gov ([131.225.226.206]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0064V737ED@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 12 Jul 2001 09:33:07 -0500 (CDT) Date: Thu, 12 Jul 2001 09:33:07 -0500 From: Michael Diesburg Subject: Re: kerberizing exceed 7 Sender: owner-kerberos-users@listserv.fnal.gov To: aheavey@fnal.gov Cc: kerberos-users@fnal.gov Message-id: <3B4DB523.6C624D44@fnal.gov> Organization: Fermi National Accelerator Laboratory MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.16-3smp i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: <200107112207.f6BM7K317249@fsui02.fnal.gov> Status: RO 
X-Status: X-Keywords: X-UID: 1514 Rich Partridge at D0 put some effort into this. You can find his notes on using Exceed 7 here: http://www-d0.fnal.gov/computing/systems/exceed7.txt Michael Diesburg aheavey@fnal.gov wrote: > > Does anyone know about using exceed 7 in place of WRQ on Windows machines? > I hear that PPD and maybe others are going to go that route and I'd like > to document how to do it. (even if it won't be officially supported!) > > thanks -- > > -- Anne > > Anne Heavey | Fermilab Computing Division | WWW Group > Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Thu Jul 12 09:38:20 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA14645 for ; Thu, 12 Jul 2001 09:38:20 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD004737BU21@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 09:38:19 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714E4@listserv.fnal.gov>; Thu, 12 Jul 2001 09:38:18 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 211163 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 09:38:18 -0500 Received: from casey.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714E3@listserv.fnal.gov>; Thu, 12 Jul 2001 09:38:18 -0500 Received: from localhost (fromm@localhost) by casey.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA05206; Thu, 12 Jul 2001 09:38:16 -0500 Date: Thu, 12 Jul 2001 09:38:16 -0500 (CDT) From: James Fromm Subject: Re: Problems with ssh In-reply-to: <3B4CACF7.1AD19941@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Nuha Elmaghrabi Cc: KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; 
charset=US-ASCII Status: RO X-Status: A X-Keywords: X-UID: 1515 On Wed, 11 Jul 2001, Nuha Elmaghrabi wrote: > When I execute the command ssh -l nuhae fnods I am prompted for a > password even though I have a valid token and both machines (fndapt) and > fnods are in the production realm. I understand that it is not supposed > to ask me for a password (since I have a valid token). Others have tried > to ssh into fnods from their machines and it works fine (they are not > prompted for a password). > > Version of ssh I am using: > > SSH Version 1.2.27f [i686-unknown-linux], protocol version > 1.5. > Standard version. Does not use RSAREF. > > Output from the command ssh -v -l nuhae fnods : > > fndapt.fnal.gov: Reading configuration data /etc/ssh_config > fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon 1 > fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port 22. > fndapt.fnal.gov: Connection established. > fndapt.fnal.gov: Remote protocol version 1.5, remote software > version 1.2.27f Portal > fndapt.fnal.gov: Waiting for server public key. > fndapt.fnal.gov: Received server public Key (768 bits) and > host key (1024 bits). > fndapt.fnal.gov: Host 'fnods' is known and matches the host > key. > fndapt.fnal.gov: Initializing random; seed file > /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed > fndapt.fnal.gov: Encryption type: idea > fndapt.fnal.gov: Sent encrypted session key > fndapt.fnal.gov: Installing crc compensation attack detector. > fndapt.fnal.gov: Received encrypted confirmation > fndapt.fnal.gov: Trying Kerberos V5 TGT passing > fndapt.fnal.gov: Kerberos V5 TGT passing was successful > fndapt.fnal.gov: Trying Kerberos V5 authentication > fndapt.fnal.gov: Kerberos V5: failure on credentials (Server > not found in Kerberos database). > fndapt.fnal.gov: No agent > fndapt.fnal.gov: Doing password authentication > > Does anyone know how to fix this? 
> The real problem was just discovered, the bottom line is that ssh is built with the wrong kerberos libraries (v1_3 fixed a problem that is related to this). I will build a new version of ssh (27g). From kreymer@fnal.gov Thu Jul 12 09:40:23 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA14651 for ; Thu, 12 Jul 2001 09:40:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0073Y7F9FU@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 09:40:22 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714F2@listserv.fnal.gov>; Thu, 12 Jul 2001 09:40:21 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 211178 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 09:40:21 -0500 Received: from snowball.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001714F1@listserv.fnal.gov>; Thu, 12 Jul 2001 09:40:21 -0500 Received: from localhost (timm@localhost) by snowball.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA25634; Thu, 12 Jul 2001 09:40:21 -0500 Date: Thu, 12 Jul 2001 09:40:21 -0500 (CDT) From: Steven Timm Subject: Re: Problems with ssh In-reply-to: Sender: owner-kerberos-users@listserv.fnal.gov To: James Fromm Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII X-Authentication-warning: snowball.fnal.gov: timm owned process doing -bs Status: RO X-Status: X-Keywords: X-UID: 1516 Does this mean that when the new version comes out it will no longer be necessary to put .fnal.gov = FNAL.GOV into our /etc/krb5.conf file to get kerberized ssh to work? Steve ------------------------------------------------------------------ Steven C. 
Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ Fermilab Computing Division/Operating Systems Support Scientific Computing Support Group--Computing Farms Operations On Thu, 12 Jul 2001, James Fromm wrote: > On Wed, 11 Jul 2001, Nuha Elmaghrabi wrote: > > > When I execute the command ssh -l nuhae fnods I am prompted for a > > password even though I have a valid token and both machines (fndapt) and > > fnods are in the production realm. I understand that it is not supposed > > to ask me for a password (since I have a valid token). Others have tried > > to ssh into fnods from their machines and it works fine (they are not > > prompted for a password). > > > > Version of ssh I am using: > > > > SSH Version 1.2.27f [i686-unknown-linux], protocol version > > 1.5. > > Standard version. Does not use RSAREF. > > > > Output from the command ssh -v -l nuhae fnods : > > > > fndapt.fnal.gov: Reading configuration data /etc/ssh_config > > fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon 1 > > fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port 22. > > fndapt.fnal.gov: Connection established. > > fndapt.fnal.gov: Remote protocol version 1.5, remote software > > version 1.2.27f Portal > > fndapt.fnal.gov: Waiting for server public key. > > fndapt.fnal.gov: Received server public Key (768 bits) and > > host key (1024 bits). > > fndapt.fnal.gov: Host 'fnods' is known and matches the host > > key. > > fndapt.fnal.gov: Initializing random; seed file > > /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed > > fndapt.fnal.gov: Encryption type: idea > > fndapt.fnal.gov: Sent encrypted session key > > fndapt.fnal.gov: Installing crc compensation attack detector. 
> > fndapt.fnal.gov: Received encrypted confirmation > > fndapt.fnal.gov: Trying Kerberos V5 TGT passing > > fndapt.fnal.gov: Kerberos V5 TGT passing was successful > > fndapt.fnal.gov: Trying Kerberos V5 authentication > > fndapt.fnal.gov: Kerberos V5: failure on credentials (Server > > not found in Kerberos database). > > fndapt.fnal.gov: No agent > > fndapt.fnal.gov: Doing password authentication > > > > Does anyone know how to fix this? > > > > The real problem was just discovered, the bottom line is that ssh is > built with the wrong kerberos libraries (v1_3 fixed a problem that is > related to this). I will build a new version of ssh (27g). > From kreymer@fnal.gov Thu Jul 12 09:43:57 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id JAA14663 for ; Thu, 12 Jul 2001 09:43:57 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00MSO7L8AH@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 09:43:57 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171514@listserv.fnal.gov>; Thu, 12 Jul 2001 09:43:56 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 211218 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 09:43:56 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171513@listserv.fnal.gov>; Thu, 12 Jul 2001 09:43:56 -0500 Received: from fnal.gov ([131.225.232.197]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD004A47L721@smtp.fnal.gov> for KERBEROS-USERS@listserv.fnal.gov; Thu, 12 Jul 2001 09:43:55 -0500 (CDT) Date: Thu, 12 Jul 2001 09:43:55 -0500 From: Jason Harrington Subject: Re: Problems with ssh Sender: owner-kerberos-users@listserv.fnal.gov To: James Fromm Cc: 
KERBEROS-USERS@listserv.fnal.gov Message-id: <3B4DB7AB.C12F4594@fnal.gov> Organization: FNAL CD/CDF Task Force MIME-version: 1.0 X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.18 i686) Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7bit X-Accept-Language: en References: Status: RO X-Status: X-Keywords: X-UID: 1517 when can we expect to see this? James Fromm wrote: > > The real problem was just discovered, the bottome line is that ssh is > built with the wrong kerberos libraries (v1_3 fixed a problem that is > related to this). I will build a new version of ssh (27g). -- Jason M. Harrington Office: 630.840.6778 FNAL CD/CDF Task Force Pager: 630.266.2938 CDF PRTKMP 149E Email: jason@fnal.gov From kreymer@fnal.gov Thu Jul 12 11:49:20 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA14838 for ; Thu, 12 Jul 2001 11:49:20 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00GBGDE6E5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 11:49:20 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001717D8@listserv.fnal.gov>; Thu, 12 Jul 2001 11:49:19 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 212029 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 11:49:19 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001717D7@listserv.fnal.gov>; Thu, 12 Jul 2001 11:49:18 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00GEBDE6D5@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 12 Jul 2001 11:49:18 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by 
gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f6CGn0F29305; Thu, 12 Jul 2001 11:49:01 -0500 (CDT) Date: Thu, 12 Jul 2001 11:49:00 -0500 From: Matt Crawford Subject: Re: authorized_keys and kerberos In-reply-to: "11 Jul 2001 11:18:17 CDT." <3B4C7C49.5C457566@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: yocum@fnal.gov Cc: kerberos users Message-id: <200107121649.f6CGn0F29305@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1518 > http://www.fnal.gov/docs/strongauth/html/unixinstall.html > > Hm. Per section 9.1.6 I see ssh will not be allowed on onsite machines, but > it doesn't specify if the kerberized ssh (with cryptocard support) falls > under this ruling as well. Does it? Section 5.4 suggests that it is... I'm > confused. I've been tilting at this taxonomic windmill since the kerberos project was just a three-headed puppy. ssh, telnet and ftp are just the transports and none are forbidden. kerberos credentials, Cryptocards, passwords, RSA keys, and ip addresses + "privileged ports" are authentication methods and all but the first two are forbidden (on site, anyway). From kreymer@fnal.gov Thu Jul 12 12:24:05 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id MAA14894 for ; Thu, 12 Jul 2001 12:24:05 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00GIRF05E4@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT kreymer@fnal.gov); Thu, 12 Jul 2001 12:24:05 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f6CHNlF29367; Thu, 12 Jul 2001 12:23:47 -0500 (CDT) Date: Thu, 12 Jul 2001 12:23:47 -0500 From: Matt Crawford Subject: Re: phasing out the PILOT.FNAL.GOV realm In-reply-to: "11 Jul 2001 12:43:43 EDT." 
Sender: crawdad@gungnir.fnal.gov To: Michael Riveline Cc: Art Kreymer Message-id: <200107121723.f6CHNlF29367@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1519 > When I type ups install-keep-ssh kerberos v1_3a, the script asks me to > enter the ftp and host passwords... I had never set the ftp password > before and I don't have a "host" account, so I changed the ftp password. > Yet the script complained: > > ERROR: could not add principal ftp/calypso.physics.utoronto.ca to keytab file > ERROR: could not add principal host/calypso.physics.utoronto.ca to keytab file Hmm, do we need to rephrase this part of the installation instructions perhaps? The passwords in quesiton have nothing to do with your unix passwords or accounts. They are for enabling incoming Kerberos-authenticated access to your system. If you don't want that, stop. You're done. If you do want to support incoming Kerberos conenctions to ftp, telnet, rsh or rlogin, ask compdiv@fnal.gov for the "host and ftp principals" and get back a one-time password which you'll use with this command: ups install-hostkeys kerberos From kreymer@fnal.gov Thu Jul 12 13:19:57 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14983 for ; Thu, 12 Jul 2001 13:19:57 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0027IHL7F5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 13:19:56 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171919@listserv.fnal.gov>; Thu, 12 Jul 2001 13:19:55 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 212391 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 13:19:55 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) 
with SMTP id <0.00171918@listserv.fnal.gov>; Thu, 12 Jul 2001 13:19:55 -0500 Received: from gungnir.fnal.gov ([131.225.80.1]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00412HL6W2@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 12 Jul 2001 13:19:54 -0500 (CDT) Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f6CIJaF29502; Thu, 12 Jul 2001 13:19:36 -0500 (CDT) Date: Thu, 12 Jul 2001 13:19:36 -0500 From: Matt Crawford Subject: Re: 000000000019557 Assigned to CRAWFORD, MATT. In-reply-to: "11 Jul 2001 13:33:00 CDT." <318CC3D38BE0D211BB1200105A093F7618D0A6@csdserver2.fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: ARSystem Cc: "'kerberos-users@fnal.gov'" Message-id: <200107121819.f6CIJaF29502@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1520 > Problem Description : I was wondering how do I setup kcroninit on a > computer away from Fermilab? I am on the Chicago group for CDF and > would like to setup a cron job that connects to the CDF machines at > FNAL and think that kcron should work. The same way you do if you are at the lab. One time per user, per host originating jobs setup kcrontinit kcroninit Then invoke your job as /usr/krb5/bin/kcron /path/to/my/script or insert into your script #!/bin/sh : ... KRB5CCNAME=/tmp/krb5cc_myjob_$$ ; export KRB5CCNAME kcron : ... : ... 
kdestroy From kreymer@fnal.gov Thu Jul 12 13:24:37 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14989 for ; Thu, 12 Jul 2001 13:24:37 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0050JHSZCS@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 13:24:36 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171927@listserv.fnal.gov>; Thu, 12 Jul 2001 13:24:35 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 212405 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 13:24:35 -0500 Received: from gungnir.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171926@listserv.fnal.gov>; Thu, 12 Jul 2001 13:24:35 -0500 Received: from gungnir.fnal.gov (localhost [127.0.0.1]) by gungnir.fnal.gov (8.10.2+Sun/8.10.2) with ESMTP id f6CIOGF29522; Thu, 12 Jul 2001 13:24:16 -0500 (CDT) Date: Thu, 12 Jul 2001 13:24:16 -0500 From: Matt Crawford Subject: Re: Problems with ssh In-reply-to: "11 Jul 2001 14:59:23 CDT." <3B4CB01B.34532E65@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: gug@fnal.gov Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: <200107121824.f6CIOGF29522@gungnir.fnal.gov> Status: RO X-Status: X-Keywords: X-UID: 1521 > Interesting that I cannot telnet into fndapt, while I have no trouble > doing so to fnods. That's unrelated to the ssh problem. > [ Kerberos V5 refuses authentication because telnetd: krb5_rd_req > failed: Key version number for principal in key table is incorrect ] Yolanda reset the host keys for fndapt on May 15 (by request, presumably) and the keytab for fndapt has not been updated. 
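The kcron recipe in Matt Crawford's reply above (kcroninit once, then kcron with a private KRB5CCNAME and a trailing kdestroy) as a hardened wrapper; this is an added example, not code from the thread or from the Fermilab kerberos product. It assumes /usr/krb5/bin/kcron as named on the page and kdestroy on PATH; the KCRON and KDESTROY override variables and the script path are hypothetical.

```shell
#!/bin/sh
# Added example: run a cron job under kcron credentials held in a private,
# per-run cache that is destroyed however the job ends.
# Assumptions: /usr/krb5/bin/kcron is the kcron binary named in the thread and
# kdestroy is on PATH; KCRON and KDESTROY may be overridden, e.g. for testing.
: "${KCRON:=/usr/krb5/bin/kcron}"
: "${KDESTROY:=kdestroy}"

# Invalidate the ticket and remove the cache file. Runs from the EXIT trap, so
# it executes whether the job succeeds, fails or is killed by a signal.
kjob_cleanup() {
    "$KDESTROY" 2>/dev/null     # "no credentials cache" is not an error here
    rm -f "$cache"
}

# run_kerberized_job CMD [ARGS...]
# Runs CMD with fresh kcron credentials. Compared with the bare recipe
# "KRB5CCNAME=/tmp/krb5cc_myjob_$$ ; kcron ; ... ; kdestroy":
#   - mktemp creates the cache with mode 0600 and an unguessable name, so a
#     pre-planted /tmp entry with a predictable name cannot be reused;
#   - cleanup is a trap, so a job that exits early never leaves a ticket behind;
#   - if kcron cannot obtain credentials, the job is not run at all.
# The body is a subshell: the trap fires and KRB5CCNAME is restored when the
# function returns, and the caller sees the job's own exit status.
run_kerberized_job() (
    cache=$(mktemp "${TMPDIR:-/tmp}/krb5cc_job.XXXXXX") || exit 1
    KRB5CCNAME="FILE:$cache"; export KRB5CCNAME
    trap kjob_cleanup EXIT
    trap 'exit 1' HUP INT TERM   # exiting on a signal still runs the EXIT trap
    if ! "$KCRON"; then
        echo "kcron failed: no credentials, not running job" >&2
        exit 2
    fi
    "$@"
)

# Typical crontab use (assumed path):
#   0 3 * * * /path/to/this_script /path/to/my/script
if [ $# -gt 0 ]; then
    run_kerberized_job "$@"
fi
```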
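The telnetd failure Matt diagnoses above (keytab key version no longer matching the KDC after a host-key reset) can be caught by comparing each keytab entry's kvno with what the KDC issues. Added example, not part of the thread: the klist -k and kvno outputs below are constructed samples (the host names and realm follow the page, the kvno values do not describe the real systems), and live_audit is an assumed helper name.

```shell
#!/bin/sh
# Added example: detect stale keytab entries, the condition behind
# "krb5_rd_req failed: Key version number for principal in key table is
# incorrect", by comparing keytab kvnos with the kvnos the KDC issues.

# Constructed sample of `klist -k -t /etc/krb5.keytab` output (not real data).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 03/01/01 09:10:11 host/fndapt.fnal.gov@FNAL.GOV
   2 03/01/01 09:10:11 ftp/fndapt.fnal.gov@FNAL.GOV'

# Constructed sample of `kvno <principals>` output: the host key was reset
# on the KDC (kvno 3) but the keytab above still holds kvno 2.
SAMPLE_KVNO='host/fndapt.fnal.gov@FNAL.GOV: kvno = 3
ftp/fndapt.fnal.gov@FNAL.GOV: kvno = 2'

# keytab_principals KLIST_OUTPUT -> one principal per line (entry lines only)
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# keytab_kvno KLIST_OUTPUT PRINCIPAL -> highest kvno stored for PRINCIPAL, or "none"
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $NF == p && (!found || $1+0 > max) { max = $1+0; found = 1 }
        END { print (found ? max : "none") }'
}

# kdc_kvno KVNO_OUTPUT PRINCIPAL -> kvno reported by the KDC, or "none"
# (kvno error lines such as "Server not found in Kerberos database" do not
# match the "principal: kvno = N" shape and therefore yield "none").
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" -F': kvno = ' '
        $1 == p && !found { print $2; found = 1 }
        END { if (!found) print "none" }'
}

# check_principal KLIST_OUTPUT KVNO_OUTPUT PRINCIPAL -> ok | stale | missing | unknown
check_principal() {
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ "$kt" = none ]; then echo missing      # not in the keytab at all
    elif [ "$kdc" = none ]; then echo unknown   # KDC has no such service principal
    elif [ "$kt" != "$kdc" ]; then echo stale   # keytab predates a key reset
    else echo ok
    fi
}

# audit_keytab KLIST_OUTPUT KVNO_OUTPUT -> "<principal> <status> keytab=<n> kdc=<n>" per entry
audit_keytab() {
    for p in $(keytab_principals "$1"); do
        printf '%s %s keytab=%s kdc=%s\n' "$p" "$(check_principal "$1" "$2" "$p")" \
            "$(keytab_kvno "$1" "$p")" "$(kdc_kvno "$2" "$p")"
    done
}

# live_audit [KEYTAB]: the same comparison against the real keytab and KDC.
# Needs a valid TGT for kvno; klist -k -t and kvno are standard MIT Kerberos tools.
live_audit() {
    kt=${1:-/etc/krb5.keytab}
    klist_out=$(klist -k -t "$kt") || return 1
    kvno_out=$(kvno $(keytab_principals "$klist_out") 2>&1)
    audit_keytab "$klist_out" "$kvno_out"
}

audit_keytab "$SAMPLE_KLIST" "$SAMPLE_KVNO"
```

On the sample data the host principal is reported stale (keytab=2, kdc=3) and the ftp principal ok; a stale result is fixed by re-running the keytab installation the thread describes, not by anything on the client side.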
From kreymer@fnal.gov Thu Jul 12 13:24:45 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA14993 for ; Thu, 12 Jul 2001 13:24:44 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00428HT7W2@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 13:24:44 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0017192C@listserv.fnal.gov>; Thu, 12 Jul 2001 13:24:42 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 212410 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 13:24:42 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0017192B@listserv.fnal.gov>; Thu, 12 Jul 2001 13:24:42 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0044HHT5CF@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 12 Jul 2001 13:24:41 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <3VBGMW98>; Thu, 12 Jul 2001 13:24:41 -0500 Content-return: allowed Date: Thu, 12 Jul 2001 13:24:39 -0500 From: ARSystem Subject: Note to requester has been sent - 000000000019557 Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7618D16C@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1522 The following note has been sent to the requester: WOLFE, MARSHALL Short Description : kcroninit outside of fermilab Notes to Requester : The same way you do if you are at the lab. 
One time per user, per host originating jobs setup kcrontinit kcroninit Then invoke your job as /usr/krb5/bin/kcron /path/to/my/script or insert into your script #!/bin/sh : ... KRB5CCNAME=/tmp/krb5cc_myjob_$$ ; export KRB5CCNAME kcron : ... : ... kdestroy From kreymer@fnal.gov Thu Jul 12 13:45:04 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id NAA15024 for ; Thu, 12 Jul 2001 13:45:04 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD002BOIR2F5@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 13:45:03 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0017199E@listserv.fnal.gov>; Thu, 12 Jul 2001 13:45:02 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 212531 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 13:45:02 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.0017199D@listserv.fnal.gov>; Thu, 12 Jul 2001 13:45:02 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD0045IIR1Y0@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Thu, 12 Jul 2001 13:45:02 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <3VBGMW90>; Thu, 12 Jul 2001 13:45:01 -0500 Content-return: allowed Date: Thu, 12 Jul 2001 13:45:00 -0500 From: ARSystem Subject: CRAWFORD, MATT AR ticket 19557 Has Been Updated. 
Sender: owner-kerberos-users@listserv.fnal.gov To: "'kerberos-users@fnal.gov'" Message-id: <318CC3D38BE0D211BB1200105A093F7618D16D@csdserver2.fnal.gov> MIME-version: 1.0 X-Mailer: Internet Mail Service (5.5.1960.3) Content-type: text/plain Status: RO X-Status: X-Keywords: X-UID: 1523 19557 has been updated by blomberg. Short Description : kcroninit outside of fermilab New Work Log Entry : From: "Armin Reichold" To: "ARSystem" Subject: Out of Office AutoReply: Note to requester has been sent - 000000000019557 Date: Thursday, July 12, 2001 1:25 PM Dear Email-Writer I am out of my Fermilab office until Mon. 23rd July for a few days holiday followed by 10 days at the Snowmass conference. I will infrequently read email until then and only answere urgent stuff. cheers Armin From kreymer@fnal.gov Thu Jul 12 16:05:23 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA15431 for ; Thu, 12 Jul 2001 16:05:23 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00G1ZP8X06@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 16:05:22 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171B9C@listserv.fnal.gov>; Thu, 12 Jul 2001 16:05:22 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 213082 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 16:05:22 -0500 Received: from casey.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171B9B@listserv.fnal.gov>; Thu, 12 Jul 2001 16:05:21 -0500 Received: from localhost (fromm@localhost) by casey.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA06411; Thu, 12 Jul 2001 16:05:21 -0500 Date: Thu, 12 Jul 2001 16:05:21 -0500 (CDT) From: James Fromm Subject: Re: Problems with ssh In-reply-to: Sender: 
owner-kerberos-users@listserv.fnal.gov To: Steven Timm Cc: Nuha Elmaghrabi , KERBEROS-USERS@listserv.fnal.gov, Margaret Votava Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1524 On Thu, 12 Jul 2001, Steven Timm wrote: > Does this mean that when the new version comes out it > will no longer be necessary to put > > > .fnal.gov = FNAL.GOV > > into our /etc/krb5.conf file to get kerberized ssh to work? > > Steve > Yes. > > ------------------------------------------------------------------ > Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/ > Fermilab Computing Division/Operating Systems Support > Scientific Computing Support Group--Computing Farms Operations > > On Thu, 12 Jul 2001, James Fromm wrote: > > > On Wed, 11 Jul 2001, Nuha Elmaghrabi wrote: > > > > > When I execute the command ssh -l nuhae fnods I am prompted for a > > > password even though I have a valid token and both machines (fndapt) and > > > fnods are in the production realm. I understand that it is not supposed > > > to ask me for a password (since I have a valid token). Others have tried > > > to ssh into fnods from their machines and it works fine (they are not > > > prompted for a password). > > > > > > Version of ssh I am using: > > > > > > SSH Version 1.2.27f [i686-unknown-linux], protocol version > > > 1.5. > > > Standard version. Does not use RSAREF. > > > > > > Ouput from the command ssh -v -l nuhae fnods : > > > > > > fndapt.fnal.gov: Reading configuration data /etc/ssh_config > > > fndapt.fnal.gov: ssh_connect: getuid 5247 geteuid 5247 anon 1 > > > fndapt.fnal.gov: Connecting to fnods [131.225.81.88] port 22. > > > fndapt.fnal.gov: Connection established. > > > fndapt.fnal.gov: Remote protocol version 1.5, remote software > > > version 1.2.27f Portal > > > fndapt.fnal.gov: Waiting for server public key. > > > fndapt.fnal.gov: Received server public Key (768 bits) and > > > host key (1024 bits). 
> > > fndapt.fnal.gov: Host 'fnods' is known and matches the host > > > key. > > > fndapt.fnal.gov: Initializing random; seed file > > > /afs/fnal.gov/files/home/room2/nuhae/.ssh/random_seed > > > fndapt.fnal.gov: Encryption type: idea > > > fndapt.fnal.gov: Sent encrypted session key > > > fndapt.fnal.gov: Installing crc compensation attach detector. > > > fndapt.fnal.gov: Received encrypted confirmation > > > fndapt.fnal.gov: Trying Kerberos V5 TGT passing > > > fndapt.fnal.gov: Kerberos V5 TGT passing was successful > > > fndapt.fnal.gov: Trying Kerberos V5 authentication > > > fndapt.fnal.gov: Kerberos V5: failure on credentials (Server > > > not found in Kerberos database). > > > fndapt.fnal.gov: No agent > > > fndapt.fnal.gov: Doing password authentication > > > > > > Does anyone know how to fix this? > > > > > > > The real problem was just discovered, the bottome line is that ssh is > > built with the wrong kerberos libraries (v1_3 fixed a problem that is > > related to this). I will build a new version of ssh (27g). 
> > > > From kreymer@fnal.gov Thu Jul 12 16:07:13 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA15438 for ; Thu, 12 Jul 2001 16:07:13 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00C8OPBZQ1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 16:07:12 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171BA4@listserv.fnal.gov>; Thu, 12 Jul 2001 16:07:12 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 213091 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 16:07:11 -0500 Received: from casey.fnal.gov by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171BA3@listserv.fnal.gov>; Thu, 12 Jul 2001 16:07:11 -0500 Received: from localhost (fromm@localhost) by casey.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA06415; Thu, 12 Jul 2001 16:07:11 -0500 Date: Thu, 12 Jul 2001 16:07:10 -0500 (CDT) From: James Fromm Subject: Re: Problems with ssh In-reply-to: <3B4DB7AB.C12F4594@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: Jason Harrington Cc: KERBEROS-USERS@listserv.fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1525 On Thu, 12 Jul 2001, Jason Harrington wrote: > when can we expect to see this? > > James Fromm wrote: > > > > The real problem was just discovered, the bottome line is that ssh is > > built with the wrong kerberos libraries (v1_3 fixed a problem that is > > related to this). I will build a new version of ssh (27g). > I added another fix (a workaround to the IRIX inet_ntoa() gcc bug) and am now building it. Let's say early next week, maybe Monday. 
From kreymer@fnal.gov Thu Jul 12 16:57:44 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA15568 for ; Thu, 12 Jul 2001 16:57:43 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGD00GMFRO618@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Thu, 12 Jul 2001 16:57:43 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171C49@listserv.fnal.gov>; Thu, 12 Jul 2001 16:57:43 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 213282 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Thu, 12 Jul 2001 16:57:43 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00171C48@listserv.fnal.gov>; Thu, 12 Jul 2001 16:57:42 -0500 Received: from cuervo ([131.225.5.168]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with SMTP id <0GGD00CH2RO6Q1@smtp.fnal.gov>; Thu, 12 Jul 2001 16:57:42 -0500 (CDT) Date: Thu, 12 Jul 2001 16:57:42 -0500 From: "Mark O. Kaletka" Subject: WRQ Reflection X 8.0.6 & Security Components 8.0.0 Sender: owner-kerberos-users@listserv.fnal.gov To: wrq-users@fnal.gov, kerberos-users@fnal.gov Message-id: MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2479.0006 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7bit Importance: Normal X-Priority: 3 (Normal) X-MSMail-priority: Normal Status: RO X-Status: X-Keywords: X-UID: 1526 WRQ Reflection X 8.0.6 and Security Components 8.0.0 have been loaded to \\pckits\WRQ and are now available to local NT admins who hold licenses (i.e. are in the ACL group with read access to the folder). The major change in this version is support for forwardable tickets in the telnet application. 
The "Strong Authentication at Fermilab" documentation is being updated and Chris Brew in OSS is developing an integrated installation script for "one-step" silent installation. For those who don't want to wait, here is the quick summary for installing this version: 1) First run the Reflection X 8.0.6 installer at \\pckits\WRQ\ReflectionX_8.0.6\Install.exe. Reflection X 8.0.6 be installed the Security Components. There are no significant changes in this part of the install procedure as documented in http://www.fnal.gov/docs/strongauth/html/winadmin.html. In all screens just choosing the defaults will work; 2) After installing Reflection X 8.0.6, run the Security Components 8.0.0 installer at \\pckits\WRQ\SecurityComponents_8.0.0. On the splash screen, choose "Workstation Install". When prompted to select components, highlight "Reflection Security Components" and use the pulldown menu to select "Entire feature will be installed on local hard drive" to select all the components for installation. In all other screens, choose the defaults. You will be prompted for realm information during this part of the install; 3) For installations only, execute the batch file \\pckits\WRQ\services.bat to update the Windows services file to allow Kerberos password changing to work; 4) Execute the registry file \\pckits\WRQ\FNAL.GOV.REG to configure the FNAL.GOV and PILOT.FNAL.GOV realms. When prompted " Are you sure you want to add the information ... " click "Yes"; You may need to re-create your principal profile(s) in the Kerberos Manager. To obtain forwardable tickets, in the Kerberos Manager press the "Authenticate" button and check the "Forwardable" box under "Ticket options". To use forwardable tickets in the Reflection Host UNIX-Digital telnet client application, open "Connection Setup", click "Security...", choose the "Kerberos" tab, and check the "Reflection Kerberos" and "Forward ticket" boxes (as well as any other Kerberos options you want). 
Also notice that you can now specify "User ID" different from your principal name (i.e. you can log directly into a root account with your user principal, if the .k5login allows). From kreymer@fnal.gov Fri Jul 13 11:25:39 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA17876 for ; Fri, 13 Jul 2001 11:25:39 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF00G2O6YPS1@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 13 Jul 2001 11:25:38 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001727D1@listserv.fnal.gov>; Fri, 13 Jul 2001 11:25:37 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 216415 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 13 Jul 2001 11:25:37 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001727D0@listserv.fnal.gov>; Fri, 13 Jul 2001 11:25:37 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF00H1H6YPWK@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 13 Jul 2001 11:25:37 -0500 (CDT) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f6DGPaf27440 for ; Fri, 13 Jul 2001 11:25:36 -0500 (CDT) Date: Fri, 13 Jul 2001 11:25:36 -0500 From: aheavey@fnal.gov Subject: new quick ref card Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Reply-to: aheavey@fnal.gov Message-id: <200107131625.f6DGPaf27440@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1527 Matt caught some goofs I made -- please discard old one, use new (7/13). 
-- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Fri Jul 13 11:30:35 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id LAA17886 for ; Fri, 13 Jul 2001 11:30:35 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF00F7G76YZD@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 13 Jul 2001 11:30:35 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001727F0@listserv.fnal.gov>; Fri, 13 Jul 2001 11:30:34 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 216450 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 13 Jul 2001 11:30:34 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.001727EF@listserv.fnal.gov>; Fri, 13 Jul 2001 11:30:34 -0500 Received: from fsui02.fnal.gov ([131.225.68.20]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF00G3976XML@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 13 Jul 2001 11:30:33 -0500 (CDT) Received: from localhost (aheavey@localhost) by fsui02.fnal.gov (8.10.2/8.10.2) with SMTP id f6DGUWW28658 for ; Fri, 13 Jul 2001 11:30:32 -0500 (CDT) Date: Fri, 13 Jul 2001 11:30:32 -0500 From: Anne Heavey Subject: Re: new quick ref card In-reply-to: "Your message of Fri, 13 Jul 2001 11:26:05 CDT." 
<3B4F211D.99D4AD79@fnal.gov> Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: <200107131630.f6DGUWW28658@fsui02.fnal.gov> X-Authentication-warning: fsui02.fnal.gov: aheavey@localhost didn't use HELO protocol Status: RO X-Status: X-Keywords: X-UID: 1528 http://www.fnal.gov/docs/strongauth/html/sa_refcardletter.html Best if you bookmark http://www.fnal.gov/docs/strongauth/ and use link under "Once you're Connected" or (currently) "Latest Information". PDF version available via link on html page. > Anne, > > Could you please provide the link? > > Thanks, > Cele > > aheavey@fnal.gov wrote: > > > > Matt caught some goofs I made -- please discard old one, use new (7/13). > > > > -- Anne > > > > Anne Heavey | Fermilab Computing Division | WWW Group > > Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 > > -- > *************************************************************** > Cele Bruce Fermi National Accelerator Lab > celebruce@fnal.gov P.O. Box 500, MS 369 > 630-840-3931 Batavia, IL 60510 -- Anne Anne Heavey | Fermilab Computing Division | WWW Group Ph: 630-840-8039 | Loc: WH 845 (8th floor NE) | MS: 120 From kreymer@fnal.gov Fri Jul 13 16:27:19 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id QAA18804 for ; Fri, 13 Jul 2001 16:27:19 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF00G1OKXH3B@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Fri, 13 Jul 2001 16:27:19 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00172EA9@listserv.fnal.gov>; Fri, 13 Jul 2001 16:27:17 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 218335 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Fri, 13 Jul 2001 16:27:17 -0500 Received: from heffalump (heffalump.fnal.gov) 
by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00172EA8@listserv.fnal.gov>; Fri, 13 Jul 2001 16:27:17 -0500 Received: from unferth.fnal.gov ([131.225.81.159]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGF005TVKXGK9@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Fri, 13 Jul 2001 16:27:16 -0500 (CDT) Date: Fri, 13 Jul 2001 16:27:17 -0500 (CDT) From: Dane Skow Subject: FRHL7.1 Kerberos/AFS PAMs ready for testing Sender: owner-kerberos-users@listserv.fnal.gov To: kerberos-users@fnal.gov Message-id: MIME-version: 1.0 Content-type: TEXT/PLAIN; charset=US-ASCII Status: RO X-Status: X-Keywords: X-UID: 1529 I have beta versions of PAMs available for testing in /afs/fnal.gov/files/home/room1/dane/PAM/pam_RH71. (~dane/PAM/pam_RH71 on FNALU) There are 4 files: [dane@unferth pam_RH71]$ ls -l total 278 -rw-r--r-- 1 1444 dane 2688 Jul 13 15:32 krb5.conf -rwxr-xr-x 1 1444 dane 141076 Jul 13 15:32 pam_krb5afs.so -rwxr-xr-x 1 1444 dane 138447 Jul 13 15:32 pam_krb5.so -rw-r--r-- 1 1444 dane 936 Jul 13 15:32 system-auth The two .so libraries replace ones in /etc/pam.d The krb5.conf file adds a section on [pam] on the end and removes the "auth_to_local" lines that cause grief to RH native Kerberos. The system-auth file is setup for both KRB and AFS tickets. If you only want the krb5 part, then change the pam_krb5 line to "sufficient" (and remove the pam_afs line or not at your pleasure). Caveats: 0) I've only tested on two machines. But it worked for me in both text and GUI login and an application (xscreensaver). There may be more PAM config file changes for others. 1) I have been unsuccessful at getting the pam_krb5afs.so to give both KRB5 and AFS with one call. (as might be preferable in some cases). 2) The pam_krb5 modules appear to be sensitive to the krb5.conf contents. I saw network hangs in one particular configuration on a Nightshade motherboard. 
3) I'll work with Connie/Troy to get these included in the RPMS for the official release. For now, you're assumed to know what you're doing as root. I've got the attention of the author at RedHat working some of these bugs so timely trouble reports would be useful. Cheers, dane From kreymer@fnal.gov Sun Jul 15 14:04:34 2001 -0500 Return-Path: Received: from heffalump (heffalump.fnal.gov [131.225.9.20]) by patnt2.fnal.gov (8.9.3/8.9.3) with ESMTP id OAA22526 for ; Sun, 15 Jul 2001 14:04:33 -0500 Received: from listserv.fnal.gov ([131.225.9.3]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGJ00BAS3NJYZ@smtp.fnal.gov> for kreymer@patnt2.fnal.gov (ORCPT KREYMER@FNAL.GOV); Sun, 15 Jul 2001 14:04:33 -0500 (CDT) Received: from listserv (listserv.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00173D30@listserv.fnal.gov>; Sun, 15 Jul 2001 14:04:31 -0500 Received: from LISTSERV.FNAL.GOV by LISTSERV.FNAL.GOV (LISTSERV-TCP/IP release 1.8d) with spool id 222509 for KERBEROS-USERS@LISTSERV.FNAL.GOV; Sun, 15 Jul 2001 14:04:31 -0500 Received: from heffalump (heffalump.fnal.gov) by listserv.fnal.gov (LSMTP for Windows NT v1.1b) with SMTP id <0.00173D2E@listserv.fnal.gov>; Sun, 15 Jul 2001 14:04:31 -0500 Received: from csdserver2.fnal.gov ([131.225.84.135]) by smtp.fnal.gov (PMDF V6.0-24 #37519) with ESMTP id <0GGJ007I33NHYP@smtp.fnal.gov> for kerberos-users@listserv.fnal.gov (ORCPT kerberos-users@fnal.gov); Sun, 15 Jul 2001 14:04:31 -0500 (CDT) Received: by csdserver2.fnal.gov with Internet Mail Service (5.5.1960.3) id <36HVHHVA>; Sun, 15 Jul 2001 14:04:28 -0500 Content-return: allowed Date: Sun, 15 Jul 2001 14:04:27 -0500 From: ARSystem Subject: CRAWFORD, MATT #19145 Resolved. 
To: "'kerberos-users@fnal.gov'"

Thank you for your assistance.

Help Desk ticket #000000000019145 has been resolved on 7/15/01 2:00:01 PM

Resolution Timestamp : 7/15/01 2:00:01 PM
Solution Category : Auto Resolve
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Cannot activate host/ftp principals
Solution : No further response from user in the past 21 days. Ticket being resolved.

Problem Description :
When I try to ups install kerberos on e.g. sameggs.fnal.gov, I get this highly
informative message:

    kadmin: Preauthentication failed while initializing kadmin interface
    kadmin: Preauthentication failed while initializing kadmin interface
    ERROR: could not add principal ftp/sameggs.fnal.gov to keytab file.
    kadmin: Preauthentication failed while initializing kadmin interface
    kadmin: Preauthentication failed while initializing kadmin interface
    ERROR: could not add principal host/sameggs.fnal.gov to keytab file.

I have followed every line at http://www.fnal.gov/docs/products/kerberos/. I
had Yolanda reset that password for me two times. I have checked the time on
the system. I have no bloody CLUE!!! Please help!!! Thank you.

Addt'l info: the system (and others I try) has been in PILOT for a few months.
Can't migrate to FNAL.GOV.

-+-+-+-+-+-+-+-+-+-+
Igor Terekhov, Ph.D.
Computing Division, ODS MS 114
Fermi National Accelerator Laboratory
Phone: 630-840-8884 Fax: x2783
E-mail: terekhov@fnal.gov

From kreymer@fnal.gov Mon Jul 16 11:13:21 2001 -0500
Date: Mon, 16 Jul 2001 11:13:08 -0500
From: ARSystem
Subject: 000000000019267 Assigned to CRAWFORD, MATT.
To: "'kerberos-users@fnal.gov'"

CRAWFORD, MATT, Help Desk Ticket #000000000019267 has been assigned to you.
It is a(n) Medium priority Software/Utilities/Kerberos type of problem.

Short description: Reflection Kerberos Error
Badge # (+) : 05316N
First Name : STANISLAW
Last Name (+) : KRZYWDZINSKI
Phone : 2680
E-Mail Address : KRZYW@FNAL.GOV
Incident Time : 6/26/01 10:32:07 AM
System Name :
Urgency : Medium

Public Work Log :

6/26/01 1:35:58 PM marih
From: "Matt Crawford"
To: "ARSystem"
Subject: Re: 000000000019267 Assigned to CRAWFORD, MATT.
Date: Tuesday, June 26, 2001 1:31 PM

Send this case to d0_nt-admin.

6/26/01 2:00:49 PM marih
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: 000000000019267 Assigned to CISKO, GREG.
Date: Tuesday, June 26, 2001 1:51 PM

----- Original Message -----
From: "Alan M Jonckheere"
To: "Greg Cisko"
Cc: "ARSystem"
Sent: Thursday, June 14, 2001 2:52 PM

> I sent out a mail message some time ago to the d0rug and d0nt mail lists on
> this. To get this working on WRQ, you need to set up the FNAL.GOV realm:
> 1) go to the Reflection Kerberos Manager
> 2) pull down Configuration/configure realm
> 3) add FNAL.GOV (with KDC host krb-fnal-1.fnal.gov)
> 4) highlight FNAL.GOV
>    KDC tab: add krb-fnal-2.fnal.gov and any others you wish to the KDC list
>    change KadminServer to krb-fnal-admin.fnal.gov
>    Hosts tab: add krb-fnal-2.fnal.gov + anyone else
>    RealmDefaults tab: change Pre-Authentication to "Encrypted timestamp"
> Basically you set up realm FNAL.GOV exactly the same as PILOT.FNAL.GOV with
> the substitution of "pilot"->"fnal" everywhere *except* in the realm name.
>
> Now for the "gotcha" part that actually is documented but is buried pretty
> deep.
>
> 5) login (via the pilot.fnal.gov realm or any other way you can get in) to
>    d0mino
> 6) kpasswd xxx@FNAL.GOV
>    change your password in the FNAL.GOV realm
>
> Now back in WRQ, in the principal Profile box
> 7) you can modify to change your default realm to FNAL.GOV and everything is
>    cool.
>
> Alan

6/26/01 2:32:36 PM marih
From: "Stan Krzywdzinski"
To: "ARSystem"
Subject: Re: Help Desk Ticket 19267 Has Been Resolved.
Date: Tuesday, June 26, 2001 2:29 PM

I had already set up the FNAL.GOV realm (steps 1-7), made it default and
changed my password on d0mino, as I think I indicated in my original e-mail,
but the problem has been there since then... So your 'resolution' is not a
solution!

Stan

Ticket ReOpened. The Previous Solution was: [Alan Jonckheere's realm setup
steps 1-7, repeated verbatim from the work log entry above.]

6/26/01 3:59:40 PM marih
From: "Alan M Jonckheere"
To: "ARSystem"
Subject: Re: CISKO, GREG #19267 Resolved.
Date: Tuesday, June 26, 2001 3:58 PM

The first part of this is my prescription on how to set up to use the
@FNAL.GOV realm. It has nothing to do with Stan's problem. In fact I've had the
same problem since we switched to the FNAL.GOV realm. I *think* it's a delay
starting up some daemon on d0mino and the connection times out. Once the daemon
is started, it succeeds the next time. The question still remains, is there a
solution?
I really doubt that this is an NT problem, though it might be.

Alan

6/26/01 4:48:18 PM trb
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: CISKO, GREG AR ticket 19267 Has Been Updated.
Date: Tuesday, June 26, 2001 4:45 PM

Run the timesync application... Or sync the time in the kerberos manager...

The following was e-mailed to the Requester:

Stan,
Try... Running the timesync application... Or sync the time in the kerberos
manager... Please let us know if this resolves the problem.
Thank you,
HelpDesk
Tom Bozonelos

6/27/01 8:10:27 AM blomberg
From: "Greg Cisko"
To: "ARSystem"
Subject: Re: CISKO, GREG #19267 Resolved.
Date: Tuesday, June 26, 2001 4:50 PM

The *ONLY* NT problem it might be, is if the time was not synced properly. It
is definitely not an NT system problem or issue, that is for sure.

Thanks,
Greg

6/27/01 8:15:49 AM blomberg
From: "Alan M Jonckheere"
To: "Greg Cisko"
Cc: "nt admin"
Subject: Re: CISKO, GREG AR ticket 19267 Has Been Updated.
Date: Tuesday, June 26, 2001 5:31 PM

Uh. He said he'd tried that 6 or 7 times to no avail. It is *not* a failure to
authenticate. It's more like there is an authentication time window when
handshaking with d0mino. When WRQ has to ask for a password, the time it takes
to type that seems to be counted against the window. The KDC still issues a
ticket, it's just refused at the remote end. The 2nd time, no password is
requested and it works fine.

Alan

6/27/01 8:48:00 AM blomberg
From: "Greg Cisko"
Subject: Re: CISKO, GREG AR ticket 19267 Has Been Updated.
Date: Wednesday, June 27, 2001 8:46 AM

Well it certainly doesn't sound like an NT problem. Who do you think the
helpdesk should have given this ticket to?

Thanks,
Greg

6/27/01 3:52:46 PM richt
Latest e-mail from Alan. Can someone suggest whom this should be assigned to?
Thanks, Rich Thompson x4846

From: "Alan M Jonckheere"
To: "Greg Cisko"
Subject: Re: CISKO, GREG AR ticket 19267 Has Been Updated.
Date: Wednesday, June 27, 2001 3:39 PM

Actually, the problem has *not* been narrowed down closer than WRQ or KDC or
d0mino or some combination of those. It is *not* an NT *system* problem. That
I'll grant you. It may still be an "NT" problem in that it *might* be a problem
with WRQ. But since it first showed up when we switched to the production
kerberos realm, I'd put my $ on KDC and/or d0mino and their interactions with
WRQ.

As for who this should have gone to: I have no idea. Matt Crawford would be the
logical person, but only because he is somehow "responsible" for recommending
WRQ and in the absence of anyone else who has been assigned to it. But he has
refused in the past to try to diagnose WRQ problems for more or less good
reasons. I've asked Mark Kaletka in a separate thread if he could look into it.
I have some hope there. Basically, there seems to be absolutely no one at the
laboratory who is responsible, or feels responsible, to look into these sorts
of problems.

Alan

7/16/01 8:36:09 AM marih
From: "Stan Krzywdzinski"
To: "ARSystem"
Subject: Re: HelpDesk Problem 000000000019267 - Information needed
Date: Monday, July 16, 2001 8:08 AM

If I have a valid ticket on my NT, then there is no problem connecting/logging
into d0mino. Of course there is no need for prompting for a password under this
situation. However whenever prompting for a password is required (no valid
ticket on NT) I get this "Reflection Kerberos Error" described below. I guess I
just have to remember to always create a ticket on NT first ...

Thanks
Stan

7/16/01 11:10:13 AM trb
From: "Matt Crawford"
To: "ARSystem"
Subject: Re: CC: Help Desk Ticket 000000000019267 Has Been Updated.
Date: Monday, July 16, 2001 10:32 AM

I don't understand why this has come back to me after all these weeks. Is it
assigned to me again? Why?

Does the text really need to be so ugly and hard to read? I refer to the
proliferation of lines which are alternately long and short, indented and
unindented.
And why are the entries presented in an order which is neither oldest to newest
nor newest to oldest?

----------<

Matt, this is my first view of this problem. It appears there isn't any one
particular individual willing to accept responsibility for it after having been
assigned and answered by yourself, Alan Jonckheere, and Greg Cisko. Bottom
line, is there anything you can suggest as a possible root cause?

Problem - Restated....
Stan Krzywdzinski works on a PC running WinNT. He uses WRQ Reflections to
connect to d0mino. If he already has a valid ticket, he establishes a
connection. However, if he's prompted to enter a password, upon doing so, he
receives a Kerberos Error "Difference between expected and actual KDC reply
time is too great (KRB105)". Can you help?

Problem Description :
I switched WRQ on D0 NT box, d0nt37, from PILOT.FNAL.GOV realm to FNAL.GOV
realm. There is a small problem, however: each time when I connect to d0mino
for the first time in a day, after entering my password for the principal
krzyw@FNAL.GOV, a "Reflection Kerberos Error" occurs, which says: "Difference
between expected and actual KDC reply time is too great (KRB105)". The error
does not seem to be fatal, after acknowledging it and hitting CR all is fine,
but it's annoying! I tried to Synchronize (Programs -> Reflection -> TimeSync,
then Synchronize tab and Synchronize Now) several times, but to no avail. I had
no such problem under PILOT.FNAL.GOV realm ... Is there a remedy?
Thanks
Stan

From kreymer@fnal.gov Mon Jul 16 11:13:23 2001 -0500
Date: Mon, 16 Jul 2001 11:13:09 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19267 Has Been Updated.
To: "'kerberos-users@fnal.gov'"

19267 has been updated by trb.

Short Description : Reflection Kerberos Error

New Work Log Entry :
From: "Matt Crawford"
To: "ARSystem"
Subject: Re: CC: Help Desk Ticket 000000000019267 Has Been Updated.
Date: Monday, July 16, 2001 10:32 AM

[Matt Crawford's 10:32 AM work log entry, the help desk's reply to it, and the
"Problem - Restated" text, all repeated verbatim from the previous message.]
From kreymer@fnal.gov Mon Jul 16 11:18:33 2001 -0500
Date: Mon, 16 Jul 2001 11:18:18 -0500
From: ARSystem
Subject: CRAWFORD, MATT #19255 Resolved.
To: "'kerberos-users@fnal.gov'"

Thank you for your assistance.
Help Desk ticket #000000000019255 has been resolved on 7/16/01 11:13:22 AM

Resolution Timestamp : 7/16/01 11:07:16 AM
Solution Category : Unknown
Problem Category : Software
Item : Kerberos
Type : Utilities
Short Description : Kerberos
Solution : Per e-mail from the user: Anne Heavey and I worked this one out already...

Problem Description :
I am having trouble running Kerberized FTP from my D0 NT (D0NT50) box trying to
attach to D0Mino. I can attach to D0mino via kerberized telnet without
difficulty. But when I try to connect with the FTP utility, it doesn't work. I
have been able to do this in the past. It has not worked for quite a long while
and I haven't reported it because I can still use my cryptocard. I have had
identical problems using my laptop. Is this a known problem?

Don Lincoln

From kreymer@fnal.gov Mon Jul 16 12:05:25 2001 -0500
Date: Mon, 16 Jul 2001 12:04:33 -0500
From: ARSystem
Subject: CRAWFORD, MATT, Reminder for 19267
To: "'kerberos-users@fnal.gov'"

This reminder created on 7/16/01 12:03:08 PM

Ticket 19267 has been assigned to you. This is a reminder that the ticket is
not yet resolved.

Status : Assigned
First Name : STANISLAW
Last Name (+) : KRZYWDZINSKI
Phone : 2680
E-Mail Address : KRZYW@FNAL.GOV
Incident Time : 6/26/01 10:32:07 AM
System Name :
Problem Category : Software
Item : Kerberos
Type : Utilities
Urgency : Medium
Short Description : Reflection Kerberos Error

Problem Description :
[Stan Krzywdzinski's original problem description for ticket 19267, repeated
verbatim from the earlier message above.]
Thanks
Stan

From kreymer@fnal.gov Mon Jul 16 13:26:51 2001 -0500
Date: Mon, 16 Jul 2001 13:26:24 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT, Reminder for 19267
In-reply-to: "16 Jul 2001 12:04:33 CDT."
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"

I suggest that the user go into "Kerberos Manager" and examine the realm
configurations, making sure the list of KDCs matches the instructions at:

http://www.fnal.gov/docs/strongauth/html/winadmin.html#24628

From kreymer@fnal.gov Mon Jul 16 14:01:37 2001 -0500
Date: Mon, 16 Jul 2001 14:01:30 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019267
To: "'kerberos-users@fnal.gov'"
The following note has been sent to the requester: KRZYWDZINSKI, STANISLAW

Short Description : Reflection Kerberos Error

Notes to Requester :
Stan,
Please go into "Kerberos Manager" and examine the realm configurations, making
sure the list of KDCs matches the instructions at:
http://www.fnal.gov/docs/strongauth/html/winadmin.html#2462
Please let us know if this helps.
HelpDesk
Tom Bozonelos

From kreymer@fnal.gov Mon Jul 16 15:03:03 2001 -0500
Date: Mon, 16 Jul 2001 15:02:51 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19267 Has Been Updated.
To: "'kerberos-users@fnal.gov'"

19267 has been updated by blomberg.

Short Description : Reflection Kerberos Error

New Work Log Entry :
From: "Stan Krzywdzinski"
To: "ARSystem"
Subject: Re: Additional info for 000000000019267
Date: Monday, July 16, 2001 2:53 PM

I checked that I've had 2 items on the KDC list:
krb-fnal-1.fnal.gov
krb-fnal-2.fnal.gov

Added 3 more:
krb-fnal-3.fnal.gov
krb-fnal-4.fnal.gov
krb-fnal-5.fnal.gov

as 'prescribed' in the instructions, but it did NOT help! I am still getting
this "Reflection Kerberos Error" when I try to connect to d0mino after clearing
tickets on "Kerberos Manager".

Stan

From kreymer@fnal.gov Mon Jul 16 15:13:50 2001 -0500
Date: Mon, 16 Jul 2001 15:13:20 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT AR ticket 19267 Has Been Updated.
In-reply-to: "16 Jul 2001 15:02:51 CDT."
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"

Well, then, figure out why your machine is getting its service ticket for
d0mino from the PILOT realm -- maybe that's the problem. Check the
configuration of the PILOT.FNAL.GOV realm; make sure you have the right KDC
list (no krb-pilot-2, just -1, -3, -4) and that you do NOT list d0mino on the
"hosts" tab for that realm.

From kreymer@fnal.gov Mon Jul 16 15:23:34 2001 -0500
Date: Mon, 16 Jul 2001 15:23:28 -0500
From: ARSystem
Subject: Note to requester has been sent - 000000000019267
To: "'kerberos-users@fnal.gov'"

The following note has been sent to the requester: KRZYWDZINSKI, STANISLAW

Short Description : Reflection Kerberos Error

Notes to Requester :
[Matt Crawford's 15:13 reply, forwarded verbatim: check the PILOT.FNAL.GOV
realm's KDC list (no krb-pilot-2, just -1, -3, -4) and make sure d0mino is not
listed on that realm's "hosts" tab.]
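Matt's diagnosis above turns on how the client decides which realm to ask for d0mino's service ticket: a host still mapped to PILOT.FNAL.GOV makes the client fetch a cross-realm TGT and then a PILOT-issued host ticket. The following is an added example, not code from the thread or from WRQ Reflection; it models that host-to-realm lookup with MIT krb5's [domain_realm] rules (exact host, then parent domains, then default realm), which I assume is what Reflection's "Hosts" tab implements, and it flags the tickets a stale mapping leaves in the credential cache. The host map and ticket list are constructed.

```python
"""Why a Kerberos client fetches a service ticket from the wrong realm.

Added example (not from the mailing-list thread or from Reflection). It models
the host-to-realm lookup a client performs before requesting a service ticket
and explains the cross-realm tickets that a stale mapping produces.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    service: str   # "krbtgt" for a TGT, "host" for a login service ticket
    instance: str  # target realm for a TGT, hostname for a service ticket
    realm: str     # realm whose KDC issued the ticket


def parse_principal(text: str) -> Principal:
    """Split 'service/instance@REALM' into its three parts."""
    name, realm = text.rsplit("@", 1)
    service, instance = name.split("/", 1)
    return Principal(service, instance, realm)


def resolve_realm(host: str, host_realm_map: dict, default_realm: str):
    """Return (realm, matching_entry) for a hostname.

    Lookup order, as in an MIT krb5 [domain_realm] section (assumed here to be
    what the Reflection Hosts tab does): the exact hostname, then each parent
    domain written with a leading dot (".fnal.gov", ".gov"), then the default.
    """
    host = host.lower()
    if host in host_realm_map:
        return host_realm_map[host], host
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in host_realm_map:
            return host_realm_map[parent], parent
    return default_realm, None


def tickets_needed(host: str, client_realm: str, host_realm_map: dict) -> list:
    """Principals the client must acquire to log in to `host`.

    A host mapped to a foreign realm costs an extra cross-realm TGT
    (krbtgt/FOREIGN@HOME) before FOREIGN's KDC will issue the service ticket.
    """
    realm, _ = resolve_realm(host, host_realm_map, client_realm)
    needed = [f"krbtgt/{client_realm}@{client_realm}"]
    if realm != client_realm:
        needed.append(f"krbtgt/{realm}@{client_realm}")
    needed.append(f"host/{host}@{realm}")
    return needed


def diagnose_cache(tickets: list, client_realm: str, host_realm_map: dict) -> list:
    """Explain every cached ticket that did not come from the client's own realm."""
    findings = []
    for p in map(parse_principal, tickets):
        if p.service == "krbtgt":
            if p.instance != client_realm:
                findings.append(
                    f"cross-realm TGT for {p.instance}: the client was referred "
                    f"out of {client_realm} for some host")
        elif p.realm != client_realm:
            realm, entry = resolve_realm(p.instance, host_realm_map, client_realm)
            cause = (f"host-to-realm entry {entry!r} maps it to {realm}" if entry
                     else "no mapping entry now; the foreign ticket is stale")
            findings.append(
                f"{p.service}/{p.instance} was issued by {p.realm}: {cause}")
    return findings


# Constructed sample: default realm FNAL.GOV, but the realm configuration still
# lists d0mino under the old PILOT realm. The fixed map sends all of .fnal.gov
# to FNAL.GOV.
CLIENT_REALM = "FNAL.GOV"
STALE_HOST_MAP = {"d0mino.fnal.gov": "PILOT.FNAL.GOV"}
FIXED_HOST_MAP = {".fnal.gov": "FNAL.GOV"}
SAMPLE_CACHE = [
    "krbtgt/FNAL.GOV@FNAL.GOV",
    "krbtgt/PILOT.FNAL.GOV@FNAL.GOV",
    "host/d0mino.fnal.gov@PILOT.FNAL.GOV",
]

if __name__ == "__main__":
    for line in diagnose_cache(SAMPLE_CACHE, CLIENT_REALM, STALE_HOST_MAP):
        print(line)
    print("after fix:", tickets_needed("d0mino.fnal.gov", CLIENT_REALM, FIXED_HOST_MAP))
```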
From kreymer@fnal.gov Mon Jul 16 16:14:41 2001 -0500
Date: Mon, 16 Jul 2001 16:14:31 -0500
From: ARSystem
Subject: CRAWFORD, MATT AR ticket 19267 Has Been Updated.
To: "'kerberos-users@fnal.gov'"
Message-id: <318CC3D38BE0D211BB1200105A093F7618D46D@csdserver2.fnal.gov>

19267 has been updated by blomberg.

Short Description : Reflection Kerberos Error

New Work Log Entry :
From: "Stan Krzywdzinski"
To: "ARSystem"
Subject: Re: Additional info for 000000000019267
Date: Monday, July 16, 2001 4:07 PM

Well, for the PILOT realm KDC list I've had:

krb-pilot-1.fnal.gov
krb-pilot-2.fnal.gov

I changed the list to:

krb-pilot-1.fnal.gov
krb-pilot-3.fnal.gov
krb-pilot-4.fnal.gov

and then verified that under Hosts tab for PILOT realm I do not have
d0mino. Instead I do have the very same entries as on the KDC list.
However, again it did not help ...

Btw, you are right, it is also disturbing that after I connect to
d0mino, I am getting the following tickets on Kerberos Manager:

krbtgt/FNAL.GOV@FNAL.GOV
krbtgt/PILOT.FNAL.GOV@FNAL.GOV
host/d0mino.fnal.gov@PILOT.FNAL.GOV

I really do not know how to eliminate tickets related to PILOT. Also, what
tickets should I be getting instead?

Thanks
Stan

From kreymer@fnal.gov Mon Jul 16 16:35:26 2001 -0500
Date: Mon, 16 Jul 2001 16:34:57 -0500
From: Matt Crawford
Subject: Re: CRAWFORD, MATT AR ticket 19267 Has Been Updated.
In-reply-to: "16 Jul 2001 16:14:31 CDT." <318CC3D38BE0D211BB1200105A093F7618D46D@csdserver2.fnal.gov>
To: ARSystem
Cc: "'kerberos-users@fnal.gov'"
Message-id: <200107162134.f6GLYvF12064@gungnir.fnal.gov>

> I changed the list to:
>
> krb-pilot-1.fnal.gov
> krb-pilot-3.fnal.gov
> krb-pilot-4.fnal.gov

Good.

> and then verified that under Hosts tab for PILOT realm I do not have
> d0mino.
...
> Btw, you are right, it is also disturbing that after I connect to
> d0mino, I am getting the following tickets on Kerberos Manager:
> krbtgt/FNAL.GOV@FNAL.GOV
> krbtgt/PILOT.FNAL.GOV@FNAL.GOV
> host/d0mino.fnal.gov@PILOT.FNAL.GOV

Then I can't imagine why you're getting the service ticket from the pilot
realm ... unless there's some other entry in the pilot hosts list, like
".fnal.gov" ? Try putting .fnal.gov and/or d0mino.fnal.gov into the hosts
list in the FNAL.GOV realm and see if that helps. Clear all tickets and
connect again.

> what tickets should I be getting instead?

krbtgt/FNAL.GOV@FNAL.GOV
host/d0mino.fnal.gov@FNAL.GOV

The other ticket you had, krbtgt/PILOT.FNAL.GOV@FNAL.GOV, is the
cross-realm ticket and will stop appearing if your machine stops thinking
that d0mino is in the pilot realm.
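Both of Matt's replies above turn on one question: which realm does the client think d0mino is in? A ticket named host/d0mino.fnal.gov@PILOT.FNAL.GOV means the client mapped the host into PILOT.FNAL.GOV and went through the cross-realm TGT (krbtgt/PILOT.FNAL.GOV@FNAL.GOV) to get it. The script below is an added example, not code from the thread or from Fermilab. It parses a klist-style listing and checks each service ticket's issuing realm against a host-to-realm mapping written in the shape of a krb5.conf [domain_realm] section, which I take to be the Unix counterpart of Reflection's "hosts" tab (an assumption), and it flags cross-realm TGTs. The lookup order it implements (exact host name, then dot-prefixed parent domains, then default_realm) is a simplification of the library's rules; the listing, the mapping and the timestamps are constructed.

```python
"""Audit a klist listing against the host-to-realm mapping a client should use."""
import re

# Constructed listing in MIT klist's layout (issued, expires, service principal);
# the three principals are the ones reported in the thread, the times are made up.
SAMPLE_KLIST = """\
Valid starting     Expires            Service principal
07/16/01 15:35:00  07/17/01 01:35:00  krbtgt/FNAL.GOV@FNAL.GOV
07/16/01 15:35:02  07/17/01 01:35:00  krbtgt/PILOT.FNAL.GOV@FNAL.GOV
07/16/01 15:35:03  07/17/01 01:35:00  host/d0mino.fnal.gov@PILOT.FNAL.GOV
"""

# Assumed mapping in the shape of a krb5.conf [domain_realm] section: exact host
# names or dot-prefixed domain suffixes. Only the pilot KDCs themselves map to
# the pilot realm; every other host under .fnal.gov belongs to FNAL.GOV.
DOMAIN_REALM = {
    ".fnal.gov": "FNAL.GOV",
    "krb-pilot-1.fnal.gov": "PILOT.FNAL.GOV",
    "krb-pilot-3.fnal.gov": "PILOT.FNAL.GOV",
    "krb-pilot-4.fnal.gov": "PILOT.FNAL.GOV",
}
DEFAULT_REALM = "FNAL.GOV"

# Two timestamps followed by a principal; header and "Ticket cache:" lines do not match.
TICKET_RE = re.compile(
    r"^\s*(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+@\S+)\s*$")


def realm_for_host(host, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Exact host entry first, then each dot-prefixed parent domain, else the default."""
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return default


def parse_klist(text):
    """Return [(service_name, issuing_realm), ...] for the ticket lines in `text`."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line)
        if m:
            name, _, realm = m.group(3).rpartition("@")
            tickets.append((name, realm))
    return tickets


def audit_tickets(text, mapping=DOMAIN_REALM, default=DEFAULT_REALM):
    """Label each ticket; anything other than 'tgt' or 'ok' deserves a look."""
    findings = []
    for name, realm in parse_klist(text):
        principal = f"{name}@{realm}"
        parts = name.split("/")
        if parts[0] == "krbtgt" and len(parts) == 2:
            # krbtgt/X@Y with X != Y is a cross-realm TGT: realm Y vouched for us towards X.
            status = "tgt" if parts[1] == realm else f"cross-realm tgt: {realm} -> {parts[1]}"
        elif len(parts) == 2:
            # service/host: the issuing realm must be the one the host maps to.
            expected = realm_for_host(parts[1], mapping, default)
            status = "ok" if realm == expected else (
                f"realm mismatch: issued by {realm}, mapping says {expected}")
        else:
            status = "ok"
        findings.append((principal, status))
    return findings


if __name__ == "__main__":
    for principal, status in audit_tickets(SAMPLE_KLIST):
        print(f"{principal:40} {status}")
```

Run as a script it prints one line per ticket. A "realm mismatch" on a host ticket is exactly the symptom in the thread, and the fix lives in the mapping (the realm's hosts list or [domain_realm]), not in the tickets themselves; once the host maps to FNAL.GOV the cross-realm TGT stops being requested, as Matt says.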
From kreymer@fnal.gov Tue Jul 17 13:43:12 2001 -0500
Date: Tue, 17 Jul 2001 13:42:41 -0500
From: Matt Crawford
Subject: Re: CryptoCard time of life (fwd)
In-reply-to: "17 Jul 2001 13:36:13 CDT."
To: Yolanda Valadez
Cc: Guennadi Obrant , kerberos-users@fnal.gov
Message-id: <200107171842.f6HIgfF15730@gungnir.fnal.gov>

So far no cryptocard batteries have run out, so I can't tell you how long
they last. You should have a small thick paper card in the plastic pouch
that came with your cryptocard. It says that if the display becomes dim,
it's time to replace the batteries. All you need is a small flat screwdriver
and two new batteries. The type you need is written on the same card. If you
can't get new ones in Russia (bozhemoi!), buy some now and take them with
you. You can even practice taking out and putting in your existing batteries
one at a time to gain confidence that you will be able to do it without
wiping the card when the time comes to replace them.

> I got my CryptoCard on Nov 2, 2000. I'm concerned about the lifetime of
> this CryptoCard, for example when the battery will wear out. I am
> a Fermilab visitor and must leave for Russia, and I could not replace
> the batteries there.

From kreymer@fnal.gov Tue Jul 17 15:59:59 2001 -0500
Date: Tue, 17 Jul 2001 15:59:57 -0500 (CDT)
From: Margaret Greaney
Subject: is there a keep-ssh with kerberos install for .FNAL, not .PILOT?
To: kerberos-users@fnal.gov

Hello, after doing an upd list -l kerberos and reviewing the output, and
also discussing how to install kerberos in a non-strengthened mode (with
ssh) with people in my group, I am still uncertain about whether this ups
product is available. I see that there is a ups product for kerberos with
keep-ssh associated with the .PILOT realm but don't see it for the .FNAL
realm. I am checking that the product exists before having to install some
of the PPD clusters. Is this capability in ups for kerberos v1_3a? Is it
now called install-sshd-weak?

thanks,
Margaret

Margaret Greaney            Telephone: 630-840-4623
Fermilab                    E-mail: mgreaney@fnal.gov
CD/OSS/SCS

From kreymer@fnal.gov Wed Jul 18 09:19:40 2001 -0500
Date: Wed, 18 Jul 2001 09:19:07 -0500
From: Matt Crawford
Subject: Re: is there a keep-ssh with kerberos install for .FNAL, not .PILOT?
In-reply-to: "17 Jul 2001 15:59:57 CDT."
To: Margaret Greaney
Cc: kerberos-users@fnal.gov
Message-id: <200107181419.f6IEJ7F17484@gungnir.fnal.gov>

All the recent versions have an "install-keep-ssh" action. I didn't check
back before v1_2, but I think it is in all versions. The other action
"install-keep-ssh-pilot" is newer.

Mind you, the ssh product has its own logic if it's installed after
Kerberos ...

From kreymer@fnal.gov Wed Jul 18 10:04:47 2001 -0500
Date: Wed, 18 Jul 2001 16:04:42 +0100 (BST)
From: "Todd Huffman (CDF/ATLAS)"
Subject: kdestroy
To: "Kerberos User's group"

Hi,

Suppose that I have this list of tickets:

07/18/01 09:42:31  07/19/01 11:42:31  krbtgt/FNAL.GOV@FNAL.GOV
07/18/01 09:42:42  07/19/01 11:42:31  host/oxpc01.fnal.gov@FNAL.GOV
07/18/01 09:45:50  07/19/01 11:42:31  host/oxpc03.fnal.gov@FNAL.GOV

And further suppose that I only want to destroy the last one. How does one
do that? kdestroy wipes out everything.

Cheers,
Todd

*************************************************
~ Dr. B. Todd Huffman                           ~
~ Particle and Nuclear Physics                  ~
~ University of Oxford                          ~
~ Rm 631                                        ~
~ Keble Rd                                      ~
~ Oxford OX1 3RH UK                             ~
~                                               ~
~ Phone: 44 - 1865 - 273402                     ~
~ LMH: 44 - 1865 - 274307                       ~
~ FAX: 44 - 1865 - 273418                       ~
~ Mobile: 07876 - 380836                        ~
~ Home: 44 - 1865 - 450240                      ~
~ URL of my home page:                          ~
~ http://www-pnp.physics.ox.ac.uk/~huffman/     ~
*************************************************

From kreymer@fnal.gov Wed Jul 18 10:11:25 2001 -0500
Date: Wed, 18 Jul 2001 10:11:19 -0500 (CDT)
From: Dane Skow
Subject: odd error message from aklog when using expired tickets
To: kerberos-users@fnal.gov

Just to pass on a translation of an odd error message:

Here's what I saw this morning:

[dane@unferth include]$ aklog
aklog: Couldn't get fnal.gov AFS tickets:
aklog: unknown RPC error (-1765328352) while getting AFS tickets

Whose root cause turned out to be that I had failed to get fresh tickets
from my screensaver unlock (one reason why I've been quiet on that
recently). A fresh kinit cleared this right up.

FYI.

dane

From kreymer@fnal.gov Wed Jul 18 10:32:59 2001 -0500
Date: Wed, 18 Jul 2001 10:32:57 -0500 (CDT)
From: Steven Timm
Subject: Re: odd error message from aklog when using expired tickets
To: Dane Skow
Cc: kerberos-users@fnal.gov

------------------------------------------------------------------
Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
Fermilab Computing Division/Operating Systems Support
Scientific Computing Support Group--Computing Farms Operations

On Wed, 18 Jul 2001, Dane Skow wrote:

> Just to pass on a translation of an odd error message:
>
> Here's what I saw this morning:
>
> [dane@unferth include]$ aklog
> aklog: Couldn't get fnal.gov AFS tickets:
> aklog: unknown RPC error (-1765328352) while getting AFS tickets
>
> Whose root cause turned out to be that I had failed to get
> fresh tickets from my screensaver unlock (one reason why I've
> been quiet on that recently). A fresh kinit cleared this right up.
>

Is there any way to get the screensaver to not change the
ownership of the credentials cache file to root?

I have somehow convinced my screensaver (and by extension my kde display)
to use a different credentials cache file than that used
by the PAM module but I'm not sure how I did it.

Steve

> FYI.
>
> dane
>

From kreymer@fnal.gov Wed Jul 18 11:23:26 2001 -0500
Date: Wed, 18 Jul 2001 11:22:55 -0500
From: Matt Crawford
Subject: Re: kdestroy
In-reply-to: "18 Jul 2001 16:04:42 BST."
To: "Todd Huffman (CDF/ATLAS)"
Cc: "Kerberos User's group"
Message-id: <200107181622.f6IGMtF18628@gungnir.fnal.gov>

> Suppose that I have this list of tickets:
>
> 07/18/01 09:42:31  07/19/01 11:42:31  krbtgt/FNAL.GOV@FNAL.GOV
> 07/18/01 09:42:42  07/19/01 11:42:31  host/oxpc01.fnal.gov@FNAL.GOV
> 07/18/01 09:45:50  07/19/01 11:42:31  host/oxpc03.fnal.gov@FNAL.GOV
>
> And further suppose that I only want to destroy the last one.

If your tickets are renewable, "kinit -R" will discard all but the TGT,
which is renewed.

If your tickets are forwardable, you can forward the TGT alone to your own
machine by rsh or one of the others, and then overwrite your existing cache:

    rsh -F `hostname` cp \$KRB5CCNAME $KRB5CCNAME

To do anything more specific you'd have to write a program with the
credential cache API.
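Matt's last sentence above points at the credential cache API as the only way to drop a single ticket (the call for it is krb5_cc_remove_cred, whose support depends on the cache type and library version). The script below is an added example, not code from the thread or from MIT; instead of the C API it rewrites the MIT FILE-format cache image directly (format version 4, the one starting with bytes 0x05 0x04), walking every credential record and copying through all but the one whose server principal matches. It builds a constructed cache holding the three tickets from Todd's listing so it runs offline; the client principal, key bytes, enctype, flags and timestamps in it are made up. On a real machine you would read the file named by KRB5CCNAME, write the result to a temporary file in the same directory, and rename it over the original so a concurrent klist never sees a half-written cache.

```python
"""Rewrite an MIT FILE-format (version 4) Kerberos credential cache without one ticket."""
import struct


def _data(b):
    """Counted data: 32-bit big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(name_type, realm, components):
    """name_type(32) num_components(32) realm(data) component(data)*"""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    return out + b"".join(_data(c.encode()) for c in components)


def _credential(client, server, enctype, key, times, flags, ticket):
    """One credential record with no addresses, authdata or second ticket."""
    out = _principal(*client) + _principal(*server)
    out += struct.pack(">H", enctype) + _data(key)      # keyblock
    out += struct.pack(">IIII", *times)                  # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, flags)                  # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                      # address count, authdata count
    return out + _data(ticket) + _data(b"")              # ticket, second_ticket


def build_sample_cache():
    """Constructed cache with the three tickets from the question (all values made up)."""
    header = struct.pack(">HHII", 1, 8, 0, 0)            # tag 1 = DeltaTime, zero offsets
    buf = b"\x05\x04" + struct.pack(">H", len(header)) + header
    client = (1, "FNAL.GOV", ["huffman"])                # assumed client principal
    buf += _principal(*client)                           # default principal
    for service, issued in (("krbtgt/FNAL.GOV", 995467351),
                            ("host/oxpc01.fnal.gov", 995467362),
                            ("host/oxpc03.fnal.gov", 995467550)):
        server = (1, "FNAL.GOV", service.split("/"))
        times = (995467351, issued, 995560951, 0)        # 26-hour lifetime like the listing
        buf += _credential(client, server, 18, b"\x11" * 32, times, 0x40C00000,
                           b"constructed-ticket-" + service.encode())
    return buf


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated credential cache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):   return self.take(1)[0]
    def u16(self):  return struct.unpack(">H", self.take(2))[0]
    def u32(self):  return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self):
        """Return the principal as text, e.g. host/oxpc03.fnal.gov@FNAL.GOV."""
        _name_type, n = self.u32(), self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm


def _walk_credential(r):
    """Advance past one credential record and return its server principal."""
    r.principal()                       # client
    server = r.principal()
    r.u16(); r.data()                   # keyblock: enctype, key contents
    r.take(16)                          # authtime, starttime, endtime, renew_till
    r.u8(); r.u32()                     # is_skey, ticket_flags
    for _ in range(r.u32()):            # addresses: addrtype(16) data
        r.u16(); r.data()
    for _ in range(r.u32()):            # authdata: adtype(16) data
        r.u16(); r.data()
    r.data(); r.data()                  # ticket, second_ticket
    return server


def parse_ccache(buf):
    """Split a version-4 cache into (prefix bytes, [(server, raw record), ...])."""
    r = _Reader(buf)
    if r.take(2) != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    r.take(r.u16())                     # header tags, copied through untouched
    r.principal()                       # default principal
    prefix = buf[:r.pos]
    creds = []
    while r.pos < len(buf):
        start = r.pos
        server = _walk_credential(r)
        creds.append((server, buf[start:r.pos]))
    return prefix, creds


def list_services(buf):
    return [server for server, _ in parse_ccache(buf)[1]]


def remove_credential(buf, server):
    """Return a new cache image holding every credential except the one for `server`."""
    prefix, creds = parse_ccache(buf)
    kept = [raw for name, raw in creds if name != server]
    if len(kept) == len(creds):
        raise KeyError(f"no credential for {server} in cache")
    return prefix + b"".join(kept)
```

Because the walker never decodes the key or ticket bodies, it copies records byte for byte, so the surviving tickets (and any X-CACHECONF config entries, which are stored as ordinary records) come out unchanged; the only thing that changes is the absence of one record. The same walk is also a cheap forensic check: a cache that fails to parse to its end has been truncated or tampered with.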
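Dane's aklog line earlier in this thread carries the number -1765328352, which is a com_err code: up to four characters of the error-table name packed six bits each into the upper bits, and the per-table offset in the low 8 bits, printed as a negative number because the packed value wraps on a 32-bit long. The decoder below is an added example, not from the thread or from MIT. It unpacks the table name and offset and maps krb5 offsets through a hand-copied subset of the MIT krb5 error table (only the entries listed in the code; anything else is reported by offset). The sample log line is a constructed copy of Dane's.

```python
"""Decode the com_err code behind a line like "unknown RPC error (-1765328352)"."""
import re

# com_err packs up to four characters of the error-table name, six bits each using
# this 1-based alphabet, above an 8-bit per-table offset; on a 32-bit long the
# packed "krb5" base wraps to a negative number, which is why kinit and aklog
# print codes like -1765328352.
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Hand-copied subset of the MIT krb5 error table (offsets are the RFC 4120 codes).
KRB5_ERRORS = {
    6:  ("KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN", "Client not found in Kerberos database"),
    7:  ("KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN", "Server not found in Kerberos database"),
    23: ("KRB5KDC_ERR_KEY_EXP", "Password has expired"),
    24: ("KRB5KDC_ERR_PREAUTH_FAILED", "Preauthentication failed"),
    31: ("KRB5KRB_AP_ERR_BAD_INTEGRITY", "Decrypt integrity check failed"),
    32: ("KRB5KRB_AP_ERR_TKT_EXPIRED", "Ticket expired"),
    33: ("KRB5KRB_AP_ERR_TKT_NYV", "Ticket not yet valid"),
    37: ("KRB5KRB_AP_ERR_SKEW", "Clock skew too great"),
}

# Constructed copy of the line from the thread.
SAMPLE_LINE = "aklog: unknown RPC error (-1765328352) while getting AFS tickets"
CODE_RE = re.compile(r"\((-?\d{4,})\)")


def com_err_code(table, offset):
    """Pack a table name and offset the way com_err does, as a signed 32-bit value."""
    if not 1 <= len(table) <= 4 or not 0 <= offset <= 255:
        raise ValueError("table name must be 1-4 characters, offset 0-255")
    packed = 0
    for ch in table:
        packed = (packed << 6) | (_ALPHABET.index(ch) + 1)
    value = (packed << 8) | offset
    return value - (1 << 32) if value >= (1 << 31) else value


def decode_com_err(code):
    """Return (table_name, offset); accepts the wrapped negative form of the code."""
    unsigned = code & 0xFFFFFFFF
    packed, offset = unsigned >> 8, unsigned & 0xFF
    name = ""
    for shift in (18, 12, 6, 0):
        six = (packed >> shift) & 0x3F
        if six:                                  # zero groups pad short table names
            name += _ALPHABET[six - 1]
    return name, offset


def explain(code):
    """Human-readable form of a code; krb5 offsets outside the subset are still named."""
    table, offset = decode_com_err(code)
    if table != "krb5":
        return f"{code}: offset {offset} in com_err table '{table}'"
    sym, text = KRB5_ERRORS.get(offset, (f"krb5 offset {offset}", "not in the subset above"))
    return f"{code}: {sym} ({text})"


def explain_log_line(line):
    """Explain the parenthesised code in an error line, or None when there is none."""
    m = CODE_RE.search(line)
    return explain(int(m.group(1))) if m else None


if __name__ == "__main__":
    print(explain_log_line(SAMPLE_LINE))
```

-1765328352 decodes to table krb5, offset 32, which is KRB5KRB_AP_ERR_TKT_EXPIRED ("Ticket expired"), matching the root cause Dane found: stale tickets after the screensaver unlock. The same decoder works on any negative code printed by a com_err-based tool; only the krb5 table is spelled out here.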
From kreymer@fnal.gov Wed Jul 18 12:25:14 2001 -0500
Date: Wed, 18 Jul 2001 12:25:11 -0500 (CDT)
From: Yen-Chu Chen
Subject: ftp error
To: FNAL Kerberos-Pilot list

Hi,

Using CryptoCard I tried to ftp to hycppc05 from my notebook at the lab
using dhcp. I got the following error.

550 Can't set uid.
Login failed.

I can login to hycppc05 using CryptoCard without any problem.

--
Best regards,
Yen-Chu Chen
chenyc@fnal.gov
Office: (630) 840-5403, FAX: (630) 840-2968
(886)-(2)-2789-9681 (Inst. of Phys., Academia Sinica)

From kreymer@fnal.gov Wed Jul 18 13:12:25 2001 -0500
Date: Wed, 18 Jul 2001 13:12:18 -0500 (CDT)
From: Dane Skow
Subject: Re: odd error message from aklog when using expired tickets
To: Steven Timm
Cc: kerberos-users@fnal.gov

On Wed, 18 Jul 2001, Steven Timm wrote:

> ------------------------------------------------------------------
> Steven C. Timm (630) 840-8525 timm@fnal.gov http://home.fnal.gov/~timm/
> Fermilab Computing Division/Operating Systems Support
> Scientific Computing Support Group--Computing Farms Operations
>
> On Wed, 18 Jul 2001, Dane Skow wrote:
>
> > Just to pass on a translation of an odd error message:
> >
> > Here's what I saw this morning:
> >
> > [dane@unferth include]$ aklog
> > aklog: Couldn't get fnal.gov AFS tickets:
> > aklog: unknown RPC error (-1765328352) while getting AFS tickets
> >
> > Whose root cause turned out to be that I had failed to get
> > fresh tickets from my screensaver unlock (one reason why I've
> > been quiet on that recently). A fresh kinit cleared this right up.
> >
> Is there any way to get the screensaver to not change the
> ownership of the credentials cache file to root?

I don't have this problem so we should compare notes.

d

> I have somehow convinced my screensaver (and by extension my kde display)
> to use a different credentials cache file than that used
> by the PAM module but I'm not sure how I did it.
>
> Steve
>
> > FYI.
> >
> > dane
> >

From kreymer@fnal.gov Wed Jul 18 13:42:11 2001 -0500
Date: Wed, 18 Jul 2001 13:41:38 -0500
From: Matt Crawford
Subject: Re: ftp error
In-reply-to: "18 Jul 2001 12:25:11 CDT."
To: Yen-Chu Chen
Cc: FNAL Kerberos-Pilot list
Message-id: <200107181841.f6IIfdF20527@gungnir.fnal.gov>

> 550 Can't set uid.

I get the same thing if I try to ftp to that host as anonymous. I think
your ftpd is not running as root! Let's see your inetd.conf.

---- ---- ---- ---- ---- ---- ---- ----
I will be away July 24 to August 14.

Please make a habit of sending your Kerberos questions to
kerberos-users@fnal.gov or helpdesk@fnal.gov. Other computer security
issues which are not related to (actual or suspected) incidents can be sent
to nightwatch@fnal.gov. Anything about incidents should, as always, go to
computer_security@fnal.gov.

From kreymer@fnal.gov Wed Jul 18 14:34:20 2001 -0500
Date: Wed, 18 Jul 2001 14:34:18 -0500
From: Nuha Elmaghrabi
Subject: Uninstall
To: kerberos-users@fnal.gov
Message-id: <3B55E4BA.D39963A1@fnal.gov>
Organization: Fermi Lab

Hello -

How do I uninstall Kerberos?

Thanks,
Nuha