
Re: Problem with name resolving, or what?



Try to do a 'klist -v', you will then see which IP-addresses are put in
the different tickets. Also try to do that AFTER you fail to log in to see
what tickets you have after the failure (and with which tickets).

When you request a ticket with Krb5 the client will need to put in the
IP-address and if your client for some reason has the wrong idea of what
its IP-address is (like when using NAT) then it will fail. By using 'klist
-v' you can see what the client really has put in the tickets.

/thn

Måns Nilsson wrote:
> 
> Client: Heimdal on OpenBSD
> Server Solaris 8 2/02, Heimdal. v.latest
> 
> Problem: When obtaining a ticket *with* IP address info, server refuses
> login. When using --no-addresses (like when traversing NAT stuff) it works.
> 
> Both hosts are on the same LAN,
> DNS works, both ways,
> the KDC is on the same LAN too,
> all machines have their FQDN as output of uname -n,
> and I've in general followed the advice I collected last time I did make a
> fool of myself in this august forum.
> 
> Suggestions?
> 
> Debug output:
> 
> $ klist
> Credentials cache: FILE:/tmp/krb5cc_1004
>         Principal: mansaxel@SUNET.SE
> 
>   Issued           Expires          Principal
> Jun  6 19:29:27  Jun  7 05:28:29  krbtgt/SUNET.SE@SUNET.SE
> 
> v4-ticket file: /tmp/tkt1004
> Principal:      mansaxel@SUNET.SE
> 
>   Issued           Expires          Principal
> Jun  6 19:29:27  Jun  7 05:29:27  krbtgt.SUNET.SE@SUNET.SE
> $ telnet -x yebisu
> Encryption is verbose
> Trying 192.36.125.136...
> Connected to yebisu.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/yebisu.pilsnet.sunet.se@SUNET.SE)... ]
> [ Kerberos V5 refuses authentication because Read req failed: Incorrect net
> address ]
> [ Trying KERBEROS5 (host/yebisu.pilsnet.sunet.se@SUNET.SE)... ]
> [ Kerberos V5 refuses authentication because Read req failed: Incorrect net
> address ]
> [ Trying mutual KERBEROS4 (rcmd.yebisu@SUNET.SE) ... ]
> mk_req failed: Principal unknown (kerberos)
> [ Trying KERBEROS4 (rcmd.yebisu@SUNET.SE) ... ]
> mk_req failed: Principal unknown (kerberos)
> telnetd: Authorization failed.
> Connection closed by foreign host.
> $ uname -a
> OpenBSD slimsixten.pilsnet.sunet.se 3.1 SLIMSIXTEN#1 i386
> $ dig slimsixten.pilsnet.sunet.se +short
> 192.36.125.115
> $ kdestroy
> 
> $ kauth --no-addresses
> mansaxel@SUNET.SE's Password:
> $ telnet -x yebisu
> Encryption is verbose
> Trying 192.36.125.136...
> Connected to yebisu.
> Escape character is '^]'.
> [ Trying mutual KERBEROS5 (host/yebisu.pilsnet.sunet.se@SUNET.SE)... ]
> [ Kerberos V5 accepts you as ``mansaxel@SUNET.SE'' ]
> [ Output is now encrypted with type DES_CFB64 ]
> [ Input is now decrypted with type DES_CFB64 ]
> Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
> yebisu.pilsnet.sunet.se$ nslookup 192.36.125.115
> Server:  resolver.sunet.se
> Address:  192.36.125.14
> 
> Name:    slimsixten.pilsnet.sunet.se
> Address:  192.36.125.115
> 
> yebisu.pilsnet.sunet.se$
> 
> --
> Måns Nilsson            Systems Specialist
> +46 70 681 7204         KTHNOC  MN1334-RIPE
> 
> We're sysadmins. To us, data is a protocol-overhead.

--
---------------------------------------------------------------
Svensk Aktuell Elektronik AB                     Thomas Nyström
Box 10                                    Phone: +46 8 35 92 85
S-191 21  Sollentuna                     Fax: +46 8 59 47 45 36
Sweden                                      Email: thn@saeab.se
---------------------------------------------------------------
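Added example, not part of the original thread: a small Python check that reads the address list from verbose `klist` output and applies the rule a Kerberos 5 service uses, comparing it with the source address the server sees (192.36.125.115 is the client address from the `dig` output above). The `Server:`/`Addresses:` field layout and the ticket address 192.0.2.10 are assumptions made for the sample, not values from the thread.

```python
import ipaddress
import re

# Constructed samples modelled on a verbose ticket listing. The field layout
# is an assumption and 192.0.2.10 is an invented (documentation) address.
WITH_ADDRESS = """\
Server: krbtgt/SUNET.SE@SUNET.SE
Ticket flags: forwardable, initial
Addresses: IPv4:192.0.2.10
"""
NO_ADDRESSES = WITH_ADDRESS.replace("IPv4:192.0.2.10", "addressless")

def parse_klist_v(text):
    """Return [(server_principal, [ip_address, ...]), ...] from verbose output."""
    tickets, server = [], None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Server":
            server = value
        elif key == "Addresses" and server is not None:
            addrs = []
            for item in re.split(r"[,\s]+", value):
                # Entries look like "IPv4:a.b.c.d"; "addressless" yields none.
                m = re.fullmatch(r"IPv[46]:(.+)", item)
                if m:
                    addrs.append(ipaddress.ip_address(m.group(1)))
            tickets.append((server, addrs))
            server = None
    return tickets

def address_check(ticket_addrs, peer_ip):
    """An addressless ticket is accepted from any source; otherwise the
    connection's source address must be one of those listed in the ticket."""
    if not ticket_addrs:
        return "accepted (addressless)"
    if ipaddress.ip_address(peer_ip) in ticket_addrs:
        return "accepted"
    return "Incorrect net address"

def report(klist_text, peer_ip):
    """Map each ticket's server principal to the verdict for peer_ip."""
    return {srv: address_check(addrs, peer_ip)
            for srv, addrs in parse_klist_v(klist_text)}

if __name__ == "__main__":
    for sample in (WITH_ADDRESS, NO_ADDRESSES):
        print(report(sample, "192.36.125.115"))
```

Run it against the real `klist -v` output with the address the server logs for the connection; a mismatch means the client put an address in the ticket that is not the one its traffic arrives from.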