Re: [netatalk-admins] Netatalk and AuthMan on Solaris 2.6 with a Kerberos 5 KDC


From: Buck Huppmann (Charles-Huppmann@UIowa.edu)
Date: Fri Aug 20 1999 - 12:10:13 EDT


--On Mon, Aug 9, 1999 11:37 PM -0400 "Leonard J. Peirce"
<peirce@lab2.cc.wmich.edu> wrote:

> We're trying to use netatalk and AuthMan on Solaris 2.6 and attempting to
> authenticate to a Kerberos 5 KDC. Everything (netatalk and AuthMan)
> builds and installs fine. With AuthMan, we can get authenticated but
> when we try to use the ticket to try to connect with AppleShare it fails.
>
> Logs on our Kerberos KDC show:
>
> Aug 06 16:48:17 kdc1.wmich.edu krb5kdc[16466](info): PROCESS_V4:Initial ticket request Host: 141.218.44.115 User: "testuser" ""
> Aug 06 16:48:34 kdc1.wmich.edu krb5kdc[16466](info): PROCESS_V4:APPL Request testuser.@WMICH.EDU on 141.218.44.115 for afpserver.neta
> Aug 06 16:48:34 kdc1.wmich.edu krb5kdc[16466](Error): PROCESS_V4:UNKNOWN "afpserver" "neta"

The problem, I'm guessing (as this is a problem I had with krb5 also), is
that your version of krb5 isn't doing v4 instance conversion for
``afpserver'' principals; i.e., it's not taking v4 principals with un-FQDNs
as their instances (e.g., ``afpserver.neta@WMICH.EDU'') and mapping them to
v5 principals with FQDNs as their instances (e.g.,
``afpserver/neta.wmich.edu@WMICH.EDU'' or whatever). This results in a kdc
lookup failure. (Most humble plea of any krb5 hackers reading this list: it
would be nice if instance conversion was configurable instead of hard-coded.)

This is fixed in krb5 patchlevel 1.0.6, and the particular patch you need
I've included below (hopefully, not in defiance of any commerce department
regs).

--
buck huppmann
pediatrics, university of iowa, iowa city, us

--- Patch from MIT's krb5-1.0.5-krb5-1.0.6.diff.gz ---

diff -N -c -r krb5-1.0.5/src/lib/krb5/krb/conv_princ.c krb5-1.0.6/src/lib/krb5/krb/conv_princ.c *** krb5-1.0.5/src/lib/krb5/krb/conv_princ.c Fri Feb 6 22:44:51 1998 --- krb5-1.0.6/src/lib/krb5/krb/conv_princ.c Mon May 10 23:37:02 1999 *************** *** 67,72 **** --- 67,106 ---- {"imap", "imap", DO_REALM_CONVERSION}, {"ftp", "ftp", DO_REALM_CONVERSION}, {"ecat", "ecat", DO_REALM_CONVERSION}, + {"daemon", "daemon", DO_REALM_CONVERSION}, + {"gnats", "gnats", DO_REALM_CONVERSION}, + {"moira", "moira", DO_REALM_CONVERSION}, + {"prms", "prms", DO_REALM_CONVERSION}, + {"mandarin", "mandarin", DO_REALM_CONVERSION}, + {"register", "register", DO_REALM_CONVERSION}, + {"changepw", "changepw", DO_REALM_CONVERSION}, + {"sms", "sms", DO_REALM_CONVERSION}, + {"afpserver", "afpserver", DO_REALM_CONVERSION}, + {"gdss", "gdss", DO_REALM_CONVERSION}, + {"news", "news", DO_REALM_CONVERSION}, + {"abs", "abs", DO_REALM_CONVERSION}, + {"nfs", "nfs", DO_REALM_CONVERSION}, + {"tftp", "tftp", DO_REALM_CONVERSION}, + {"zephyr", "zephyr", DO_REALM_CONVERSION}, + {"http", "http", DO_REALM_CONVERSION}, + {"khttp", "khttp", DO_REALM_CONVERSION}, + {"pgpsigner", "pgpsigner", DO_REALM_CONVERSION}, + {"irc", "irc", DO_REALM_CONVERSION}, + {"mandarin-agent", "mandarin-agent", DO_REALM_CONVERSION}, + {"write", "write", DO_REALM_CONVERSION}, + {"palladium", "palladium", DO_REALM_CONVERSION}, + {"news", "news", DO_REALM_CONVERSION}, + {"abs", "abs", DO_REALM_CONVERSION}, + {"nfs", "nfs", DO_REALM_CONVERSION}, + {"tftp", "tftp", DO_REALM_CONVERSION}, + {"zephyr", "zephyr", DO_REALM_CONVERSION}, + {"http", "http", DO_REALM_CONVERSION}, + {"khttp", "khttp", DO_REALM_CONVERSION}, + {"pgpsigner", "pgpsigner", DO_REALM_CONVERSION}, + {"irc", "irc", DO_REALM_CONVERSION}, + {"mandarin-agent", "mandarin-agent", DO_REALM_CONVERSION}, + {"write", "write", DO_REALM_CONVERSION}, + {"palladium", "palladium", DO_REALM_CONVERSION}, {0, 0, 0}, };
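Review bot: The twelve rows from {"news", "news", DO_REALM_CONVERSION} through {"palladium", "palladium", DO_REALM_CONVERSION} are added twice, back to back, in this hunk, so the second run is redundant and should be dropped before the {0, 0, 0} terminator. The row that addresses the KDC error quoted above is {"afpserver", "afpserver", DO_REALM_CONVERSION}. Since every service name still has to be listed in source, a short comment above the new rows saying which services they cover would make the table easier to audit.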


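The instance conversion described in the message above, modelled as a small C program. This is an added example, not MIT's conv_princ.c and not part of the original message. The row type, the function name conv_425, the flag value and the wmich.edu domain are assumptions; the table rows are the ones visible in the patch.

```c
#include <stdio.h>
#include <string.h>
#define DO_REALM_CONVERSION 1   /* flag name from the patch; value assumed */
/* Hypothetical row type modelled on the table rows shown in the patch. */
struct conv_row { const char *v4; const char *v5; int flags; };
/* Rows visible as unchanged context in the patch: no afpserver in 1.0.5. */
static const struct conv_row table_105[] = {
    {"imap", "imap", DO_REALM_CONVERSION},
    {"ftp", "ftp", DO_REALM_CONVERSION},
    {"ecat", "ecat", DO_REALM_CONVERSION},
    {0, 0, 0},
};
/* Same rows plus the afpserver row that the 1.0.6 patch adds. */
static const struct conv_row table_106[] = {
    {"imap", "imap", DO_REALM_CONVERSION},
    {"ftp", "ftp", DO_REALM_CONVERSION},
    {"ecat", "ecat", DO_REALM_CONVERSION},
    {"afpserver", "afpserver", DO_REALM_CONVERSION},
    {0, 0, 0},
};

/* Map v4 name.inst@REALM to a v5 name. A short instance gets ".domain"
 * appended only when the service is listed with DO_REALM_CONVERSION.
 * Returns 0 on success, -1 if the result does not fit in out. */
int conv_425(const struct conv_row *t, const char *name, const char *inst,
             const char *realm, const char *domain, char *out, size_t len)
{
    int expand = 0, n;
    for (; t->v4; t++)
        if (strcmp(t->v4, name) == 0) {
            name = t->v5;
            expand = t->flags & DO_REALM_CONVERSION;
            break;
        }
    if (expand && inst[0] && !strchr(inst, '.'))
        n = snprintf(out, len, "%s/%s.%s@%s", name, inst, domain, realm);
    else if (inst[0])
        n = snprintf(out, len, "%s/%s@%s", name, inst, realm);
    else
        n = snprintf(out, len, "%s@%s", name, realm);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

int main(void)
{
    char p[128];
    conv_425(table_105, "afpserver", "neta", "WMICH.EDU", "wmich.edu", p, sizeof p);
    printf("1.0.5 table: %s\n", p);
    conv_425(table_106, "afpserver", "neta", "WMICH.EDU", "wmich.edu", p, sizeof p);
    printf("1.0.6 table: %s\n", p);
}
```

With the 1.0.5 rows the short instance is passed through unchanged, which is the name the KDC log reports as UNKNOWN; with the afpserver row present the lookup is made against the FQDN form.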

This archive was generated by hypermail 2b28 : Sat Dec 18 1999 - 16:17:05 EST