Title: USG buildhelp questions/answers
Moderator: SMURF::FILTER
Created: Mon Apr 26 1993
Last Modified: Mon Jan 20 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 2763
Total number of notes: 5802
1027.0. "FWD: mail i sent to brian mccarthy" by SMURF::FILTER (Automatic Posting Software - mail to flume::puck) Tue Oct 25 1994 12:18
Date Of Receipt: 25-OCT-1994 11:29:30.88
From: FLAMBE::"[email protected]"
To: flambe::odehelp
CC:
Subj: FWD: mail i sent to brian mccarthy
When you do a kinit, you get a ticket, and embedded in that is your ip
address. An accept() on a socket is done, which gives the from_address,
i.e. your client address.
When you connect to the ode server, you also do an accept() on a socket
and get your from_address. The from_address embedded in your ticket
needs to match your from_address when you connect to the ode server.
And if the 2 addresses don't match, kerberos considers you an intruder.
The reason you get 2 different ip addresses is that wasted has 2 ip
addresses. When you do a kinit you go out one subnet and
when you connect to the ode server you go out another ip subnet,
and thus you are using the 2 different ip addresses.
As Jo explains below the kerberos slave uses one subnet, the
ode server uses a different subnet, and the client has subnets.
There can be 2 fixes:
1) modify your routing tables
2) modify your /etc/krb.conf on wasted to control which
subnet you go out on to get your ticket.
This is a kerberos "problem" or feature. We have sent mail to
the DECathena folks. Would also like to send mail to the ULTRIX
kerberos folks, since they would be worth talking to about this.
At one point Brian McCarthy was my kerberos
contact. We haven't heard from him. Do you know who in zk3 is
the kerberos expert these days? It is in the sendauth()
(send authentication) and recvauth() (receive authentication)
part of kerberos that is doing the check for intrusion.
Tina
From: DECWET::JO "The minute you leave New York, you're out of town"
6-OCT-1994 09:33:15.24
To: RUSURE::MCCARTHY
CC: FLAMBE::JMF, MINSRV::GLIDDEN, ODE,JO
Subj: kerberos problem on multiple subnets
hi brian,
tina anderson mentioned that you were her most recent contact
with the kerberos group. if you're not, i hope that you can forward
this and point us to the appropriate person.
a problem with kerberos has surfaced in the following manner.
scenario:
client node - has 2 network interfaces
oleum (also the hostname) on subnet 0
oleumx2 (second interface) on subnet 32
kerberos slave, vindo, on subnet 16
application server, windup, on subnet 32
1. user on client node, does kinit getting a ticket with the address on
subnet 32
2. user invokes application, making a connection with the server
over the second interface on subnet 64. application server goes to
verify the client and fails due to the difference in network addresses
found in the ticket and what's given by the client.
problem: kinit goes over one interface using one address and the
application goes over another interface using the other address
causing the address mismatch.
have you found a solution to this problem? an increasing number of
workstations with multiple network interfaces are coming into use and one
of the advantages for that is to be able to assign different network
addresses for the same node including addresses on a different subnet.
we appreciate any help you'll be able to give us. thanks.
jo fujii
DECode Group at DECwest
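A small Python model, added here and not taken from the note or from DEC's Kerberos sources, of the check Tina describes and the routing fix she lists first: a route lookup picks the client's source address, the ticket records the address used to reach the kerberos slave, and recvauth() compares it with the peer address accept() reports. The addresses, masks and routing tables are constructed placeholders for the subnets in Jo's scenario.

```python
import ipaddress

# Constructed placeholders (/28 subnets so that "subnet 0/16/32" are distinct blocks).
INTERFACES = {
    "oleum":   ipaddress.ip_interface("10.0.0.5/28"),   # first interface, subnet 0
    "oleumx2": ipaddress.ip_interface("10.0.0.37/28"),  # second interface, subnet 32
}
KDC_ADDR = ipaddress.ip_address("10.0.0.20")     # kerberos slave "vindo", subnet 16
SERVER_ADDR = ipaddress.ip_address("10.0.0.40")  # application server "windup", subnet 32


def source_address(routes, dest):
    """Longest-prefix-match lookup: returns the interface address packets to dest leave from."""
    best = None
    for prefix, ifname in routes:
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    if best is None:
        raise LookupError(f"no route to {dest}")
    return INTERFACES[best[1]].ip


def kinit(routes):
    """Model of kinit: the ticket carries the client address used to reach the KDC."""
    return {"client_addr": source_address(routes, KDC_ADDR)}


def recvauth(ticket, peer_addr):
    """Model of the server-side check in recvauth(): ticket address must equal accept()'s peer."""
    return ticket["client_addr"] == peer_addr


def run(routes):
    """Returns (address in ticket, address the server sees, whether recvauth() accepts)."""
    ticket = kinit(routes)
    peer = source_address(routes, SERVER_ADDR)  # from_address the ode server gets on accept()
    return ticket["client_addr"], peer, recvauth(ticket, peer)


# Routing as in the note: default route out oleum, direct route to subnet 32 out oleumx2.
# kinit to vindo leaves via oleum, the application connect to windup via oleumx2: mismatch.
ROUTES_BROKEN = [("0.0.0.0/0", "oleum"), ("10.0.0.32/28", "oleumx2")]
# Fix 1 (routing table): a host route so KDC traffic also leaves via oleumx2.
ROUTES_FIXED = ROUTES_BROKEN + [("10.0.0.20/32", "oleumx2")]

if __name__ == "__main__":
    for name, routes in (("broken", ROUTES_BROKEN), ("fixed", ROUTES_FIXED)):
        print(name, run(routes))
```

Running it shows the ticket address differing from the peer address under the first routing table and matching under the second, which is exactly the condition recvauth() rejects as an intruder.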