[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Failed primary KDC - Can't login

To: kerberos <kerberos@mit.edu>
Subject: Re: Failed primary KDC - Can't login
From: Turbo Fredriksson <turbo@bayour.com>
Date: 10 Aug 2002 14:50:02 +0200
Cc: openldap-software@OpenLDAP.org
In-reply-to: <tx1r8h74x4z.fsf@mit.edu>
Organization: LDAP/Kerberos expert wannabe
References: <878z3j56la.fsf@papadoc.bayour.com> <tx1r8h74x4z.fsf@mit.edu>
User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7

Quoting Ken Raeburn <raeburn@MIT.EDU>:

> Turbo Fredriksson <turbo@bayour.com> writes:
> > I've set up two KDC's (kerberos1/rmgztk and kerberos2/morwen) and a
> > client (tuzjfi).
> 
> How do you pronounce "rmgztk"? :-)

I don't! :) All my SPARC's got names from a randomizer that a friend wrote
2 years ago (I was (un)happy to find a copy :). Unfortunatly I just took
them as they where, I never thought about PRONOUNCING them! :)

To late to change now though... Don't know how much I'll break if change it...

> > The second line comes just before I get 'login timed out ...', but it
> > seems like it's succeeding!
> 
> Yes, it does.  I don't think this is a problem with timeouts in the
> Kerberos code.

Neither do I, that's why I Cc'ed the OpenLDAP list. I more suspect a problem
with libnss-ldap/libpam-ldap (hence the openldap libs).

> > One thing that I thought of was that there's no KAdmin (krb524d) running
> > on kerberos2. Do I really _HAVE_ to run one? Kerberos2 is 'never' going
> > to be the master, it's just to authenticate users/services while kerberos1
> > is down (hopfully a very short time :)...
> 
> Don't confuse kadmin and krb524d.

Sorry, cut and past error. But I get your point (see below)... 

> I'm not familiar with the krb5 PAM module.  If it or other software is
> trying to get krb4 tickets during the login process, and doing it via
> krb524 (instead of a separate krb4 initial ticket request with
> password), that could add a similar delay of probably around 22
> seconds.  (Total 21 seconds waiting for responses from kerberos1 after
> three attempts to reach it, plus however long it takes to get back
> "port unreachable" messages from kerberos2.)

Hmmm... This I have to test. Thanx.

Nope. Don't seem to make any difference... The reason there was no krb524d
was because of configuration errors. This is now rectified. Thanx.

Morwen cut&past on tty2, login on tty3 (less than one second later) on the
client (tuzjfi):
----- s n i p -----
morwen:~# date ; tail -f /var/log/kerberos/krb5kdc.log -n0 /var/log/syslog
Sat Aug 10 14:36:06 CEST 2002
==> /var/log/kerberos/krb5kdc.log <==

==> /var/log/syslog <==
Aug 10 14:36:38 morwen tcplogd: ldap connection attempt from tuzjfi.bayour.com [192.168.1.4]

==> /var/log/kerberos/krb5kdc.log <==
Aug 10 14:36:58 morwen krb5kdc[4849](info): AS_REQ (3 etypes {16 1 3}) 192.168.1.4(88): NEEDED_PREAUTH: turbo@BAYOUR.COM for krbtgt/BAYOUR.COM@BAYOUR.COM, Additional pre-authentication required
----- s n i p -----

Aprox 7 seconds later, login times out on tty3... So it takes aprox 30
seconds before the LDAP request comes to kerberos2 (morwen), then an additional
20 seconds later, the kerberos request succeeds...

So it points more and more to a OpenLDAP problem...

> Something else you might try is getting "port unreachable" errors sent
> back from the address of kerberos1.  If your router can't do it
> (packet filter settings?)

No router (and when live, no access to it).

> bring up a machine on that address (or
> configure an extra address on another box) that's not running any of
> those services, so that you don't need to wait for the timeout.  Then
> perhaps both Kerberos and LDAP can fall back to kerberos2 more
> quickly.

That's an idea, but I'm not (exactly) sure how to do that...

The plan is (when I'm _ABSOLUTLY_ sure everything works as I expect it) is
as follows.

Papadoc (my current do-it-all server on the net) is currently running LDAP,
Kerberos and AFS. The first two services is to be removed, and insted move
to kerberos1 (rmgztk) and kerberos2 (morwen).

Between papadoc and rmgztk I'll have a serial link, which 'heartbeat' uses
to see if papadoc is dead or alive. If dead, it (kerberos1) takes over SOME
of the services. Basically a slim http server answering _ALL_ urls etc papadoc
listens to, saying that papadoc is dead. Also using qmail to spool mail which
is later sent to papadoc for processing. Just so that I don't lose any mails
while it's dead...

IF kerberos1 dies, I can still use kerberos2 to authenticate (the idea is to
have a FOURTH machine that have the AFS space etc). 

The idea is to have a 'fully redundant' system...

Now, since I have a serial cable between papadoc/kerberos1, this means that
I can't do the same between kerberos1 and kerberos2. The SPARC's (SS4) that
I have only have ONE serial port... :(

I have tried to setup 'heartbeat' to use the network, but have not been
successful. And even if I manage to do this, it would make a more complex
system. If it can't be resolved any other way, I'll guess I have to bite
the bullet :)

References:
- Failed primary KDC - Can't login
  - From: Turbo Fredriksson <turbo@bayour.com>

Prev by Date: Re: Solaris instability: maybe the monitor backend?
Next by Date: Re: Perplexed
Index(es):
- Chronological
- Thread