Subject : Re: LUG: Kerberos Ports

From : Jack Neely <jjneely@pams.ncsu.[redacted]>

Date : Mon, 30 Jan 2006 11:33:51 -0500


On Fri, Jan 27, 2006 at 02:41:15PM -0500, Bryan Burroughs wrote:
> Jack Neely wrote:
>
> >On Fri, Jan 27, 2006 at 10:09:43AM -0500, Bryan Burroughs wrote:
> >
> >
> >>Welp, I finally got my realmkit machine installed and up and running,
> >>but I can't seem to access the NCSU authentication servers. I'm
> >>guessing its a firewall issue, so I tried opening up port 88 (seems to
> >>be kerberos) but I still can't log in with my unity information. I made
> >>sure to add my ID to the list of users who can sign on, as well. Are
> >>there any more ports that I need to open up?
> >> Bryan Burroughs
> >>
> >>--
> >>"It's a one dog town, and he's old and mean..."
> >> -- Garth Brooks
> >>
> >>
> >>
> >
> >Your user id is in /etc/users.local, correct?
> >
> >What does your /etc/krb5.conf file look like?
> >
> >Did the realmconfig service start at boot?
> >
> >Jack
> >
> >
> >
> All,
> realmconfig ran as it should have on the first boot. I didn't
> choose any crazy options and left my "department" as 'ncsu'.
> Figuring that the problem might be firewall related (I have a router
> in my room), I set the realm machine to be on the DMZ to avoid any port
> blockage, as well as disabling the firewall in Security Settings on the
> realm machine. Still isn't helping.
> My ID is in /etc/users.local, and the /etc/krb5.conf file looks as
> follows:
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = EOS.NCSU.EDU
> dns_lookup_realm = true
> dns_lookup_kdc = true
>
> [realms]
> EXAMPLE.COM = {
> kdc = kerberos.example.com:88
> admin_server = kerberos.example.com:749
> default_domain = example.com
> }
>
> EOS.NCSU.EDU = {
> kdc = kerberos-6.ncsu.edu:88
> kdc = kerberos-5.ncsu.edu:88
> kdc = kerberos-3.ncsu.edu:88
> kdc = kerberos-1.ncsu.edu:88
> kdc = kerberos-2.ncsu.edu:88
> kdc = kerberos-4.ncsu.edu:88
> admin_server = kerberos-master.ncsu.edu:749
> }
>
> [domain_realm]
> .example.com = EXAMPLE.COM
> example.com = EXAMPLE.COM
>
> [kdc]
> profile = /var/kerberos/krb5kdc/kdc.conf
>
>
> [appdefaults]
> pam = {
> debug = false
> ticket_lifetime = 36000
> renew_lifetime = 36000
> forwardable = true
> krb4_convert = false
> afs_cells = eos.ncsu.edu bp.ncsu.edu unity.ncsu.edu
> }
>
> [domain_realm]
> .ncsu.edu = EOS.NCSU.EDU
> ncsu.edu = EOS.NCSU.EDU
>
> ---------end of file
>
> Looking at the machine more, it seems as though the problem might be
> related to DNS. I didn't tinker w/ the DNS info at all, so what I am
> seeing should be what the standard install does. The primary is
> 152.1.1.248, secondary is 152.1.2.22, no tertiary. But, the name
> resolution problem is a bit wacky. I have no problem using a
> webbrowser, and even get a connection refused message if I try the
> kerberos-6.ncsu.edu address. However, if I try and ping it, it gives me
> an "unknown host error," both from the xTerm and Network Tools-->ping.
> In fact, no web address resolves using either method, though I can ping
> the IP address of these web addresses all day long.
> Just for kicks, I added a line to the krb5.conf file just now with
> the IP of kerberos-6 (152.1.2.124) and the port number, just to see what
> would happen. After reboot, I found that I still could not login w/ my
> unity ID.
> Finally, AFS fails to mount on system boot with an error code of 13
> (I guess, it's after "/afs" so I figure that's the error code), and the
> attempt to connect to timeserver.ncsu.edu fails due to Unknown host, but
> everything else loads with an "OK" next to it.
> Hope this helps, but it sure is one crazy thing goin on here...
> Thanks for the help!
>
> Bryan Burroughs
>
> --
> "It's a one dog town, and he's old and mean..."
> -- Garth Brooks
>

Cast aside those evil DNS servers!! Are you on resnet? The DNS servers
they seem to hand out via DHCP are not cool.

Edit /etc/resolv.conf and use 152.1.1.206 and 152.1.1.161. Then chattr
+i /etc/resolv.conf which is an evil hack to keep the DHCP daemons from
overwriting your DNS configuration. You should be able to lookup
servers now. More importantly you should be able to run "hes <userid>"
and get an answer. If hesiod doesn't resolve properly, that would keep
you from being able to log in and it is an extension of the DNS service.

Jack


--
Jack Neely <jjneely@ncsu.[redacted]>
Campus Linux Services Project Lead
PAMS Computer Operations at NC State University
GPG Fingerprint: 1917 5AC1 E828 9337 7AA4 EA6B 213B 765F 3B6A 5B89
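A quick, offline-runnable check of the point Jack makes above (whether the KDC names in krb5.conf resolve at all), written as an added example rather than anything from the thread; the config excerpt and the broken resolver are constructed stand-ins for the quoted file and the resnet DNS behaviour it describes:

```python
import re
import socket
# Constructed excerpt modelled on the krb5.conf quoted in the thread.
SAMPLE_KRB5_CONF = """
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
 EOS.NCSU.EDU = {
  kdc = kerberos-6.ncsu.edu:88
  kdc = kerberos-5.ncsu.edu
  admin_server = kerberos-master.ncsu.edu:749
 }
[domain_realm]
 .ncsu.edu = EOS.NCSU.EDU
"""
def parse_realm_servers(text):
    """Return {realm: [(role, host, port)]} from [realms]; a missing port gets the MIT default (88 kdc, 749 kadmin)."""
    servers, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].lower(), None   # new section: leave any open realm
        elif section != "realms":
            continue
        elif m := re.fullmatch(r"([\w.\-]+)\s*=\s*\{", line):
            realm = m.group(1)                          # "EOS.NCSU.EDU = {"
            servers.setdefault(realm, [])
        elif line == "}":
            realm = None
        elif realm and (m := re.fullmatch(r"(kdc|admin_server)\s*=\s*([\w.\-]+)(?::(\d+))?", line)):
            role, host, port = m.groups()               # host may also be a bare IP
            servers[realm].append((role, host, int(port or (88 if role == "kdc" else 749))))
    return servers

def unresolvable_hosts(servers, resolve=socket.gethostbyname):
    """Names that fail to resolve (sorted); an empty list means DNS is not the blocker."""
    bad = []
    for _, host, _ in (s for entries in servers.values() for s in entries):
        try:
            resolve(host)
        except OSError:                                 # socket.gaierror is an OSError
            bad.append(host)
    return sorted(set(bad))

# Constructed resolver mimicking the thread's symptom (campus names fail) so the check runs offline.
def broken_campus_resolver(host):
    if host.endswith(".ncsu.edu"):
        raise OSError("constructed: unknown host " + host)
    return "192.0.2.1"
```

Run against the real /etc/krb5.conf with the default `resolve`, a non-empty result points at the DNS servers before anything Kerberos-specific.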
