Subject : Re: LUG: Kerberos Ports

From : Bryan Burroughs <beburrou@ncsu.[redacted]>

Date : Fri, 27 Jan 2006 14:41:15 -0500

Jack Neely wrote:

>On Fri, Jan 27, 2006 at 10:09:43AM -0500, Bryan Burroughs wrote:
>
>
>>Welp, I finally got my realmkit machine installed and up and running,
>>but I can't seem to access the NCSU authentication servers. I'm
>>guessing it's a firewall issue, so I tried opening up port 88 (seems to
>>be kerberos) but I still can't log in with my unity information. I made
>>sure to add my ID to the list of users who can sign on, as well. Are
>>there any more ports that I need to open up?
>> Bryan Burroughs
>>
>>--
>>"It's a one dog town, and he's old and mean..."
>> -- Garth Brooks
>>
>>
>>
>
>Your user id is in /etc/users.local, correct?
>
>What does your /etc/krb5.conf file look like?
>
>Did the realmconfig service start at boot?
>
>Jack
>
>
>
All,
realmconfig ran as it should have on the first boot. I didn't
choose any crazy options and left my "department" as 'ncsu'.
Figuring that the problem might be firewall related (I have a router
in my room), I set the realm machine to be on the DMZ to avoid any port
blockage, as well as disabling the firewall in Security Settings on the
realm machine. Still isn't helping.
My ID is in /etc/users.local, and the /etc/krb5.conf file looks as
follows:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = EOS.NCSU.EDU
dns_lookup_realm = true
dns_lookup_kdc = true

[realms]
EXAMPLE.COM = {
kdc = kerberos.example.com:88
admin_server = kerberos.example.com:749
default_domain = example.com
}

EOS.NCSU.EDU = {
kdc = kerberos-6.ncsu.edu:88
kdc = kerberos-5.ncsu.edu:88
kdc = kerberos-3.ncsu.edu:88
kdc = kerberos-1.ncsu.edu:88
kdc = kerberos-2.ncsu.edu:88
kdc = kerberos-4.ncsu.edu:88
admin_server = kerberos-master.ncsu.edu:749
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

[kdc]
profile = /var/kerberos/krb5kdc/kdc.conf


[appdefaults]
pam = {
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
afs_cells = eos.ncsu.edu bp.ncsu.edu unity.ncsu.edu
}

[domain_realm]
.ncsu.edu = EOS.NCSU.EDU
ncsu.edu = EOS.NCSU.EDU

---------end of file

Looking at the machine more, it seems as though the problem might be
related to DNS. I didn't tinker w/ the DNS info at all, so what I am
seeing should be what the standard install does. The primary is
152.1.1.248, secondary is 152.1.2.22, no tertiary. But, the name
resolution problem is a bit wacky. I have no problem using a
web browser, and even get a connection refused message if I try the
kerberos-6.ncsu.edu address. However, if I try and ping it, it gives me
an "unknown host error," both from the xTerm and Network Tools-->ping.
In fact, no web address resolves using either method, though I can ping
the IP address of these web addresses all day long.
Just for kicks, I added a line to the krb5.conf file just now with
the IP of kerberos-6 (152.1.2.124) and the port number, just to see what
would happen. After reboot, I found that I still could not login w/ my
unity ID.
Finally, AFS fails to mount on system boot with an error code of 13
(I guess; it's after "/afs" so I figure that's the error code), and the
attempt to connect to timeserver.ncsu.edu fails due to Unknown host, but
everything else loads with an "OK" next to it.
Hope this helps, but it sure is one crazy thing goin on here...
Thanks for the help!

Bryan Burroughs

--
"It's a one dog town, and he's old and mean..."
-- Garth Brooks
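
An added example, not part of the original message: a small Python check that pulls the default realm's kdc entries out of a krb5.conf and reports which ones depend on hostname resolution, the failure the message describes. The embedded config is a constructed excerpt of the posted file, and `parse_kdcs` and `check_kdcs` are hypothetical helper names.

```python
import ipaddress
import socket
# Constructed excerpt of the posted krb5.conf, plus the IP-literal kdc line the poster added.
SAMPLE_KRB5_CONF = """\
[libdefaults]
 default_realm = EOS.NCSU.EDU
[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com:88
 }
 EOS.NCSU.EDU = {
  kdc = kerberos-6.ncsu.edu:88
  kdc = 152.1.2.124:88
 }
"""

def parse_kdcs(text):
    """Return (default_realm, [(host, port), ...]) for that realm's kdc lines."""
    section = realm = default_realm = None
    kdcs = {}
    for line in map(str.strip, text.splitlines()):
        key, _, value = (part.strip() for part in line.partition("="))
        if line.startswith("["):
            section, realm = line.strip("[]"), None
        elif line == "}":
            realm = None
        elif section == "libdefaults" and key == "default_realm":
            default_realm = value
        elif section == "realms" and value == "{":
            realm = key
        elif section == "realms" and realm and key == "kdc":
            host, _, port = value.partition(":")  # hostnames and IPv4 only
            kdcs.setdefault(realm, []).append((host, int(port or 88)))
    return default_realm, kdcs.get(default_realm, [])

def check_kdcs(text, resolve=socket.gethostbyname):
    """Label each default-realm KDC 'ip-literal', 'resolves' or 'dns-failure'."""
    (realm, kdcs), report = parse_kdcs(text), []
    for host, port in kdcs:
        status = "ip-literal"
        try:
            ipaddress.ip_address(host)
        except ValueError:  # not an address, so the client must resolve it
            try:
                resolve(host)
                status = "resolves"
            except OSError:  # socket.gaierror is a subclass of OSError
                status = "dns-failure"
        report.append((host, port, status))
    return realm, report
```

Called as `check_kdcs(open("/etc/krb5.conf").read())` on the affected machine, a `dns-failure` on every named KDC points at the resolver configuration rather than at a blocked port 88.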

