Greetings all: Here are some clog attempts with -servprinc defined -- whacked out for readability:
[r...@sandbox3 ~]# clog \
 -method kerberos5 [email protected] \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
-servprinc coda/sandbox3.host.domain
[r...@sandbox3 ~]# clog \
 -method kerberos5 [email protected] \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
-servprinc coda/[email protected]
[r...@sandbox3 ~]# clog \
 -method kerberos5 [email protected] \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
-servprinc coda/sandbox2.host.domain
[r...@sandbox3 ~]# clog \
 -method kerberos5 [email protected] \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
 -servprinc coda/[email protected]

I attempted the password three times for each clog command above -- twice with password correct, and once with password incorrect. When password was correct, I got the following:
Password for coda_admin_user/[email protected]:
Invalid login (RPC2_NOTAUTHENTICATED (F)).

When password was incorrect, I got the following:
krb5secret: Password incorrect
clog: failed to login to Kerberos

On the server host, the vice/auth2/AuthLog had the following entries corresponding to my tests:
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port

NOTE1: These log entries correspond to the "RPC2_NOTAUTHENTICATED" errors above. There are NO LOG ENTRIES corresponding to the "krb5secret: Password incorrect" errors.
NOTE2:  Meddled with logs in the following ways:
 Stripped out leading date & time stamps
 The following substitution was made:
    n???0?????????????????? ???????a???0????????????KERBEROS.REALM?)
    TOKEN?
Obfuscated text at "KERBEROS.REALM", "sandbox3_ipv6" and "random_port"

So, we know that clog is connecting to the auth2 daemon. I don't really know how the auth2 daemon is connecting to kerberos, but I suspect that may be the segment which is failing. I simply don't know if it is failing because of:
*) clog command-line
*) vice/server.conf misconfig
*) coda user incorrect (/vice/bin/pdbtool)
*) kerberos principal(s) incorrect (and subsequently, the keytab)

Undoubtedly it is a little of several of the above.
Regards,
-Don
{void}
