Greetings all:
Thought to check the kerberos logs, and found the following two unique entry
groupings for my correct password attempts:
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
NEEDED_PREAUTH: [email protected] for
coda/[email protected], Additional pre-authentication
required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18},
[email protected] for
coda/[email protected]
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
NEEDED_PREAUTH: [email protected] for
coda/[email protected], Additional pre-authentication
required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18},
[email protected] for
coda/[email protected]
NOTE1: It appears that clog appends KERBEROS.REALM to the principal if it
is not explicitly stipulated in the -servprinc option.
NOTE2: Log was meddled with in the following ways:
stripped out leading syslog style datestamp and hostname
stripped out krb5kdc pid in between []
obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain, epoch_time,
and KERBEROS.REALM
The following logs show an incorrect password attempt (even though
vice/auth2/AuthLog has no corresponding entry):
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
NEEDED_PREAUTH: [email protected] for
coda/[email protected], Additional pre-authentication
required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check
failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4:
PREAUTH_FAILED: [email protected] for
coda/[email protected], Decrypt integrity check failed
NOTE1: I don't know that this is particularly useful in my case beyond
abstract trivia
NOTE2: Log was meddled with in the following ways:
stripped out leading syslog style datestamp and hostname
stripped out krb5kdc pid in between []
obfuscated sandbox3_ipv4, kerberos_admin_user, host.domain,
and KERBEROS.REALM
did NOT touch "preauth (timestamp)" -- likely generic due to failure
Regards,
-Don
{void}
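As an added example (not part of the thread), a small Python parser that classifies the krb5kdc AS_REQ verdicts shown above (NEEDED_PREAUTH, ISSUE, PREAUTH_FAILED) per client principal and source address, so that a run of PREAUTH_FAILED entries can be surfaced; the sample lines are constructed in the shape of the obfuscated log, with placeholder host, address and realm values, and the AS_REQ line layout is assumed to be a single syslog line as MIT krb5kdc writes it.

```python
import re
from collections import Counter, defaultdict

# Constructed sample krb5kdc lines in the shape shown in the thread (the syslog
# date/host prefix and pid are stripped; hosts, address and realm are placeholders).
SAMPLE_LOG = """\
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.REALM for coda/sandbox3.example.test@EXAMPLE.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: ISSUE: authtime 1700000000, etypes {rep=18 tkt=18 ses=18}, admin@EXAMPLE.REALM for coda/sandbox3.example.test@EXAMPLE.REALM
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: NEEDED_PREAUTH: admin@EXAMPLE.REALM for coda/sandbox3.example.test@EXAMPLE.REALM, Additional pre-authentication required
krb5kdc[](info): preauth (timestamp) verify failure: Decrypt integrity check failed
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.10: PREAUTH_FAILED: admin@EXAMPLE.REALM for coda/sandbox3.example.test@EXAMPLE.REALM, Decrypt integrity check failed
"""

# One AS_REQ result line: source address, KDC verdict, then the rest of the message.
AS_REQ_RE = re.compile(r"AS_REQ \([^)]*\) (?P<src>\S+): (?P<status>[A-Z_]+): (?P<rest>.*)")
# The "client for service" pair appears in all three verdict lines shown in the thread.
PRINC_RE = re.compile(r"(?P<client>\S+@\S+) for (?P<service>[^,\s]+)")


def parse_as_req(line):
    """Return (src, status, client, service, detail) or None for non-AS_REQ lines."""
    m = AS_REQ_RE.search(line)
    if not m:
        return None
    p = PRINC_RE.search(m.group("rest"))
    if not p:
        return None
    # Text after the service principal, e.g. "Decrypt integrity check failed".
    detail = m.group("rest")[p.end():].lstrip(", ").strip()
    return (m.group("src"), m.group("status"), p.group("client"), p.group("service"), detail)


def summarize(log_text):
    """Count KDC verdicts per (client principal, source address).

    NEEDED_PREAUTH is the normal first round trip, not a failure; ISSUE means a
    ticket was granted; PREAUTH_FAILED means the encrypted timestamp did not
    decrypt with the client's key (wrong password or a key mismatch)."""
    counts = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_as_req(line)
        if rec:
            src, status, client, _service, _detail = rec
            counts[(client, src)][status] += 1
    return counts


def preauth_failure_alerts(log_text, threshold=1):
    """Return (client, src, failures) tuples with at least `threshold` PREAUTH_FAILED verdicts."""
    return [(c, s, v["PREAUTH_FAILED"]) for (c, s), v in summarize(log_text).items()
            if v["PREAUTH_FAILED"] >= threshold]


if __name__ == "__main__":
    for (client, src), verdicts in summarize(SAMPLE_LOG).items():
        print(client, src, dict(verdicts))
```

Raise the threshold when running this over a real KDC log so that a single mistyped password does not alert while a burst of failures against one principal does.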
root writes:
Greetings all:
Here are some clog attempts with -servprinc defined -- whacked out for
readability:
[r...@sandbox3 ~]# clog \
-method kerberos5 [email protected] \
-tokenserver sandbox2.host.domain 370 \
-krealm KERBEROS.REALM \
-kdc sandbox2.host.domain \
-servprinc coda/sandbox3.host.domain
[r...@sandbox3 ~]# clog \
-method kerberos5 [email protected] \
-tokenserver sandbox2.host.domain 370 \
-krealm KERBEROS.REALM \
-kdc sandbox2.host.domain \
-servprinc coda/[email protected]
[r...@sandbox3 ~]# clog \
-method kerberos5 [email protected] \
-tokenserver sandbox2.host.domain 370 \
-krealm KERBEROS.REALM \
-kdc sandbox2.host.domain \
-servprinc coda/sandbox2.host.domain
[r...@sandbox3 ~]# clog \
-method kerberos5 [email protected] \
-tokenserver sandbox2.host.domain 370 \
-krealm KERBEROS.REALM \
-kdc sandbox2.host.domain \
-servprinc coda/[email protected]
I attempted the password three times for each clog command above -- twice
with password correct, and once with password incorrect. When password
was correct, I got the following:
Password for coda_admin_user/[email protected]:
Invalid login (RPC2_NOTAUTHENTICATED (F)).
When password was incorrect, I got the following:
krb5secret: Password incorrect
clog: failed to login to Kerberos
On the server host, the vice/auth2/AuthLog had the following entries
corresponding to my tests:
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
Authentication failed for "TOKEN?" from [sandbox3_ipv6]:random_port
NOTE1: These log entries correspond to the "RPC2_NOTAUTHENTICATED" errors
above. There are NO LOG ENTRIES corresponding to the "krb5secret:
Password incorrect" errors.
NOTE2: Meddled with logs in the following ways:
Stripped out leading date & time stamps
The following substitution was made:
n???0?????????????????? ???????a???0????????????KERBEROS.REALM?)
TOKEN?
Obfuscated text at "KERBEROS.REALM", "sandbox3_ipv6" and "random_port"
So, we know that clog is connecting to the auth2 daemon. I don't really
know how the auth2 daemon is connecting to kerberos, but I suspect that
may be the segment which is failing. I simply don't know if it is failing
because of:
*) clog command-line
*) vice/server.conf misconfig
*) coda user incorrect (/vice/bin/pdbtool)
*) kerberos principal(s) incorrect (and subsequently, the keytab)
Undoubtedly it is a little of several of the above.
Regards,
-Don
{void}