From owner-freebsd-security Tue Jul 7 11:24:20 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA11091 for freebsd-security-outgoing; Tue, 7 Jul 1998 11:24:20 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from chipweb.ml.org (qmailr@c1003518-a.plstn1.sfba.home.com [24.1.82.47]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id LAA10993 for ; Tue, 7 Jul 1998 11:24:09 -0700 (PDT) (envelope-from ludwigp@bigfoot.com)
Received: (qmail 5531 invoked by uid 666); 7 Jul 1998 18:24:15 -0000
Received: from speedy.chipweb.ml.org (172.16.1.1) by inet.chipweb.ml.org with SMTP; 7 Jul 1998 18:24:15 -0000
Message-Id: <3.0.3.32.19980707112409.031f3894@mail.plstn1.sfba.home.com>
X-Sender: ludwigp@mail.plstn1.sfba.home.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.3 (32)
Date: Tue, 07 Jul 1998 11:24:09 -0700
To: joda@pdc.kth.se (Johan Danielsson)
From: Ludwig Pummer
Subject: Re: kerberos su problems betw 2 machines
Cc: security@FreeBSD.ORG
In-Reply-To:
References: <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sorry it's taken so long to reply... I'm responding to this reply, but I
also tried Narvi's suggestion of naming the server by IP in my krb.conf,
which didn't fix my problem.

At 11:23 PM 6/25/98 -0400, Johan Danielsson wrote:
>Ludwig Pummer writes:
>
>> On inet, logging in as ludwigp gives me my ticket. I can kinit to
>> ludwigp.root and get my ticket, but trying to do su gives me "su:
>> kerberos: unable to verify rcmd ticket: Incorrect network address
>> (krb_rd_req)".
>
>This is most likely (but not necessarily) due to some hostname/address
>mismatch. If your machines ip-address doesn't match the A record in
>DNS, you get these problems. Likewise if you have more than one
>interface and your hostname doesn't point to the one that you use to
>talk to your KDC.

This machine is multi-homed, but DNS is all set up properly.

ludwigp@inet% hostname
inet.chipweb.ml.org
ludwigp@inet% nslookup inet.chipweb.ml.org
Server: fortress.chipweb.ml.org
Address: 172.16.1.7

Name: inet.chipweb.ml.org
Address: 172.16.1.5

>Check what IP address the KDC thinks you are using
>by looking at the log. If you run multi-homed, you might also want to
>check the krb.equiv(5) man-page (this is not turned off in the FreeBSD
>dist, right?)

I have no krb.equiv and no manpage for it..but the log says:

7-Jul-1998 11:06:11: AS REQ ludwigp.@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: AS REQ ludwigp.root@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47

So the kerberos stuff looks like it's coming from 24.1.82.47? Why is that?
Could it be because the 24.1.82.47 interface is brought up first in rc.conf?

>If you successfully used a kerberized login, this is probably not your
>problem (depending on how paranoid your login is). Were you actually
>using a kerberized login, or did you login via normal password +
>kinit?

Yes, it's using kerberized login:

FreeBSD (inet.chipweb.ml.org) (ttyv4)

login: ludwigp
Password:
Last login: Tue Jul 7 11:07:59 on ttyv4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reversed.

FreeBSD 2.2.5-RELEASE (INET) #0...
....
ludwigp@inet% klist
Ticket file: /tmp/tkt1001
Principal: ludwigp@CHIPWEB.ML.ORG

Issued Expires Principal
Jul 7 11:13:53 Jul 7 19:13:53 krbtgt.CHIPWEB.ML.ORG@CHIPWEB.ML.ORG

--Thanks in advance
--Ludwig Pummer
ludwigp@bigfoot.com
ICQ UIN: 692441
http://chipweb.home.ml.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
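
The check suggested in the quoted reply (compare the address the KDC logs with the host's A record), written out as an added example that is not part of the original message. The log lines and addresses are copied from the message; the A_RECORDS table is an assumed stand-in for a DNS lookup so the script runs offline, and the function names are hypothetical.

```python
import re

# KDC log lines copied from the message above.
SAMPLE_LOG = """\
7-Jul-1998 11:06:11: AS REQ ludwigp.@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: AS REQ ludwigp.root@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47
"""

# Assumption: stand-in for the A record nslookup returned in the message.
A_RECORDS = {"inet.chipweb.ml.org": "172.16.1.5"}

# "<date> <time>: AS|APPL REQ <client> for <service> from <ipv4>"
LINE_RE = re.compile(
    r"^(?P<when>\S+ \S+): (?P<kind>AS|APPL) REQ (?P<client>\S+) "
    r"for (?P<service>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_kdc_log(text):
    """Yield one dict per request line; lines in another format are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def address_mismatches(text, hostname, a_records=A_RECORDS):
    """Requests whose source address differs from the host's A record."""
    expected = a_records[hostname]
    return [r for r in parse_kdc_log(text) if r["src"] != expected]


def summarize(text, hostname, a_records=A_RECORDS):
    """Return (expected_address, {unexpected_source: request_count})."""
    counts = {}
    for r in address_mismatches(text, hostname, a_records):
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    return a_records[hostname], counts


if __name__ == "__main__":
    expected, seen = summarize(SAMPLE_LOG, "inet.chipweb.ml.org")
    for src, n in seen.items():
        # The KDC stamps tickets with the address it saw, so a service
        # reached on a different address rejects them in krb_rd_req.
        print(f"{n} request(s) from {src}, but the A record is {expected}")
```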