Date: Tue, 07 Jul 1998 11:24:09 -0700
From: Ludwig Pummer <ludwigp@bigfoot.com>
To: joda@pdc.kth.se (Johan Danielsson)
Cc: security@FreeBSD.ORG
Subject: Re: kerberos su problems betw 2 machines
Message-ID: <3.0.3.32.19980707112409.031f3894@mail.plstn1.sfba.home.com>
In-Reply-To: <xofvhpoals5.fsf@blubb.pdc.kth.se>
References: <Ludwig Pummer's message of "Thu, 25 Jun 1998 12:25:41 -0700"> <3.0.3.32.19980625122541.006988b8@mail.plstn1.sfba.home.com>

Sorry it's taken so long to reply... I'm responding to this reply, but I
also tried Narvi's suggestion of naming the server by IP in my krb.conf,
which didn't fix my problem.

At 11:23 PM 6/25/98 -0400, Johan Danielsson wrote:
>Ludwig Pummer <ludwigp@bigfoot.com> writes:
>
>> On inet, logging in as ludwigp gives me my ticket. I can kinit to
>> ludwigp.root and get my ticket, but trying to do su gives me "su:
>> kerberos: unable to verify rcmd ticket: Incorrect network address
>> (krb_rd_req)".
>
>This is most likely (but not necessarily) due to some hostname/address
>mismatch. If your machine's ip-address doesn't match the A record in
>DNS, you get these problems. Likewise if you have more than one
>interface and your hostname doesn't point to the one that you use to
>talk to your KDC.

This machine is multi-homed, but DNS is all set up properly.

ludwigp@inet% hostname
inet.chipweb.ml.org
ludwigp@inet% nslookup inet.chipweb.ml.org
Server: fortress.chipweb.ml.org
Address: 172.16.1.7

Name: inet.chipweb.ml.org
Address: 172.16.1.5

>Check what IP address the KDC thinks you are using
>by looking at the log. If you run multi-homed, you might also want to
>check the krb.equiv(5) man-page (this is not turned off in the FreeBSD
>dist, right?)

I have no krb.equiv and no manpage for it..but the log says:

7-Jul-1998 11:06:11: AS REQ ludwigp.@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: AS REQ ludwigp.root@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47

So the kerberos stuff looks like it's coming from 24.1.82.47? Why is that?
Could it be because the 24.1.82.47 interface is brought up first in rc.conf?

>If you successfully used a kerberized login, this is probably not your
>problem (depending on how paranoid your login is). Were you actually
>using a kerberized login, or did you login via normal password +
>kinit?

Yes, it's using kerberized login:

FreeBSD (inet.chipweb.ml.org) (ttyv4)

login: ludwigp
Password:
Last login: Tue Jul 7 11:07:59 on ttyv4
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reversed.

FreeBSD 2.2.5-RELEASE (INET) #0... ....

ludwigp@inet% klist
Ticket file: /tmp/tkt1001
Principal: ludwigp@CHIPWEB.ML.ORG

Issued Expires Principal
Jul 7 11:13:53 Jul 7 19:13:53 krbtgt.CHIPWEB.ML.ORG@CHIPWEB.ML.ORG

--Thanks in advance
--Ludwig Pummer
ludwigp@bigfoot.com
ICQ UIN: 692441
http://chipweb.home.ml.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
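
The check suggested in the quoted reply (compare the address the KDC logged with the address the hostname resolves to), written out as an added example that is not part of the original message or of the Kerberos distribution. It assumes KDC log lines in the form quoted above; the function names are hypothetical.

```python
import ipaddress
import re

# Matches KDC log entries in the form shown in the message, e.g.
# "7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47"
# (assumption: every request line follows this layout)
KDC_LINE = re.compile(
    r"^(?P<when>\S+ \S+): (?P<kind>AS|APPL) REQ (?P<client>\S+) "
    r"for (?P<service>\S+) from (?P<src>\S+)$"
)

def parse_kdc_log(text):
    """Return one dict per request line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = KDC_LINE.match(line.strip())
        if not m:
            continue
        entry = m.groupdict()
        try:
            entry["src"] = ipaddress.ip_address(entry["src"])
        except ValueError:
            continue  # the "from" field was not an IP address
        entries.append(entry)
    return entries

def find_address_mismatches(log_text, host_addresses):
    """Requests whose source address is not one the hostname resolves to."""
    expected = {ipaddress.ip_address(a) for a in host_addresses}
    return [e for e in parse_kdc_log(log_text) if e["src"] not in expected]

# Log lines as quoted in the message; the A record is from its nslookup output.
SAMPLE_LOG = """\
7-Jul-1998 11:06:11: AS REQ ludwigp.@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: AS REQ ludwigp.root@CHIPWEB.ML.ORG for krbtgt.CHIPWEB.ML.ORG from 24.1.82.47
7-Jul-1998 11:06:27: APPL REQ ludwigp.root@CHIPWEB.ML.ORG for rcmd.inet from 24.1.82.47
"""
A_RECORDS = ["172.16.1.5"]

if __name__ == "__main__":
    for e in find_address_mismatches(SAMPLE_LOG, A_RECORDS):
        print(f"{e['when']} {e['kind']} REQ {e['client']} -> {e['service']}: "
              f"KDC saw {e['src']}, DNS says {', '.join(A_RECORDS)}")
```

On the sample above, all three requests are reported, because the KDC logged 24.1.82.47 while inet.chipweb.ml.org resolves to 172.16.1.5.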