
List:       kerberos
Subject:    [Fwd: Kerberos authentication problems in Keyserver project]
From:       Alex T Prengel <alexp () MIT ! EDU>
Date:       2010-09-09 22:38:18
Message-ID: 1284071898.3527.41.camel () dit

Forwarding this on jdreed's suggestion- apologies to those of you
getting it twice.

                               A.


From: Alex T Prengel <alexp@MIT.EDU>
To: "release-team@mit.edu" <release-team@mit.edu>
CC: Alex T Prengel <alexp@mit.edu>, Greg Hudson <ghudson@mit.edu>
Date: Thu, 9 Sep 2010 18:22:16 -0400
Subject: Kerberos authentication problems in Keyserver project
Message-ID: <1284070936.3527.26.camel@dit>

Hi,

I'm wondering if anyone on release-team can shed some light on an
intermittent problem the KeyServer pilot project is having with Kerberos
authentication for keyserved applications, or point me to a better place
to ask this.

The symptom is that at random intervals of one to several weeks, the
KeyServer's Kerberos authentication module locks up, and users
attempting to launch keyed applications get error messages like:  

KeyAccess could not log on to KeyServer because the authentication
process failed during negotiation with the server.

Stopping and restarting the KeyServer process seems to clear this
condition until it occurs again. 

Sassafras Software tech support tell us:

> it looks like Kerberos (on the server) has gone AWOL.  The log shows
> successful logins all through August and the first part of September,
> then today at 16:22 (presumably when users were being denied) there
> is a stream of these errors:
>
>      gss_accept_sec_context (507) failed (851968, -1765328213)
>      status: Generic unknown RC/IO error
>
> Error code -1765328213 is KRB5_RC_IO_UNKNOWN, might be a catch-all
> error code.  Google doesn't find much other than some mention of the
> credential cache code.  Since this is a Kerberos (GSSAPI) error there
> is little we can do about it in our code.  And since the error is not
> specific I don't have a suggestion for how to fix the problem other
> than to note that restarting the process seems to clear the condition.
>
> From what I can tell the error is local to the KS host and has
> nothing to do with the (remote) Kerberos server or the (remote) KA
> clients.  KS, like all Kerberos clients, links with the GSSAPI/Kerberos
> libraries where much of the real work is done.  These
> libraries maintain a large internal state on behalf of the calling
> process, and this is where the problem must be happening.  Restarting
> the KS process clears out the Kerberos library's (bad) state and
> creates a nice new working state.

The server host is a VM running RHEL 5.2; the libgssapi rpm is
libgssapi-0.10-2.

                                               Thanks,

                                                      Alex



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
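
The status pair in the log line quoted above can be decoded offline. The following is an added example, not part of the original message or of KeyServer: it splits the GSS major status into its RFC 2744 fields and the minor status into its com_err table name and offset. The function names and the SAMPLE lines are assumptions made for illustration, and the log format is assumed to be exactly as quoted.

```python
import re
from collections import Counter

# com_err packs the error-table name into the top 24 bits, 6 bits per character.
ET_CHARS = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
# RFC 2744 routine errors (bits 16-23 of the major status); partial list.
GSS_ROUTINE = {7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
               11: "GSS_S_CREDENTIALS_EXPIRED", 13: "GSS_S_FAILURE"}
# Only the minor code named in the message above; RC in krb5 names is the replay cache.
KNOWN_MINOR = {-1765328213: "KRB5_RC_IO_UNKNOWN"}
LINE_RE = re.compile(r"(gss_\w+) \(\d+\) failed \((\d+), (-?\d+)\)")

def decode_major(major):
    """Split a GSS major status into its three RFC 2744 bit fields."""
    return {"calling_error": (major >> 24) & 0xFF,
            "routine_error": (major >> 16) & 0xFF,
            "supplementary": major & 0xFFFF}

def com_err_table(code):
    """Return (table name, offset in table) for a signed 32-bit com_err code."""
    u = code & 0xFFFFFFFF
    base, offset = u >> 8, u & 0xFF
    chars = [(base >> shift) & 0x3F for shift in (18, 12, 6, 0)]
    return "".join(ET_CHARS[c - 1] for c in chars if c), offset

def triage(line):
    """Decode one log line; return None for lines that are not GSS failures."""
    m = LINE_RE.search(line)
    if not m:
        return None
    major, minor = int(m.group(2)), int(m.group(3))
    table, offset = com_err_table(minor)
    routine = decode_major(major)["routine_error"]
    return {"call": m.group(1), "routine": GSS_ROUTINE.get(routine, f"routine {routine}"),
            "table": table, "offset": offset,
            "minor_name": KNOWN_MINOR.get(minor, "unknown")}

def summarize(lines):
    """Count failures by (call, routine error, table, minor name)."""
    hits = filter(None, map(triage, lines))
    return Counter((h["call"], h["routine"], h["table"], h["minor_name"]) for h in hits)

# Constructed sample: the quoted error line twice, plus a made-up success line.
SAMPLE = ["gss_accept_sec_context (507) failed (851968, -1765328213)",
          "login ok (constructed line)",
          ">      gss_accept_sec_context (507) failed (851968, -1765328213)"]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(count, key)
```

GSS_S_FAILURE with no calling-error or supplementary bits means the detail is entirely in the mechanism's minor status, which here falls in the krb5 error table.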

