Wrong user name for network connection
Bill Cheeseman
bill at cheeseman.name
Tue Apr 22 05:54:51 PDT 2008
on 2008-04-22 7:28 AM, Axel Luttgens at luttgens at fusl.ac.be wrote:
> Thanks to your question, I've had the opportunity to get somewhat
> acquainted with .Mac accounts by creating one for myself and adding it
> to my user account.
> This has resulted in various pieces stored in my keychain, among them
> a ".Mac Sharing Certificate", ...
Yes, I have a certificate named "cheeseb (.Mac Sharing Certificate)" and an
apparently associated private key named "cheeseb (.Mac Sharing key) -
<date>". The same certificate and an associated key appear on all 3 of my
network machines.
All of my machines have several other keychain items associated with my .Mac
account, too, some apparently related to specific .Mac services that I
utilize, such as iChat conferencing, .Mac backups, Back to my Mac, etc.
These are an "Apple .Mac Certificate Authority" certificate, my .Mac
password under the name "cheeseb", and three identity preferences named
"cheeseb at mac.com AIM Signing", "cheeseb at mac.com SharedServices" and
"com.apple.system.DefaultSharingIdentity". Oh, and my "cheeseb at mac.com"
iTunes Store password. Most of these are on all 3 machines, except for the
AIM Signing and iTunes Store items (I use iChat and iTunes on only one
machine).
> ... as well as some data created in or
> appended to my user record:
> (new) LinkedIdentity: a plist defining the .Mac user name
> (new) UserCertificate: <seems to be a copy of the ".Mac Sharing
> Certificate">
> (added) AuthenticationAuthority: an additional kerberos authentication
> source, the principal
> being the above certificate's SHA1 fingerprint.
> (added) RecordName: the .Mac full name and the SHA1 fingerprint
> Moreover, a principal for the identity bound to that fingerprint is
> added to the "principal.LKDC" file in /var/db/krb5kdc.
I was mistaken when I reported to you in another message that there were
only 5 fields in my user record. I simply didn't notice that I needed to
scroll back up in my Terminal window to see the beginning of the record.
Sorry.
My user record on both the rogue machine and a good machine appears similar,
including a plist or XML item named LinkedIdentity which has a full name of
cheeseb at mac.com and a name of cheeseb, and a field AuthenticationAuthority
with a Kerberos fingerprint (with a different SHA number as between the two
machines).
> Now, the interesting thing appears when adding the same .Mac account
> on some user account on another box, and to enable AFP on that box.
> The same kind of data creation/addition will happen; in particular,
> the same .Mac Sharing Certificate will be used to fill that user
> account.
Yes, same here.
> As a result, each box now knows about some user bearing the SHA1
> fingerprint as one of its short names.
Yes, same here.
> Enter what seems to be a Finder built-in behavior.
> When clicking on the second box's icon in the sidebar, it seems that a
> connection will first be attempted under the .Mac identity (with the
> SHA1 fingerprint); then, because:
> that name is known by the remote box too,
> the .Mac password has been stored in the keychain (on both boxes),
> the AFP service is kerberized,
> a connection will succeed, and a ticket will be generated/received and
> displayed in Kerberos.app; the user's principal will be of the form:
> <SHA1 fingerprint>@LKDC:SHA1...
> hence those "lots of long numbers".
Yes, same here. BUT ONLY when going from either good machine to the rogue
machine. When I click either of the other two machines in the sidebar on the
rogue machine, I connect to the good machine "as cheeseb", not "as
cheeseb at mac.com".
So none of this seems to account for the different behavior when connecting
to the rogue machine as opposed to connecting to a good machine. I
understand that there could be something on both of the good machines that
controls how they connect to the rogue machine, but it "feels" more likely
to me that there must be something on the rogue machine making it respond to
connections differently. Note that connecting from either good machine to
the other good machine always connects "as cheeseb".
> I'm sure missing a lot of things, after only such a quick look.
> Anyway, could you confirm this is the kind of behavior you are facing
> with your "rogue" machine?
Yes, as detailed above.
--
Bill Cheeseman - bill at cheeseman.name
Quechee Software, Quechee, Vermont, USA
www.quecheesoftware.com
PreFab Software - www.prefabsoftware.com
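The following is an added example, not code from either poster. It shows one way to compare the user records that Axel describes: it parses two constructed records (in an assumed, simplified dscl-style "Key: value" layout, with extra values of a multi-valued key on indented lines), lists the short names each box would accept, extracts the Kerberos principals from the AuthenticationAuthority entries, and reports which short names the two boxes share. The AuthenticationAuthority entry layout (";Kerberosv5;;principal@realm;realm") and the 40-hex-digit fingerprints are assumptions and placeholders; nothing here is a real fingerprint or a real record from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records (not real dscl output). Each box has its own
# LKDC realm (1111... vs 2222...), but both carry the same .Mac certificate
# fingerprint (C0FFEE00...) as an extra short name and Kerberos principal.
FP = "C0FFEE00C0FFEE00C0FFEE00C0FFEE00C0FFEE00"          # placeholder cert fingerprint
REALM_GOOD = "LKDC:SHA1.1111111111111111111111111111111111111111"   # placeholder
REALM_ROGUE = "LKDC:SHA1.2222222222222222222222222222222222222222"  # placeholder

def make_record(realm: str) -> str:
    """Build a constructed dscl-style record for one box (assumed layout)."""
    return (
        "RecordName: cheeseb\n"
        f" {FP}\n"
        "AuthenticationAuthority: ;ShadowHash;\n"
        f" ;Kerberosv5;;cheeseb@{realm};{realm}\n"
        f" ;Kerberosv5;;{FP}@{realm};{realm}\n"
        "LinkedIdentity: <plist elided>\n"
    )

GOOD_RECORD = make_record(REALM_GOOD)
ROGUE_RECORD = make_record(REALM_ROGUE)

def parse_record(text: str) -> Dict[str, List[str]]:
    """Parse 'Key: value' lines; an indented line is another value of the last key."""
    record: Dict[str, List[str]] = {}
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            if key is None:
                raise ValueError(f"continuation line before any key: {line!r}")
            record[key].append(line.strip())
        else:
            key, _, value = line.partition(":")
            key = key.strip()
            record.setdefault(key, [])
            if value.strip():
                record[key].append(value.strip())
    return record

# Assumed entry shape: ;Kerberosv5;<unused>;principal@realm;realm
KERBEROS_ENTRY = re.compile(r"^;Kerberosv5;[^;]*;([^;@]+)@([^;]+);")
FINGERPRINT = re.compile(r"^[0-9A-Fa-f]{40}$")

def kerberos_principals(record: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (principal, realm) pairs found in AuthenticationAuthority."""
    found = []
    for entry in record.get("AuthenticationAuthority", []):
        m = KERBEROS_ENTRY.match(entry)
        if m:
            found.append((m.group(1), m.group(2)))
    return found

def accepted_short_names(record: Dict[str, List[str]]) -> List[str]:
    """Every RecordName value is a name the box will accept for this user."""
    return list(record.get("RecordName", []))

def fingerprint_short_names(record: Dict[str, List[str]]) -> List[str]:
    """Short names that look like SHA-1 fingerprints, i.e. the .Mac identity."""
    return [n for n in accepted_short_names(record) if FINGERPRINT.match(n)]

def compare_records(a: Dict[str, List[str]], b: Dict[str, List[str]]) -> Dict[str, list]:
    """Show which principals differ (realm per box) and which short names both accept."""
    pa, pb = set(kerberos_principals(a)), set(kerberos_principals(b))
    return {
        "only_in_first": sorted(pa - pb),
        "only_in_second": sorted(pb - pa),
        "shared_short_names": sorted(set(accepted_short_names(a)) & set(accepted_short_names(b))),
    }

if __name__ == "__main__":
    good, rogue = parse_record(GOOD_RECORD), parse_record(ROGUE_RECORD)
    print("good box accepts:", accepted_short_names(good))
    print("rogue box accepts:", accepted_short_names(rogue))
    print("fingerprint identities on rogue:", fingerprint_short_names(rogue))
    print(compare_records(good, rogue))
```

The shared fingerprint short name is the part of Axel's explanation that matters for a defender: once both boxes list the same fingerprint as a short name and hold the same .Mac password in the keychain, a Kerberized AFP login can succeed under that identity from either side, which is why the Finder can report a connection "as cheeseb at mac.com" rather than "as cheeseb". Comparing the records of a box that behaves differently is a way to check whether its RecordName or AuthenticationAuthority entries actually differ, or whether the difference lies elsewhere.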