[OpenAFS] 1.3.70 and aklog
Christopher D. Clausen
cclausen@acm.org
Mon, 16 Aug 2004 23:36:07 -0500
Derrick J Brashear wrote:
> I notice the comments aren't rolling in on this release. We need
> feedback to fix remaining issues so 1.4 can be released. Is anyone
> actually using this?
I am using it. I submitted a bug report and it has been fixed...
...perhaps someone can explain how the aklog with Kerberos 5 support (no
need for krb425d) works? I read through the previous posts on 1.3.66,
but I don't really understand what is going on. I believe this should work
as I expect and I should be able to use my AD domain tickets to get
tokens in my home cell.
I am running OpenAFS 1.3.70 debug build and KfW 2.6.4. (Does the 1.3.71
build fix this?)
AD.UIUC.EDU is a Windows Active Directory
ACM.UIUC.EDU is an MIT Kerberos realm that trusts AD.UIUC.EDU
acm.uiuc.edu is the AFS cell where I want to obtain tokens.
I am logging on to my machine using my Active Directory password in the
AD.UIUC.EDU domain. I then run ms2mit to populate the MIT credential
cache with my AD tickets. I then attempt to obtain AFS tokens. I get a
token, but it's for cclausen@ad.uiuc.edu and I do not have permissions
within the acm.uiuc.edu cell.
steps:
C:\>kdestroy
C:\>ms2mit
C:\>klist
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU
Valid starting Expires Service principal
08/16/04 23:03:10 08/17/04 09:03:10 krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
renew until 08/23/04 23:03:10
08/16/04 23:03:10 08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
renew until 08/23/04 23:03:10
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>which -a aklog
C:\Progra~1\MIT\Kerberos\bin\aklog.exe
C:\Progra~1\OpenAFS\Client\Program\aklog.exe
C:\Program Files\OpenAFS\Client\Program\aklog.exe
C:\>filever "C:\Program Files\OpenAFS\Client\Program\aklog.exe"
--a-- W32i APP - 1.3.7000.0 shp 40,448 08-09-2004 aklog.exe
C:\> "C:\Program Files\OpenAFS\Client\Program\aklog.exe" -5 -d
Authenticating to cell acm.uiuc.edu.
Getting v5 tickets: afs/acm.uiuc.edu@ACM.UIUC.EDU
About to resolve name cclausen@AD.UIUC.EDU to id
Id 32766
doing first-time registration of cclausen@ad.uiuc.edu at acm.uiuc.edu
libprot: funny kvno (256) in ticket, proceeding
aklog.exe: unable to create remote PTS user cclausen@ad.uiuc.edu in cell acm.uiuc.edu (status: 19270403).
Set username to cclausen@ad.uiuc.edu
Getting tokens.
C:\>klist
Ticket cache: API:krb5cc.cclausen
Default principal: cclausen@AD.UIUC.EDU
Valid starting Expires Service principal
08/16/04 23:03:10 08/17/04 09:03:10 krbtgt/AD.UIUC.EDU@AD.UIUC.EDU
renew until 08/23/04 23:03:10
08/16/04 23:03:10 08/17/04 09:03:10 host/kbs-cdc.ad.uiuc.edu@AD.UIUC.EDU
renew until 08/23/04 23:03:10
08/16/04 23:03:10 08/17/04 09:03:10 krbtgt/ACM.UIUC.EDU@AD.UIUC.EDU
renew until 08/23/04 23:03:10
08/16/04 23:05:32 08/17/04 09:03:10 afs/acm.uiuc.edu@ACM.UIUC.EDU
renew until 08/23/04 23:03:10
Kerberos 4 ticket cache: API:krb4cc
klist: No ticket file (tf_util)
C:\>tokens
Tokens held by the Cache Manager:
User cclausen@ad.uiuc.edu's tokens for afs@acm.uiuc.edu [Expires Aug 17 09:03]
--End of list --
C:\>h:
H:\>ls -l
(this hangs for a few minutes b/c I don't actually have permission in
the cell.)
Am I doing something wrong? Have something misconfigured?
Also, I'm pretty sure I should be able to specify the command line
options to aklog in any order. (The first one just prints a help
message, so I assume it does not work.) Is there a reason to require
parameters in a particular order?
H:\>C:\Progra~1\OpenAFS\Client\Program\aklog.exe -k ACM.UIUC.EDU -c acm.uiuc.edu
Usage: aklog.exe [-d] [[-cell | -c] cell [-k krb_realm]] [[-p | -path] pathname]
    [-noprdb] [-force]
    [-5 | -4]
-d gives debugging information.
krb_realm is the kerberos realm of a cell.
pathname is the name of a directory to which you wish to authenticate.
-noprdb means don't try to determine AFS ID.
-5 or -4 selects whether to use Kerberos V or Kerberos IV.
(default is Kerberos V)
No commandline arguments means authenticate to the local cell.
H:\>C:\Progra~1\OpenAFS\Client\Program\aklog.exe -c acm.uiuc.edu -k ACM.UIUC.EDU
H:\>
<<CDC
Christopher D. Clausen
ACM@UIUC SysAdmin