[OpenAFS] When Using Kerberos5 is klog necessary?
Chris McClimans
openafs-info@mcclimans.net
Thu, 22 Jan 2004 17:24:23 -0600
Here is gssklog by itself, ms2mit + gssklog, and the only combo that
works, kinit (MIT) and gssklog.
-chris
*******************************
Using gssklog by itself:
N:\classes\auth\gssklog>klist
klist: No credentials cache found (ticket cache API:krb5cc)
N:\classes\auth\gssklog>tokens
Tokens held by the Cache Manager:
--End of list --
N:\classes\auth\gssklog>gssklog
SSPI-error init_sec_context failed: major:80090300 minor:0012f200
Not enough memory is available to complete this request
Problem 2 with server elm.cs.ttu.edu, trying next
SSPI-error init_sec_context failed: major:80090300 minor:0012f1f0
Not enough memory is available to complete this request
Problem 2 with server oak.cs.ttu.edu
Failed code = 2
********************************
Using gssklog after ms2mit:
N:\classes\auth\gssklog>ms2mit
N:\classes\auth\gssklog>klist
Ticket cache: API:krb5cc
Default principal: cmcclima@TTU.EDU
Valid starting Expires Service principal
01/22/04 17:10:48 01/23/04 01:10:48 krbtgt/TTU.EDU@TTU.EDU
renew until 01/22/04 18:10:48
N:\classes\auth\gssklog>gssklog
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Problem 2 with server elm.cs.ttu.edu, trying next
GSS-error init_sec_context failed: major:000d0000 minor:00000000
Miscellaneous failure
No error
Problem 2 with server oak.cs.ttu.edu
Failed code = 2
**********************************
Destroying the ms2mit tickets and getting MIT-based tickets, then
running gssklog:
N:\classes\auth\gssklog>kdestroy
N:\classes\auth\gssklog>klist
klist: No credentials cache found (ticket cache API:krb5cc)
N:\classes\auth\gssklog>kinit cmcclima@TTU.EDU
Password for cmcclima@TTU.EDU:
N:\classes\auth\gssklog>gssklog
N:\classes\auth\gssklog>tokens
Tokens held by the Cache Manager:
User cmcclima's tokens for afs@cs.ttu.edu [Expires Jan 23 03:21]
--End of list --
N:\classes\auth\gssklog>klist
Ticket cache: API:krb5cc
Default principal: cmcclima@TTU.EDU
Valid starting Expires Service principal
01/22/04 17:21:07 01/23/04 03:21:07 krbtgt/TTU.EDU@TTU.EDU
01/22/04 17:21:07 01/23/04 03:21:07 krbtgt/CS.TTU.EDU@TTU.EDU
01/22/04 17:21:16 01/23/04 03:21:07 gssklog/elm.cs.ttu.edu@CS.TTU.EDU
On Jan 22, 2004, at 4:44 PM, Douglas E. Engert wrote:
>
>
> Chris McClimans wrote:
>>
>> David,
>> I'm using a similar setup here at TTU.
>> I have a CS.TTU.EDU mit realm with trust principals from the TTU.EDU
>> realm (an MS Active Directory) for user accounts.
>> I'm currently trying to find a decent solution from Windows XP boxes
>> that are part of the TTU.EDU domain to automatically get tokens from
>> login. MIT leash/kinit + gssklog work; however, ms2mit and gssklog
>> fail.
>
> The ms2mit and gssklog should work. Do you have any output?
>
> The gssklog should also work without any Kerberos package on the PC,
> as it can use the SSPI directly. If you are having a problem, I would
> like to work with you on this.
>
>
>> Are you straight unixen in your department or do you have a mixture
>> like myself?
>> -chris
>>
>> On Dec 30, 2003, at 11:21 PM, David Botsch wrote:
>>
>>> I should add that here we have the additional complication of two
>>> Kerberos realms. There is our realm/cell, and there is the realm used
>>> by the central computing on campus, here (and, of course, any used by
>>> any other departments).
>>>
>>> So, on our systems, if you want tokens/tickets in our cell, you klog.
>>> If you want tickets in the central realm, you kinit.
>>>
>>> So, switching to kinit for getting tokens/tickets causes other
>>> problems (in addition to the simple (heh) retraining of users problem).
>>>
>>> On Tue, Dec 30, 2003 at 10:34:00PM -0500, Ken Hornstein wrote:
>>>>> Why would I want to tell end users they have to type in two
>>>>> commands to get tokens instead of one? Most can barely handle just
>>>>> typing in "klog".
>>>>
>>>> Years ago, I added support to my kinit so that it runs aklog
>>>> automatically. Works just fine.
>>>>
>>>> --Ken
>>>> _______________________________________________
>>>> OpenAFS-info mailing list
>>>> OpenAFS-info@openafs.org
>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>
>>> --
>>> ********************************
>>> David William Botsch
>>> Consultant/Advisor II
>>> CCMR Computing Facility
>>> dwb7@ccmr.cornell.edu
>>> ********************************
>>>
>>
>
> --
>
> Douglas E. Engert <DEEngert@anl.gov>
> Argonne National Laboratory
> 9700 South Cass Avenue
> Argonne, Illinois 60439
> (630) 252-5444