[OpenAFS] When Using Kerberos5 is klog necessary?
Douglas E. Engert
deengert@anl.gov
Thu, 22 Jan 2004 19:07:45 -0600
Maybe we should take this offline.
Chris McClimans wrote:
>
> Here is gssklog by itself, ms2mit + gssklog, and the only combo that
> works, kinit (MIT) and gssklog.
> -chris
>
> *******************************
> Using gssklog by itself:
>
> N:\classes\auth\gssklog>klist
> klist: No credentials cache found (ticket cache API:krb5cc)
>
> N:\classes\auth\gssklog>tokens
>
> Tokens held by the Cache Manager:
>
> --End of list --
This is as expected. Without any additional input, gssapi
or SSPI cannot get a credential.
But if you use "gssklog user" it will prompt for a password like
klog would and use SSPI in this situation.
>
> N:\classes\auth\gssklog>gssklog
> SSPI-error init_sec_context failed: major:80090300 minor:0012f200
> Not enough memory is available to complete this request
>
> Problem 2 with server elm.cs.ttu.edu, trying next
> SSPI-error init_sec_context failed: major:80090300 minor:0012f1f0
> Not enough memory is available to complete this request
The Microsoft error message is misleading. I have seen this before
when our Windows Admins updated one of the ADs to Windows 2003.
The AD would then start generating tickets with kvno != 0. Check
the syslogs on the gssklogd servers and see if you are getting
"Key version number ... is incorrect" messages. If so I can tell
you how to correct it.
>
> Problem 2 with server oak.cs.ttu.edu
> Failed code = 2
>
> ********************************
> Using gssklog after ms2mit:
>
> N:\classes\auth\gssklog>ms2mit
>
> N:\classes\auth\gssklog>klist
> Ticket cache: API:krb5cc
> Default principal: cmcclima@TTU.EDU
>
> Valid starting Expires Service principal
> 01/22/04 17:10:48 01/23/04 01:10:48 krbtgt/TTU.EDU@TTU.EDU
> renew until 01/22/04 18:10:48
>
> N:\classes\auth\gssklog>gssklog
> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> Miscellaneous failure
> No error
> Problem 2 with server elm.cs.ttu.edu, trying next
> GSS-error init_sec_context failed: major:000d0000 minor:00000000
> Miscellaneous failure
> No error
> Problem 2 with server oak.cs.ttu.edu
> Failed code = 2
>
Not sure. Do the syslogs on the gssklogd servers have any messages?
> **********************************
> Destroying the ms2mit tickets and getting MIT-based tickets, then
> running gssklog:
>
> N:\classes\auth\gssklog>kdestroy
>
> N:\classes\auth\gssklog>klist
> klist: No credentials cache found (ticket cache API:krb5cc)
>
> N:\classes\auth\gssklog>kinit cmcclima@TTU.EDU
> Password for cmcclima@TTU.EDU:
>
> N:\classes\auth\gssklog>gssklog
>
> N:\classes\auth\gssklog>tokens
>
> Tokens held by the Cache Manager:
>
> User cmcclima's tokens for afs@cs.ttu.edu [Expires Jan 23 03:21]
> --End of list --
>
> N:\classes\auth\gssklog>klist
> Ticket cache: API:krb5cc
> Default principal: cmcclima@TTU.EDU
>
> Valid starting Expires Service principal
> 01/22/04 17:21:07 01/23/04 03:21:07 krbtgt/TTU.EDU@TTU.EDU
> 01/22/04 17:21:07 01/23/04 03:21:07 krbtgt/CS.TTU.EDU@TTU.EDU
> 01/22/04 17:21:16 01/23/04 03:21:07 gssklog/elm.cs.ttu.edu@CS.TTU.EDU
>
This looks correct.
> On Jan 22, 2004, at 4:44 PM, Douglas E. Engert wrote:
>
> >
> >
> > Chris McClimans wrote:
> >>
> >> David,
> >> I'm using a similar setup here at TTU.
> >> I have a CS.TTU.EDU mit realm with trust principals from the TTU.EDU
> >> realm (an MS Active Directory) for user accounts.
> >> I'm currently trying to find a decent solution from windows XP boxes
> >> that are part of the TTU.EDU domain to automatically get tokens from
> >> login. MIT leash/kinit + gssklog work however, ms2mit and gssklog
> >> fail.
> >
> > The ms2mit and gssklog should work. Do you have any output?
> >
> > The gssklog should also work without any Kerberos package on the PC,
> > as it can use the SSPI directly. If you are having a problem, I would
> > like to work with you on this.
> >
> >
> >> Are you straight unixen in your department or do you have a mixture
> >> like myself?
> >> -chris
> >>
> >> On Dec 30, 2003, at 11:21 PM, David Botsch wrote:
> >>
> >>> I should add that here we have the additional complication of two
> >>> kerberos realms. There is our realm/cell, and there is the realm used
> >>> by the central computing on campus, here (and, of course, any used by
> >>> any other departments).
> >>>
> >>> So, on our systems, if you want tokens/tickets in our cell, you klog.
> >>> If you want tickets in the central realm, you kinit.
> >>>
> >>> So, switching to kinit for getting tokens/tickets causes other
> >>> problems (in addition to the simple (heh) retraining of users problem).
> >>>
> >>> On Tue, Dec 30, 2003 at 10:34:00PM -0500, Ken Hornstein wrote:
> >>>>> Why would I want to tell end users they have to type in two
> >>>>> commands to get tokens instead of one? Most can barely handle just
> >>>>> typing in "klog".
> >>>>
> >>>> Years ago, I added support to my kinit so that it runs aklog
> >>>> automatically. Works just fine.
> >>>>
> >>>> --Ken
> >>>> _______________________________________________
> >>>> OpenAFS-info mailing list
> >>>> OpenAFS-info@openafs.org
> >>>> https://lists.openafs.org/mailman/listinfo/openafs-info
> >>>
> >>> --
> >>> ********************************
> >>> David William Botsch
> >>> Consultant/Advisor II
> >>> CCMR Computing Facility
> >>> dwb7@ccmr.cornell.edu
> >>> ********************************
> >>>
> >>
> >
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
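The two checks the reply above asks for, reading the status word that init_sec_context returned and looking through the gssklogd syslog for the "Key version number ... is incorrect" message, as an added Python example. This is not code from the thread, from OpenAFS or from gssklog; the GSS major-status layout follows RFC 2744 section 3.9, the SSPI values are the Win32 SECURITY_STATUS constants, and the sample syslog lines (including the gssklogd log format and the host names elm and oak borrowed from the thread) are constructed for the demonstration.

```python
"""Triage helpers for gssklog failures (added example, not part of the
OpenAFS thread or the gssklog project).

- decode_gss_major(): split a GSS-API major status word into its
  calling-error, routine-error and supplementary-info fields (RFC 2744).
- describe_status(): name a status whether it came from GSS-API or SSPI;
  the two use different encodings, which is why the SSPI run in the thread
  prints 80090300 and the MIT run prints 000d0000 for similar failures.
- find_kvno_mismatches(): scan gssklogd syslog lines for the key version
  error that a kvno != 0 service key produces.
"""
import re

# Routine-error codes live in bits 16-23 of a GSS major status (RFC 2744 3.9).
_ROUTINE = {
    1: "GSS_S_BAD_MECH", 2: "GSS_S_BAD_NAME", 3: "GSS_S_BAD_NAMETYPE",
    4: "GSS_S_BAD_BINDINGS", 5: "GSS_S_BAD_STATUS", 6: "GSS_S_BAD_MIC",
    7: "GSS_S_NO_CRED", 8: "GSS_S_NO_CONTEXT", 9: "GSS_S_DEFECTIVE_TOKEN",
    10: "GSS_S_DEFECTIVE_CREDENTIAL", 11: "GSS_S_CREDENTIALS_EXPIRED",
    12: "GSS_S_CONTEXT_EXPIRED", 13: "GSS_S_FAILURE", 14: "GSS_S_BAD_QOP",
    15: "GSS_S_UNAUTHORIZED", 16: "GSS_S_UNAVAILABLE",
    17: "GSS_S_DUPLICATE_ELEMENT", 18: "GSS_S_NAME_NOT_MN",
}
# Calling-error codes live in bits 24-31.
_CALLING = {
    1: "GSS_S_CALL_INACCESSIBLE_READ", 2: "GSS_S_CALL_INACCESSIBLE_WRITE",
    3: "GSS_S_CALL_BAD_STRUCTURE",
}
# Supplementary-info flags live in bits 0-15, one flag per bit.
_SUPPLEMENTARY = ["GSS_S_CONTINUE_NEEDED", "GSS_S_DUPLICATE_TOKEN",
                  "GSS_S_OLD_TOKEN", "GSS_S_UNSEQ_TOKEN", "GSS_S_GAP_TOKEN"]
# SSPI returns Win32 SECURITY_STATUS values instead; a few common ones.
_SSPI = {
    0x80090300: "SEC_E_INSUFFICIENT_MEMORY",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}


def decode_gss_major(major):
    """Split a GSS-API major status word into its three fields."""
    calling = (major >> 24) & 0xFF
    routine = (major >> 16) & 0xFF
    supp = major & 0xFFFF
    return {
        "calling": _CALLING.get(calling, hex(calling)) if calling else None,
        "routine": _ROUTINE.get(routine, hex(routine)) if routine else None,
        "supplementary": [name for bit, name in enumerate(_SUPPLEMENTARY)
                          if supp & (1 << bit)],
    }


def describe_status(major, from_sspi):
    """Name a status word from either SSPI or a GSS-API implementation."""
    if from_sspi:
        return _SSPI.get(major, "unknown SECURITY_STATUS %#010x" % major)
    fields = decode_gss_major(major)
    return fields["routine"] or fields["calling"] or "GSS_S_COMPLETE"


# Standard MIT krb5 text for KRB5KRB_AP_ERR_BADKEYVER; the wildcard keeps the
# match loose in case a server logs it with extra context.
KVNO_MSG = re.compile(r"Key version number .*?is incorrect", re.IGNORECASE)
# Classic syslog prefix: "Mon DD HH:MM:SS host program[pid]: message".
SYSLOG_PREFIX = re.compile(
    r"^\S+\s+\d+\s+[\d:]+\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s*(.*)$")

# Constructed sample lines; gssklogd's real log format may differ.
SAMPLE_SYSLOG = """\
Jan 22 17:10:50 elm gssklogd[1234]: accept_sec_context: Key version number for principal in key table is incorrect
Jan 22 17:10:50 elm gssklogd[1234]: client cmcclima@TTU.EDU rejected
Jan 22 17:21:16 oak gssklogd[4321]: token issued to cmcclima@TTU.EDU
"""


def find_kvno_mismatches(lines):
    """Return (host, message) for every line carrying the kvno error."""
    hits = []
    for line in lines:
        if not KVNO_MSG.search(line):
            continue
        m = SYSLOG_PREFIX.match(line)
        hits.append((m.group(1), m.group(3)) if m else ("?", line.strip()))
    return hits


if __name__ == "__main__":
    # The two status words quoted in the thread, then the constructed log.
    print(describe_status(0x80090300, from_sspi=True))
    print(describe_status(0x000D0000, from_sspi=False))
    for host, msg in find_kvno_mismatches(SAMPLE_SYSLOG.splitlines()):
        print("kvno mismatch on %s: %s" % (host, msg))
```

Run it against real gssklogd syslog output by feeding the file's lines to find_kvno_mismatches(); a hit on a host means the service key that host holds does not match the key version the KDC now issues tickets under, which is the situation the reply describes after an AD upgrade.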