[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup
scorch
scorch@muse.net.nz
Thu, 04 Aug 2005 07:40:35 +0200
hi,
I've been following a number of how-to guides, the best being
http://kula.public.iastate.edu/talks/afs-bpw-2005/afs-bpw-2005-iowa.pdf
-- thanks :-) but I'm stuck after switching out of -noauth, despite
having seemingly correct k5 tickets. My guess is that I need something
like aklog, or it's my krb configuration, but I am lost for the obvious answer.
After page 33, I switch after running in -noauth to 'restart BOS server
with authentication'. I always receive the following error:
wavey@mercury:/usr/afs/bin $ ./bos shutdown mercury.muse.net.nz -noauth
bos: failed to shutdown servers (you are not authorized for this operation)
despite all my best kinit efforts. I'm sure I am missing something
obvious but I can't find info in the logs. Any suggestions on how to
proceed?

overview
===========================================================
3dogs.muse.net.nz the KDC
mercury.muse.net.nz slave KDC, afs file, db, backup, volserver etc.
OS is OpenBSD 3.7 release, OpenAFS 1.3.86 compiled fine with
./configure --enable-transarc-paths --enable-fast-restart
--enable-bitmap-later --quiet --enable-debug --enable-supergroups
KerberosV works OK for encrypted telnet, and my wavey/afs credentials
are available - but maybe not in the right form...
$ kinit wavey/afs
wavey/afs@MUSE.NET.NZ's Password:
kinit: NOTICE: ticket renewable lifetime is 1 week
$ klist -Tv
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ
Cache version: 4
Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: des3-cbc-sha1, kvno 1
Auth time: Aug 3 02:49:05 2005
End time: Aug 3 04:29:05 2005
Renew till: Aug 10 02:49:05 2005
Ticket flags: renewable, initial
Addresses: IPv4:10.0.0.9, IPv4:10.0.0.20

krb5.conf
===========================================================
[libdefaults]
default_realm = MUSE.NET.NZ
ticket_lifetime = 6000
clockskew = 300
[realms]
MUSE.NET.NZ = {
supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
kdc = 3dogs.muse.net.nz
admin_server = 3dogs.muse.net.nz
}
[domain_realm]
.muse.net.nz = MUSE.NET.NZ
[kadmin]
default_keys = v5 afs3
afs-cell = muse.net.nz
[logging]
kadmind = FILE:/var/heimdal/kadmind.log
[kdc]
require-preauth = no
afs-cell = muse.net.nz
v4-realm = MUSE.NET.NZ

PTS info
===========================================================
./pts interactive -noauth
pts> examine wavey
libprot: no such entry Could not get afs tokens, running
unauthenticated.
Name: wavey, id: 2, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
pts> listentries
libprot: no such entry Could not get afs tokens, running
unauthenticated.
Name         ID      Owner   Creator
anonymous    32766   -204    -204
admin        1       -204    32766
wavey        2       -204    32766
wavey.afs    3       -204    32766
pts> membership wavey
libprot: no such entry Could not get afs tokens, running
unauthenticated.
Groups wavey (id: 2) is a member of:
system:administrators
pts> membership wavey.afs
libprot: no such entry Could not get afs tokens, running
unauthenticated.
Groups wavey.afs (id: 3) is a member of:
system:administrators
pts>

cheers, scorch
--
out of the frying pan and into the fire