[OpenAFS] Getting Tickets but not Tokens
Christopher D. Clausen
cclausen@acm.org
Sat, 10 May 2008 15:52:16 -0500
Jason C. Wells <jcw@highperformance.net> wrote:
> I am able to get a krb5 ticket for afs, but for some strange reason
> aklog won't get a token for me.
>
> I use heimdal on FreeBSD 6.3 and openafs 1.2.8 on Redhat 8. I am not
> running a kaserver.
>
> From the command line:
>
> [jcw@s3 stradamotorsports.com]$ kinit
> Password for jcw@STRADAMOTORSPORTS.COM:
>
> [jcw@s3 stradamotorsports.com]$ aklog -d
> Authenticating to cell stradamotorsports.com (server
> s3.stradamotorsports.com).
> We've deduced that we need to authenticate to realm
> STRADAMOTORSPORTS.COM. Getting tickets:
> afs/stradamotorsports.com@STRADAMOTORSPORTS.COM Kerberos error code
> returned by get_cred: -1765328228
> aklog: Couldn't get stradamotorsports.com AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets

The error indicates a Kerberos problem, not an AFS problem.

Where did you get aklog from? openafs 1.2.8 does not have an aklog
binary and I suspect your aklog is trying to contact a krb524d process
on the KDC (runs on port 4444 udp) and is probably failing, thus
rendering you unable to obtain tokens.

Either upgrade to a newer openafs version or obtain an aklog that has
native Kerberos 5 support and does not need a krb524d service running.
(You could also enable krb524d on the KDC, but I would not suggest
that.)

<<CDC
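
Added example, not part of the original message or of OpenAFS: the number in the aklog output above (-1765328228) is a com_err code, which packs the error-table name into the upper 24 bits and the message index into the low 8 bits. This Python sketch splits such a code apart; the function names are illustrative, and only the one code quoted in this thread is given a symbolic name.

```python
# Decode a com_err-style error code into (table name, offset, symbol).
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8   # low 8 bits: message index inside the table
BITS_PER_CHAR = 6   # table name: up to four 6-bit characters

# Only the code that appears in the thread is named here.
KNOWN = {("krb5", 156): "KRB5_KDC_UNREACH"}


def table_base(name):
    """Encode a table name (1 to 4 chars) as its signed 32-bit base value."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table names are 1 to 4 characters")
    packed = 0
    for ch in name:
        # Character values start at 1; 0 means "no character".
        packed = (packed << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    value = packed << ERRCODE_RANGE
    # Tools print the code as a signed 32-bit integer.
    return value - (1 << 32) if value & 0x80000000 else value


def decode(code):
    """Return (table, offset, symbol or None) for a signed or unsigned code."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    packed = unsigned >> ERRCODE_RANGE
    name = ""
    for shift in (18, 12, 6, 0):
        idx = (packed >> shift) & 0x3F
        if idx:
            name += CHARSET[idx - 1]
    # An empty table name means a plain system errno value.
    return name, offset, KNOWN.get((name, offset))


if __name__ == "__main__":
    table, offset, symbol = decode(-1765328228)   # value from the aklog -d output
    print(f"table={table!r} offset={offset} symbol={symbol}")
```

A table name of `krb5` means the failure was raised by the Kerberos library; an empty table name means an ordinary errno.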