[OpenAFS-devel] question about aklog and latest OAFS release...

Jim Doyle doyle@theworld.com
Fri, 9 Nov 2001 02:37:59 -0500


Howdy all.  I'm back in the saddle again. :)  For those of you on this
list (Derrick) whom I've worked with before - I used to be 'jrd@bu.edu'
and had formerly done the god-forsaken port of DCE 1.2.2 to Linux. Sorry
for being out of contact with so many people - I was doing the 'stock
options' thing in California for a few years. I must say that although
making the money was good -- commercial software sucks....

Anyways -- I can't seem to get 'aklog' from the latest pkg
openafs-krb5-1.2.2-rh7.1.1.i386.rpm  to work at all..

I am using OpenAFS 1.2.2 on RH 7.1.  Further, I am using the stock
Kerberos 5 KDC bundled with RH7.1.  On the AFS side, I am not using
kaserver -- but rather 'fakeka' to proxy authentication to the local
kerberos database.  This works as I am able to klog and do things I would
expect.

aklog seems to fail to give me a valid token.  One concern I have is that
when aklog is run in debug mode -- it reports to get a service ticket
for 'afs/example.com@EXAMPLE.COM'.  This principal does not exist in my
KDC. However, 'afs@EXAMPLE.COM' does exist and the key for this lives
in the KeyFile on the server side.

After running aklog, tokens reports SOME kind of key, however, it fails to
allow me to authenticate to the fileserver or volserver processes.

Has anyone else encountered this before I start running into the sources?
Also - where are the sources for aklog??  They appear not to be in
openafs-1.2.2.src.tar.bz2 ?

Here's the demo of what I am seeing wrong:
-----------------------------------------------------------------------------
[root@prozac /root]# kdestroy
[root@prozac /root]# unlog
[root@prozac /root]# kinit jdoyle
Password for jdoyle@EXAMPLE.COM:
[root@prozac /root]# aklog
[root@prozac /root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: jdoyle@EXAMPLE.COM

Valid starting     Expires            Service principal
11/09/01 03:34:10  11/09/01 13:34:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
11/09/01 03:34:14  11/09/01 13:34:10  afs@EXAMPLE.COM


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@prozac /root]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for afs@example.com [Expires Nov  9 13:34]
   --End of list--
[root@prozac /root]# touch /afs/example.com/users/jrd/foobar
touch: creating `/afs/example.com/users/jrd/foobar': Permission denied
[root@prozac /root]# vos release root.cell
rxk: security object was passed a bad ticket



However, using klog and fakeka on the backend -- all is generally well:
-------------------------------------------------------------------------
[root@prozac /root]# unlog
[root@prozac /root]# klog jdoyle@EXAMPLE.COM
Password:
[root@prozac /root]# touch /afs/example.com/users/jrd/foobar
[root@prozac /root]# vos release root.cell
Released volume root.cell successfully
[root@prozac /root]#