[OpenAFS-devel] aklog on OS X does not contact KDC to obtain AFS service principal

Benjamin Kaduk kaduk@MIT.EDU
Thu, 31 Jul 2014 14:33:52 -0400 (EDT)


On Thu, 31 Jul 2014, Marcus Crestani wrote:

>>>>>> "BA" == Brandon Allbery <ballbery@sinenomine.net> writes:
> BA> One early thing to check: make sure you are actually using OS X's
> BA> Kerberos. MacPorts or Homebrew may pull in Kerberos as a dependency and
> BA> this can lead to getting tickets with one and then trying to aklog with
> BA> the other, and they may be using different ccaches and sometimes
> BA> different krb5.conf files.
>
> We are using OS X's Kerberos.  And aklog uses the correct ccache, since
> aklog is able to obtain a token once the AFS service principal is in the
> ccache (manually added via kgetcred, for example).  It is just not able
> to obtain the AFS service principal, for us it doesn't even talk to our
> KDC.

Ah, I think this may be another case of enctype mismatch.  The original 
message had:
> When using aklog (OpenAFS-1.6.6) on OS X 10.9.4 without an AFS service

1.6.6 predates rxkad-kdf and rxkad-k5, so aklog will be calling 
krb5_enctype_enable() and explicitly requesting a key of type 
ENCTYPE_DES_CBC_CRC.  kgetcred does not do so, and can receive other 
enctypes.  Hmm, this doesn't make perfect sense, though, as aklog would 
still need to be able to use the session key in order to claim success, I 
think.

Regardless, can you please provide the 'klist -v' output after kgetcred?

-Ben
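As an added example (not from this thread or from OpenAFS), a small parser for the 'klist -v' output requested above: it reports each AFS service ticket's session-key enctype and whether an rxkad-only aklog, which requests des-cbc-crc, could use it. The Heimdal output layout, the cell names and the sample ccache contents are assumptions constructed for the example.

```python
import re

# Constructed sample in the style of Heimdal's `klist -v` (the Kerberos shipped
# with OS X). The layout is an assumption; cell and realm names are placeholders.
# Heimdal prints "Session key: Y" only when it differs from the ticket etype.
SAMPLE_KLIST_V = """\
Credentials cache: FILE:/tmp/krb5cc_501
        Principal: user@EXAMPLE.ORG
    Cache version: 4

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 2
Ticket length: 314

Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, Session key: des-cbc-crc, kvno 3
Ticket length: 290

Server: afs/other.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 5
Ticket length: 288
"""

# The only enctype an rxkad-only aklog (OpenAFS 1.6.6) asks the KDC for.
AKLOG_166_ENCTYPES = {"des-cbc-crc"}

_ETYPE_RE = re.compile(r"Ticket etype:\s*([^,]+)(?:,\s*Session key:\s*([^,]+))?")


def session_key_enctypes(klist_output):
    """Map each service principal in `klist -v` output to its session-key enctype."""
    result, server = {}, None
    for line in klist_output.splitlines():
        line = line.strip()
        if line.startswith("Server:"):
            server = line.split(":", 1)[1].strip()
        elif line.startswith("Ticket etype:") and server:
            m = _ETYPE_RE.match(line)
            if m:  # session key is the explicit one if printed, else the ticket etype
                result[server] = (m.group(2) or m.group(1)).strip()
            server = None
    return result


def afs_tickets_usable_by_old_aklog(klist_output):
    """For each afs/... ticket, True if its session key is one 1.6.6 aklog can use."""
    return {p: e in AKLOG_166_ENCTYPES
            for p, e in session_key_enctypes(klist_output).items()
            if p.startswith("afs/") or p.startswith("afs@")}
```

A ticket obtained via kgetcred with a non-DES session key shows up as False, which is exactly the mismatch the message above suspects.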