[OpenAFS-devel] Re: aklog on OS X does not contact KDC to obtain AFS service principal

Andrew Deason adeason@sinenomine.net
Thu, 31 Jul 2014 14:16:08 -0500


On Thu, 31 Jul 2014 20:27:13 +0200
Marcus Crestani <crestani@informatik.uni-tuebingen.de> wrote:

> We are using OS X's Kerberos.  And aklog uses the correct ccache, since
> aklog is able to obtain a token once the AFS service principal is in the
> ccache (manually added via kgetcred, for example).  It is just not able
> to obtain the AFS service principal, for us it doesn't even talk to our
> KDC.

If you find yourself at a dead end, you could try running 'dtruss' to at
least see if it's trying to send packets anywhere, or see what config
files it is reading, if that helps tell you what is going on. e.g.:

# dtruss -a -f 'aklog -d' 2>/tmp/somefile

It would be better to have KRB5_TRACE-style tracing, or debugging
messages via the krb5.conf 'logging' section, but I'm not sure if
anything like that works on OS X (I can't get them to do anything on my
10.7 machine, but I'm not looking very hard).

dtruss doesn't seem to interpret arguments for a lot of calls (like,
say, the networking ones), but it's possible to extract more information
with more dtrace scripting, if you want to go down that route.

-- 
Andrew Deason
adeason@sinenomine.net
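
One way to summarise the dtruss capture suggested in the message above, as an added example that is not part of the original email: it lists which files the traced processes tried to read and whether any network syscalls were made at all. The line layout matched by `CALL_RE`, the syscall name sets, and the sample lines are assumptions constructed for illustration.

```python
import re
import sys

# Assumed dtruss line shape: "PID/THREAD: [timing columns] name(args) = ret err"
CALL_RE = re.compile(
    r"(?P<pid>\d+)/\w+:\s+(?:-?\d+\s+)*"
    r"(?P<name>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+)\s+(?P<err>\S+)"
)
FILE_CALLS = {"open", "stat64", "access"}
NET_CALLS = {"socket", "connect", "sendto", "sendmsg"}

def summarize(lines):
    """Return paths touched and network syscalls made, each with a success flag."""
    files, network = [], []
    for line in lines:
        m = CALL_RE.search(line)
        if not m:
            continue  # header line, or output written by the traced program
        name = m.group("name")
        if name.endswith("_nocancel"):  # e.g. connect_nocancel
            name = name[: -len("_nocancel")]
        ok = int(m.group("ret")) >= 0
        if name in FILE_CALLS:
            path = re.match(r'"([^"]*)"', m.group("args"))
            if path:
                p = path.group(1)
                # dtruss shows the string terminator as a literal "\0"
                files.append((p[:-2] if p.endswith("\\0") else p, ok))
        elif name in NET_CALLS:
            network.append((name, m.group("args"), ok))
    return {"files": files, "network": network}

# Constructed sample lines, not captured from a real aklog run.
SAMPLE = [
    r"  PID/THRD  RELATIVE  ELAPSD    CPU SYSCALL(args)    = return",
    r' 4021/0x5a3c:  1873  21  15 open("/etc/krb5.conf\0", 0x0, 0x1B6)   = 3 0',
    r' 4021/0x5a3c:  1910  18  12 open("/Users/example/.krb5/config\0", 0x0, 0x1B6)   = -1 Err#2',
    r" 4021/0x5a3c:  2544   9   6 socket(0x2, 0x2, 0x0)   = 4 0",
    r" 4021/0x5a3c:  2561   7   4 connect_nocancel(0x4, 0x7FFF5FBFE2D0, 0x10)   = 0 0",
]

if __name__ == "__main__":
    src = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE
    result = summarize(src)
    for path, ok in result["files"]:
        print("file", "ok  " if ok else "FAIL", path)
    for name, args, ok in result["network"]:
        print("net ", "ok  " if ok else "FAIL", name, args)
    if not result["network"]:
        print("no socket/connect/sendto/sendmsg calls seen in traced processes")
```

Run it with the capture file as the only argument, for example `/tmp/somefile` from the command above; with no argument it processes the constructed sample.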