[OpenAFS-devel] Re: aklog on OS X does not contact KDC to obtain AFS service principal

D Brashear shadow@gmail.com
Thu, 31 Jul 2014 16:05:30 -0400



thing about dtruss is you need to be root, so you'll have to make sure you
got tickets as root.

i would have suggested tcpdump port 53 or port 88
but i guess dtruss will tell us what's up


On Thu, Jul 31, 2014 at 3:16 PM, Andrew Deason <adeason@sinenomine.net>
wrote:

> On Thu, 31 Jul 2014 20:27:13 +0200
> Marcus Crestani <crestani@informatik.uni-tuebingen.de> wrote:
>
> > We are using OS X's Kerberos.  And aklog uses the correct ccache, since
> > aklog is able to obtain a token once the AFS service principal is in the
> > ccache (manually added via kgetcred, for example).  It is just not able
> > to obtain the AFS service principal, for us it doesn't even talk to our
> > KDC.
>
> If you find yourself at a dead end, you could try running 'dtruss' to at
> least see if it's trying to send packets anywhere, or see what config
> files it is reading, if that helps tell you what is going on. e.g.:
>
> # dtruss -a -f 'aklog -d' 2>/tmp/somefile
>
> It would be better to have KRB5_TRACE-style tracing, or debugging
> messages via the krb5.conf 'logging' section, but I'm not sure if
> anything like that works on OS X (I can't get them to do anything on my
> 10.7 machine, but I'm not looking very hard).
>
> dtruss doesn't seem to interpret arguments for a lot of calls (like,
> say, the networking ones), but it's possible to extract more information
> with more dtrace scripting, if you want to go down that route.
>
> --
> Andrew Deason
> adeason@sinenomine.net


-- 
D
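
Added example, not part of the original thread: a small Python helper that reads the file written by the dtruss command quoted above and reports which files the traced process opened and whether it made any network syscalls at all. Since dtruss does not decode networking arguments, it only counts those calls; the line layout and the sample trace are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample, not a real trace. Assumed dtruss -a -f layout:
# PID/THRD: RELATIVE ELAPSD CPU syscall(args) = return errno
SAMPLE = r'''
PID/THRD  RELATIVE  ELAPSD    CPU SYSCALL(args)          = return
  812/0x1a2b:      1045      21     14 open("/etc/krb5.conf\0", 0x0, 0x0)          = 3 0
  812/0x1a2b:      1102      18     11 open_nocancel("/no/such/file.conf\0", 0x0, 0x0)   = -1 Err#2
  812/0x1a2b:      1490       9      5 socket(0x2, 0x2, 0x11)          = 4 0
  812/0x1a2b:      1533      30     22 sendto(0x4, 0x7FFF5FBFE000, 0x9C)          = 156 0
'''

CALL_RE = re.compile(r'(\w+)\((.*)\)\s*=\s*(0x[0-9A-Fa-f]+|-?\d+)\s+(Err#\d+|-?\d+)\s*$')
PATH_RE = re.compile(r'"(.*?)(?:\\0)?"')   # dtruss shows the string's trailing NUL as \0
FILE_CALLS = {"open", "access", "stat", "stat64", "lstat64"}
NET_CALLS = {"socket", "connect", "sendto", "sendmsg", "recvfrom", "recvmsg"}

def summarize(trace):
    """Return ([(path, succeeded)], Counter of network syscalls) for a dtruss log."""
    files, net = [], Counter()
    for line in trace.splitlines():
        m = CALL_RE.search(line)
        if not m:
            continue                      # header line or unrelated output
        name = m.group(1).replace("_nocancel", "")
        if name in FILE_CALLS:
            p = PATH_RE.match(m.group(2))
            if p:
                files.append((p.group(1), m.group(4) == "0"))
        elif name in NET_CALLS:
            net[name] += 1
    return files, net

def talks_to_network(net):
    """True if the process connected or sent anything, e.g. to DNS or a KDC."""
    return any(net[c] for c in ("connect", "sendto", "sendmsg"))

if __name__ == "__main__":
    files, net = summarize(SAMPLE)
    for path, ok in files:
        print("read" if ok else "MISSING", path)
    print("network calls:", dict(net) or "none")
    print("sent packets:", talks_to_network(net))
```

A trace with no connect or send calls matches the reported symptom of aklog never contacting the KDC; a capture with `tcpdump port 53 or port 88` shows the destinations that dtruss leaves undecoded.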
