[OpenAFS] MIT Krb5 and OpenAFS

Derek T. Yarnell derek@cs.umd.edu
Fri, 18 Jan 2002 12:11:52 -0500


On Tue, 15 Jan 2002, Charles Clancy wrote:

Still a little fuzzy about what the migration kit is telling me.

In Step 4: Test AFS with Kerberos 5

It says to use asetkey to see what is in the current AFS keyfile. But you said
not to do the kaserver. So should that just return nothing?
So I added a key value of 0 because there was no key. Which extracted a key
value of 1, which I added to the AFS KeyTab with asetkey.

Now when I tried to get AFS tokens through kinit then aklog, I got this:

[root@bungholio]# /usr//local/openafs/bin/aklog -d
Authenticating to cell cs.umd.edu (server bungholio.cs.umd.edu).
We've deduced that we need to authenticate to realm CS.UMD.EDU.
Getting tickets: afs/@CS.UMD.EDU
About to resolve name derek to id in cell cs.umd.edu.
Id 32766
Set username to derek
Setting tokens. derek /  @ CS.UMD.EDU 
aklog: unable to obtain tokens for cell cs.umd.edu (status: 11862791).

Could this be that krb524d is not doing the right thing? Or am I missing
something?

[root@bungholio]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek@CS.UMD.EDU

Valid starting     Expires            Service principal
01/18/02 11:51:41  01/18/02 21:51:41  krbtgt/CS.UMD.EDU@CS.UMD.EDU
01/18/02 11:51:57  01/18/02 21:51:41  afs@CS.UMD.EDU


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached


What parts am I supposed to do in the Quickstart Guide for Unix for AFS?

I am at Initializing Cell Security, but it has a lot of things with kas, which
I thought talked directly to the kaserver, which I was not supposed to set up.

Do I skip down to number 9 and start adding things into the ptserver with pts?
Or only 6, where I need to add users to the bos server?

Thanks for your help.

>> I have read a bunch of the mailing list and I am confused now. I have
>> a working Kerb V5 realm that I have tested and now know works. From
>> prior documentation I have to use the Migration Kit with aklog to
>> integrate with OpenAFS.  But a recent thread has led me to believe
>> (subject: kaserver date: early jan 2002) that this may not be true
>> anymore. What is the status of openafs and krb5?
>>
>> What then are the steps to bringing up AFS? Do you just follow the quickstart
>> guide minus telling the bos server to create the kaserver?
>
>If you have a working realm, and just want to add AFS, it's not that
>difficult.  You won't need to use the "migration" part of the kit --
>moving entries from the kaserver to Kerberos.
>
>First, set up your AFS cell, but don't do the kaserver part.  Then,
>download the migration kit.  It has documentation that explains everything
>pretty clearly.  You'll need to set up the key between AFS and Kerberos
>(with asetkey), compile aklog, and you should be ready to go.  Of course,
>you'll need to create ptserver entries for all your kerberos principals.
>
>--
>t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
>

-- 
Derek Yarnell
CS System Staff
derek@cs.umd.edu
	
.				

   ... INDEED!