[OpenAFS] OpenAFS - MIT V5 Kerberos problems

Tim Gaastra tim@gaastra.net
Mon, 25 Mar 2002 23:24:14 -0800


I'm running into something with OpenAFS that I'm just not sure about how
to fix...

I have an existing MIT Kerberos V realm (GAASTRA.NET) that is working
fine...

I'm trying to set up OpenAFS to use it as the authentication source.

I have tried following what I've read on the net, and I think I've done
the correct steps.

The cell name is "gaastra.net"

I've added a principal to Kerberos: afs/gaastra.net
kadmin:  getprinc afs/gaastra.net    
Principal: afs/gaastra.net@GAASTRA.NET
Expiration date: [never]
Last password change: Mon Mar 25 22:04:35 PST 2002
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Mar 25 22:04:35 PST 2002 (tim/admin@GAASTRA.NET)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 2, DES cbc mode with CRC-32, no salt

I've used kadmin and the ktadd function to add it to a temporary service
table on the OpenAFS server...
kadmin: ktadd -k /tmp/ktab afs/gaastra.net

I added it to the keyfile with
asetkey add 2 /tmp/ktab afs/gaastra.net

Asetkey list then shows:
kvno    2: key is: XXXXXXXXXXXXXXXXX
All done.

(Where XXXXXXXXXXXXXXX is the key)

I used pts to add a user afsadmin and added him to the
system:administrators group...

pts listentries shows:
Name                          ID  Owner Creator
anonymous                  32766   -204    -204 
afsadmin                       4   -204   32766

I also added a principal named afsadmin to the Kerberos server...

Now, when I try to use this...
kdestroy
kinit afsadmin
aklog -d

I get the output:
Authenticating to cell gaastra.net (server gorgon.gaastra.net).
We've deduced that we need to authenticate to realm GAASTRA.NET.
Getting tickets: afs/gaastra.net@GAASTRA.NET
About to resolve name afsadmin to id in cell gaastra.net.
Id 4
Set username to AFS ID 4
Setting tokens. AFS ID 4 /  @ GAASTRA.NET 
aklog: unable to obtain tokens for cell gaastra.net (status: unknown cell was passed to SetToken).

What's going on here? This has me totally confused. If I do a klist -e
now I get:
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin@GAASTRA.NET

Valid starting     Expires            Service principal
03/25/02 23:17:29  03/26/02 09:17:29  krbtgt/GAASTRA.NET@GAASTRA.NET
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/25/02 23:17:40  03/26/02 09:17:29  afs/gaastra.net@GAASTRA.NET
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

... So it's getting the afs/gaastra.net ticket I think, but something is
going wrong... What is it?

(I'm using the OpenAFS RPM binaries for Red Hat 7.2, with just the afs
kernel modules recompiled (since 2.4.9-31 isn't in the list yet), latest
Kerberos V5 1.2 from MIT... KDC is running on a Solaris machine and I have
krb524d running as krb524d -m on the KDC)...



--
Tim Gaastra
"His name is Troll: He fights for the lUsers"
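The post's own `aklog -d` output shows that the Kerberos stage succeeded (the afs/gaastra.net service ticket is in the cache) and that the failure happens later, when aklog hands the token to the AFS client (SetToken). A useful first step when debugging this kind of problem is to separate the two stages mechanically: confirm from `klist -e` that the afs service ticket is there, and at the same time note which encryption types it uses. The script below is an added example, not code from the post or from OpenAFS or MIT Kerberos; the function and class names are mine, and the sample input is the `klist -e` output quoted in the post, embedded as a constructed string with the mail-client line wraps undone. It parses the cache listing, looks up the afs service ticket for a given cell (accepting both the afs/cell and plain afs principal forms that aklog tries), and flags single-DES enctypes, which Kerberos has since deprecated (RFC 6649) and which current AFS deployments replace with a non-DES afs/ key.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the `klist -e` listing quoted in the post, with the
# e-mail line wraps joined. This is not live output from a real host.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin@GAASTRA.NET

Valid starting     Expires            Service principal
03/25/02 23:17:29  03/26/02 09:17:29  krbtgt/GAASTRA.NET@GAASTRA.NET
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
03/25/02 23:17:40  03/26/02 09:17:29  afs/gaastra.net@GAASTRA.NET
        Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32
"""

# Single-DES encryption types as MIT klist prints them (long and short forms).
# Single DES is deprecated for Kerberos (RFC 6649).
WEAK_ETYPES = {
    "des cbc mode with crc-32", "des cbc mode with md5", "des cbc mode with md4",
    "des-cbc-crc", "des-cbc-md5", "des-cbc-md4",
}

# One ticket line: two "MM/DD/YY HH:MM:SS" stamps and a service principal.
ENTRY_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")
# The enctype detail line that `klist -e` prints under each ticket.
ETYPE_RE = re.compile(r"^\s*Etype \(skey, tkt\): (.+?), (.+?)\s*$")


@dataclass
class Ticket:
    service: str
    starts: str
    expires: str
    skey_etype: Optional[str] = None   # session key enctype
    tkt_etype: Optional[str] = None    # enctype the ticket itself is sealed with


def parse_klist(text: str) -> List[Ticket]:
    """Parse `klist -e` output into Ticket records (hypothetical helper)."""
    tickets: List[Ticket] = []
    for line in text.splitlines():
        m = ETYPE_RE.match(line)
        if m and tickets:
            # Enctype line belongs to the ticket parsed just before it.
            tickets[-1].skey_etype, tickets[-1].tkt_etype = m.group(1), m.group(2)
            continue
        m = ENTRY_RE.match(line)
        # Only principal names contain "@"; this skips the column header.
        if m and "@" in m.group(3):
            tickets.append(Ticket(service=m.group(3), starts=m.group(1), expires=m.group(2)))
    return tickets


def afs_service_ticket(tickets: List[Ticket], cell: str) -> Optional[Ticket]:
    """Return the AFS service ticket for `cell`, if the cache holds one.

    aklog asks for afs/<cell>@REALM first and falls back to afs@REALM,
    so both spellings are accepted here.
    """
    wanted = (f"afs/{cell.lower()}@", "afs@")
    for t in tickets:
        if t.service.lower().startswith(wanted):
            return t
    return None


def weak_etypes(t: Ticket) -> List[str]:
    """List the single-DES enctypes used by a ticket (empty when none)."""
    return [e for e in (t.skey_etype, t.tkt_etype) if e and e.lower() in WEAK_ETYPES]


def check_cache(text: str, cell: str) -> Dict[str, object]:
    """Summarise the Kerberos stage of an aklog run from a klist -e listing."""
    tickets = parse_klist(text)
    afs = afs_service_ticket(tickets, cell)
    return {
        "tickets": len(tickets),
        "afs_ticket_present": afs is not None,
        "afs_service": afs.service if afs else None,
        "weak_etypes": weak_etypes(afs) if afs else [],
    }


if __name__ == "__main__":
    report = check_cache(SAMPLE_KLIST, "gaastra.net")
    print(report)
    if report["afs_ticket_present"]:
        print("Kerberos stage OK: aklog obtained the AFS service ticket; "
              "look at the AFS client side (cell configuration, kernel module, tokens).")
    if report["weak_etypes"]:
        print("Warning: AFS key uses single DES:", ", ".join(report["weak_etypes"]))
```

Running it on the post's listing reports the afs/gaastra.net@GAASTRA.NET ticket as present with both enctypes set to DES-CBC-CRC, which is what the post already shows by hand. The useful part for a practitioner is the separation it makes: when the afs ticket is in the cache, the KDC, the principal and the keytab import have done their job, and attention belongs on the client side where SetToken rejected the cell name; and on a current AFS cell the DES warning would be a finding on its own.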