[OpenAFS] KRB5 integration problems
Michael Nelson
mikenel@iapetus.com
Sun, 22 Sep 2002 18:02:04 -0400 (EDT)
> What does "klist -ke" give you at this point?
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/cedar.corp.iapetus.com@UNIX.IAPETUS.COM (Triple DES cbc mode with HMAC/sha1)
   3 host/cedar.corp.iapetus.com@UNIX.IAPETUS.COM (DES cbc mode with CRC-32)
   1 afs@UNIX.IAPETUS.COM (DES cbc mode with CRC-32)
>
> > asetkey add 1 /etc/krb5.keytab afs
> > kadmin.local -e des-cbc-crc:afs3 -q "ktremove -k /etc/krb5.keytab afs all"
>
> Why do you do this?
The latter? Because the OpenAFS install script does it (assuming that it
uses the keytab as a temporary mechanism to transfer the key via asetkey).
> What happens when you:
> kdestroy; kinit
> aklog -d
> klist
[mikenel@cedar install]# aklog -d
Authenticating to cell afs.iapetus.com (server cedar.corp.iapetus.com).
We've deduced that we need to authenticate to realm UNIX.IAPETUS.COM.
Getting tickets: afs/afs.iapetus.com@UNIX.IAPETUS.COM
About to resolve name admin to id in cell afs.iapetus.com.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 / @ UNIX.IAPETUS.COM
[mikenel@cedar install]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: admin@UNIX.IAPETUS.COM
Valid starting     Expires            Service principal
09/22/02 18:01:13  09/23/02 04:01:13  krbtgt/UNIX.IAPETUS.COM@UNIX.IAPETUS.COM
09/22/02 18:01:14  09/23/02 04:01:13  afs/afs.iapetus.com@UNIX.IAPETUS.COM
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached