[OpenAFS] SuSe 9.0 &Heimdal.6

ted creedon tcreedon@easystreet.com
Mon, 22 Dec 2003 10:20:55 -0800


All my boxes are running xntp and are time synced:

The K5 ticketing is working. I checked with:

/var/lib/heimdal/bin/telnet -l myname -a -x localhost

and

/var/lib/heimdal/bin/telnet -l myname -a -x not_localhost

Is it possible that fs is using the internal NTP feature which could be
disabled?

It appears that the 524 ticket from kdc to afs is the problem although it
seems to be working.

Does fs use a token or ticket?

The tickets requested are in the form afs/tedcell@TED-DORIS.FAM.

Since I'm running as root I kinit admin;afslog;

Any further help is appreciated. It is nice to have everything in krb5.

When I /etc/init.d/afs-server start;  the log files are normal with the
apparent usual

Could it be the pam_krb5 setup? There's a couple of failures in the filelog
shown below.

pam_krb5afs: get_config() called
pam_krb5afs: Version: pam_krb5 1.3-rc8, @(#)$Revision: 1.29 $
pam_krb5afs: If you have any problem, mail to pam-krb5-users@lists.sourceforge.net
pam_krb5afs: Creating a ticket with addresses
pam_krb5afs: krb4_convert false
pam_krb5afs: native_krb4_tgt false
pam_krb5afs: will afslog to cells `tedcell'
pam_krb5afs: will afslog to cell `tedcell'
pam_krb5afs: password-changing banner set to `Kerb_pam'
pam_krb5afs: ccache directory set to `/tmp'
pam_krb5afs: making tickets forwardable
pam_krb5afs: keytab file name set to `/etc/krb5.keytab'
pam_krb5afs: setting heimdal kdc timeout to 3
pam_krb5afs: will only attempt to authenticate users when UID >= 0
pam_krb5afs: making tickets non-proxiable
pam_krb5afs: setting renewable lifetime to 0
pam_krb5afs: required_tgs set to `'
pam_krb5afs: use_authtok false
pam_krb5afs: user_check true
pam_krb5afs: validate false
pam_krb5afs: warn_period 604800
pam_krb5afs: old_password_from_auth false
pam_krb5afs: pam_sm_authenticate() called (prc = Success)
pam_krb5afs: default Kerberos realm is `TED-DORIS.FAM'
pam_krb5afs: pam_get_user returned `root'
pam_krb5afs: user is `root'
pam_krb5afs: `root' has uid 0, gid 0
pam_krb5afs: attempting to authenticate `root'
pam_krb5afs: call krb5_get_init_creds_password (1)
pam_krb5afs: get_int_tkt returned Success
pam_krb5afs: authentication succeeds for `root'
pam_krb5afs: credentials saved for `root@TED-DORIS.FAM' (pam_krb5afs_root@TED-DORIS.FAM_cred_stash)
pam_krb5afs: saved return code (0) for later use (pam_krb5afs_root@TED-DORIS.FAM_ret_stash)
Dec 21 19:16:33 shemya kdm[1569]: pam_krb5afs: pam_sm_authenticate returning 0 (Success)

FileLog
   ::::::::::::::
    Sun Dec 21 21:18:17 2003 File server starting
    Sun Dec 21 21:18:17 2003 afs_krb_get_lrealm failed, using tedcell.
    Sun Dec 21 21:18:17 2003 VL_RegisterAddrs rpc failed; will retry periodically (code=5376, err=2)
    Sun Dec 21 21:18:17 2003 Set thread id 14 for FSYNC_sync
    Sun Dec 21 21:18:17 2003 Partition /vicepa: attached 1 volumes; 0 volumes not attached
    Sun Dec 21 21:18:17 2003 Set thread id 15 for 'FiveMinuteCheckLWP'
    Sun Dec 21 21:18:17 2003 Set thread id 16 for 'HostCheckLWP'
    Sun Dec 21 21:18:17 2003 Getting FileServer name...
    Sun Dec 21 21:18:17 2003 FileServer host name is 'shemya'
    Sun Dec 21 21:18:17 2003 Getting FileServer address...
    Sun Dec 21 21:18:17 2003 FileServer shemya has address 10.1.1.116 (0x7401010a or 0xa010174 in host byte order)
    Sun Dec 21 21:18:17 2003 File Server started Sun Dec 21 21:18:17 2003

Ted


Frank Burkhardt fbo2@gmx.net
Mon, 22 Dec 2003 09:44:24 +0100


Hi,

On Sun, Dec 21, 2003 at 12:24:17PM -0800, ted creedon wrote:
[snip]
> Running tokens does show an afs token and the everything seems to work until
> one does
>
> kinit admin
>
> shemya: fs setacl /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
What does your syslog show?

When I got this error message, it was always a time-synchronisation-problem.
Make sure all your servers and clients in your cell are synchronized.

Regards,

Frank
