[OpenAFS] Thank you, and one more question

Peter Schuller peter.schuller@infidyne.com
Thu, 16 Jan 2003 12:06:10 +0100


first off I would like to thank everyone who responded on this list and
privately, offering help in response to my last message.

I was finally successful this morning in setting up a working server
with Kerberos.

Thanks a lot!

That said, there is still one problem left. I am trying to set up
the Windows version of OpenAFS 1.2.8 to access the newly set up server.
It installs successfully and the OpenAFS service starts normally[1].

However I am having trouble obtaining a token. When I try to log in (in
response to "Obtain new tokens..." in the AFS client tool) I get the

   "The AFS client was unable to obtain tokens as USERNAME in cell

   Error: 3(unknown authentication error 3)"

I should note that there is one "problem" regarding authentication that
I have on the Linux server aswell that might be related. Namely, if I
just do "aklog" after kinit, I get:

   aklog: Couldn't get afs-cell-name AFS tickets:
   aklog: Server not found in Kerberos database while getting AFS

In order for it to work, I have to do:

   aklog afs-cell-name -k KERBEROS-REALM

At first I thought this was due to the AFS cell name being in lower
case, and the kerberos realm being the same name but in upper case. But
then I realized - that's required by the AFS/kerberos cell name
restrictions, correct? (AFS cells lower case; kerberos realms upper case)

Could the problems be related?

The user I am trying to authenticate as is verified to work with the
Linux client (on the server machine, using kinit and aklog). It was
created like this:

   kadmin.local -q "ank username"
   pts creategroup groupname
   pts adduser username groupname

Any pointers are greatly appreciated. Thanks!

[1] This indicates something is working. Because when I chose some cell
at random, which worked with 1.2.2b, the service won't start. I am
guessing/hoping this is because 1.2.8 uses kerberos by default. So when
I enter the correct cell (the one I just set up), it is able to start.
That must mean *something* is working right.

/ Peter Schuller, InfiDyne Technologies HB

PGP userID: 0xE9758B7D or 'Peter Schuller <peter.schuller@infidyne.com>'
Key retrival: Send an E-Mail to getpgpkey@scode.org
E-Mail: peter.schuller@infidyne.com Web: http://www.scode.org