[OpenAFS] Thank you, and one more question
Charles Clancy
security@xauth.net
Thu, 16 Jan 2003 09:22:10 -0600 (CST)
On Thu, 16 Jan 2003, Peter Schuller wrote:
> I was finally successful this morning in setting up a working server
> with Kerberos.
By "Kerberos" I assume you mean "Kerberos 5".
> However I am having trouble obtaining a token. When I try to log in (in
> response to "Obtain new tokens..." in the AFS client tool) I get the
> message:
If you're using Kerberos 5, then the "Obtain new tokens..." feature in the
Windows client will not work for you. You have to use kinit and aklog.
> I should note that there is one "problem" regarding authentication that
> I have on the Linux server as well that might be related. Namely, if I
> just do "aklog" after kinit, I get:
>
> aklog: Couldn't get afs-cell-name AFS tickets:
> aklog: Server not found in Kerberos database while getting AFS
> tickets
>
> In order for it to work, I have to do:
>
> aklog afs-cell-name -k KERBEROS-REALM
>
> At first I thought this was due to the AFS cell name being in lower
> case, and the Kerberos realm being the same name but in upper case. But
> then I realized - that's required by the AFS/Kerberos cell name
> restrictions, correct? (AFS cells lower case; Kerberos realms upper case)
The uppercase/lowercase thing is not a problem. Do an "aklog -d" to see
which cells and REALMS it's trying to talk to. There may also be a
problem if you're using a really old win32 aklog that only supports
checking for the "afs@REALM" principal rather than "afs/cell@REALM".
[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]