[OpenAFS] unable to authenticate to openafs via aklog

Derek Atkins warlord@MIT.EDU
07 Jul 2003 16:43:59 -0400


Yes, there is a limit in Krb4 names:

/* The maximum sizes for aname, realm, sname, and instance +1 */
#define         ANAME_SZ        40
#define         REALM_SZ        40
#define         SNAME_SZ        40
#define         INST_SZ         40
/* include space for '.' and '@' */
#define         MAX_K_NAME_SZ   (ANAME_SZ + INST_SZ + REALM_SZ + 2)

So, you're hitting this limit in the krb5 -> krb4 name conversion.

Unfortunately all you can do is change your realm name to something
shorter (you only need to remove 1 character from the name).

This is a Krb4 issue, not a krb5 issue, but AFS uses krb4 internally
so you need to live with krb4's limitations.

-derek

Stefan Nobis <stefan-ml@snobis.de> writes:

> Ken Hornstein <kenh@cmf.nrl.navy.mil> writes:
> 
> >>BTW: krb524init also said "Improper format of translation database
> >>entry converting to V4 credentials".
> 
> > What exactly is the name of the AFS service principal you're trying to
> > acquire?  It looks like from the code that there might be a problem
> 
> My Kerberos Realm is CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE and
> my afs cell is cluster.retina.e-technik.uni-dortmund.de.
> 
> My first try was a service principal
> afs@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> 
> But one time I tried a principal with the cell as instance (this
> always appeared in the log files) but instead of
> 
> afs/cluster.retina.e-technik.uni-dortmund.de@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> 
> aklog tries (first) to get the principal
> 
> afs/cluster.retina.e-technik.uni-dortmund.d@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> 
> (so it seems the principal/instance is one character too long).
> 
> > with the name (badly formatted or too long).  As a last resort, build
> > krb524d with full debugging and run it under gdb.
> 
> Here is the complete (unchanged) list of Kerberos principals:
> 
> kadmin.local:  listprincs
> K/M@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> afs@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> kadmin/admin@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> kadmin/changepw@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> kadmin/history@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> krbtgt/CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> root/admin@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> stefan/admin@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> stefan@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE
> 
> (BTW: The long realm name is necessary because there is already
> another realm retina.e-technik.uni-dortmund.de running (not by me
> but AFAIK there are no problems with openafs and krb5kdc))
> 
> -- 
> Until the next mail...,
> Stefan.

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
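
Added example (not part of the original message, and not OpenAFS or Kerberos source code): a small C check that applies the Krb4 sizes quoted above to the principals from this thread, treating each size as the maximum length plus one for the terminator, as the header comment says. The function name and flag names are hypothetical, and parsing is simplified to the first '/' and the last '@'.

```c
#include <stdio.h>
#include <string.h>

/* Krb4 limits quoted in the message; each size includes the trailing NUL. */
#define ANAME_SZ 40
#define REALM_SZ 40
#define INST_SZ  40

/* Bit flags naming the component that does not fit (hypothetical names). */
enum { K4_OK = 0, K4_NAME_LONG = 1, K4_INST_LONG = 2,
       K4_REALM_LONG = 4, K4_NO_REALM = 8 };

/* Check a "name[/instance]@REALM" principal against the Krb4 field sizes.
 * Simplification: only the first '/' and the last '@' are separators;
 * escaped separators and multi-component krb5 names are not handled. */
int k4_check_principal(const char *princ)
{
    const char *at = strrchr(princ, '@');
    if (at == NULL)
        return K4_NO_REALM;

    const char *slash = memchr(princ, '/', (size_t)(at - princ));
    size_t name_len  = (size_t)((slash ? slash : at) - princ);
    size_t inst_len  = slash ? (size_t)(at - slash - 1) : 0;
    size_t realm_len = strlen(at + 1);

    int rc = K4_OK;
    if (name_len  > ANAME_SZ - 1) rc |= K4_NAME_LONG;
    if (inst_len  > INST_SZ  - 1) rc |= K4_INST_LONG;
    if (realm_len > REALM_SZ - 1) rc |= K4_REALM_LONG;
    return rc;
}

int main(void)
{
    const char *samples[] = {
        /* principals taken from the thread */
        "afs@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE",
        "afs/cluster.retina.e-technik.uni-dortmund.de@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.DE",
        /* constructed: the same realm with one character removed */
        "afs@CLUSTER.RETINA.E-TECHNIK.UNI-DORTMUND.D",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("flags=%d  %s\n", k4_check_principal(samples[i]), samples[i]);
    return 0;
}
```

A non-zero result names the component that would be cut off in the krb5 -> krb4 conversion; the 40-character cell name used as an instance is the one that shows up truncated to 39 characters in the aklog request quoted above.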