[OpenAFS] RE: W2K kdc and AFS saga continuing...

Neulinger, Nathan nneul@umr.edu
Tue, 8 Jul 2003 13:57:38 -0500


> [root@vermio log]# aklog -d -noprdb
> Authenticating to cell lala.itc.auth.gr (server vermio).
> We've deduced that we need to authenticate to realm LALA.ITC.AUTH.GR.
> Getting tickets: afs/lala.itc.auth.gr@LALA.ITC.AUTH.GR
> got kvno from file = 0
> Not resolving name test to id (-noprdb set)
> Set username to test
> Setting tokens. test /  @ LALA.ITC.AUTH.GR
> aklog: unable to obtain tokens for cell lala.itc.auth.gr
> (status: 11862791).
> [root@vermio log]#

Did you pts create test and is afs running on the client?

If you don't have a populated PT database, you'll need to do that first,
with either noauth or ptutil.

> There I am, completely stuck. Any suggestions?
>
> BTW, isn't the KRB5 principal format supposed to be
> {service|username}/hostname@realmname? Why does aklog request an
> afs/realm@REALM ticket? Shouldn't that be
> afs/konserba.itc.auth.gr@LALA.ITC.GR

It's not afs/realm, it's afs/cell. You can do it that way, or just
"afs@REALM", which many sites use instead. aklog in ken's 2.0 kit should
handle both, but tries /cell first.

> for example?. It seems to make no difference if I create the
> windows keyfile for principal
> afs/konserba.itc.auth.gr@LALA.ITC.AUTH.GR, aklog still tries
> to get a token for
> afs/lala.itc.auth.gr@LALA.ITC.AUTH.GR, failing prematurely :>)

Try disabling that in the configure run with --disable-full-princ and it
will just request afs@LALA...GR.

-- Nathan