[OpenAFS] kerberos problems
David Bishop
tech@bishop.dhs.org
Mon, 2 Jun 2003 08:33:48 -0600
--Boundary-02=_QB22+bK/VlOkalB
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Content-Description: signed data
Content-Disposition: inline
I know this isn't a kerberos-specific list, but as I'm only krb'ing my setu=
p=20
in order to use afs, I feel I'm justified in writing :-) If there is a=20
better list to use, I'd be happy to go there instead...
The problem is that I am unable to actually use any of the tickets that I g=
et=20
from my kerberos server. I can run kinit, and get a ticket, and if I use t=
he=20
wrong password, I get an error (i.e., all that's working). However, when I=
=20
try to connect to the server via, say, ssh, it doesn't work. I'll copy &=20
paste the output of the various commands below. To clarify, BISHOP.DHS.ORG=
=20
is the name of my realm *and* the name of my dns-domain *and* the actual na=
me=20
of my server. And my client is debian.bishop.dhs.org (not visible to the=20
"outside" world).
[ david@debian ] $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: david@BISHOP.DHS.ORG
Valid starting Expires Service principal
06/02/03 08:29:02 06/02/03 18:29:02 krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[ david@debian ] $ ssh bishop.dhs.org
Enter passphrase for key '/home/david/.ssh/id_rsa':
[ctrl-c'ed out of this]
[meanwhile, back on the server]
[ david@bishop ] $ tail krb5kdc.log
Jun 02 08:29:02 bishop krb5kdc[8989](info): AS_REQ (3 etypes {16 1 3})=20
192.168.0.2(16416): ISSUE: authtime 1054564142, etypes {rep=3D16 tkt=3D16=20
ses=3D16}, david@BISHOP.DHS.ORG for krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
Jun 02 08:32:36 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3})=20
192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142, =20
david@BISHOP.DHS.ORG for krbtgt/DHS.ORG@BISHOP.DHS.ORG, Server not found in=
=20
Kerberos database
<snip, repeated three more times>
But why does it say DHS.ORG/BISHOP.DHS.ORG? One line above, it's=20
BISHOP.DHS.ORG/BISHOP.DHS.ORG. What changed? And shouldn't it be somethin=
g=20
like david@DEBIAN/BISHOP.DHS.ORG, anyway? I'm so lost and confused....
Well, if you got this far, thank you. I've read through so much=20
documentation, I think I'm going blind. But there's so few "lead the newbi=
e=20
by the hand" stuff, it's kinda frustrating. And if you've never dealt with=
=20
krb stuff before in your life, it's very overwhelming... Any pointers or=20
tips (even to a complete newbie's FM) would be very greatly appreciated. =20
Thanks!
=2D-=20
"Sorry about the whole 'bomb' thing" - Bruce Rollins
D.A.Bishop
--Boundary-02=_QB22+bK/VlOkalB
Content-Type: application/pgp-signature
Content-Description: signature
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQA+22BQEHLN/FXAbC0RAkEAAJ4tZPM1m5UM8WMgUO5V80SaZzZ/RgCffMjc
z57WS4Pgyr2lHMj13AKOyfM=
=F949
-----END PGP SIGNATURE-----
--Boundary-02=_QB22+bK/VlOkalB--