[OpenAFS] kerberos problems

David Bishop tech@bishop.dhs.org
Mon, 2 Jun 2003 08:33:48 -0600



I know this isn't a kerberos-specific list, but as I'm only krb'ing my setup in order to use afs, I feel I'm justified in writing :-)  If there is a better list to use, I'd be happy to go there instead...

The problem is that I am unable to actually use any of the tickets that I get from my kerberos server.  I can run kinit, and get a ticket, and if I use the wrong password, I get an error (i.e., all that's working).  However, when I try to connect to the server via, say, ssh, it doesn't work.  I'll copy & paste the output of the various commands below.  To clarify, BISHOP.DHS.ORG is the name of my realm *and* the name of my dns-domain *and* the actual name of my server.  And my client is debian.bishop.dhs.org (not visible to the "outside" world).

[ david@debian ] $ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: david@BISHOP.DHS.ORG
Valid starting     Expires            Service principal
06/02/03 08:29:02  06/02/03 18:29:02  krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
Kerberos 4 ticket cache: /tmp/tkt1000
klist: You have no tickets cached
[ david@debian ] $ ssh bishop.dhs.org
Enter passphrase for key '/home/david/.ssh/id_rsa':
[ctrl-c'ed out of this]

[meanwhile, back on the server]
[ david@bishop ] $ tail krb5kdc.log
Jun 02 08:29:02 bishop krb5kdc[8989](info): AS_REQ (3 etypes {16 1 3}) 192.168.0.2(16416): ISSUE: authtime 1054564142, etypes {rep=16 tkt=16 ses=16}, david@BISHOP.DHS.ORG for krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG

Jun 02 08:32:36 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3}) 192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142, david@BISHOP.DHS.ORG for krbtgt/DHS.ORG@BISHOP.DHS.ORG, Server not found in Kerberos database
<snip, repeated three more times>

But why does it say DHS.ORG/BISHOP.DHS.ORG?  One line above, it's BISHOP.DHS.ORG/BISHOP.DHS.ORG.  What changed?  And shouldn't it be something like david@DEBIAN/BISHOP.DHS.ORG, anyway?  I'm so lost and confused....

Well, if you got this far, thank you.  I've read through so much documentation, I think I'm going blind.  But there are so few "lead the newbie by the hand" resources, it's kinda frustrating.  And if you've never dealt with krb stuff before in your life, it's very overwhelming...  Any pointers or tips (even to a complete newbie's FM) would be very greatly appreciated.  Thanks!

-- 
"Sorry about the whole 'bomb' thing" - Bruce Rollins
D.A.Bishop
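Added example, not part of the post: a small Python parser for krb5kdc.log records in the format quoted above that flags TGS_REQs for a cross-realm TGT (krbtgt/OTHER@LOCAL) which the KDC rejected with UNKNOWN_SERVER. A client asks for such a ticket when it has mapped the target host's name to a realm other than the one the KDC serves, so this is the log signature of a host-to-realm mapping mismatch. The log sample embeds the two records from the post (wrapped lines joined) plus a third, constructed record for contrast.

```python
import re

# Constructed sample in the MIT krb5kdc.log format quoted in the post: the two
# records from the post (wrapped lines joined) plus a third, invented one for contrast.
SAMPLE_LOG = """\
Jun 02 08:29:02 bishop krb5kdc[8989](info): AS_REQ (3 etypes {16 1 3}) 192.168.0.2(16416): ISSUE: authtime 1054564142, etypes {rep=16 tkt=16 ses=16}, david@BISHOP.DHS.ORG for krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
Jun 02 08:32:36 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3}) 192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142, david@BISHOP.DHS.ORG for krbtgt/DHS.ORG@BISHOP.DHS.ORG, Server not found in Kerberos database
Jun 02 08:40:00 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3}) 192.168.0.2(16417): ISSUE: authtime 1054564142, etypes {rep=16 tkt=16 ses=16}, david@BISHOP.DHS.ORG for host/bishop.dhs.org@BISHOP.DHS.ORG
"""

# One KDC record: timestamp, request type, client IP, status, client principal, service principal.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ krb5kdc\[\d+\]\(\w+\): "
    r"(?P<req>AS_REQ|TGS_REQ) .*? (?P<ip>\d+(?:\.\d+){3})\(\d+\): "
    r"(?P<status>\w+): .*?(?P<client>\S+@\S+) for (?P<service>\S+?)(?:,.*)?$"
)


def parse_kdc_line(line):
    """Return the fields of one KDC log record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["client_realm"] = rec["client"].rsplit("@", 1)[1]
    rec["service_name"], rec["service_realm"] = rec["service"].rsplit("@", 1)
    return rec


def cross_realm_target(rec):
    """If the record asks for a cross-realm TGT (krbtgt/OTHER@LOCAL), return OTHER."""
    name = rec["service_name"]
    if name.startswith("krbtgt/"):
        target = name.split("/", 1)[1]
        if target != rec["service_realm"]:
            return target
    return None


def find_realm_mismatches(log_text):
    """Rejected cross-realm TGT requests as (timestamp, client ip, client, realm asked for)."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_kdc_line(line)
        if rec is None:
            continue
        target = cross_realm_target(rec)
        if target is not None and rec["status"] == "UNKNOWN_SERVER":
            findings.append((rec["ts"], rec["ip"], rec["client"], target))
    return findings


if __name__ == "__main__":
    for ts, ip, client, realm in find_realm_mismatches(SAMPLE_LOG):
        print(f"{ts}: {client} from {ip} asked for a TGT to realm {realm}, which this KDC does not serve")
```

Run against a real krb5kdc.log, the same check separates a client whose realm mapping is wrong (repeated krbtgt/OTHER requests from one IP) from an ordinary unknown-service lookup.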
