[OpenAFS] kerberos problems

Douglas E. Engert deengert@anl.gov
Mon, 02 Jun 2003 09:49:42 -0500


It's trying to do cross realm, from BISHOP.DHS.ORG to DHS.ORG
It is assuming the sshd server bishop.dhs.org is in realm DHS.ORG

Add a [domain_realm] section to the krb5.conf with 

  .dhs.org = BISHOP.DHS.ORG



David Bishop wrote:
> 
> I know this isn't a kerberos-specific list, but as I'm only krb'ing my setup
> in order to use afs, I feel I'm justified in writing :-)  If there is a
> better list to use, I'd be happy to go there instead...
> 
> The problem is that I am unable to actually use any of the tickets that I get
> from my kerberos server.  I can run kinit, and get a ticket, and if I use the
> wrong password, I get an error (i.e., all that's working).  However, when I
> try to connect to the server via, say, ssh, it doesn't work.  I'll copy &
> paste the output of the various commands below.  To clarify, BISHOP.DHS.ORG
> is the name of my realm *and* the name of my dns-domain *and* the actual name
> of my server.  And my client is debian.bishop.dhs.org (not visible to the
> "outside" world).
> 
> [ david@debian ] $ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: david@BISHOP.DHS.ORG
> Valid starting     Expires            Service principal
> 06/02/03 08:29:02  06/02/03 18:29:02  krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
> [ david@debian ] $ ssh bishop.dhs.org
> Enter passphrase for key '/home/david/.ssh/id_rsa':
> [ctrl-c'ed out of this]
> 
> [meanwhile, back on the server]
> [ david@bishop ] $ tail krb5kdc.log
> Jun 02 08:29:02 bishop krb5kdc[8989](info): AS_REQ (3 etypes {16 1 3})
> 192.168.0.2(16416): ISSUE: authtime 1054564142, etypes {rep=16 tkt=16
> ses=16}, david@BISHOP.DHS.ORG for krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
> 
> Jun 02 08:32:36 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3})
> 192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142,
> david@BISHOP.DHS.ORG for krbtgt/DHS.ORG@BISHOP.DHS.ORG, Server not found in
> Kerberos database
> <snip, repeated three more times>
> 
> But why does it say DHS.ORG/BISHOP.DHS.ORG?  One line above, it's
> BISHOP.DHS.ORG/BISHOP.DHS.ORG.  What changed?  And shouldn't it be something
> like david@DEBIAN/BISHOP.DHS.ORG, anyway?  I'm so lost and confused....
> 
> Well, if you got this far, thank you.  I've read through so much
> documentation, I think I'm going blind.  But there's so few "lead the newbie
> by the hand" stuff, it's kinda frustrating.  And if you've never dealt with
> krb stuff before in your life, it's very overwhelming...  Any pointers or
> tips (even to a complete newbie's FM) would be very greatly appreciated.
> Thanks!
> 
> --
> "Sorry about the whole 'bomb' thing" - Bruce Rollins
> D.A.Bishop
> 

-- 

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444