[OpenAFS] kerberos problems
Douglas E. Engert
deengert@anl.gov
Mon, 02 Jun 2003 09:49:42 -0500
It's trying to do cross realm, from BISHOP.DHS.ORG to DHS.ORG
It is assuming the sshd server bishop.dhs.org is in realm DHS.ORG
Add a [domain_realm] section to the krb5.conf with
.dhs.org = BISHOP.DHS.ORG
David Bishop wrote:
>
> I know this isn't a kerberos-specific list, but as I'm only krb'ing my setup
> in order to use afs, I feel I'm justified in writing :-) If there is a
> better list to use, I'd be happy to go there instead...
>
> The problem is that I am unable to actually use any of the tickets that I get
> from my kerberos server. I can run kinit, and get a ticket, and if I use the
> wrong password, I get an error (i.e., all that's working). However, when I
> try to connect to the server via, say, ssh, it doesn't work. I'll copy &
> paste the output of the various commands below. To clarify, BISHOP.DHS.ORG
> is the name of my realm *and* the name of my dns-domain *and* the actual name
> of my server. And my client is debian.bishop.dhs.org (not visible to the
> "outside" world).
>
> [ david@debian ] $ klist
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: david@BISHOP.DHS.ORG
> Valid starting Expires Service principal
> 06/02/03 08:29:02 06/02/03 18:29:02 krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
> Kerberos 4 ticket cache: /tmp/tkt1000
> klist: You have no tickets cached
> [ david@debian ] $ ssh bishop.dhs.org
> Enter passphrase for key '/home/david/.ssh/id_rsa':
> [ctrl-c'ed out of this]
>
> [meanwhile, back on the server]
> [ david@bishop ] $ tail krb5kdc.log
> Jun 02 08:29:02 bishop krb5kdc[8989](info): AS_REQ (3 etypes {16 1 3})
> 192.168.0.2(16416): ISSUE: authtime 1054564142, etypes {rep=16 tkt=16
> ses=16}, david@BISHOP.DHS.ORG for krbtgt/BISHOP.DHS.ORG@BISHOP.DHS.ORG
>
> Jun 02 08:32:36 bishop krb5kdc[8989](info): TGS_REQ (3 etypes {16 1 3})
> 192.168.0.2(16416): UNKNOWN_SERVER: authtime 1054564142,
> david@BISHOP.DHS.ORG for krbtgt/DHS.ORG@BISHOP.DHS.ORG, Server not found in
> Kerberos database
> <snip, repeated three more times>
>
> But why does it say DHS.ORG/BISHOP.DHS.ORG? One line above, it's
> BISHOP.DHS.ORG/BISHOP.DHS.ORG. What changed? And shouldn't it be something
> like david@DEBIAN/BISHOP.DHS.ORG, anyway? I'm so lost and confused....
>
> Well, if you got this far, thank you. I've read through so much
> documentation, I think I'm going blind. But there's so few "lead the newbie
> by the hand" stuff, it's kinda frustrating. And if you've never dealt with
> krb stuff before in your life, it's very overwhelming... Any pointers or
> tips (even to a complete newbie's FM) would be very greatly appreciated.
> Thanks!
>
> --
> "Sorry about the whole 'bomb' thing" - Bruce Rollins
> D.A.Bishop
>
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
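To make the realm-mapping logic behind the reply above concrete, here is an added example (not code from the thread or from MIT Kerberos itself) that reimplements, in simplified form, how a client picks the realm for a server host: exact host entries in [domain_realm] first, then the longest matching ".domain" entry, and finally the fallback of upper-casing the host's parent domain. The constructed config below is the one-line fix suggested in the reply; it shows why the KDC log asked for krbtgt/DHS.ORG@BISHOP.DHS.ORG before the fix and stops doing so after it.

```python
# Added example, not from the mailing-list thread. The lookup order and the
# fallback heuristic are simplified from the krb5.conf [domain_realm]
# documentation; the sample config is constructed for illustration.

# Constructed [domain_realm] section matching the suggested fix.
DOMAIN_REALM_FIXED = {
    ".dhs.org": "BISHOP.DHS.ORG",
}


def realm_for_host(host: str, domain_realm: dict) -> str:
    """Map a server host name to a Kerberos realm.

    1. An exact host entry in [domain_realm] wins.
    2. Otherwise the longest matching ".domain" entry wins.
    3. With no match, fall back to the historic heuristic: drop the host
       label and upper-case the parent domain (bishop.dhs.org -> DHS.ORG).
    """
    host = host.lower().rstrip(".")
    if host in domain_realm:
        return domain_realm[host]
    labels = host.split(".")
    # Try ".dhs.org" before ".org": longest suffix first.
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in domain_realm:
            return domain_realm[suffix]
    return ".".join(labels[1:]).upper()


def tgs_request_principal(client_realm: str, host: str, domain_realm: dict) -> str:
    """Principal the client asks its own KDC for first.

    If the server realm differs from the client realm, the client needs a
    cross-realm TGT, krbtgt/<server realm>@<client realm>; an unknown one
    produces the UNKNOWN_SERVER entry seen in the quoted krb5kdc.log.
    Otherwise it asks directly for the host service principal.
    """
    server_realm = realm_for_host(host, domain_realm)
    if server_realm != client_realm:
        return f"krbtgt/{server_realm}@{client_realm}"
    return f"host/{host}@{server_realm}"


if __name__ == "__main__":
    for cfg in ({}, DOMAIN_REALM_FIXED):
        print(tgs_request_principal("BISHOP.DHS.ORG", "bishop.dhs.org", cfg))
```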