[OpenAFS] Kerberos 5, AFS, and no krb524d
Nicholas Henke
henken@seas.upenn.edu
09 Jun 2003 13:04:27 -0400
On Mon, 2003-06-09 at 11:41, Derek Atkins wrote:
>
> Oh, I would just use your own ID for now -- you can add a "role"
> account later. Or use henken/root@UPENN.EDU.
[snipped]
> The problem here is that it's not getting far enough to get to
> krb524d. If you klist after running this I bet you do NOT have
> an afs/roughneck.liniac.upenn.edu service ticket in your credential
> cache!
>
> See above about the DISALLOW_SVR attribute? This is preventing the
> TGS_REQ from happening, so aklog cannot get the afs credential. Fix
> your attributes to turn the afs principal into a service principal.
>
Thanks Derek -- adding afs/roughneck.liniac.upenn.edu as a service
principal fixed my problems with aklog (I think).
BTW -- I _REALLY_ appreciate all of the help and suggestions I have
received from the people on this list. I could not have asked for better
responses and patience.
Now... for the next issue :)
I can kinit as afsadmin/roughneck.liniac.upenn.edu and run aklog, but
AFS seems to refuse to see me as an authorized super-user:
[root@roughneck root]# kinit -p afsadmin/roughneck.liniac.upenn.edu
Password for afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU:
[root@roughneck root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Valid starting Expires Service principal
06/09/03 13:00:48 06/09/03 23:00:46 krbtgt/UPENN.EDU@UPENN.EDU
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@roughneck root]# ak
ak5log aklog
[root@roughneck root]# aklog -d
Authenticating to cell roughneck.liniac.upenn.edu (server
roughneck.liniac.upenn.edu).
We've deduced that we need to authenticate to realm UPENN.EDU.
Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
About to resolve name afsadmin.roughneck.liniac.upenn.edu to id in cell
roughneck.liniac.upenn.edu.
Id 4
Set username to AFS ID 4
Setting tokens. AFS ID 4 / @ UPENN.EDU
[root@roughneck root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Valid starting Expires Service principal
06/09/03 13:00:48 06/09/03 23:00:46 krbtgt/UPENN.EDU@UPENN.EDU
06/09/03 13:00:56 06/09/03 23:00:46
afs/roughneck.liniac.upenn.edu@UPENN.EDU
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@roughneck root]# tokens
Tokens held by the Cache Manager:
User's (AFS ID 4) tokens for afs@roughneck.liniac.upenn.edu [Expires
Jun 9 23:00]
--End of list--
[root@roughneck root]# bos listkeys roughneck.liniac.upenn.edu
bos: you are not authorized for this operation error encountered while
listing keys
What can I do to fix this? BTW -- I had to add the user
afsadmin.roughneck.liniac.upenn.edu with bos adduser and pts create to
get aklog to resolve afsadmin/roughneck.liniac.upenn.edu to an AFS UID.
Nic
--
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
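A small shell diagnostic, added here and not part of the thread, that runs the two checks the exchange above turns on against captured output: whether the credential cache holds an afs/<cell> service ticket (the ticket a DISALLOW_SVR flag on the afs principal stops aklog from obtaining), and whether the AFS-style name aklog derives from the Kerberos 5 principal is on the bos superuser list. The klist and bos listusers text is constructed from the thread, and the "SUserList: ..." line format and the slash-to-dot name mapping are assumptions.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Functions take captured text so
# they run offline; in real use feed them `klist` and `bos listusers <cell>`.

CELL="roughneck.liniac.upenn.edu"
REALM="UPENN.EDU"
PRINC="afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU"

# Constructed klist output, modelled on the one posted in the thread.
KLIST_OUT='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU
Valid starting     Expires            Service principal
06/09/03 13:00:48  06/09/03 23:00:46  krbtgt/UPENN.EDU@UPENN.EDU
06/09/03 13:00:56  06/09/03 23:00:46  afs/roughneck.liniac.upenn.edu@UPENN.EDU'

# Constructed `bos listusers` output; the "SUserList:" format is assumed.
BOS_USERS_OUT='SUserList: admin afsadmin.roughneck.liniac.upenn.edu'

# Returns 0 if the klist text ($1) lists an afs/<cell>@<realm> service
# ticket. Absence after aklog points at the afs principal's KDC attributes.
has_afs_ticket() {
    printf '%s\n' "$1" | grep -q "[[:space:]]afs/$CELL@$REALM\$"
}

# Maps a Kerberos 5 principal to the AFS user name aklog resolves it to:
# the first "/" becomes "." and a realm equal to $REALM is dropped
# (assumed mapping, matching afsadmin/... -> afsadmin.... in the thread).
afs_name_from_princ() {
    printf '%s\n' "$1" | sed -e "s|@$REALM\$||" -e 's|/|.|'
}

# Returns 0 if the bos listusers text ($2) names the AFS user ($1).
is_bos_superuser() {
    printf '%s\n' "$2" | tr ' ' '\n' | grep -qx "$1"
}

# Stand-alone report on the constructed data.
AFS_USER=$(afs_name_from_princ "$PRINC")
if has_afs_ticket "$KLIST_OUT"; then
    echo "afs/$CELL ticket: present"
else
    echo "afs/$CELL ticket: MISSING (check attributes of afs/$CELL)"
fi
if is_bos_superuser "$AFS_USER" "$BOS_USERS_OUT"; then
    echo "$AFS_USER: listed as bos superuser"
else
    echo "$AFS_USER: NOT a bos superuser (bos adduser needed)"
fi
```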