[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
09 Jun 2003 13:04:27 -0400


On Mon, 2003-06-09 at 11:41, Derek Atkins wrote:
> 
> Oh, I would just use your own ID for now -- you can add a "role"
> account later.  Or use henken/root@UPENN.EDU.

[snipped]

> The problem here is that it's not getting far enough to get to
> krb524d.  If you klist after running this I bet you do NOT have
> an afs/roughneck.liniac.upenn.edu service ticket in your credential
> cache!
> 
> See above about the DISALLOW_SVR attribute?  This is preventing the
> TGS_REQ from happening, so aklog cannot get the afs credential.  Fix
> your attributes to turn the afs principal into a service principal.
> 

Thanks Derek -- adding afs/roughneck.liniac.upenn.edu as a service
principal fixed my problems with aklog (I think).

BTW -- I _REALLY_ appreciate all of the help and suggestions I have
received from the people on this list. I could not have asked for better
responses and patience.

Now... for the next issue :)

I can kinit as afsadmin/roughneck.liniac.upenn.edu and run aklog, but
AFS seems to refuse to see me as an authorized super-user:

[root@roughneck root]# kinit -p afsadmin/roughneck.liniac.upenn.edu
Password for afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU:
[root@roughneck root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU

Valid starting     Expires            Service principal
06/09/03 13:00:48  06/09/03 23:00:46  krbtgt/UPENN.EDU@UPENN.EDU


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@roughneck root]# ak
ak5log  aklog
[root@roughneck root]# aklog -d
Authenticating to cell roughneck.liniac.upenn.edu (server
roughneck.liniac.upenn.edu).
We've deduced that we need to authenticate to realm UPENN.EDU.
Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
About to resolve name afsadmin.roughneck.liniac.upenn.edu to id in cell
roughneck.liniac.upenn.edu.
Id 4
Set username to AFS ID 4
Setting tokens. AFS ID 4 /  @ UPENN.EDU
[root@roughneck root]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU

Valid starting     Expires            Service principal
06/09/03 13:00:48  06/09/03 23:00:46  krbtgt/UPENN.EDU@UPENN.EDU
06/09/03 13:00:56  06/09/03 23:00:46  afs/roughneck.liniac.upenn.edu@UPENN.EDU


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@roughneck root]# tokens

Tokens held by the Cache Manager:

User's (AFS ID 4) tokens for afs@roughneck.liniac.upenn.edu [Expires
Jun  9 23:00]
   --End of list--

[root@roughneck root]# bos listkeys roughneck.liniac.upenn.edu
bos: you are not authorized for this operation error encountered while
listing keys

What can I do to fix this? BTW -- I had to add the user
afsadmin.roughneck.liniac.upenn.edu with bos adduser and pts create to
get aklog to resolve afsadmin/roughneck.liniac.upenn.edu to an AFS UID.

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
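Two checks that fall out of the exchange above, written up as an added example (not code from the thread or from OpenAFS): first, Derek's test that the credential cache really contains an afs/<cell> service ticket after aklog (if it is missing, the TGS_REQ for the service never succeeded and aklog cannot have obtained a token); second, the principal-to-AFS-name mapping that `aklog -d` printed (the `/` instance separator becomes `.`, and the realm is dropped when it is the cell's own realm), checked against the names in a bos UserList, since bos only treats a token as a super-user's if its name appears there verbatim. The sample klist output and UserList are constructed inline; the foreign-realm form `name@realm` with the realm lowercased is an assumption about aklog's behaviour, not something shown on the page.

```python
"""Kerberos 5 / aklog diagnostics: service-ticket presence and the
principal -> AFS name mapping checked against a bos UserList.

Added example, not from the original thread. Assumptions: the cell's
realm is the one aklog "deduced" (UPENN.EDU); for a principal from a
foreign realm the derived name is written as name@realm with the realm
lowercased (assumed convention; verify against your aklog).
"""


def principal_to_afs_name(principal: str, cell_realm: str) -> str:
    """Map primary/instance@REALM to the name aklog looks up in the PRDB.

    '/' (instance separator) becomes '.'; a realm equal to the cell's
    realm is dropped; a foreign realm is appended after '@'.
    """
    if "@" in principal:
        name, realm = principal.rsplit("@", 1)
    else:
        name, realm = principal, cell_realm  # no realm given: assume local
    afs_name = name.replace("/", ".")
    if realm.upper() != cell_realm.upper():
        afs_name += "@" + realm.lower()  # assumption: foreign realm lowercased
    return afs_name


def has_afs_service_ticket(klist_output: str, cell: str) -> bool:
    """True if the klist listing holds a ticket for afs/<cell>@REALM.

    The older afs@REALM form is accepted as a fallback. A krbtgt entry
    alone means the TGS_REQ for the afs service did not succeed.
    """
    wanted = (f"afs/{cell}@", "afs@")
    for line in klist_output.splitlines():
        parts = line.split()
        # ticket rows: start date, start time, expiry date, expiry time, principal
        if len(parts) >= 5 and parts[-1].startswith(wanted):
            return True
    return False


def userlist_names(userlist_text: str) -> set:
    """Parse the contents of /usr/afs/etc/UserList: one name per line."""
    return {line.strip() for line in userlist_text.splitlines() if line.strip()}


def is_bos_superuser(principal: str, cell_realm: str, userlist_text: str) -> bool:
    """Would bos accept a token obtained with this principal as a super-user's?

    Only the exact derived name counts; 'afsadmin' and
    'afsadmin.roughneck.liniac.upenn.edu' are different UserList entries.
    """
    return principal_to_afs_name(principal, cell_realm) in userlist_names(userlist_text)


# Constructed sample data (not captured from the thread's machine).
KLIST_BEFORE_AKLOG = """\
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU

Valid starting     Expires            Service principal
06/09/03 13:00:48  06/09/03 23:00:46  krbtgt/UPENN.EDU@UPENN.EDU
"""

KLIST_AFTER_AKLOG = KLIST_BEFORE_AKLOG + (
    "06/09/03 13:00:56  06/09/03 23:00:46  "
    "afs/roughneck.liniac.upenn.edu@UPENN.EDU\n"
)

SAMPLE_USERLIST = """\
admin
afsadmin.roughneck.liniac.upenn.edu
"""

CELL = "roughneck.liniac.upenn.edu"
CELL_REALM = "UPENN.EDU"

if __name__ == "__main__":
    for label, listing in (("before", KLIST_BEFORE_AKLOG), ("after", KLIST_AFTER_AKLOG)):
        print(f"afs service ticket {label} aklog:", has_afs_service_ticket(listing, CELL))
    for princ in ("afsadmin/roughneck.liniac.upenn.edu@UPENN.EDU",
                  "henken/root@UPENN.EDU",
                  "henken@EXAMPLE.ORG"):
        print(princ, "->", principal_to_afs_name(princ, CELL_REALM),
              "superuser:", is_bos_superuser(princ, CELL_REALM, SAMPLE_USERLIST))
```

The UserList check only tells you whether the name matches; if it does and bos still answers "you are not authorized", the next thing to compare is the key the fileserver/bosserver holds in KeyFile against the afs principal's key in the KDC, since a token sealed with a key the server cannot decrypt is treated as unauthenticated.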