[OpenAFS] Kerberos 5, AFS, and no krb524d
Nicholas Henke
henken@seas.upenn.edu
09 Jun 2003 14:32:00 -0400
On Mon, 2003-06-09 at 14:19, Douglas E. Engert wrote:
> Nicholas Henke wrote:
> >
> > On Mon, 2003-06-09 at 11:59, Douglas E. Engert wrote:
> > > I think you are asking if the ak5log I have can run with the standard
> > > Kerberos krb524 lib and krb524d.
> >
> > Sorry for the confusion -- yes that is what I was asking.
> > I have gotten ak5log to compile and run -- and it appears to be
> > succeeding.
>
> Was this with afs/<cell>@<realm> or with afsx/<cell>@<realm>?
afs/roughneck.liniac.upenn.edu@UPENN.EDU -- note that this works for
aklog as well as your ak5log.
>
> Is this just an admin problem?
>
> Does it work with an ordinary user?
I am not sure -- I have not been able to even setup the toplevel of the
/afs space. So far it is just an admin problem.
>
> You are trying to use a multipart user name, which might be making it harder.
> If you had a principal like henkeadmin@<realm> and gave the AFS user henkeadmin
> all privilages and listed it in /usr/afs/etc/UserList, I think that would work.
> (Each of our AFS admins has his own account so we dont have a shared afsadmin.)
This would just include the membership in system:administrators and bos
adduser ? I have done this for my regular username:
[root@roughneck etc]# bos adduser roughneck.liniac.upenn.edu henken
-cell roughneck.liniac.upenn.edu -noauth
[root@roughneck etc]# pts createuser -name henken -cell
roughneck.liniac.upenn.edu -noauth
User henken has id 2
[root@roughneck etc]# pts adduser henken system:administrators -cell
roughneck.liniac.upenn.edu -noauth
[root@roughneck etc]# pts membership henken
libprot: a pioctl failed Could not get afs tokens, running
unauthenticated.
Groups henken (id: 2) is a member of:
system:administrators
After this I stop the running bosserver -noauth, kill it and start afs.
enken@roughneck henken $ klist
Ticket cache: FILE:/tmp/krb5cc_27659
Default principal: henken@UPENN.EDU
Valid starting Expires Service principal
06/09/03 14:26:30 06/10/03 00:26:27 krbtgt/UPENN.EDU@UPENN.EDU
Kerberos 4 ticket cache: /tmp/tkt27659
klist: You have no tickets cached
henken@roughneck henken $ aklog -d
Authenticating to cell roughneck.liniac.upenn.edu (server
roughneck.liniac.upenn.edu).
We've deduced that we need to authenticate to realm UPENN.EDU.
Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
About to resolve name henken to id in cell roughneck.liniac.upenn.edu.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 / @ UPENN.EDU
henken@roughneck henken $ bos listusers roughneck.liniac.upenn.edu
SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
henken@roughneck henken $ bos listkeys roughneck.liniac.upenn.edu
bos: you are not authorized for this operation error encountered while
listing keys
>
> If you must use the multpart name, I don't think it gets converted
> like you might want. The krb524d appears to eventially call the
> krb5_524_conv_principal routine, and I don't see afsadmin listed.
What other information can I provide ? It seems like I get the same
errors regardless of the use of ak5log over aklog or vice-versa. They
seem to be hitting the same problem.
Nic
--
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania