[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
09 Jun 2003 16:07:48 -0400


On Mon, 2003-06-09 at 15:56, Douglas E. Engert wrote:
henken@roughneck henken $ ak5log -d
Authenticating to cell roughneck.liniac.upenn.edu.
Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
About to resolve name henken to id
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ UPENN.EDU
henken@roughneck henken $ klist
Ticket cache: FILE:/tmp/krb5cc_27659
Default principal: henken@UPENN.EDU

Valid starting     Expires            Service principal
06/09/03 15:59:06  06/10/03 01:59:05  krbtgt/UPENN.EDU@UPENN.EDU
06/09/03 16:00:46  06/10/03 01:59:05 
afs/roughneck.liniac.upenn.edu@UPENN.EDU


Kerberos 4 ticket cache: /tmp/tkt27659
klist: You have no tickets cached
henken@roughneck henken $ tok
tokens      tokens.krb
henken@roughneck henken $ tokens

Tokens held by the Cache Manager:

User's (AFS ID 2) tokens for afs@roughneck.liniac.upenn.edu [Expires Jun 10 01:55]
   --End of list--


> 
> Also do a klist and tokens commands after to see what else has changed.
> 
> But this looks strange, I would have expected it to say:
> 
>   Setting tokens. AFS ID 2 /  @ roughneck.liniac.upenn.edu
> 
> I would expect the cell name here, not the K5 realm name.
> But you are running the aklog and the unmodified krb524 code. Our code in
> ak5log and in the conv_princ.c would have done this:

It does not look like this is happening -- FYI, there is no conv_princ.c
in the ak5log.30020606.tar. Did I grab the wrong source?

> 
> !  *
> !  * If the client is in the same K5 realm as this server, then this
> !  * K5 realm is considered to be able to hand out tickets for the
> !  * AFS cell(s). We need to make it look like to AFS that the user
> !  * is in the AFS cell, so we set the clients prealm to match the
> !  * AFS cell name. But we don't want to do this if the client
> !  * is not in the same K5 realm, since AFS does some cross cell
> !  * authentication, and this would violate that. The user should
> !  * still look like he is in the foriegn K5 realm.
> !  */
> !      if (!strcmp(sname, "afsx")) {
> !        if (!strcmp(prealm, dummy))
> !          strcpy(prealm, sinst) ;
> !         strcpy(sname,"afs");
> !         *sinst = '\0';
> !        *afsflag = 1; /* set that this is AFS and princ was changed */
> !      } else
> ! #endif /* AFS524 */
> !      *afsflag = 0; /* with or without the AFS524, set to zero */
> !      return(0);
>   } 
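Review bot: the inner `if (!strcmp(prealm, dummy))` has no braces, so only `strcpy(prealm, sinst);` is conditional, while `strcpy(sname,"afs");`, `*sinst = '\0';` and `*afsflag = 1;` run for every "afsx" principal regardless of realm; the indentation of those three lines suggests the opposite. The comment above says that is the intent (foreign-realm clients keep their own realm but still get the service name rewritten), so add braces around the single `strcpy(prealm, sinst);` to make that explicit and stop the next edit from silently changing the behaviour. Also, `strcpy(prealm, sinst)` copies a cell name into the realm buffer with no length check; cell names such as `roughneck.liniac.upenn.edu` in the klist output above can be longer than the realm that buffer was sized for, so bound the copy to the size of `prealm` (a length check that returns an error, or `strncpy` plus explicit NUL termination). Finally, the `else` whose body is the `*afsflag = 0;` after `#endif /* AFS524 */` only exists when AFS524 is defined; that matches the "with or without the AFS524" comment, but a brace-delimited `else { ... }` inside the `#ifdef` would make the two build configurations easier to read.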
> 
> 
> > 
> > henken@roughneck henken $ bos listusers roughneck.liniac.upenn.edu
> > SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
> > 
> > henken@roughneck henken $ bos listkeys roughneck.liniac.upenn.edu
> > bos: you are not authorized for this operation error encountered while
> > listing keys
> > 
> 
> You need a token for one of the people on the SUsers list above.

I am guessing that I am not getting this due to the:
 Setting tokens. AFS ID 2 /  @ UPENN.EDU
instead of roughneck.liniac.upenn.edu. 

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania