[OpenAFS] Kerberos 5, AFS, and no krb524d
Douglas E. Engert
deengert@anl.gov
Mon, 09 Jun 2003 15:55:01 -0500
Nicholas Henke wrote:
>
> On Mon, 2003-06-09 at 15:56, Douglas E. Engert wrote:
> henken@roughneck henken $ ak5log -d
> Authenticating to cell roughneck.liniac.upenn.edu.
> Getting tickets: afs/roughneck.liniac.upenn.edu@UPENN.EDU
> About to resolve name henken to id
> Id 2
> Set username to AFS ID 2
> Setting tokens. AFS ID 2 / @ UPENN.EDU
What does the aklog do in this situation? This is ak5log.
> henken@roughneck henken $ klist
> Ticket cache: FILE:/tmp/krb5cc_27659
> Default principal: henken@UPENN.EDU
>
> Valid starting Expires Service principal
> 06/09/03 15:59:06 06/10/03 01:59:05 krbtgt/UPENN.EDU@UPENN.EDU
> 06/09/03 16:00:46 06/10/03 01:59:05 afs/roughneck.liniac.upenn.edu@UPENN.EDU
>
> Kerberos 4 ticket cache: /tmp/tkt27659
> klist: You have no tickets cached
> henken@roughneck henken $ tok
> tokens tokens.krb
> henken@roughneck henken $ tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 2) tokens for afs@roughneck.liniac.upenn.edu [Expires Jun 10 01:55]
> --End of list--
>
> >
> > Also do a klist and tokens commands after to see what else has changed.
> >
> > But this looks strange, I would have expected it to say:
> >
> > Setting tokens. AFS ID 2 / @ roughneck.liniac.upenn.edu
> >
> > I would expect the cell name here, not the K5 realm name.
> > But you are running the aklog and the unmodified krb524 code. Our code in
> > ak5log and in the conv_princ.c would have done this:
>
> It does not look like this is happening -- fyi, there is no conv_princ.c in the ak5log.30020606.tar. Did I grab the wrong source?
No, the conv_princ.c was on the server side in the krb524 code.
But as I said, you are trying to run the ak5log with the standard krb524d,
something I am not doing.
I would have expected Derek's /usr/afs/etc/Realms to have solved your problem.
>
> >
> > ! *
> > ! * If the client is in the same K5 realm as this server, then this
> > ! * K5 realm is considered to be able to hand out tickets for the
> > ! * AFS cell(s). We need to make it look like to AFS that the user
> > ! * is in the AFS cell, so we set the clients prealm to match the
> > ! * AFS cell name. But we don't want to do this if the client
> > ! * is not in the same K5 realm, since AFS does some cross cell
> > ! * authentication, and this would violate that. The user should
> > ! * still look like he is in the foriegn K5 realm.
> > ! */
> > ! if (!strcmp(sname, "afsx")) {
> > ! if (!strcmp(prealm, dummy))
> > ! strcpy(prealm, sinst) ;
> > ! strcpy(sname,"afs");
> > ! *sinst = '\0';
> > ! *afsflag = 1; /* set that this is AFS and princ was changed */
> > ! } else
> > ! #endif /* AFS524 */
> > ! *afsflag = 0; /* with or without the AFS524, set to zero */
> > ! return(0);
> > }
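Review bot: the `} else` on the AFS524 branch binds across `#endif /* AFS524 */` to `*afsflag = 0;`, so the same statement is the else body when AFS524 is defined and an unconditional assignment when it is not; the comment says this is intended, but a dangling else across a preprocessor boundary is easy to break on the next edit, so consider assigning `*afsflag = 0;` before the `#ifdef` and only setting it to 1 inside the AFS branch, with braces on the `if`. Separately, `strcpy(prealm, sinst);` copies the cell name into the realm buffer without a length check; the size of `prealm` is not visible in this hunk, so a `strlen(sinst) < <prealm size>` check (or a bounded copy) before the `strcpy` would avoid overrunning it on a long cell name.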
> >
> >
> > >
> > > henken@roughneck henken $ bos listusers roughneck.liniac.upenn.edu
> > > SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
> > >
> > > henken@roughneck henken $ bos listkeys roughneck.liniac.upenn.edu
> > > bos: you are not authorized for this operation error encountered while listing keys
> > >
> >
> > You need a token for one of the people on the SUsers list above.
>
> I am guessing that I am not getting this due to the:
> Setting tokens. AFS ID 2 / @ UPENN.EDU
> instead of roughneck.liniac.upenn.edu.
Yes, me too. But don't see why.
>
> Nic
> --
> Nicholas Henke
> Penguin Herder & Linux Cluster System Programmer
> Liniac Project - Univ. of Pennsylvania
--
Douglas E. Engert <DEEngert@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
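The point of the thread is that, when the client's Kerberos 5 realm is the one issuing the afs/cell service ticket, the token should show the user as a member of the cell (henken @ roughneck.liniac.upenn.edu) rather than of the realm (henken @ UPENN.EDU), while a client from a foreign realm keeps that realm so cross-cell authentication still applies. The following is an added, self-contained C illustration of that rule with bounds-checked copies; it is not OpenAFS, ak5log or krb524 code. The principal strings come from the klist output quoted above; the visitor@OTHER.EXAMPLE principal and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not the ak5log/krb524 implementation: the
 * realm-to-cell rewrite discussed in the thread, with length checks. */
#define NAME_MAX_LEN 256

struct afs_identity {
    char user[NAME_MAX_LEN];
    char cell_or_realm[NAME_MAX_LEN]; /* what AFS shows after the "@" */
    int is_local;                     /* 1 if realm was replaced by cell */
};

/* Split "name@REALM" into its parts. Returns 0 on success, -1 on error. */
static int split_principal(const char *princ, char *name, size_t nlen,
                           char *realm, size_t rlen)
{
    const char *at = strrchr(princ, '@');
    if (!at || at == princ || at[1] == '\0') return -1;
    size_t n = (size_t)(at - princ);
    if (n >= nlen || strlen(at + 1) >= rlen) return -1;
    memcpy(name, princ, n);
    name[n] = '\0';
    strcpy(realm, at + 1); /* length checked above */
    return 0;
}

/* Split "afs/cell@REALM" into cell and realm; rejects non-afs services. */
static int split_afs_service(const char *sprinc, char *cell, size_t clen,
                             char *realm, size_t rlen)
{
    char sname[NAME_MAX_LEN];
    if (split_principal(sprinc, sname, sizeof sname, realm, rlen) != 0) return -1;
    char *slash = strchr(sname, '/');
    if (slash) {
        *slash = '\0';
        if (strlen(slash + 1) >= clen) return -1;
        strcpy(cell, slash + 1); /* length checked above */
    } else {
        cell[0] = '\0';
    }
    return strcmp(sname, "afs") == 0 ? 0 : -1;
}

/* If the client's realm equals the realm that issued the afs/cell ticket,
 * present the user as a member of the cell; otherwise keep the foreign realm. */
int map_to_afs_identity(const char *client_princ, const char *service_princ,
                        struct afs_identity *out)
{
    char crealm[NAME_MAX_LEN], cell[NAME_MAX_LEN], srealm[NAME_MAX_LEN];
    if (split_principal(client_princ, out->user, sizeof out->user,
                        crealm, sizeof crealm) != 0) return -1;
    if (split_afs_service(service_princ, cell, sizeof cell,
                          srealm, sizeof srealm) != 0) return -1;
    if (cell[0] != '\0' && strcmp(crealm, srealm) == 0) {
        snprintf(out->cell_or_realm, sizeof out->cell_or_realm, "%s", cell);
        out->is_local = 1;
    } else {
        snprintf(out->cell_or_realm, sizeof out->cell_or_realm, "%s", crealm);
        out->is_local = 0;
    }
    return 0;
}

/* Convenience wrapper returning only the "@" part; NULL if parsing fails.
 * Uses a static buffer, so it is not reentrant. */
const char *mapped_cell_or_realm(const char *client_princ, const char *service_princ)
{
    static struct afs_identity id;
    if (map_to_afs_identity(client_princ, service_princ, &id) != 0) return NULL;
    return id.cell_or_realm;
}

int main(void)
{
    struct afs_identity id;
    /* Principals taken from the klist output in the thread */
    if (map_to_afs_identity("henken@UPENN.EDU",
                            "afs/roughneck.liniac.upenn.edu@UPENN.EDU", &id) == 0)
        printf("Setting tokens. %s @ %s (local=%d)\n", id.user, id.cell_or_realm, id.is_local);
    /* Constructed foreign-realm client: the realm is kept */
    if (map_to_afs_identity("visitor@OTHER.EXAMPLE",
                            "afs/roughneck.liniac.upenn.edu@UPENN.EDU", &id) == 0)
        printf("Setting tokens. %s @ %s (local=%d)\n", id.user, id.cell_or_realm, id.is_local);
    return 0;
}
```

Run as-is it prints the local case with the cell name and the foreign case with the client's realm; a non-afs service principal or a principal without "@" is rejected rather than mapped.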