[OpenAFS] Kerberos 5, AFS, and no krb524d

Nicholas Henke henken@seas.upenn.edu
09 Jun 2003 19:59:07 -0400


On Mon, 2003-06-09 at 17:40, Douglas E. Engert wrote:
> Derek Atkins wrote:
> > 
> > Nicholas Henke <henken@seas.upenn.edu> writes:
> > 
> > > Hrm -- is it possible that the afs token is getting munged at some
> > > point? I have not looked at the source, but what would prevent me from
> > > doing bos listkeys but not bos listusers?
> > 
> > listkeys requires you to be in the SUsers list; listusers does not.
> 
> I tried it on my cell, and it looks like you also have to have a token to
> see the listkeys. So it might be the token is bad. Wrong key?
> 
> Clock sync to within 5 minutes?
> 
> Using the production krb524d and not the one he thought it was?

Well -- I guess it was about time I fired up gdb and saw what the heck
was actually happening :)

Take a look at src/auth/userok.c in the afsconf_SuperUser function. It
is getting 'roughneck.liniac.upenn.edu' for the local cell name and
local realm name, but 'UPENN.EDU' for the tcell name -- hence when it
tries to do a lookup, it has to do a lookup where the cell of the
connection does not match the local cell and it does a lookup for
henken.UPENN.EDU or not henken, and the lookup fails. Fun, eh?

Now... what is the proper way to use this, or fix it?

Nic
-- 
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
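As an added illustration (not code from this thread or from OpenAFS itself), the following is a simplified reconstruction of the name mapping Nic describes in afsconf_SuperUser: the cell carried in the token is compared with the server's idea of its local cell, and a mismatch turns the bare name into a cell-qualified one that is absent from UserList. The UserList contents, the case-insensitive comparison and the "name.CELL" join are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Illustrative reconstruction of the mapping described in the mail, not
 * OpenAFS's real userok.c: if the token's cell matches the server's local
 * cell/realm, the bare user name is looked up in UserList; otherwise the
 * name is qualified with the token's cell and that form is looked up. */

/* Constructed UserList: only the bare local names are listed. */
static const char *const kUserList[] = { "henken", "admin" };
static const size_t kUserListLen = sizeof kUserList / sizeof kUserList[0];

/* Build the name that would be looked up in UserList. tname/tcell come
 * from the token; localcell is what the server believes its cell to be. */
static const char *superuser_lookup_name(const char *tname, const char *tcell,
                                         const char *localcell,
                                         char *out, size_t outlen)
{
    if (tcell[0] == '\0' || strcasecmp(tcell, localcell) == 0)
        snprintf(out, outlen, "%s", tname);           /* local: bare name */
    else
        snprintf(out, outlen, "%s.%s", tname, tcell);  /* foreign: qualified */
    return out;
}

/* 1 if the mapped name is present in userlist, else 0. */
static int is_superuser(const char *tname, const char *tcell,
                        const char *localcell,
                        const char *const *userlist, size_t n)
{
    char mapped[256];
    size_t i;
    superuser_lookup_name(tname, tcell, localcell, mapped, sizeof mapped);
    for (i = 0; i < n; i++)
        if (strcmp(userlist[i], mapped) == 0)
            return 1;
    return 0;
}

int main(void)
{
    /* First entry mirrors the misconfiguration in the mail: local cell is
     * the host name, so the UPENN.EDU token never matches the bare name. */
    const char *cells[] = { "roughneck.liniac.upenn.edu", "upenn.edu" };
    char mapped[256];
    for (size_t i = 0; i < 2; i++)
        printf("localcell=%-28s lookup=%-18s superuser=%d\n", cells[i],
               superuser_lookup_name("henken", "UPENN.EDU", cells[i], mapped, sizeof mapped),
               is_superuser("henken", "UPENN.EDU", cells[i], kUserList, kUserListLen));
    return 0;
}
```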