[OpenAFS] OSX kerberos plugin fails with multiple principals
Henry B. Hotz
hotz@jpl.nasa.gov
Fri, 21 Mar 2003 11:48:53 -0800
This is Alexei's plugin. I haven't tried Ragnar's. I can't be
certain which prompt is from which part of the system, but I had the
passwords set the same in the institutional server as in my own
Heimdal server for this test.

[dhcp-78-212-233:~] hotz% kinit hotz@JPL.NASA.GOV
Kerberos Login:
Please enter the password for hotz@JPL.NASA.GOV:
[dhcp-78-212-233:~] hotz% klist -A
Kerberos 4 ticket cache: 'Initial default ccache'
Default Principal: hotz@JPL.NASA.GOV
Issued Expires Service Principal
03/21/03 11:26:53 03/21/03 21:26:53 krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
03/21/03 11:26:56 03/21/03 21:26:56 afs@JPL.NASA.GOV
[dhcp-78-212-233:~] hotz% tokens
Tokens held by the Cache Manager:
User's (AFS ID 1989) tokens for afs@jpl.nasa.gov [Expires Mar 21 21:26]
--End of list--
[dhcp-78-212-233:~] hotz% kinit hotz@HOTZ.JPL.NASA.GOV
Kerberos Login:
Please enter the password for hotz@HOTZ.JPL.NASA.GOV:
Kerberos Login:
Please enter your principal name: hotz
Please enter the password for hotz@JPL.NASA.GOV:
Segmentation fault
[dhcp-78-212-233:~] hotz% klist -A
Kerberos 4 ticket cache: 'Initial default ccache'
Default Principal: hotz@JPL.NASA.GOV
Issued Expires Service Principal
03/21/03 11:28:01 03/21/03 21:28:01 krbtgt.JPL.NASA.GOV@JPL.NASA.GOV
03/21/03 11:28:09 03/21/03 21:28:09 afs@JPL.NASA.GOV
-------------------------------------------------------------------------------
Kerberos 5 ticket cache: 'API:0'
Default Principal: hotz@HOTZ.JPL.NASA.GOV
Valid Starting Expires Service Principal
03/21/03 11:27:51 03/21/03 21:27:52 krbtgt/HOTZ.JPL.NASA.GOV@HOTZ.JPL.NASA.GOV
[dhcp-78-212-233:~] hotz% tokens
Tokens held by the Cache Manager:
User's (AFS ID 1989) tokens for afs@jpl.nasa.gov [Expires Mar 21 21:28]
--End of list--
[dhcp-78-212-233:~] hotz%

I just noticed something interesting. Even though the plugin (or
something) segfaulted, the afs ticket (and the token) did get updated
expiration times.

Now the way I think this *should* work is it should get the
afs@HOTZ.JPL.NASA.GOV ticket and add it to the API:0 ticket cache.
It probably should fail creating the token somewhere since I'm not
actually running a hotz.jpl.nasa.gov AFS cell. Also it shouldn't
prompt for the password the second time, of course.

I don't actually need this capability, you understand. I'm really
pleased with what I've got from the OpenAFS community. Thank you all!
--
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu