[OpenAFS] Trouble with AFS aklog - unable to obtain tokens - unknown cell passed to SetToken

Christian Ospelkaus christian@core-coutainville.org
Thu, 16 Oct 2003 09:35:20 +0200


On Wednesday, 15 October 2003 19:40 you wrote:
> Greetings,
>
> I'm working with Debian/Woody and AFS 1.2.9, MIT Kerberos
>
> I've recently set up a kerb 5 domain server (kdc1) with a 524 daemon
> and I'm now trying to set up an afs server (ali)
>
> When I run aklog, I get an error: unable to obtain tokens
>
> ali:/etc/openafs# kinit root/admin
> Password for root/admin@REALM.YADDA.WASHINGTON.EDU:
> ali:/etc/openafs#
> ali:/etc/openafs#
> ali:/etc/openafs# aklog yadda -k REALM.YADDA.WASHINGTON.EDU -d
> Authenticating to cell YADDA (server ali.yadda.washington.edu).
> We were told to authenticate to realm REALM.YADDA.WASHINGTON.EDU.
> Getting tickets: afs/YADDA@REALM.YADDA.WASHINGTON.EDU
> About to resolve name root.admin to id in cell YADDA.
> Id 1
> Set username to AFS ID 1
> Setting tokens. AFS ID 1 /  @ REALM.YADDA.WASHINGTON.EDU
> aklog: unable to obtain tokens for cell YADDA (status: unknown cell was
> passed to SetToken).
> ali:/etc/openafs#
>
>
> Here is my Kerberos Server log:
>
> Oct 15 10:05:40 kdc1.yadda.washington.edu krb5kdc[163](info): AS_REQ (2
> etypes {16 1}) 128.208.105.84(88): NEEDED_PREAUTH:
> root/admin@REALM.YADDA.WASHINGTON.EDU for
> krbtgt/REALM.YADDA.WASHINGTON.EDU@REALM.YADDA.WASHINGTON.EDU, Additional
> pre-authentication required
>
> Oct 15 10:05:44 kdc1.yadda.washington.edu krb5kdc[163](info): AS_REQ (2
> etypes {16 1}) 128.208.105.84(88): ISSUE: authtime 1066237544, etypes
> {rep=16 tkt=16 ses=16}, root/admin@REALM.YADDA.WASHINGTON.EDU for
> krbtgt/REALM.YADDA.WASHINGTON.EDU@REALM.YADDA.WASHINGTON.EDU
>
> Oct 15 10:05:48 kdc1.yadda.washington.edu krb5kdc[163](info): TGS_REQ (1
> etypes {1}) 128.208.105.84(88): ISSUE: authtime 1066237544, etypes
> {rep=16 tkt=16 ses=1}, root/admin@REALM.YADDA.WASHINGTON.EDU for
> afs/YADDA@REALM.YADDA.WASHINGTON.EDU
>
>
> And I can see traffic going from the machine I'm running "aklog" on
> to the Kerb server and back on port 4444 - which is the "kerb524d"
> so presumably, the ticket is being "translated" to the v4 syntax.
>
> What else can I look at to try to debug this problem?
>
> thanks,
>
> Matt