[OpenAFS] Heimdal and MIT Clients getting tokens

John Koyle jkoyle@rfpdepot.com
Tue, 02 Sep 2003 10:38:32 -0600


I'm using OpenAFS with a Heimdal KDC.  I have clients using both Heimdal
and MIT successfully.

The problem is when I ssh from a Heimdal client to an MIT client.  The
Kerberos ticket gets forwarded, but aklog can't convert it.  I'm
assuming this is due to the ticket being created with a Heimdal client,
because if I destroy the ticket and obtain a new one it works without
trouble.  Also, ssh to an MIT box from an MIT client works without
incident.  I'm using the gssapi patches with openssh 3.6.1.

Would installing Heimdal/afslog on all the clients allow me to convert
the forwarded ticket?

Since tokens are obtained during login via pam, this would cause a
problem with the pam module using the correct tool to convert a ticket
(in case the client is Heimdal or MIT).  Has anyone else run into this
problem?  What did you do to solve it?

Thanks,
John
jkoyle@koily:~$ klist
Credentials cache: FILE:/tmp/krb5cc_2006_jqNfjM
        Principal: jkoyle@RFPDEPOT.COM

  Issued           Expires          Principal
Sep  2 09:29:57  Sep  9 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
Sep  2 09:29:57  Sep  9 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
Sep  2 09:29:57  Sep  9 09:29:57  afs@RFPDEPOT.COM
Sep  2 10:22:36  Sep  9 09:29:57  host/suroth.rfpdepot.com@RFPDEPOT.COM

   V4-ticket file: /tmp/tkt2006_doBOQW
        Principal: jkoyle@RFPDEPOT.COM

  Issued           Expires          Principal
Sep  2 09:29:57  Sep  9 18:19:58  krbtgt.RFPDEPOT.COM@RFPDEPOT.COM
jkoyle@koily:~$ ssh -K suroth
Could not chdir to home directory /afs/rfpdepot.com/home/jkoyle:
Permission denied
/usr/bin/X11/xauth:  timeout in locking authority file
/afs/rfpdepot.com/home/jkoyle/.Xauthority
-bash: /afs/rfpdepot.com/home/jkoyle/.bash_profile: Permission denied
-bash-2.05b$ klist
Ticket cache: FILE:/tmp/krb5cc_2006_JS8656
Default principal: jkoyle@RFPDEPOT.COM

Valid starting     Expires            Service principal
09/02/03 10:26:08  09/09/03 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM


Kerberos 4 ticket cache: /tmp/tkt2006
klist: You have no tickets cached
-bash-2.05b$ aklog
aklog: Couldn't get rfpdepot.com AFS tickets:
aklog: No credentials found with supported encryption types while
getting AFS tickets
-bash-2.05b$ kdestroy
-bash-2.05b$ kinit
Password for jkoyle@RFPDEPOT.COM:
-bash-2.05b$ aklog
-bash-2.05b$ klist
Ticket cache: FILE:/tmp/krb5cc_2006_JS8656
Default principal: jkoyle@RFPDEPOT.COM

Valid starting     Expires            Service principal
09/02/03 10:26:40  09/09/03 10:26:40  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
09/02/03 10:26:43  09/09/03 10:26:40  afs@RFPDEPOT.COM


Kerberos 4 ticket cache: /tmp/tkt2006
klist: You have no tickets cached
-bash-2.05b$
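Added example (not part of the original post or of OpenAFS/Heimdal/MIT): a small Python parser for the two klist output formats quoted in the message above, Heimdal's ("Credentials cache:") and MIT's ("Ticket cache:"), which a login or pam wrapper could run to log whether an AFS service ticket is already in the cache before deciding whether aklog or afslog needs to run. The sample inputs are the three klist listings pasted in the post. The assumption that an AFS ticket may appear either as afs@REALM (the only form the post shows) or as afs/<cell>@REALM is mine.

```python
import re

# Constructed input: the klist outputs quoted in the post above, pasted
# verbatim. First the Heimdal format on the originating host, then MIT's
# format on the target host right after the forwarded login, then MIT's
# format after kdestroy/kinit/aklog succeeded.
HEIMDAL_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_2006_jqNfjM
        Principal: jkoyle@RFPDEPOT.COM

  Issued           Expires          Principal
Sep  2 09:29:57  Sep  9 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
Sep  2 09:29:57  Sep  9 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
Sep  2 09:29:57  Sep  9 09:29:57  afs@RFPDEPOT.COM
Sep  2 10:22:36  Sep  9 09:29:57  host/suroth.rfpdepot.com@RFPDEPOT.COM

   V4-ticket file: /tmp/tkt2006_doBOQW
        Principal: jkoyle@RFPDEPOT.COM

  Issued           Expires          Principal
Sep  2 09:29:57  Sep  9 18:19:58  krbtgt.RFPDEPOT.COM@RFPDEPOT.COM
"""

MIT_KLIST_FORWARDED = """\
Ticket cache: FILE:/tmp/krb5cc_2006_JS8656
Default principal: jkoyle@RFPDEPOT.COM

Valid starting     Expires            Service principal
09/02/03 10:26:08  09/09/03 09:29:57  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM


Kerberos 4 ticket cache: /tmp/tkt2006
klist: You have no tickets cached
"""

MIT_KLIST_AFTER_AKLOG = """\
Ticket cache: FILE:/tmp/krb5cc_2006_JS8656
Default principal: jkoyle@RFPDEPOT.COM

Valid starting     Expires            Service principal
09/02/03 10:26:40  09/09/03 10:26:40  krbtgt/RFPDEPOT.COM@RFPDEPOT.COM
09/02/03 10:26:43  09/09/03 10:26:40  afs@RFPDEPOT.COM


Kerberos 4 ticket cache: /tmp/tkt2006
klist: You have no tickets cached
"""

# A credential row ends with hh:mm:ss, whitespace, then a principal; both
# formats share that shape even though their date columns differ.
_ROW = re.compile(r"\d\d:\d\d:\d\d\s+(\S+@\S+)\s*$")
# Each implementation introduces its Kerberos 4 section with one of these.
_V4_SECTION = ("V4-ticket file:", "Kerberos 4 ticket cache:")


def parse_klist(output):
    """Parse the Kerberos 5 section of Heimdal or MIT klist output.

    Returns the detected client flavor, the client principal and the list
    of service principals in the cache. The V4 section is skipped because
    it uses a different principal syntax (krbtgt.REALM instead of krbtgt/REALM).
    """
    flavor, principal, services = "unknown", None, []
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith(_V4_SECTION):
            break
        if stripped.startswith("Credentials cache:"):
            flavor = "heimdal"
        elif stripped.startswith("Ticket cache:"):
            flavor = "mit"
        elif stripped.startswith(("Principal:", "Default principal:")):
            principal = stripped.split(":", 1)[1].strip()
        else:
            m = _ROW.search(stripped)
            if m:
                services.append(m.group(1))
    return {"flavor": flavor, "principal": principal, "services": services}


def has_afs_ticket(output, realm=None):
    """True if the cache already holds an AFS service ticket.

    Assumption: the ticket is named afs@REALM or afs/<cell>@REALM. If realm
    is given, tickets from other realms are ignored.
    """
    for svc in parse_klist(output)["services"]:
        name, _, svc_realm = svc.rpartition("@")
        if realm is not None and svc_realm != realm:
            continue
        if name == "afs" or name.startswith("afs/"):
            return True
    return False


def explain(output):
    """One-line diagnostic a login script could log before running aklog."""
    info = parse_klist(output)
    status = "present" if has_afs_ticket(output) else "missing"
    return "%s cache for %s: %d service ticket(s), AFS ticket %s" % (
        info["flavor"], info["principal"], len(info["services"]), status)


if __name__ == "__main__":
    for sample in (HEIMDAL_KLIST, MIT_KLIST_FORWARDED, MIT_KLIST_AFTER_AKLOG):
        print(explain(sample))
```

Run against the three listings it reports an AFS ticket present on the Heimdal side, missing on the MIT side right after the forwarded login (which is the state in which the post's aklog call fails), and present again after the fresh kinit plus aklog. The parser only says whether the ticket is there; it cannot tell why aklog rejected the forwarded credentials, so a wrapper should log aklog's own error text alongside this line.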