[OpenAFS] aklog Couldn't figure out realm

Derek Atkins warlord@MIT.EDU
Wed, 04 Feb 2004 10:37:26 -0500


David Miller <D.P.Miller@lse.ac.uk> writes:

> 1) When I run aklog to get the afs token I get this message:
> "aklog: Couldn't figure out realm for my.cell.name"
> If I run aklog, specifying the cell and kerberos realm (-k) it works fine.
> the aklog manpage says that those options are unnecessary except when
> the client is not properly configured. So how do I configure the
> client so it knows the kerberos realm ???

aklog looks at the db server name and then runs the krb5 hname to
realm canonicalization routine.  If your server is named fs.cell.name
then it will default to a kerberos realm of CELL.NAME and look for
that in krb5.conf.

You may need to modify the realms section of krb5.conf to specify the
realm mapping for your servers -- and you'll need to do that on ALL
krb5 clients -- if you don't follow the canonical default.

> 2) I can't get pam to fetch the afs token when logging in.
> pam_krb5 seems to work fine, I login and have a token that i can see
> with klist.
> but pam_openafs_session (aka pam_openafs-krb5) doesn't seem to run aklog.
> Would this be related to problem 1 ?
> after putting debug options in pam service files I get this

Probably, yes.

-derek
-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
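
Added example, not part of the original message and not aklog or libkrb5 code: a simplified Python model of the host-to-realm rule the reply describes. It assumes the mapping is read from the `[domain_realm]` section of krb5.conf (explicit entries first, otherwise the uppercased domain of the db server's hostname) and then checks whether the resulting realm is defined under `[realms]`. The krb5.conf text and all host and realm names are constructed placeholders.

```python
# Simplified model of the MIT krb5 host-to-realm rule; not aklog or libkrb5 code.
# The krb5.conf text and every host and realm name below are constructed placeholders.
SAMPLE = """
[realms]
    EXAMPLE.ORG = {
        kdc = kdc.example.org
    }

[domain_realm]
    .cell.example = EXAMPLE.ORG
"""

def parse_sections(conf_text):
    """Return {section: {top-level key: value}} for krb5.conf-style text."""
    sections, current, depth = {}, None, 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if depth == 0 and line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif line == "}":                        # end of a nested realm block
            depth -= 1
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if depth == 0:
                current[key] = value
            if value == "{":                     # start of a nested realm block
                depth += 1
    return sections

def guess_realm(hostname, conf_text):
    """Return (realm, rule, defined): the realm guessed for hostname, the rule
    that produced it, and whether that realm has an entry under [realms]."""
    sections = parse_sections(conf_text)
    mapping = {k.lower(): v for k, v in sections.get("domain_realm", {}).items()}
    labels = hostname.lower().rstrip(".").split(".")
    # Exact host name first, then each parent domain written with a leading dot.
    names = [".".join(labels)] + ["." + ".".join(labels[i:]) for i in range(1, len(labels))]
    for name in names:
        if name in mapping:
            realm, rule = mapping[name], "domain_realm entry " + name
            break
    else:  # no mapping: the default is the host's domain portion in upper case
        realm, rule = ".".join(labels[1:]).upper(), "default: uppercased domain"
    return realm, rule, realm in sections.get("realms", {})

if __name__ == "__main__":
    print(guess_realm("afsdb1.cell.example", SAMPLE))
    print(guess_realm("afsdb1.cell.example", SAMPLE.split("[domain_realm]")[0]))
```

With the mapping removed, the guessed realm is the uppercased cell domain and has no `[realms]` entry, which is the situation in which the realm has to be passed to aklog by hand.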