[OpenAFS] aklog: unable to obtain tokens for cell folkvang.org (status: 11862791).

Kevin openafs@gnosys.biz
Tue, 10 Feb 2004 01:24:26 -0500


Thanks for the reply, Derrick.

On Tuesday 10 February 2004 00:42, Derrick J Brashear wrote:
> On Tue, 10 Feb 2004, Kevin wrote:
> > So it seemed to be looking for a krb524 library, and in my newly
> > built (and functional) 1.3.1 Kerberos system, I don't have such a
> > library. Guessing that the code that used to be in this library is
> > now in some other library (probably already linked against in the
> > build attempt), I just renamed the krb524 library in the Makefile to
> > krb5 and tried again.
>
> It's possible they rolled those functions into libkrb5; I don't know.

That seems to be what happened.

>
> > [appdefaults]
> > 	# from http://grand.central.org/twiki\
> > 	#  /bin/view/AFSLore/?topic=KerberosAFSInstall
> >         afs_krb5 = {
> >                 DUMMY.ORG = {
> >                         afs = false
> >                         afs/dummy.org = false
> >                 }
> >         }
>
> Why false? Also, why both? afs *or* afs/dummy.org, which matches the

Well, because that's what I found in a "howto" document that was the most 
recent I could find.  It's at 
http://grand.central.org/twiki/bin/view/AFSLore/?topic=KerberosAFSInstall
and it seems to have been written by JasonGarman (05 Feb 2002) and you (26 
Nov 2002), revision 1.14 from 30 Dec 2003 (unless I'm not understanding 
that footer correctly).

In reading it again, I see that "Only one of the two entries should be 
needed for a realm," but it does say false, not true.

> key you installed in KeyFile? The other shouldn't be in your database,

I installed afs/dummy.org@DUMMY.ORG in the KDC database and put that into 
the krb5.keytab, and from there, I presume that asetkey put it into the 
KeyFile.

> and shouldn't be specified here.

I didn't see afs_krb5 documented in the man page for krb5.conf, so I don't 
really understand too well what that statement is trying to do.  
Something about converting v5 tickets to v4?  Do I need to start with a 
v4 ticket (I tried first with just v5, then v4 and v5, all to no avail).

>
> Try true, and try it with only the correct key.

Thanks again for the suggestion.  I did try it, then restarted all the 
Kerberos and AFS processes, but still to no avail.  I still get:

# aklog -d
zeus:/usr/afs/bin # /home/adam/kafs/afs-krb5/src/aklog -d
Authenticating to cell dummy.org (server zeus).
We've deduced that we need to authenticate to realm DUMMY.ORG.
Getting tickets: afs/dummy.org@DUMMY.ORG
About to resolve name adam.admin to id in cell dummy.org.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 /  @ DUMMY.ORG
aklog: unable to obtain tokens for cell dummy.org (status: 11862791).

and
# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: adam/admin@DUMMY.ORG

Valid starting     Expires            Service principal
02/10/04 01:08:02  02/10/04 11:08:02  krbtgt/DUMMY.ORG@DUMMY.ORG
        renew until 02/11/04 01:08:02
02/10/04 01:08:30  02/10/04 11:08:02  afs/dummy.org@DUMMY.ORG
        renew until 02/11/04 01:08:02


Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached

I still have the bosserver running with -noauth.  Is it time to change 
that now that I have an admin user?  Or can I do so if I can't get a 
token?

Thanks again.
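
The status number aklog prints in the output above is a com_err-style code: the upper bits pack the name of an error table and the low 8 bits give the offset of the message inside that table. The following is an added example, not part of the original message and not OpenAFS code; the function names are hypothetical, and the sample line is the one from the post.

```python
import re

ERRCODE_RANGE = 8   # low 8 bits: offset of the message within its table
BITS_PER_CHAR = 6   # each table-name character is packed into 6 bits
CHAR_SET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789_")

def table_name(code):
    """Unpack the error-table name stored above the low 8 bits of code."""
    num = (code >> ERRCODE_RANGE) & 0o77777777   # at most four 6-bit chars
    chars = []
    for i in range(4, -1, -1):
        idx = (num >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if idx:                                  # 0 means "no character here"
            chars.append(CHAR_SET[idx - 1])      # indices are 1-based
    return "".join(chars)

def table_base(name):
    """Inverse of table_name: the base value an error table starts at."""
    base = 0
    for ch in name:
        base = (base << BITS_PER_CHAR) | (CHAR_SET.index(ch) + 1)
    return base << ERRCODE_RANGE

def decode_status(code):
    """Return (table name, offset); an empty name means a plain errno value."""
    if 0 <= code < (1 << ERRCODE_RANGE):
        return "", code
    return table_name(code), code & ((1 << ERRCODE_RANGE) - 1)

def decode_line(line):
    """Pull '(status: N)' out of a tool's error line and decode N."""
    m = re.search(r"\(status:\s*(-?\d+)\)", line)
    if m is None:
        raise ValueError("no status code in line")
    return decode_status(int(m.group(1)))

if __name__ == "__main__":
    # Error line copied from the post above.
    line = ("aklog: unable to obtain tokens for cell dummy.org "
            "(status: 11862791).")
    name, offset = decode_line(line)
    print(f"table={name} base={table_base(name)} offset={offset}")
```

The table name and offset identify which entry of that table's message list to look up in the source tree of the software that raised the error.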