[OpenAFS] afs migration to Kerberos 5 Help
Jeffrey Hutzelman
jhutz@cmu.edu
Fri, 18 Jun 2004 12:09:45 -0400
On Thursday, June 17, 2004 22:19:42 -0400 Steve Devine <sdevine@msu.edu>
wrote:
> All,
>
> I am trying to set up a test afs cell and migrate it to Kerb 5.
> The cell works as expected and the kdc works fine as well. I can kinit and
> klist tickets etc. I converted an afs principal to the kdc and now I can
> kinit using the original afs password .. so far so good.
>
> When I run aklog -d this is what I get
>###################
>
> Authenticating to cell kerb5.cl.msu.edu (server open-afsdb2.cl.msu.edu).
> We've deduced that we need to authenticate to realm KERB5.CL.MSU.EDU.
> Getting tickets: afs/kerb5.cl.msu.edu@KERB5.CL.MSU.EDU
> About to resolve name XXXX-email-protested-XXX to id in cell
> kerb5.cl.msu.edu. Id 4
> Set username to AFS ID 4
> Setting tokens. AFS ID 4 / @ KERB5.CL.MSU.EDU
> aklog: unable to obtain tokens for cell kerb5.cl.msu.edu (status:
> 11862791).
>################################
>
> Here's a question. In the README for afs-krb5 it says
> 1) Create an AFS principal in the Kerberos database. Call it:
> afs@YOUR.CELL.NAME
>
> Yet in the debug for aklog -d it seems to be calling for
> afs/kerb5.cl.msu.edu@KERB5.CL.MSU.EDU
>
> So which one do I need?

Either will work -- any modern aklog will try both principal names; it will
try afs/krb5.cl.msu.edu@KERB5.CL.MSU.EDU and then afs@KERB5.CL.MSU.EDU. If
your kdb only contains the latter, then you will see messages in the kdc
logs about the unknown principal.

The debugging output you included indicates that aklog is successfully
obtaining an AFS service ticket and looking up the user's PTS ID. However,
it is failing to store the tokens with this error:

    11862791 KTC.7 KTC_NOCM
    Cache Manager is not initialized / afsd is not running

You must have a running AFS client before aklog will work.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA
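
Added example, not part of the original message or of OpenAFS: a small decoder showing how the status 11862791 printed by aklog maps to KTC.7. It assumes the standard com_err layout (low 8 bits are the offset, the upper bits pack the table name in 6-bit characters); the function names and the one-entry message table are hypothetical and hold only what the reply above quotes.

```python
# Added example (not from the original message): split an AFS/com_err status
# code into its error-table name and offset, e.g. 11862791 -> KTC.7.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8      # low 8 bits: message offset inside the table
BITS_PER_CHAR = 6      # table name packed as 1-based 6-bit indexes into CHARSET

# Constructed lookup holding only the entry quoted in the reply above.
KNOWN_MESSAGES = {
    ("KTC", 7): ("KTC_NOCM",
                 "Cache Manager is not initialized / afsd is not running"),
}

def table_base(name):
    """Pack a table name (1-4 chars) into the base code of its table."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table name must be 1-4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) + CHARSET.index(ch) + 1
    return packed << ERRCODE_RANGE

def decode_status(code):
    """Return (table_name, offset); table_name is None when no table is encoded."""
    if code < 0 or code >> ERRCODE_RANGE == 0:
        return None, code          # negative or plain small code: no table part
    packed = (code >> ERRCODE_RANGE) & 0xFFFFFF
    name = ""
    for shift in range(3, -1, -1):             # most significant character first
        idx = (packed >> (BITS_PER_CHAR * shift)) & 0x3F
        if idx:                                # 0 means "no character here"
            name += CHARSET[idx - 1]
    return name, code & 0xFF

def describe(code):
    """Format a status the way the reply shows it: code, TABLE.offset, symbol."""
    table, offset = decode_status(code)
    if table is None:
        return f"{code} (no error table encoded)"
    label = f"{code} {table}.{offset}"
    if (table, offset) in KNOWN_MESSAGES:
        symbol, text = KNOWN_MESSAGES[(table, offset)]
        label += f" {symbol}: {text}"
    return label

if __name__ == "__main__":
    print(describe(11862791))   # status printed by aklog -d in the thread
```
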