[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup
zeroguy
zeroguy@verizon.net
Thu, 04 Aug 2005 18:13:44 -0400
On Thu, 04 Aug 2005 07:40:35 +0200
scorch <scorch@muse.net.nz> wrote:
[...]
> -- thanks :-) but I'm stuck after switching out of -noauth, despite
> having seeming correct k5 tickets. My guess is that I need something
> like aklog, or my krb configuration but I am lost for the obvious answer.
You need to run aklog. There's not a whole lot else you need to know
(it just grants you your afs token from your krb tickets). Just 'aklog',
no arguments, immediately after you run a successful kinit. Unless I'm
missing something and there's something special about your setup, that
is all you are missing.
-zeroguy
> After page 33, I switch after running in -noauth to 'restart BOS server
> with authentication'. I always receive the following error:
> wavey@mercury:/usr/afs/bin $ ./bos shutdown mercury.muse.net.nz -noauth
> bos: failed to shutdown servers (you are not authorized for this operation)
> despite all my best kinit efforts. I'm sure I am missing something
> obvious but I can't find info in the logs. Any suggestions on how to
> proceed?
>
> overview
> ===========================================================
> 3dogs.muse.net.nz the KDC
> mercury.muse.net.nz slave KDC, afs file, db, backup, volserver etc.
> OS is OpenBSD 3.7 release, OpenAFS 1.3.86 compiled fine with
> ./configure --enable-transarc-paths --enable-fast-restart
> --enable-bitmap-later --quiet --enable-debug --enable-supergroups
>
> KerberosV works OK for encrypted telnet, and my wavey/afs credentials
> are available - but maybe not in the right form...
>
> $ kinit wavey/afs
> wavey/afs@MUSE.NET.NZ's Password:
> kinit: NOTICE: ticket renewable lifetime is 1 week
>
> $ klist -Tv
> Credentials cache: FILE:/tmp/krb5cc_1000
> Principal: wavey/afs@MUSE.NET.NZ
> Cache version: 4
>
> Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
> Ticket etype: des3-cbc-sha1, kvno 1
> Auth time: Aug 3 02:49:05 2005
> End time: Aug 3 04:29:05 2005
> Renew till: Aug 10 02:49:05 2005
> Ticket flags: renewable, initial
> Addresses: IPv4:10.0.0.9, IPv4:10.0.0.20
>
> krb5.conf
> ===========================================================
> [libdefaults]
> default_realm = MUSE.NET.NZ
> ticket_lifetime = 6000
> clockskew = 300
> [realms]
> MUSE.NET.NZ = {
> supported_keytypes = des:normal des-cbc-crc:v4 des-cbc-crc:afs3
> kdc = 3dogs.muse.net.nz
> admin_server = 3dogs.muse.net.nz
> }
> [domain_realm]
> .muse.net.nz = MUSE.NET.NZ
> [kadmin]
> default_keys = v5 afs3
> afs-cell = muse.net.nz
> [logging]
> kadmind = FILE:/var/heimdal/kadmind.log
> [kdc]
> require-preauth = no
> afs-cell = muse.net.nz
> v4-realm = MUSE.NET.NZ
>
>
> PTS info
> ===========================================================
> ./pts interactive -noauth
> pts> examine wavey
> libprot: no such entry Could not get afs tokens, running
> unauthenticated.
> Name: wavey, id: 2, owner: system:administrators, creator: anonymous,
> membership: 1, flags: S----, group quota: unlimited.
> pts> listentries
> libprot: no such entry Could not get afs tokens, running
> unauthenticated.
> Name ID Owner Creator
> anonymous 32766 -204 -204
> admin 1 -204 32766
> wavey 2 -204 32766
> wavey.afs 3 -204 32766
> pts> membership wavey
> libprot: no such entry Could not get afs tokens, running
> unauthenticated.
> Groups wavey (id: 2) is a member of:
> system:administrators
> pts> membership wavey.afs
> libprot: no such entry Could not get afs tokens, running
> unauthenticated.
> Groups wavey.afs (id: 3) is a member of:
> system:administrators
> pts>
>
> cheers, scorch
> --
> out of the frying pan and into the fire
>
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
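An added example, not code from this thread: a small shell check that inspects `klist -v` output for the afs service ticket that aklog should have obtained, so a missing token is caught before any bos/pts/vos command is tried with authentication. It assumes the cell's service principal is `afs/muse.net.nz@MUSE.NET.NZ` (or the older `afs@REALM` form), and the samples below are constructed from the klist output quoted above.

```shell
#!/bin/sh
# Constructed sample: the cache as quoted in the thread, right after kinit.
# Only the krbtgt is present, which is why bos reports "not authorized".
KLIST_BEFORE_AKLOG='Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ
Cache version: 4

Server: krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Ticket etype: des3-cbc-sha1, kvno 1
Ticket flags: renewable, initial'

# Constructed sample: the same cache after a successful aklog (assumed
# service principal afs/muse.net.nz@MUSE.NET.NZ).
KLIST_AFTER_AKLOG="$KLIST_BEFORE_AKLOG

Server: afs/muse.net.nz@MUSE.NET.NZ
Ticket etype: des-cbc-crc, kvno 1
Ticket flags: "

# has_afs_ticket CELL KLIST_TEXT
# Returns 0 when a "Server:" line names afs/CELL@REALM or afs@REALM,
# 1 otherwise. Realm is ignored so the check works for any realm name.
has_afs_ticket() {
    printf '%s\n' "$2" | awk -v cell="$1" '
        /^Server: / {
            svc = $2; sub(/@.*/, "", svc)          # drop @REALM
            if (svc == "afs" || svc == "afs/" cell) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# check_afs_auth CELL KLIST_TEXT: prints a verdict; exit status as above.
check_afs_auth() {
    if has_afs_ticket "$1" "$2"; then
        echo "ok: afs service ticket for $1 present; bos/pts/vos can authenticate"
    else
        echo "missing: no afs ticket for $1 in cache; run aklog after kinit"
        return 1
    fi
}

# Stand-alone demonstration on the two constructed caches. On a real
# host you would feed it: check_afs_auth muse.net.nz "$(klist -v)"
check_afs_auth muse.net.nz "$KLIST_BEFORE_AKLOG" || :
check_afs_auth muse.net.nz "$KLIST_AFTER_AKLOG" || :
```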