[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup
scorch
scorch@muse.net.nz
Tue, 09 Aug 2005 01:39:53 +0200
Tracy Di Marco White said the following on 2005-08-05 03:58:
hi Tracy, 0g, thanks for your help. I'm still having problems, although
perhaps things have advanced :-)
>>>-- thanks :-) but I'm stuck after switching out of -noauth, despite
>>>having seemingly correct k5 tickets. My guess is that I need something
>>>like aklog, or my krb configuration, but I am lost for the obvious
>>>
>>>
>If he's using the instructions we wrote, he's likely using heimdal, and so
>kinit will get tokens magically if he has "afslog = yes" in "[appdefaults]"
>in his /etc/krb5.conf. (Sample krb5.conf on page 13, same instructions.)
>I don't see appdefaults in his krb5.conf snippet, so I don't know if he has
>that, but I don't see tokens in his klist, so probably not.
>
I added the "afslog = yes" & now I get:
wavey@scorch:/home/wavey $ klist
Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ
Issued Expires Principal
Aug 9 00:25:51 Aug 9 10:25:51 krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Aug 9 00:25:51 Aug 9 10:25:51 afs/muse.net.nz@MUSE.NET.NZ
which is clearly an improvement, with the AFS tickets. NB "add
-random-key afs/example.com" has to be written as "--random-key", or
"-r", on my heimdal install. Doing a "klist -T" hangs though.
I'm OK up to 'Installing the initial AFS DB server'
* Copy KeyFile created above to /usr/pkg/etc/openafs/server/KeyFile
I've not got a /usr/pkg/etc/openafs/server/KeyFile; I put it in
/usr/afs/etc/KeyFile.
But this isn't enough to restart the BOSS with just my tickets for
authentication:
root@scorch:/usr/afs/bin $ /usr/afs/bin/bosserver -log
root@scorch:/usr/afs/bin $ klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: wavey/afs@MUSE.NET.NZ
Issued Expires Principal
Aug 9 00:34:11 Aug 9 10:34:11 krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Aug 9 00:34:11 Aug 9 10:34:11 afs/muse.net.nz@MUSE.NET.NZ
root@scorch:/usr/afs/bin $ ./pts examine wavey.afs
libprot: AFS kernel pioctl doesn't exist Could not get afs tokens, running unauthenticated.
Name: wavey.afs, id: 1, owner: system:administrators, creator: anonymous,
membership: 1, flags: S----, group quota: unlimited.
root@scorch:/usr/afs/bin $ ./bos restart -server scorch.muse.net.nz
bos: AFS kernel pioctl doesn't exist (getting tickets)
bos: running unauthenticated
bos: failed to restart servers (you are not authorized for this operation)
& yet under -localauth it works. I've got my
/usr/pkg/etc/openafs/server/KeyFile stored in /usr/afs/etc/KeyFile
-- I assume this is the correct place based on info in the Wiki. Do you
have any other suggestions for me?
cheers, dave
--
out of the frying pan and into the fire
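An added diagnostic script, not part of this thread or of OpenAFS: it parses Heimdal klist output of the form shown above, checks for an afs service ticket, and classifies the bos/pts messages to tell the three cases apart (no afs ticket, so afslog/aklog never ran; no AFS kernel module, so tickets cannot be turned into tokens and -localauth is the option on the server; or an authenticated but unprivileged principal). The sample inputs are constructed copies of the output quoted in the mail, and the service principal form afs/<cell>@REALM is an assumption.

```python
import re

# One Heimdal klist ticket line: "<issued> <expires> <service principal>", e.g.
# "Aug  9 00:25:51  Aug  9 10:25:51  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ"
TICKET_RE = re.compile(
    r"^\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(\S+)$"
)
NO_PIOCTL = "AFS kernel pioctl doesn't exist"  # printed when no AFS client is loaded

# Constructed sample input, copied from the output quoted in the mail.
SAMPLE_KLIST = """Credentials cache: FILE:/tmp/krb5cc_0
Principal: wavey/afs@MUSE.NET.NZ

  Issued           Expires          Principal
Aug  9 00:34:11  Aug  9 10:34:11  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Aug  9 00:34:11  Aug  9 10:34:11  afs/muse.net.nz@MUSE.NET.NZ
"""
SAMPLE_BOS = """bos: AFS kernel pioctl doesn't exist (getting tickets)
bos: running unauthenticated
bos: failed to restart servers (you are not authorized for this operation)
"""

def parse_klist(text):
    """Return (client principal, [service principals]) from Heimdal klist output."""
    principal, services = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            principal = line.split(":", 1)[1].strip()
            continue
        m = TICKET_RE.match(line)
        if m:
            services.append(m.group(1))
    return principal, services

def has_afs_ticket(services, cell):
    """afslog/aklog need a ticket for afs/<cell>@REALM (assumed form; older afs@REALM also accepted)."""
    return any(s.startswith(f"afs/{cell}@") or s.startswith("afs@") for s in services)

def diagnose(klist_text, cell, tool_output):
    """Classify why an AFS admin tool ran unauthenticated or was refused."""
    _, services = parse_klist(klist_text)
    if not has_afs_ticket(services, cell):
        return "no-afs-ticket"    # kinit did not run afslog: check [appdefaults] afslog = yes, or run aklog
    if NO_PIOCTL in tool_output:
        return "no-afs-client"    # no kernel module to hold tokens; on the server use -localauth with the KeyFile
    if "not authorized" in tool_output:
        return "not-authorized"   # authenticated, but this principal has no admin rights
    return "ok"

if __name__ == "__main__":
    print(parse_klist(SAMPLE_KLIST))
    print(diagnose(SAMPLE_KLIST, "muse.net.nz", SAMPLE_BOS))  # no-afs-client
```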