[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup

scorch scorch@muse.net.nz
Tue, 09 Aug 2005 01:39:53 +0200


Tracy Di Marco White said the following on 2005-08-05 03:58:

hi Tracy, 0g, thanks for your help. I'm still having problems although 
perhaps things have advanced :-)

>>>-- thanks :-) but I'm stuck after switching out of -noauth, despite
>>>having seeming correct k5 tickets. My guess is that I need something
>>>like aklog, or my krb configuration but I am lost for the obvious
>>>      
>>>
>If he's using the instructions we wrote, he's likely using heimdal, and so
>kinit will get tokens magically if he has "afslog = yes" in "[appdefaults]"
>in his /etc/krb5.conf.  (Sample krb5.conf on page 13, same instructions.)
>I don't see appdefaults in his krb5.conf snippet, so I don't know if he has
>that, but I don't see tokens in his klist, so probably not.
>

I added the "afslog = yes" & now I get:

    wavey@scorch:/home/wavey $ klist
    Credentials cache: FILE:/tmp/krb5cc_1000
    Principal: wavey/afs@MUSE.NET.NZ

    Issued           Expires          Principal
    Aug  9 00:25:51  Aug  9 10:25:51  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
    Aug  9 00:25:51  Aug  9 10:25:51  afs/muse.net.nz@MUSE.NET.NZ

which is clearly an improvement with the AFS tickets. NB "add 
-random-key afs/example.com" has to be written as "--random-key", or 
"-r", on my heimdal install. Doing a klist -T hangs though.

I'm OK up to 'Installing the initial AFS DB server'

    * Copy KeyFile created above to /usr/pkg/etc/openafs/server/KeyFile

I've not got a /usr/pkg/etc/openafs/server/KeyFile; I put it in 
/usr/afs/etc/KeyFile.

But this isn't enough to restart the BOSS with just my tickets for 
authentication:

    root@scorch:/usr/afs/bin $ /usr/afs/bin/bosserver -log
    root@scorch:/usr/afs/bin $ klist
    Credentials cache: FILE:/tmp/krb5cc_0
    Principal: wavey/afs@MUSE.NET.NZ

    Issued           Expires          Principal
    Aug  9 00:34:11  Aug  9 10:34:11  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
    Aug  9 00:34:11  Aug  9 10:34:11  afs/muse.net.nz@MUSE.NET.NZ

    root@scorch:/usr/afs/bin $ ./pts examine wavey.afs
    libprot: AFS kernel pioctl doesn't exist Could not get afs tokens, running unauthenticated.
    Name: wavey.afs, id: 1, owner: system:administrators, creator: anonymous,
      membership: 1, flags: S----, group quota: unlimited.

    root@scorch:/usr/afs/bin $ ./bos restart -server scorch.muse.net.nz
    bos: AFS kernel pioctl doesn't exist (getting tickets)
    bos: running unauthenticated
    bos: failed to restart servers (you are not authorized for this operation)


& yet under -localauth it works. I've got my 
/usr/pkg/etc/openafs/server/KeyFile stored in /usr/afs/etc/KeyFile 
-- I assume this is the correct place based on info in the Wiki. Do you 
have any other suggestions for me?

cheers, dave
--
out of the frying pan and into the fire
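Added example, not part of the original post or of OpenAFS: a small diagnostic that separates the two things the output above conflates. The klist shows a Kerberos service ticket for afs/muse.net.nz, but bos and pts read AFS tokens through the AFS client's kernel interface (pioctl), and "AFS kernel pioctl doesn't exist" means no such interface is available on the machine, so the tools fall back to running unauthenticated regardless of what is in the Kerberos cache. The script parses Heimdal klist output, checks for the afs service ticket, classifies the tool's error lines, and reports both findings. The sample klist and bos text are constructed copies of the output quoted in the post; the function names and the three classification labels are my own.

```python
import re

# Constructed sample input: the klist and bos output quoted in the post.
SAMPLE_KLIST = """Credentials cache: FILE:/tmp/krb5cc_0
Principal: wavey/afs@MUSE.NET.NZ

  Issued           Expires          Principal
Aug  9 00:34:11  Aug  9 10:34:11  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Aug  9 00:34:11  Aug  9 10:34:11  afs/muse.net.nz@MUSE.NET.NZ
"""

SAMPLE_BOS = """bos: AFS kernel pioctl doesn't exist (getting tickets)
bos: running unauthenticated
bos: failed to restart servers (you are not authorized for this operation)
"""

# One Heimdal klist ticket line: two "Mon dd HH:MM:SS" stamps, then the service principal.
_TICKET_LINE = re.compile(
    r"^\s*([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"([A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+@\S+)\s*$"
)

# Messages the AFS tools print when they cannot obtain a token (text from the post).
NO_PIOCTL = "AFS kernel pioctl doesn't exist"
UNAUTHENTICATED = "running unauthenticated"


def parse_klist(text):
    """Return (client principal, list of service principals) from Heimdal klist output."""
    principal = None
    tickets = []
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Principal:"):
            principal = stripped.split(":", 1)[1].strip()
            continue
        m = _TICKET_LINE.match(line)
        if m:
            tickets.append(m.group(3))
    return principal, tickets


def has_afs_service_ticket(tickets, cell):
    """True if the cache holds a ticket for the cell's AFS service.

    Accepts both principal forms an AFS cell may use: afs/<cell>@REALM and the
    older afs@REALM (the realm-to-cell mapping is not checked here).
    """
    for ticket in tickets:
        service, _, _realm = ticket.partition("@")
        if service == "afs/" + cell.lower() or service == "afs":
            return True
    return False


def classify_tool_output(text):
    """Classify why a bos/pts run was not authenticated.

    'no-afs-client'   - pioctl unavailable: no AFS client on this host, so there
                        is no token cache for the tool to read
    'unauthenticated' - the tool found no usable token but pioctl worked
    'authenticated'   - neither message appeared
    """
    if NO_PIOCTL in text:
        return "no-afs-client"
    if UNAUTHENTICATED in text:
        return "unauthenticated"
    return "authenticated"


def diagnose(klist_text, tool_text, cell):
    """Combine the Kerberos view and the AFS-tool view into a list of findings."""
    principal, tickets = parse_klist(klist_text)
    findings = []
    if principal is None:
        findings.append("no Kerberos credentials cache found")
    elif has_afs_service_ticket(tickets, cell):
        findings.append("Kerberos ticket for afs/%s is present" % cell)
    else:
        findings.append("no Kerberos ticket for afs/%s (kinit/afslog needed)" % cell)

    state = classify_tool_output(tool_text)
    if state == "no-afs-client":
        findings.append(
            "AFS client not available: the Kerberos ticket cannot be presented as an "
            "AFS token, so bos/pts run unauthenticated; on the server itself only "
            "-localauth (KeyFile) authenticates until the AFS client is running")
    elif state == "unauthenticated":
        findings.append("AFS client present but no token; run afslog/aklog")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_KLIST, SAMPLE_BOS, "muse.net.nz"):
        print("- " + finding)
```

Run as-is it reports the post's situation: the afs/muse.net.nz ticket is there, and the "no-afs-client" finding explains why -localauth works while the ticket alone does not.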