[OpenAFS] [1.3.86] heimdal/krb5 auth for BOS requests fails during initial cell setup

Tracy Di Marco White gendalia@gmail.com
Mon, 8 Aug 2005 18:56:37 -0500


On 8/8/05, scorch <scorch@muse.net.nz> wrote:
> Tracy Di Marco White said the following on 2005-08-05 03:58:

> >If he's using the instructions we wrote, he's likely using heimdal, and so
> >kinit will get tokens magically if he has "afslog = yes" in "[appdefaults]"
> >in his /etc/krb5.conf.  (Sample krb5.conf on page 13, same instructions.)
> >I don't see appdefaults in his krb5.conf snippet, so I don't know if he has
> >that, but I don't see tokens in his klist, so probably not.
> >
>
> I added the /afslog=yes/ & now I get:
>
>         wavey@scorch:/home/wavey $ klist
>         Credentials cache: FILE:/tmp/krb5cc_1000
>         Principal: wavey/afs@MUSE.NET.NZ
>
>         Issued           Expires          Principal
>         Aug  9 00:25:51  Aug  9 10:25:51  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
>         Aug  9 00:25:51  Aug  9 10:25:51  afs/muse.net.nz@MUSE.NET.NZ
>
> which is clearly an improvement with the AFS tickets. NB /add
> -random-key afs/example.com /has to be written as /--random-key /, or/
> -r /on my heimdal install. doing a klist -T  hangs though.

You should probably ktrace it and see why it hangs.  It's likely all
the rest of your problems will go away once that's fixed.  Do you have
a CellServDB wherever it is you compiled it to go?

> I'm OK up to 'Installing the initial AFS DB server'
>
>     * Copy KeyFile created above to /usr/pkg/etc/openafs/server/KeyFile
>
> I've not got a //usr/pkg/etc/openafs/server/KeyFile/, I put it in
> //usr/afs/etc/KeyFile
>
> /But this isn't enough to restart the BOSS with just my tickets for
> authentication:
>
> root@scorch:/usr/afs/bin $ /usr/afs/bin/bosserver -log
> root@scorch:/usr/afs/bin $ klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: wavey/afs@MUSE.NET.NZ
>
>   Issued           Expires          Principal
> Aug  9 00:34:11  Aug  9 10:34:11  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
> Aug  9 00:34:11  Aug  9 10:34:11  afs/muse.net.nz@MUSE.NET.NZ
>
> root@scorch:/usr/afs/bin $ ./pts examine wavey.afs
> libprot: AFS kernel pioctl doesn't exist Could not get afs tokens, running unauthenticated.
> Name: wavey.afs, id: 1, owner: system:administrators, creator: anonymous,
>   membership: 1, flags: S----, group quota: unlimited.
>
> root@scorch:/usr/afs/bin $ ./bos restart -server scorch.muse.net.nz
> bos: AFS kernel pioctl doesn't exist (getting tickets)
> bos: running unauthenticated
> bos: failed to restart servers (you are not authorized for this operation)
>
>
> & yet under/ -localauth/ it works. I've got my
> //usr/pkg/etc/openafs/server/KeyFile/ stored in //usr/afs/etc/KeyFile/
> -- I assume this is the correct place based on info in the Wiki. Do you
> have any other suggestions for me?

-localauth working means you put your KeyFile in the right place.

-Tracy
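To pin down which link in the chain discussed in this thread is broken (the afslog entry in krb5.conf, the afs/CELL service ticket, or the token the AFS kernel module holds), here is an added diagnostic script; it is not code from the thread, OpenAFS or Heimdal. The sample inputs are constructed from the output quoted above, and the `tokens for afs@CELL` line format of the `tokens` command is an assumption.

```shell
#!/bin/sh
# Added diagnostic helper for the thread above; not code from OpenAFS,
# Heimdal or either poster. Sample inputs are constructed to mirror the
# output quoted in the thread.

# krb5.conf fragment (constructed) with the [appdefaults] entry Tracy describes.
SAMPLE_KRB5CONF='[libdefaults]
	default_realm = MUSE.NET.NZ
[appdefaults]
	afslog = yes'

# klist output (constructed) after afslog took effect: afs/ ticket present.
SAMPLE_KLIST='Credentials cache: FILE:/tmp/krb5cc_1000
Principal: wavey/afs@MUSE.NET.NZ

  Issued           Expires          Principal
Aug  9 00:25:51  Aug  9 10:25:51  krbtgt/MUSE.NET.NZ@MUSE.NET.NZ
Aug  9 00:25:51  Aug  9 10:25:51  afs/muse.net.nz@MUSE.NET.NZ'

# tokens output (constructed): no token held, the state behind "pioctl doesn't exist".
SAMPLE_TOKENS_NONE='Tokens held by the Cache Manager:

   --End of list--'

# krb5conf_has_afslog CONF: succeeds if "afslog = yes" sits under [appdefaults].
krb5conf_has_afslog() {
  printf '%s\n' "$1" | awk '
    /^[[:space:]]*\[/ { insect = ($0 ~ /^[[:space:]]*\[appdefaults\]/); next }
    insect && /^[[:space:]]*afslog[[:space:]]*=[[:space:]]*(yes|true)[[:space:]]*$/ { found = 1 }
    END { exit !found }'
}

# has_afs_ticket CELL KLIST_OUTPUT: succeeds if an afs/CELL service ticket is listed.
has_afs_ticket() {
  printf '%s\n' "$2" | grep -q "[[:space:]]afs/$1@"
}

# has_afs_token CELL TOKENS_OUTPUT: succeeds if the cache manager holds a token for CELL
# (assumes the "tokens for afs@CELL" line printed by the tokens command).
has_afs_token() {
  printf '%s\n' "$2" | grep -q "tokens for afs@$1"
}

# diagnose CELL CONF KLIST TOKENS: names the first broken link in the chain from the thread.
diagnose() {
  krb5conf_has_afslog "$2"   || { echo no-afslog; return; }  # kinit will never run afslog
  has_afs_ticket "$1" "$3"   || { echo no-ticket; return; }  # no afs/CELL service ticket obtained
  has_afs_token "$1" "$4"    || { echo no-token;  return; }  # ticket but no token: AFS kernel module absent, bos needs -localauth
  echo ok
}
```

Run as `diagnose muse.net.nz "$SAMPLE_KRB5CONF" "$SAMPLE_KLIST" "$(tokens)"` on a live host; the sample data above reproduces the "no-token" state seen in the thread.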