[OpenAFS] aklog oddness?

Sean Kelly smkelly@rooster.creighton.edu
Tue, 20 Dec 2005 14:35:07 -0600


On Tue, Dec 20, 2005 at 03:25:19PM -0500, Jeffrey Altman wrote:
> Just a guess but perhaps you have two different versions of aklog on
> your machine and the first one uses krb524 and the second one uses raw
> Kerberos 5?

All I have is a /usr/bin/aklog that came with the OpenAFS RPM
(openafs-krb5-1.4.0-rhel3.1). I'm also using pam_krb5afs from RHEL AS3's
pam_krb5-1.77-1 RPM.

> Perhaps your servers are old enough that they cannot support raw
> Kerberos 5 based tokens?

How would I tell?

[smkelly@<testhost-1> smkelly]$ rpm -qa|egrep 'openafs-server|krb'
krb5-libs-1.2.7-47
krbafs-1.1.1-11
krbafs-utils-1.1.1-11
pam_krb5-1.77-1
krb5-server-1.2.7-47
openafs-krb5-1.4.0-rhel3.1
krb5-workstation-1.2.7-47
openafs-server-1.4.0-rhel3.1
krb5-devel-1.2.7-47

[smkelly@<testhost-1> smkelly]$ klist
Ticket cache: FILE:/tmp/krb5cc_500_lcs36s
Default principal: smkelly@CREIGHTON.EDU

Valid starting     Expires            Service principal
12/20/05 14:27:29  12/21/05 00:27:29  krbtgt/CREIGHTON.EDU@CREIGHTON.EDU
        renew until 12/20/05 14:27:29


Kerberos 4 ticket cache: /tmp/tkt500_biC7u2
Principal: smkelly@CREIGHTON.EDU

  Issued              Expires             Principal
12/20/05 14:27:29  12/21/05 00:27:29  krbtgt.CREIGHTON.EDU@CREIGHTON.EDU
12/20/05 14:27:29  12/21/05 00:27:29  afs@CREIGHTON.EDU

I do notice that the afs ticket is in the krb4 section...


Thanks.

> 
> Sean Kelly wrote:
> > I've installed OpenAFS 1.4.0 on two RHEL AS 3 machines for testing. They
> > both use Kerberos 5, aklog, and all that good stuff. They seem to be
> > working perfectly, except if I do a second `aklog` after logging in and
> > getting my ticket from pam_krb5afs, it breaks:
> > 
> > g4:~ smkelly$ ssh <testhost-1>.creighton.edu
> > smkelly@<testhost-1>.creighton.edu's password: 
> > [smkelly@<testhost-1> smkelly]$ pwd
> > /afs/creighton.edu/users/smkelly
> > [smkelly@<testhost-1> smkelly]$ ls
> > *works*
> > [smkelly@<testhost-1> smkelly]$ aklog -d
> > Authenticating to cell creighton.edu (server <testhost-1>.creighton.edu).
> > We've deduced that we need to authenticate to realm CREIGHTON.EDU.
> > Getting tickets: afs/creighton.edu@CREIGHTON.EDU
> > Principal not found, trying alternate service name: afs/@CREIGHTON.EDU
> > About to resolve name smkelly to id in cell creighton.edu.
> > Id 500
> > Set username to AFS ID 500
> > Setting tokens. AFS ID 500 /  @ CREIGHTON.EDU 
> > [smkelly@<testhost-1> smkelly]$ ls
> > ls: .: Permission denied
> > [smkelly@<testhost-1> /]$ bos listhosts <testhost-1>
> > bos: failed to get cell name (ticket contained unknown key version number)
> > 
> > 
> > Any idea what the problem could be? Why does running aklog a second time
> > break me? Even with a -force it is broken.
> > 
> > Thanks.
> > 



-- 
Sean M. Kelly
Unix Systems Architect
Division of Information Technology
Creighton University
(402) 280-2264
AIM: smkellyg5
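As an added example (not from this thread or from OpenAFS), a small Python parser for the two-section `klist` output quoted in the message above; it reports which cache section holds the AFS service ticket, which is the observation about the krb4 section made in the reply. The sample input is a constructed copy of the quoted output, and the classification labels are this example's own.

```python
import re

# Constructed sample: the two-section klist output quoted in this message.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_500_lcs36s
Default principal: smkelly@CREIGHTON.EDU

Valid starting     Expires            Service principal
12/20/05 14:27:29  12/21/05 00:27:29  krbtgt/CREIGHTON.EDU@CREIGHTON.EDU
        renew until 12/20/05 14:27:29

Kerberos 4 ticket cache: /tmp/tkt500_biC7u2
Principal: smkelly@CREIGHTON.EDU

  Issued              Expires             Principal
12/20/05 14:27:29  12/21/05 00:27:29  krbtgt.CREIGHTON.EDU@CREIGHTON.EDU
12/20/05 14:27:29  12/21/05 00:27:29  afs@CREIGHTON.EDU
"""

# A ticket line: start, expiry, principal.  Header and "renew until" lines do not match.
TICKET_RE = re.compile(r"^(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+"
                       r"(\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s+(\S+)$")

def parse_klist(text):
    """Return the service principals listed under each cache section of klist output."""
    caches = {"krb5": [], "krb4": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Ticket cache:"):
            section = "krb5"
        elif line.startswith("Kerberos 4 ticket cache:"):
            section = "krb4"
        elif section is not None:
            m = TICKET_RE.match(line)
            if m:
                caches[section].append(m.group(3))
    return caches

def afs_ticket_source(text):
    """Classify the AFS ticket location: 'krb5-only', 'krb4-only', 'both' or 'none' (labels are
    this example's own).  K5 names it afs/<cell>@REALM or afs@REALM; K4 uses afs.<cell> or afs@."""
    caches = parse_klist(text)
    in_k5 = any(p.startswith(("afs/", "afs@")) for p in caches["krb5"])
    in_k4 = any(p.startswith(("afs.", "afs@")) for p in caches["krb4"])
    if in_k5 and in_k4:
        return "both"
    if in_k5:
        return "krb5-only"
    return "krb4-only" if in_k4 else "none"
```

Run against the quoted output it returns "krb4-only", matching the reply's remark that the afs ticket sits only in the Kerberos 4 section.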