[OpenAFS] openafs and dce cell
Derek T. Yarnell
derek@umiacs.umd.edu
Tue, 08 Nov 2005 12:04:06 -0500
Ken Hornstein wrote:
>> So we are moving out of DCE/DFS and I need to be able to run them side
>> by side for a bit. Obviously I can't run krb542d on the DCE cell. But
>> I can get a krb5 ticket out and that works fine, I thought there was now
>> support for converting krb5 tickets into tokens without the need of a
>> 524d? Or am I stuck with gssklog until I convert over to a MIT KDC with
>> the 524d?
>>
>
> If you have a new enough vintage of OpenAFS (I think 1.2.13) it can
> take a raw v5 ticket in an AFS token just fine. You need a new enough
> aklog (like the one that comes with OpenAFS 1.4). But you can run
> krb524d in a DCE cell, assuming you can extract the AFS service key
> into a keytab.
>
> --Ken
>
>
Ken, I have followed your directions as usual and gave the afs key the
principal "afs", although I did make an afs/umiacs.umd.edu principal as
well. There doesn't seem to be a switch for just trying krb5 in aklog,
or is that choice made for you?
[root@oberon afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek@umiacs.umd.edu
Valid starting Expires Service principal
11/08/05 11:56:42 11/09/05 11:56:42 krbtgt/umiacs.umd.edu@umiacs.umd.edu
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@oberon afs]# tokens
Tokens held by the Cache Manager:
--End of list--
[root@oberon afs]# aklog
aklog: Couldn't get umiacs.umd.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets
[root@oberon afs]# rpm -qf /usr/bin/aklog
openafs-krb5-1.4.0-rhel4.1
[root@oberon afs]# aklog -d
Authenticating to cell umiacs.umd.edu (server oberon.umiacs.umd.edu).
We've deduced that we need to authenticate to realm umiacs.umd.edu.
Getting tickets: afs/umiacs.umd.edu@umiacs.umd.edu
Kerberos error code returned by get_cred: -1765328228
aklog: Couldn't get umiacs.umd.edu AFS tickets:
aklog: unknown RPC error (-1765328228) while getting AFS tickets
[root@oberon afs]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: derek@umiacs.umd.edu
Valid starting Expires Service principal
11/08/05 11:56:42 11/09/05 11:56:42 krbtgt/umiacs.umd.edu@umiacs.umd.edu
11/08/05 11:56:49 11/09/05 11:56:42 afs/umiacs.umd.edu@umiacs.umd.edu
Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
[root@oberon afs]# ps axuww | grep afs
root 29998 0.0 0.2 5552 3052 ? Ss Nov07 0:00 /usr/afs/bin/bosserver
root 29999 0.0 0.3 5912 3796 ? S Nov07 0:00 /usr/afs/bin/buserver
root 30000 0.0 0.4 7492 4556 ? S Nov07 0:00 /usr/afs/bin/ptserver
root 30001 0.0 0.5 8572 5980 ? S Nov07 0:00 /usr/afs/bin/vlserver
root 30003 0.0 0.1 3768 1352 ? S Nov07 0:00 /usr/afs/bin/upserver -crypt /usr/afs/etc
root 30007 0.0 0.6 193328 6704 ? S<l Nov07 0:00 /usr/afs/bin/fileserver
root 30008 0.0 0.1 137992 1652 ? Sl Nov07 0:00 /usr/afs/bin/volserver
root 30132 0.0 0.0 0 0 ? S Nov07 0:00 [afs_rxlistener]
root 30134 0.0 0.0 0 0 ? S Nov07 0:00 [afs_callback]
root 30136 0.0 0.0 0 0 ? S Nov07 0:00 [afs_rxevent]
root 30139 0.0 0.0 0 0 ? S Nov07 0:00 [afsd]
root 30141 0.0 0.0 0 0 ? S Nov07 0:00 [afs_checkserver]
root 30143 0.0 0.0 0 0 ? S Nov07 0:00 [afs_background]
root 30145 0.0 0.0 0 0 ? S Nov07 0:00 [afs_background]
root 30147 0.0 0.0 0 0 ? S Nov07 0:00 [afs_cachetrim]
root 26000 0.0 0.0 4480 652 pts/2 S+ 12:03 0:00 grep afs
--
---
Derek T. Yarnell
University of Maryland
Institute for Advanced Computer Studies
derek@umiacs.umd.edu
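
[Added example, not part of the original message or of OpenAFS.] The number aklog prints as "unknown RPC error (-1765328228)" is a com_err code: a packed error-table name in the upper 24 bits plus an offset in the low 8 bits. The sketch below decodes it; the helper names are made up for illustration, and the offset-to-name table is a small subset taken from MIT krb5's krb5_err.et.

```python
import re

# Characters com_err uses to pack a table name, 6 bits each (index + 1).
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

# Subset of MIT krb5's krb5_err.et, keyed by offset inside the "krb5" table.
KRB5_NAMES = {
    141: "KRB5_CC_NOTFOUND",
    154: "KRB5_REALM_UNKNOWN",
    156: "KRB5_KDC_UNREACH",
}

def table_base(name):
    """Signed 32-bit base code of the com_err table with this name."""
    packed = 0
    for ch in name:
        packed = (packed << 6) | (CHARSET.index(ch) + 1)
    base = (packed << 8) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base

def decode(code):
    """Split a com_err code into (table name, offset within the table)."""
    u = code & 0xFFFFFFFF            # view the signed value as unsigned
    offset, packed = u & 0xFF, u >> 8
    name = ""
    for shift in (18, 12, 6, 0):     # up to four 6-bit characters
        idx = (packed >> shift) & 0x3F
        if idx:
            name += CHARSET[idx - 1]
    return name, offset

def explain(line):
    """Annotate every large integer found in a log line."""
    out = []
    for m in re.findall(r"-?\d{6,}", line):
        table, off = decode(int(m))
        sym = KRB5_NAMES.get(off, "?") if table == "krb5" else "?"
        out.append(f"{m} = table {table!r} + {off} ({sym})")
    return out

# The two lines below are copied from the aklog output in the message above.
SAMPLE = [
    "aklog: unknown RPC error (-1765328228) while getting AFS tickets",
    "Kerberos error code returned by get_cred: -1765328228",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(line, "->", explain(line))
```
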