[OpenAFS] Need help decoding kaserver debugging info

Brandon S. Allbery KF8NH allbery@ece.cmu.edu
Wed, 23 May 2007 20:52:47 -0400

On May 23, 2007, at 20:21 , Brian Sebby wrote:

> Wed May 23 18:55:01 2007 <account name>,krbtgt.ANL.GOV:auth from  
> <hex IP>
> I understand that the IP address is given in hex, but could someone  
> explain
> the difference between "afs:gtck", "afs:auth", and  
> "krbtgt.ANL.GOV:auth"?
> The last one almost makes me think that that is getting a ticket  
> from our
> Kerberos 5 realm, but I didn't think that would be logged to the  
> kaserver
> log.

krb5's krbtgt stuff is an extension of krb4's, and kaserver is  
essentially an early version of krb4.  As such, internally it uses  
krbtgt.REALM, and unless you did some very strange things when  
setting up cell anl.gov with kaserver, it created a krb4 realm  
ANL.GOV with a krbtgt.ANL.GOV principal that is used to acquire the  
service ticket for afs.

If the krb5 realm is *also* ANL.GOV then migration might be a bit  
complicated, but I'll have to let the experts address that one.

brandon s. allbery [solaris,freebsd,perl,pugs,haskell] allbery@kf8nh.com
system administrator [openafs,heimdal,too many hats] allbery@ece.cmu.edu
electrical and computer engineering, carnegie mellon university    KF8NH