[OpenAFS] OpenAFS 1.4.5 on OSX 10.5

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 05 Nov 2007 19:31:46 -0500


Keith Johnston wrote:
> I have added the domain realm to my edu.mit.Kerberos file but still get
> the error message and I see that it is using a ID number that is not my
> UID. But it is still getting me tokens.
> 
> kjoh001$ aklog -d
> Authenticating to cell ec.auckland.ac.nz (server
> afs-db1.ec.auckland.ac.nz).
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/ec.auckland.ac.nz@

This indicates that there is no domain_realm mapping specified for
.ec.auckland.ac.nz in the krb5 configuration file.  As a result, the
Kerberos v5 library provided a referrals principal name (one without a
realm).  As a result it cannot determine that your Kerberos v5 principal
name should have the realm removed before querying the Protection service.

> Using Kerberos V5 ticket natively
> About to resolve name kjoh001@EC.AUCKLAND.AC.NZ to id in cell
> ec.auckland.ac.nz.
> Id 32766

As a result, it gets the anonymous ID number because the name
kjoh001@EC.AUCKLAND.AC.NZ does not exist in the database.

> doing first-time registration of kjoh001@ec.auckland.ac.nz at
> ec.auckland.ac.nz
> aklog: Permission denied so unable to create remote PTS user

aklog therefore tries to create a PTS entry and fails.

> kjoh001@ec.auckland.ac.nz in cell ec.auckland.ac.nz (status: 267269).

You can disable the pts registration by using the -noprdb flag.

Jeffrey Altman
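To make the diagnosis above concrete, here is an added example (not part of the original message or of OpenAFS) that parses the [domain_realm] section of a krb5.conf / edu.mit.Kerberos file and approximates the lookup libkrb5 performs for a host: exact hostname first, then each parent domain with a leading dot. With no mapping for .ec.auckland.ac.nz the lookup returns nothing, which is why aklog ends up requesting the referrals principal "afs/ec.auckland.ac.nz@" with an empty realm. The two configuration texts, the cell name and the hostnames are constructed for illustration; the lookup order is an approximation of the library's behaviour, not its code.

```python
"""Emulate the krb5 [domain_realm] lookup that aklog depends on.

Added example, not taken from the original message. The configuration
texts below are constructed; the cell name mirrors the one in the thread.
"""
import re
from typing import Dict, Optional

# Constructed: a config carrying the mapping the reply recommends ...
CONFIG_WITH_MAPPING = """
[libdefaults]
    default_realm = EC.AUCKLAND.AC.NZ

[domain_realm]
    .ec.auckland.ac.nz = EC.AUCKLAND.AC.NZ
    ec.auckland.ac.nz = EC.AUCKLAND.AC.NZ
"""

# ... and one without it, which reproduces the referrals symptom.
CONFIG_WITHOUT_MAPPING = """
[libdefaults]
    default_realm = EC.AUCKLAND.AC.NZ
"""


def parse_domain_realm(text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [domain_realm] section, keys lowercased."""
    mapping: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r'\[(\w+)\]', line)
        if header:
            section = header.group(1).lower()
            continue
        if section == 'domain_realm' and '=' in line:
            key, value = (part.strip() for part in line.split('=', 1))
            mapping[key.lower()] = value
    return mapping


def realm_for_host(mapping: Dict[str, str], host: str) -> Optional[str]:
    """Approximate libkrb5's host-to-realm lookup.

    Exact hostname first, then each parent domain with a leading dot
    (".ec.auckland.ac.nz", ".auckland.ac.nz", ...). None means no mapping,
    the case in which the library hands back a referral (empty realm).
    """
    host = host.lower().rstrip('.')
    if host in mapping:
        return mapping[host]
    labels = host.split('.')
    for i in range(1, len(labels)):
        candidate = '.' + '.'.join(labels[i:])
        if candidate in mapping:
            return mapping[candidate]
    return None


def afs_service_principal(mapping: Dict[str, str], cell: str) -> str:
    """Service principal aklog requests: afs/<cell>@<REALM>, or afs/<cell>@ on a referral."""
    realm = realm_for_host(mapping, cell) or ''
    return f'afs/{cell}@{realm}'


def check_config(text: str, cell: str) -> dict:
    """Summarise whether a config maps the cell and what aklog would ask for."""
    mapping = parse_domain_realm(text)
    realm = realm_for_host(mapping, cell)
    return {
        'principal': afs_service_principal(mapping, cell),
        'mapped': realm is not None,
        'advice': None if realm else f'add ".{cell} = <REALM>" under [domain_realm]',
    }


if __name__ == '__main__':
    for label, cfg in (('with mapping', CONFIG_WITH_MAPPING),
                       ('without mapping', CONFIG_WITHOUT_MAPPING)):
        print(label, check_config(cfg, 'ec.auckland.ac.nz'))
```

Run it against your own edu.mit.Kerberos text to see whether the cell (and its database server hostname, e.g. afs-db1.ec.auckland.ac.nz) resolves to a realm before retrying aklog -d; a None result corresponds to the "afs/ec.auckland.ac.nz@" line in the quoted output.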