[OpenAFS] Getting Tickets but not Tokens

Christopher D. Clausen cclausen@acm.org
Sat, 10 May 2008 15:52:16 -0500


Jason C. Wells <jcw@highperformance.net> wrote:
> I am able to get a krb5 ticket for afs, but for some strange reason
> aklog won't get a token for me.
>
> I use heimdal on FreeBSD 6.3 and openafs 1.2.8 on Redhat 8. I am not
> running a kaserver.
>
> From the command line:
>
> [jcw@s3 stradamotorsports.com]$ kinit
> Password for jcw@STRADAMOTORSPORTS.COM:
>
> [jcw@s3 stradamotorsports.com]$ aklog -d
> Authenticating to cell stradamotorsports.com (server
> s3.stradamotorsports.com).
> We've deduced that we need to authenticate to realm
> STRADAMOTORSPORTS.COM. Getting tickets:
> afs/stradamotorsports.com@STRADAMOTORSPORTS.COM Kerberos error code 
> returned by get_cred: -1765328228
> aklog: Couldn't get stradamotorsports.com AFS tickets:
> aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets

The error indicates a Kerberos problem, not an AFS problem.

Where did you get aklog from?  openafs 1.2.8 does not have an aklog 
binary and I suspect your aklog is trying to contact a krb524d process 
on the KDC (runs on port 4444 udp) and is probably failing, thus 
rendering you unable to obtain tokens.

Either upgrade to a newer openafs version or obtain an aklog that has 
native Kerberos 5 support and does not need a krb524d service running. 
(You could also enable krb524d on the KDC, but I would not suggest 
that.)

<<CDC
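
The numeric code in the aklog -d output above can be attributed to a library by unpacking it with the com_err scheme (a table name packed above an 8-bit message index). This is an added example, not part of the original post or of OpenAFS; the function names are hypothetical, and KRB5_KDC_UNREACH is the MIT krb5 symbol for this code.

```python
import re

# com_err packs a table name (up to four characters, 6 bits each) above
# an 8-bit message index inside one signed 32-bit error code.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz0123456789_")

def table_name(code):
    """Recover the error-table name from a com_err code."""
    num = (code & 0xFFFFFFFF) >> 8
    name = ""
    for shift in (18, 12, 6, 0):
        idx = (num >> shift) & 0x3F
        if idx:
            name += CHARSET[idx - 1]
    return name

def table_base(name):
    """Inverse of table_name: the signed base code of a table."""
    num = 0
    for ch in name:
        num = (num << 6) | (CHARSET.index(ch) + 1)
    num <<= 8
    return num - (1 << 32) if num & 0x80000000 else num

def split_code(code):
    """Return (table name, message index within that table)."""
    return table_name(code), code & 0xFF

# Symbol known for MIT krb5; the message text is the one aklog printed.
KNOWN = {("krb5", 156): "KRB5_KDC_UNREACH"}

def diagnose(log_text):
    """Find the numeric code in aklog -d output and attribute it."""
    m = re.search(r"get_cred:\s*(-?\d+)", log_text)
    if not m:
        return None
    table, index = split_code(int(m.group(1)))
    layer = "Kerberos library" if table == "krb5" else "other (" + table + ")"
    return table, index, KNOWN.get((table, index), "unknown"), layer

# The line from the post above (joined where the mail client wrapped it).
SAMPLE = ("afs/stradamotorsports.com@STRADAMOTORSPORTS.COM Kerberos error "
          "code returned by get_cred: -1765328228")

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The code decodes to the krb5 table, which matches the reply's reading that the failure is in Kerberos rather than in AFS.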