[OpenAFS] Openafs broken on Ubuntu Hardy ?

Sergio Gelato Sergio.Gelato@astro.su.se
Tue, 28 Oct 2008 09:31:25 +0100


* Madhusudan Singh [2008-10-27 09:39:50 -0700]:
> > > I cannot cd into my own directory, so I ssh'ed into the server and issued fs
> >
> > Which authentication method did you use with ssh? Does GSSAPI work?
> >
> 
> I have never really looked into this. I believe that I have ssh-krb5 or some
> such thing installed.  A quick look inside my /etc/ssh/sshd_config on the
> client indicates "GSSAPIAuthentication yes" is set.

The reason I asked is that GSSAPI authentication would leverage the same
Kerberos TGT you got your client-side AFS token from. It's a way of
confirming that there is nothing wrong with your TGT and that a
forwarded TGT gives you a working AFS token on the server. 
Invoking ssh with the -v option should show you which authentication
method is being used. Alternatively, if you're prompted for a password
you aren't using GSSAPI.

> > Looks good. One question, though: is the server you ran this on a member
> > of www-hosts ?
> 
> I have no idea (it does host www directories for users). How do I find out ?

pts members www-hosts

But judging from the rest of what you said, the answer to this particular
question isn't going to matter.

> Notable differences - it's not addressless and kerberos 4 tickets were issued
> as well.

As Derrick reminded us (thanks for the correction), the token is
addressless in any case. I would hope that your cell's servers can deal
with a token that is derived directly from a Kerberos 5 ticket, but
that's really a question for your local helpdesk as they should know
what their cell is running. For the avoidance of doubt, you could try to
invoke aklog with the -524 option and see if that helps; but it's a
rather long shot.

> > Can't the helpdesk at YYY.EDU help you with this?
> 
> I will definitely ask them (though most of them are windows addled unix
> ignoramuses - this is one of your more "modern" IT departments) once I have
> exhausted all chances of the problem being at my end. Thanks for your help
> and patience so far. Any suggestions would be greatly appreciated.

The reason why you might be luckier asking them is that it's their realm 
and their cell, and they should know exactly how they've set things up 
and have access to their KDC logs which may contain useful information 
about your problem. Besides, aren't they paid to help?

Even if the problem turns out to be entirely at your end, it's still
useful for them to know what functionality their users are looking for
(in your case, running the AFS client on an Ubuntu laptop); that tells
them e.g. what how-to documents they need to publish. So don't be too shy.
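
Added example (not part of the original message): a shell helper that reads `ssh -v` output and reports whether GSSAPI actually carried the login, or whether the client tried it and fell back to another method such as a password. The `debug1:` line formats it matches are an assumption about the OpenSSH client's debug output (other client versions may word them differently), and the sample logs and hostname are constructed.

```shell
# Usage against a real host (hostname is a placeholder):
#   ssh -v user@server.example.edu true 2>&1 | gssapi_verdict

# Print the method named in the client's "Authentication succeeded (...)"
# debug line, or "none" if the log contains no such line.
ssh_auth_method() {
    awk '
        /^debug1: Authentication succeeded \(/ {
            sub(/^debug1: Authentication succeeded \(/, "")
            sub(/\).*$/, "")
            method = $0
        }
        END { print (method == "" ? "none" : method) }
    '
}

# Classify a whole log read from stdin:
#   gssapi                          - a gssapi-* method succeeded
#   gssapi-tried-fell-back-to:<m>   - GSSAPI was attempted, <m> succeeded instead
#   gssapi-not-tried:<m>            - GSSAPI was never attempted
#   no-auth                         - no successful authentication in the log
gssapi_verdict() {
    log=$(cat)
    method=$(printf '%s\n' "$log" | ssh_auth_method)
    case "$method" in
        gssapi-*) echo "gssapi" ;;
        none)     echo "no-auth" ;;
        *)
            if printf '%s\n' "$log" |
               grep -q '^debug1: Next authentication method: gssapi-'; then
                echo "gssapi-tried-fell-back-to:$method"
            else
                echo "gssapi-not-tried:$method"
            fi ;;
    esac
}

# Constructed sample logs (not captured from any real server).
SAMPLE_GSSAPI='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentication succeeded (gssapi-with-mic).'

SAMPLE_FALLBACK='debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Authentications that can continue: publickey,gssapi-with-mic,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).'
```

A "fell back" verdict means the TGT-based path did not work for that login, which is the case worth reporting to whoever runs the realm.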