[OpenAFS] ADS and MIT Kerberos transition auth continued
Jeffrey Altman
jaltman@secure-endpoints.com
Wed, 01 Jul 2009 18:00:50 -0400
Eric Chris Garrison wrote:
> ...but as ecgarris@ADS.IU.EDU:
>
> Wed Jul 1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
> Wed Jul 1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
> HOST 149.166.144.33 ID 32766 FID 536870933:2:2
>
> So the ADS.IU.EDU user is showing as unauthorized? Strange that if I
> create a file, its UNIX permissions show as owned by ecgarris though.
>
>> I would also verify that the keytabs that you are using are in fact
>> correct. You can do so using the MIT Kerberos kvno command. Obtain a
>> TGT for ecgarris@ADS.IU.EDU and then issue:
>
>> kvno -k <keytab> afs/afstest.iu.edu@ADS.IU.EDU
Your Rx connection is unauthenticated. That means that
(a) either you do not have an AFS token
(b) the token contains a kvno that is not recognized by the AFS server
(c) the token is bad in some other way
On Windows using the MIT KFW klist command, what does "klist -e" show
when you have an afs/afstest.iu.edu@ADS.IU.EDU service ticket in the cache?
Jeffrey Altman