[OpenAFS] AIX 5.3 and aklog_dynamic_auth fail

Derrick Brashear shadow@gmail.com
Fri, 19 Jun 2009 13:45:18 -0400


On Fri, Jun 19, 2009 at 5:17 AM, Remi Ferrand <remi.ferrand@cc.in2p3.fr> wrote:

> Hi everyone,
>
> I'm working on AIX 5.3, with OpenAFS v1.4.10 / AIX NAS Kerberos 5.
>
> My AFS cell is online and functional with Kerberos 5 (kinit + aklog OR
> klog.krb5 works fine). I can obtain a Kerberos 5 ticket and extract an
> AFS Token from it without any problem.
>
> I'm now trying to obtain an AFS token as soon as I "ssh" into my AFS
> client.
> I could find a ChangeLog saying that AIX LAM Module "aklog_dynamic_auth"
> is now fully functional
> (http://www.openafs.org/frameset/dl/openafs/1.4.10/ChangeLog ) and could
> do this stuff.
>
> The LAM compilation plugin went fine (no error).
> When I re-start my SSH daemon, LAM plugin is correctly loaded.
>
> However I still have the same error when an ssh connection is tried:
>
> (from AFS AIX client machine)
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog loaded: uid 0 pag -1
> Jun 19 11:09:59 ccdvrs03 auth|security:debug sshd[385070]: LAM aklog starting: user testkrb5 uid 0
> Jun 19 11:09:59 ccdvrs03 auth|security:err|error sshd[385070]: LAM aklog: get_credv5 returns -1765328352


#define KRB5KRB_AP_ERR_TKT_EXPIRED               (-1765328352L)

Your configs below don't appear to actually get a ticket, they just try to
aklog.
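
Decoding the value from the log line, as an added example that is not part of the original message or of OpenAFS: Kerberos error codes follow the com_err layout, so the number splits into an error-table name and an offset within that table. The function names are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example; function names are illustrative. com_err layout: table name
 * (up to 4 chars, 6 bits each) packed above an 8-bit per-table offset. */
static const char CHARSET[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Decode the error-table name of `code` into out (at least 5 bytes). */
const char *et_table_name(long code, char out[5])
{
    unsigned long num = ((unsigned long)code >> 8) & 077777777UL;
    char *p = out;
    for (int i = 3; i >= 0; i--) {
        unsigned ch = (unsigned)((num >> (6 * i)) & 0x3f);
        if (ch != 0)                 /* 0 means "no character" */
            *p++ = CHARSET[ch - 1];
    }
    *p = '\0';
    return out;
}

/* Offset of `code` within its table (low 8 bits). */
int et_offset(long code) { return (int)((unsigned long)code & 0xff); }

/* Extract <n> from "... get_credv5 returns <n>"; 0 on success, -1 otherwise. */
int parse_returned_code(const char *line, long *code)
{
    const char *marker = "get_credv5 returns ";
    const char *p = strstr(line, marker);
    char *end;
    if (p == NULL)
        return -1;
    p += strlen(marker);
    *code = strtol(p, &end, 10);
    return end == p ? -1 : 0;
}

int main(void)
{
    /* Log line from the message above, with the mail line wrap undone. */
    const char *line = "Jun 19 11:09:59 ccdvrs03 auth|security:err|error "
                       "sshd[385070]: LAM aklog: get_credv5 returns -1765328352";
    long code;
    char table[5];
    if (parse_returned_code(line, &code) != 0)
        return 1;
    printf("table=%s offset=%d\n", et_table_name(code, table), et_offset(code));
    return 0;
}
```

For the logged value this yields table `krb5`, offset 32, which is the entry the `#define` above names.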
