[OpenAFS] Problem with klog

Steven Jenkins steven.jenkins@gmail.com
Fri, 29 May 2009 09:34:13 -0400


On Fri, May 29, 2009 at 7:06 AM, David Robson <David.Robson@jet.uk> wrote:
...
> I have set up an AFS cell, a partition a volume and a user and an acl.
>
> On the server machine, I can authenticate as the user with kadmin and aklog,
> and then I have read/write access to the user's /afs home directory. All
> good so far.
>
> However, I can't authenticate with klog, on the AFS server, or on client
> machines.
>
> If I run "klog <username>", I get the error message
>
> "Unable to authenticate to AFS because Authentication Server was
> unavailable."
>

Note that using klog + kaserver is one option, and that using kadmin
and aklog is a different option -- you can't mix the two.

As you discovered via googling, it's recommended that you use an
external Kerberos infrastructure rather than klog + kaserver.

> After a bit of googling, I find that I should be running the kaserver, I
> do so by running /usr/afs/bin/kaserver as root in the xterm. How should
> it be run, and with which arguments??
>
> With kaserver running, I now get the error ...
>
> "Unable to authenticate to AFS because user doesn't exist."
>
> But the user exists! I created it with kadmin -q "addprinc <username>"
>

This is because your principal is in your third party KDC, not in the
kaserver.  To create principals in the kaserver, you use the 'kas'
command.  But again, since you already have a working 3rd party KDC,
just don't use the kaserver and klog at all.

> Further googling suggests I shouldn't be running kaserver, but kdc.
> However I AM running krb5kdc, but it doesn't seem to be listening on
> the same port as kaserver (7004)
>
> I am confused and stuck. Can anyone put me in the right direction?
>

My suggestion is to not worry about klog at all and instead use kadmin
to create principals, kinit to get Kerberos tickets, and aklog to
convert those tickets to AFS tokens.

-- 
Steven Jenkins
End Point Corporation
http://www.endpoint.com/