[OpenAFS] Problem with klog

Sean O'Malley omalleys@msu.edu
Fri, 29 May 2009 10:15:26 -0400 (EDT)


I can't quite remember if the patches got pushed downstream to the stable
(1.4.x) version, but krb5 support for klog should be in the 1.5.x dev
branch. It is called something like klog.krb5.

I have successfully used that version of klog with the stable branch on
Solaris.

On Fri, 29 May 2009, Steven Jenkins wrote:

> On Fri, May 29, 2009 at 7:06 AM, David Robson <David.Robson@jet.uk> wrote:
> ...
> > I have set up an AFS cell, a partition a volume and a user and an acl.
> >
> > On the server machine, I can authenticate as the user with kadmin and aklog,
> > and then I have read/write access to the user's /afs home directory. All
> > good so far.
> >
> > However, I can't authenticate with klog, on the AFS server, or on client
> > machines.
> >
> > If I run "klog <username>", I get the error message
> >
> > "Unable to authenticate to AFS because Authentication Server was
> > unavailable."
> >
>
> Note that using klog + kaserver is one option, and that using kadmin
> and aklog is a different option -- you can't mix the two.
>
> As you discovered via googling, it's recommended that you use an
> external Kerberos infrastructure rather than klog + kaserver.
>
> > After a bit of googling, I find that I should be running the kaserver, I
> > do so by running /usr/afs/bin/kaserver as root in the xterm. How should
> > it be run, and with which arguments??
> >
> > With kaserver running, I now get the error ...
> >
> > "Unable to authenticate to AFS because user doesn't exist."
> >
> > But the user exists! I created it with kadmin -q "addprinc <username>"
> >
>
> This is because your principal is in your third party KDC, not in the
> kaserver.  To create principals in the kaserver, you use the 'kas'
> command.  But again, since you already have a working 3rd party KDC,
> just don't use the kaserver and klog at all.
>
> > Further googling suggests I shouldn't be running kaserver, but kdc.
> > However I AM running krb5kdc, but it doesn't seem to be listening on
> > the same port as kaserver (7004)
> >
> > I am confused and stuck. Can anyone put me in the right direction?
> >
>
> My suggestion is to not worry about klog at all and instead use kadmin
> to create principals, kinit to get Kerberos tickets, and aklog to
> convert those tickets to AFS tokens.
>
>

--------------------------------------
  Sean O'Malley, Information Technologist
  Michigan State University
-------------------------------------