[OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

Derrick Brashear shadow@gmail.com
Thu, 30 Sep 2010 08:08:05 -0400

On Thu, Sep 30, 2010 at 7:56 AM, Phillip Moore
<w.phillip.moore@gmail.com> wrote:
> My quest to refresh my AFS knowledge continues, with mixed results.
> I can get as far as rebooting the first AFS machine, and the server and
> client seem to come up fine, and talk to each other. I can run any
> administrative command as long as I use -localauth, and while I can get
> tokens for the local cell just fine, the AFS server processes aren't trusting
> them.
> I'm using CentOS 5.4 on x86_64, using the Kerberos version which is packaged
> with CentOS by default.

What version? I don't think it will matter, but if 1.8 there's an extra step.

> I've had no problem setting up my krb5 realm
> (BOOT.EFS) and using it (my product already uses GSSAPI for basic
> authentication). Here's the Kerberos-related details of how this was
> setup.
> The AFS cell name is 'd.fh.nyc.us.boot.efs':
> [root@fhcore etc]# kadmin -k
> Authenticating as principal host/fhcore.boot.efs@BOOT.EFS with default
> keytab.
> kadmin:  add_principal -randkey -e des-cbc-crc:v4 afs/d.fh.nyc.us.boot.=
> WARNING: no policy specified for afs/d.fh.nyc.us.boot.efs@BOOT.EFS;
> defaulting to no policy
> Principal "afs/d.fh.nyc.us.boot.efs@BOOT.EFS" created.

That cell looks nothing like that realm.

What's in FileLog? What's in /usr/afs/etc/krb.conf (or the equivalent if
you didn't use Transarc paths)?

> How do I get the AFS server process to tell me how the credentials are being
> handled?

Alas, currently, audit logs. But that's gonna be the issue: ptserver
isn't mapping these to a local realm user, and so you are no one.
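An added diagnostic for the mismatch Derrick points at (example code, not from the thread or from OpenAFS): it asks whether an AFS server for a given cell would treat a Kerberos principal as a local-realm user. It assumes that without a krb.conf the server takes the local realm to be the upper-cased cell name, and that krb.conf, when present, lists the realm(s) to treat as local instead; the paths follow the Transarc defaults in the reply and the principal and file contents are constructed.

```shell
#!/bin/sh
# Print the realms the server treats as local, one per line. Assumption:
# krb.conf (whitespace-separated realms) overrides the default, which is the
# cell name upper-cased.
local_realms() {
  cell="$1"; krbconf="$2"
  if [ -s "$krbconf" ]; then
    tr -s ' \t' '\n\n' < "$krbconf" | grep -v '^$'
  else
    printf '%s\n' "$cell" | tr '[:lower:]' '[:upper:]'
  fi
}

# Realm part of a principal (text after the last '@').
principal_realm() {
  printf '%s\n' "$1" | sed 's/.*@//'
}

# Exit 0 if the principal's realm is local, so ptserver can map the name to a
# plain user entry; exit 1 if it is foreign, in which case the server looks
# for "user@realm" instead and an unmapped caller ends up as anonymous.
principal_is_local() {
  cell="$1"; krbconf="$2"; princ="$3"
  local_realms "$cell" "$krbconf" | grep -qx "$(principal_realm "$princ")"
}

# Constructed walk-through of the situation in the thread: the cell name
# d.fh.nyc.us.boot.efs with tokens from realm BOOT.EFS and no krb.conf.
demo() {
  tmp=$(mktemp -d)
  cell=d.fh.nyc.us.boot.efs
  princ=someuser@BOOT.EFS            # constructed principal
  : > "$tmp/krb.conf"                # no realm mapping configured yet
  if principal_is_local "$cell" "$tmp/krb.conf" "$princ"; then
    echo "$princ is local to cell $cell"
  else
    echo "$princ is foreign to cell $cell; server assumes realm $(local_realms "$cell" "$tmp/krb.conf")"
  fi
  echo BOOT.EFS > "$tmp/krb.conf"    # declare BOOT.EFS as the cell's local realm
  principal_is_local "$cell" "$tmp/krb.conf" "$princ" && echo "$princ is now local"
  rm -rf "$tmp"
}
demo
```

Run it on a real server by pointing the second argument at /usr/afs/etc/krb.conf and the first at the contents of ThisCell.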