[OpenAFS] Quick Start Kerberos problem: can acquire tokens, but
they don't work
Thu, 30 Sep 2010 08:08:05 -0400
On Thu, Sep 30, 2010 at 7:56 AM, Phillip Moore
> My quest to refresh my AFS knowledge continues, with mixed results.
> I can get as far as rebooting the first AFS machine, and the server and
> client seem to come up fine, and talk to each other. I can run any
> administrative command as long as I use -localauth, and while I can get
> tokens for the localcell just fine, the AFS server processes aren't trust=
> I'm using CentOS 5.4 on x86_64, using the Kerberos version which is packa=
> with CentOS by default.
what version? i don't think it will matter but if 1.8 there's an extra step
> I've had no problem setting up my krb5 realm
> (BOOT.EFS) and using it (my product already uses GSSAPI for basic
> authentication). Here's the Kerberos-related details of how this was
> The AFS cell name is 'd.fh.nyc.us.boot.efs':
> [root@fhcore etc]# kadmin -k
> Authenticating as principal host/fhcore.boot.efs@BOOT.EFS with default
> kadmin: add_principal -randkey -e des-cbc-crc:v4 afs/d.fh.nyc.us.boot.=
> WARNING: no policy specified for afs/d.fh.nyc.us.boot.efs@BOOT.EFS;
> defaulting to no policy
> Principal "afs/d.fh.nyc.us.boot.efs@BOOT.EFS" created.
that cell looks nothing like that realm.
what's in FileLog? What's in /usr/afs/etc/krb.conf (or equivalent if
you didn't use transarc paths)
> How do I get the AFS server process to tell me how the credentials are be=
alas, currently, audit logs. but that's gonna be the issue. ptserver
isn't mapping these to local realm user and so you are no one.
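
The cell/realm mismatch pointed out in the reply, as an added example that is not part of the original message or OpenAFS code. It is a simplified model resting on two assumptions: the servers' default local realm is the upper-cased cell name, and /usr/afs/etc/krb.conf, when present, lists the local realm names separated by whitespace. The user principal `alice@BOOT.EFS` and the function names are constructed for illustration.

```python
def local_realms(cell_name, krb_conf_text=None):
    """Realms the AFS servers would treat as local to the cell.

    Assumption: krb.conf holds realm names separated by whitespace; when
    the file is absent or empty the default is the upper-cased cell name.
    """
    if krb_conf_text is not None:
        realms = krb_conf_text.split()
        if realms:
            return realms
    return [cell_name.upper()]


def classify_principal(principal, cell_name, krb_conf_text=None):
    """Return (name, realm, is_local) for a Kerberos principal.

    A principal whose realm is not local is not looked up as the plain
    local user name, which matches the symptom in the thread: a token is
    issued, but the servers do not treat its holder as that user.
    """
    name, sep, realm = principal.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("expected name@REALM, got %r" % principal)
    return name, realm, realm in local_realms(cell_name, krb_conf_text)


if __name__ == "__main__":
    cell = "d.fh.nyc.us.boot.efs"   # cell name from the thread
    user = "alice@BOOT.EFS"         # constructed user in the thread's realm

    # No krb.conf: default local realm is D.FH.NYC.US.BOOT.EFS, so the
    # BOOT.EFS user is not local.
    print(local_realms(cell), classify_principal(user, cell))

    # Constructed krb.conf content naming the real realm: user is local.
    print(classify_principal(user, cell, "BOOT.EFS\n"))
```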