[OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

Phillip Moore w.phillip.moore@gmail.com
Thu, 30 Sep 2010 08:16:38 -0400



The Kerberos version is 1.6.1:

[root@fhcore ~]# rpm -q -a | grep ^krb5
krb5-server-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5

I'm staying away from the bleeding edge releases, until I've re-learned how
to make all this work with the stable ones.

My problem is that I missed the step for setting up /usr/afs/etc/krb.conf to
map the cell to the realm name.

On Thu, Sep 30, 2010 at 8:08 AM, Derrick Brashear <shadow@gmail.com> wrote:

> On Thu, Sep 30, 2010 at 7:56 AM, Phillip Moore
> <w.phillip.moore@gmail.com> wrote:
> > My quest to refresh my AFS knowledge continues, with mixed results.
> > I can get as far as rebooting the first AFS machine, and the server and
> > client seem to come up fine, and talk to each other.  I can run any
> > administrative command as long as I use -localauth, and while I can get
> > tokens for the localcell just fine, the AFS server processes aren't
> > trusting them.
> > I'm using CentOS 5.4 on x86_64, using the Kerberos version which is
> > packaged with CentOS by default.
>
> what version? i don't think it will matter but if 1.8 there's an extra step
>
> > I've had no problem setting up my krb5 realm
> > (BOOT.EFS) and using it (my product already uses GSSAPI for basic
> > authentication).   Here's the Kerberos-related details of how this was
> > set up.
> > The AFS cell name is 'd.fh.nyc.us.boot.efs':
> > [root@fhcore etc]# kadmin -k
> > Authenticating as principal host/fhcore.boot.efs@BOOT.EFS with default
> > keytab.
> > kadmin:  add_principal -randkey -e des-cbc-crc:v4 afs/d.fh.nyc.us.boot.efs
> > WARNING: no policy specified for afs/d.fh.nyc.us.boot.efs@BOOT.EFS;
> > defaulting to no policy
> > Principal "afs/d.fh.nyc.us.boot.efs@BOOT.EFS" created.
>
> that cell looks nothing like that realm.
>
> what's in FileLog? What's in /usr/afs/etc/krb.conf (or equivalent if
> you didn't use transarc paths)
>
> > How do I get the AFS server process to tell me how the credentials are
> > being handled?
>
> alas, currently, audit logs. but that's gonna be the issue. ptserver
> isn't mapping these to local realm user and so you are no one.
>
> --
> Derrick
>
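The cell/realm mismatch Derrick points at, as an added illustration that is not part of the thread and not OpenAFS code: a simplified model of how a server decides whether a token's realm counts as the cell's own realm. It assumes the convention that, with no krb.conf, the realm is the cell name in upper case, that krb.conf lists one or more realm names separated by whitespace, and that a principal from a non-local realm keeps a lower-cased "@realm" suffix that matches no protection-database entry (so the request is effectively anonymous). The cell and realm values are the ones from the thread; the principal name is constructed.

```python
"""Simplified model of AFS token-realm mapping (added illustration, not
OpenAFS's own implementation)."""

from typing import List, Optional

# Values from the thread; the cell name and the Kerberos realm differ.
CELL = "d.fh.nyc.us.boot.efs"
REALM = "BOOT.EFS"


def default_realm_for_cell(cell: str) -> str:
    """With no krb.conf present, the server assumes the realm is the cell
    name in upper case.  For the thread's cell that yields
    D.FH.NYC.US.BOOT.EFS, not BOOT.EFS, which is the whole problem."""
    return cell.upper()


def parse_krb_conf(text: Optional[str]) -> List[str]:
    """Parse a krb.conf body: realm names separated by whitespace, one or
    more per line.  Blank lines and '#' comments are ignored (assumed
    format for this illustration)."""
    realms: List[str] = []
    if text is None:
        return realms
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            realms.extend(line.split())
    return realms


def local_realms(cell: str, krb_conf: Optional[str]) -> List[str]:
    """Realms whose principals are treated as local users of the cell:
    the configured list if krb.conf exists, else the derived default."""
    configured = parse_krb_conf(krb_conf)
    return configured if configured else [default_realm_for_cell(cell)]


def map_principal(principal: str, cell: str, krb_conf: Optional[str]) -> str:
    """Name the server would look up in the protection database.
    'user@REALM' from a local realm becomes 'user'; anything else keeps a
    lower-cased realm suffix, which matches no PTS entry."""
    name, _, realm = principal.rpartition("@")
    if not realm:
        raise ValueError("principal must carry a realm")
    if realm in local_realms(cell, krb_conf):
        return name
    return f"{name}@{realm.lower()}"


def is_trusted(principal: str, cell: str, krb_conf: Optional[str]) -> bool:
    """True when the token's principal maps to a plain local user name."""
    return "@" not in map_principal(principal, cell, krb_conf)


if __name__ == "__main__":
    user = f"pmoore@{REALM}"  # constructed sample principal
    print("no krb.conf :", map_principal(user, CELL, None))
    print("with krb.conf:", map_principal(user, CELL, f"{REALM}\n"))
```

Running the script shows the two outcomes side by side: without krb.conf the principal maps to "pmoore@boot.efs" and is rejected, while a krb.conf containing the single line BOOT.EFS maps it to "pmoore", which is the state the original poster reached once the missing step was done.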
