[OpenAFS] OpenAFS krb5 auth problems

Jeffrey Altman jaltman@secure-endpoints.com
Mon, 21 Feb 2011 10:57:47 -0500


This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig28184ECE56538E7B46DE1F73
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

On 2/21/2011 1:07 AM, Carson Gaspar wrote:
> ARRGH! Of course all the krb5.conf bits were correct, but I forgot all
> about krb.conf. Many thanks for preventing me from removing more of my
> hair.
>=20
> Other than "duh, you should have known that", is there anything I could=

> have done to enable debugging sufficient to tell me why it was failing?=

>=20
> (And I look forward to the day all the legacy K4 crud can go away...)

This has very little to do with Kerberos v4 vs Kerberos v5.

Unfortunately there are very few debugging mechanisms for this failure
case.  The Kerberos v5 principal is valid but there is no matching entry
in the protection database.  I want to add a "WhoAmI" RPC that will
permit the client to ask a server what identity it thinks the user is.
That would be one method of validating the configuration.  Otherwise,
you need to turn the audit logging on.

Jeffrey Altman


--------------enig28184ECE56538E7B46DE1F73
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iQEcBAEBAgAGBQJNYot+AAoJENxm1CNJffh4msAH/1D/xP+jCpMdtLOSmOMa488l
PBKtEpAkbzQF7KoR4b8RZuqcQE9h4cKuIU99mOeb3jS+BRT3kcjiGH2uVUQEAdVU
vlklk3jnzaf0bAF2CigkrPNRraxesrqE9RRCI1iMf3FA5EBz3GJMHW+ssnYqzVJh
6Z3rBOfbemDXD/Fyii3/Vn7i9TT4CmgETdrGwFl79smaWtQxWqQW2mCCC10U7ykq
C7AgDzGSKPa7M1bpu85lSqcIcJDvtYKwBIucRBrBJOEhdda5Exm07vdIOk/ng99g
g/lhsmvLRKd/WHMpGKe+dRZq7FP8R9vQP81/w6XXJbvkFjFRar6HjF+LXj5Ku5M=
=5kkK
-----END PGP SIGNATURE-----

--------------enig28184ECE56538E7B46DE1F73--