[OpenAFS] klog.krb5 incompatible with Heimdal 1.5.1?
Andreas Haupt
ahaupt@ifh.de
Wed, 12 Oct 2011 15:31:14 +0200
Hi again,

On Wed, 2011-10-12 at 11:30 +0200, Andreas Haupt wrote:
> Dear all,
>
> Heimdal 1.5 seems to have dropped KA-server support - at least the KDC
> doesn't listen on port 7004 any more ... This means that the old klog
> command cannot work any more - ok.
>
> BUT: klog.krb5 doesn't seem to work, either!
[...]

It becomes even more interesting:

[oreade38] ~ % klog.krb5
Password for ahaupt@IFH.DE:
klog: ticket contained unknown key version number Can't get your viceid for cell ifh.de
[oreade38] ~ % tokens
Tokens held by the Cache Manager:
Tokens for afs@ifh.de [Expires Oct 13 16:22]
--End of list--
[oreade38] ~ % touch test
touch: cannot touch `test': Permission denied
[oreade38] ~ % klog.krb5 -tmp
Password for ahaupt@IFH.DE:
Wrote ticket file to /tmp/krb5cc_yF6bKY
[oreade38] ~ % tokens
Tokens held by the Cache Manager:
User's (AFS ID 9132) tokens for afs@ifh.de [Expires Oct 13 16:22]
--End of list--
[oreade38] ~ % touch test
[oreade38] ~ % rm test
[oreade38] ~ %

So when writing out a k5 cache file, everything works fine. Most
probably because in this case a krbtgt/<REALM> ticket is requested and
not the afs@<REALM> principal directly.

I compared the Wireshark traffic between klog.krb5 contacting a Heimdal
1.2.1 & Heimdal 1.5.1 server - it looks identical except for the
encrypted ticket parts of course.

Nobody else tried this combination yet?

Cheers,
Andreas
--
| Andreas Haupt | E-Mail: andreas.haupt@desy.de
| DESY Zeuthen | WWW: http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6 | Phone: +49/33762/7-7359
| D-15738 Zeuthen | Fax: +49/33762/7-7216