[OpenAFS] OpenAfs+Kerberos+OSXLion+Finder+Two Realms
Ivan Glushkov
glushkov.ivan@googlemail.com
Thu, 22 Sep 2011 08:05:48 +0200
Dear Experts,
I installed OSX 10.7.1 a few weeks ago and I uninstalled my old (Snow Leopard) OpenAfs version using the uninstall link from the Snow Leopard installer image, and installed the Lion version. My main aim is to have access in my Finder.app to two realms, to which I am logged in with the same login but different passwords. With the previous configuration I was using the following configuration:
===== Setting the environment
I have a "script" I was executing every 24 hours:
alias pas='kdestroy --all; export KRB5CCNAME=FILE:/tmp/krb5cc_cern ; kinit -V glushkov@CERN.CH; aklog -force -c cern.ch -k CERN.CH; export KRB5CCNAME=FILE:/tmp/krb5cc_desy ; kinit -V glushkov@DESY.DE; aklog -force -c desy.de -k DESY.DE'
~ > pas
glushkov@CERN.CH's Password:
Placing tickets for 'glushkov@CERN.CH' in cache 'FILE:/tmp/krb5cc_cern'
glushkov@DESY.DE's Password:
Placing tickets for 'glushkov@DESY.DE' in cache 'FILE:/tmp/krb5cc_desy'
===== Environment
Now, in a new terminal I have the following:
~ > klist
klist: krb5_cc_get_principal: No credentials cache file found
~ > tokens
Tokens held by the Cache Manager:
User's (AFS ID ***50) tokens for afs@desy.de [Expires Sep 23 08:18]
User's (AFS ID ***38) tokens for afs@cern.ch [Expires Sep 23 08:18]
--End of list--
~ >
===== SSH
for ssh to both realms I have again the corresponding aliases, and it works like a charm:
~ > alias | grep c403
alias c403='export KRB5CCNAME=FILE:/tmp/krb5cc_cern; ssh -vY glushkov@lxplus403.cern.ch'
~ > c403
...
[lxplus403] ~ $ exit
~ > alias | grep cdesy
alias cdesy='export KRB5CCNAME=FILE:/tmp/krb5cc_desy; ssh -vY glushkov@bastion.desy.de'
~ > cdesy
OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
....
bastion05:~> exit
~ >
===== Finder/Direct Access
I don't understand the direct access to the files:
~ > touch /afs/desy.de/user/g/glushkov/testfile
~ > touch /afs/cern.ch/user/g/glushkov/testfile
Sometimes (as in the case above) both are working... Sometimes only desy.de... But why? Both of them should not be working, since there are no kerberos tokens (which is why the ssh requires a password):
~ > klist
klist: krb5_cc_get_principal: No credentials cache file found
~ > tokens
Tokens held by the Cache Manager:
User's (AFS ID ***50) tokens for afs@desy.de [Expires Sep 23 08:18]
User's (AFS ID ***38) tokens for afs@cern.ch [Expires Sep 23 08:18]
--End of list--
~ > ssh lxplus.cern.ch
glushkov@lxplus.cern.ch's password:
~ > ssh bastion.desy.de
glushkov@bastion.desy.de's password:
~ >
Questions:
=========
So where does afs get the credentials from (in this case)? What is the default place for that in OSX? (In Ticket Viewer.app there's no way to specify the realm to which one would like to get a ticket.)
How can I make direct file access work reliably for both realms?
Why are there always 5-6 afsd processes running on my machine? How can I kill them? (kill -9 does not work)
How do I start/stop the afs daemon?
How do I make scp use the kerberos authentication? (I guess this is not the right forum for that one)
Regards,
Ivan Glushkov
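An added example, not part of Ivan's post and not OpenAFS's own code: a small POSIX shell helper that shows where the "direct access works without klist output" situation comes from. AFS tokens are held by the cache manager in the kernel, separately from the Kerberos credential cache, so `tokens` can list valid tokens while `klist` in a fresh terminal (where KRB5CCNAME is not set) finds no default cache. The helper parses `tokens` output in the format the post shows (the sample below is constructed, with made-up AFS IDs), reports whether a token for a given cell is held and when it expires, and only runs kinit/aklog with a realm-specific cache when no token exists. The principal naming `$USER@REALM` is an assumption; pass the real principal as the fourth argument.

```shell
#!/bin/sh
# Added example (not from the original post). Checks per-cell AFS token state
# before touching /afs, so a missing or expired token is caught explicitly
# instead of surfacing as an intermittent permission error.

# Constructed sample of `tokens` output, matching the format shown in the post.
# AFS IDs are invented.
SAMPLE_TOKENS=$(cat <<'EOF'
Tokens held by the Cache Manager:

User's (AFS ID 12345) tokens for afs@desy.de [Expires Sep 23 08:18]
User's (AFS ID 67890) tokens for afs@cern.ch [Expires Sep 23 08:18]
   --End of list--
EOF
)

# has_token CELL TOKENS_OUTPUT: exit 0 if a token for afs@CELL is listed, 1 otherwise.
# Dots in the cell name are escaped so "cern.ch" does not match "cernxch".
has_token() {
    cell_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | grep -q "tokens for afs@${cell_re} \["
}

# token_expiry CELL TOKENS_OUTPUT: print the expiry text for the cell's token,
# or nothing if no token for that cell is listed.
token_expiry() {
    cell_re=$(printf '%s' "$1" | sed 's/\./\\./g')
    printf '%s\n' "$2" | sed -n "s/.*tokens for afs@${cell_re} \[Expires \(.*\)\].*/\1/p"
}

# ensure_token CELL REALM CCACHE_FILE [PRINCIPAL]: acquire a token for CELL only
# if the cache manager does not already hold one. A realm-specific credential
# cache keeps the two realms' tickets from overwriting each other, the same idea
# as the post's alias. The principal defaults to $USER@REALM (an assumption).
# This function calls kinit/aklog, so it is not exercised by the offline checks.
ensure_token() {
    cell=$1; realm=$2; ccache=$3; princ=${4:-$USER@$realm}
    current=$(tokens 2>/dev/null)
    if has_token "$cell" "$current"; then
        echo "$cell: token held, expires $(token_expiry "$cell" "$current")"
        return 0
    fi
    KRB5CCNAME="FILE:$ccache" kinit "$princ" &&
        KRB5CCNAME="FILE:$ccache" aklog -force -c "$cell" -k "$realm"
}

# Offline demonstration against the constructed sample.
for cell in desy.de cern.ch example.org; do
    if has_token "$cell" "$SAMPLE_TOKENS"; then
        echo "$cell: token held, expires $(token_expiry "$cell" "$SAMPLE_TOKENS")"
    else
        echo "$cell: no token held by the cache manager"
    fi
done
```

To see the Kerberos tickets behind those tokens from any terminal, point klist at the realm-specific file explicitly, e.g. `klist -c FILE:/tmp/krb5cc_cern`, instead of relying on KRB5CCNAME being exported in the current shell.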