[OpenAFS] aklog -1765328189 on MacOSX after "port upgrade outdated"

John Tang Boyland boyland@uwm.edu
Sat, 13 Oct 2012 15:29:21 -0500

Dear OpenAFS community,
   Suddenly today, I was unable to aklog on my MacOSX SnowLeopard:
$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: boyland@CS.UWM.EDU

Valid starting     Expires            Service principal
10/13/12 14:49:05  10/14/12 14:49:05  krbtgt/CS.UWM.EDU@CS.UWM.EDU
	renew until 10/13/12 14:49:05
$ aklog -d -c cs.uwm.edu -k CS.UWM.EDU
Authenticating to cell cs.uwm.edu (server solomons.cs.uwm.edu).
aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189)  while getting realm

The error message from aklog is misleading, because even though
the realm is specified, aklog still dies.
The error message (see https://andromeda.rutgers.edu/~sysmail/krb5_error.html)
actually is
-1765328189	KRB5_FCC_NOFILE	No credentials cache file found

When trying to figure out what changed, I remembered that yesterday
I ran "sudo port upgrade outdated" for the first time in at least a year.
And then:

$ which kinit

Apparently when upgrading some macport program, it decided to
install Kerberos too, which hadn't been installed (as a macport) before.
This installed in /opt/local/bin which is (in my path) before /usr/bin.
The built-in Kerberos puts the credential cache in some
"special" place:

$ /usr/bin/klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: boyland@CS.UWM.EDU

So when my old token/ticket died, the /opt/local/bin/kinit
placed the credential in /tmp/krb5cc*, but aklog looked for
it elsewhere and died.

An easy workaround is to use /usr/bin/kinit rather than
"kinit" (i.e. /opt/local/bin/kinit).

I'm sending this to the list in case anyone else has the same
problem I had.  It took me a while to figure out what was going on.

Best regards,
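
Added example, not part of the original post: a small decoder for the com_err-style number that aklog reported as an "unknown RPC error", showing how the error table name ("krb5") and the offset within it can be recovered from the number itself. The function names are hypothetical, and the only symbol in the lookup table is the one quoted in the post.

```python
import re

# com_err packs the error-table name into the upper 24 bits of the code,
# 6 bits per character, using this alphabet (index 1 = 'A'); the low 8 bits
# are the offset of the error inside that table.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")

# Only the code quoted in the post; extend from your krb5 headers as needed.
KNOWN = {("krb5", 195): ("KRB5_FCC_NOFILE", "No credentials cache file found")}

# The aklog output line from the post, used as sample input.
SAMPLE = ("aklog: Couldn't determine realm of user:aklog: "
          "unknown RPC error (-1765328189)  while getting realm")


def table_name(code):
    """Return the error-table name encoded in a com_err code ('' if none)."""
    packed = ((code & 0xFFFFFFFF) >> 8) & 0xFFFFFF
    name = ""
    for shift in (18, 12, 6, 0):
        idx = (packed >> shift) & 0x3F
        if idx:                      # 0 means "no character in this slot"
            name += CHARSET[idx - 1]
    return name


def decode(code):
    """Split a code into table name and offset, and look up a known symbol."""
    table = table_name(code)
    offset = code & 0xFF
    symbol, text = KNOWN.get((table, offset), (None, None))
    # An empty table name means the value is a plain errno, not a com_err code.
    kind = "com_err" if table else "errno"
    return {"kind": kind, "table": table, "offset": offset,
            "symbol": symbol, "text": text}


def decode_line(line):
    """Find the first parenthesised integer in a tool's message and decode it."""
    match = re.search(r"\((-?\d+)\)", line)
    return decode(int(match.group(1))) if match else None


if __name__ == "__main__":
    print(decode_line(SAMPLE))
```

A table name of "krb5" tells you the failure came from the Kerberos library rather than from the AFS RPC layer, even when the calling program cannot translate the number.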