[OpenAFS] aklog -1765328189 on MacOSX after "port upgrade outdated"
John Tang Boyland
boyland@uwm.edu
Sat, 13 Oct 2012 15:29:21 -0500
Dear OpenAFS community,
Suddenly today, I was unable to aklog on my MacOSX SnowLeopard:
$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: boyland@CS.UWM.EDU
Valid starting Expires Service principal
10/13/12 14:49:05 10/14/12 14:49:05 krbtgt/CS.UWM.EDU@CS.UWM.EDU
renew until 10/13/12 14:49:05
$ aklog -d -c cs.uwm.edu -k CS.UWM.EDU
Authenticating to cell cs.uwm.edu (server solomons.cs.uwm.edu).
aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189) while getting realm
The error message from aklog is misleading, because even though
the realm is specified, aklog still dies.
The error message (see https://andromeda.rutgers.edu/~sysmail/krb5_error.html)
actually is
-1765328189 KRB5_FCC_NOFILE No credentials cache file found
When trying to figure out what changed, I remembered that yesterday
I "sudo port upgrade outdated" for the first time in at least a year.
And then:
$ which kinit
/opt/local/bin/kinit
Apparently when upgrading some macport program, it decided to
install kerberos too, which hadn't been installed (as a macport) before.
This installed in /opt/local/bin which is (in my path) before /usr/bin.
The built-in kerberos puts the credential cache in some
"special" place:
$ /usr/bin/klist
Kerberos 5 ticket cache: 'API:Initial default ccache'
Default principal: boyland@CS.UWM.EDU
...
So when my old token/ticket died, the /opt/local/bin/kinit
placed the credential in /tmp/krb5cc*, but aklog looked for
it elsewhere and died.
An easy workaround is to use /usr/bin/kinit rather than
"kinit" (i.e. /opt/local/bin/kinit).
I'm sending this to the list in case anyone else has the same
problem I had. It took me a while to figure out what was going on.
Best regards,
John