[OpenAFS] Re: aklog carps Couldn't determine realm of user

Ted Creedon tcreedon@easystreet.net
Thu, 22 Dec 2016 06:07:08 +0000 

Heimdal set the ticket up..(I think)
So how does one login krbtgt?
PS making progress on the glibc/swig bug
Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something=
 like a missing .align 64
tedc

admin@CREEDON.BIZ's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: admin@CREEDON.BIZ

  Issued                Expires        Principal
Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/CREEDON.BIZ@CREEDON.BIZ


kadmin> get krbtgt*
            Principal: krbtgt/CREEDON.BIZ@CREEDON.BIZ
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-17 01:03:08 UTC
             Modifier: kadmin/admin@CREEDON.BIZ
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(p=
w-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

            Principal: krbtgt/creedon.biz@CREEDON.BIZ
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-20 00:29:08 UTC
             Modifier: kadmin/admin@CREEDON.BIZ
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(p=
w-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:


________________________________________
From: Michael Meffie <mmeffie@sinenomine.net>
Sent: Wednesday, December 21, 2016 6:15:58 AM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Wed, 21 Dec 2016 02:21:13 +0000
Ted Creedon <tcreedon@easystreet.net> wrote:

> if
> KRB5CCNAME=3D"FILE:/tmp/krb5cc_0"
> is set
>
> one gets:
>
> aklog -d
> Authenticating to cell creedon.biz (server ookpik.creedon.biz).
> Trying to authenticate to user's realm CREEDON.BIZ.
> Getting tickets: afs/creedon.biz@CREEDON.BIZ
> Kerberos error code returned by get_cred : -1765328352
> aklog: Couldn't get creedon.biz AFS tickets:
> aklog: Ticket expired while getting AFS tickets

Thanks for testing 1.8.0pre1 Ted.  That error code indicates
the ticket has expired,

krb5 error -1765328352 =3D KRB5KRB_AP_ERR_TKT_EXPIRED

What does klist show?

Thanks,
Mike