[OpenAFS] Re: aklog carps Couldn't determine realm of user

Ted Creedon tcreedon@easystreet.net
Thu, 22 Dec 2016 19:50:02 +0000


Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
I.e. how can Principal: krbtgt/CREEDON.BIZ@CREEDON.BIZ have a ticket if it was never logged in?

I'll try 7.1
tedc

see below:
kadmin> get krb*
            Principal: krbtgt/CREEDON.BIZ@CREEDON.BIZ
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-17 01:03:08 UTC
             Modifier: kadmin/admin@CREEDON.BIZ
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

            Principal: krbtgt/creedon.biz@CREEDON.BIZ
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-20 00:29:08 UTC
             Modifier: kadmin/admin@CREEDON.BIZ
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:


________________________________________
From: Benjamin Kaduk <kaduk@mit.edu>
Sent: Thursday, December 22, 2016 10:35:56 AM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 06:07:08AM +0000, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect something like a missing .align 64
> tedc
>
> admin@CREEDON.BIZ's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: admin@CREEDON.BIZ
>
>   Issued                Expires        Principal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/CREEDON.BIZ@CREEDON.BIZ

This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS.  Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.

-Ben