[OpenAFS] Re: aklog carps Couldn't determine realm of user
Ted Creedon
tcreedon@easystreet.net
Thu, 22 Dec 2016 23:42:41 +0000
different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still carps about
/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
admin@CREEDON.BIZ's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist -AT
Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@CREEDON.BIZ
Issued Expires Principal
Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 krbtgt/CREEDON.BIZ@CREEDON.BIZ
Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 afs/creedon.biz@CREEDON.BIZ
Dec 22 15:33:01 201 Jun 23 07:32:57 201 Tokens for creedon.biz
##################
aklog
aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189) while getting realm
#####
open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or directory)
________________________________________
From: Benjamin Kaduk <kaduk@mit.edu>
Sent: Thursday, December 22, 2016 12:31:50 PM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 07:50:02PM +0000, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/CREEDON.BIZ@CREEDON.BIZ have a ticket if it was never logged in?
It doesn't have a ticket; admin@CREEDON.BIZ has a ticket.
The ticket that admin@CREEDON.BIZ has is a ticket-granting ticket, i.e., the service
principal it is for is krbtgt/CREEDON.BIZ@CREEDON.BIZ.
-Ben