[OpenAFS] Re: aklog carps Couldn't determine realm of user

Benjamin Kaduk kaduk@mit.edu
Thu, 22 Dec 2016 17:58:31 -0600 

On Thu, Dec 22, 2016 at 11:42:41PM +0000, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still carps about 
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user/<uid>/krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> admin@CREEDON.BIZ's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: admin@CREEDON.BIZ
> 
>   Issued                Expires               Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/CREEDON.BIZ@CREEDON.BIZ
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon.biz@CREEDON.BIZ

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

> 
> 
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
> 
> 
> ##################
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #####
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted output
you have given here?  Did you consciously try to set either /run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".

-Ben