[OpenAFS] Re: aklog carps Couldn't determine realm of user
Ted Creedon
tcreedon@easystreet.net
Fri, 23 Dec 2016 01:10:22 +0000
some progress anyway, I get tokens but no /afs
export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary
afsd -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 50000
afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'
kinit admin
admin@CREEDON.BIZ's Password:
aklog
tokens
Tokens held by the Cache Manager:
User's (AFS ID 501) tokens for afs@creedon.biz [Expires Jun 23 09:02]
--End of list--
BUT /afs doesn't get mounted to /vicepa
ookpik:/usr/src/linux-4.1.31-30 # ls /afs
ookpik:/usr/src/linux-4.1.31-30 # mount |g afs
ookpik:/usr/src/linux-4.1.31-30 # fs mkmount /afs/.$C root.cell -rw
fs: mount points must be created within the AFS file system
________________________________________
From: Benjamin Kaduk <kaduk@mit.edu>
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 11:42:41PM +0000, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
Ah, this is a "fancy" default coming into play, no doubt. /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user/<uid>/krb5cc/ directory was
not created automatically, so check that it exists.
> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> admin@CREEDON.BIZ's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: admin@CREEDON.BIZ
>
> Issued Expires Principal
> Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 krbtgt/CREEDON.BIZ@CREEDON.BIZ
> Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 afs/creedon.biz@CREEDON.BIZ
Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.
>
>
> Dec 22 15:33:01 201 Jun 23 07:32:57 201 Tokens for creedon.biz
>
>
> ##################
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189) while getting realm
This seems to suggest that aklog -noprdb might succeed.
> #####
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or directory)
There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software. Is KRB5CCNAME modified between any of the pasted output
you have given here? Did you consciously try to set either /run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?
Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.
I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targeted
instead of "shotgun style".
-Ben
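A small check for the two-cache confusion Ben raises, added here as an example; it is not code from the thread, from OpenAFS, or from either Kerberos distribution. It resolves the cache a process will open in the order the libraries apply (KRB5CCNAME in the environment, then the [libdefaults] cache-name key, which is default_ccache_name for MIT and default_cc_name for Heimdal, then a compiled-in default that the script assumes to be FILE:/tmp/krb5cc_<uid>), expands %{uid}, and tests whether the directory behind a FILE: or DIR: cache exists, which is the /run/user/<uid>/krb5cc/ failure mode mentioned above. The krb5.conf it runs against is constructed for the demo, not the poster's real file.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenAFS/Kerberos.
# Resolves which credential cache libkrb5 will open, in the order the
# libraries document: $KRB5CCNAME, then the krb5.conf [libdefaults] key
# (default_ccache_name for MIT, default_cc_name for Heimdal), then the
# compiled-in default, assumed here to be FILE:/tmp/krb5cc_<uid>.
# It then checks whether the cache's directory exists, which is the
# /run/user/<uid>/krb5cc/ failure mode discussed in the thread.

# Print the cache name configured in CONF for UID, with %{uid} expanded.
# Prints nothing when the file is unreadable or sets no cache name.
ccache_from_conf() {
    conf=$1
    uid=$2
    [ -r "$conf" ] || return 0
    awk -v uid="$uid" '
        # Track which [section] we are in; only [libdefaults] counts.
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        insec && /^[ \t]*default_(ccache|cc)_name[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")     # drop "key = "
            sub(/[ \t]+$/, "")           # drop trailing blanks
            gsub(/%[{]uid[}]/, uid)      # expand the %{uid} token
            print
            exit
        }' "$conf"
}

# Print the cache name a process with this environment would use.
effective_ccache() {
    conf=$1
    uid=$2
    if [ -n "${KRB5CCNAME:-}" ]; then
        printf '%s\n' "$KRB5CCNAME"
        return 0
    fi
    cc=$(ccache_from_conf "$conf" "$uid")
    if [ -n "$cc" ]; then
        printf '%s\n' "$cc"
        return 0
    fi
    printf 'FILE:/tmp/krb5cc_%s\n' "$uid"   # assumed compiled-in default
}

# Print the directory that must exist for a cache name to be usable, or
# nothing for cache types that do not live in the filesystem.
ccache_dir() {
    case $1 in
        FILE:*) dirname "${1#FILE:}" ;;
        DIR::*) dirname "${1#DIR::}" ;;       # DIR::<file> names one ticket file
        DIR:*)  printf '%s\n' "${1#DIR:}" ;;  # DIR:<dir> names the whole collection
        *:*)    printf '\n' ;;                # KEYRING:, KCM:, API:, MEMORY:
        *)      dirname "$1" ;;               # bare path is treated as FILE:
    esac
}

ccache_dir_exists() {
    d=$(ccache_dir "$1")
    [ -n "$d" ] && [ -d "$d" ]
}

# Human-readable summary of the above for one uid; always returns 0.
report_ccache() {
    conf=$1
    uid=$2
    cc=$(effective_ccache "$conf" "$uid")
    if [ -n "${KRB5CCNAME:-}" ]; then
        src="KRB5CCNAME"
    elif [ -n "$(ccache_from_conf "$conf" "$uid")" ]; then
        src="$conf"
    else
        src="compiled-in default"
    fi
    printf 'uid %s: credential cache %s (from %s)\n' "$uid" "$cc" "$src"
    if ccache_dir_exists "$cc"; then
        printf '  directory %s exists\n' "$(ccache_dir "$cc")"
    elif [ -n "$(ccache_dir "$cc")" ]; then
        printf '  directory %s is missing: opening the cache fails with ENOENT\n' "$(ccache_dir "$cc")"
    else
        printf '  not a filesystem cache; nothing to check here\n'
    fi
    return 0
}

# Constructed demo input (not the poster's real file): a krb5.conf that
# places the cache under /run/user/<uid>, as the strace line in the thread
# suggests the poster's setup does.
demo=$(mktemp -d)
cat >"$demo/krb5.conf" <<'EOF'
[libdefaults]
    default_realm = EXAMPLE.ORG
    default_ccache_name = FILE:/run/user/%{uid}/krb5cc/tkt
EOF
report_ccache "$demo/krb5.conf" 0
rm -rf "$demo"
```

On the affected host, call report_ccache /etc/krb5.conf "$(id -u)" once with KRB5CCNAME set and once with it unset to see which of the two caches (FILE:/tmp/krb5cc_0 versus something under /run/user/0/krb5cc/) a given tool is going to open. Because MIT and Heimdal read different configuration keys, a krb5.conf that only sets one of them steers tools linked against one library and not the other, which is why Ben's question about which libkrb5 aklog is linked against matters. A FILE: cache whose parent directory does not exist produces exactly the ENOENT seen in the strace output.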