[OpenAFS] aklog: unknown RPC error (-1765328377) while getting AFS tickets

Steven Schoch schoch6@gmail.com
Wed, 25 Apr 2018 12:03:48 -0700



Thank you! I overlooked the expiration time. I was expecting a ticket to be
automatically created when I authenticated through SSH, but it wasn't.
I changed the file /etc/pam.d/system-auth as documented, so that the first
section now looks like this:

auth        required      pam_env.so
auth        sufficient    pam_afs.so try_first_pass ignore_root
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

The expectation is that when I connect with SSH, it will use Kerberos for
authentication, but it doesn't seem to be getting a ticket. How do I do
that?

If I get a ticket manually using kinit, then aklog works. However, I still
don't have permissions to create a file:

$ cd /afs/.example.com/home/xdemo
$ ls -ld
drwxr-xr-x. 3 xdemo root 2048 Apr 25 10:57 .
$ touch file
touch: cannot touch `file': Permission denied


On Wed, Apr 25, 2018 at 11:41 AM, Jeffrey Altman <jaltman@auristor.com>
wrote:

> -1765328352 (krb5).32 = Ticket expired
>
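
Added example (not part of the original messages and not OpenAFS code): the "(krb5).32" notation in the quoted reply follows the com_err packing, in which the upper 24 bits of the code hold the error-table name as 6-bit characters and the low 8 bits hold the offset in that table. The sketch below decodes the two codes seen in this thread; the function names and the two-entry message table are assumptions of the example, with the message texts taken from the RFC 4120 error numbers 7 and 32.

```python
import string

# 6-bit alphabet com_err uses to pack a table name; value 0 means "no character".
CHARSET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "_"
BITS_PER_CHAR = 6
ERRCODE_RANGE = 8  # low 8 bits: offset within the table

# Subset of the krb5 table covering the codes in this thread (assumption:
# only these two entries are needed here; the real table is much larger).
KRB5_MESSAGES = {
    7: "Server not found in Kerberos database",
    32: "Ticket expired",
}


def table_base(name):
    """Pack a 1-4 character table name into its signed 32-bit base code."""
    if not 1 <= len(name) <= 4:
        raise ValueError("table name must be 1-4 characters")
    packed = 0
    for ch in name:
        packed = (packed << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    base = (packed << ERRCODE_RANGE) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base


def decode(code):
    """Split a signed 32-bit com_err code into (table name, offset)."""
    unsigned = code & 0xFFFFFFFF
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    packed = unsigned >> ERRCODE_RANGE
    name = ""
    for shift in (18, 12, 6, 0):  # four 6-bit groups, most significant first
        value = (packed >> shift) & 0x3F
        if value:
            name += CHARSET[value - 1]
    return name, offset


def describe(code):
    """Render a code the way the quoted reply does: (table).offset = text."""
    name, offset = decode(code)
    if not name:  # no table bits set: a plain system errno, not a com_err code
        return "errno %d" % offset
    text = KRB5_MESSAGES.get(offset) if name == "krb5" else None
    return "(%s).%d = %s" % (name, offset, text or "unknown to this example")


if __name__ == "__main__":
    for sample in (-1765328377, -1765328352):  # subject line, quoted reply
        print(sample, describe(sample))
```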
