[OpenAFS] question about authentication with kerberos and Default principal

Gary Gatling gsgatlin@ncsu.edu
Sat, 3 Mar 2018 10:15:10 -0500


Recently I decided to play around with some alternative architectures on
Fedora with virt-manager/qemu. So I set up some power machines (ppc64 and
ppc64le).
I also made some arm machines but I gather openafs isn't quite ready yet
for arm in 1.6.22.2.

I was able to compile openafs rpms for ppc64.  I did not try ppc64le yet.
It's very slow to build in an emulator. Surprisingly, openafs builds and I am
able to start the service and list afs directories. But I can't
authenticate to Kerberos like I can on x86_64. I feel like I'm missing
something basic but I'm unsure what it is.

When I run kinit on x86_64, I get

[gsgatlin@t540p ~]$ kinit gsgatlin
Password for gsgatlin@EOS.NCSU.EDU:
[gsgatlin@t540p ~]$ klist
Ticket cache: KCM:1000
Default principal: gsgatlin@EOS.NCSU.EDU

Valid starting       Expires              Service principal
03/03/2018 09:55:22  03/04/2018 07:10:22  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
renew until 03/10/2018 09:55:17


but on the ppc64 emulator, I get

[gsgatlin@localhost bin]$ kinit gsgatlin
Password for gsgatlin@EOS.NCSU.EDU:
[gsgatlin@localhost bin]$ klist
Ticket cache: KCM:1000:53854
Default principal: @EOS.NCSU.EDU

Valid starting       Expires              Service principal
03/03/2018 09:56:23  03/04/2018 07:11:23  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
for client gsgatlin@EOS.NCSU.EDU, renew until 03/10/2018 09:56:17

Notice the default principal says @EOS.NCSU.EDU instead of
gsgatlin@EOS.NCSU.EDU like it did on x86_64.

So when I run aklog on ppc64 it fails

[gsgatlin@localhost bin]$ aklog -d -c eos.ncsu.edu -k EOS.NCSU.EDU
Authenticating to cell eos.ncsu.edu (server eos01db.unity.ncsu.edu).
We were told to authenticate to realm EOS.NCSU.EDU.
Getting tickets: afs/eos.ncsu.edu@EOS.NCSU.EDU
Kerberos error code returned by get_cred : -1765328243
aklog: Couldn't get eos.ncsu.edu AFS tickets:
aklog: unknown RPC error (-1765328243) while getting AFS tickets


but on x86_64 (either on virt-manager or a real pc) I get

[gsgatlin@t540p ~]$ aklog -d -c eos.ncsu.edu -k EOS.NCSU.EDU
Authenticating to cell eos.ncsu.edu (server eos01db.unity.ncsu.edu).
We were told to authenticate to realm EOS.NCSU.EDU.
Getting tickets: afs/eos.ncsu.edu@EOS.NCSU.EDU
Using Kerberos V5 ticket natively
About to resolve name gsgatlin to id in cell eos.ncsu.edu.
Id 19149
Set username to AFS ID 19149
Setting tokens. AFS ID 19149 @ eos.ncsu.edu

Here is a link to my /etc/krb5.conf file on both systems:

https://pastebin.com/3HHP15c0

Does anyone know why it would work on one architecture (x86_64) but fail on
another (ppc64)? Is my /etc/krb5.conf missing something? kinit is provided
by Red Hat so I think I can't have messed up that particular binary.

[gsgatlin@localhost bin]$ which kinit
/usr/bin/kinit
[gsgatlin@localhost bin]$ rpm -qf /usr/bin/kinit
krb5-workstation-1.15.2-7.fc27.ppc64

Thanks a lot for any ideas anyone may have.  I feel like I was close to
getting everything working.
