[OpenAFS] question about authentication with kerberos and Default principal

Gary Gatling gsgatlin@ncsu.edu
Sat, 3 Mar 2018 16:52:56 -0500


On Sat, Mar 3, 2018 at 3:46 PM, Harald Barth <haba@kth.se> wrote:
>
>
> Both MIT kinit and heimdal kinit honor the KRB5CCNAME environment
> variable which has the form TYPE:location thus a typical way to set
> your FILE cache is:
>
> export KRB5CCNAME=FILE:/tmp/krb5cc_`id -u`
>
> Btw: As FILE: is the oldest ticket cache type and the default, any
> file name will do. For example:
>
> export KRB5CCNAME=/tmp/whatever
>
> will set it to /tmp/whatever
>
>
Huh. That's pretty weird. Using the KRB5CCNAME it works fine.

[gsgatlin@localhost ~]$ export KRB5CCNAME=FILE:/tmp/krb5cc_`id -u`
[gsgatlin@localhost ~]$ kinit gsgatlin
Password for gsgatlin@EOS.NCSU.EDU:
[gsgatlin@localhost ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: gsgatlin@EOS.NCSU.EDU

Valid starting       Expires              Service principal
03/03/2018 16:40:27  03/04/2018 13:55:27  krbtgt/EOS.NCSU.EDU@EOS.NCSU.EDU
	renew until 03/10/2018 16:40:22
[gsgatlin@localhost ~]$ aklog -c eos.ncsu.edu -k EOS.NCSU.EDU
[gsgatlin@localhost ~]$ aklog -c unity.ncsu.edu -k EOS.NCSU.EDU
[gsgatlin@localhost ~]$ aklog -c bp.ncsu.edu -k EOS.NCSU.EDU
[gsgatlin@localhost ~]$ tokens

Tokens held by the Cache Manager:

User's (AFS ID 19149) tokens for afs@bp.ncsu.edu [Expires Mar  4 13:55]
User's (AFS ID 19149) tokens for afs@unity.ncsu.edu [Expires Mar  4 13:55]
User's (AFS ID 19149) tokens for afs@eos.ncsu.edu [Expires Mar  4 13:55]
   --End of list--

I couldn't get the heimdal-kinit to work right, but this setting,
KRB5CCNAME=FILE:/tmp/krb5cc_`id -u`, is fine. I can just add that to my
auth shell script that does the kinit and the aklogs stuff on ppc64. It's
weird that it didn't work without it, but I'm happy it even works at all.
Thank you! :)

I can edit files in my home directory so I know it's working now.

Thank you again for your help.
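An added example, not code from the thread: an auth script of the kind described in the message above (set KRB5CCNAME to the per-user FILE cache, kinit, then aklog into each cell), with a helper that splits a KRB5CCNAME value into its TYPE and location and treats a bare path as FILE, as the quoted reply explains. Cell and realm names are the ones shown in the session; the function names are assumed.

```shell
#!/bin/sh
# Added example (not from the thread): an auth script of the kind described
# above: set KRB5CCNAME, kinit, then aklog into each cell. Cell and realm
# names are those shown in the thread; the function names are assumed.

# Split a KRB5CCNAME value into "TYPE location". A value without a
# "TYPE:" prefix is a bare path and means FILE, as the quoted reply notes.
ccname_parse() {
    case "$1" in
        *:*) printf '%s %s\n' "${1%%:*}" "${1#*:}" ;;
        *)   printf 'FILE %s\n' "$1" ;;
    esac
}

# The per-user FILE cache name used in the thread: FILE:/tmp/krb5cc_<uid>.
ccname_for_uid() {
    printf 'FILE:/tmp/krb5cc_%s\n' "$1"
}

# Before reusing an existing FILE cache in a shared /tmp, insist that it is a
# regular file we own and not a symlink, so a stale or foreign file is never
# silently adopted as our credential cache.
cache_file_ok() {
    [ -f "$1" ] && [ ! -L "$1" ] && [ -O "$1" ]
}

# afs_login USER REALM CELL...  (kinit prompts for the password)
afs_login() {
    user=$1; realm=$2; shift 2          # remaining arguments are AFS cells
    KRB5CCNAME=$(ccname_for_uid "$(id -u)")
    export KRB5CCNAME
    loc=${KRB5CCNAME#FILE:}
    if [ -e "$loc" ] && ! cache_file_ok "$loc"; then
        echo "refusing to use $loc: not a regular file owned by $(id -un)" >&2
        return 1
    fi
    kinit "$user@$realm" || return 1
    for cell; do
        aklog -c "$cell" -k "$realm" || return 1
    done
    tokens
}

# Usage, matching the session in the message:
# afs_login gsgatlin EOS.NCSU.EDU eos.ncsu.edu unity.ncsu.edu bp.ncsu.edu
```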
