[OpenAFS-port-darwin] Krb5 ticket -> AFS token upon login ...

Tim C. tim@umbc.edu
Wed, 11 Jun 2003 16:25:51 -0400 (EDT)


> I've been using both aklog and afslog without luck.  Previously, I was
> authenticating to an AFS kaserver.  Today I brought up MIT's krb5
> authentication server - separate from the AFS server - and added myself
> as a principal, assuming that I would now simply get an AFS token w/o
> problem.  But after modifying /Library/Preferences/edu.mit.kerberos to
> point to my kdc, both Kerberos plugins still do not give me a token.
> Does the following debug output suggest what my problem might be?
>
  I can't make much from the debug code, but I can offer some
suggestions.  I just spent the last few days figuring out the single
login stuff with kerb and afs on os x, and wrote up a page on it that
may be helpful:  http://www.gl.umbc.edu/root/macosx/

  Some things to check for are to make sure you have a v4 realms section
in your edu.mit.Kerberos file, and make sure you have the
afs_to_strings (or something like it) in there for your realm.  You can
get the exact lines from the link on that page.

Hope this Helps,
  Tim

> Thanks,
>
> Steve
>
> Here is what aklog gives compiled with debug:
>
> Jun 11 14:12:36
> /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/
> SecurityAgent: aklog.loginLogout: krb_get_tf_fullname() failed with
> error Can't find Kerberos ticket or TGT
> nJun 11 14:12:36
> /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/
> SecurityAgent: aklog.loginLogut: aklog failed with error 22
>
>
> Jun 11 14:12:36  WindowServer[2096]: currentUserIsInAdminGroup : Not
> found in 1 groups
> Jun 11 14:12:38
> /System/Library/Frameworks/Kerberos.framework/Servers/CCacheServer.app/
> Contents/MacOS/CCacheServer: Starting up.
>
> Jun 11 14:12:38
> /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/
> SecurityAgent: aklog.loginLogout: krb_get_tf_fullname() failed with
> error Can't find Kerberos ticket or TGT
> Jun 11 14:12:38
> /System/Library/CoreServices/SecurityAgent.app/Contents/MacOS/
> SecurityAgent: aklog.loginLogut: aklog failed with error 22
>
>
> Jun 11 14:12:44 /usr/libexec/fix_prebinding:
> /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder could not
> be launched prebound.
> Jun 11 14:12:53 /usr/libexec/fix_prebinding:
> /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder appears
> to have no prebinding problems.
> Jun 11 14:12:53 /usr/libexec/fix_prebinding: 2003-06-11 14:12:53 -0400:
> prebinding for Finder done.
>
> And here is afslog's debugging information:
>
> sh-2.05a$ kinit
> Kerberos Login:
> Please enter the password for lusol@LEHIGH.EDU:
> afslog.loginLogout[2858]: 14:52:50.733 (+0.003) - k_hasafs
> afslog.loginLogout[2858]: 14:52:50.741 (+0.008) - krb5_init_context
> afslog.loginLogout[2858]: 14:52:50.753 (+0.012) - krb5_cc_default
> afslog.loginLogout[2858]: 14:52:50.754 (+0.002) - krb5_cc_get_principal
> afslog.loginLogout[2858]: 14:52:50.755 (+0.001) -
> krb5_aname_to_localname
> afslog.loginLogout[2858]: 14:52:50.755 (+0.000) - krb5_free_principal
> afslog.loginLogout[2858]: DEBUG: Cache owner is: lusol
> afslog.loginLogout[2858]: 14:52:50.755 (+0.000) - getpwnam begin
> afslog.loginLogout[2858]: 14:52:50.766 (+0.010) - getpwnam
> afslog.loginLogout[2858]: 14:52:50.766 (+0.000) - getuid
> afslog.loginLogout[2858]: Getting AFS tokens for user lusol (257)
> afslog.loginLogout[2858]: 14:52:50.766 (+0.000) - krb5_afslog_uid_home
> start
> afslog.loginLogout[2858]: 14:52:50.767 (+0.001) - krb5_afslog_uid_home
> end
> afslog.loginLogout[2858]: 14:52:50.767 (+0.000) - Login End
> sh-rberos 5 ticket cache: 'API:Initial default ccache'
> Default Principal: lusol@LEHIGH.EDU
> Valid Starting     Expires            Service Principal
> 06/11/03 14:52:51  06/12/03 00:52:50  krbtgt/LEHIGH.EDU@LEHIGH.EDU
>
> sh-2.05a$ tokens
>
> Tokens held by the Cache Manager:
>
>     --End of list--
> sh-2.05a$
>

-----------------------------------------------------------------------
Tim Craig            These are my opinions and not my employers. :)
OIT-Systems
tim@umbc.edu         It's hard to be serious when you're
                       naked. - Garfield
-----------------------------------------------------------------------
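
One way to run the check suggested in the reply above (that the Kerberos profile has a v4 realms section covering your realm), as an added example that is not part of the original message. The `[v4 realms]` header spelling is an assumption taken from the reply's wording, the sample profile is constructed, and `kdc.example.edu` is a placeholder host.

```python
import re

# Constructed sample profile (not from the thread). The "[v4 realms]" header
# spelling is an assumption based on the reply's "v4 realms section".
SAMPLE_PROFILE = """\
[libdefaults]
    default_realm = LEHIGH.EDU

[realms]
    LEHIGH.EDU = {
        kdc = kdc.example.edu
    }
"""

def parse_sections(text):
    """Map each top-level [section] to the set of keys defined directly in it."""
    sections, current, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header and depth == 0:
            current = header.group(1).strip().lower()
            sections.setdefault(current, set())
            continue
        # Only keys at brace depth 0 are realm names; nested keys are skipped.
        if current is not None and depth == 0 and "=" in line:
            sections[current].add(line.split("=", 1)[0].strip())
        depth += line.count("{") - line.count("}")
    return sections

def missing_v4_realm(text, realm, v4_section="v4 realms"):
    """Return a list of problems; empty means the realm has a v4 entry."""
    sections = parse_sections(text)
    problems = []
    if realm not in sections.get("realms", set()):
        problems.append(f"[realms] has no entry for {realm}")
    if v4_section not in sections:
        problems.append(f"no [{v4_section}] section")
    elif realm not in sections[v4_section]:
        problems.append(f"[{v4_section}] has no entry for {realm}")
    return problems

if __name__ == "__main__":
    for p in missing_v4_realm(SAMPLE_PROFILE, "LEHIGH.EDU"):
        print("WARN:", p)
```

To check a real machine, pass the contents of /Library/Preferences/edu.mit.kerberos and your own realm name instead of the sample.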