[OpenAFS-port-darwin] Re: port-darwin digest, Vol 1 #192 - 1 msg

Herlind Wurth wurth@imp.univie.ac.at
Fri, 05 Mar 2004 11:53:11 +0100


Hi Bil!

Thanks for the help, but that won't work.
I cannot get the afs tokens at login, because login = peters
and gets the kerberos ticket from the Domaincontroller (I.U.AC.AT).

But I want the afs token together with the kerberos ticket
for sam from M.I.U.AC.AT.
That's the problem, that there are 2 different servers that
provide the kerberos tickets and they do not communicate with
each other. 

So I have to get the ticket from M.I.U.AC.AT manually (through
the Kerberos-GUI-application). What I want is to get the afs
tickets automatically, when I get the second kerberos ticket.

Bye, Ann

> From: bil <bil_hays@unc.edu>
> Date: Thu, 04 Mar 2004 14:03:49 -0500
> To: wurth@imp.univie.ac.at
> Subject: Re: port-darwin digest, Vol 1 #192 - 1 msg
> 
> Does this help?
> <http://www.ibiblio.org/macsupport/kerberos/kerberos10_3.html>
> 
> specifically, adding login_logout_notification = "aklog" to libdefaults and
> installing Alexei's kfm_aklog plugin
> 
> --On Thursday, March 4, 2004 12:01 PM -0500 port-darwin-request@openafs.org
> wrote:
> 
>> 
>> Message: 1
>> Date: Thu, 04 Mar 2004 16:07:11 +0100
>> From: Herlind Wurth <wurth@imp.univie.ac.at>
>> To: <port-darwin@openafs.org>
>> Subject: [OpenAFS-port-darwin] Automatically get afs-ticket
>> 
>> Hi!
>> 
>> When getting a kerberos ticket with the Kerberos-GUI-application I want to
>> automatically also get an afs ticket.
>> 
>> My configuration:
>> OSX 10.3.2
>> When logging in I automatically get a kerberos ticket from our
>> Domaincontroller
>> (Realm: I.U.AC.AT)
>> User is peters
>> But the AFS is configured elsewhere.
>> 
>> So I get a kerberos ticket through the GUI-application from
>> Realm M.I.U.AC.AT
>> This is also no problem. I get the kerberos ticket.
>> But here the user is sam.
>> 
>> When I have the 2nd kerberos ticket (for sam at M.I.U.AC.AT),
>> I make sam the active user and can then get the afs ticket
>> via aklog using the console
>> Peters$ aklog -c m.i.u.ac.at -k M.I.U.AC.AT
>> 
>> But what I want is to get the afs ticket without using the console.
>> 
>> My edu.mit.Kerberos file looks like this:
>>     ---------------------------------------------
>> # WARNING This file is automatically created, if you wish to make changes
>> # delete the next two lines
>> # autogenerated from : /Active Directory/imp.univie.ac.at
>> # generation_id : 100079898
>> [libdefaults]
>>         ticket_lifetime = 600
>>         dns_fallback = no
>> [realms]
>>         I.U.AC.AT = {
>>                 kdc = vn2ad.i.u.ac.at.:88
>>                 kdc = vn2ad2.i.u.ac.at.:88
>>                 admin_server = vn2ad.i.u.ac.at.
>>                 admin_server = vn2ad2.i.u.ac.at.
>>         }
>>         M.I.U.A.A = {
>>                 kdc = dufy.i.u.ac.at
>>                 kdc = matisse.i.u.ac.at
>>                 admin_server = dufy.i.u.ac.at
>>                 default_domain = i.u.ac.at
>>         }
>> 
>> 
>> [login]
>>         krb5_get_tickets = true
>>         krb5_run_aklog = true
>>         aklog_path=/usr
>>     ---------------------------------------------
>> 
>> The line "aklog_path=/usr" I copied from the krb5.conf file on
>> dufy.i.u.ac.at
>> Actually the aklog is located in /usr/bin/
>> I also tried with "aklog_path=/usr/bin/" (and various other)
>> But that didn't work either.
>> 
>> (another problem I had, was that using only aklog got me an error message:
>> peters$ aklog -d
>> Authenticating to cell m.i.u.ac.at (server dufy.i.u.ac.at).
>> We've deduced that we need to authenticate to realm I.U.AC.AT.
>> Getting tickets: afs/m.i.u.ac.at@I.U.AC.AT
>> Kerberos error code returned by get_cred: -1765328377
>> aklog: Couldn't get m.i.u.ac.at AFS tickets:
>> aklog: Server not found in Kerberos database while getting AFS tickets
>> 
>> The problem was that it used the default realm I.U.AC.AT
>> So I have to call aklog with the cell and realm
>> 
>> For that I wrote a wrapper:
>>     ---------
>> #!/bin/bash
>> 
>> # Call the renamed aklog with explicit cell and realm; log stdout and stderr
>> /usr/bin/aklog.orig -d mendel.imp.univie.ac.at -k MENDEL.IMP.UNIVIE.AC.AT > /tmp/aklog.log 2>&1
>>     ---------
>> And renamed aklog to aklog.orig
>> 
>> So now just typing aklog, when sam is the active user and has his kerberos
>> Ticket from M.I.U.AC.AT gets me the afs ticket
>> 
>> Also I know that aklog is not called automatically, when getting the
>> Ticket from M.I.U.AC.AT via the GUI-application because the logfile
>> aklog.log is not written)
>> 
>> 
>> So to make a long story short:
>> Please tell me what I have to insert in aklog_path=
>> So that aklog will be called automatically when I get the ticket for sam.
>> 
>> Or any other way that you know of, that I can get the afs-ticket
>> automatically when getting the kerberos ticket for sam from M.I.U.AC.AT .
>> 
>> I'd very much appreciate your help, Ann
>> 
> 
> 
> 
> --
> 
> ________________________
> bil hays
> Network Manager
> Computer Science, UNC CH
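
An added example, not part of the original thread: a variant of the wrapper quoted above that leaves /usr/bin/aklog in place and writes its log to a per-user file instead of /tmp/aklog.log. The function name, the AKLOG and AKLOG_LOG_DIR variables and the log location are assumptions; the aklog flags, cell and realm are the ones used in the thread.

```shell
#!/bin/bash
# Added example (not from the thread): call aklog with an explicit cell and
# realm without renaming the system binary.
# AKLOG, AKLOG_LOG_DIR and get_afs_token are assumed names for illustration.

AKLOG="${AKLOG:-/usr/bin/aklog}"
AKLOG_LOG_DIR="${AKLOG_LOG_DIR:-$HOME/Library/Logs}"

# get_afs_token CELL REALM
# Runs "aklog -d -c CELL -k REALM" and sends stdout and stderr to a log file
# in a per-user directory. Returns aklog's exit status, 2 on missing
# arguments, 127 if aklog is not executable, 1 if the log path is unusable.
get_afs_token() {
    local cell realm log
    cell="$1"
    realm="$2"
    [ -n "$cell" ] && [ -n "$realm" ] || return 2
    [ -x "$AKLOG" ] || return 127

    mkdir -p "$AKLOG_LOG_DIR" || return 1
    log="$AKLOG_LOG_DIR/aklog.log"
    # Refuse to write through a symlink planted at the log path.
    [ -L "$log" ] && return 1

    # umask 077 in a subshell: a newly created log is readable only by the
    # caller, and the caller's own umask is left unchanged.
    ( umask 077
      "$AKLOG" -d -c "$cell" -k "$realm" > "$log" 2>&1 )
}

# When executed with two arguments, act as the wrapper, e.g.:
#   aklog-wrapper m.i.u.ac.at M.I.U.AC.AT
if [ "$#" -eq 2 ]; then
    get_afs_token "$1" "$2"
fi
```
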