The Kerberos version is 1.6.1:

[r...@fhcore ~]# rpm -q -a | grep ^krb5
krb5-server-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5

I'm staying away from the bleeding edge releases, until I've re-learned how to make all this work with the stable ones.

My problem is that I missed the step for setting up /usr/afs/etc/krb.conf to map the cell to the realm name.

On Thu, Sep 30, 2010 at 8:08 AM, Derrick Brashear <sha...@gmail.com> wrote:

> On Thu, Sep 30, 2010 at 7:56 AM, Phillip Moore
> <w.phillip.mo...@gmail.com> wrote:
> > My quest to refresh my AFS knowledge continues, with mixed results.
> > I can get as far as rebooting the first AFS machine, and the server and
> > client seem to come up fine, and talk to each other. I can run any
> > administrative command as long as I use -localauth, and while I can get
> > tokens for the localcell just fine, the AFS server processes aren't
> > trusting them.
> > I'm using CentOS 5.4 on x86_64, using the Kerberos version which is
> > packaged with CentOS by default.
>
> what version? i don't think it will matter but if 1.8 there's an extra step
>
> > I've had no problem setting up my krb5 realm
> > (BOOT.EFS) and using it (my product already uses GSSAPI for basic
> > authentication). Here's the Kerberos-related details of how this was
> > setup.
> > The AFS cell name is 'd.fh.nyc.us.boot.efs':
> > [r...@fhcore etc]# kadmin -k
> > Authenticating as principal host/fhcore.boot....@boot.efs with default
> > keytab.
> > kadmin: add_principal -randkey -e des-cbc-crc:v4 afs/d.fh.nyc.us.boot.efs
> > WARNING: no policy specified for afs/d.fh.nyc.us.boot....@boot.efs;
> > defaulting to no policy
> > Principal "afs/d.fh.nyc.us.boot....@boot.efs" created.
>
> that cell looks nothing like that realm.
>
> what's in FileLog? What's in /usr/afs/etc/krb.conf (or equivalent if
> you didn't use transarc paths)
>
> > How do I get the AFS server process to tell me how the credentials are
> > being handled?
>
> alas, currently, audit logs. but that's gonna be the issue. ptserver
> isn't mapping these to local realm user and so you are no one.
>
> --
> Derrick
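
Added example (not part of the original thread and not OpenAFS code): a shell model of the cell-to-realm check discussed above, run with the cell and realm named in the thread. It assumes a simplified rule in which realm names listed in krb.conf are the local realms and, when the file is absent or empty, the local realm is the cell name in upper case; the function names are hypothetical.

```shell
#!/bin/sh
# Model of how an AFS server decides which Kerberos realm counts as "local".
# ASSUMPTION (simplified): realms listed in krb.conf are the local realms;
# with no usable krb.conf, the local realm is the upper-cased cell name.

# Print the realms treated as local for CELL, one per line.
local_realms() {    # usage: local_realms CELL [KRB_CONF]
    lr_conf=${2:-/usr/afs/etc/krb.conf}
    if [ -r "$lr_conf" ] && grep -q '[^[:space:]]' "$lr_conf"; then
        # Realm names are whitespace-separated; emit one per line.
        tr -s '[:space:]' '\n' < "$lr_conf" | grep -v '^$'
    else
        printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
    fi
}

# Succeed only if REALM exactly matches one of the local realms for CELL.
realm_is_local() {  # usage: realm_is_local CELL REALM [KRB_CONF]
    local_realms "$1" "${3:-/usr/afs/etc/krb.conf}" | grep -qxF -- "$2"
}

# Constructed demo: same cell and realm as the thread, first without a
# krb.conf and then with one that names the realm.
demo_conf=$(mktemp)
echo 'BOOT.EFS' > "$demo_conf"
for conf in /nonexistent/krb.conf "$demo_conf"; do
    if realm_is_local d.fh.nyc.us.boot.efs BOOT.EFS "$conf"; then
        echo "$conf: BOOT.EFS is local; its principals map to cell users"
    else
        echo "$conf: BOOT.EFS is foreign; server expects:" \
             "$(local_realms d.fh.nyc.us.boot.efs "$conf")"
    fi
done
rm -f "$demo_conf"
```

Without the mapping, the model reports D.FH.NYC.US.BOOT.EFS as the expected realm, which is the mismatch behind "that cell looks nothing like that realm".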