[OpenAFS] Fw: it would be nice to have an administrators guide

2016-12-22 Thread Ted Creedon


it would be nice to have an administrators guide on how to set up the keys for 
openafs 1.8 + heimdal 7.1

the intermixture of ad, heimdal & mit is confusing to say the least.

could you provide one?

tedc
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
some progress anyway, I get tokens but no /afs
export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary

afsd  -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 5
afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

kinit admin
ad...@creedon.biz's Password: 
 aklog
 tokens

Tokens held by the Cache Manager:

User's (AFS ID 501) tokens for a...@creedon.biz [Expires Jun 23 09:02]
   --End of list--
BUT /afs doesn't get mounted to /vicepa
ookpik:/usr/src/linux-4.1.31-30 # ls /afs
ookpik:/usr/src/linux-4.1.31-30 # mount |g afs
ookpik:/usr/src/linux-4.1.31-30 # fs mkmount /afs/.$C root.cell -rw
fs: mount points must be created within the AFS file system




From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still 
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted output
you have given here?  Did you consciously try to set either /run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targeted
instead of "shotgun style".

-Ben


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt  not= to krb5cc/primary


i.e.
klist -A
says
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz
and
aklog carps about missing /run/user/0/krb5cc/tkt
but
its krb5cc/primary that exists

tree /run/user/0/
/run/user/0/
|-- KSMserver__0
|-- dconf
|   `-- user
|-- gvfs
|-- kdeinit5__0
|-- klauncherTJ3534.1.slave-socket
|-- krb5cc
|   `-- primary
|-- pulse
`-- systemd
|-- notify
`-- private

5 directories, 7 files


From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still 
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted output
you have given here?  Did you consciously try to set either /run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targeted
instead of "shotgun style".

-Ben


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still 
> carps about 
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> 
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

> 
> 
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
> 
> 
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted output
you have given here?  Did you consciously try to set either /run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targeted
instead of "shotgun style".

-Ben
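The two-caches problem Ben raises above (KRB5CCNAME, the default_ccache_name in krb5.conf, and a /run/user/UID/krb5cc collection that contains `primary` but no `tkt`) is easy to reproduce on paper. The script below is an added example for this thread, not code from OpenAFS, Heimdal or any poster: it resolves which cache name libkrb5 would pick and then checks whether that cache is actually present. Its assumptions are labelled: the resolution order (environment, then [libdefaults], then a compiled-in default taken to be FILE:/tmp/krb5cc_%{uid}) and the DIR: collection layout, in which the file `primary` names the active subsidiary cache (`tkt` when empty). The fake filesystem in `demo()` is constructed to mirror the tree Ted posted.

```python
"""Which Kerberos credential cache is in effect, and does it exist on disk?

Example code for the openafs-info thread; not part of OpenAFS or Heimdal.
Assumed resolution order: $KRB5CCNAME, then default_ccache_name from the
[libdefaults] section of krb5.conf, then a compiled-in default.
"""
import os
import re
from typing import Callable, Mapping, Optional

# Assumption: the compiled-in default of a typical libkrb5 build.
COMPILED_DEFAULT = "FILE:/tmp/krb5cc_%{uid}"


def default_ccache_from_conf(conf_text: str) -> Optional[str]:
    """Return default_ccache_name from [libdefaults], or None if it is not set."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section == "libdefaults":
            key, sep, value = line.partition("=")
            if sep and key.strip() == "default_ccache_name":
                return value.strip()
    return None


def resolve_ccache(env: Mapping[str, str], conf_text: str, uid: int) -> str:
    """Pick the cache name libkrb5 would use and expand %{uid} / %{euid}."""
    name = env.get("KRB5CCNAME") or default_ccache_from_conf(conf_text) or COMPILED_DEFAULT
    name = name.replace("%{uid}", str(uid)).replace("%{euid}", str(uid))
    if ":" not in name:                           # a bare path means a FILE: cache
        name = "FILE:" + name
    return name


def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def ccache_status(name: str,
                  exists: Callable[[str], bool] = os.path.exists,
                  read: Callable[[str], str] = _read_text) -> str:
    """Describe whether the named cache is really present.

    For DIR: collections the `primary` file names the active subsidiary cache
    (assumption: `tkt` when the file is empty); a `primary` that points at a
    missing file is the "primary exists, tkt does not" state seen in the thread.
    """
    kind, _, rest = name.partition(":")
    if kind == "FILE":
        return "present" if exists(rest) else f"missing cache file: {rest}"
    if kind == "DIR":
        if not exists(rest):
            return f"missing collection directory: {rest}"
        primary = os.path.join(rest, "primary")
        if not exists(primary):
            return f"collection has no primary file: {primary}"
        target = os.path.join(rest, read(primary).strip() or "tkt")
        if exists(target):
            return "present"
        return f"primary names a cache that does not exist: {target}"
    return f"cache type {kind} not checked"


def report(conf_path: str = "/etc/krb5.conf") -> str:
    """One-line summary for the current process environment (real filesystem)."""
    try:
        conf = _read_text(conf_path)
    except OSError:
        conf = ""
    name = resolve_ccache(os.environ, conf, os.getuid())
    return f"{name}: {ccache_status(name)}"


def demo() -> str:
    """Constructed replay of the thread: a krb5cc collection with only `primary`."""
    fake_fs = {"/run/user/0/krb5cc": "", "/run/user/0/krb5cc/primary": "tkt\n"}
    conf = "[libdefaults]\n    default_ccache_name = DIR:/run/user/%{uid}/krb5cc\n"
    name = resolve_ccache({}, conf, 0)          # no KRB5CCNAME in the environment
    status = ccache_status(name, lambda p: p in fake_fs, lambda p: fake_fs[p])
    return f"{name}: {status}"


if __name__ == "__main__":
    print(demo())
    print(report())
```

Run it with and without KRB5CCNAME exported to see whether the shell that runs `kinit` and the one that runs `aklog` even agree on the cache; a mismatch between the two names is the first thing to rule out before touching software versions.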


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still 
carps about 
/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
ad...@creedon.biz's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist -AT
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz

  IssuedExpires   Principal
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz



Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz


##
aklog
aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189)  
while getting realm
#
open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or directory)


From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 12:31:50 PM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
> never logged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.
The ticket that ad...@creedon.biz has is a ticket-granting ticket, i.e., the service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
> never logged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.
The ticket that ad...@creedon.biz has is a ticket-granting ticket, i.e., the service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
never logged in?

I'll try 7.1
tedc

see below:
kadmin> get krb*
Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-17 01:03:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:

Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-20 00:29:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:



From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 10:35:56 AM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something 
> like a missing .align 64
> tedc
>
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpiresPrincipal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS.  Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.

-Ben


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something 
> like a missing .align 64
> tedc
> 
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> 
>   IssuedExpiresPrincipal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS.  Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.

-Ben
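Two of Ben's points in this thread come down to reading `klist` output correctly: a ticket whose service principal is krbtgt/REALM@REALM is the client principal's ticket-granting ticket, not a ticket "belonging to" krbtgt, and once that TGT is marked >>>Expired<<< aklog has nothing it can use to request an afs/ service ticket. The parser below is an added example, not code from the thread or from OpenAFS or Heimdal: it reads a Heimdal-style `klist` listing, classifies each ticket as TGT or service ticket, and says whether an unexpired TGT for the realm is available before aklog runs. The sample listing is constructed for the example with a placeholder realm (EXAMPLE.COM) and follows the column layout shown in the thread.

```python
"""Classify tickets in a Heimdal-style `klist` listing and check for a usable TGT.

Example code for the openafs-info thread; not part of OpenAFS or Heimdal.
The listing below is constructed with a placeholder realm.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: one live TGT, one afs service ticket, one expired TGT.
SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_0
        Principal: admin@EXAMPLE.COM

  Issued                Expires               Principal
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/EXAMPLE.COM@EXAMPLE.COM
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/example.com@EXAMPLE.COM
Dec 21 21:52:59 2016  >>>Expired<<<         krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

_TIME = r"[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2} \d{4}"
_TICKET = re.compile(rf"^({_TIME})\s+(>>>Expired<<<|{_TIME})\s+(\S+)$")
_TIME_FMT = "%b %d %H:%M:%S %Y"


@dataclass
class Ticket:
    issued: datetime
    expires: Optional[datetime]   # None when klist itself printed >>>Expired<<<
    principal: str                # the *service* principal the ticket is for

    @property
    def service(self) -> str:
        """First component of the service principal: krbtgt, afs, host, ..."""
        return self.principal.split("@", 1)[0].split("/", 1)[0]

    @property
    def realm(self) -> str:
        parts = self.principal.rsplit("@", 1)
        return parts[1] if len(parts) == 2 else ""

    @property
    def is_tgt(self) -> bool:
        # A TGT is the client's ticket for the krbtgt service of its realm.
        return self.service == "krbtgt"

    def expired(self, now: datetime) -> bool:
        return self.expires is None or self.expires <= now


def parse_klist(text: str) -> List[Ticket]:
    """Extract ticket rows; header and cache/principal lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = _TICKET.match(line.strip())
        if not m:
            continue
        issued = datetime.strptime(m.group(1), _TIME_FMT)
        expires = None if "Expired" in m.group(2) else datetime.strptime(m.group(2), _TIME_FMT)
        tickets.append(Ticket(issued, expires, m.group(3)))
    return tickets


def usable_tgt(tickets: List[Ticket], realm: str, now: datetime) -> Optional[Ticket]:
    """The first unexpired TGT for `realm`, or None."""
    for t in tickets:
        if t.is_tgt and t.realm == realm and not t.expired(now):
            return t
    return None


def diagnose(text: str, realm: str, now: datetime) -> str:
    """Plain-language verdict on whether aklog can get anywhere with this cache."""
    tickets = parse_klist(text)
    if not tickets:
        return "no tickets in cache: run kinit"
    if usable_tgt(tickets, realm, now) is None:
        return f"no usable TGT for {realm}: run kinit before aklog"
    if any(t.service == "afs" and not t.expired(now) for t in tickets):
        return "TGT and afs service ticket present: aklog should be able to proceed"
    return "TGT present but no afs service ticket yet: aklog can request one"


if __name__ == "__main__":
    for t in parse_klist(SAMPLE_KLIST):
        kind = "TGT" if t.is_tgt else f"service ticket ({t.service})"
        print(f"{t.principal}: {kind}")
    print(diagnose(SAMPLE_KLIST, "EXAMPLE.COM", datetime(2016, 12, 22, 16, 0, 0)))
```

Feed it the real output with `klist | python3 thisfile.py`-style plumbing if you adapt `__main__` to read stdin; the point is that the verdict depends only on the krbtgt row's realm and expiry, which is where the "how can krbtgt have a ticket if it never logged in" confusion and the expired-TGT failure both show up.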