Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-10-01 Thread Phillip Moore
That makes a lot of sense to me.  The guide is already VERY complicated, and
adding unnecessary options, and yet another decision the user has to
research doesn't make anything easier.

Derrick also pointed out that openafs-krb5 includes aklog as well, which you
need later in the process, so in the interest of minimum necessary
complexity, I'll leave the discussion of ktutil out of the guide for now.




Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Jeff Blaine

Maybe this (kind of old info, but who knows)?

http://www.openafs.org/pipermail/openafs-info/2004-September/014929.html

On 9/30/2010 7:56 AM, Phillip Moore wrote:

pts: Permission denied

___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Derrick Brashear
On Thu, Sep 30, 2010 at 7:56 AM, Phillip Moore
w.phillip.mo...@gmail.com wrote:
 My quest to refresh my AFS knowledge continues, with mixed results.
 I can get as far as rebooting the first AFS machine, and the server and
 client seems to come up fine, and talk to each other.  I can run any
 administrative command as long as I use -localauth, and while I can get
 tokens for the localcell just fine, the AFS server processes aren't trusting
 them.
 I'm using CentOS 5.4 on x86_64, using the Kerberos version which is packaged
 with CentOS by default.

what version? i don't think it will matter but if 1.8 there's an extra step

 I've had no problem setting up my krb5 realm
 (BOOT.EFS) and using it (my product already uses GSSAPI for basic
 authentication).  Here are the Kerberos-related details of how this was
 set up.
 The AFS cell name is 'd.fh.nyc.us.boot.efs':
 [r...@fhcore etc]# kadmin -k
 Authenticating as principal host/fhcore.boot@boot.efs with default
 keytab.
 kadmin:  add_principal -randkey -e des-cbc-crc:v4 afs/d.fh.nyc.us.boot.efs
 WARNING: no policy specified for afs/d.fh.nyc.us.boot@boot.efs;
 defaulting to no policy
 Principal afs/d.fh.nyc.us.boot@boot.efs created.

that cell looks nothing like that realm.

what's in FileLog? What's in /usr/afs/etc/krb.conf (or equivalent if
you didn't use transarc paths)

 How do I get the AFS server process to tell me how the credentials are being
 handled?

alas, currently, audit logs. but that's gonna be the issue. ptserver
isn't mapping these to local realm user and so you are no one.



-- 
Derrick


Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Phillip Moore
THAT is the missing piece!!  I thought there was something missing to deal
with the name mapping, and that's it.

I'll be sure to document this in the Quick Start Guide patch.





Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Phillip Moore
The Kerberos version is 1.6.1:

[r...@fhcore ~]# rpm -q -a | grep ^krb5
krb5-server-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5
krb5-workstation-1.6.1-36.el5_5.5
krb5-libs-1.6.1-36.el5_5.5

I'm staying away from the bleeding edge releases, until I've re-learned how
to make all this work with the stable ones.

My problem is that I missed the step for setting up /usr/afs/etc/krb.conf to
map the cell to the realm name.

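A check for the step Phillip names above (the krb.conf realm mapping that Derrick's "you are no one" diagnosis points at), as an added example that is not from the thread or from OpenAFS. The file paths and the realm are parameters so it runs against constructed sample files; on a real server they would be /usr/afs/etc/ThisCell, /usr/afs/etc/krb.conf and the realm your KDC issues for afs/<cell>.

```sh
#!/bin/sh
# Added example, not code from the thread or from OpenAFS. It checks the
# server-side krb.conf that maps the AFS cell name to the Kerberos realm.
# Without that file, OpenAFS servers assume the realm is the cell name in
# upper case, so a cell such as d.fh.nyc.us.boot.efs served by realm
# BOOT.EFS has no mapping and ptserver treats every authenticated user as
# nobody ("pts: Permission denied").

# check_cell_realm THISCELL KRBCONF REALM
#   THISCELL  file holding the cell name (/usr/afs/etc/ThisCell on a server)
#   KRBCONF   realm mapping file (/usr/afs/etc/krb.conf); may be absent
#   REALM     the realm the afs/<cell> principal actually lives in
# Returns 0 if the servers will accept tokens from REALM, 1 otherwise.
check_cell_realm() {
    cell=$(head -n 1 "$1" | tr -d '[:space:]')
    expected=$3
    if [ -s "$2" ]; then
        # krb.conf lists one or more realms separated by whitespace.
        accepted=$(tr -s '[:space:]' ' ' < "$2")
        origin="krb.conf"
    else
        # No mapping file: the assumed realm is the upper-cased cell name.
        accepted=$(printf '%s' "$cell" | tr '[:lower:]' '[:upper:]')
        origin="default, no krb.conf"
    fi
    for realm in $accepted; do
        if [ "$realm" = "$expected" ]; then
            echo "OK: cell $cell accepts realm $expected ($origin)"
            return 0
        fi
    done
    echo "MISMATCH: cell $cell accepts only [$accepted] ($origin);"
    echo "  tokens from $expected map to no user. Put '$expected' in krb.conf."
    return 1
}

# Constructed sample files reproducing the setup described in the thread.
SAMPLE_DIR=$(mktemp -d)
printf 'd.fh.nyc.us.boot.efs\n' > "$SAMPLE_DIR/ThisCell"
printf 'BOOT.EFS\n' > "$SAMPLE_DIR/krb.conf"

check_cell_realm "$SAMPLE_DIR/ThisCell" "$SAMPLE_DIR/no-such-file" BOOT.EFS  # MISMATCH, returns 1
check_cell_realm "$SAMPLE_DIR/ThisCell" "$SAMPLE_DIR/krb.conf" BOOT.EFS      # OK, returns 0
```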



Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Harald Barth

I usually create the AFS principal and put it onto the first server in
one go with Heimdal's ktutil:

ktutil -k AFSKEYFILE:/usr/afs/etc/KeyFile get -p your-admin-principal afs/your-c...@your-realm

The AFSKEYFILE: tells the Heimdal library that this is not a normal krb5
keyfile.

(This is from memory only, so I blame any inaccuracy on that ;-)

Harald.



Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Phillip Moore
This is good to know.  Does it seem reasonable to document this as an
alternative to using asetkey for sites that use Heimdal?

If so, I'll include this in the Quick Start Guide patch (which, after all
these promises, I had better submit if I am to regain any credibility
here).





Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Russ Allbery
Phillip Moore w.phillip.mo...@gmail.com writes:

 This is good to know.  Does it seem reasonable to document this as an
 alternative to using asetkey for sites that use Heimdal?

Yes.  People using Heimdal should probably not be using asetkey.

-- 
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/


Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Phillip Moore
If that's the case, then do Heimdal users need to bother with the
openafs-krb5 rpm at all?

I should point out that while I have already promised to *update* the QSG,
it can't be *fixed* without a lot more ongoing work (and I'm sure this is
obvious to everyone else).  I'm merely updating the sections that I have
found to be wrong during my own personal bootstrapping effort.




Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Russ Allbery
Phillip Moore w.phillip.mo...@gmail.com writes:

 If that's the case, then do Heimdal users need to bother with the
 openafs-krb5 rpm at all?

Probably not.  Although there's a lot of software that assumes you have an
aklog, so making a symlink from aklog to afslog is probably useful.  :)

 I should point out that while I have already promised to *update* the
 QSG, it can't be *fixed* without a lot more ongoing work (and I'm sure
 this is obvious to everyone else).  I'm merely updating the sections
 that I have found to be wrong during my own personal bootstrapping
 effort.

Yeah, it needs to be updated as things change, and probably needs a yearly
review just to check that nothing fell out of date.

-- 
Russ Allbery (r...@stanford.edu) http://www.eyrie.org/~eagle/


Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Derrick Brashear
On Thu, Sep 30, 2010 at 6:05 PM, Russ Allbery r...@stanford.edu wrote:
 Phillip Moore w.phillip.mo...@gmail.com writes:

 If that's the case, then do Heimdal users need to bother with the
 openafs-krb5 rpm at all?

 Probably not.  Although there's a lot of software that assumes you have an
 aklog, so making a symlink from aklog to afslog is probably useful.  :)

i prefer aklog's behavior to that of afslog in some cases. also, at
some sites the lack of the pts lookup in afslog and hence an AFS id in
the tokens output is confusing.



-- 
Derrick


Re: [OpenAFS] Quick Start Kerberos problem: can acquire tokens, but they don't work

2010-09-30 Thread Brandon S Allbery KF8NH

On 9/30/10 17:58 , Phillip Moore wrote:
 If that's the case, then do Heimdal users need to bother with the
 openafs-krb5 rpm at all?

If this is going into a quick start guide, I would be tempted to say that
because asetkey will work with Heimdal it should be preferred instead of
splitting into Heimdal- and MIT-specific parts.

(Also, the fact that ktutil list on an AFSKEYFILE will manufacture realm /
cell information that isn't actually there could actually complicate
debugging these kinds of issues.  asetkey at least doesn't pretend they're
there.)

-- 
brandon s. allbery [linux,solaris,freebsd,perl]  allb...@kf8nh.com
system administrator  [openafs,heimdal,too many hats]  allb...@ece.cmu.edu
electrical and computer engineering, carnegie mellon university  KF8NH