Greetings all: Tried the following:

[r...@sandbox3 ~]# ctokens
Tokens [local user id: root]
[r...@sandbox3 ~]# clog -method kerberos5 coda_admin_u...@coda.realm -tokenserver sandbox2.host.domain 370 -krealm KERBEROS.REALM -kdc sandbox2.host.domain -servprinc coda/coda.realm
Password for coda_admin_user/defa...@coda.realm:
[r...@sandbox3 ~]# ctokens
Tokens [local user id: root]
[r...@sandbox3 ~]# ls /coda/
[r...@sandbox3 ~]#

Server logs during event:
[r...@sandbox2 ~]# cat /vice/auth2/AuthLog
02:37:34        vid = coda_admin_uid
02:37:34 AuthNewConn(0x6f582c7a, 0, 66, 2, coda_admin_uid)
[r...@sandbox2 ~]# cat /var/log/krb5kdc.log
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_u...@kerberos.realm for coda/coda.re...@kerberos.realm, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_u...@kerberos.realm for coda/coda.re...@kerberos.realm

So, no errors on clog! Progress! Why can't I see /coda/coda.realm? Here is the getvolumelist output (in the off chance it is useful):
[r...@sandbox2 ~]# /vice/bin/volutil getvolumelist
V_BindToServer: binding to host sandbox2.host.domain
P/vice/pa Hsandbox2.host.domain T957fbc F56b29c
W/.0 I1000001 H1 P/vice/pa m0 M0 U2 W1000001 C4b50579e D4b50579e B0 A0
Wcoda.realm.0 I1000002 H1 P/vice/pa m0 M0 U2 W1000002 C4b5062a6 D4b5062a6 B0 A0
GetVolumeList finished successfully


Also, I'd like to clarify whether a "coda.realm" is what this page refers to as "Coda volume": http://www.coda.cs.cmu.edu/trac/wiki/CodaHOWTO/Introduction

Thanks,
-Don
{void}
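The `volutil getvolumelist` listing above is terse enough that it is easy to misread which volumes actually exist on the server. The following parser is an added example and is not part of the original post or of the Coda distribution. It turns each partition (`P...`) and volume (`W...`) line into a record so the hex volume ids can be compared and the presence of a named volume (here `coda.realm.0`) checked programmatically. The listing it parses is a constructed copy of the one in the post. Beyond the obvious tokens, the field meanings are assumptions: `T`/`F` on the partition line are read as total/free block counts in hex, and `C`/`D` on a volume line as hex epoch timestamps (creation and last update); the remaining one-letter fields are kept as raw strings.

```python
"""Parse `volutil getvolumelist` output into partition and volume records.

Added example, not code from the original post or from Coda itself.
Assumptions: T/F on the partition line are total/free block counts (hex);
C/D on a volume line are hex epoch timestamps. Other fields (m, M, U, B, A)
are kept as raw strings because their meaning is not stated on the page.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample mirroring the listing in the post (not a live capture).
SAMPLE = """\
V_BindToServer: binding to host sandbox2.host.domain
P/vice/pa Hsandbox2.host.domain T957fbc F56b29c
W/.0 I1000001 H1 P/vice/pa m0 M0 U2 W1000001 C4b50579e D4b50579e B0 A0
Wcoda.realm.0 I1000002 H1 P/vice/pa m0 M0 U2 W1000002 C4b5062a6 D4b5062a6 B0 A0
GetVolumeList finished successfully
"""


@dataclass
class Partition:
    path: str
    host: str
    total: int  # assumption: 'T' field, hex block count
    free: int   # assumption: 'F' field, hex block count


@dataclass
class Volume:
    name: str
    volid: int         # 'I' field, hex volume id
    host_index: int    # 'H' field
    partition: str     # 'P' field
    parent: int        # 'W' field, hex; equals volid for the two volumes in the sample
    created: datetime  # assumption: 'C' field, hex epoch timestamp
    updated: datetime  # assumption: 'D' field, hex epoch timestamp
    raw: dict = field(default_factory=dict)


def _hex_epoch(value):
    return datetime.fromtimestamp(int(value, 16), tz=timezone.utc)


def parse_volume_list(text):
    """Return (partitions, volumes); raise if the listing did not complete."""
    partitions, volumes, finished = [], [], False
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line or line.startswith("V_BindToServer:"):
            continue
        if line.startswith("GetVolumeList finished successfully"):
            finished = True
            continue
        tokens = line.split()
        tag, first = tokens[0][0], tokens[0][1:]
        # Each remaining token is a one-letter key followed by its value.
        # Keys are case-sensitive: 'm' and 'M' are different fields.
        kv = {t[0]: t[1:] for t in tokens[1:]}
        if tag == "P":
            partitions.append(Partition(first, kv["H"], int(kv["T"], 16), int(kv["F"], 16)))
        elif tag == "W":
            volumes.append(Volume(first, int(kv["I"], 16), int(kv["H"]), kv["P"],
                                  int(kv["W"], 16), _hex_epoch(kv["C"]),
                                  _hex_epoch(kv["D"]), kv))
        else:
            raise ValueError(f"unrecognised getvolumelist line: {line!r}")
    if not finished:
        raise ValueError("listing did not end with 'GetVolumeList finished successfully'")
    return partitions, volumes


def find_volume(volumes, name):
    """Return the volume whose name matches exactly, or None."""
    return next((v for v in volumes if v.name == name), None)


if __name__ == "__main__":
    parts, vols = parse_volume_list(SAMPLE)
    for p in parts:
        print(f"partition {p.path} on {p.host}: {p.free}/{p.total} blocks free")
    for v in vols:
        print(f"volume {v.name!r} id 0x{v.volid:x} created {v.created:%Y-%m-%d %H:%M:%SZ}")
    print("coda.realm.0 present:", find_volume(vols, "coda.realm.0") is not None)
```

The parser keys on the first character of each line and then on the first character of each token, which is what makes the volume line's second `P` (partition) and second `W` (parent id) unambiguous. Feed it the raw output of `volutil getvolumelist` from your own server to confirm that the volume you expect to see under `/coda/<realm>` is actually listed.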

root writes:
Greetings all:

Please feel free to make the assumption that I have false
understandings.  If "KERBEROS.REALM" is stated, but from syntax it
should be "coda.realm", please correct me.

Yes, it should be "codaacco...@coda.realm", not otherwise.

Ok, I tried changing the clog to:
[r...@sandbox3 ~]# clog \
 -method kerberos5 coda_admin_u...@coda.realm \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
 -servprinc coda/coda.realm

Basically, the method u...@realm was changed to the coda realm from the kerberos realm. Also, the servprinc was changed to the coda.realm from sandbox2.host.domain. Does this appear sane?

Key points in this email:
*) The only keytab used by coda inherently is on coda server hosts:
/vice/db/krb5.keytab
*) The keytab need only maintain the service principal for:
codaauth/coda.re...@kerberos.realm

The discourse on host/ vs coda/ vs codaauth/ ended with a misunderstanding. This subject is not important, please disregard. The discourse on coda/kerberos auth related definitions and "kerberos basics" also ended in misunderstanding. It may also be disregarded.
Regards,
-Don
{void}

