retitle 549934 openafs-krb5: aklog cross-realm authentication isn't working
reassign 549934 openafs-krb5
thanks

bai <[email protected]> writes:

> This only gets a token for cell bai.adm.es.aau.dk (ThisCell):

> auth [default=done] pam_afs_session.so
> afs_cells=bai.adm.es.aau.dk,kuk.adm.es.aau.dk

> This correctly gets tokens for both cells:

> auth [default=done] pam_afs_session.so
> afs_cells=bai.adm.es.aau.dk,kuk.adm.es.aau.dk program=/usr/bin/afslog

> Using the afslog program from the command line also works, like here:

> b...@krb5-server:~$ afslog --verbose -c bai.adm.es.aau.dk -c
> kuk.adm.es.aau.dk
> afslog: Getting tokens for cell "bai.adm.es.aau.dk"
> krb5 tried [email protected] -> 0
> afslog: Getting tokens for cell "kuk.adm.es.aau.dk"
> krb5 tried afs/[email protected] -> -1765328377
> krb5 tried [email protected] -> 0

> Using the aklog program from the command line fails, like here:

This indicates that the problem isn't due to libpam-afs-session.  Instead,
you're having a problem with the OpenAFS aklog program from openafs-krb5,
but the corresponding Heimdal afslog program is working.

> b...@krb5-server:~$ aklog -d -c kuk.adm.es.aau.dk -c bai.adm.es.aau.dk
> Authenticating to cell kuk.adm.es.aau.dk (server
> afsdb1.kuk.adm.es.aau.dk).
> Trying to authenticate to user's realm BAI.ADM.ES.AAU.DK.
> Getting tickets: afs/[email protected]
> We've deduced that we need to authenticate using referrals.
> Getting tickets: afs/kuk.adm.es.aau.dk@
> We've deduced that we need to authenticate to realm KUK.ADM.ES.AAU.DK.
> Getting tickets: afs/[email protected]
> Getting tickets: [email protected]
> Kerberos error code returned by get_cred : -1765328377
> aklog: Couldn't get kuk.adm.es.aau.dk AFS tickets:
> aklog: unknown RPC error (-1765328377) while getting AFS tickets

windlord:~/tmp/OPENAFS> grep -- -1765328377 /usr/include/krb5/krb5.h
#define KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (-1765328377L)

So the OpenAFS aklog, which is using the MIT Kerberos libraries, is unable
to get cross-realm tickets from your local realm for the service afs in the
remote realm KUK.ADM.ES.AAU.DK.
This error message can mean that it can't find the krbtgt/* principal for
the cross-realm authentication.  Could you run the command:

    kvno [email protected]

with your normal Kerberos tickets and see if it runs into the same problem?
If so, the problem is either with your KDCs or with the Kerberos libraries,
not with aklog.  If kvno works and aklog doesn't, the problem may be with
aklog.

Could you also run a klist before and after running aklog, and before and
after running kvno?

-- 
Russ Allbery ([email protected])             <http://www.eyrie.org/~eagle/>

