Hi, Andrew. Could you please send the output of this exact command sequence?

  kinit [email protected]
  klist
  ssh -oGSSAPIAuthentication=yes -oGSSAPIDelegateCredentials=yes [email protected]
  klist

(the last command will be executed on mire)

Thanks - a

Andrew T <[email protected]> writes:
> I am using mit-krb5 1.6.3 on gentoo and trying to follow the "Instructions" at
> http://wiki.hcoop.net/MemberManual/ShellAccess/PasswordlessLogin.
>
> When I ssh to mire using a standard password login everything works
> fine. When I ssh to mire using Kerberos credentials, the login
> succeeds but I don't automatically get write access to my home
> directory from my login shell. Any suggestions? Why aren't my kerberos
> credentials being forwarded to mire's AFS?
>
> Andrew
>
> $ kinit [email protected] # get kerberos ticket
> Password for [email protected]: ********
> $ klist # confirm that we have tickets
> Ticket cache: FILE:/tmp/krb5cc_1001
> Default principal: [email protected]
>
> Valid starting     Expires            Service principal
> 06/29/09 16:19:27  06/30/09 02:19:27  krbtgt/[email protected]
>         renew until 06/30/09 16:19:24
> $ cat ~/.ssh/config # my local configuration for a passwordless mire login
> # need to "kinit [email protected] first"
> Host hcoop
>   HostName mire.hcoop.net
>   GSSAPIAuthentication yes
>   GSSAPIDelegateCredentials yes
>   GSSAPITrustDns no
>   User andrew
>
> $ ssh -v hcoop # do passwordless mire login
> OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
> debug1: Reading configuration data /home/andrew/.ssh/config
> debug1: Applying options for hcoop
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Connecting to mire.hcoop.net [69.90.123.68] port 22.
> debug1: Connection established.
> debug1: identity file /home/andrew/.ssh/identity type -1
> debug1: identity file /home/andrew/.ssh/id_rsa type -1
> debug1: identity file /home/andrew/.ssh/id_dsa type 2
> debug1: Remote protocol version 2.0, remote software version
> OpenSSH_4.3p2 Debian-9etch3
> debug1: match: OpenSSH_4.3p2 Debian-9etch3 pat OpenSSH_4*
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_5.2
> debug1: SSH2_MSG_KEXINIT sent
> debug1: SSH2_MSG_KEXINIT received
> debug1: kex: server->client aes128-ctr hmac-md5 none
> debug1: kex: client->server aes128-ctr hmac-md5 none
> debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
> debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
> debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
> debug1: Host 'mire.hcoop.net' is known and matches the RSA host key.
> debug1: Found key in /home/andrew/.ssh/known_hosts:22
> debug1: ssh_rsa_verify: signature correct
> debug1: SSH2_MSG_NEWKEYS sent
> debug1: expecting SSH2_MSG_NEWKEYS
> debug1: SSH2_MSG_NEWKEYS received
> debug1: SSH2_MSG_SERVICE_REQUEST sent
> debug1: SSH2_MSG_SERVICE_ACCEPT received
> debug1: Authentications that can continue:
> gssapi-keyex,gssapi-with-mic,keyboard-interactive
> debug1: Next authentication method: gssapi-with-mic
> debug1: Delegating credentials
> debug1: Delegating credentials
> debug1: Authentication succeeded (gssapi-with-mic).
> debug1: channel 0: new [client-session]
> debug1: Entering interactive session.
> Last login: Mon Jun 29 16:18:34 2009 from 216.48.162.49
> Linux mire 2.6.23.14-grsec #1 SMP Mon Feb 11 18:39:15 EST 2008 i686
>
> and...@mire:~$ klist # login worked but no credentials - did delegating work?
> klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_10830)
> Kerberos 4 ticket cache: /tmp/tkt10830
> klist: You have no tickets cached
>
> and...@mire:~$ touch ttt # can't access home folder on mire because
> afs can't get credentials
> touch: cannot touch `ttt': Permission denied
>

--
_______________________________________________
HCoop-Help mailing list
[email protected]
https://lists.hcoop.net/listinfo/hcoop-help
