On Thu, 31 Jul 2014, Marcus Crestani wrote:

"BA" == Brandon Allbery <ballb...@sinenomine.net> writes:
BA> One early thing to check: make sure you are actually using OS X's
BA> Kerberos. MacPorts or Homebrew may pull in Kerberos as a dependency and
BA> this can lead to getting tickets with one and then trying to aklog with
BA> the other, and they may be using different ccaches and sometimes
BA> different krb5.conf files.

We are using OS X's Kerberos.  And aklog uses the correct ccache, since
aklog is able to obtain a token once the AFS service principal is in the
ccache (manually added via kgetcred, for example).  It is just not able
to obtain the AFS service principal, for us it doesn't even talk to our
KDC.

Ah, I think this may be another case of enctype mismatch. The original message had:

> When using aklog (OpenAFS-1.6.6) on OS X 10.9.4 without an AFS service

1.6.6 predates rxkad-kdf and rxkad-k5, so aklog will be calling krb5_enctype_enable() and explicitly requesting a key of type ENCTYPE_DES_CBC_CRC. kgetcred does not do so, and can receive other enctypes. Hmm, this doesn't make perfect sense, though, as aklog would still need to be able to use the session key in order to claim success, I think.

Regardless, can you please provide the 'klist -v' output after kgetcred?

-Ben
_______________________________________________
OpenAFS-devel mailing list
OpenAFS-devel@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-devel
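
For reading the `klist -v` output requested above, a small parser that reports the ticket and session-key enctypes of the AFS service ticket. This is an added example, not part of the thread or of OpenAFS; the Heimdal-style output layout (`Ticket etype:` / `Session key:` lines) and the sample cache contents are assumptions constructed for illustration.

```python
import re

# Constructed sample in the layout Heimdal's `klist -v` is assumed to print;
# realm, principals and kvno values are made up, not taken from the thread.
SAMPLE = """\
Credentials cache: API:EXAMPLE
        Principal: user@EXAMPLE.ORG

Server: krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 1

Server: afs/example.org@EXAMPLE.ORG
Client: user@EXAMPLE.ORG
Ticket etype: aes256-cts-hmac-sha1-96, kvno 4
Session key: des-cbc-crc
"""

SINGLE_DES = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}

def parse_klist_v(text):
    """Return one dict per ticket: server, ticket_etype, session_etype."""
    tickets, cur = [], None
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Server":
            cur = {"server": value, "ticket_etype": None, "session_etype": None}
            tickets.append(cur)
        elif cur is None:
            continue  # still in the cache header, before the first ticket
        elif key == "Ticket etype":
            cur["ticket_etype"] = value.split(",")[0].strip()
        elif key == "Session key":
            cur["session_etype"] = value.strip()
    for t in tickets:
        # Assumption: the "Session key" line is omitted when it equals the ticket etype.
        t["session_etype"] = t["session_etype"] or t["ticket_etype"]
    return tickets

def afs_tickets(text):
    """AFS service tickets (afs@REALM or afs/cell@REALM) with a single-DES flag."""
    return [{**t, "session_is_des": t["session_etype"] in SINGLE_DES}
            for t in parse_klist_v(text)
            if re.match(r"afs(/[^@]*)?@", t["server"])]

if __name__ == "__main__":
    for t in afs_tickets(SAMPLE):
        print(t)
```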
