This appears to be a krb524d issue which came up due to a kerberos
upgrade. Basically, the Red Hat 7.3 pam_krb5afs.so doesn't fall back to
[EMAIL PROTECTED] after trying afs/principal/REALM, while the aklog provided by
openafs does.

After initial login where pam_krb5afs.so should generate a usable token:

bash-2.05a$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1126_hxky1T
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
04/24/04 18:38:01  04/25/04 18:38:01  krbtgt/[EMAIL PROTECTED]
        renew until 04/25/04 19:38:01, Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt1126_c3pXGm
Principal: [EMAIL PROTECTED]

  Issued              Expires             Principal
04/24/04 18:38:01  04/25/04 15:53:01  [EMAIL PROTECTED]
bash-2.05a$ ls ~
ls: /afs/lns.mit.edu/user/gelinas: Permission denied
bash-2.05a$ aklog -d
Authenticating to cell lns.mit.edu (server afs1.lns.mit.edu.).
We've deduced that we need to authenticate to realm LNS.MIT.EDU.
Getting tickets: afs/[EMAIL PROTECTED]
Principal not found, trying alternate service name: [EMAIL PROTECTED]
About to resolve name gelinas to id in cell lns.mit.edu.
Id 1126
Set username to AFS ID 1126
Setting tokens. AFS ID 1126 /  @ LNS.MIT.EDU 
bash-2.05a$ ls ~

[homedir contents spewed forth]

   I've tried updating the appdefaults in krb5.conf on the server to
include

[appdefaults]

   afs_krb5 = {

     LNS.MIT.EDU = {
         afs/lns.mit.edu = false
         afs = true
     }
   }

   per suggestions I've read regarding the update to krb524d, with no
luck.

Any suggestions as to what I'm doing wrong?

Thanks for any help...

--Maynard

On Thu, 22 Apr 2004, J Maynard Gelinas wrote:

> 
>    I'm seeing a strange intermittent problem with clients trying to log in
> via gdm at the console. They successfully log in, yet are unable to access
> their files stored in AFS. The error message at the client machine reads:
> 
> Apr 22 10:43:56 ctppaganini kernel: afs: Tokens for user of AFS id 0 for cell lns.mit.edu are discarded (rxkad error=19270405)
> 
> Which means, according to:
> 
> http://grand.central.org/numbers/et/RXK.html
> 
> "19270405 RXKADNOAUTH caller not authorized"
> 
>    Manual attempts at obtaining a ticket via kinit and aklog
> intermittently seem to return a successful result yet lead to "permission
> denied" failure when attempting to access files stored in AFS space. 
> Re-authenticating then solves the problem. 
> 
>    Googling for solutions to this problem has been unsuccessful. Can 
> anyone offer insight or a link as to potential causes and fixes?
> 
> Thanks,
> --Maynard
> 
> 

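An added example, not from the post or from the OpenAFS or MIT krb5 projects: a small Python parser for krb5.conf-style stanzas that rejects unbalanced braces (the [appdefaults] snippet above, as posted, closes only one of its two blocks) and reads back the afs_krb5 flags for a realm. Both sample stanzas are constructed; the meaning krb524d/aklog assign to those flags is not modelled, only their syntax and values.

```python
# Constructed sample: the [appdefaults] stanza from the post, braces balanced.
GOOD_CONF = """
[appdefaults]
    afs_krb5 = {
        LNS.MIT.EDU = {
            afs/lns.mit.edu = false
            afs = true
        }
    }
"""
# Constructed sample: the stanza as posted, closing only one of its two '{'.
BAD_CONF = """
[appdefaults]
    afs_krb5 = {
        LNS.MIT.EDU = {
            afs/lns.mit.edu = false
            afs = true
}
"""
def parse_krb5_conf(text):
    """Parse krb5.conf-style text into nested dicts; ValueError on bad braces."""
    root, section, stack = {}, None, []
    # strip comments and skip blank lines before interpreting each line
    for line in filter(None, (r.split("#", 1)[0].strip() for r in text.splitlines())):
        if line.startswith("[") and line.endswith("]"):   # new [section]
            if len(stack) > 1:
                raise ValueError(f"unclosed '{{' before section {line}")
            section = root.setdefault(line[1:-1], {})
            stack = [section]
        elif section is None:
            raise ValueError(f"entry outside any section: {line!r}")
        elif line == "}":                                  # close a block
            if len(stack) < 2:
                raise ValueError("unexpected '}'")
            stack.pop()
        else:                                              # key = value | key = {
            key, sep, value = (p.strip() for p in line.partition("="))
            if not sep or not key:
                raise ValueError(f"cannot parse line: {line!r}")
            if value == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1][key] = value
    if len(stack) > 1:
        raise ValueError(f"{len(stack) - 1} unclosed '{{' at end of file")
    return root

def afs_krb5_flags(conf, realm):
    """Return the afs_krb5 entries for realm as {service: bool} (empty if absent)."""
    entries = conf.get("appdefaults", {}).get("afs_krb5", {}).get(realm, {})
    return {k: v.lower() == "true" for k, v in entries.items()}
```

Running the parser over the stanza as posted raises "1 unclosed '{' at end of file", which is worth ruling out before chasing krb524d behaviour.
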
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info