You have not said anything about the krb5 realm, or having added a principal to the realm's database.
Hi Douglas,
I have a completely working system using all RHEL 3.4 machines.
Krb5 is setup and working, corresponding principals are in the database, and RHEL 3.4 clients are functioning fine.
I'm trying to add RHEL 4 into the mix, and am running into problems obtaining tokens at login. I can login via Krb5, and I can get tokens via "afslog" after login. AFS seems to be working fine (after obtaining a token manually).
My best guess at this point is that the behaviour of the pam_krb5 module has changed from RHEL 3.4 to RHEL 4 (pam_krb5 version change from 1.73-1 to 2.1.2-1), and this is causing my problems.
As per the K5 migration info, I have an afs principal:
[EMAIL PROTECTED]
however, I note that the pam_krb5afs tries several other combinations, but not this one exactly.
What is the difference between the [EMAIL PROTECTED] above and the one below.
My apologies, I mistyped - that should have read that it tries:
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
It does NOT try [EMAIL PROTECTED], which is the correct entry in the database (according to Step 4, subsection 3 of the Krb 5 AFS migration kit). Please note that this works fine AS-IS for RHEL 3.4 machines.
Have you added the principal to the Krb5 realm? (Use the afs/[EMAIL PROTECTED] as this is afs/<cell>@<realm> which is what it tries first.)
If I change [EMAIL PROTECTED] to afs/[EMAIL PROTECTED], won't that break my existing and working RHEL 3.4 machines? Or are you suggesting that I have both entries? Don't the kvno numbers have to match between the AFS Keyfile and Kerberos databases (I'm inferring this from the Krb migration kit), so I can only have one entry here?
In your krb5.conf file I don't see any references to the Kerberos realm of ECON.DUKE.EDU.
I didn't send a complete krb5.conf file as I was trying for brevity, but here it is:
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 ticket_lifetime = 24000
 default_realm = ECON.DUKE.EDU
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 ECON.DUKE.EDU = {
  kdc = kdc-1.econ.duke.edu:88
  kdc = kdc-2.econ.duke.edu:88
  admin_server = kdc-1.econ.duke.edu:749
  default_domain = econ.duke.edu
 }

[domain_realm]
 .econ.duke.edu = ECON.DUKE.EDU
 econ.duke.edu = ECON.DUKE.EDU

[kdc]
 profile = /var/kerberos/krb5kdc/kdc.conf

[appdefaults]
 pam = {
  debug = true
  ticket_lifetime = 86400
  renew_lifetime = 86400
  forwardable = true
  krb4_convert = true
  afs_cells = econ.duke.edu
  minimum_uid = 1000
 }
 afs_krb5 = {
  ECON.DUKE.EDU = {
   afs = true
  }
 }

Thanks again,
-Dj
-- 
Dj Merrill
Sportsman 2+2 Builder #7118
"TSA: Totally Screwing Aviation"

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
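The pam_krb5 debug lines quoted in the thread list, in order, each principal name the module tries when it wants an AFS token for a cell; the question under discussion is whether any of those candidates matches a principal that actually exists in the KDC database. The following is an added diagnostic example, not code from the thread or from pam_krb5: it parses syslog lines of that shape, groups the attempts per cell, and checks them against a principal list you would export from the KDC (for example with `kadmin.local listprincs`). The log lines and the KDC principal set below are constructed, since the real principals in the thread were redacted; the cell `econ.duke.edu` and realm `ECON.DUKE.EDU` come from the posted krb5.conf, and the `afs/<cell>@<realm>` form is the one named in the reply above. The exact candidate names pam_krb5 generates are an assumption here, used only as sample input.

```python
import re

# Constructed sample syslog lines modelled on the pam_krb5 debug output quoted in
# the thread.  The principal names are placeholders (the originals were redacted).
SAMPLE_LOG = """\
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@ECON.DUKE.EDU")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/econ.duke.edu@econ.duke.edu")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs@ECON.DUKE.EDU")
Apr 25 13:39:36 galactica sshd[28332]: pam_krb5[28332]: authentication succeeds for 'dj'
"""

# Constructed: what a `kadmin.local listprincs` export might contain on the KDC.
KDC_PRINCIPALS = {
    "afs/econ.duke.edu@ECON.DUKE.EDU",
    "host/galactica.econ.duke.edu@ECON.DUKE.EDU",
    "dj@ECON.DUKE.EDU",
}

# Matches the cell and the candidate principal in a pam_krb5 token-attempt line.
LINE_RE = re.compile(
    r'pam_krb5\[\d+\]: attempting to obtain tokens for "([^"]+)" \("([^"]+)"\)'
)


def parse_token_attempts(log_text):
    """Return [(cell, principal), ...] in the order pam_krb5 tried them.

    Lines that are not token attempts (e.g. the authentication result) are skipped.
    """
    attempts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            attempts.append((m.group(1), m.group(2)))
    return attempts


def expected_afs_principal(cell, realm):
    """The afs/<cell>@<realm> name the thread says pam_krb5 tries first."""
    return "afs/%s@%s" % (cell, realm)


def diagnose(log_text, kdc_principals, realm):
    """Per cell: the candidates tried, which of them exist in the KDC, and the
    afs/<cell>@<realm> name to compare against."""
    report = {}
    for cell, principal in parse_token_attempts(log_text):
        entry = report.setdefault(
            cell,
            {"tried": [], "in_kdc": [], "expected": expected_afs_principal(cell, realm)},
        )
        entry["tried"].append(principal)
        if principal in kdc_principals:
            entry["in_kdc"].append(principal)
    return report


def cells_without_match(report):
    """Cells for which none of the tried principals exists in the KDC: these are
    the ones where token acquisition will fail no matter how many forms are tried."""
    return sorted(cell for cell, entry in report.items() if not entry["in_kdc"])


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, KDC_PRINCIPALS, "ECON.DUKE.EDU")
    for cell, entry in result.items():
        print(cell)
        for p in entry["tried"]:
            print("  tried %-40s %s" % (p, "present" if p in entry["in_kdc"] else "absent"))
        print("  expected first candidate:", entry["expected"])
    print("cells with no usable principal:", cells_without_match(result))
```

Run it against `/var/log/secure` (or wherever pam_krb5 logs with `debug = true`) and a real `listprincs` export; a cell that appears under "cells with no usable principal" is the case the thread describes, where the KDC holds a principal in a form the module never tries. Note that the kvno of whichever principal does match must still agree with the AFS KeyFile, as the thread points out; this script only checks names, not key versions.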
