Forgot to reply-all.

The PTS entry is the part I missed so far. To clarify, the K4 principal
should look like [EMAIL PROTECTED], not [EMAIL PROTECTED]

Jeffrey Altman wrote:

Andrew Bacchi wrote:
I need to allow hosts to read/write files into AFS directories. I
currently have a host principal as host/server.rpi.edu, and I
extracted a keytab file for it as /etc/krb5.keytab.

This is not working, so I must be missing something. How do I get AFS
tokens using krb5.keytab? There is some AFS form to the principal in
Kerberos 5 that I haven't mapped correctly.

Several things:

(1) you must create a PTS entry that matches the service principal.
    (see note below)
(2) you must obtain a Kerberos TGT using the keytab
(3) you must set a token using that TGT with aklog

Note that AFS does not currently have a notion of an identity for the
cache manager and, given the fact that the principal names must be
converted to krb4 format, the PTS entry for host/[EMAIL PROTECTED]
will become [EMAIL PROTECTED] when performing lookups in the PTS database.
There is nothing that will distinguish this AFS ID as a machine ID. When
it is being used, the process will be a member of system:authuser.
--
veritatis simplex oratio est
-Seneca
Andrew Bacchi
Systems Programmer
Information Technologies Infrastructure
Rensselaer Polytechnic Institute
phone: 518.276.6415 fax: 518.276.2809
http://www.rpi.edu/~bacchi/
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info