I just had to re-boot my entire network (building transformer upgrade), and now 
that I am back online I have lost the ability to authenticate with the cell. In 
my network I have a realm A.COM which houses user principals, and a realm B.COM 
which houses other principal types including afs/[email protected] which is the 
service principal for the b.com realm. Additionally the user principals in the 
A.COM realm are the same as the PTS user names in the b.com cell, and the 
/etc/openafs/server/krb.conf file has a first line which reads 'B.COM A.COM'.

Here is a transcript of a cell login attempt (first I ran unlog && kdestroy):

> kinit [email protected]
> klist
Ticket cache: FILE:/tmp/...
Default principal: [email protected]

Valid starting   Expires   Service Principal
...              ...       krbtgt/[email protected]

Kerberos 4 ticket cache: /tmp/...
klist: You have no tickets cached

> aklog -d
Authenticating to cell b.com (afsdb-1.b.com).
Trying to authenticate to user's realm A.COM.
Getting tickets: afs/[email protected].
Using Kerberos V5 ticket natively
About to resolve name heller to id in cell b.com.
Id 20003
Set username to AFS ID 20003
Setting tokens. AFS ID 20003 / @ A.COM

> klist
Ticket cache: FILE:/tmp/...
Default principal: [email protected]

Valid starting   Expires   Service Principal
...              ...       krbtgt/[email protected]
...              ...       krbtgt/[email protected]
...              ...       afs/[email protected]
...              ...       afs/[email protected]

Kerberos 4 ticket cache: /tmp/...
klist: You have no tickets cached


What appears to be happening is I'm getting the afs/[email protected] token installed 
and that is not the principal being used in the KeyFile on the afs BOS servers. 
The bigger trouble is the afs/[email protected] principal doesn't actually seem to 
exist (doing a kinit afs/[email protected] confirms this), so I'm not even sure why 
that is showing up! 

Hopefully my scenario isn't so convoluted that it is impossible to follow. Does 
anyone have an idea as to what might have gone wrong?

--
_/_/_/_/ Chris Heller                                     Network Systems |
_/_/_/   Teragram, A Division of SAS        e-mail: <[email protected]> |
_/_/_/   10 Fawcett St. 2nd Flr.             web: http://www.teragram.com |
_/_/     Cambridge, Ma 02138 voice: 617.576.6800 x237 ~ fax: 617.576.7227 v
