On Thu, Sep 22, 2011 at 2:05 AM, Ivan Glushkov <[email protected]> wrote:
> Dear Experts,
>
> I have installed OSX 10.7.1 a few weeks ago and I uninstalled my old (Snow
> Leopard) OpenAFS version using the uninstall link from the Snow Leopard
> installer image, and installed the Lion version. My main aim is to have
> access in my Finder.app to two realms, to which I am logged in with the same
> login but different passwords. With the previous configuration I was using
> the following configuration:

Kerberos in Lion has some bugs, sadly.

> ===== Setting the environment
> I have a "script" I was executing every 24 hours:
>
> alias pas='kdestroy --all; export KRB5CCNAME=FILE:/tmp/krb5cc_cern ; kinit
> -V [email protected]; aklog -force -c cern.ch -k CERN.CH; export
> KRB5CCNAME=FILE:/tmp/krb5cc_desy ; kinit -V [email protected]; aklog -force
> -c desy.de -k DESY.DE'
> ~ > pas
> [email protected]'s Password:
> Placing tickets for '[email protected]' in cache 'FILE:/tmp/krb5cc_cern'
> [email protected]'s Password:
> Placing tickets for '[email protected]' in cache 'FILE:/tmp/krb5cc_desy'
>
>
> ===== Environment
> Now, in a new terminal I have the following:
>
> ~ > klist
> klist: krb5_cc_get_principal: No credentials cache file found
> ~ > tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID ***50) tokens for [email protected] [Expires Sep 23 08:18]
> User's (AFS ID ***38) tokens for [email protected] [Expires Sep 23 08:18]
> --End of list--
> ~ >

it's silly to hide these (AFS IDs). they give us nothing anyway.

> ===== SSH
> for ssh to both realms I have again the corresponding aliases, and it works
> like a charm:
>
> ~ > alias | grep c403
> alias c403='export KRB5CCNAME=FILE:/tmp/krb5cc_cern; ssh
> -vY [email protected]'
> ~ > c403
> ...
> [lxplus403] ~ $ exit
>
> ~ > alias | grep cdesy
> alias cdesy='export KRB5CCNAME=FILE:/tmp/krb5cc_desy; ssh
> -vY [email protected]'
> ~ > cdesy
> OpenSSH_5.6p1, OpenSSL 0.9.8r 8 Feb 2011
> ....
> bastion05:~> exit
> ~ >
>
>
> ===== Finder/Direct Access
> I don't understand the direct access to the files:
>
> ~ > touch /afs/desy.de/user/g/glushkov/testfile
> ~ > touch /afs/cern.ch/user/g/glushkov/testfile
>
> Sometimes (as in the case above) both are working..

you have tokens for both cells. you just got them, with aklog. if it didn't
work, that would be a bug.

> Sometimes only desy.de...

what tokens do you have then? get output when only desy works, from tokens.

> But why? Both of them should not be working, since there are
> no kerberos tokens (which is why the ssh requires password):

there are afs tokens, there are no (default) kerberos tickets. incidentally,
as long as you don't unlog, tokens (which on MacOS are currently per-uid, not
per-login session or any other grouping) are still there until they expire.
regardless, your ticket caches are always irrelevant other than to run aklog
from.

> ~ > klist
> klist: krb5_cc_get_principal: No credentials cache file found
> ~ > tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID ***50) tokens for [email protected] [Expires Sep 23 08:18]
> User's (AFS ID ***38) tokens for [email protected] [Expires Sep 23 08:18]
> --End of list--
> ~ > ssh lxplus.cern.ch
> [email protected]'s password:
>
> ~ > ssh bastion.desy.de
> [email protected]'s password:
>
> ~ >
>
>
> Questions:
> =========
> So where does afs get the credentials from (in this case)?

whichever ticket cache was current when you ran aklog.

> What is the default place for that in OSX?

whichever ticket cache you last accessed (which is new to lion). you can use
kswitch -p (principal) to make a different cache current; or if you know which
cache you want to use (API cred caches are the default if you do not override)
you can say e.g.
KRB5CCNAME=API:(somenumber) aklog ...

> (In Ticket Viewer.app there's no way to specify the realm to which one would
> like to get a ticket.)
> How can I make direct file access work reliably for both realms?

get tokens from both sets of tickets.

> Why are there always 5-6 afsd processes running on my machine?

that's how AFS creates userspace contexts to do work for the kernel, like DNS
lookups

> How can I kill them? (kill -9 does not work)

shut down AFS. AFS up, afsds run. AFS down, no afsds.

> How do I start/stop the afs daemon?

as root, launchctl stop org.openafs.filesystems.afs
opposite to start.

> How do I make scp use kerberos authentication? (I guess this is not the
> right forum for that one)

not really. it involves keying sshd and adding the right config settings.

>
> Regards,
> Ivan Glushkov

-- 
Derrick
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
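The following is an added example and is not code from the thread, from Ivan, or from OpenAFS. It packages the procedure Ivan's `pas`, `c403` and `cdesy` aliases perform (one FILE ticket cache per realm, `kinit` into it, `aklog -c cell -k REALM` from it, then `ssh` with the matching `KRB5CCNAME`) into a small POSIX sh script, with two changes a practitioner would want: the caches live in a 0700 per-user directory rather than under fixed, predictable names in the shared `/tmp`, and the success check parses the output of `tokens` rather than `klist`, because, as Derrick notes, it is the per-uid AFS tokens and not the current ticket cache that decide whether `/afs/<cell>` is accessible. The principals, cells, realms and the sample `tokens` output are constructed placeholders; `DRY_RUN=1` prints the commands instead of executing them, which is also how the block can be exercised without a KDC.

```shell
#!/bin/sh
# Added example (not from the original thread or OpenAFS). Assumes Heimdal or
# MIT kinit/kdestroy, OpenAFS aklog/tokens and OpenSSH on the PATH.
# Usage: . ./afs-realms.sh; login_all; tokens | check_cells "example.org example.net"

CCDIR="${CCDIR:-${HOME}/.krb5cc}"   # private per-user dir for one cache per realm
# principal:cell:realm triples -- constructed placeholders, not real accounts
REALMS="${REALMS:-user@EXAMPLE.ORG:example.org:EXAMPLE.ORG user@EXAMPLE.NET:example.net:EXAMPLE.NET}"

run() {  # run a command, or print it when DRY_RUN is set
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

with_cc() {  # with_cc CACHE cmd...: run cmd with KRB5CCNAME=CACHE for that command only
    wcc=$1; shift
    if [ -n "${DRY_RUN:-}" ]; then
        printf 'KRB5CCNAME=%s %s\n' "$wcc" "$*"
    else
        KRB5CCNAME="$wcc" "$@"
    fi
}

cc_path() {  # cache file derived from the realm name, e.g. CERN.CH -> krb5cc_cern_ch
    printf '%s/krb5cc_%s' "$CCDIR" "$(printf '%s' "$1" | tr 'A-Z.' 'a-z_')"
}

get_tokens() {  # get_tokens PRINCIPAL CELL REALM
    cc="FILE:$(cc_path "$3")"
    # kinit into the realm's own cache, then aklog from that same cache;
    # -force replaces any token already held for the cell.
    with_cc "$cc" kinit -V "$1" &&
    with_cc "$cc" aklog -force -c "$2" -k "$3"
}

login_all() {  # destroy old caches, then fetch tickets and tokens for every realm
    umask 077                      # cache dir and files readable by this user only
    mkdir -p "$CCDIR"
    run kdestroy --all             # Heimdal spelling, as on macOS; MIT uses -A
    for entry in $REALMS; do
        set -- $(printf '%s' "$entry" | tr ':' ' ')
        get_tokens "$1" "$2" "$3" || return 1
    done
}

ssh_realm() {  # ssh_realm REALM [ssh args...]: ssh with that realm's cache selected
    realm=$1; shift
    with_cc "FILE:$(cc_path "$realm")" ssh "$@"
}

token_cells() {  # parse `tokens` output on stdin; print one cell name per line
    sed -n 's/^.*tokens for [^@]*@\([^ ]*\) \[Expires.*$/\1/p'
}

check_cells() {  # check_cells "cell ...": fail if any listed cell has no token
    have=$(token_cells)
    for c in $1; do
        printf '%s\n' "$have" | grep -qx "$c" || { echo "no token for $c" >&2; return 1; }
    done
}

# Constructed sample of `tokens` output, for trying token_cells/check_cells offline:
SAMPLE_TOKENS="Tokens held by the Cache Manager:

User's (AFS ID 12345) tokens for afs@example.org [Expires Sep 23 08:18]
User's (AFS ID 678) tokens for afs@example.net [Expires Sep 23 08:18]
--End of list--"
```

Each `with_cc` call scopes `KRB5CCNAME` to a single command, so nothing is exported into the interactive shell and a later bare `klist` still reports only the default cache, exactly as in Ivan's transcript; what matters for `/afs` access is `tokens | check_cells "..."`, which fails loudly for any cell whose token is missing or has expired.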
