Hi Harald, thanks for your reply. Comments inside:
On Thu, 2011-10-13 at 15:11 +0200, Harald Barth wrote:
> What is the name of your AFS service ticket
>
> [email protected]
> afs/[email protected]
> something else?

[remus] /root # /usr/heimdal/sbin/kadmin -l
kadmin> get afs
            Principal: [email protected]
    Principal expires: never
     Password expires: never
 Last password change: never
      Max ticket life: 1 day 1 hour
   Max renewable life: 1 month
                 Kvno: 2
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2011-10-12 11:49:48 UTC
             Modifier: kadmin/[email protected]
           Attributes:
             Keytypes: des-cbc-md5(afs3-salt(ifh.de)), des-cbc-md4(afs3-salt(ifh.de)), des-cbc-crc(afs3-salt(ifh.de))
          PK-INIT ACL:
              Aliases:

kadmin> get afs/ifh.de
kadmin: get afs/ifh.de: Principal does not exist

> and what version number do these tickets have? Could it be that
> you have both the [email protected] and the afs/[email protected] in
> your KDC but only one in the AFS server?

No (see output).

> What does the KDC log say when you compare
>
> > [oreade38] ~ % klog.krb5
> > Password for [email protected]:
> > klog: ticket contained unknown key version number Can't get your viceid for
> > cell ifh.de
>
> with
>
> > [oreade38] ~ % klog.krb5 -tmp
> > Password for [email protected]:
> > Wrote ticket file to /tmp/krb5cc_yF6bKY
>
> ? I guess the KDC does deny something in the first operation.

No, it sends out the ticket.

Here's the Heimdal KDC log with debugging info when doing 'klog.krb5':

Oct 13 15:37:11 remus kdc[771]: AS-REQ [email protected] from IPv4:141.34.2.11 for afs/[email protected]
Oct 13 15:37:11 remus kdc[771]: UNKNOWN -- afs/[email protected]: no such entry found in hdb
Oct 13 15:37:11 remus kdc[771]: sending 112 bytes to IPv4:141.34.2.11
Oct 13 15:37:11 remus kdc[771]: AS-REQ [email protected] from IPv4:141.34.2.11 for [email protected]
Oct 13 15:37:11 remus kdc[771]: Client sent patypes: 149
Oct 13 15:37:11 remus kdc[771]: Looking for PKINIT pa-data -- [email protected]
Oct 13 15:37:11 remus kdc[771]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 15:37:11 remus kdc[771]: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
Oct 13 15:37:11 remus kdc[771]: sending 234 bytes to IPv4:141.34.2.11
Oct 13 15:37:14 remus kdc[771]: AS-REQ [email protected] from IPv4:141.34.2.11 for [email protected]
Oct 13 15:37:14 remus kdc[771]: Client sent patypes: encrypted-timestamp, 149
Oct 13 15:37:14 remus kdc[771]: Looking for PKINIT pa-data -- [email protected]
Oct 13 15:37:14 remus kdc[771]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 15:37:14 remus kdc[771]: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
Oct 13 15:37:14 remus kdc[771]: AS-REQ authtime: 2011-10-13T15:37:14 starttime: unset endtime: 2011-10-14T16:37:11 renew till: 2011-11-12T14:37:11
Oct 13 15:37:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/des-cbc-md5
Oct 13 15:37:14 remus kdc[771]: Requested flags: renewable, forwardable
Oct 13 15:37:14 remus kdc[771]: sending 679 bytes to IPv4:141.34.2.11

And this happens when doing 'klog.krb5 -tmp':

Oct 13 15:46:12 remus kdc[771]: AS-REQ [email protected] from IPv4:141.34.2.11 for krbtgt/[email protected]
Oct 13 15:46:12 remus kdc[771]: Client sent patypes: 149
Oct 13 15:46:12 remus kdc[771]: Looking for PKINIT pa-data -- [email protected]
Oct 13 15:46:12 remus kdc[771]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 15:46:12 remus kdc[771]: No preauth found, returning PREAUTH-REQUIRED -- [email protected]
Oct 13 15:46:12 remus kdc[771]: sending 245 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: AS-REQ [email protected] from IPv4:141.34.2.11 for krbtgt/[email protected]
Oct 13 15:46:14 remus kdc[771]: Client sent patypes: encrypted-timestamp, 149
Oct 13 15:46:14 remus kdc[771]: Looking for PKINIT pa-data -- [email protected]
Oct 13 15:46:14 remus kdc[771]: Looking for ENC-TS pa-data -- [email protected]
Oct 13 15:46:14 remus kdc[771]: ENC-TS Pre-authentication succeeded -- [email protected] using aes256-cts-hmac-sha1-96
Oct 13 15:46:14 remus kdc[771]: AS-REQ authtime: 2011-10-13T15:46:14 starttime: unset endtime: 2011-10-14T16:46:12 renew till: 2011-11-12T14:46:12
Oct 13 15:46:14 remus kdc[771]: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, des-cbc-crc, des-cbc-md5, des-cbc-md4, using aes256-cts-hmac-sha1-96/aes256-cts-hmac-sha1-96
Oct 13 15:46:14 remus kdc[771]: Requested flags: renewable, forwardable
Oct 13 15:46:14 remus kdc[771]: sending 692 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ [email protected] from IPv4:141.34.2.11 for afs/[email protected] [canonicalize, renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: Searching referral for ifh.de
Oct 13 15:46:14 remus kdc[771]: Returning a referral to realm DE for server afs/[email protected] that was not found
Oct 13 15:46:14 remus kdc[771]: Server not found in database: krbtgt/[email protected]: no such entry found in hdb
Oct 13 15:46:14 remus kdc[771]: Failed building TGS-REP to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: sending 107 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ [email protected] from IPv4:141.34.2.11 for afs/[email protected] [renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: Server not found in database: afs/[email protected]: no such entry found in hdb
Oct 13 15:46:14 remus kdc[771]: Failed building TGS-REP to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: sending 107 bytes to IPv4:141.34.2.11
Oct 13 15:46:14 remus kdc[771]: TGS-REQ [email protected] from IPv4:141.34.2.11 for [email protected] [canonicalize, renewable, forwardable]
Oct 13 15:46:14 remus kdc[771]: TGS-REQ authtime: 2011-10-13T15:46:14 starttime: 2011-10-13T15:46:14 endtime: 2011-10-14T16:46:12 renew till: 2011-11-12T14:46:12
Oct 13 15:46:14 remus kdc[771]: sending 589 bytes to IPv4:141.34.2.11

So from the KDC side everything is correct in both cases (or did I miss something?).

> I tried to read the source code of klog.c, but was a bit turned down
> by the use of for() { goto ; break } for most flow control....
>
> ...
> if (service) {
>     afscred = incred;
> } else {
>     for (;;writeTicketFile = 0) {
>         if (writeTicketFile) {
>             what = "getting default ccache";
> ...
>
> So I have no idea what it uses as service ticket name and in which
> order.

Well, yes - I'm currently facing the same misery trying to understand the code ...

> IMHO if klog.krb5's behaviour differs with and without -tmp, this is a bug of
> klog.krb5.

Yes. As I already wrote: without -tmp it requests the [email protected] ticket directly, whereas with -tmp it requests krbtgt/IFH.DE first and uses this one to get a [email protected] service ticket (kinit/aklog behaviour) ...

Cheers,
Andreas

-- 
| Andreas Haupt             | E-Mail: [email protected]
| DESY Zeuthen              | WWW:    http://www-zeuthen.desy.de/~ahaupt
| Platanenallee 6           | Phone:  +49/33762/7-7359
| D-15738 Zeuthen           | Fax:    +49/33762/7-7216

_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
