On 4/26/2015 5:55 AM, Turbo Fredriksson wrote: > But aklog don't want to work: > > Turbo-Fredrikssons-MacBook:~ turbo$ aklog -d > Authenticating to cell int.bayour.com (server Celia.bayour.com). > Trying to authenticate to user's realm INT.BAYOUR.COM. > Getting tickets: afs/[email protected] > Kerberos error code returned by get_cred : -1765328228 > aklog: Couldn't get int.bayour.com AFS tickets: > aklog: unknown RPC error (-1765328228) while getting AFS tickets > > Apparently that error indicates that it can't reach 'something' (unsure > of what - haven't found a good google search to revile anything).
-1765328228 (krb5).156 = Cannot contact any KDC for requested realm It means that the Kerberos library cannot find the KDCs for your realm via DNS SRV records or local configuration. > I've been trying to add 'stuff' to the krb5.conf file, but none seems > to be working (from an OpenAFS standpoint anyway): > > Turbo-Fredrikssons-MacBook:~ turbo$ cat /etc/krb5.conf I believe the correct system path for krb5.conf on OSX is /Library/Preferences/edu.mit.Kerberos > [libdefaults] > default_realm = INT.BAYOUR.COM > allow_weak_crypto = true > > forwardable = true > proxiable = true Do you really want proxiable tickets? > > dns_lookup_kdc = false > dns_lookup_realm = false DNS lookups are disabled. > allow_weak_crypto = true This is specified twice. Note that OSX Yosemite doesn't support weak crypto under any circumstances and you must use non-DES keys for Kerberos to address OPENAFS-SA-2013-003 https://www.openafs.org/pages/security/#OPENAFS-SA-2013-003 Only OpenAFS 1.6.5 or later can be used with non-DES keys for OpenAFS. > > [domain_realm] > .bayour.com = INT.BAYOUR.COM > bayour.com = INT.BAYOUR.COM > > [realms] > INT.BAYOUR.COM = { > kdc = celia.bayour.com > admin_server = celia.bayour.com > } > > [logging] > kdc = FILE:/var/log/kdc.log > kdc = SYSLOG:INFO > default = SYSLOG:INFO:USER > > [login] > krb4_convert = true > krb4_get_tickets = false kerberos 4 is dead.
smime.p7s
Description: S/MIME Cryptographic Signature
