FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt not= to krb5cc/primary
i.e.
klist -A
says
Credentials cache: FILE:/tmp/krb5cc_0
Principal: [email protected]
and
aklog carps about missing /run/user/0/krb5cc/tkt
but
its krb5cc/primary that exists
tree /run/user/0/
/run/user/0/
|-- KSMserver__0
|-- dconf
| `-- user
|-- gvfs
|-- kdeinit5__0
|-- klauncherTJ3534.1.slave-socket
|-- krb5cc
| `-- primary
|-- pulse
`-- systemd
|-- notify
`-- private
5 directories, 7 files
________________________________________
From: Benjamin Kaduk <[email protected]>
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: [email protected]
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 11:42:41PM +0000, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
Ah, this is a "fancy" default coming into play, no doubt. /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user/<uid>/krb5cc/ directory was
not created automatically, so check that it exists.
> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> [email protected]'s Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: [email protected]
>
> Issued Expires Principal
> Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 krbtgt/[email protected]
> Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 afs/[email protected]
Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.
>
>
> Dec 22 15:33:01 201 Jun 23 07:32:57 201 Tokens for creedon.biz
>
>
> ##################
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error
> (-1765328189) while getting realm
This seems to suggest that aklog -noprdb might succeed.
> #####
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> directory)
There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software. Is KRB5CCNAME modified between any of the pasted
output
you have given here? Did you consciously try to set either
/run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?
Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.
I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".
-Ben
_______________________________________________
OpenAFS-info mailing list
[email protected]
https://lists.openafs.org/mailman/listinfo/openafs-info
