some progress anyway, I get tokens but no /afs
export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary

afsd  -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 50000
afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

kinit admin
ad...@creedon.biz's Password: 
 aklog
 tokens

Tokens held by the Cache Manager:

User's (AFS ID 501) tokens for a...@creedon.biz [Expires Jun 23 09:02]
   --End of list--
BUT /afs doesn't get mounted to /vicepa
ookpik:/usr/src/linux-4.1.31-30 # ls /afs
ookpik:/usr/src/linux-4.1.31-30 # mount |g afs
ookpik:/usr/src/linux-4.1.31-30 # fs mkmount /afs/.$C root.cell -rw
fs: mount points must be created within the AFS file system



________________________________________
From: Benjamin Kaduk <ka...@mit.edu>
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +0000, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user/<uid>/krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
>         Principal: ad...@creedon.biz
>
>   Issued                Expires               Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon....@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon....@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##################
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #####
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted 
output
you have given here?  Did you consciously try to set either 
/run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".

-Ben
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info

Reply via email to