At this point it would probably be helpful to send a single email with all of the relevant information at a single point in time, as we've now accumulated a lot of data that may be about different configurations and/or setups.
(Also, is /run/user/0/krb5cc/primary a file or a (broken) symlink?)

-Ben

On Fri, Dec 23, 2016 at 12:46:19AM +0000, Ted Creedon wrote:
> FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt not= to krb5cc/primary
>
>
> i.e.
> klist -A
> says
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> and
> aklog carps about missing /run/user/0/krb5cc/tkt
> but
> it's krb5cc/primary that exists
>
> tree /run/user/0/
> /run/user/0/
> |-- KSMserver__0
> |-- dconf
> |   `-- user
> |-- gvfs
> |-- kdeinit5__0
> |-- klauncherTJ3534.1.slave-socket
> |-- krb5cc
> |   `-- primary
> |-- pulse
> `-- systemd
>     |-- notify
>     `-- private
>
> 5 directories, 7 files
>
> ________________________________________
> From: Benjamin Kaduk <ka...@mit.edu>
> Sent: Thursday, December 22, 2016 3:58:31 PM
> To: Ted Creedon
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
>
> On Thu, Dec 22, 2016 at 11:42:41PM +0000, Ted Creedon wrote:
> > different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
> > carps about
> > /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
>
> Ah, this is a "fancy" default coming into play, no doubt. /run/user may
> be isolated for various users with filesystem namespaces to prevent
> cross-user attacks (though I guess that may not be coming into play here).
> I also recall issues where the /run/user/<uid>/krb5cc/ directory was
> not created automatically, so check that it exists.
>
> >
> > ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> > ad...@creedon.biz's Password:
> > ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> > Credentials cache: FILE:/tmp/krb5cc_0
> > Principal: ad...@creedon.biz
> >
> > Issued Expires Principal
> > Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 krbtgt/creedon....@creedon.biz
> > Dec 22 15:33:01 2016 Jun 23 07:32:57 2017 afs/creedon....@creedon.biz
>
> Okay, now the kerberos part is succeeding, so any issue here is on the AFS
> side.
>
> >
> >
> > Dec 22 15:33:01 201 Jun 23 07:32:57 201 Tokens for creedon.biz
> >
> >
> > ##################
> > aklog
> > aklog: Couldn't determine realm of user:aklog: unknown RPC error
> > (-1765328189) while getting realm
>
> This seems to suggest that aklog -noprdb might succeed.
>
> > #####
> > open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
>
> There are two ticket caches in play here, which can be confusing to both
> humans (i.e., me) and software. Is KRB5CCNAME modified between any of the
> pasted output you have given here? Did you consciously try to set either
> /run/user/0/krb5cc/tkt or FILE:/tmp/krb5cc_0?
>
> Is aklog linked against a heimdal or MIT libkrb5?
> Please provide any /etc/krb5.conf declarations relating to names of
> credentials caches.
>
>
> I don't think it's particularly helpful to be randomly trying different
> versions of the software; I would rather get good solid debugging output
> from a specific setup and understand what is failing, so that software
> changes can be targeted instead of "shotgun style".
>
> -Ben

_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info