Hi Eve,
The problem is that a plain SL5 ssh client does not do GSSAPIDelegateCredentials and this is what is needed for you to get your AFS credentials on minos06.

https://fermilinux.fnal.gov/documentation/security/ssh-client/

You don't have to have afs credentials on the machine you are coming from.
Troy

Eve V. E. Kovacs wrote:
I just upgraded one of our systems to SL5 and now one of our users is having problems ssh'ing to minos06.fnal.gov. Everything still works on all the SL4 systems. The problem she is having has something to do with the change in kinit and aklog in SL5. She gets her ticket using kinit and then ssh'es to minos06. The error she gets on logging in is:

aklog: Couldn't determine realm of user:)aklog: unknown RPC error (-1765328189) while getting lm
/usr/X11R6/bin/xauth:  timeout in locking authority file

On minos06, the users' home area is an /afs file system. When she logs in, she can't touch her own files. So clearly, she is not getting her AFS token correctly on the SL5 system.

As suggested in some messages of a few days ago, I tried aliasing kinit to
/usr/kerberos/bin/kinit ; /usr/bin/aklog
But now, when she tries to get her ticket before ssh'ing to minos06 she gets the error:
aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))

I also tried aklog [email protected] which gave the same error.

Do I just have the syntax wrong, or is there some other setup I need to do to get aklog working correctly on SL5? (I think my krb5.conf file is ok, because she has no problem getting a kerberos ticket and ssh'ing to other hosts that don't use an /afs filesystem)

Thanks
Eve



--
__________________________________________________
Troy Dawson  [email protected]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI LMSS Group
__________________________________________________
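
Added example, not part of the original messages or of the linked Fermilab documentation: a small checker that reads an OpenSSH client configuration and reports whether a connection to a given host would delegate the Kerberos ticket, applying ssh_config's first-value-wins rule. The sample configuration is constructed, the function names are hypothetical, the "no" defaults are those of upstream OpenSSH, and Match blocks are not evaluated.

```python
import fnmatch
import re

# Upstream OpenSSH client defaults (assumption: a vendor build may differ).
DEFAULTS = {"gssapiauthentication": "no", "gssapidelegatecredentials": "no"}

# Constructed sample ssh_config: delegate only to the host that needs it.
SAMPLE_CONFIG = """\
Host minos06.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

Host *
    GSSAPIDelegateCredentials no
"""

def host_matches(patterns, host):
    """Host line semantics: a negated match vetoes, a positive match is required."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            positive = True
    return positive

def effective_options(config_text, host):
    """Return the GSSAPI options ssh would use for host (first value obtained wins)."""
    found = {}
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = host_matches(value.lower().split(), host.lower())
        elif key == "match":
            active = False  # Match blocks are skipped in this example
        elif active and key in DEFAULTS and key not in found:
            found[key] = value.lower()
    return {**DEFAULTS, **found}

def will_delegate(config_text, host):
    """True when both GSSAPI authentication and credential delegation are enabled."""
    opts = effective_options(config_text, host)
    return all(opts[k] == "yes" for k in DEFAULTS)
```
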
