Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-24 Thread Benjamin Kaduk
On Fri, Dec 23, 2016 at 01:10:22AM +, Ted Creedon wrote:
> some progress anyway, I get tokens but no /afs
> export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary
> 
> afsd  -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 5
> afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

It may be worth stopping the client, unloading the kernel module, clearing
out /usr/vice/cache, then loading the kernel module and starting a fresh
client, just in case something got confused during your previous attempts.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-24 Thread Benjamin Kaduk
At this point it would probably be helpful to send a single email with
all of the relevant information at a single point in time, as we've now
accumulated a lot of data that may be about different configurations
and/or setups.

(Also, is /run/user/0/krb5cc/primary a file or a (broken) symlink?

-Ben

On Fri, Dec 23, 2016 at 12:46:19AM +, Ted Creedon wrote:
> FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt  not= to krb5cc/primary
> 
> 
> i.e.
> klist -A
> says
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> and
> aklog carps about missing /run/user/0/krb5cc/tkt
> but
> its krb5cc/primary that exists
> 
> tree /run/user/0/
> /run/user/0/
> |-- KSMserver__0
> |-- dconf
> |   `-- user
> |-- gvfs
> |-- kdeinit5__0
> |-- klauncherTJ3534.1.slave-socket
> |-- krb5cc
> |   `-- primary
> |-- pulse
> `-- systemd
> |-- notify
> `-- private
> 
> 5 directories, 7 files
> 
> 
> From: Benjamin Kaduk 
> Sent: Thursday, December 22, 2016 3:58:31 PM
> To: Ted Creedon
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user
> 
> On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> > different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
> > carps about
> > /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
> 
> Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
> be isolated for various users with filesystem namespaces to prevent
> cross-user attacks (though I guess that may not be coming into play here).
> I also recall issues where the /run/user//krb5cc/ directory was
> not created automatically, so check that it exists.
> 
> 
> > ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> > ad...@creedon.biz's Password:
> > ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> > Credentials cache: FILE:/tmp/krb5cc_0
> > Principal: ad...@creedon.biz
> >
> >   IssuedExpires   Principal
> > Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> > Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz
> 
> Okay, now the kerberos part is succeeding, so any issue here is on the AFS 
> side.
> 
> >
> >
> > Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
> >
> >
> > ##
> > aklog
> > aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> > (-1765328189)  while getting realm
> 
> This seems to suggest that aklog -noprdb might succeed.
> 
> > #
> > open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> > directory)
> 
> There are two ticket caches in play here, which can be confusing to both 
> humans
> (i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted 
> output
> you have given here?  Did you consciously try to set either 
> /run/user/0/krb5cc/tkt
> or FILE:/tmp/krb5cc_0?
> 
> Is aklog linked against a heimdal or MIT libkrb5?
> Please provide any /etc/krb5.conf declarations relating to names of 
> credentials
> caches.
> 
> 
> I don't think it's particularly helpful to be randomly trying different 
> versions
> of the software; I would rather get good solid debugging output from a 
> specific
> setup and understand what is failing, so that software changes can be 
> targetted
> instead of "shotgun style".
> 
> -Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
some progress anyway, I get tokens but no /afs
export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary

afsd  -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 5
afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

kinit admin
ad...@creedon.biz's Password: 
 aklog
 tokens

Tokens held by the Cache Manager:

User's (AFS ID 501) tokens for a...@creedon.biz [Expires Jun 23 09:02]
   --End of list--
BUT /afs doesn't get mounted to /vicepa
ookpik:/usr/src/linux-4.1.31-30 # ls /afs
ookpik:/usr/src/linux-4.1.31-30 # mount |g afs
ookpik:/usr/src/linux-4.1.31-30 # fs mkmount /afs/.$C root.cell -rw
fs: mount points must be created within the AFS file system




From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted 
output
you have given here?  Did you consciously try to set either 
/run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt  not= to krb5cc/primary


i.e.
klist -A
says
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz
and
aklog carps about missing /run/user/0/krb5cc/tkt
but
its krb5cc/primary that exists

tree /run/user/0/
/run/user/0/
|-- KSMserver__0
|-- dconf
|   `-- user
|-- gvfs
|-- kdeinit5__0
|-- klauncherTJ3534.1.slave-socket
|-- krb5cc
|   `-- primary
|-- pulse
`-- systemd
|-- notify
`-- private

5 directories, 7 files


From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted 
output
you have given here?  Did you consciously try to set either 
/run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
> carps about 
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.


> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> 
>   IssuedExpires   Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS side.

> 
> 
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
> 
> 
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error 
> (-1765328189)  while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

There are two ticket caches in play here, which can be confusing to both humans
(i.e., me) and software.  Is KRB5CCNAME modified between any of the pasted 
output
you have given here?  Did you consciously try to set either 
/run/user/0/krb5cc/tkt
or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of credentials
caches.


I don't think it's particularly helpful to be randomly trying different versions
of the software; I would rather get good solid debugging output from a specific
setup and understand what is failing, so that software changes can be targetted
instead of "shotgun style".

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
different outcome w/ 7.1.0 but no tokens from eiher afslog or aklog (still 
carps about 
/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
ad...@creedon.biz's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist -AT
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz

  IssuedExpires   Principal
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz



Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz


##
aklog
aklog: Couldn't determine realm of user:aklog: unknown RPC error (-1765328189)  
while getting realm
#
open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or directory)


From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 12:31:50 PM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
> never loggged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.
The ticket that ad...@creedon.biz has is a ticket-granting ticket, i.e., the 
service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
> never loggged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.
The ticket that ad...@creedon.biz has is a ticket-granting ticket, i.e., the 
service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Ted Creedon
Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was 
never loggged in?

I'll try 7.1
tedc

see below:
kadmin> get krb*
Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-17 01:03:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:

Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-20 00:29:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:



From: Benjamin Kaduk 
Sent: Thursday, December 22, 2016 10:35:56 AM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something 
> like a missing .align 64
> tedc
>
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   IssuedExpiresPrincipal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS.  Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-22 Thread Benjamin Kaduk
On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something 
> like a missing .align 64
> tedc
> 
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> 
>   IssuedExpiresPrincipal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS.  Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-21 Thread Ted Creedon
Heimdal set the ticket up..(I think)
So how does one login krbtgt?
PS making progress on the glibc/swig bug
Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect  something 
like a missing .align 64
tedc

ad...@creedon.biz's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz

  IssuedExpiresPrincipal
Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz


kadmin> get krbtgt*
Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-17 01:03:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:

Principal: krbtgt/creedon@creedon.biz
Principal expires: never
 Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
  Max ticket life: unlimited
   Max renewable life: unlimited
 Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
   Failed login count: 0
Last modified: 2016-12-20 00:29:08 UTC
 Modifier: kadmin/ad...@creedon.biz
   Attributes:
 Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], 
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
  PK-INIT ACL:
  Aliases:



From: Michael Meffie 
Sent: Wednesday, December 21, 2016 6:15:58 AM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps  Couldn't determine realm of user

On Wed, 21 Dec 2016 02:21:13 +
Ted Creedon  wrote:

> if
> KRB5CCNAME="FILE:/tmp/krb5cc_0"
> is set
>
> one gets:
>
> aklog -d
> Authenticating to cell creedon.biz (server ookpik.creedon.biz).
> Trying to authenticate to user's realm CREEDON.BIZ.
> Getting tickets: afs/creedon@creedon.biz
> Kerberos error code returned by get_cred : -1765328352
> aklog: Couldn't get creedon.biz AFS tickets:
> aklog: Ticket expired while getting AFS tickets

Thanks for testing 1.8.0pre1 Ted.  That error code indicates
the ticket has expired,

krb5 error -1765328352 = KRB5KRB_AP_ERR_TKT_EXPIRED

What does klist show?

Thanks,
Mike



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info


Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

2016-12-21 Thread Michael Meffie
On Wed, 21 Dec 2016 02:21:13 +
Ted Creedon  wrote:

> if
> KRB5CCNAME="FILE:/tmp/krb5cc_0"
> is set
> 
> one gets:
> 
> aklog -d
> Authenticating to cell creedon.biz (server ookpik.creedon.biz).
> Trying to authenticate to user's realm CREEDON.BIZ.
> Getting tickets: afs/creedon@creedon.biz
> Kerberos error code returned by get_cred : -1765328352
> aklog: Couldn't get creedon.biz AFS tickets:
> aklog: Ticket expired while getting AFS tickets

Thanks for testing 1.8.0pre1 Ted.  That error code indicates
the ticket has expired,

krb5 error -1765328352 = KRB5KRB_AP_ERR_TKT_EXPIRED

What does klist show?

Thanks,
Mike



___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info