Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Fri, Dec 23, 2016 at 01:10:22AM +, Ted Creedon wrote:
> some progress anyway, I get tokens but no /afs
> export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary
>
> afsd -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 5
> afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

It may be worth stopping the client, unloading the kernel module, clearing
out /usr/vice/cache, then loading the kernel module and starting a fresh
client, just in case something got confused during your previous attempts.

-Ben
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
At this point it would probably be helpful to send a single email with all
of the relevant information at a single point in time, as we've now
accumulated a lot of data that may be about different configurations and/or
setups.

(Also, is /run/user/0/krb5cc/primary a file or a (broken) symlink?)

-Ben

On Fri, Dec 23, 2016 at 12:46:19AM +, Ted Creedon wrote:
> FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt not= to krb5cc/primary
>
>
> i.e.
> klist -A
> says
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
> and
> aklog carps about missing /run/user/0/krb5cc/tkt
> but
> it's krb5cc/primary that exists
>
> tree /run/user/0/
> /run/user/0/
> |-- KSMserver__0
> |-- dconf
> |   `-- user
> |-- gvfs
> |-- kdeinit5__0
> |-- klauncherTJ3534.1.slave-socket
> |-- krb5cc
> |   `-- primary
> |-- pulse
> `-- systemd
>     |-- notify
>     `-- private
>
> 5 directories, 7 files
>
>
> From: Benjamin Kaduk
> Sent: Thursday, December 22, 2016 3:58:31 PM
> To: Ted Creedon
> Cc: openafs-info@openafs.org
> Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
>
> On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> > different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
> > carps about
> > /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)
>
> Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
> be isolated for various users with filesystem namespaces to prevent
> cross-user attacks (though I guess that may not be coming into play here).
> I also recall issues where the /run/user//krb5cc/ directory was
> not created automatically, so check that it exists.
>
> > ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> > ad...@creedon.biz's Password:
> > ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> > Credentials cache: FILE:/tmp/krb5cc_0
> > Principal: ad...@creedon.biz
> >
> >   Issued                Expires               Principal
> > Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> > Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz
>
> Okay, now the kerberos part is succeeding, so any issue here is on the AFS
> side.
>
> >
> >
> > Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
> >
> >
> > ##
> > aklog
> > aklog: Couldn't determine realm of user:aklog: unknown RPC error
> > (-1765328189) while getting realm
>
> This seems to suggest that aklog -noprdb might succeed.
>
> > #
> > open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> > directory)
>
> There are two ticket caches in play here, which can be confusing to both
> humans (i.e., me) and software.  Is KRB5CCNAME modified between any of the
> pasted output you have given here?  Did you consciously try to set either
> /run/user/0/krb5cc/tkt or FILE:/tmp/krb5cc_0?
>
> Is aklog linked against a heimdal or MIT libkrb5?
> Please provide any /etc/krb5.conf declarations relating to names of
> credentials caches.
>
>
> I don't think it's particularly helpful to be randomly trying different
> versions of the software; I would rather get good solid debugging output
> from a specific setup and understand what is failing, so that software
> changes can be targeted instead of "shotgun style".
>
> -Ben
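The message above turns on which credential cache is actually in play (FILE:/tmp/krb5cc_0 versus /run/user/0/krb5cc/tkt versus krb5cc/primary) and on whether the path behind the cache name is a file or a broken symlink. The following is an added example, not code from the thread or from OpenAFS or Heimdal: it classifies what a KRB5CCNAME-style name points at so that a dangling symlink, a directory, or an absent parent directory is reported before kinit and aklog trip over it. The sample tree built by demo_layout is constructed here to mirror the thread's /run/user/0 layout (krb5cc/primary present, krb5cc/tkt absent); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: classify the path behind a
# KRB5CCNAME value the way the tools in the thread would meet it, so that a
# FILE: cache that is a broken symlink, a directory or simply absent is
# reported before kinit/aklog trip over it. The sample layout built by
# demo_layout is constructed to mirror the thread's /run/user/0, where
# krb5cc/primary exists and krb5cc/tkt does not.

# Strip a leading "FILE:"; a bare path is treated as a FILE: cache too.
ccache_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        *)      printf '%s\n' "$1" ;;
    esac
}

# Print one word describing what a credential-cache name points at:
#   nonfile  - a non-FILE cache type (KCM:, DIR:, ...), not checked here
#   file     - regular file, the normal usable cache
#   symlink  - symlink whose target exists
#   broken   - symlink whose target is missing
#   dir      - a directory (e.g. the krb5cc directory itself, not a cache)
#   missing  - no such entry, but its parent directory exists
#   noparent - even the parent directory is absent
ccache_state() {
    case "$1" in
        FILE:*|/*) ;;
        *:*) echo nonfile; return 0 ;;
    esac
    p=$(ccache_path "$1")
    if [ -L "$p" ]; then
        if [ -e "$p" ]; then echo symlink; else echo broken; fi
    elif [ -f "$p" ]; then echo file
    elif [ -d "$p" ]; then echo dir
    elif [ -d "$(dirname "$p")" ]; then echo missing
    else echo noparent
    fi
}

# Constructed sample tree (prints its root): krb5cc/primary present,
# krb5cc/tkt absent, plus a dangling symlink for the "broken" case.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/krb5cc"
    : > "$root/krb5cc/primary"
    ln -s "$root/krb5cc/tkt" "$root/krb5cc/dangling"
    printf '%s\n' "$root"
}

# Walk the sample tree the way the thread walks /run/user/0.
demo() {
    root=$(demo_layout)
    for name in "FILE:$root/krb5cc/primary" "FILE:$root/krb5cc/tkt" \
                "$root/krb5cc/dangling" "FILE:$root/krb5cc" \
                "FILE:$root/nodir/tkt" "KCM:0"; do
        printf '%-60s %s\n' "$name" "$(ccache_state "$name")"
    done
    rm -rf "$root"
}

demo
```

Run it as `ccache_state "$KRB5CCNAME"` against a real shell's environment to see which of the candidate caches the process would actually open; a result of broken or noparent is the case Ben asks about, and missing is the /run/user/0/krb5cc/tkt situation from the strace line.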
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
some progress anyway, I get tokens but no /afs
export KRB5CCNAME=FILE:/run/user/0/krb5cc/primary

afsd -stat 4000 -dcache 4000 -daemons 6 -volumes 256 -files 5
afsd: Error calling AFSOP_CACHEFILE for '/usr/vice/cache/D0/V2000'

kinit admin
ad...@creedon.biz's Password:
aklog
tokens
Tokens held by the Cache Manager:

User's (AFS ID 501) tokens for a...@creedon.biz [Expires Jun 23 09:02]
   --End of list--

BUT /afs doesn't get mounted to /vicepa

ookpik:/usr/src/linux-4.1.31-30 # ls /afs
ookpik:/usr/src/linux-4.1.31-30 # mount |g afs
ookpik:/usr/src/linux-4.1.31-30 # fs mkmount /afs/.$C root.cell -rw
fs: mount points must be created within the AFS file system

From: Benjamin Kaduk
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.

> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   Issued                Expires               Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS
side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error
> (-1765328189) while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> directory)

There are two ticket caches in play here, which can be confusing to both
humans (i.e., me) and software.  Is KRB5CCNAME modified between any of the
pasted output you have given here?  Did you consciously try to set either
/run/user/0/krb5cc/tkt or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of
credentials caches.


I don't think it's particularly helpful to be randomly trying different
versions of the software; I would rather get good solid debugging output
from a specific setup and understand what is failing, so that software
changes can be targeted instead of "shotgun style".

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
FILE:/tmp/krb5cc_0 not = /run/user/0/krb5cc/tkt not= to krb5cc/primary


i.e.
klist -A
says
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz
and
aklog carps about missing /run/user/0/krb5cc/tkt
but
it's krb5cc/primary that exists

tree /run/user/0/
/run/user/0/
|-- KSMserver__0
|-- dconf
|   `-- user
|-- gvfs
|-- kdeinit5__0
|-- klauncherTJ3534.1.slave-socket
|-- krb5cc
|   `-- primary
|-- pulse
`-- systemd
    |-- notify
    `-- private

5 directories, 7 files


From: Benjamin Kaduk
Sent: Thursday, December 22, 2016 3:58:31 PM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.

> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   Issued                Expires               Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS
side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error
> (-1765328189) while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> directory)

There are two ticket caches in play here, which can be confusing to both
humans (i.e., me) and software.  Is KRB5CCNAME modified between any of the
pasted output you have given here?  Did you consciously try to set either
/run/user/0/krb5cc/tkt or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of
credentials caches.


I don't think it's particularly helpful to be randomly trying different
versions of the software; I would rather get good solid debugging output
from a specific setup and understand what is failing, so that software
changes can be targeted instead of "shotgun style".

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 11:42:41PM +, Ted Creedon wrote:
> different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
> carps about
> /run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

Ah, this is a "fancy" default coming into play, no doubt.  /run/user may
be isolated for various users with filesystem namespaces to prevent
cross-user attacks (though I guess that may not be coming into play here).
I also recall issues where the /run/user//krb5cc/ directory was
not created automatically, so check that it exists.

> ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist -AT
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   Issued                Expires               Principal
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
> Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz

Okay, now the kerberos part is succeeding, so any issue here is on the AFS
side.

>
>
> Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz
>
>
> ##
> aklog
> aklog: Couldn't determine realm of user:aklog: unknown RPC error
> (-1765328189) while getting realm

This seems to suggest that aklog -noprdb might succeed.

> #
> open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
> directory)

There are two ticket caches in play here, which can be confusing to both
humans (i.e., me) and software.  Is KRB5CCNAME modified between any of the
pasted output you have given here?  Did you consciously try to set either
/run/user/0/krb5cc/tkt or FILE:/tmp/krb5cc_0?

Is aklog linked against a heimdal or MIT libkrb5?
Please provide any /etc/krb5.conf declarations relating to names of
credentials caches.


I don't think it's particularly helpful to be randomly trying different
versions of the software; I would rather get good solid debugging output
from a specific setup and understand what is failing, so that software
changes can be targeted instead of "shotgun style".

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
different outcome w/ 7.1.0 but no tokens from either afslog or aklog (still
carps about
/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT)

ookpik:/data1/openafs-1.8.0pre1 # kinit -afslog admin
ad...@creedon.biz's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist -AT
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz

  Issued                Expires               Principal
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz


Dec 22 15:33:01 201  Jun 23 07:32:57 201  Tokens for creedon.biz


##
aklog
aklog: Couldn't determine realm of user:aklog: unknown RPC error
(-1765328189) while getting realm

#
open("/run/user/0/krb5cc/tkt", O_RDONLY) = -1 ENOENT (No such file or
directory)

From: Benjamin Kaduk
Sent: Thursday, December 22, 2016 12:31:50 PM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was
> never logged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.  The ticket that
ad...@creedon.biz has is a ticket-granting ticket, i.e., the service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 07:50:02PM +, Ted Creedon wrote:
> Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
> I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was
> never logged in?

It doesn't have a ticket; ad...@creedon.biz has a ticket.  The ticket that
ad...@creedon.biz has is a ticket-granting ticket, i.e., the service
principal it is for is krbtgt/creedon@creedon.biz.

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
Yes it should but it doesn't. See the conundrum in kadmin->get krbgtkt ?
I.e how can Principal: krbtgt/creedon@creedon.biz have a ticket if it was
never logged in?

I'll try 7.1

tedc

see below:

kadmin> get krb*
            Principal: krbtgt/creedon@creedon.biz
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-17 01:03:08 UTC
             Modifier: kadmin/ad...@creedon.biz
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

            Principal: krbtgt/creedon@creedon.biz
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-20 00:29:08 UTC
             Modifier: kadmin/ad...@creedon.biz
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

From: Benjamin Kaduk
Sent: Thursday, December 22, 2016 10:35:56 AM
To: Ted Creedon
Cc: Michael Meffie; openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect something
> like a missing .align 64
> tedc
>
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   Issued                Expires        Principal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and
cannot be used to get a new service ticket for AFS.  Running 'kinit' should
prompt for admin's password and get things into a workable state where
aklog has a chance at succeeding.

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 06:07:08AM +, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect something
> like a missing .align 64
> tedc
>
> ad...@creedon.biz's Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: ad...@creedon.biz
>
>   Issued                Expires        Principal
> Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

This is the important part; the local TGT in the cache has expired and
cannot be used to get a new service ticket for AFS.  Running 'kinit' should
prompt for admin's password and get things into a workable state where
aklog has a chance at succeeding.

-Ben
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
Heimdal set the ticket up..(I think)
So how does one login krbtgt?
PS making progress on the glibc/swig bug
Suse Leap uses glibc 2.22 the current is 2.24, offhand I suspect something
like a missing .align 64
tedc

ad...@creedon.biz's Password:
ookpik:/data1/openafs-1.8.0pre1 # klist
Credentials cache: FILE:/tmp/krb5cc_0
Principal: ad...@creedon.biz

  Issued                Expires        Principal
Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz

kadmin> get krbtgt*
            Principal: krbtgt/creedon@creedon.biz
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-17 01:03:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-17 01:03:08 UTC
             Modifier: kadmin/ad...@creedon.biz
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

            Principal: krbtgt/creedon@creedon.biz
    Principal expires: never
     Password expires: never
 Last password change: 2016-12-20 00:29:08 UTC
      Max ticket life: unlimited
   Max renewable life: unlimited
                 Kvno: 1
                Mkvno: unknown
Last successful login: never
    Last failed login: never
   Failed login count: 0
        Last modified: 2016-12-20 00:29:08 UTC
             Modifier: kadmin/ad...@creedon.biz
           Attributes:
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1], des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
          PK-INIT ACL:
              Aliases:

From: Michael Meffie
Sent: Wednesday, December 21, 2016 6:15:58 AM
To: Ted Creedon
Cc: openafs-info@openafs.org
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user

On Wed, 21 Dec 2016 02:21:13 + Ted Creedon wrote:
> if
> KRB5CCNAME="FILE:/tmp/krb5cc_0"
> is set
>
> one gets:
>
> aklog -d
> Authenticating to cell creedon.biz (server ookpik.creedon.biz).
> Trying to authenticate to user's realm CREEDON.BIZ.
> Getting tickets: afs/creedon@creedon.biz
> Kerberos error code returned by get_cred : -1765328352
> aklog: Couldn't get creedon.biz AFS tickets:
> aklog: Ticket expired while getting AFS tickets

Thanks for testing 1.8.0pre1 Ted.

That error code indicates the ticket has expired,
krb5 error -1765328352 = KRB5KRB_AP_ERR_TKT_EXPIRED

What does klist show?

Thanks,
Mike
Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Wed, 21 Dec 2016 02:21:13 + Ted Creedon wrote:
> if
> KRB5CCNAME="FILE:/tmp/krb5cc_0"
> is set
>
> one gets:
>
> aklog -d
> Authenticating to cell creedon.biz (server ookpik.creedon.biz).
> Trying to authenticate to user's realm CREEDON.BIZ.
> Getting tickets: afs/creedon@creedon.biz
> Kerberos error code returned by get_cred : -1765328352
> aklog: Couldn't get creedon.biz AFS tickets:
> aklog: Ticket expired while getting AFS tickets

Thanks for testing 1.8.0pre1 Ted.

That error code indicates the ticket has expired,
krb5 error -1765328352 = KRB5KRB_AP_ERR_TKT_EXPIRED

What does klist show?

Thanks,
Mike
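Mike's message decodes the raw number aklog printed (-1765328352 is KRB5KRB_AP_ERR_TKT_EXPIRED), and Ben's later reply points at the `>>>Expired<<<` TGT line in klist output as the important part. The following is an added example, not code from the thread or from OpenAFS, Heimdal or MIT: it does both steps mechanically. The assumptions are that the krb5 com_err table starts at -1765328384 (ERROR_TABLE_BASE_krb5) with the RFC 4120 protocol error codes as its first offsets, which is how the page's -1765328352 becomes offset 32; the short list of named codes is taken from RFC 4120; the two klist listings are constructed in Heimdal's layout from the values shown in the thread, with `admin@creedon.biz` standing in for the archive's obfuscated principal; and all function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: turn the raw com_err numbers that
# aklog and libkrb5 print into a table offset and, for the protocol codes,
# a name; and read a Heimdal-style klist listing to say whether the TGT has
# expired, which Ben identified as the important part. Assumption: the krb5
# error table starts at -1765328384 (ERROR_TABLE_BASE_krb5) and its first
# 128 offsets are the RFC 4120 protocol error codes, which is how Mike's
# -1765328352 becomes offset 32 = KRB5KRB_AP_ERR_TKT_EXPIRED.

KRB5_ERR_BASE=-1765328384

# Offset of a code inside the krb5 com_err table (a table holds 256 codes),
# or "other" when the number belongs to some other table.
krb5_err_offset() {
    off=$(( $1 - KRB5_ERR_BASE ))
    if [ "$off" -ge 0 ] && [ "$off" -lt 256 ]; then
        echo "$off"
    else
        echo other
    fi
}

# Name a few RFC 4120 protocol codes. Offsets 128 and up are library-local
# codes whose names differ between Heimdal and MIT, so they stay UNKNOWN;
# a number its com_err tables cannot resolve is also why aklog printed
# "unknown RPC error" for -1765328189 in the thread.
krb5_err_name() {
    off=$(krb5_err_offset "$1")
    case "$off" in
        other) echo NOT_KRB5_TABLE ;;
        6)  echo KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ;;
        7)  echo KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ;;
        23) echo KRB5KDC_ERR_KEY_EXP ;;
        24) echo KRB5KDC_ERR_PREAUTH_FAILED ;;
        25) echo KRB5KDC_ERR_PREAUTH_REQUIRED ;;
        31) echo KRB5KRB_AP_ERR_BAD_INTEGRITY ;;
        32) echo KRB5KRB_AP_ERR_TKT_EXPIRED ;;
        33) echo KRB5KRB_AP_ERR_TKT_NYV ;;
        37) echo KRB5KRB_AP_ERR_SKEW ;;
        *)  echo "UNKNOWN(krb5+$off)" ;;
    esac
}

# Read klist output on stdin; report the state of the krbtgt/ entry:
#   none    - no krbtgt/ entry at all (run kinit)
#   expired - Expires column shows >>>Expired<<< (run kinit)
#   valid   - a krbtgt/ entry with an expiry timestamp
tgt_state() {
    state=none
    while IFS= read -r line; do
        case "$line" in
            *">>>Expired<<<"*krbtgt/*) state=expired; break ;;
            *krbtgt/*)                state=valid ;;
        esac
    done
    echo "$state"
}

# Constructed listings in Heimdal's klist layout, modelled on the thread.
KLIST_EXPIRED='Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@creedon.biz

  Issued                Expires        Principal
Dec 21 21:52:59 2016  >>>Expired<<<  krbtgt/creedon@creedon.biz'

KLIST_VALID='Credentials cache: FILE:/tmp/krb5cc_0
Principal: admin@creedon.biz

  Issued                Expires               Principal
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  krbtgt/creedon@creedon.biz
Dec 22 15:33:01 2016  Jun 23 07:32:57 2017  afs/creedon@creedon.biz'

demo() {
    for code in -1765328352 -1765328189 2; do
        printf '%s -> offset %s, %s\n' "$code" \
            "$(krb5_err_offset "$code")" "$(krb5_err_name "$code")"
    done
    printf 'expired listing: %s\n' "$(printf '%s\n' "$KLIST_EXPIRED" | tgt_state)"
    printf 'valid listing:   %s\n' "$(printf '%s\n' "$KLIST_VALID" | tgt_state)"
}

demo
```

On a live system the same check is `klist | tgt_state`; anything but valid means the next aklog run cannot get an afs/ service ticket no matter how the AFS side is configured, which is the ordering Ben and Mike insist on: fix the Kerberos side first, then look at aklog.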