On Mon, 02 Apr 2007 08:36:07 -0700 Adam Chlipala <[EMAIL PROTECTED]> wrote:
> Adam Megacz wrote:
> > One catch: I can't rename your kerberos principals [*], and I don't
> > want to know your passwords (in order to create new principals). So,
> > adamc/docelic/mwolson, could you please: [stuff]
>
> The transcript of my session:
>
> $ ssh -p 2222 [EMAIL PROTECTED]
> Password for [EMAIL PROTECTED]:
> Password:
> Last login: Fri Mar 30 07:21:11 2007 from 1234bhost179.starwoodbroadband.com
> [EMAIL PROTECTED]:~$ sudo kadmin.local
> Authenticating as principal www-data/[EMAIL PROTECTED] with password.
> kadmin.local: ank -policy admin [EMAIL PROTECTED]
> Enter password for principal "[EMAIL PROTECTED]":
> Re-enter password for principal "[EMAIL PROTECTED]":
> add_principal: Principal or policy already exists while creating
> "[EMAIL PROTECTED]".
> kadmin.local: delprinc adamc/[EMAIL PROTECTED]
> Are you sure you want to delete the principal "adamc/[EMAIL PROTECTED]"?
> (yes/no): yes
> Principal "adamc/[EMAIL PROTECTED]" deleted.
> Make sure that you have removed this principal from all ACLs before reusing.
> kadmin.local:
>
> Things that seem weird:
> - Two password prompts on connecting with ssh
> - Authenticating as principal 'www-data/...'
> - Policy already exists
>
> Also, upon reconnecting (successfully, though again with two password
> prompts):
>
> ssh [EMAIL PROTECTED] -p 2222
> Password for [EMAIL PROTECTED]:
> Password:
> Last login: Mon Apr 2 11:31:59 2007 from 206.169.168.190
> [EMAIL PROTECTED]:~$ tokens
>
> Tokens held by the Cache Manager:
>
> --End of list--
> [EMAIL PROTECTED]:~$ kinit
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials

Ok, without too much diagnosis, I think this will help:

ssh to deleuze, login will succeed on second pw prompt.
sudo kadmin.local -p root/admin
cpw adamc_admin (set your password)
logout
ssh deleuze, and login should work on first try and you get your krb ticket/afs token automatically.

(And the www-data/admin is the first principal listed in ticket cache that sudo kadmin.local used. Since you didn't use -p adamc_admin, it authenticated by default as first entry from cache. Nothing serious, but I always manually specify -p <principal> so that the history record of who created and/or modified the entries is correct.)

_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
