Can you post and compare your krb5.conf files? Are they identical? Have you asked someone at Stanford? This might be a specific configuration problem for that realm.
If you join the #kerberos IRC on Freenode, various people may be able to help you out interactively.

<<CDC

Mukarram Syed <[EMAIL PROTECTED]> wrote:
> Hi Again,
>
> Any suggestion will be appreciated.
>
> Thanks
>
> # mukarram
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mukarram Syed
> Sent: Friday, May 02, 2008 3:49 PM
> To: kerberos@mit.edu
> Subject: Suggestions on RHEL3 servers on Kerberos4 to Kerberos5 upgrade.
>
> Hi Kerberos Gurus.
>
> I have 2 servers, the problem is that when I ssh into the box on the
> server-notworking, I get both the .k5 and .k4 tickets:
>
> server-notworking > klist
> Ticket cache: FILE:/tmp/krb5cc_39728_T16049
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 05/02/08 15:18:47  05/03/08 16:18:45  krbtgt/[EMAIL PROTECTED]
> 05/02/08 15:18:47  05/03/08 16:18:45  afs/[EMAIL PROTECTED]
>
> Kerberos 4 ticket cache: /tmp/tkt39728_16049
> Principal: [EMAIL PROTECTED]
>
> Issued             Expires            Principal
> 05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]
> 05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]
>
> But on the server that's working, I only get the k5 tickets:
>
> server-working > klist
> Ticket cache: FILE:/tmp/krb5cc_39728_rJb29M
> Default principal: [EMAIL PROTECTED]
>
> Valid starting     Expires            Service principal
> 05/02/08 15:27:27  05/03/08 01:27:25  krbtgt/[EMAIL PROTECTED]
> 05/02/08 15:27:27  05/03/08 01:27:25  afs/[EMAIL PROTECTED]
>
> Kerberos 4 ticket cache: /tmp/tkt39728
> Principal: [EMAIL PROTECTED]
>
> Issued             Expires            Principal
> 04/30/08 23:42:56  05/02/08 01:09:17  [EMAIL PROTECTED]
>
> The only difference that I can see between the two klist command
> outputs is:
>
> 05/02/08 15:18:45  05/03/08 01:18:45  [EMAIL PROTECTED]
>
> What is this?
>
> Below is a comparison of the two servers.
>
> I will be upgrading krb5-SU-1.4.3-12.EL3 to krb5-SU-1.4.4-4.EL3 on the
> server-notworking. I don't think this will make a difference because
> I have already tried this on another server. I can't upgrade the
> kernel though to match the server that is working. The server that
> is not working is an actively used server.
>
> Also if I remove the .klogin file in my home directory on the
> server-notworking, I can't login to this box. I need both .klogin and
> .k5login files otherwise I get permission denied message when ssh'ing
> in.
>
> I don't have the .klogin file in the server that is working, only the
> .k5login file.
>
> Please advise.
>
> Thanks for your help.
>
> Regards
>
> # mukarram syed
>
> SYSTEM INFO
>
> server-notworking                           server-working
>
> 2.4.21-27.0.2.ELsmp                         2.4.21-50.ELsmp
> Red Hat Enterprise Linux AS release 3       Red Hat Enterprise Linux AS release 3
> (Taroon Update 4)                           (Taroon Update 9)
>
> STATUS
>
> Not getting the afs tokens without          Fully Functional. NO aklog -setpag option set.
> the aklog -setpag option in the shell
> startup scripts. Need .klogin and .k5login
> to be able to SSH. SSH won't work without
> .klogin file.
>
> OPENAFS RPMS
>
> openafs-1.4.2-1.1                             openafs-1.4.2-1.1
> openafs-client-1.4.2-1.1                      openafs-client-1.4.2-1.1
> openafs-kernel-smp-1.4.2-2.4.21_27.0.2.EL_1   openafs-kernel-smp-1.4.2-2.4.21_50.EL_1
> openafs-kernel-source-1.4.2-1.1               openafs-kernel-source-1.4.2-1.1
> openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1
>
> KRB5 RPMS
>
> krb5-devel-1.2.7-42                           krb5-devel-1.2.7-64
> krb5-libs-1.2.7-42                            krb5-libs-1.2.7-64
> krb5-SU-1.4.3-12.EL3                          krb5-SU-1.4.4-4.EL3
> openafs-krb5-1.4.2-1.1                        openafs-krb5-1.4.2-1.1
> pam_krb5-SU-3.8-1.EL3                         pam_krb5-SU-3.8-1.EL3
>
> PAM RPMS
>
> pam-0.75-62                                   pam-0.75-72
> pam-afs-session-1.5-1.EL3                     pam-afs-session-1.5-1.EL3
> pam-devel-0.75-62                             pam_ccreds-3-3.rhel3.2
> pam_krb5-SU-3.8-1.EL3                         pam-devel-0.75-72
> pam_passwdqc-0.7.5-1                          pam_krb5-SU-3.8-1.EL3
> pam_smb-1.1.7-1                               pam_passwdqc-0.7.5-1
>                                               pam_smb-1.1.7-1
>
> IMPORTANT FILES: CKSUMS/SIZES
>
> 782515666 1077 /etc/pam.d/system-auth         782515666 1077 /etc/pam.d/system-auth
> 292550411 160 /etc/krb.conf                   292550411 160 /etc/krb.conf
> 2006343950 4385 /etc/krb5.conf                3826595545 4386 /etc/krb5.conf
> 3068285566 267416 /usr/bin/aklog              1302602016 267416 /usr/bin/aklog
> 1323949453 19 /usr/vice/etc/CellAlias         1323949453 19 /usr/vice/etc/CellAlias
> 3556331601 16 /usr/vice/etc/ThisCell          3556331601 16 /usr/vice/etc/ThisCell
> 1399150640 446 /usr/vice/etc/CellServDB       514410920 208 /usr/vice/etc/CellServDB
>
> Also in the /etc/ssh/sshd_config file the only differences are (If I
> change it to no, on the server-notworking, I can't SSH, I get
> Permission denied errors):
>
> KerberosAuthentication yes                    KerberosAuthentication no
> KerberosOrLocalPasswd yes                     KerberosOrLocalPasswd no
> KerberosTicketCleanup yes                     KerberosTicketCleanup no
>
> SSH RPMS
>
> openssh-3.6.1p2-33.30.3                       openssh-3.6.1p2-33.30.14
> openssh-clients-3.6.1p2-33.30.3               openssh-askpass-3.6.1p2-33.30.14
> openssh-server-3.6.1p2-33.30.3                openssh-askpass-gnome-3.6.1p2-33.30.14
>                                               openssh-clients-3.6.1p2-33.30.14
>                                               openssh-server-3.6.1p2-33.30.14

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
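
The cksum and size columns in the thread show that the two /etc/krb5.conf files differ, but not in which setting. The following is an added example, not part of the original thread, that flattens two krb5.conf files into section/key paths and lists only the settings that differ; the sample configs, the EXAMPLE.ORG realm and the function names are constructed for illustration.

```python
import re

def parse_krb5_conf(text):
    """Flatten krb5.conf text into {"section/group/key": [values, ...]}."""
    settings, section, groups = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                          # blank line or comment
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:                            # new [section] resets nesting
            section, groups = header.group(1), []
            continue
        if line.startswith("}"):              # closes a "name = { ... }" group
            groups = groups[:-1]
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or section is None:
            continue                          # not a "key = value" relation
        if value == "{":                      # opens a nested group
            groups.append(key)
            continue
        settings.setdefault("/".join([section, *groups, key]), []).append(value)
    return settings

def diff_krb5_conf(a_text, b_text):
    """Return sorted (path, values_in_a, values_in_b) for settings that differ."""
    a, b = parse_krb5_conf(a_text), parse_krb5_conf(b_text)
    return [(k, a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)]

# Constructed sample files (not the poster's): one flag differs, one setting is extra.
CONF_A = """[libdefaults]
  default_realm = EXAMPLE.ORG
[realms]
  EXAMPLE.ORG = {
    kdc = kdc1.example.org
    kdc = kdc2.example.org
  }
[appdefaults]
  pam = {
    krb4_convert = true
  }
"""
CONF_B = "# edited copy\n" + CONF_A.replace("krb4_convert = true", "krb4_convert=false") \
    + "[libdefaults]\n\tforwardable = true\n"

if __name__ == "__main__":
    for path, a_val, b_val in diff_krb5_conf(CONF_A, CONF_B):
        print(f"{path}: {a_val} -> {b_val}")
```

Comment and whitespace changes, which alter a checksum, produce no entries here; a value of `None` means the setting is absent from that file.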