On Mon, 2003-06-09 at 15:56, Douglas E. Engert wrote:
[EMAIL PROTECTED] henken $ ak5log -d
Authenticating to cell roughneck.liniac.upenn.edu.
Getting tickets: afs/[EMAIL PROTECTED]
About to resolve name henken to id
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 / @ UPENN.EDU
[EMAIL PROTECTED] henken $ klist
Ticket cache: FILE:/tmp/krb5cc_27659
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
06/09/03 15:59:06 06/10/03 01:59:05 krbtgt/[EMAIL PROTECTED]
06/09/03 16:00:46 06/10/03 01:59:05
afs/[EMAIL PROTECTED]
Kerberos 4 ticket cache: /tmp/tkt27659
klist: You have no tickets cached
[EMAIL PROTECTED] henken $ tok
tokens tokens.krb
[EMAIL PROTECTED] henken $ tokens
Tokens held by the Cache Manager:
User's (AFS ID 2) tokens for [EMAIL PROTECTED] [Expires Jun
10 01:55]
--End of list--
>
> Also do a klist and tokens commands after to see what else has changed.
>
> But this looks strange, I would have expected it to say:
>
> Setting tokens. AFS ID 2 / @ roughneck.liniac.upenn.edu
>
> I would expect the cell name here, not the K5 realm name.
> But you are running the aklog and the unmodified krb524 code. Our code in
> ak5log and in the conv_princ.c would have done this:
It does not look like this is happening -- fyi, there is no conv_princ.c
in the ak5log.30020606.tar. Did I grab the wrong source ?
>
> ! *
> ! * If the client is in the same K5 realm as this server, then this
> ! * K5 realm is considered to be able to hand out tickets for the
> ! * AFS cell(s). We need to make it look like to AFS that the user
> ! * is in the AFS cell, so we set the clients prealm to match the
> ! * AFS cell name. But we don't want to do this if the client
> ! * is not in the same K5 realm, since AFS does some cross cell
> ! * authentication, and this would violate that. The user should
> ! * still look like he is in the foriegn K5 realm.
> ! */
> ! if (!strcmp(sname, "afsx")) {
> ! if (!strcmp(prealm, dummy))
> ! strcpy(prealm, sinst) ;
> ! strcpy(sname,"afs");
> ! *sinst = '\0';
> ! *afsflag = 1; /* set that this is AFS and princ was changed */
> ! } else
> ! #endif /* AFS524 */
> ! *afsflag = 0; /* with or without the AFS524, set to zero */
> ! return(0);
> }
>
>
> >
> > [EMAIL PROTECTED] henken $ bos listusers roughneck.liniac.upenn.edu
> > SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
> >
> > [EMAIL PROTECTED] henken $ bos listkeys roughneck.liniac.upenn.edu
> > bos: you are not authorized for this operation error encountered while
> > listing keys
> >
>
> You need a token for oner of the people on the SUsers list above.
I am guessing that I am not getting this due to the:
Setting tokens. AFS ID 2 / @ UPENN.EDU
instead of roughneck.liniac.upenn.edu.
Nic
--
Nicholas Henke
Penguin Herder & Linux Cluster System Programmer
Liniac Project - Univ. of Pennsylvania
_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
