At one point a while back I wrote code to support krb5 syntax, but didn't get it committed at the time since Derrick wanted to hold off.
-- Nathan

On Mon, Jun 09, 2003 at 03:29:28PM -0400, Derek Atkins wrote:
> Oh! How silly of me. AFS uses krb4 naming schemes, not krb5 naming
> schemes. This means that your krb5 principal
> afsadmin/roughneck.liniac.upenn.edu needs to be inserted into your
> PTS and BOS UserList as a krb4 name:
>
> afsadmin.roughneck.liniac.upenn.edu
>
> And you need the appropriate quoting around the embedded periods
> in the name (probably afsadmin.roughneck\.liniac\.upenn\.edu)
>
> -derek
>
> Nicholas Henke <[EMAIL PROTECTED]> writes:
>
> > On Mon, 2003-06-09 at 14:19, Douglas E. Engert wrote:
> > > Nicholas Henke wrote:
> > > >
> > > > On Mon, 2003-06-09 at 11:59, Douglas E. Engert wrote:
> > > > > I think you are asking if the ak5log I have can run with the standard
> > > > > Kerberos krb524 lib and krb524d.
> > > >
> > > > Sorry for the confusion -- yes that is what I was asking.
> > > > I have gotten ak5log to compile and run -- and it appears to be
> > > > succeeding.
> > >
> > > Was this with afs/<cell>@<realm> or with afsx/<cell>@<realm>?
> >
> > afs/[EMAIL PROTECTED] -- note that this works for
> > aklog as well as your ak5log.
> > >
> > > Is this just an admin problem?
> > >
> > > Does it work with an ordinary user?
> >
> > I am not sure -- I have not been able to even setup the toplevel of the
> > /afs space. So far it is just an admin problem.
> >
> > >
> > > You are trying to use a multipart user name, which might be making it harder.
> > > If you had a principal like henkeadmin@<realm> and gave the AFS user henkeadmin
> > > all privileges and listed it in /usr/afs/etc/UserList, I think that would work.
> > > (Each of our AFS admins has his own account so we don't have a shared afsadmin.)
> >
> > This would just include the membership in system:administrators and bos
> > adduser ? I have done this for my regular username:
> >
> > [EMAIL PROTECTED] etc]# bos adduser roughneck.liniac.upenn.edu henken
> > -cell roughneck.liniac.upenn.edu -noauth
> >
> > [EMAIL PROTECTED] etc]# pts createuser -name henken -cell
> > roughneck.liniac.upenn.edu -noauth
> > User henken has id 2
> >
> > [EMAIL PROTECTED] etc]# pts adduser henken system:administrators -cell
> > roughneck.liniac.upenn.edu -noauth
> >
> > [EMAIL PROTECTED] etc]# pts membership henken
> > libprot: a pioctl failed Could not get afs tokens, running
> > unauthenticated.
> > Groups henken (id: 2) is a member of:
> > system:administrators
> >
> > After this I stop the running bosserver -noauth, kill it and start afs.
> >
> > [EMAIL PROTECTED] henken $ klist
> > Ticket cache: FILE:/tmp/krb5cc_27659
> > Default principal: [EMAIL PROTECTED]
> >
> > Valid starting Expires Service principal
> > 06/09/03 14:26:30 06/10/03 00:26:27 krbtgt/[EMAIL PROTECTED]
> >
> >
> > Kerberos 4 ticket cache: /tmp/tkt27659
> > klist: You have no tickets cached
> > [EMAIL PROTECTED] henken $ aklog -d
> > Authenticating to cell roughneck.liniac.upenn.edu (server
> > roughneck.liniac.upenn.edu).
> > We've deduced that we need to authenticate to realm UPENN.EDU.
> > Getting tickets: afs/[EMAIL PROTECTED]
> > About to resolve name henken to id in cell roughneck.liniac.upenn.edu.
> > Id 2
> > Set username to AFS ID 2
> > Setting tokens. AFS ID 2 / @ UPENN.EDU
> >
> >
> > [EMAIL PROTECTED] henken $ bos listusers roughneck.liniac.upenn.edu
> > SUsers are: afsadmin.roughneck.liniac.upenn.edu henken
> >
> > [EMAIL PROTECTED] henken $ bos listkeys roughneck.liniac.upenn.edu
> > bos: you are not authorized for this operation error encountered while
> > listing keys
> >
> > >
> > > If you must use the multipart name, I don't think it gets converted
> > > like you might want. The krb524d appears to eventually call the
> > > krb5_524_conv_principal routine, and I don't see afsadmin listed.
> >
> > What other information can I provide ? It seems like I get the same
> > errors regardless of the use of ak5log over aklog or vice-versa. They
> > seem to be hitting the same problem.
> >
> > Nic
> > --
> > Nicholas Henke
> > Penguin Herder & Linux Cluster System Programmer
> > Liniac Project - Univ. of Pennsylvania
> >
> > _______________________________________________
> > OpenAFS-info mailing list
> > [EMAIL PROTECTED]
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
> --
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> [EMAIL PROTECTED] PGP key available

------------------------------------------------------------
Nathan Neulinger EMail: [EMAIL PROTECTED]
University of Missouri - Rolla Phone: (573) 341-4841
Computing Services Fax: (573) 341-4216
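
The krb5-to-krb4 renaming discussed in this thread (`afsadmin/roughneck.liniac.upenn.edu` written as `afsadmin.roughneck.liniac.upenn.edu`), as an added example that is not code from the thread or from OpenAFS. The function names, the `quote_instance_dots` switch and the sample UserList are hypothetical; the mapping rule is only the one Derek's reply describes, and the realm-to-cell relationship is not handled.

```python
def split_krb5_principal(principal):
    """Split a krb5 principal into (components, realm), honouring '\\' escapes."""
    comps, cur, realm, i = [], [], None, 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            cur.append(principal[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == "@":                     # first unescaped '@' starts the realm
            realm = principal[i + 1:]
            break
        if ch == "/":                     # unescaped '/' ends a component
            comps.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    comps.append("".join(cur))
    return comps, realm


def to_krb4_name(principal, quote_instance_dots=False):
    """Render name/instance@REALM as the krb4-style name.instance from the thread."""
    comps, _realm = split_krb5_principal(principal)
    if len(comps) > 2 or not all(comps):
        raise ValueError(f"no name.instance form for {principal!r}")
    name = comps[0]
    if "." in name:
        # the first '.' separates name from instance, so this would be ambiguous
        raise ValueError(f"'.' in first component of {principal!r}")
    if len(comps) == 1:
        return name
    instance = comps[1]
    if quote_instance_dots:               # the backslash quoting Derek suggests
        instance = instance.replace(".", "\\.")
    return f"{name}.{instance}"


def audit_userlist(entries):
    """Map each entry still written in krb5 syntax to its krb4-style spelling."""
    return {e: to_krb4_name(e) for e in entries if "/" in e}


# Constructed sample UserList using the two names that appear in the thread.
SAMPLE_USERLIST = ["afsadmin/roughneck.liniac.upenn.edu", "henken"]

if __name__ == "__main__":
    for old, new in audit_userlist(SAMPLE_USERLIST).items():
        print(f"{old} -> {new}")
```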
