Dj Merrill wrote:
>Douglas E. Engert wrote:
You have not said anything about the krb5 realm, or having added a principal to the realm's database.
Hi Douglas,
I have a completely working system using all RHEL 3.4 machines.
Krb5 is setup and working, corresponding principals are in the database, and RHEL 3.4 clients are functioning fine.
I'm trying to add RHEL 4 into the mix, and am running into problems obtaining tokens at login. I can login via Krb5, and I can get tokens via "afslog" after login. AFS seems to be working fine (after obtaining a token manually).
My best guess at this point is that the behaviour of the pam_krb5 module has changed from RHEL 3.4 to RHEL 4 (pam_krb5 version change from 1.73-1 to 2.1.2-1), and this is causing my problems.
As per the K5 migration info, I have an afs principal:
[EMAIL PROTECTED]
however, I note that the pam_krb5afs tries several other combinations, but not this one exactly.
What is the difference between the [EMAIL PROTECTED] above and the one below?
My apologies, I mistyped - that should have read that it tries:
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("[EMAIL PROTECTED]")
Apr 25 13:39:35 galactica sshd[28332]: pam_krb5[28332]: attempting to obtain tokens for "econ.duke.edu" ("afs/[EMAIL PROTECTED]")
It does NOT try [EMAIL PROTECTED], which is the correct entry in the database (according to Step 4, subsection 3 of the Krb 5 AFS migration kit). Please note that this works fine AS-IS for RHEL 3.4 machines.
Have you added the principal to the Krb5 realm? (Use the afs/[EMAIL PROTECTED] as this is afs/<cell>@<realm> which is what it tries first.)
If I change [EMAIL PROTECTED] to afs/[EMAIL PROTECTED], won't that break my existing and working RHEL 3.4 machines?
If you change it, yes it would break.
Or are you suggesting that I have both entries?
Yes.
Don't the kvno numbers have to match between the AFS Keyfile and Kerberos databases?
Yes as well as the key.
(I'm inferring this from the Krb migration kit), so I can only have one entry here?
No, the KeyFile can have 8 keys, each with a different kvno. The principal name is not stored in the KeyFile, just the DES keys and kvnos. Its size is 4 byte number of keys, + 8*( 8 byte des key + 4 byte kvno). So if the [EMAIL PROTECTED] uses a key with kvno 1, the afs/[EMAIL PROTECTED] could use kvno 30.
The AFS server will take the kvno and look up the key in the KeyFile.
Much of the confusion comes down to what is the difference between an AFS cell and a Kerberos Realm. When AFS came with Krb5 in the kaserver, they were essentially the same. But I like to view them as different, with the AFS cell accepting authentication tokens from a number of sources and an AFS user could be mapped from the credentials used to authenticate to the AFS cell. (gssklog with Globus is an example, as is using krb524d to remap krb5 principals to AFS users.)
In your krb5.conf file I don't see any references to the Kerberos realm of ECON.DUKE.EDU.
I didn't send a complete krb5.conf file as I was trying for brevity, but here it is:
  [logging]
   default = FILE:/var/log/krb5libs.log
   kdc = FILE:/var/log/krb5kdc.log
   admin_server = FILE:/var/log/kadmind.log

  [libdefaults]
   ticket_lifetime = 24000
   default_realm = ECON.DUKE.EDU
   dns_lookup_realm = false
   dns_lookup_kdc = false

  [realms]
   ECON.DUKE.EDU = {
    kdc = kdc-1.econ.duke.edu:88
    kdc = kdc-2.econ.duke.edu:88
    admin_server = kdc-1.econ.duke.edu:749
    default_domain = econ.duke.edu
   }

  [domain_realm]
   .econ.duke.edu = ECON.DUKE.EDU
   econ.duke.edu = ECON.DUKE.EDU

  [kdc]
   profile = /var/kerberos/krb5kdc/kdc.conf

  [appdefaults]
   pam = {
    debug = true
    ticket_lifetime = 86400
    renew_lifetime = 86400
    forwardable = true
    krb4_convert = true
    afs_cells = econ.duke.edu
    minimum_uid = 1000
   }
   afs_krb5 = {
    ECON.DUKE.EDU = {
     afs = true
    }
   }
Thanks again,
-Dj
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
OpenAFS-info mailing list
OpenAFS-info@openafs.org
https://lists.openafs.org/mailman/listinfo/openafs-info
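Added example, not part of the thread or of OpenAFS: a small Python reader/writer for the KeyFile layout Douglas describes (a 4-byte key count followed by 8 slots of a 4-byte kvno and an 8-byte DES key, 100 bytes in all), showing that the keys for two principals with different kvnos coexist in one file and that the server's lookup is by kvno alone, since no principal name is stored. The kvno-before-key order inside each slot is my assumption taken from OpenAFS's afsconf_key struct (the thread lists the fields the other way round), and the sample keys are constructed.

```python
import struct

# Assumed on-disk layout (big-endian afs_int32 fields, as in OpenAFS):
#   afs_int32 nkeys;
#   8 x { afs_int32 kvno; unsigned char key[8]; }
# Total: 4 + 8 * (4 + 8) = 100 bytes, the size quoted in the thread.
MAX_KEYS = 8
SLOT_SIZE = 4 + 8
KEYFILE_SIZE = 4 + MAX_KEYS * SLOT_SIZE


def build_keyfile(keys):
    """keys: list of (kvno, 8-byte DES key). Unused slots are zero-filled."""
    if len(keys) > MAX_KEYS:
        raise ValueError("KeyFile holds at most %d keys" % MAX_KEYS)
    body = b""
    for kvno, key in keys:
        if len(key) != 8:
            raise ValueError("DES key must be exactly 8 bytes")
        body += struct.pack(">i", kvno) + key
    body += b"\x00" * (SLOT_SIZE * (MAX_KEYS - len(keys)))
    return struct.pack(">i", len(keys)) + body


def parse_keyfile(data):
    """Return {kvno: key} for the populated slots; reject malformed files."""
    if len(data) != KEYFILE_SIZE:
        raise ValueError("KeyFile must be %d bytes" % KEYFILE_SIZE)
    (nkeys,) = struct.unpack(">i", data[:4])
    if not 0 <= nkeys <= MAX_KEYS:
        raise ValueError("bad key count %d" % nkeys)
    keys = {}
    for i in range(nkeys):
        off = 4 + i * SLOT_SIZE
        (kvno,) = struct.unpack(">i", data[off:off + 4])
        if kvno in keys:
            raise ValueError("duplicate kvno %d" % kvno)
        keys[kvno] = data[off + 4:off + SLOT_SIZE]
    return keys


def lookup_key(data, kvno):
    """What the fileserver does with a token's kvno: select the matching key."""
    return parse_keyfile(data).get(kvno)


# Constructed sample: kvno 1 for the existing principal, kvno 30 for the
# added afs/<cell>@<realm> principal, both living in one KeyFile.
SAMPLE_KEYS = [(1, bytes.fromhex("0123456789abcdef")),
               (30, bytes.fromhex("fedcba9876543210"))]
SAMPLE_KEYFILE = build_keyfile(SAMPLE_KEYS)
```

Each kvno here must still match the kvno of the corresponding principal's key in the KDC database, as the thread notes; this only shows that the two entries do not compete for a single slot.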