Jonathan Nilsson wrote:
On Fri, Feb 26, 2010 at 10:44, Brandon S. Allbery KF8NH
<allb...@ece.cmu.edu> wrote:
On Feb 26, 2010, at 13:24 , Jonathan Nilsson wrote:
[09:57 r...@afs1 ~]# kvno -c /tmp/krb5cc_0 afs
a...@ss2k-devel.uci.edu: kvno = 2
[09:57 r...@afs1 ~]# kvno -c /tmp/krb5cc_0 afs/mycell.edu
afs/mycell.edu@MYCELL.EDU: kvno = 2
You put both of these in the KeyFile? With the same kvno? This
will break, because the KeyFile doesn't contain principals, and
picks entries by kvno. You'll need to change one of them and then
regenerate the KeyFile.
Hmm, part of that is a text-replacement error... oops, I was trying to
obfuscate my real REALM name, but clearly failed. That line should read
"a...@mycell.edu" to be consistent with the rest
of my output.
However, I'm not sure what you mean by "both of those in the KeyFile" -
my output of asetkey and bos listkeys shows that I only have one key in
the KeyFile:
[09:57 r...@afs1 ~]# asetkey list
kvno 2: key is: <key_obscured>
All done.
[10:01 r...@afs1 ~]# bos listkeys afs1 -localauth
key 2 has cksum 1847647929
Keys last changed on Fri Feb 26 10:00:22 2010.
All done.
However, in my Kerberos ticket cache I do indeed have two tickets with
the same kvno.
I'm speculating, but that would be a problem with how Windows implements
the "ktpass mapuser" function and then returns tickets for a mapped user
with the same kvno as the principal. So both the user "afs" and the
principal "afs/mycell.edu" are returning tickets
with the same kvno. And I don't think there are separate entries for
these principals in the Kerberos database.
I'll try changing the password on the "afs" user account and then see
what kvno I get.
Try using a name other than afs for the account name as it can confuse
the issue. The use of afs@<REALM> is obsolete. Using afs/<cell>@<REALM>
can allow multiple cells to use the same Kerberos realm.
Otherwise, is there a way for aklog to not bother getting a ticket for
the "a...@mycell.edu" principal, and just use
"afs/mycell.edu@MYCELL.EDU"?
--
Jonathan Nilsson, jnils...@uci.edu
Social Sciences Computing Services
949.824.1536, 4110 SSPA, UC Irvine
--
brandon s. allbery [solaris,freebsd,perl,pugs,haskell]
allb...@kf8nh.com
system administrator [openafs,heimdal,too many hats]
allb...@ece.cmu.edu
electrical and computer engineering, carnegie mellon university KF8NH
--
Douglas E. Engert <deeng...@anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444