Re: [OpenAFS] OpenAFS with GDM in Ubuntu 22.04 (or 20.04)?
I usually start the user@.services with the following ExecStart line: ExecStart=-/bin/bash -c "if [ $(id -u %i) -ge LIMIT ]; then export KRB5CCNAME=/run/krb-caches/krb5cc_$(id -u %i); aklog fi; exec /usr/lib/systemd/systemd --user" The assumptions are: - LIMIT is a user id limit, ids below are treated as machine-local and system users which don't have valid Kerberos credentials - kerberos cache filenames are known (no random files) - no use of PAG (as Jeffrey explained) or your services will lose access to AFS after a while (maybe a helper service could refresh systemd's token periodically) - the cache was filled by some upstream process (ssh or other login) - this means, ssh must adhere to this convention as well, which requires a small patch to sshd. Otherwise it instructs libkrb to use a random file. This would leave the pre-known cache file empty in case the ssh login is the first ever login, like on a server. I can send you the patch if interested. Kind regards, –Michael ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/12/2022 11:49 AM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote: Todo the setup of the cell I was following the instrtuctions from Debian 9. So I have done: kadmin.local addprinc -randkey -e des-cbc-crc:v4 afs ktadd -k /root/afs.keytab -e des-cbc-crc:v4 afs getprinc afs quit There are a couple of things wrong with these directions. 1. The service principal that should be created is "afs/" not "afs". 2. The encryption types that must be added are afs256-cts-hmac-sha1-96 and rc4-hmac (if you wish to support Windows clients) smime.p7s Description: S/MIME Cryptographic Signature
[OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
The error means that the server does not support the requested encryption type. You may have a look here for the list of krb5 error codes: https://www.netmeister.org/blog/krb5-error-codes-table.html If you run MIT kerberos, you can run aklog as: $ KRB5_TRACE=/dev/stderr aklog which should present you with a detailed trace of the kerberos communication. It could help you find out which server denies the request and what else has been tried by the client. Kind regards, –Michael ___ OpenAFS-info mailing list OpenAFS-info@openafs.org https://lists.openafs.org/mailman/listinfo/openafs-info
Re: [OpenAFS] aklog: unknown RPC error (-1765328370) while getting AFS tickets
On 9/12/2022 10:10 AM, Jose M Calhariz (jose.calha...@tecnico.ulisboa.pt) wrote: Hi, I have setup a test cell of OpenAFS 1.6.x, Debian 9. For testing the upgrade to Debian 11. When I do the initial setup of the cell and do the first aklog I get the following error: aklog: unknown RPC error (-1765328370) while getting AFS tickets How do I get the meaning of this error? This error number is not on Google. I have just tested the aklog command on the client against another cell and it worked. So my problem is the new cell. The error is Kerberos v5 error KRB5KDC_ERR_ETYPE_NOSUPP, "KDC has no support for encryption type". Is the OpenAFS client version older than 1.6.5? Prior to 1.6.5 aklog explicitly requested AFS service tickets with a DES-CBC-CRC session key. Alternatively, the AFS service principal for the test cell might have been created without an AES key. Jeffrey Altman smime.p7s Description: S/MIME Cryptographic Signature