I spent a good portion of the evening trying to get Kerberos credential
passing to work on my home setup, but never got it to work.
I have a nagging suspicion that I'm misunderstanding something basic.
I'm running OpenSuSE 10.2 x86_64, with OpenAFS 1.4.4, krb5-1.5.1, and
OpenSSH 4.4p1, and
I believe krb5 forwarding requires a host principal for the
forwarding machine. Do you have one for your home machine?
--James
On Sep 6, 2007, at 11:06 AM, Ken Aaker wrote:
I spent a good portion of the evening trying to get Kerberos credential
passing to work on my home setup, but never
James Rogers wrote:
I believe krb5 forwarding requires a host principal for the
forwarding machine. Do you have one for your home machine?
No, I think you need the host key on the forwarded-to (server) machine. And
you need GSSAPIAuthentication in the ssh config on both the client and
Jim Rees wrote:
Even nicer would be token forwarding, like we had back in the good old days.
That would make it easier for those of us who need tokens in multiple cells.
But you can't have everything.
Why don't you write such a tool? It wouldn't be hard. In fact with
C-Kermit it would be
Jim Rees wrote:
James Rogers wrote:
I believe krb5 forwarding requires a host principal for the
forwarding machine. Do you have one for your home machine?
No, I think you need the host key on the forwarded-to (server) machine. And
you need GSSAPIAuthentication in the ssh config on
Ken Aaker [EMAIL PROTECTED] writes:
Thanks for the clues, I am probably missing the host principal. I did
try various settings of the GSSAPI ssh config parameters, but they
didn't seem to change the behavior. For the host principal, do I need to
have those in keytabs?
Yes, you should put it
Ken Aaker wrote:
Thanks for the clues, I am probably missing the host principal. I did
try various settings of the GSSAPI ssh config parameters, but they
didn't seem to change the behavior. For the host principal, do I need to
have those in keytabs?
The GSS config params to ssh won't do
Russ Allbery wrote:
Your original problem wasn't a PAM issue; it didn't get that far. It was
an ssh privilege delegation issue, in that your client wasn't even
forwarding the tickets. The ssh -K command-line option is useful here,
since it forces the command-line client to attempt privilege
Ken Aaker [EMAIL PROTECTED] writes:
FYI, I just ran across something, in the openssh versions I've been
using, 4.4p1 and 4.6p1, the -K option seems to have disappeared. -k is
still there, but the getopt() loop in ssh.c:main() doesn't have a 'K'
option. I had tried -K and got an invalid option
RA == Russ Allbery [EMAIL PROTECTED] writes:
RA It may be that this continues to be something provided by Simon's
RA patch which isn't being merged into OpenSSH for some reason.
4.7/4.7p1 release notes, hot off the press, explicitly list -K as synonym
for GSSAPIAuthentication=yes.
Another group in our department mounts web folders out of users home afs
space.
I recently moved several thousand user vols from one afs server to
another using vos move.
The folks running the web server reported that several of these
mountpoints were timing out on them.
This has happened
Steve Devine wrote:
Another group in our department mounts web folders out of users home afs
space.
I recently moved several thousand user vols from one afs server to
another using vos move.
The folks running the web server reported that several of these
mountpoints were timing out on them.
On Sep 6, 2007, at 13:06 , Steve Devine wrote:
Another group in our department mounts web folders out of users
home afs space.
I recently moved several thousand user vols from one afs server to
another using vos move.
The folks running the web server reported that several of these
Jim Rees wrote:
Ken Aaker wrote:
If it still won't work, try ssh -v to see whether it's attempting GSS
authentication. When it works you'll see something like this:
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password,keyboard-interactive
debug1: Next
Ken Aaker [EMAIL PROTECTED] writes:
It's really close, it's working from ralph to mars, but not from
mars to ralph.
I get 3 debug2: we sent a gssapi-with-mic packet, wait for reply
messages, then it fails over to password. The keytab files are identical
on the machines, and
On Thu, September 6, 2007 12:38 pm, Ken Aaker wrote:
Jim Rees wrote:
Ken Aaker wrote:
If it still won't work, try ssh -v to see whether it's attempting GSS
authentication. When it works you'll see something like this:
debug1: Authentications that can continue:
david l goodrich wrote:
I get 3 debug2: we sent a gssapi-with-mic packet, wait for reply
messages, then it fails over to password. The keytab files are identical
on the machines, and GSSAPIAuthentication is turned on in sshd_config on
both. Still something to do with the keytab on ralph?
Ken Aaker wrote:
Here's the klist output of my /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
--
3 host/[EMAIL PROTECTED]
3 host/[EMAIL PROTECTED]
2 host/[EMAIL PROTECTED]
2
Brandon S. Allbery KF8NH wrote:
Traditionally, port 7001/udp is all that is needed. The right thing
will happen if NAT translation takes place along the way, provided
the NAT device remembers the port translations for long enough (at
least 4 hours, IIRC).
I think ten minutes is
Jim Rees wrote:
Brandon S. Allbery KF8NH wrote:
Traditionally, port 7001/udp is all that is needed. The right thing
will happen if NAT translation takes place along the way, provided
the NAT device remembers the port translations for long enough (at
least 4 hours, IIRC).
I
On Sep 6, 2007, at 15:07 , Steve Devine wrote:
Jim Rees wrote:
I think ten minutes is enough, because that's how often the client pings
servers it cares about. I could be wrong.
Hmm what if the server is blocking ping / icmp ?
Blocking arbitrary ICMP is always bad juju.
But the ping
Steve Devine wrote:
Hmm what if the server is blocking ping / icmp ?
I meant server probe, as in afs_CheckServers(), which is a GetTime rpc on
the wire. Not icmp.
___
OpenAFS-info mailing list
OpenAFS-info@openafs.org
Steve Devine wrote:
Hmm what if the server is blocking ping / icmp ?
It's not really a ping. It's a probe performed using an RXAFS RPC.
Jeffrey Altman wrote:
Each host should only have its own keys.
The client principal is selected by the user not by the host.
The client principal comes from the user's credential cache.
Ok, I sorted that out, but it didn't make any difference in the
behavior. mars will still do
Jim Rees wrote:
Russ Allbery wrote:
Make sure you have a .k5login file in your home directory on both systems
that lists your Kerberos principal.
Isn't that only needed if your principal is not the same as your login name?
At this point I would usually start looking at the server logs.
Russ Allbery wrote:
Make sure you have a .k5login file in your home directory on both systems
that lists your Kerberos principal.
Isn't that only needed if your principal is not the same as your login name?
At this point I would usually start looking at the server logs.
Hi all,
Has anyone else seen issues with the OpenAFS client causing kernel panics
on startup on Solaris 10 update 4 (KJP 120011-14) SPARC? I find that the
servers start fine, but when /usr/vice/etc/afsd starts I get a panic. If
anyone would like, I can try to get a panic.
Thanks,
--
Coy
On Sep 6, 2007, at 22:05, Derrick J Brashear wrote:
On Thu, 6 Sep 2007, Coy Hile wrote:
Hi all,
Has anyone else seen issues with the OpenAFS client causing kernel panics
on startup on Solaris 10 update 4 (KJP 120011-14) SPARC? I find that the
servers start fine, but when
On 9/6/07, Robert Banz [EMAIL PROTECTED] wrote:
On Sep 6, 2007, at 22:05, Derrick J Brashear wrote:
On Thu, 6 Sep 2007, Coy Hile wrote:
Hi all,
Has anyone else seen issues with the OpenAFS client causing kernel panics
on startup on Solaris 10 update 4 (KJP 120011-14) SPARC? I
On Thu, 6 Sep 2007, Coy Hile wrote:
Hi all,
Has anyone else seen issues with the OpenAFS client causing kernel panics
on startup on Solaris 10 update 4 (KJP 120011-14) SPARC? I find that the
servers start fine, but when /usr/vice/etc/afsd starts I get a panic. If
anyone would like, I can