Yes, it should, but it doesn't. See the conundrum in kadmin->get krbgtkt?
I.e., how can Principal: krbtgt/[email protected] have a ticket if it was
never logged in?
I'll try 7.1
tedc
See below:
kadmin> get krb*
Principal: krbtgt/[email protected]
Principal expires: never
Password expires: never
Last password change: 2016-12-17 01:03:08 UTC
Max ticket life: unlimited
Max renewable life: unlimited
Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2016-12-17 01:03:08 UTC
Modifier: kadmin/[email protected]
Attributes:
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1],
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
PK-INIT ACL:
Aliases:
Principal: krbtgt/[email protected]
Principal expires: never
Password expires: never
Last password change: 2016-12-20 00:29:08 UTC
Max ticket life: unlimited
Max renewable life: unlimited
Kvno: 1
Mkvno: unknown
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2016-12-20 00:29:08 UTC
Modifier: kadmin/[email protected]
Attributes:
Keytypes: aes256-cts-hmac-sha1-96(pw-salt)[1],
des3-cbc-sha1(pw-salt)[1], arcfour-hmac-md5(pw-salt)[1]
PK-INIT ACL:
Aliases:
________________________________________
From: Benjamin Kaduk <[email protected]>
Sent: Thursday, December 22, 2016 10:35:56 AM
To: Ted Creedon
Cc: Michael Meffie; [email protected]
Subject: Re: [OpenAFS] Re: aklog carps Couldn't determine realm of user
On Thu, Dec 22, 2016 at 06:07:08AM +0000, Ted Creedon wrote:
> Heimdal set the ticket up..(I think)
> So how does one login krbtgt?
> PS making progress on the glibc/swig bug
> Suse Leap uses glibc 2.22; the current is 2.24. Offhand, I suspect something
> like a missing .align 64
> tedc
>
> [email protected]'s Password:
> ookpik:/data1/openafs-1.8.0pre1 # klist
> Credentials cache: FILE:/tmp/krb5cc_0
> Principal: [email protected]
>
> Issued Expires Principal
> Dec 21 21:52:59 2016 >>>Expired<<< krbtgt/[email protected]
This is the important part; the local TGT in the cache has expired and cannot
be used to get a new service ticket for AFS. Running 'kinit' should prompt
for admin's password and get things into a workable state where aklog has
a chance at succeeding.
-Ben