Date: Wed, 26 Aug 2009 12:51:06 +0200
On 26/08/09 00:08, Eve V. E. Kovacs wrote:
> I just upgraded one of our systems to SL5 and now one of our users
> is having problems ssh'ing to minos06.fnal.gov. Everything still works on
> all the SL4 systems.
> The problem she is having has something to do with the change in kinit
> and aklog in SL5. She gets her ticket using kinit and then ssh'es to
> minos06. The error she gets on logging in is:
>
> aklog: Couldn't determine realm of user:)aklog: unknown RPC error
> (-1765328189) while getting lm
> /usr/X11R6/bin/xauth: timeout in locking authority file
"No credentials cache found"
> On minos06, the users' home area is an /afs file system. When she logs in,
> she can't touch her own files. So clearly, she is not getting her AFS
> token correctly on the SL5 system.
probably rather a non-forwarded ticket to the system at FNAL, so cannot
convert to AFS token over there, so no AFS access. Stock OpenSSH does not
know anything about AFS tokens, just Kerberos aka GSSAPI.
Suggest:
$ /usr/kerberos/bin/kinit -f [log in to unmask]
$ ssh -v -2 [log in to unmask]
(should say
..
Next authentication method: gssapi-with-mic
Delegating credentials
..
)
and on remote: run "klist -f; tokens" to see whether your credentials
have made it.
If issue is gone with this, edit /etc/krb5.conf to have
[libdefaults]
..
forwardable = true
> As suggested in some messages of a few days ago, I tried aliasing
> kinit to
> /usr/kerberos/bin/kinit ; /usr/bin/aklog
> But now, when she tries to get her ticket before ssh'ing to minos06
> she gets the error:
> aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))
Check that your local AFS config is OK - if OpenAFS expects things under
/usr/vice/etc, you should have at least ThisCell and CellServDB in there.
cheers
jan
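
Added example, not part of the message above: the checks suggested in the reply (forwardable TGT, "Delegating credentials" in the ssh -v output, forwardable = true under [libdefaults]) written as shell functions that read the relevant text on stdin. The function names are hypothetical, the sample text is constructed, and the klist -f layout (a krbtgt line followed by a "Flags:" field, F = forwardable, f = forwarded) is assumed to be the MIT Kerberos one.

```shell
#!/bin/sh
# Added example; all sample text below is constructed, not captured output.

# tgt_has_flag LETTER: `klist -f` output on stdin. Succeeds if the krbtgt
# entry's Flags field contains LETTER (F = forwardable, f = forwarded).
tgt_has_flag() {
    awk -v want="$1" '
        /krbtgt\//          { in_tgt = 1; next }
        in_tgt && /Flags:/  { sub(/.*Flags:[ \t]*/, ""); found = (index($0, want) > 0); exit }
        in_tgt && /^[^ \t]/ { in_tgt = 0 }  # next ticket began, no flags seen
        END                 { exit(found ? 0 : 1) }
    '
}

# libdefaults_forwardable: krb5.conf on stdin. Succeeds only if the
# forwardable setting sits in [libdefaults] and is true.
libdefaults_forwardable() {
    awk '
        /^[ \t]*\[/ { sect = $0; gsub(/[ \t]/, "", sect); next }
        sect == "[libdefaults]" && /^[ \t]*forwardable[ \t]*=/ {
            v = tolower($0); sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            ok = (v == "true" || v == "yes" || v == "on")
        }
        END { exit(ok ? 0 : 1) }
    '
}

# ssh_delegated: `ssh -v` debug output on stdin.
ssh_delegated() { grep -q 'Delegating credentials'; }

KLIST_PLAIN='Default principal: user@EXAMPLE.ORG
08/26/09 12:00:00  08/27/09 12:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        Flags: IA'
KLIST_FWDABLE='Default principal: user@EXAMPLE.ORG
08/26/09 12:00:00  08/27/09 12:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 09/02/09 12:00:00, Flags: FRIA'
KRB5_CONF='[libdefaults]
 default_realm = EXAMPLE.ORG
 forwardable = true'

for name in KLIST_PLAIN KLIST_FWDABLE; do
    eval "text=\$$name"
    if printf '%s\n' "$text" | tgt_has_flag F; then s=forwardable; else s="NOT forwardable"; fi
    echo "$name: TGT is $s"
done
if printf '%s\n' "$KRB5_CONF" | libdefaults_forwardable; then echo "krb5.conf: forwardable by default"; fi
```

On a live system the same functions take real input: klist -f | tgt_has_flag F on the client before ssh, and klist -f | tgt_has_flag f on the remote host to confirm that a forwarded ticket arrived.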