Date: | Wed, 26 Aug 2009 09:38:13 -0500 |
Hi Eve,
The problem is that a plain SL5 ssh client does not do
GSSAPIDelegateCredentials and this is what is needed for you to get your
AFS credentials on minos06.
https://fermilinux.fnal.gov/documentation/security/ssh-client/
You don't have to have afs credentials on the machine you are coming from.
Troy
Eve V. E. Kovacs wrote:
> I just upgraded one of our systems to SL5 and now one of our users
> is having problems ssh'ing to minos06.fnal.gov. Everything still works on
> all the SL4 systems.
> The problem she is having has something to do with the change in kinit
> and aklog in SL5. She gets her ticket using kinit and then ssh'es to
> minos06. The error she gets on logging in is:
>
> aklog: Couldn't determine realm of user:)aklog: unknown RPC error
> (-1765328189) while getting lm
> /usr/X11R6/bin/xauth: timeout in locking authority file
>
> On minos06, the users' home area is an /afs file system. When she logs in,
> she can't touch her own files. So clearly, she is not getting her AFS
> token correctly on the SL5 system.
>
> As suggested in some messages of a few days ago, I tried aliasing
> kinit to
> /usr/kerberos/bin/kinit ; /usr/bin/aklog
> But now, when she tries to get her ticket before ssh'ing to minos06
> she gets the error:
> aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))
>
> I also tried
> aklog [log in to unmask]
> which gave the same error.
>
> Do I just have the syntax wrong, or is there some other setup I need to do
> to get aklog working correctly on SL5? (I think my krb5.conf file is ok,
> because she has no problem getting a kerberos ticket and ssh'ing to other
> hosts that don't use an /afs filesystem)
>
> Thanks
> Eve
>
--
__________________________________________________
Troy Dawson [log in to unmask] (630)840-6468
Fermilab ComputingDivision/LCSI/CSI LMSS Group
__________________________________________________
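
An added example, not part of the original message or of the Fermilab documentation: a small resolver that reports whether a given `ssh_config` would delegate Kerberos credentials to a host such as minos06, the setting Troy names above, and that the delegation does not extend to every other host. The two sample configs are constructed, the function names are hypothetical, and `Match` blocks are skipped as a simplification.

```python
import fnmatch
import re

# Constructed sample client configs (assumptions, not taken from the message).
PLAIN_CLIENT = """\
Host *
    GSSAPIAuthentication yes
"""
SCOPED_CLIENT = """\
# delegate the Kerberos ticket only to the AFS login host
Host minos06.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
"""

# "Keyword value" or "Keyword=value", as ssh_config allows.
LINE = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)")

def host_matches(patterns, hostname):
    """Host line semantics: a positive pattern must match and no negated one may."""
    pats = patterns.split()
    if any(fnmatch.fnmatchcase(hostname, p[1:]) for p in pats if p.startswith("!")):
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in pats if not p.startswith("!"))

def effective(config_text, hostname):
    """Return the options ssh would use for hostname (first value found wins)."""
    opts, active = {}, True          # lines before any Host apply to every host
    for raw in config_text.splitlines():
        m = LINE.fullmatch(raw.strip())
        if not m or raw.lstrip().startswith("#"):
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "host":
            active = host_matches(value, hostname)
        elif key == "match":
            active = False           # simplification: Match blocks are skipped
        elif active:
            opts.setdefault(key, value.lower())
    return opts

def delegates(config_text, hostname):
    """True when the client would forward Kerberos credentials to hostname."""
    o = effective(config_text, hostname)   # OpenSSH defaults both options to "no"
    return (o.get("gssapiauthentication", "no") == "yes"
            and o.get("gssapidelegatecredentials", "no") == "yes")
```

Running `delegates()` over the real `~/.ssh/config` and `/etc/ssh/ssh_config` text, in that order, mirrors the order in which the client reads them.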