SCIENTIFIC-LINUX-USERS Archives

August 2009

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Troy Dawson <[log in to unmask]>
Reply To: Troy Dawson <[log in to unmask]>
Date: Wed, 26 Aug 2009 09:38:13 -0500
Hi Eve,
The problem is that a plain SL5 ssh client does not do 
GSSAPIDelegateCredentials and this is what is needed for you to get your 
AFS credentials on minos06.

https://fermilinux.fnal.gov/documentation/security/ssh-client/

You don't have to have afs credentials on the machine you are coming from.
Troy

Eve V. E. Kovacs wrote:
> I just upgraded one of our systems to SL5 and now one of our users
> is having problems ssh'ing to minos06.fnal.gov. Everything still works on 
> all the SL4 systems. 
> The problem she is having has something to do with the change in kinit
> and aklog in SL5. She gets her ticket using kinit and then ssh'es to 
> minos06. The error she gets on logging in is:
> 
> aklog: Couldn't determine realm of user:)aklog: unknown RPC error 
> (-1765328189)  while getting       lm
> /usr/X11R6/bin/xauth:  timeout in locking authority file
> 
> On minos06, the users' home area is an /afs file system. When she logs in, 
> she can't touch her own files. So clearly, she is not getting her AFS 
> token correctly on the SL5 system.
> 
> As suggested in some messages of a few days ago, I tried aliasing
> kinit to
> /usr/kerberos/bin/kinit ; /usr/bin/aklog
> But now, when she tries to get her ticket before ssh'ing to minos06
> she gets the error:
> aklog: can't get afs configuration (afsconf_Open(/usr/vice/etc))
> 
> I also tried 
> aklog [log in to unmask] 
> which gave the same error.
> 
> Do I just have the syntax wrong, or is there some other setup I need to do 
> to get aklog working correctly on SL5? (I think my krb5.conf file is ok, 
> because she has no problem getting a kerberos ticket and ssh'ing to other 
> hosts that don't use an /afs filesystem)
> 
> Thanks
> Eve
> 


-- 
__________________________________________________
Troy Dawson  [log in to unmask]  (630)840-6468
Fermilab  ComputingDivision/LCSI/CSI LMSS Group
__________________________________________________
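
The client-side setting named in the reply above, as an added example that is not part of the original message: a shell check, run against a constructed sample ssh_config, of which hosts end up with GSSAPIDelegateCredentials enabled. The function names and `other.example.org` are hypothetical; since delegation forwards the Kerberos credentials to the remote host, the sample enables it only for minos06.fnal.gov.

```shell
# Added example, not from the original message. Parses Host blocks only
# (no Match, Include or "keyword=value" syntax).
# Constructed sample config: delegation only for the host named in the thread.
write_sample_config() {
    cat > "$1" <<'EOF'
Host minos06.fnal.gov
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
EOF
}

# host_matches HOST PATTERN...: true if a pattern matches and no "!pattern" does.
host_matches() {
    h=$1; shift; hit=1
    for pat in "$@"; do
        case $pat in
            '!'*) case $h in ${pat#?}) return 1 ;; esac ;;
            *)    case $h in $pat) hit=0 ;; esac ;;
        esac
    done
    return $hit
}

# gssapi_delegation CONFIG HOST: print the effective setting, "yes" or "no".
# ssh keeps the first value it obtains for a keyword, so file order decides.
gssapi_delegation() {
    active=0; value=no          # ssh's default for this keyword is "no"
    set -f                      # split Host patterns without globbing files
    while read -r kw rest; do
        kw=$(printf '%s' "$kw" | tr 'A-Z' 'a-z')
        case $kw in
            ''|'#'*) ;;
            host) if host_matches "$2" $rest; then active=0; else active=1; fi ;;
            gssapidelegatecredentials)
                if [ "$active" -eq 0 ]; then value=$(printf '%s' "$rest" | tr 'A-Z' 'a-z'); break; fi ;;
        esac
    done < "$1"
    set +f
    printf '%s\n' "$value"
}

cfg=$(mktemp) && write_sample_config "$cfg"
for target in minos06.fnal.gov other.example.org; do
    echo "$target: GSSAPIDelegateCredentials $(gssapi_delegation "$cfg" "$target")"
done
rm -f "$cfg"
```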
