SCIENTIFIC-LINUX-USERS Archives

August 2004

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: Connie Sieh <[log in to unmask]>
Reply To: Connie Sieh <[log in to unmask]>
Date: Mon, 9 Aug 2004 11:41:58 -0500
Content-Type: TEXT/PLAIN

Troy,

On Mon, 9 Aug 2004, Troy Dawson wrote:

> Hi,
> Well, here's the "works for me".
> I am logging in via ssh.  But it is the kerberized openssh that we have in
> contrib, not the plain openssh that normally comes with redhat (and hence
> scientific linux).  Other than the openssh, we found that we didn't need any
> other changes to get both kerberos tickets and afs tokens.
>
> # uname -a
> Linux handsome.fnal.gov 2.4.21-15.0.3.EL #1 Fri Jul 9 11:27:48 CDT 2004 x86_64
> x86_64 x86_64 GNU/Linux
>
> # cat /etc/redhat-release
> Scientific Linux SL Release 3.0.2 (SL)
>
> # rpm -qa | grep krb5
> krb5-libs-1.2.7-24
> krb5-workstation-1.2.7-24
> pam_krb5-1.73-1
> openafs-krb5-1.2.11-15.4.SL
> krb5-devel-1.2.7-24
> krb5-fermi-krb5.conf-1.8-LTS30x.6
>
> # rpm -qa | grep openssh
> openssh-3.6.1p2-33.30.1gss
> openssh-clients-3.6.1p2-33.30.1gss
> openssh-server-3.6.1p2-33.30.1gss

But that openssh is neither the Fermi one nor the "redhat" one, isn't it
the one you rebuilt that has real kerberos support?

-Connie Sieh
>
> # rpm -qa | grep afs
> krbafs-utils-1.1.1-11
> kernel-module-openafs-2.4.21-15.0.2.EL-1.2.11-15.5.SL
> openafs-1.2.11-15.5.SL
> openafs-client-1.2.11-15.5.SL
> openafs-krb5-1.2.11-15.4.SL
> kernel-module-openafs-2.4.21-15.0.3.EL-1.2.11-15.5.SL
> krbafs-1.1.1-11
> krbafs-devel-1.1.1-11
> kernel-module-openafs-2.4.21-15.0.3.ELsmp-1.2.11-15.5.SL
>
> # tokens
>
> Tokens held by the Cache Manager:
>
> User's (AFS ID 2526) tokens for [log in to unmask] [Expires Aug 12 18:22]
>     --End of list--
>
>
> Does this help at all, or do you want some more info on a working system?
> You do have the aklog=true in your /etc/krb5.conf file, don't you?
>
> Troy
>
> Stephan Wiesand wrote:
> > Hi,
> >
> > has anyone gotten this to work? My problem is that upon login
> > (by ssh as well as on the console), I get valid K4 and K5 tickets, but no
> > AFS token.
> >
> > Turning on debugging for pam_krb5afs yields log messages like these:
> >
> > ... [details about K4/5 ticket files, all looks good] ...
> > pam_krb5afs: k_setpag()
> > pam_krb5afs: k_setpag() returned 0
> > pam_krb5afs: afslog() to cell `ifh.de'
> > pam_krb5afs: afslog() returned 8
> > ...
> > pam_krb5afs: pam_sm_setcred returning 0 (Success)
> >
> > and after the timeout I'm logged in.
> >
> > Running /usr/kerberos/bin/afslog fails with
> >
> > afslog: Failed getting tokens for cell (local cell) in realm (local realm)
> >
> >
> > All this _does_ work for me with SL 3.0.2 (i386), and I'm fairly sure
> > my configuration there is identical. Also, running the afslog
> > executable from our 32bit Heimdal build on the Opteron works fine.
> >
> > Any hints? Even a "works for me" would help.
> >
> > Thanks,
> >         Stephan
> >
> > --
> >
> >  ----------------------------------------------------
> > | Stephan Wiesand  |                                |
> > |                  |                                |
> > | DESY     - DV -  | phone  +49 33762 7 7370        |
> > | Platanenallee 6  | fax    +49 33762 7 7216        |
> > | 15738 Zeuthen    |                                |
> > | Germany          | email  [log in to unmask] |
> >  ----------------------------------------------------
>
> --
> __________________________________________________
> Troy Dawson  [log in to unmask]  (630)840-6468
> Fermilab  ComputingDivision/CSS  CSI Group
> __________________________________________________
>
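
The symptom in the quoted debug output (afslog() returns non-zero while pam_sm_setcred still reports Success, so the login completes without an AFS token) can be checked mechanically. The following is an added example, not part of the original thread or of pam_krb5afs; it assumes a non-zero afslog() return means no token was obtained, and the `tokens` sample with its `afs@cell.example` principal is constructed.

```python
import re

# Constructed sample: the pam_krb5afs debug lines quoted in the thread.
SAMPLE_LOG = """\
pam_krb5afs: k_setpag()
pam_krb5afs: k_setpag() returned 0
pam_krb5afs: afslog() to cell `ifh.de'
pam_krb5afs: afslog() returned 8
pam_krb5afs: pam_sm_setcred returning 0 (Success)
"""

# Constructed `tokens` output; the principal is a placeholder.
SAMPLE_TOKENS = """\
Tokens held by the Cache Manager:

User's (AFS ID 2526) tokens for afs@cell.example [Expires Aug 12 18:22]
    --End of list--
"""

CELL_RE = re.compile(r"pam_krb5afs: afslog\(\) to cell [`'](?P<cell>[^`']+)'")
RC_RE = re.compile(r"pam_krb5afs: afslog\(\) returned (-?\d+)")
SETCRED_RE = re.compile(r"pam_krb5afs: pam_sm_setcred returning (-?\d+)")
TOKEN_RE = re.compile(r"tokens for \S+@(\S+) \[Expires")

def find_silent_afs_failures(log_text):
    """Return afslog() failures that were followed by a successful setcred."""
    findings, pending, cell = [], [], None
    for line in log_text.splitlines():
        if m := CELL_RE.search(line):
            cell = m.group("cell")          # remember which cell is attempted
        elif m := RC_RE.search(line):
            rc = int(m.group(1))
            if rc != 0:                     # assumption: non-zero means no token
                pending.append({"cell": cell, "afslog_rc": rc})
            cell = None
        elif m := SETCRED_RE.search(line):
            if int(m.group(1)) == 0:        # PAM let the login proceed anyway
                findings.extend(pending)
            pending = []
    return findings

def token_cells(tokens_text):
    """Cells for which `tokens` lists an unexpired token."""
    return {m.group(1) for m in TOKEN_RE.finditer(tokens_text)}

def cells_missing_token(log_text, tokens_text):
    """Cells whose afslog() failed at login and that still hold no token."""
    held = token_cells(tokens_text)
    return [f["cell"] for f in find_silent_afs_failures(log_text) if f["cell"] not in held]
```

Feeding it the session's syslog excerpt and the output of `tokens` from the same login shows whether a "successful" login actually left the user without AFS credentials.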
