sized types and more krb lib lossage...
Assar Westerlund
assar at sics.se
Mon Mar 2 22:31:08 CET 1998
John Hawkinson <jhawk at MIT.EDU> writes:
> error getting ticket for SIPB.MIT.EDU
> Getting root...
> arla loop started
> arla> cred-stat
> 1(100) credentials
> cred = 0, type = 0, securityindex = 0
> cell = 0, refcount = 1, killme = 0
>
> arla>
>
> and things worked w/o authentication. Interestingly:
right.
> Breakpoint 1, main (argc=2, argv=0xeffff644)
> at /afs/sipb/project/arla/src/arla/arlad/arla.c:450
> 450 char *realm = strdup(cell_getthiscell ());
> (gdb) next
> 452 strupr(realm);
> (gdb) next
> 454 if (get_cred("afs","",realm, &krbdata.c)p) {
> (gdb) print realm
> $1 = 0x1dfea8 "SIPB.MIT.EDU"
> (gdb) call strcpy(realm,"ATHENA.MIT.EDU")
> $2 = 1965736
> (gdb) c
> Continuing.
> Getting root...
> arla loop started
> arla> cred-stat
> 2(100) credentials
> cred = 0, type = 0, securityindex = 0
> cell = 0, refcount = 1, killme = 0
>
> cred = 10786, type = 1, securityindex = 2
> cell = 90, refcount = 0, killme = 0
So you retrieved a ticket for `afs@ATHENA.MIT.EDU' and it worked? Did
you manage to fetch any files?
> | And why is it getting wrong key version against athena.mit.edu?
>
> Is that a key *version* issue? I'm a bit puzzled where the
I thought it was.
> volcache: VL_GetEntryByName(root.afs) failed: 19270408
>
> is coming from, though, since RXKADUNKNOWNKEY only seems to be
> returned by decode_krb4_ticket(), which gets called via a function
> pointer that gets initialized in rxkad_NewServerSecurityObject, which
> doesn't seem to get called anywhere and doesn't seem to be in the
> final binary.
I'm confused. I thought that you set the function pointer in the
rxkad server object to a function that retrieved keys from, for
example, a KeyFile and when that function failed you would get back
RXKADUNKNOWNKEY?
Can it be that you have an old `afs@ATHENA.MIT.EDU' principal with a
different key and kvno than the current
`afs.athena.mit.edu@ATHENA.MIT.EDU'?
> So, this seems to fix things, but obviously isn't right:
I did it this way which seems to work for me (against sipb.mit.edu and
athena.mit.edu) :-)
#ifdef KERBEROS
    {
        int ret;
        const char *this_cell = cell_getthiscell ();
        /* Take the realm from a db server of the cell, not from the cell name. */
        char *db_server = kocell_findnamedbbyname (this_cell);
        char *realm = krb_realmofhost (db_server);

        /* Try afs.<cell>@REALM first, then fall back to afs@REALM. */
        ret = get_cred("afs", this_cell, realm, &krbdata.c);
        if (ret)
            ret = get_cred("afs", "", realm, &krbdata.c);

        if (ret) {
            ARLADEB(ADEBINIT, ("error getting ticket for %s\n",
                               realm));
        } else if (cred_add_krb4(getuid(), &krbdata.c) == NULL) {
            ARLADEB(ADEBINIT, ("Could not insert tokens to arla\n"));
        }
    }
#endif
/assar
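
Added example, not part of the original post and not Arla or Kerberos library code: a self-contained model of why upper-casing the cell name gives the wrong realm for sipb.mit.edu while a lookup keyed on the db server's host name does not, and of the order in which the two service principals are then tried. The realm table, the host name db1.sipb.mit.edu and the helper functions are constructed for illustration; the lookup is a simplified stand-in for a host-to-realm mapping.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed krb.realms-style table: host or ".domain" -> realm. */
static const struct { const char *key, *realm; } realms[] = {
    { ".mit.edu", "ATHENA.MIT.EDU" } };

/* Realm guessed by upper-casing a name, as strupr(realm) did in the gdb session. */
static void upcase(const char *s, char *out, size_t n)
{
    size_t i;
    for (i = 0; s[i] != '\0' && i + 1 < n; i++)
        out[i] = (char)toupper((unsigned char)s[i]);
    out[i] = '\0';
}

static const char *lookup(const char *key)
{
    for (size_t i = 0; i < sizeof(realms) / sizeof(realms[0]); i++)
        if (strcmp(realms[i].key, key) == 0)
            return realms[i].realm;
    return NULL;
}

/* Hypothetical helper: exact host entry, then each enclosing ".domain",
 * else the upper-cased domain. Expects lower-case host names. */
static void realm_from_host(const char *host, char *out, size_t n)
{
    const char *first = strchr(host, '.'), *r = lookup(host);
    for (const char *d = first; r == NULL && d != NULL; d = strchr(d + 1, '.'))
        r = lookup(d);
    if (r != NULL) snprintf(out, n, "%s", r);
    else           upcase(first != NULL ? first + 1 : host, out, n);
}

/* Principal tried at each step: 0 = afs.<cell>@REALM, otherwise afs@REALM. */
static void candidate(int step, const char *cell, const char *realm, char *out, size_t n)
{
    if (step == 0) snprintf(out, n, "afs.%s@%s", cell, realm);
    else           snprintf(out, n, "afs@%s", realm);
}

int main(void)
{
    char old[64], realm[64], p[128];
    upcase("sipb.mit.edu", old, sizeof old);
    realm_from_host("db1.sipb.mit.edu", realm, sizeof realm); /* constructed host */
    candidate(0, "sipb.mit.edu", realm, p, sizeof p);
    printf("from cell name: %s, from db host: %s, first try: %s\n", old, realm, p);
    return 0;
}
```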