sized types and more krb lib lossage...

John Hawkinson jhawk@MIT.EDU
Mon Mar 2 22:36:26 CET 1998


| So you retrieved a ticket for `afs@ATHENA.MIT.EDU' and it worked?  Did
| you manage to fetch any files?

No, that doesn't seem to function.

It turns out that afs@ATHENA.MIT.EDU is a legacy remnant and has no
significance whatsoever (sigh).

| > Is that a key *version* issue?  I'm a bit puzzled where the
|  
| I thought it was.

Yes, you're right.

| > volcache: VL_GetEntryByName(root.afs) failed: 19270408
| > 
| > is coming from, though, since RXKADUNKNOWNKEY only seems to be
| > returned by decode_krb4_ticket(), which gets called via a function
| > pointer that gets initialized in rxkad_NewServerSecurityObject, which
| > doesn't seem to get called anywhere and doesn't seem to be in the
| > final binary.
|  
| I'm confused.  I thought that you set the function pointer in the
| rxkad server object to a function that retrieved keys from, for
| example, a KeyFile and when that function failed you would get back
| RXKADUNKNOWNKEY?

Well, yes, but since rxkad_NewServerSecurityObject never gets called,
I'm not sure how the function pointer ever gets initialized.

| Can it be that you have an old `afs@ATHENA.MIT.EDU' principal with a
| different key and kvno than the current
| `afs.athena.mit.edu@ATHENA.MIT.EDU'?

Yup, that's right.

| > So, this seems to fix things, but obviously isn't right:
|  
| I did it this way which seems to work for me (against sipb.mit.edu and
| athena.mit.edu) :-)
|  
| #ifdef KERBEROS
| 	  {
| 	      int ret;
| 	      const char *this_cell = cell_getthiscell ();
| 	      char *db_server = kocell_findnamedbbyname (this_cell);
| 	      char *realm = krb_realmofhost (db_server);
| 	      
| 	      ret = get_cred("afs", this_cell, realm, &krbdata.c);
| 	      if (ret)
| 		  ret = get_cred("afs", "", realm, &krbdata.c);
|  
| 	      if (ret) {
| 		  ARLADEB(ADEBINIT, ("error getting ticket for %s\n",
| 				     realm));
| 	      } else if (cred_add_krb4(getuid(), &krbdata.c) == NULL) {
| 		  ARLADEB(ADEBINIT, ("Could not insert tokens to arla\n"));
| 	      }
| 	  }
| #endif

That looks fine. Note that afssys.c from kafs seems to go even further,
and I'm not sure if it's worth it:

  k_errno = -1;
  if(krealm){
    k_errno = get_cred(AUTH_SUPERUSER, cell, krealm, &c, &ticket);
    if(k_errno)
      k_errno = get_cred(AUTH_SUPERUSER, "", krealm, &c, &ticket);
  }

  if(k_errno)
    k_errno = get_cred(AUTH_SUPERUSER, cell, CELL, &c, &ticket);
  if(k_errno)
    k_errno = get_cred(AUTH_SUPERUSER, "", CELL, &c, &ticket);
  
  /* this might work in some conditions */
  if(k_errno && (vl_realm = realm_of_cell(cell))){
    k_errno = get_cred(AUTH_SUPERUSER, cell, vl_realm, &c, &ticket);
    if(k_errno)
      k_errno = get_cred(AUTH_SUPERUSER, "", vl_realm, &c, &ticket);
  }
  
  if(k_errno && lrealm){
    k_errno = get_cred(AUTH_SUPERUSER, cell, lrealm, &c, &ticket);


Thanks.

--jhawk
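An added example, not code from this post, from arla or from kafs: a small C model of the get_cred() fallback order in the quoted patch, and of why a stale legacy principal comes back as RXKADUNKNOWNKEY at the fileserver. get_cred() and rxkad_lookup_key() are stand-ins; the KDC table, the KeyFile and the kvno values are constructed for illustration.

```c
/* Added example, not arla or kafs code: a model of the get_cred()
 * fallback order and of why a stale legacy principal turns into
 * RXKADUNKNOWNKEY at the fileserver. The KDC table, the KeyFile and the
 * two stand-in functions are constructed for illustration. */
#include <stdio.h>
#include <string.h>

#define RXKADUNKNOWNKEY 19270408   /* value quoted in the thread */

struct kdc_entry { const char *name, *inst, *realm; int kvno; };

/* Constructed KDC database: krb4 name.instance@realm and its current kvno */
static const struct kdc_entry kdc[] = {
    { "afs", "",               "ATHENA.MIT.EDU", 3 },  /* legacy remnant, old key */
    { "afs", "athena.mit.edu", "ATHENA.MIT.EDU", 7 },  /* key the fileservers hold */
};

/* Constructed fileserver KeyFile for athena.mit.edu: kvnos it can decrypt */
static const int athena_keyfile[] = { 6, 7 };

/* Stand-in for get_cred(): 0 and *kvno filled in when the KDC knows the
 * principal, -1 otherwise (a real KDC would hand back a ticket here). */
static int get_cred(const char *name, const char *inst, const char *realm, int *kvno)
{
    size_t i;
    for (i = 0; i < sizeof kdc / sizeof kdc[0]; i++) {
        if (strcmp(kdc[i].name, name) == 0 && strcmp(kdc[i].inst, inst) == 0
            && strcmp(kdc[i].realm, realm) == 0) {
            *kvno = kdc[i].kvno;
            return 0;
        }
    }
    return -1;
}

/* Stand-in for the rxkad server-side key lookup: the ticket is only
 * decryptable if the KeyFile holds the kvno the KDC encrypted it under. */
static int rxkad_lookup_key(int kvno)
{
    size_t i;
    for (i = 0; i < sizeof athena_keyfile / sizeof athena_keyfile[0]; i++)
        if (athena_keyfile[i] == kvno)
            return 0;
    return RXKADUNKNOWNKEY;
}

/* Get an afs token for `cell` in `realm`. With cell_first set, try
 * afs.<cell>@realm before afs@realm (the order in the quoted patch);
 * otherwise the reverse. Returns 0 when the fileserver accepts the ticket,
 * RXKADUNKNOWNKEY when the KDC issued one under a key the server lacks,
 * -1 when no ticket could be obtained. `used` and `kvno` may be NULL. */
int acquire_afs_token(const char *cell, const char *realm, int cell_first,
                      const char **used, int *kvno)
{
    const char *order[2];
    int i, k = -1;

    order[0] = cell_first ? cell : "";
    order[1] = cell_first ? "" : cell;
    for (i = 0; i < 2; i++) {
        if (get_cred("afs", order[i], realm, &k) == 0) {
            if (used) *used = order[i];
            if (kvno) *kvno = k;
            return rxkad_lookup_key(k);
        }
    }
    return -1;
}

/* Which key version a given order ends up with, or -1 if no ticket at all. */
int token_kvno(const char *cell, const char *realm, int cell_first)
{
    int k = -1;
    return acquire_afs_token(cell, realm, cell_first, NULL, &k) == -1 ? -1 : k;
}

int main(void)
{
    const char *inst; int kvno, err;

    err = acquire_afs_token("athena.mit.edu", "ATHENA.MIT.EDU", 1, &inst, &kvno);
    printf("cell first:   afs%s%s kvno %d -> %d\n", *inst ? "." : "", inst, kvno, err);
    err = acquire_afs_token("athena.mit.edu", "ATHENA.MIT.EDU", 0, &inst, &kvno);
    printf("legacy first: afs%s%s kvno %d -> %d\n", *inst ? "." : "", inst, kvno, err);
    return 0;
}
```

With the cell instance tried first the token carries the kvno the fileservers hold; with the bare afs principal tried first the KDC happily issues a ticket, and only the rxkad key lookup on the server side rejects it, which is the split the thread describes (a ticket that "worked" but could not fetch files). For a cell with no afs.<cell> principal the code still falls back to the bare one, so the order only changes which principal wins when both exist.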
