sized types and more krb lib lossage...
John Hawkinson
jhawk at MIT.EDU
Mon Mar 2 22:36:26 CET 1998
| So you retrieved a ticket for `afs at ATHENA.MIT.EDU' and it worked? Did
| you manage to fetch any files?
No, that doesn't seem to function.
It turns out that afs at ATHENA.MIT.EDU is a legacy remnant and has no
significance whatsoever (sigh).
| > Is that a key *version* issue? I'm a bit puzzled where the
|
| I thought it was.
Yes, you're right.
| > volcache: VL_GetEntryByName(root.afs) failed: 19270408
| >
| > is coming from, though, since RXKADUNKNOWNKEY only seems to be
| > returned by decode_krb4_ticket(), which gets called via a function
| > pointer that gets initialized in rxkad_NewServerSecurityObject, which
| > doesn't seem to get called anywhere and doesn't seem to be in the
| > final binary.
|
| I'm confused. I thought that you set the function pointer in the
| rxkad server object to a function that retrieved keys from, for
| example, a KeyFile and when that function failed you would get back
| RXKADUNKNOWNKEY?
Well, yes, but since rxkad_NewServerSecurityObject never gets called,
I'm not sure how the function pointer ever gets initialized.
| Can it be that you have an old `afs at ATHENA.MIT.EDU' principal with
| different key and kvno than the current
| `afs.athena.mit.edu at ATHENA.MIT.EDU'?
Yup, that's right.
| > So, this seems to fix things, but obviously isn't right:
|
| I did it this way which seems to work for me (against sipb.mit.edu and
| athena.mit.edu) :-)
|
| #ifdef KERBEROS
|     {
|         int ret;
|         const char *this_cell = cell_getthiscell ();
|         char *db_server = kocell_findnamedbbyname (this_cell);
|         char *realm = krb_realmofhost (db_server);
|
|         ret = get_cred("afs", this_cell, realm, &krbdata.c);
|         if (ret)
|             ret = get_cred("afs", "", realm, &krbdata.c);
|
|         if (ret) {
|             ARLADEB(ADEBINIT, ("error getting ticket for %s\n",
|                                realm));
|         } else if (cred_add_krb4(getuid(), &krbdata.c) == NULL) {
|             ARLADEB(ADEBINIT, ("Could not insert tokens to arla\n"));
|         }
|     }
| #endif
That looks fine. Note that afssys.c from kafs seems to go even further,
and I'm not sure if it's worth it:
    k_errno = -1;
    if(krealm){
        k_errno = get_cred(AUTH_SUPERUSER, cell, krealm, &c, &ticket);
        if(k_errno)
            k_errno = get_cred(AUTH_SUPERUSER, "", krealm, &c, &ticket);
    }
    if(k_errno)
        k_errno = get_cred(AUTH_SUPERUSER, cell, CELL, &c, &ticket);
    if(k_errno)
        k_errno = get_cred(AUTH_SUPERUSER, "", CELL, &c, &ticket);
    /* this might work in some conditions */
    if(k_errno && (vl_realm = realm_of_cell(cell))){
        k_errno = get_cred(AUTH_SUPERUSER, cell, vl_realm, &c, &ticket);
        if(k_errno)
            k_errno = get_cred(AUTH_SUPERUSER, "", vl_realm, &c, &ticket);
    }
    if(k_errno && lrealm){
        k_errno = get_cred(AUTH_SUPERUSER, cell, lrealm, &c, &ticket);
Thanks.
--jhawk
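
Added example, not part of the original message and not Arla or kafs code: a simplified model of why the order of the get_cred() fallbacks discussed above matters when a legacy principal with a stale key version still exists. mock_get_cred(), the principals, the realm and the kvno values are all constructed for illustration; only the error value 19270408 is taken from the thread.

```c
#include <stdio.h>
#include <string.h>

#define RXKADUNKNOWNKEY 19270408 /* value seen in the volcache error above */

/* Constructed sample data, not real principals or key versions. */
struct princ { const char *name, *inst, *realm; int kvno; };
static const struct princ kdc_db[] = {
    { "afs", "",                 "EXAMPLE.ORG", 1 }, /* legacy remnant */
    { "afs", "cell.example.org", "EXAMPLE.ORG", 5 }, /* current cell key */
};
static const int server_kvnos[] = { 5 }; /* key versions the server holds */

/* Hypothetical stand-in for get_cred(): 0 on success, -1 if no such principal. */
static int mock_get_cred(const char *name, const char *inst,
                         const char *realm, int *kvno)
{
    for (size_t i = 0; i < sizeof kdc_db / sizeof kdc_db[0]; i++) {
        const struct princ *p = &kdc_db[i];
        if (!strcmp(p->name, name) && !strcmp(p->inst, inst) &&
            !strcmp(p->realm, realm)) {
            *kvno = p->kvno;
            return 0;
        }
    }
    return -1;
}

/* Server side: a ticket is usable only if its kvno is in the key file. */
static int server_check(int kvno)
{
    for (size_t i = 0; i < sizeof server_kvnos / sizeof server_kvnos[0]; i++)
        if (server_kvnos[i] == kvno) return 0;
    return RXKADUNKNOWNKEY;
}

/* Client side: try one instance, fall back to the other, present the ticket. */
int fetch_and_present(const char *cell, const char *realm, int cell_first)
{
    int kvno;
    int ret = mock_get_cred("afs", cell_first ? cell : "", realm, &kvno);
    if (ret)
        ret = mock_get_cred("afs", cell_first ? "" : cell, realm, &kvno);
    return ret ? -1 : server_check(kvno);
}

int main(void)
{
    printf("cell first: %d, legacy first: %d\n",
           fetch_and_present("cell.example.org", "EXAMPLE.ORG", 1),
           fetch_and_present("cell.example.org", "EXAMPLE.ORG", 0));
    return 0;
}
```

In this model the ticket request itself succeeds in both orders; the failure only shows up when the server cannot find the ticket's key version, which is why a successful get_cred() says nothing about whether file access will work.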