[LeBlanc@mcc.ac.uk: Arla 0.27 on S.u.S.E]

Chris Wing wingc at engin.umich.edu
Tue Oct 5 20:22:35 CEST 1999 

Owen:

I am working on a similar problem in klog: being able to automatically
figure out what realm to get a Kerberos ticket-granting ticket in based on
an AFS cell name.

The problem may lie in libkafs's krb_afslog() function, which calls upon
krb_realm_of_cell() to determine which Kerberos realm it should attempt to
get a ticket for.

Assuming that your Kerberos realm is MCC.AC.GB, and that your cell's
servers are 130.88.203.{11,12,14} (which is what my CellServDB has),
here's what may be going on:

- we get a Kerberos ticket for MCC.AC.GB  (which should work properly)

- klog calls krb_afslog_uid() to get the token.

- krb_afslog calls krb_realm_of_cell()

- krb_realm_of_cell() looks for the CellServDB entry for mcc.ac.gb, and
gets the IP address 130.88.203.11

- an inverse DNS lookup is performed on 130.88.203.11, yielding
rock.mcc.ac.uk

- (from my reading) the libkafs code assumes that the AFS server is in the
realm MCC.AC.UK, from it's domain name

- the libkafs code may be trying to get an AFS ticket (token) in the realm
MCC.AC.UK, which fails.


My apologies if I didn't study the libkafs code enough to figure out
what's really going on, but I did seem to notice the above behavior in my
tests.

Try adding the following to /etc/krb.realms and see if it solves your
problem:

.mcc.ac.uk	MCC.AC.GB


-Chris

wingc at engin.umich.edu





On Tue, 5 Oct 1999, Dr A V Le Blanc wrote:

> > On Tue, 28 Sep 1999 11:04:36 I wrote:
> > I managed to get arla 0.27 compiled and running on a S.u.S.E. 6.1
> > system...
> > I can now see my local cell's files.  But I cannot
> > authenticate.  I have
> > 
> >      nm-> klog zlsiial
> >      zlsiial at mcc.ac.gb's Password:
> >      klog: Unable to get an AFS token: Can't get inter-realm ticket granting
> >           ticket (get_ad_tkt)
> >      nm-> cat /etc/krb.conf
> >      MCC.AC.GB
> >      MCC.AC.GB ice.mcc.ac.uk admin server
> >      MCC.AC.GB rock.mcc.ac.uk admin server
> >      MCC.AC.GB snow.mcc.ac.uk admin server
> >      nm-> cat /etc/krb.realms
> >      mcc.ac.gb       MCC.AC.GB
> >      .mcc.ac.gb      MCC.AC.GB
> >      nm-> cat /usr/arla/etc/ThisCell
> >      mcc.ac.gb
> > 
> > Why does the klog (the one which comes with arla 0.27) think it
> > needs an inter-realm ticket?  Incidentally arla was compiled
> > and linked with kth kerberos snapshot 19990620.
> 
> I have not heard anything further since I sent debug output to
> this list.  I did wonder whether S.u.S.E's library setup was
> causing problems, so I did relink klog manually, but it still
> fails.  I have an strace, which is rather long...  I've put
> it at ftp://ftp.mcc.ac.uk/beta/strace.klog (or
> /afs/mcc.ac.gb/ftp/beta/strace.klog).
> 
>      -- Owen
>      LeBlanc at mcc.ac.uk
>

More information about the Arla-drinkers mailing list