afs and kerberos (fwd)

Camelia Botez camelia at wicc.weizmann.ac.il
Wed Mar 15 11:03:38 CET 2000


I run arla-0.30 and krb4-1.0.
Things have started to work, but not all of them.
I'm sending you my problems, which Dr A V Le Blanc also has (that's
what I understood from his answer).
Maybe someone can help me.


Thank you

Camelia Botez

System Administrator
Weizmann Institute of Science - Physics Faculty
E-mail
camelia.botez at weizmann.ac.il
Phone 972-8-9343288
Fax   972-8-9344106 or 972-8-9344102


---------- Forwarded message ----------
Date: Wed, 15 Mar 2000 10:28:38 +0200 (IST)
From: Camelia Botez <camelia at wicc.weizmann.ac.il>
Reply-To: camelia.botez at weizmann.ac.il
To: Dr A V Le Blanc <LeBlanc at mcc.ac.uk>
Cc: camelia.botez at weizmann.ac.il
Subject: Re: afs and kerberos








Thanks a lot for your time once again, and I'm sorry to disturb you, but
I still have krb problems.
  
 
In /etc/krb.conf I have:

CERN.CH
CERN.CH afs1.cern.ch admin server
CERN.CH afs3.cern.ch admin server
CERN.CH afs11.cern.ch admin server
DESY.DE solar00.desy.de admin server
DESY.DE shiva.desy.de admin server
DESY.DE rikki.desy.de admin server
RHIC rafs03.rhic.bnl.gov admin server
RHIC rafs02.rhic.bnl.gov admin server
RHIC rafs01.rhic.bnl.gov admin server
 
In /etc/krb.realms I have:

cern.ch CERN.CH
.cern.ch CERN.CH
.ac.il CERN.CH
desy.de DESY.DE
.desy.de DESY.DE
rhic RHIC
rhic.bnl.gov RHIC
.rhic.bnl.gov RHIC
 
In /usr/arla/etc/CellServDB  I have :

>cern.ch                # European Laboratory for Particle Physics, Geneva
137.138.129.147                 #afs1.cern.ch
137.138.128.144                 #afs3.cern.ch
137.138.129.16                  #afs11.cern.ch
>desy.de                # Deutsches Elektronen-Synchrotron
131.169.244.60                  #solar00.desy.de
131.169.55.19                   #shiva.desy.de
131.169.30.50                   #rikki.desy.de
>rhic           #Relativistic Heavy Ion Collider
130.199.80.230                  #rafs03.rhic.bnl.gov
130.199.80.93                   #rafs02.rhic.bnl.gov
130.199.80.92                   #rafs01.rhic.bnl.gov
 
In /usr/arla/etc/ThisCell I have:

cern.ch
 
I try to get authentication into cern.ch, desy.de and rhic with different
users and their afs-passwords, but I get tickets only in cern.ch.
If it is not too much, I am sending you some messages I get during kauth to
desy.de and cern.ch.

Using desy.de I get :

Getting host entry for rikki.desy.de...Got it.
connecting to rikki.desy.de (131.169.30.50) udp, port 750
sending 113 bytes to rikki.desy.de (131.169.30.50), udp port 750
recieved 119 bytes on udp/tcp socket
Machine time: Wed Mar 15 09:55:22 2000
Correcting to Wed Mar 15 09:55:22 2000
Realm: DESY.DE
serv=krbtgt.CERN.CH at DESY.DE princ=yehuda. at DESY.DE
Machine time: Wed Mar 15 09:55:22 2000
Correcting to Wed Mar 15 09:55:22 2000
Authent->length = 101
lrealm is CERN.CH
Getting host entry for afs11.cern.ch...Got it.
connecting to afs11.cern.ch (137.138.129.16) udp, port 750
sending 111 bytes to afs11.cern.ch (137.138.129.16), udp port 750
recieved 52 bytes on udp/tcp socket
Realm: CERN.CH
Realm: DESY.DE
serv=krbtgt.CERN.CH at DESY.DE princ=yehuda. at DESY.DE
Machine time: Wed Mar 15 09:55:23 2000
Correcting to Wed Mar 15 09:55:23 2000
Authent->length = 101
lrealm is CERN.CH
Getting host entry for afs11.cern.ch...Got it.
connecting to afs11.cern.ch (137.138.129.16) udp, port 750
sending 118 bytes to afs11.cern.ch (137.138.129.16), udp port 750
recieved 52 bytes on udp/tcp socket
kauth: Permission Denied (kerberos)
[yehuda at camelia-pc ~]# /usr/athena/bin/klist
Ticket file:    /tmp/tkt0
Principal:      yehuda at DESY.DE

  Issued           Expires          Principal
Mar 15 09:54:57  Mar 15 19:54:57  krbtgt.DESY.DE at DESY.DE
Mar 15 09:55:22  Mar 15 19:55:22  krbtgt.CERN.CH at DESY.DE

and afslog gives the error message:

afslog: Failed getting tokens for cell(local cell) in realm (local realm).

Trying to connect to rhic I get 

kauth: Can't get inter-realm ticket granting ticket(get_ad_tkt).


But when I try to kauth in cern.ch I get :


serv=krbtgt.CERN.CH at CERN.CH princ=levinson. at CERN.CH
Machine time: Wed Mar 15 10:06:15 2000
Correcting to Wed Mar 15 10:06:15 2000
Authent->length = 93
lrealm is CERN.CH
Getting host entry for afs11.cern.ch...Got it.
connecting to afs11.cern.ch (137.138.129.16) udp, port 750
sending 103 bytes to afs11.cern.ch (137.138.129.16), udp port 750
recieved 105 bytes on udp/tcp socket
Machine time: Wed Mar 15 10:06:15 2000
Correcting to Wed Mar 15 10:06:15 2000
serv=afs. at CERN.CH princ=levinson. at CERN.CH
Machine time: Wed Mar 15 10:06:15 2000
Correcting to Wed Mar 15 10:06:15 2000
Authent->length = 93
[levinson at camelia-pc ~]# /usr/athena/bin/klist
Ticket file:    /tmp/tkt0
Principal:      levinson at CERN.CH

  Issued           Expires          Principal
Mar 15 10:06:15  Mar 15 20:06:15  krbtgt.CERN.CH at CERN.CH
Mar 15 10:06:15  Mar 15 20:11:15  afs at CERN.CH
[levinson at camelia-pc ~]# /usr/athena/bin/afslog 
[levinson at camelia-pc ~]# /usr/athena/bin/klist
Ticket file:    /tmp/tkt0
Principal:      levinson at CERN.CH
  Issued           Expires          Principal
Mar 15 10:06:15  Mar 15 20:06:15  krbtgt.CERN.CH at CERN.CH
Mar 15 10:06:15  Mar 15 20:11:15  afs at CERN.CH


and everything works fine.
How can I get authentication at the same time for different users into
those 3 realms with the config files I wrote you at the beginning?


I'll be happy to make it work.
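
An added example, not part of the original message and not code from arla or krb4: a Python cross-check of the three files quoted above. For each CellServDB cell it reports the realm its database server maps to in krb.realms, whether that realm is the local realm named on the first line of krb.conf, and the KDCs listed for it. The data is abbreviated to one server per cell, and `realm_of` uses a simplified matching rule (exact name, otherwise the longest leading-dot suffix) that is an assumption here, not krb4's own lookup code.

```python
# Added example. Data abbreviated from the files quoted in the post (one server per cell).
KRB_CONF = """CERN.CH
CERN.CH afs11.cern.ch admin server
DESY.DE rikki.desy.de admin server
RHIC rafs01.rhic.bnl.gov admin server"""
KRB_REALMS = """.cern.ch CERN.CH
.desy.de DESY.DE
.rhic.bnl.gov RHIC"""
CELLSERVDB = """>cern.ch                # European Laboratory for Particle Physics, Geneva
137.138.129.16                  #afs11.cern.ch
>desy.de                # Deutsches Elektronen-Synchrotron
131.169.30.50                   #rikki.desy.de
>rhic           #Relativistic Heavy Ion Collider
130.199.80.92                   #rafs01.rhic.bnl.gov"""

def parse_krb_conf(text):
    """First line: local realm. Later lines: 'REALM kdc-host [admin server]'."""
    rows = [l.split() for l in text.splitlines() if l.strip()]
    kdcs = {}
    for realm, host, *_ in rows[1:]:
        kdcs.setdefault(realm, []).append(host)
    return rows[0][0], kdcs

def realm_of(host, realms_text):
    """Simplified lookup (assumption): exact name or '.domain' suffix, longest match wins."""
    h, rows = host.lower(), [l.split() for l in realms_text.splitlines() if l.strip()]
    hits = [(len(n), r) for n, r in rows if n.lower() == h or (n[0] == "." and h.endswith(n.lower()))]
    return max(hits)[1] if hits else None

def parse_cellservdb(text):
    """'>cell #comment' opens a cell; each 'IP #hostname' line after it is a db server."""
    cells, servers = {}, []
    for line in filter(str.strip, text.splitlines()):
        left, _, comment = line.partition("#")
        if line.startswith(">"):
            servers = cells.setdefault(left[1:].strip(), [])
        else:
            servers.append((left.strip(), comment.strip()))
    return cells

def cross_check():
    """Map each cell to (realm, is_local_realm, KDCs listed for that realm)."""
    local, kdcs = parse_krb_conf(KRB_CONF)
    report = {}
    for cell, servers in parse_cellservdb(CELLSERVDB).items():
        realms = {realm_of(host, KRB_REALMS) for _, host in servers}
        realm = realms.pop() if len(realms) == 1 else None  # None: servers disagree
        report[cell] = (realm, realm == local, kdcs.get(realm, []))
    return report
```

With the abbreviated data, `cross_check()` marks only cern.ch as belonging to the local realm, which matches the `lrealm is CERN.CH` lines in the kauth traces above.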






