klog: could not create ticket file

Christopher Allen Wing wingc at engin.umich.edu
Mon Jul 8 23:30:55 CEST 2002 

klog needs to create a ticket file to work because it was originally
written to use the regular Kerberos 4 mechanism for obtaining AFS
credentials.

klog in Arla is supposed to try several places to create a ticket file,
but it looks like it expects TKT_ROOT to be defined in the headers of the
Kerberos library you are compiling against:


--------------- arla-0.35.8/appl/afsutils/klog.c -------------------
static const char *tktbasename[] = {
    KLOG_TKT_ROOT,
#if defined(HAVE_KRB_GET_DEFAULT_TKT_ROOT)
    "",
#elif defined(TKT_ROOT)
    TKT_ROOT,
#endif
    NULL
};



Maybe on Mac OS X, TKT_ROOT is not set? (try grep -r TKT_ROOT in
/usr/kerberos/include or wherever it is on osx)



If TKT_ROOT is missing then this is the cause of the problem and this
patch should fix it:


--- arla-0.35.8/appl/afsutils/klog.c.orig	Wed Oct  3 18:52:01 2001
+++ arla-0.35.8/appl/afsutils/klog.c	Mon Jul  8 17:03:24 2002
@@ -364,11 +364,15 @@
  * use umich compat basename of ticket.
  */

+#ifndef TKT_ROOT
+#define TKT_ROOT "/tmp"
+#endif
+
 static const char *tktbasename[] = {
-    KLOG_TKT_ROOT,
 #if defined(HAVE_KRB_GET_DEFAULT_TKT_ROOT)
     "",
-#elif defined(TKT_ROOT)
+#else
+    KLOG_TKT_ROOT,
     TKT_ROOT,
 #endif
     NULL






The rationale for /ticket (mode 1733) is to prevent symlink attacks:



user A				user B

[ KRBTKFILE=/tmp/tktXXXXX ]
klog -tmp
writes to /tmp/tktXXXXX
				notices /tmp/tktXXXXX file
kdestroy
				notices /tmp/tktXXXXX missing
				does ln -s userAfile /tmp/tktXXXXX
klog -tmp
(overwrites userAfile)


Thanks,

Chris Wing
wingc at engin.umich.edu


On 8 Jul 2002, Magnus Ahltorp wrote:

> > I have just compiled arla-0.35.8 on Mac OS X 10.1.5. I compiled and
> > installed krbafs-1.1 before. arla was compiled with --disable-mmap,
> > --without-x and the --with-krbafs option.
> > arla started and worked but when I try to use klog to access our local
> > cell I receive a "klog: could not create ticket file" after entering a
> > password.
> >
> > Has anybody a hint for me? What's wrong?
>
> Apparently, it tries to create a ticket in /ticket. Why, I don't know,
> but you can try the flag -tmp to klog.
>
> You can also create a /ticket directory, but might be inconvenient, or
> you could edit the tktbasename variable in klog.c so that it contains
> "/tmp".
>
> /Magnus

More information about the Arla-drinkers mailing list