Arla 0.35.11, Mac OS X 10.2.4, Afslog.app, aklog

Thomas Jordan jordant at fnal.gov
Wed Mar 5 21:34:25 CET 2003


I have a similar setup and launch afslog once I have krb tickets. The  
simple act of launching it gets my tokens. I created an alias for  
afslog:

alias afslog    'open /usr/arla/bin/Afslog.app'

so that my authentication looks like:

	[Dix:~] jordant% kinit
	Kerberos Login:
	Please enter the password for jordant at FNAL.GOV:
	[Dix:~] jordant% afslog
	[Dix:~] jordant% tokens

	Tokens held by Arla:

	User's (AFS ID 8998) tokens for afs at fnal.gov [Expires Mar  6 00:27]
    	--End of list--
	[Dix:~] jordant%
	[Dix:~] jordant% touch /afs/fnal.gov/files/home/room3/jordant/private/foo
	[Dix:~] jordant%

One obvious difference is that my local username, afs and krb principal  
all match.

Before I saw your mail, I believed that the *log utils in  
/usr/arla/bin/ were built against the heimdal krb _not_ the MIT krb on  
our machines. Prior to 0.35.11, I had little luck building arla against  
the OSX versions of krb, so I always install from the disk image rather  
than building my own. Did you run make or install from the disk image?
	
	t.


On Wednesday, Mar 5, 2003, at 13:44 America/Chicago, Troy Goodson wrote:

> On Wednesday, March 5, 2003, at 09:22  AM, Alexandra Ellwood wrote:
>>> Questions:
>>>
>>> How do I specify my username with aklog?
>>>
>>> How do I use Afslog?
>>>
>>> If I should use "kinit --afslog", where do I specify the default  
>>> realm? I don't seem to have /etc/realms.conf or /etc/krb.conf
>>
>> I assume you are using Kerberos for Macintosh 4.5.1, the Kerberos  
>> implementation included with Mac OS X 10.2.4.  KfM uses a unified v4  
>> and v5 configuration file format.  Please see our documentation for  
>> creating this configuration file here:
>>
>> <http://web.mit.edu/macdev/Development/MITKerberos/Common/Documentation/preferences-osx.html>
>>
>> Hope this helps!
>
> I also got a pointer to
> "Mac OS X 10.2: About Using Kerberos" Article ID: 107153
> <http://docs.info.apple.com/article.html?artnum=107153>
>
> I haven't had a chance to _really_ read either documentation well, but  
> now I'm using ~/Library/Preferences/edu.mit.Kerberos (see end of  
> message).
>
> I didn't get errors from kinit, but I didn't seem to have any AFS  
> tokens.
>
> [goodson-1:~] tdg% kinit --afslog tgoodson
> Kerberos Login:
> Please enter the password for tgoodson at JPL.NASA.GOV:
> [goodson-1:~] tdg% /usr/arla/bin/tokens
> Tokens held by Arla:
>    --End of list--
>
> Later,  I did /usr/arla/bin/aklog.  It didn't give an error, so I  
> tried editing a file but was told I didn't have permission.  Later, I  
> did /usr/arla/bin/aklog again, then I did /usr/arla/bin/tokens -- now  
> it's there!
>
> [goodson-1:~] tdg% /usr/arla/bin/tokens
> Tokens held by Arla:
> User's (AFS ID 1606) tokens for afs at jpl.nasa.gov [Expires Mar  5 21:15]
>    --End of list--
>
> then I was able to edit my file!
>
> So, looking at my tcsh history..
>     10  11:13   kinit --afslog tgoodson
>     14  11:14   /usr/arla/bin/tokens
>     15  11:14   cd /afs/jpl.nasa.gov/user/t/tgoodson/public/od_class/lsqfil_earsat/
>     19  11:14   vi README.txt
>                                 (denied access)
>     22  11:15   /usr/arla/bin/aklog
>     23  11:15   vi README.txt
>                                 (denied access)
>     26  11:33   /usr/arla/bin/aklog
>     28  11:33   /usr/arla/bin/tokens
>     31  11:34   vi README.txt
>                                 (allowed access)
>
> Looks like I either need to run aklog twice, or aklog then tokens, or  
> I just need to wait some time for my token to appear.  At least it  
> works now...
>
>
> Troy.
>
>
>
>
>
>
> Contents of my ~/Library/Preferences/edu.mit.Kerberos
> -=-=-=-=-=-=-=-=-=-=
> [libdefaults]
>         default_realm = JPL.NASA.GOV
>         login_logout_notification = "aklog"
> [v4 realms]
>         JPL.NASA.GOV = {
>                 kdc = eis-fil-afsdb08.jpl.nasa.gov
>                 kdc = eis-fil-afsdb09.jpl.nasa.gov
>                 kdc = eis-fil-afsdb10.jpl.nasa.gov
>                 kpasswd_server = kerberos.jpl.nasa.gov
>                 default_domain = jpl.nasa.gov
>                 string_to_key_type = afs_string_to_key
>         }
> [v4 domain_realm]
>         .jpl.nasa.gov = JPL.NASA.GOV
>         jpl.nasa.gov = JPL.NASA.GOV
> -=-=-=-=-=-=-=-=-=-=
>
>
>
--
Thomas Jordan
Fermi National Accelerator Lab
MS 226
PO Box 500
Kirk and Pine Streets
Batavia, Illinois
60510
voice: 630.840.4035
fax: 630.840.8248
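
Added example, not part of the original thread and not Arla's own code: the quoted session shows aklog exiting silently while tokens still lists nothing, so this sketch checks the tokens output for the cell and re-runs aklog until the token is listed. It assumes the tokens output format shown in the thread and the tools under /usr/arla/bin; the function names and the ARLA_BIN and RETRY_DELAY variables are hypothetical.

```shell
#!/bin/sh
# Assumption: Arla's tools live where the thread shows them.
ARLA_BIN="${ARLA_BIN:-/usr/arla/bin}"

# has_afs_token CELL
# Reads `tokens` output on stdin and succeeds only if a token line for
# afs@CELL is listed. The list archive renders "@" as " at ", so both
# spellings are accepted.
has_afs_token() {
    awk -v cell="$1" '
        /tokens for afs/ {
            line = $0
            sub(/^.*tokens for afs(@| at )/, "", line)  # drop text before the cell
            sub(/[ \t].*$/, "", line)                    # drop the expiry part
            if (tolower(line) == tolower(cell)) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# ensure_afs_token CELL [TRIES]
# Runs aklog, then verifies with `tokens` instead of trusting a silent
# exit; repeats up to TRIES times (default 5).
ensure_afs_token() {
    cell="$1"
    tries="${2:-5}"
    i=0
    while [ "$i" -lt "$tries" ]; do
        "$ARLA_BIN/aklog" >/dev/null 2>&1
        if "$ARLA_BIN/tokens" 2>/dev/null | has_afs_token "$cell"; then
            return 0
        fi
        i=$((i + 1))
        sleep "${RETRY_DELAY:-2}"
    done
    echo "no AFS token for $cell after $tries attempts" >&2
    return 1
}

# Typical use after sourcing this file (Kerberos tickets first):
#   kinit && ensure_afs_token jpl.nasa.gov
```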
