arla on Mac OS Tiger
Torsten Harenberg
harenberg at physik.uni-wuppertal.de
Sun Oct 23 16:41:24 CEST 2005
Hi Tomas, Love, Jacques et al.,
Tomas Olsson wrote:
> Also, Afslog.app defaults (as does heimdal) to using the file-based
> credential cache. The easiest way to get tickets is probably using
> /usr/arla/bin/kinit from the package.
>
> Torsten Harenberg <harenberg at physik.uni-wuppertal.de> writes:
>> [Torsten-Harenbergs-PowerBook:~] harenber% kinit -f harenber at CERN.CH
[...]
> That should have been fine, especially if you used /usr/arla/bin/kinit.
>
arghh.. it was a little late maybe, so I cut the "wrong" information
out of my terminal.
See below...
> But it's probably right. You need to get details on CERN.CH kerberos
> servers, which is usually done in /etc/krb5.conf or proper dns records. Ask
> CERN about that. If they are still using krb4 or kaserver tell them to
> upgrade (and try /usr/arla/bin/kalog, it may still work).
So I guess this is the problem.
What I did:
Some google'ing took me to:
http://jdurand.home.cern.ch/jdurand/knoppix.html
He quotes this information has to be entered:
% cat /etc/krb.conf
CERN.CH
CERN.CH afsdb1.cern.ch
CERN.CH afsdb3.cern.ch
CERN.CH afsdb2.cern.ch
CASPUR.IT pomodoro.caspur.it
CASPUR.IT banana.caspur.it
CASPUR.IT maslo.caspur.it
INFN.IT afs1.infn.it
INFN.IT afs2.infn.it
INFN.IT afs3.infn.it
AFS1.SCRI.FSU.EDU afs1.scri.fsu.edu
DESY.DE aixsr2.desy.de
DESY.DE rikki.desy.de
DESY.DE shiva.desy.de
% cat /etc/krb5.conf
[libdefaults]
    default_realm = CERN.CH
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    ticket_lifetime = 90000
    renew_lifetime = 1209600
[realms]
    CERN.CH = {
        kdc = afsmisc2.cern.ch afsmisc1.cern.ch
        admin_server = afskrb5m.cern.ch
        kpasswd_server = afskrb5m.cern.ch
        default_domain = cern.ch
        v4_name_convert = {
            host = {
                rcmd = host
                ftp = ftp
                imap = imap
            }
        }
    }
[domain_realm]
    .cern.ch = CERN.CH
[kadmin]
    default_keys = v4 v5
[kdc]
    enable-kerberos4 = yes
    enable-kaserver = yes
This ends up in:
[Torsten-Harenbergs-PowerBook:/etc] harenber% /usr/arla/bin/kinit -4 -f harenber at CERN.CH
harenber at CERN.CH's Password:
kinit: krb5_get_init_creds: unable to reach any KDC in realm CERN.CH
*BUT*
I have a DSL line at home with a router which does NAT (*argh*). I
looked into a netstat -f inet while waiting for kinit:
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 localhost.netinfo-loca localhost.1010 ESTABLISHED
tcp4 0 0 localhost.1010 localhost.netinfo-loca ESTABLISHED
tcp4 0 0 localhost.netinfo-loca localhost.1021 ESTABLISHED
tcp4 0 0 localhost.1021 localhost.netinfo-loca ESTABLISHED
udp4 0 0 192.168.100.201.49326 afsmisc1.cern.ch.kerbe
udp4 0 0 192.168.2.100.49280 *.*
[...]
This looks okay to me, but I don't know if there have to be any ports
opened in the router's internal firewall. Looking at the arla doc I
didn't find any information about this, but I'm pretty sure some of you
will know.
> Are there any public parts of /afs/cern.ch that you can access? Do we have
> any cern related people on the list?
Yes, I can see public areas:
[Torsten-Harenbergs-PowerBook:~] harenber% ls /afs/cern.ch/atlas
commissioning i386_linux22 man project users
ftp i386_linux24 maxidisk rlprod utilities
groups i386_redhat51 mbone scripts www
hp700_ux90 licensed misc software
hp_ux102 logs offline testbeam
So the entries in CellServDB seem to be correct:
[Torsten-Harenbergs-PowerBook:/usr/arla/etc] harenber% grep -i cern CellServDB
>cern.ch #European Laboratory for Particle Physics, Geneva
137.138.128.148 #afsdb1.cern.ch
137.138.246.50 #afsdb3.cern.ch
137.138.246.51 #afsdb2.cern.ch
Any hint is very much appreciated!!!
Best regards,
Torsten
--
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
<> <>
<> Torsten Harenberg harenberg at physik.uni-wuppertal.de <>
<> Bergische Universitaet <>
<> FB C - Physik Tel.: +49 (0)202 439-3521 <>
<> Gaussstr. 20 Fax : +49 (0)202 439-2811 <>
<> 42097 Wuppertal <>
<> <>
<><><><><><><>< Of course it runs NetBSD http://www.netbsd.org ><>
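
To see which KDC hosts and ports a krb5.conf like the one quoted in the message makes a client contact, and so what a NAT router's firewall has to pass, the file can be parsed as below. This is an added example, not part of the original post and not arla or Heimdal code; the function names are hypothetical, and it assumes the standard Kerberos 5 port 88 when no port is given and that several hosts on one kdc line are separated by whitespace.

```python
import re
# Added example: names are hypothetical; SAMPLE is constructed from the
# krb5.conf quoted in the message (shortened).
SAMPLE = """\
[libdefaults]
default_realm = CERN.CH
[realms]
CERN.CH = {
kdc = afsmisc2.cern.ch afsmisc1.cern.ch
v4_name_convert = {
host = {
rcmd = host
}
}
}
"""

def parse_krb5_conf(text):
    """Parse sections and nested { } blocks. Every value becomes a list;
    assumption: whitespace separates several values on one line."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        section = re.fullmatch(r"\[(\S+)\]", line)
        if section:
            stack = [root.setdefault(section.group(1), {})]
        elif line == "}":
            stack = stack[:-1] or stack  # close a block, ignore a stray brace
        else:
            key, _, val = (part.strip() for part in line.partition("="))
            if val == "{":
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).extend(val.split())
    return root

def kdc_endpoints(conf, realm=None):
    """Return [(host, port)] for a realm; port 88 unless 'host:port' is given."""
    realm = realm or conf["libdefaults"]["default_realm"][0]
    endpoints = []
    for entry in conf["realms"][realm].get("kdc", []):
        host, _, port = entry.partition(":")
        endpoints.append((host, int(port) if port else 88))
    return endpoints

if __name__ == "__main__":
    for host, port in kdc_endpoints(parse_krb5_conf(SAMPLE)):
        print(f"{host}: check outbound {port}/udp and {port}/tcp")
```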