arla-0.41 and support for Tiger

Jean-Damien Durand Jean-Damien.Durand at cern.ch
Sat Jan 7 09:38:01 CET 2006


Dear Philippe,

Here is how I get into afs at cern from debian/unstable/i386 using only
heimdal and arla;

- Configuration files are:
/etc/krb5.conf       (http://home.cern.ch/user/~jdurand/krb5.conf)
/etc/krb.conf        (http://home.cern.ch/user/~jdurand/krb.conf)
/etc/arla/ThisCell   (http://home.cern.ch/user/~jdurand/ThisCell)
/etc/arla/CellServDB (http://home.cern.ch/user/~jdurand/CellServDB)

The important line in krb5.conf is for the kdc: afsdb[1-3].cern.ch. Beware
that inside cern, that file contains afsmisc[1-3].cern.ch instead. This is
an error since these machines are behind a firewall.

- Access:

jddportable% kinit
jdurand at CERN.CH's Password:

jddportable% klist
Credentials cache: FILE:/tmp/krb5cc_27343
        Principal: jdurand at CERN.CH

  Issued           Expires          Principal
Jan  7 09:12:26  Jan  8 10:12:26  krbtgt/CERN.CH at CERN.CH
Jan  7 09:12:26  Jan  8 10:12:26  afs at CERN.CH

jddportable% kalog jdurand
Getting ticket for jdurand at cern.ch
Password:

From now on, I can access afs at cern with no problem.

Recently debian dropped kerberos4. Before that, kinit alone was enough.
With heimdal only, I did not find a way using kinit only to bypass the kalog
step (but I did not investigate very much...).

Hope this helps,

Cheers, JD.

On Friday 06 January 2006 18:33, Philippe Charpentier wrote:
> Hi Tomas,
> Thanks for the information! Restarting the Finder makes AFS appear,
> you are right... but opening it puts the Finder in a loop (rolling
> ball). I managed however to see my files going directly to my
> directory... useless as I couldn't get a token...
>
> Concerning getting an AFS token, I tried kinit as well, but
> unsuccessfully:
> phicharp% kinit phicharp at cern.ch
> Please enter the password for phicharp at cern.ch:
> Kerberos Login Failed: Password incorrect or preauthentication failed.
> I am sure the password I typed in was correct, of course ;-)
> As for what concerns afslog, I never managed to get a token with
> it... probably as I have not understood how it should work. It was
> (when Arla was not broken) letting me know for how long a token was
> still valid, but not enter a password...
> Most probably all this is due to my ignorance, but I certainly want
> to remain ignorant of all the internals of AFS and Kerberos ;-)
> If I use kinit without parameter, it complains that the default realm
> is not defined in the configuration file, but I have set "cern.ch"
> in /usr/arla/etc/ThisCell. I am probably missing something again
> there...
>
> Regards,  Philippe
>
> On 6 Jan 06, at 12:11, Tomas Olsson wrote:
> > Massimo Marino writes:
> >>> I have installed that new version of Arla that seems to mount /afs
> >>> from the command line, but I see no AFS disk mounted on the Finder.
> >>> When I try and get a token, it tells me:
> >>> Unable to authenticate to AFS because AFS kernel pioctl doesn't
> >>> exist.
> >
> > The mounting part is fixed in current sources, but there has been no
> > release since 0.41. It's not hard to build from cvs, but there are a few
> > steps to set up the environment. Just ask, and I'll give you the steps. It
> > really would be nice to have friends in CERN who know how to do it.
> >
> > Oh, and I think Finder notices /afs if you restart it or log in again.
> >
> > As for the tokens, the pioctl interface changed in Tiger. I think you
> > should be ok if you use the tools in /usr/arla/bin, there's an afs aware
> > heimdal with kinit/klist/..., arla tools, plus the old mac GUI things
> > (the Afslog app etc). Unfortunately, the kalog in 0.41 is broken. Also
> > fixed in CVS, see
> > https://lists.stacken.kth.se/pipermail/arla-drinkers/2005-December/003716.html
> > for a possible workaround.
> >
> > /t (adding some Cc/Bcc)
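
A small check for the two krb5.conf problems raised in this thread (a kdc entry pointing at the firewalled afsmisc hosts, and no default realm defined), added here as an example and not part of any of the posts. The sample file is constructed: the host names afsmisc1 and afsdb2 expand the bracket ranges given in the message, the rest of the layout is an assumption, and audit_krb5 is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: audit krb5.conf text for the two problems raised in this thread.

# Constructed sample. Host names expand the "afsmisc[1-3]" / "afsdb[1-3]"
# ranges from the message; the rest of the file is an assumption.
sample_conf() {
cat <<'EOF'
[libdefaults]
    default_realm = CERN.CH

[realms]
    CERN.CH = {
        kdc = afsmisc1.cern.ch
        kdc = afsdb2.cern.ch
    }
EOF
}

# audit_krb5 REALM (hypothetical helper): krb5.conf on stdin, findings on stdout.
audit_krb5() {
    awk -v realm="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "") }              # trim the line
        $0 == "" || /^#/ { next }                     # skip blanks and comments
        /^\[/ { section = $0; inrealm = 0; next }     # entering a new [section]
        { split($0, kv, /[ \t]*=[ \t]*/); key = kv[1]; val = kv[2] }
        section == "[libdefaults]" && key == "default_realm" { def = val }
        section == "[realms]" && key == realm && val == "{" { inrealm = 1; next }
        key == "}" { inrealm = 0; next }
        inrealm && key == "kdc" {
            kdcs++
            # afsmisc* are the hosts the message says sit behind a firewall
            tag = (val ~ /^afsmisc[0-9]*\./) ? "FIREWALLED_KDC" : "KDC"
            print tag " " val
        }
        END {
            if (def == "") { print "NO_DEFAULT_REALM" } else { print "DEFAULT_REALM " def }
            if (kdcs == 0) { print "NO_KDC_FOR " realm }
        }'
}

# Run the audit on the constructed sample.
sample_conf | audit_krb5 CERN.CH
```

To check a real file, feed it on stdin, for example `audit_krb5 CERN.CH < /etc/krb5.conf`.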

