Coda File System

modular clog + kerberos

From: root <coda_at_voidembraced.net>
Date: Mon, 18 Jan 2010 12:51:52 -0800
Greetings: 

I have [modular] clog working, and kerberos working.  However, I've yet to 
get coda w/kerberos working.  If anyone has a base example of how to get 
kerberos/coda talking to each other, I would sincerely appreciate it.  
Specifically, I think either my coda/kerberos users aren't matching up, or 
I'm failing to indicate the user to coda (coda realm vs kerberos realm, with 
or without kerberos realm, etc.) 

kinit & klist function normally
clog w/codaauth functions normally 

clog w/kerberos /wo kinit auth failure: 

[root_at_sandbox2 ~]# kdestroy
[root_at_sandbox2 ~]# clog
Password for admin/admin_at_KERBEROS.REALM:
krb5secret: Unknown error -1765328228 getting credentials
clog: failed to login to Kerberos 

[klist shows NO VALID TICKETS] 

clog w/kerberos /w kinit returns: 

[root_at_sandbox2 ~]# kinit admin
Password for admin_at_KERBEROS.REALM:
[root_at_sandbox2 ~]# clog
krb5secret: Unknown error -1765328228 getting credentials
clog: failed to login to Kerberos 

[klist shows VALID tgt TICKET] 

NOTE:  It is quite possible that I simply have not created the kerberos 
principal/user or the coda user correctly -- or, perhaps I simply haven't 
configured .codafs/clog/pref or TCP 370 "codaauth" service correctly for 
this user/principal pair.  This part of the configuration is largely 
undocumented.  While I have spent considerable time adding all manner of 
service and user principals into kerberos (including exporting the resulting 
krb5.keytab), I have not yet successfully logged in. 

An example of my novice level:  I created a coda user "admin" using pdbtool 
"cu" to duplicate the realmadmin user default.  This matches our kerberos 
"admin" user which, while not necessary, worked for us.  I can verify the 
coda "admin" user now exists, but how does one test to see if the coda user 
has a password; aetey.se instructions refer to leaving the coda user 
password blank for the coda side of the kerberos/coda pairing. 

 

I am using coda client and server as available from aetey.se -- my 
understanding is that this provides the modular clog which is recommended 
for kerberos. 

I have followed the instructions on aetey.se for client and server.  I have 
also configured DNS with optional SRV records (coda entries, as well as 
kerberos auth entries). 

For simplicity, I am testing the coda client on the server running the coda 
server.  However, if needed, I also have a second server only running the 
client. 

Since kinit works, and I have successfully tested kerberos for http auth, I 
am assuming the issue is not related to kerberos, and have thereby made my 
appeal on the coda mailing list. 

Regards,
 -Don
{void} 
Received on 2010-01-18 16:07:56