Greetings:

I have [modular] clog working, and kerberos working. However, I've yet to get coda w/kerberos working. If anyone has a base example of how to get kerberos/coda talking to each other, I would sincerely appreciate it.

Specifically, I think either my coda/kerberos users aren't matching up, or I'm failing to indicate the user to coda (coda realm vs kerberos realm, with or without kerberos realm, etc.)

kinit & klist function normally
clog w/codaauth functions normally

clog w/kerberos /wo kinit auth failure:

    [root_at_sandbox2 ~]# kdestroy
    [root_at_sandbox2 ~]# clog
    Password for admin/admin_at_KERBEROS.REALM:
    krb5secret: Unknown error -1765328228 getting credentials
    clog: failed to login to Kerberos

[klist shows NO VALID TICKETS]

clog w/kerberos /w kinit returns:

    [root_at_sandbox2 ~]# kinit admin
    Password for admin_at_KERBEROS.REALM:
    [root_at_sandbox2 ~]# clog
    krb5secret: Unknown error -1765328228 getting credentials
    clog: failed to login to Kerberos

[klist shows VALID tgt TICKET]

NOTE: It is quite possible that I simply have not created the kerberos principal/user or the coda user correctly -- or, perhaps I simply haven't configured .codafs/clog/pref or TCP 370 "codaauth" service correctly for this user/principal pair. This part of the configuration is largely undocumented. While I have spent considerable time adding all manner of service and user principals into kerberos (including exporting the resulting krb5.keytab), I have not yet successfully logged in.

An example of my novice level: I created a coda user "admin" using pdbtool "cu" to duplicate the realmadmin user default. This matches our kerberos "admin" user which, while not necessary, worked for us. I can verify the coda "admin" user now exists, but how does one test to see if the coda user has a password; aetey.se instructions refer to leaving the coda user password blank for the coda side of the kerberos/coda pairing.

I am using coda client and server as available from aetey.se -- my understanding is that this provides the modular clog which is recommended for kerberos. I have followed the instructions on aetey.se for client and server. I have also configured DNS with optional SRV records (coda entries, as well as kerberos auth entries).

For simplicity, I am testing the coda client on the server running the coda server. However, if needed, I also have a second server only running the client.

Since kinit works, and I have successfully tested kerberos for http auth, I am assuming the issue is not related to kerberos, and have thereby made my appeal on the coda mailing list.

Regards,
-Don

Received on 2010-01-18 16:07:56