Greetings all:

Tried the following:

[root_at_sandbox3 ~]# ctokens
Tokens [local user id: root]
[root_at_sandbox3 ~]# clog -method kerberos5 coda_admin_user_at_coda.realm -tokenserver sandbox2.host.domain 370 -krealm KERBEROS.REALM -kdc sandbox2.host.domain -servprinc coda/coda.realm
Password for coda_admin_user/default_at_coda.realm:
[root_at_sandbox3 ~]# ctokens
Tokens [local user id: root]
[root_at_sandbox3 ~]# ls /coda/
[root_at_sandbox3 ~]#

Server logs during event:

[root_at_sandbox2 ~]# cat /vice/auth2/AuthLog
02:37:34 vid = coda_admin_uid
02:37:34 AuthNewConn(0x6f582c7a, 0, 66, 2, coda_admin_uid)
[root_at_sandbox2 ~]# cat /var/log/krb5kdc.log
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user_at_KERBEROS.REALM for coda/coda.realm_at_KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user_at_KERBEROS.REALM for coda/coda.realm_at_KERBEROS.REALM

So, no errors on clog! Progress! Why can't I see /coda/coda.realm?

Here is the getvolumelist output (in the off chance it is useful):

[root_at_sandbox2 ~]# /vice/bin/volutil getvolumelist
V_BindToServer: binding to host sandbox2.host.domain
P/vice/pa Hsandbox2.host.domain T957fbc F56b29c
W/.0 I1000001 H1 P/vice/pa m0 M0 U2 W1000001 C4b50579e D4b50579e B0 A0
Wcoda.realm.0 I1000002 H1 P/vice/pa m0 M0 U2 W1000002 C4b5062a6 D4b5062a6 B0 A0
GetVolumeList finished successfully

Also, I'd like to clarify whether a "coda.realm" is what this page refers to as a "Coda volume":
http://www.coda.cs.cmu.edu/trac/wiki/CodaHOWTO/Introduction

Thanks,
-Don
{void}

root writes:
> Greetings all:
>
>>> Please feel free to make the assumption that I have false
>>> understandings. If "KERBEROS.REALM" is stated, but from syntax it
>>> should be "coda.realm", please correct me.
>>
>> Yes, it should be "codaaccount_at_coda.realm", not otherwise.
>
> Ok, I tried changing the clog to:
>
> [root_at_sandbox3 ~]# clog \
> -method kerberos5 coda_admin_user_at_coda.realm \
> -tokenserver sandbox2.host.domain 370 \
> -krealm KERBEROS.REALM \
> -kdc sandbox2.host.domain \
> -servprinc coda/coda.realm
>
> Basically, the method user_at_realm was changed to the coda realm from the
> kerberos realm. Also, the servprinc was changed to the coda.realm from
> sandbox2.host.domain.
>
> Does this appear sane?
>
>
> Key points in this email:
>
> *) The only keytab used by coda inherently is on coda server hosts:
> /vice/db/krb5.keytab
>
> *) The keytab need only maintain the service principal for:
> codaauth/coda.realm_at_KERBEROS.REALM
>
>
> The discourse on host/ vs coda/ vs codaauth/ ended with a
> misunderstanding. This subject is not important, please disregard.
>
> The discourse on coda/kerberos auth related definitions and "kerberos
> basics" also ended in misunderstanding. It may also be disregarded.
>
> Regards,
> -Don
> {void}

Received on 2010-01-20 23:23:56
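The getvolumelist output quoted in the message above, pulled apart with a small shell script so the volumes on the server (name, volume id, partition, creation time) can be read off directly. This is an added example and is not code from the thread or from the Coda project. The record layout it assumes is inferred from the sample only: every field is a one-letter tag followed by its value, with W the volume name, I the volume id, P the partition and C the creation time as hexadecimal epoch seconds; the sample text is the post's own output, embedded here so the script runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or the Coda project.
# Parses the per-volume records printed by "volutil getvolumelist".
# Assumed layout (inferred from the sample, not from Coda documentation):
# each whitespace-separated field is a one-letter tag plus value, where
#   W = volume name, I = volume id, P = partition, C = creation time (hex epoch).

# Sample output, copied from the post above and embedded for offline use.
SAMPLE='V_BindToServer: binding to host sandbox2.host.domain
P/vice/pa Hsandbox2.host.domain T957fbc F56b29c
W/.0 I1000001 H1 P/vice/pa m0 M0 U2 W1000001 C4b50579e D4b50579e B0 A0
Wcoda.realm.0 I1000002 H1 P/vice/pa m0 M0 U2 W1000002 C4b5062a6 D4b5062a6 B0 A0
GetVolumeList finished successfully'

# Print one "name id partition creation_hex" line per volume record.
# Only lines whose first field starts with W and second with I are volume
# records; the partition header (starts with P) and status lines are skipped.
list_volumes() {
    printf '%s\n' "$1" | awk '
        substr($1,1,1)=="W" && substr($2,1,1)=="I" {
            name = substr($1,2); id = substr($2,2); part = ""; ctime = ""
            for (i = 3; i <= NF; i++) {
                tag = substr($i,1,1); val = substr($i,2)
                if (tag == "P") part = val
                if (tag == "C") ctime = val
            }
            print name, id, part, ctime
        }'
}

# Convert the hex creation timestamp to decimal epoch seconds
# (feed the result to "date -d @N" or "date -r N" to read it).
hex_to_epoch() {
    echo $(( 0x$1 ))
}

# Number of volume records in the output.
volume_count() {
    list_volumes "$1" | wc -l | tr -d ' '
}

list_volumes "$SAMPLE" | while read -r name id part ctime; do
    echo "volume $name id=$id partition=$part created=$(hex_to_epoch "$ctime")"
done
```

Run as-is it lists the two volumes from the sample; to use it against a live server, replace SAMPLE with the captured output of `/vice/bin/volutil getvolumelist`.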