Hello everyone,

At the risk of re-asking an old question, can I ask for help on setting up Kerberos authentication for the coda client?

I am running Coda 6.9.5-11 both client and server on Fedora 20 (different hosts) installed from standard Fedora RPM packages. Everything works fine using auth2 authentication.

Kerberos is installed as part of FreeIPA 3.3.4-3. The FreeIPA and Coda servers run on the same host. Kerberised logins and NFS work fine on FreeIPA.

I have created a service principal codaauth/server.wasielewski_at_WASIELEWSKI and exported the keytab file to /vice/db/krb5.keytab.

In /etc/coda/server.conf I have the following Kerberos-relevant setup:

    # kerberos5service contains "%s" which will be substituted with a hostname,
    # for a usual DCE setup it would be "hosts/%s/self"
    kerberos5servprinc=codaauth/server.wasielewski_at_WASIELEWSKI
    kerberos5service=host/%s/self
    kerberos5realm=WASIELEWSKI
    kerberos5keytab=/vice/db/krb5.keytab

If I try to clog in using Kerberos I get the following error message on the client:

    [Andrew_at_ivanka-laptop ~]$ clog -kerberos5 codauser2_at_server.wasielewski
    username: codauser2_at_server.wasielewski
    krb5.c: No credentials cache found while preparing AP_REQ
    kinit: Client 'Andrew_at_WASIELEWSKI' not found in Kerberos database while getting initial credentials
    krb5.c: No credentials cache found while preparing AP_REQ
    Failed to get secret for server.wasielewski
    Invalid login (RPC2_FAIL (F)).

...and this in the krb5kdc.log file on the server:

    Mar 11 23:23:58 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: CLIENT_NOT_FOUND: Andrew_at_WASIELEWSKI for krbtgt/WASIELEWSKI_at_WASIELEWSKI, Client not found in Kerberos database

(client IP address obfuscated as "aaa.bbb.ccc.ddd")

codauser2 exists as both a FreeIPA and a Coda user, and I can log in fine using normal Linux login and auth2 respectively. Whatever options I give clog, it seems to take the Linux username and apply that as the Coda user.
If I log in as codauser2, I get some different output:

    -sh-4.2$ clog -kerberos5 codauser2_at_server.wasielewski
    username: codauser2_at_server.wasielewski
    krb5.c: Server not found in Kerberos database while preparing AP_REQ
    Password for codauser2_at_WASIELEWSKI:
    krb5.c: Server not found in Kerberos database while preparing AP_REQ
    Failed to get secret for server.wasielewski
    Invalid login (RPC2_FAIL (F)).
    -sh-4.2$ ctokens
    Tokens held by the Cache Manager for codauser2:
        @server.wasielewski
            Not Authenticated

...and on the server:

    Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0, codauser2_at_WASIELEWSKI for host/SERVER.WASIELEWSKI_at_WASIELEWSKI, Server not found in Kerberos database
    Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0, codauser2_at_WASIELEWSKI for host/SERVER.WASIELEWSKI_at_WASIELEWSKI, Server not found in Kerberos database
    Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: NEEDED_PREAUTH: codauser2_at_WASIELEWSKI for krbtgt/WASIELEWSKI_at_WASIELEWSKI, Additional pre-authentication required
    Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 tkt=18 ses=18}, codauser2_at_WASIELEWSKI for krbtgt/WASIELEWSKI_at_WASIELEWSKI
    Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0, codauser2_at_WASIELEWSKI for host/SERVER.WASIELEWSKI_at_WASIELEWSKI, Server not found in Kerberos database
    Mar 11 23:30:39 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0, codauser2_at_WASIELEWSKI for host/SERVER.WASIELEWSKI_at_WASIELEWSKI, Server not found in Kerberos database
Can anyone see where I am going wrong? I have read about a "modular clog", but not clear where/how I get and use it, nor whether it is already part of the Coda client.

Thanks in advance,
Andrew

Received on 2014-03-11 19:41:20
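The two KDC log excerpts in the post name the principals the KDC could not find: a client principal derived from the Linux username (Andrew_at_WASIELEWSKI) and a service principal host/SERVER.WASIELEWSKI_at_WASIELEWSKI, while the keytab that was exported holds codaauth/server.wasielewski_at_WASIELEWSKI. A useful triage step in any Kerberos setup is to pull those names out of krb5kdc.log and compare them case-sensitively against what the server's keytab actually contains, because Kerberos principal names are case-sensitive and a host name that differs only in case is a different principal. The script below is an added example written for this page, not code from the post or from the Coda project. Its log lines and its klist -k style keytab listing are constructed sample data modelled on the post (using "@" where the archive shows "_at_"); the keytab listing deliberately includes a lower-case host/ principal so that the case-only mismatch path is exercised.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post or from Coda).
# Extracts principals the KDC reported as unknown from krb5kdc.log text and
# checks the requested service principals against a keytab listing, comparing
# case-sensitively because Kerberos principal names are case-sensitive.

# Constructed krb5kdc.log excerpt, modelled on the lines quoted in the post.
KDC_LOG='Mar 11 23:30:25 server.wasielewski krb5kdc[31134](info): TGS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: LOOKING_UP_SERVER: authtime 0, codauser2@WASIELEWSKI for host/SERVER.WASIELEWSKI@WASIELEWSKI, Server not found in Kerberos database
Mar 11 23:23:58 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: CLIENT_NOT_FOUND: Andrew@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI, Client not found in Kerberos database
Mar 11 23:30:39 server.wasielewski krb5kdc[31135](info): AS_REQ (6 etypes {18 17 16 23 25 26}) aaa.bbb.ccc.ddd: ISSUE: authtime 1394580639, etypes {rep=18 tkt=18 ses=18}, codauser2@WASIELEWSKI for krbtgt/WASIELEWSKI@WASIELEWSKI'

# Constructed "klist -k" style listing of the server keytab. The codaauth
# entry is the one the post says was exported; the lower-case host/ entry is
# made up here so the case-mismatch path below has something to match.
KEYTAB_LIST='Keytab name: FILE:/vice/db/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 codaauth/server.wasielewski@WASIELEWSKI
   2 host/server.wasielewski@WASIELEWSKI'

# Service principals the KDC could not find, one per line, de-duplicated.
missing_servers() {
    printf '%s\n' "$1" |
        sed -n 's/.*LOOKING_UP_SERVER: .* for \([^,]*\), Server not found.*/\1/p' |
        sort -u
}

# Client principals the KDC rejected as unknown, one per line, de-duplicated.
unknown_clients() {
    printf '%s\n' "$1" |
        sed -n 's/.*CLIENT_NOT_FOUND: \([^ ]*\) for .*/\1/p' |
        sort -u
}

# The principal column of a klist -k listing (every line containing "@").
keytab_principals() {
    printf '%s\n' "$1" | awk '/@/ { print $NF }'
}

# Classify one requested principal against the keytab principal list:
#   present        exact, case-sensitive match
#   case-mismatch  matches only when case is ignored; the KDC treats this as
#                  a different principal
#   absent         no entry at all
classify_principal() {
    wanted=$1
    keytab=$2
    if printf '%s\n' "$keytab" | grep -qxF -- "$wanted"; then
        echo present
    elif printf '%s\n' "$keytab" | grep -qixF -- "$wanted"; then
        echo case-mismatch
    else
        echo absent
    fi
}

# Human-readable summary of everything the KDC could not resolve.
report() {
    log=$1
    princs=$(keytab_principals "$2")
    for c in $(unknown_clients "$log"); do
        echo "client principal not in KDC: $c"
    done
    for s in $(missing_servers "$log"); do
        echo "service principal not in KDC: $s (keytab: $(classify_principal "$s" "$princs"))"
    done
}

report "$KDC_LOG" "$KEYTAB_LIST"
```

On a live server the same functions can be fed with `cat /var/log/krb5kdc.log` and `klist -k /vice/db/krb5.keytab` instead of the constructed strings; a "case-mismatch" or "absent" result for the principal the client asked for points at the keytab or the service-name template rather than at the user's credentials.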