Coda File System

Re: modular clog + kerberos

From: root <coda_at_voidembraced.net>
Date: Wed, 20 Jan 2010 20:22:58 -0800
Greetings all: 

Tried the following: 

[root@sandbox3 ~]# ctokens

Tokens [local user id: root]

[root@sandbox3 ~]# clog \
 -method kerberos5 coda_admin_user@coda.realm \
 -tokenserver sandbox2.host.domain 370 \
 -krealm KERBEROS.REALM \
 -kdc sandbox2.host.domain \
 -servprinc coda/coda.realm
Password for coda_admin_user/default@coda.realm:
[root@sandbox3 ~]# ctokens

Tokens [local user id: root]

[root@sandbox3 ~]# ls /coda/
[root@sandbox3 ~]#


Server logs during event: 

[root@sandbox2 ~]# cat /vice/auth2/AuthLog
02:37:34 	vid = coda_admin_uid
02:37:34 AuthNewConn(0x6f582c7a, 0, 66, 2, coda_admin_uid)

[root@sandbox2 ~]# cat /var/log/krb5kdc.log
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: NEEDED_PREAUTH: kerberos_admin_user@KERBEROS.REALM for coda/coda.realm@KERBEROS.REALM, Additional pre-authentication required
krb5kdc[](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) sandbox3_ipv4: ISSUE: authtime epoch_time, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user@KERBEROS.REALM for coda/coda.realm@KERBEROS.REALM


So, no errors on clog!  Progress! 

Why can't I see /coda/coda.realm?

Here is the getvolumelist output (in the off chance it is useful): 

[root@sandbox2 ~]# /vice/bin/volutil getvolumelist
V_BindToServer: binding to host sandbox2.host.domain
P/vice/pa Hsandbox2.host.domain T957fbc F56b29c
W/.0 I1000001 H1 P/vice/pa m0 M0 U2 W1000001 C4b50579e D4b50579e B0 A0
Wcoda.realm.0 I1000002 H1 P/vice/pa m0 M0 U2 W1000002 C4b5062a6 D4b5062a6 B0 A0
GetVolumeList finished successfully


Also, I'd like to clarify whether a "coda.realm" is what this page refers to 
as "Coda volume":  
http://www.coda.cs.cmu.edu/trac/wiki/CodaHOWTO/Introduction 


Thanks,
 -Don
{void} 


root writes: 

> Greetings all:  
> 
> 
>>> Please feel free to make the assumption that I have false
>>> understandings.  If "KERBEROS.REALM" is stated, but from syntax it
>>> should be "coda.realm", please correct me.
>> 
>> Yes, it should be "codaaccount@coda.realm", not otherwise.
> 
> Ok, I tried changing the clog to:  
> 
> [root@sandbox3 ~]# clog \
>  -method kerberos5 coda_admin_user@coda.realm \
>  -tokenserver sandbox2.host.domain 370 \
>  -krealm KERBEROS.REALM \
>  -kdc sandbox2.host.domain \
>  -servprinc coda/coda.realm
> 
> Basically, the user@realm given to -method was changed from the Kerberos
> realm to the Coda realm.  Also, the servprinc was changed from
> sandbox2.host.domain to coda.realm.
> 
> Does this appear sane?  
> 
> 
> Key points in this email:  
> 
> *) The only keytab used by coda inherently is on coda server hosts:
> /vice/db/krb5.keytab  
> 
> *) The keytab need only hold the service principal for:
> codaauth/coda.realm@KERBEROS.REALM
> 
> 
> The discourse on host/ vs coda/ vs codaauth/ ended with a 
> misunderstanding.  This subject is not important, please disregard.  
> 
> The discourse on coda/kerberos auth related definitions and "kerberos 
> basics" also ended in misunderstanding.  It may also be disregarded.  
> 
> Regards,
> -Don
> {void}
 
Received on 2010-01-20 23:23:56
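The two server-side logs quoted in the mail (the MIT krb5kdc.log AS_REQ lines and the Coda auth2 AuthLog) each record one step of a clog attempt, and reading them together shows how far the attempt got before the client ended up with no tokens. The script below is an added example written for this archived thread; it is not Coda or MIT Kerberos code. It parses both log formats and reports whether the KDC challenged for pre-authentication, whether it issued a ticket for the named service principal, and whether auth2 opened a connection. The sample log lines are constructed from the ones in the mail, with the pid, client address, uid and authtime replaced by made-up values.

```python
"""Correlate krb5kdc.log AS_REQ lines with the Coda auth2 AuthLog.

Added example for this archived thread; not Coda or MIT Kerberos code.
The sample log lines below are constructed from the ones quoted in the mail,
with placeholder pid, client address, uid and authtime values.
"""
import re
from typing import Dict, List

# Constructed sample of /var/log/krb5kdc.log: placeholder pid 1234, client
# address 192.0.2.13 and authtime 1264041454 stand in for the real values.
KDC_LOG = """\
krb5kdc[1234](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.13: NEEDED_PREAUTH: kerberos_admin_user@KERBEROS.REALM for coda/coda.realm@KERBEROS.REALM, Additional pre-authentication required
krb5kdc[1234](info): AS_REQ (8 etypes {18 17 16 5 23 3 2 1}) 192.0.2.13: ISSUE: authtime 1264041454, etypes {rep=18 tkt=18 ses=18}, kerberos_admin_user@KERBEROS.REALM for coda/coda.realm@KERBEROS.REALM
"""

# Constructed sample of /vice/auth2/AuthLog: uid 1001 is a placeholder.
AUTH_LOG = """\
02:37:34 \tvid = 1001
02:37:34 AuthNewConn(0x6f582c7a, 0, 66, 2, 1001)
"""

# One AS_REQ line: result is NEEDED_PREAUTH or ISSUE; the authtime/etypes
# part is present only on ISSUE lines, the trailing reason only on failures.
AS_REQ_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d*)\]\(info\): AS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[^}]*)\}\) "
    r"(?P<client_ip>\S+): (?P<result>[A-Z_]+): "
    r"(?:authtime (?P<authtime>\d+), etypes \{(?P<issued>[^}]*)\}, )?"
    r"(?P<client>\S+) for (?P<service>\S+?)(?:, (?P<reason>.*))?$"
)
VID_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+vid = (?P<vid>\S+)$")
NEWCONN_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+AuthNewConn\((?P<args>[^)]*)\)")


def parse_kdc_log(text: str) -> List[Dict[str, object]]:
    """Return one dict per AS_REQ line; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = AS_REQ_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["etypes"] = d["etypes"].split()  # enctypes offered by the client
            events.append(d)
    return events


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Return the 'vid = ...' and AuthNewConn(...) events from AuthLog."""
    events = []
    for line in text.splitlines():
        m = VID_RE.match(line)
        if m:
            events.append({"time": m["time"], "kind": "vid", "vid": m["vid"]})
            continue
        m = NEWCONN_RE.match(line)
        if m:
            # The last argument of AuthNewConn is the Coda uid the
            # connection was bound to (the value AuthLog printed as vid).
            args = [a.strip() for a in m["args"].split(",")]
            events.append({"time": m["time"], "kind": "newconn", "vid": args[-1]})
    return events


def clog_progress(kdc_text: str, auth_text: str, service: str) -> Dict[str, object]:
    """Summarise which steps of a clog attempt the server logs confirm."""
    kdc = parse_kdc_log(kdc_text)
    auth = parse_auth_log(auth_text)
    preauth = [e for e in kdc if e["result"] == "NEEDED_PREAUTH" and e["service"] == service]
    issued = [e for e in kdc if e["result"] == "ISSUE" and e["service"] == service]
    conns = [e for e in auth if e["kind"] == "newconn"]
    return {
        "preauth_challenged": bool(preauth),
        "ticket_issued": bool(issued),
        "ticket_client": issued[0]["client"] if issued else None,
        "ticket_enctype": issued[0]["issued"] if issued else None,
        "auth2_connection": bool(conns),
        "auth2_vid": conns[0]["vid"] if conns else None,
    }


if __name__ == "__main__":
    report = clog_progress(KDC_LOG, AUTH_LOG, "coda/coda.realm@KERBEROS.REALM")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the report says the KDC first demanded pre-authentication, then issued a ticket for coda/coda.realm@KERBEROS.REALM, and auth2 opened a connection bound to a uid, which is the same picture the quoted logs give. That localises the problem: the KDC and the auth server did their part, so an empty ctokens output afterwards points at what happens on the client between clog and venus, which these two logs cannot show.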