[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
kerberos token....
|
From: |
Juan Manuel Guijarro Plaza |
|
Subject: |
kerberos token.... |
|
Date: |
Fri, 26 Apr 2002 17:56:06 +0200 (MEST) |
Hi,
We have 2 cvs server processes each of them running in a different
machine (called lxcvs01 and lxcvs02), both serving the same CVSROOT. For
that we have defined an IP name (isscvs) which is translated into lxcvs01
or lxcvs02 depending on workload and availability. Both pserver and ssh
access to this setup work fine. Unfortunately, kerberos 4 access does not
work and we get the following error message:
-----in the client side----------------
> echo $CVSROOT
:kserver:isscvs.cern.ch:/afs/cern.ch/project/cvs/itcobe
> cvs co CVSROOT/cvs-log
cvs [checkout aborted]: kerberos authentication failed: Can't get
inter-realm ticket granting ticket (get_ad_tkt)
>
----------------------------------------------------------------
-----in the server side----------------
E Fatal error, aborting.
error 0 kerberos: can't get local name: Generic kerberos error (kfailure)
----------------------------------------------------------------
Cvs queries to both:
----------------------------------------------------------------
:kserver:lxcvs01.cern.ch:/afs/cern.ch/project/cvs/itcobe
...and
:kserver:lxcvs02.cern.ch:/afs/cern.ch/project/cvs/itcobe
----------------------------------------------------------------
work fine.
We believe this is due to the fact that the cvs client acquires a
kerberos 4 ticket for rcmd.isscvs which none of our servers (lxcvs01 and
lxcvs02) can decode even if it existed. We have few questions:
* What (server) principals does cvs use?.
* Could this work if the client did a gethostbyname, gethostbyaddr
to find out the real name?
* Does CVS really uses a hostname-dependent ticket and, in
particular, what the 'service' name is.
any answer to them is very welcome. Suggestions to workaround this
problem are also welcome.
Thanks: manuel guijarro
--------------------------------+---------------------------------------
Manuel Guijarro: Information Technology Division
European Organisation for Nuclear Research
European Laboratory for Particle Physics (CERN)
--------------------------------+---------------------------------------
Earth mail: | E-mail:
|
CERN/IT/PS/Unix Infrastructure | Manuel.Guijarro@cern.ch
CH-1211 Geneve 23. Switzerland. | http://cern.ch/manuel
Phone #: + 41 22 767 24 03 | Fax #:
GSM phone #:+ 41 79 201 4137 | + 41 22 767 71 55
--------------------------------+---------------------------------------
Internal mail address:
Manuel GUIJARRO IT division, PS Group, Buildg:513, off:2-019
--------------------------------+---------------------------------------
########################################################################
#One is taken as intelligent man if he talks about what he doesn't know#
#########using the most unintelligible language." (Voltaire)############
########################################################################
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- kerberos token....,
Juan Manuel Guijarro Plaza <=