[OpenAFS] client unable to access afs-cell after update to 1.4.1

Douglas E. Engert deengert@anl.gov
Thu, 01 Jun 2006 08:56:35 -0500


Ulrich Eck wrote:

> hi there,
> 
> we have a small AFS-Cell using MIT-KRB5+524d on several debian/linux
> machines.
> 
> after upgrading one of the openafs-clients (debian) to v1.4.1 + new
> kernel-modules
> we're not able to access the afs-cell from this system.
> 
> there seems to be a difference between v1.3.81 (used on our
> fileservers/other clients) and 
> the new v1.4.1 in respect to what service-ticket aklog requests.
> 
> on a working machine it requests a service-ticket for afs@OUR.DOMAIN
> with the new
> version it requests afs/cellname@OUR.DOMAIN. i tried to create a
> principal afs/cellname@OUR.DOMAIN in our kdc - but i didn't have success
> as the kvno of the newly created principal does not match the
> server-config.

Not sure what you mean by server-config.

But the /usr/afs/KeyFile on the servers only has DES keys and key
version numbers. It cannot check which key belongs to
which principal. So as long as the kvno's are different on
the principals for afs/cellname@OUR.DOMAIN and afs@OUR.DOMAIN
you can add both keys to the KeyFile.

> 
> i get this error-message in the syslog of the client: 
> kernel: afs: Tokens for user of AFS id XXX for cell cellname are
> discarded (rxkad error=19270408)
> 
> ~$ translate_et 19270408
> 19270408 (rxk).8 = ticket contained unknown key version number
> 
> so my question(s):
> 
> is it possible to tell aklog to behave like it did before the upgrade
> (ergo request the afs@OUR.DOMAIN ticket) ?

So it would not matter.

> 
> if not: can i tell the afs-cell to accept more than one service-ticket
> (afs@OUR.DOMAIN and afs/cellname@OUR.DOMAIN) and if yes - how would i do
> so ?

Yes, see above.

> 
> thanks in advance for any suggestions/help
> 
> cheers Ulrich
> 
> 

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
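
Added example, not part of the original message and not OpenAFS code: a small Python model of the kvno-only key lookup described in the reply, showing why a ticket with a kvno missing from the KeyFile yields error 19270408 and why two principals can share the file only when their kvnos differ. The record layout (big-endian count, then kvno plus 8-byte key), the function names, the constant name and the kvno/key values are assumptions constructed for illustration.

```python
import struct

RXKAD_UNKNOWN_KVNO = 19270408  # error code quoted in the post; constant name is made up here

def build_keyfile(entries):
    # Constructed sample blob. Assumed layout: 4-byte big-endian count,
    # then one (4-byte kvno, 8-byte DES key) record per key.
    blob = struct.pack(">i", len(entries))
    for kvno, key in entries:
        blob += struct.pack(">i8s", kvno, key)
    return blob

def parse_keyfile(blob):
    # Returns {kvno: key}. No principal name is stored anywhere in the file.
    (count,) = struct.unpack_from(">i", blob, 0)
    keys = {}
    for i in range(count):
        kvno, key = struct.unpack_from(">i8s", blob, 4 + 12 * i)
        keys[kvno] = key
    return keys

def add_key(keys, kvno, key):
    # Two principals can share the file only if their kvnos differ.
    if kvno in keys and keys[kvno] != key:
        raise ValueError(f"kvno {kvno} already holds a different key")
    keys[kvno] = key

def check_ticket(keys, ticket_kvno):
    # The server picks the key by the kvno in the ticket and nothing else.
    return 0 if ticket_kvno in keys else RXKAD_UNKNOWN_KVNO

# Constructed values: kvno 3 stands for afs@OUR.DOMAIN, kvno 1 for afs/cellname@OUR.DOMAIN.
OLD_KEY, NEW_KEY = b"\x01" * 8, b"\x02" * 8

if __name__ == "__main__":
    keys = parse_keyfile(build_keyfile([(3, OLD_KEY)]))
    print(check_ticket(keys, 1))   # new principal's kvno not in the file yet
    add_key(keys, 1, NEW_KEY)      # distinct kvno, so both keys coexist
    print(check_ticket(keys, 1), check_ticket(keys, 3))
```

Before adding a second principal's key, compare its kvno against the ones already in the file; a clash means re-keying one principal to bump its kvno first.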