[OpenAFS] That infamous, magnificent bastard, error 19270408.

Ken Hornstein kenh@cmf.nrl.navy.mil
Sun, 10 Sep 2006 16:07:30 -0400


>I've searched the archives pretty hard, but I'm still getting stymied  
>by your friend and mine, rxkad error 19270408.  Our windows clients  
>are working perfectly, and our Solaris -8- configuration is working  
>perfectly with its internal k5/k4 bits but our Solaris 9  
>configuration against strict Krb5 isn't.  It's a pretty standard  
>build of client 1.4.1 against Solaris 9, using Sun's compilers- a  
>rather old revision.  If more specifics might be useful, I'll  
>cheerily provide them.

So, I am confused a bit here.  When you say "working with internal
k5/k4 bits" ... what does that mean?  You're using klog?  Or the 524
translator?  It sounds like systems that use the "internal" bits
work fine, but ones that use pure k5 don't.

>I get k5 tickets..  I get AFS tokens.. but on login, I get:
>afs: Tokens for user of AFS id XXXX for cell cats.ucsc.edu are  
>discarded (rxkad error=19270408).

It's always amazing to me the people that have this problem, when
it should be pretty simple to debug.

>Our AFS server administrator has checked the keys across the AFS  
>servers and on the K5 principal information on the KDC- but the  
>problem still persists.  I've looked at the code.. and my suspicion  
>is that if the keys were different amongst AFS servers and/or between  
>AFS and Kerberos servers, then -no- clients would work- not just the  
>"macOS and/or Solaris 9" situation I'm getting now.

When you say that they checked them ... what exactly did they check?
Did they compare the kvnos to make sure that they match?

Here's what I would advise:

- After you login to the systems that don't work, do a "klist".  You
  should see an AFS service principal.  Post the output of that klist.
- Run "kvno" and give it as an argument the AFS service principal.  You
  should see it say "kvno = <n>", where <n> should be a small integer
  number.  I am assuming MIT Kerberos, but since you're using MacOS X,
  that should be a given.
- Run (or have someone run who has the ability) "bos listkeys" against your
  AFS servers.  You should see something like:

  key <n> has cksum xxxxxxxxxx

  where <n> is the kvno of the key stored in the KeyFile on that server.
  There can be multiple keys in the KeyFile.

  You need one of the keys in the KeyFile to match the kvno of the key
  you get from the KDC.  When you get this error, it's telling you that
  the AFS server can't find a key in the KeyFile that matches the kvno
  in the ticket that you gave it.

--Ken
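The check Ken describes above, comparing the kvno in the AFS service ticket against the key versions in the servers' KeyFile, written out as a small POSIX sh script. This is an added example, not part of the original message: the `kvno` and `bos listkeys` output embedded below is constructed, and the service principal and realm are assumed.

```shell
# Constructed sample output (not from real servers) standing in for what
# "kvno afs/cats.ucsc.edu@CATS.UCSC.EDU" (MIT Kerberos) and "bos listkeys <server>"
# would print; substitute the real command output when diagnosing.
KVNO_OUT='afs/cats.ucsc.edu@CATS.UCSC.EDU: kvno = 4'
LISTKEYS_OUT='key 2 has cksum 1234567890
key 3 has cksum 987654321
Keys last changed on Fri Sep  1 12:00:00 2006.
All done.'

# Extract the integer after "kvno = " from kvno(1) output.
ticket_kvno() {
    printf '%s\n' "$1" | sed -n 's/.*kvno = \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Extract every key version number from "bos listkeys" output, one per line.
keyfile_kvnos() {
    printf '%s\n' "$1" | sed -n 's/^key \([0-9][0-9]*\) has cksum.*/\1/p'
}

# Succeed (exit 0) if the ticket's kvno appears among the KeyFile keys,
# fail (exit 1) otherwise; a missing match is what rxkad 19270408 reports.
kvno_matches() {
    want=$(ticket_kvno "$1")
    [ -n "$want" ] || return 1
    for have in $(keyfile_kvnos "$2"); do
        [ "$have" = "$want" ] && return 0
    done
    return 1
}

if kvno_matches "$KVNO_OUT" "$LISTKEYS_OUT"; then
    echo "kvno $(ticket_kvno "$KVNO_OUT") is in the KeyFile: key version is not the problem"
else
    echo "kvno $(ticket_kvno "$KVNO_OUT") is NOT in the KeyFile: expect rxkad error 19270408"
fi
```

Run the same check against each fileserver's `bos listkeys` output; every server the client talks to needs a key with the ticket's kvno.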