[OpenAFS-devel] afslog fails after update to heimdal 0.6 with msg "KDC policy rejects request"
Ken Aaker
kenaaker@myclearwave.net
Mon, 31 May 2004 21:29:49 -0500
This can be filed in the "no good deed goes unpunished" bin.
I updated my openafs server at home to pick up some security updates,
and I can't get tokens any more.
I've spent every bit of free time that I've had this weekend trying to
get this sorted out, and I've run out of ideas.
Here's the information about my setup.
Running SuSE 9.0 on a dual Pentium server....
-------------Running openafs - Version information--------------------------
Name : openafs Relocations: (not relocateable)
Version : 1.2.11 Vendor: (none)
Release : 24.4aaker Build Date: Mon 02 Feb 2004 11:43:47 PM CST
-------------Running Heimdal - Version information--------------------------
Name : heimdal Relocations: (not relocateable)
Version : 0.6 Vendor: SuSE Linux AG, Nuernberg, Germany
Release : 159 Build Date: Fri Apr 16 06:50:19 2004
--------------klist output--------------------
[kdaaker@endar kdaaker]$ klist
Credentials cache: FILE:/tmp/krb5cc_1043
Principal: kdaaker@AAKER.ORG
Issued Expires Principal
May 31 20:45:01 Jun 30 20:45:01 krbtgt/AAKER.ORG@AAKER.ORG
-------------tokens output-----------------------
[kdaaker@endar kdaaker]$ tokens
Tokens held by the Cache Manager:
--End of list--
-------- afslog -v output--------------
[kdaaker@endar kdaaker]$ afslog -v
krb5 tried afs@AAKER.ORG -> -1765328377
krb5 tried afs/aaker.org@AAKER.ORG -> -1765328372
krb5 tried afs@AAKER.ORG -> -1765328377
krb5 tried afs/aaker.org@AAKER.ORG -> -1765328372
afslog: krb5_afslog((null)): KDC policy rejects request
----------------- /etc/krb5.conf-------------------
[libdefaults]
    default_realm = AAKER.ORG
    default_etypes = des-cbc-crc
    default_etypes_des = des-cbc-crc
    ticket_lifetime = 30d
    clockskew = 300
    forwardable = true
    forward = true
    default_realm = AAKER.ORG
[realms]
    AAKER.ORG = {
        kdc = KERBEROS.AAKER.ORG
        admin_server = KERBEROS.AAKER.ORG
        krb524_server = KERBEROS.AAKER.ORG
        v4_name_convert = {
            ftp = ftp
            pop = pop
            rcmd = host
        }
        default_domain = aaker.org
        kpasswd_server = KERBEROS.AAKER.ORG
    }
[domain_realm]
    .aaker.org = AAKER.ORG
    aaker.org = AAKER.ORG
[kadmin]
    kdc =
    default_keys = v4 v5 afs3
    afs-cell = aaker.org
    v4-realm = AAKER.ORG
[logging]
    default = SYSLOG:NOTICE:DAEMON
    kdc = FILE:/var/log/kdc.log
    kadmind = FILE:/var/log/kadmind.log
[appdefaults]
    forwardable = true
    default_lifetime = 240h
    afs_krb5 = {
        AAKER.ORG = {
            afs = false
            afs/aaker.org = true
        }
    }
    pam = {
        # debug = true
        ticket_lifetime = 30d
        renew_lifetime = 30d
        forwardable = true
        afs_cells = aaker.org
        hosts = kerberos.aaker.org
        max_timeout = 30
        timeout_shift = 2
        initial_timeout = 1
        proxiable = true
        retain_after_close = false
        minimum_uid = 0
    }
    # krb5_run_aklog = 1
    # krb5_aklog_path = /usr/bin/aklog
------------------------------------------------------------
--------------------- KeyFile Info. ------------------------
endar:/etc # ktutil -k AFSKEYFILE:/usr/afs/etc/KeyFile list
AFSKEYFILE:/usr/afs/etc/KeyFile:
Vno Type Principal
2 des-cbc-md5 afs/aaker.org@AAKER.ORG
----------------------kadmin -l output----------------------
kadmin> list *
....... (omitted some userids)
kadmin/admin@AAKER.ORG
kadmin/hprop@AAKER.ORG
afs/aaker.org@AAKER.ORG
kadmin/changepw@AAKER.ORG
krbtgt/AAKER.ORG@AAKER.ORG
changepw/kerberos@AAKER.ORG
host/mars.aaker.org@AAKER.ORG
host/endar.aaker.org@AAKER.ORG
....... (omitted some hosts)
kadmin> get afs/aaker.org@AAKER.ORG
Principal: afs/aaker.org@AAKER.ORG
Principal expires: never
Password expires: never
Last password change: never
Max ticket life: 1 month
Max renewable life: 1 month
Kvno: 2
Mkvno: 0
Policy: none
Last successful login: never
Last failed login: never
Failed login count: 0
Last modified: 2004-02-15 16:24:13 UTC
Modifier: kadmin/admin@AAKER.ORG
Attributes:
Keytypes(salttype[(salt-value)]): des-cbc-crc(pw-salt),
des-cbc-md4(pw-salt), des-cbc-md5(pw-salt)
--
Ken Aaker
kenaaker@myclearwave.net
kenaaker@silverbacksystems.com
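As an added example (not part of Ken's post), the two numeric codes printed by `afslog -v` decoded against the standard krb5 com_err table, together with the consistency checks a reader would run between the KeyFile listing, the kadmin principal and the client's default_etypes. The sample values are copied from the post; the table base and KDC error numbers are the standard krb5_err.et / RFC 4120 values, and everything else is constructed.

```python
import re

# Standard com_err base of the krb5 error table (krb5_err.et); the KDC error
# numbers are the RFC 4120 error-code values. Everything else is constructed.
ERROR_TABLE_BASE_KRB5 = -1765328384
KDC_ERRORS = {
    7: "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN (server not found in Kerberos database)",
    12: "KRB5KDC_ERR_POLICY (KDC policy rejects request)",
    14: "KRB5KDC_ERR_ETYPE_NOSUPP (KDC has no support for encryption type)",
}

# Constructed copy of the two distinct lines from the `afslog -v` output above.
AFSLOG_OUTPUT = """\
krb5 tried afs@AAKER.ORG -> -1765328377
krb5 tried afs/aaker.org@AAKER.ORG -> -1765328372
"""

# Constructed from the ktutil KeyFile listing and the `kadmin -l get` output above.
KEYFILE_ENTRIES = [(2, "des-cbc-md5", "afs/aaker.org@AAKER.ORG")]
KDC_PRINCIPAL = {"name": "afs/aaker.org@AAKER.ORG", "kvno": 2,
                 "keytypes": {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5"}}
CLIENT_DEFAULT_ETYPES = {"des-cbc-crc"}      # [libdefaults] default_etypes

def decode_afslog(text):
    """Map each 'krb5 tried <principal> -> <code>' line to (principal, offset, KDC error name)."""
    results = []
    for m in re.finditer(r"krb5 tried (\S+) -> (-?\d+)", text):
        code = int(m.group(2)) - ERROR_TABLE_BASE_KRB5   # offset within the krb5 error table
        results.append((m.group(1), code, KDC_ERRORS.get(code, "unknown krb5 error %d" % code)))
    return results

def keyfile_problems(entries, principal, client_etypes):
    """Return the mismatches between the AFS KeyFile, the KDC principal and the client enctypes."""
    problems = []
    for kvno, etype, name in entries:
        if name != principal["name"]:
            problems.append("KeyFile principal %s is not %s" % (name, principal["name"]))
        if kvno != principal["kvno"]:
            problems.append("KeyFile kvno %d differs from KDC kvno %d" % (kvno, principal["kvno"]))
        if etype not in principal["keytypes"]:
            problems.append("KeyFile enctype %s missing on the KDC principal" % etype)
    if not client_etypes & principal["keytypes"]:
        problems.append("client default_etypes share no enctype with the principal")
    return problems

if __name__ == "__main__":
    for principal, code, meaning in decode_afslog(AFSLOG_OUTPUT):
        print("%-28s error %2d = %s" % (principal, code, meaning))
    print("KeyFile/KDC mismatches:", keyfile_problems(KEYFILE_ENTRIES, KDC_PRINCIPAL, CLIENT_DEFAULT_ETYPES) or "none")
```

With the values from the post, the short name afs@AAKER.ORG decodes to "server not found" (it is absent from the kadmin listing), afs/aaker.org@AAKER.ORG decodes to KRB5KDC_ERR_POLICY, and the KeyFile, kvno and enctype checks report no mismatch, which narrows the search to the KDC side.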