[OpenAFS-devel] New AFS cell: MIT aklog fails; Heimdal aklog works

Asheesh Laroia openafs@asheeshenterprises.com
Sun, 26 Sep 2004 18:58:47 -0400


I'm setting up a new AFS cell, but there is clearly some breakage
around.  I'm using OpenAFS 1.3.70 as packaged by Sam Hartman in Debian
Experimental, because I had some problems using the 1.2.11 client in
Debian Testing with the 1.3.71 kernel module (which I compiled from
source).

On the AFS server (kiwi.gooftroop.org), I'm using the krb5-* series of
packages from Debian, which are MIT Kerberos.  On kiwi, I can
authenticate fine to the realm GOOFTROOP.ORG using kinit, and then run
aklog (from the openafs-krb5 package) to get access to AFS space.

(Hooray!  Almost.)

On a Debian GNU/Linux client renaissance, kinit works fine to
authenticate to the realm.  afsd is running, and "ls /afs" works fine. 
But when I use aklog to get AFS tokens, I get:

<transcript>
paulproteus@renaissance:~$ aklog -d
Authenticating to cell gooftroop.org (server kiwi.gooftroop.org).
We've deduced that we need to authenticate to realm GOOFTROOP.ORG.
Getting tickets: afs/gooftroop.org@GOOFTROOP.ORG
About to resolve name paulproteus to id in cell gooftroop.org.
Id 2
Set username to AFS ID 2
Setting tokens. AFS ID 2 /  @ GOOFTROOP.ORG
aklog: unable to obtain tokens for cell gooftroop.org (status: a pioctl failed).
</transcript>

However, if I replace openafs-krb5 and MIT krb5-user, krb5-utils with
the heimdal-clients package, I can run this successfully and be
authenticated to AFS.  I would just use this setup if I didn't have
Windows clients.  The OpenAFS 1.3.71 client, seemingly properly 
configured, gives:

<message>
The AFS client was unable to obtain tokens as paulproteus in cell 
gooftroop.org.

Error: 3 (unknown authentication error 3)
</message>

Can someone help diagnose either the pioctl failure or the Windows
failure?  Thanks!

-- Asheesh Laroia.