[OpenAFS] openafs and kerberos5

Ken Hornstein kenh@cmf.nrl.navy.mil
Mon, 09 Apr 2001 13:10:08 -0400


>So that's obviously reason #1 why it's broke, and you're saying I
>also need to match the user's k5 & afs kvno's?

No.

The user's keys DON'T matter.  You can have completely different passwords
in the AFS and Kerberos 5 databases and still access AFS as the same
user.  We did this for a little while during the transition period.
Now I'm not saying I _recommend_ doing this (ours was a strange and
special case) but the point here is that the user's keys don't matter
for this case.  Your problem is completely with the AFS service
key.

>I'm a little gun-shy 'cause every time I've converted the master key
>it's locked me out of the afs admin tools and I have to re-boot,
>re-config and try again. (finally figured out that recovery is
>simpler if I back up the afs KeyFile.)

Uh ... are you updating the AFS KeyFile on _ALL_ AFS servers and database
servers?  That's something you need to make sure you're doing as well.
When I wrote the original kit directions, I had mistakenly assumed that
everyone was running update to make sure that all was happening; I found
out only later that many people don't do that.

--Ken
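
An added example, not part of the original message: one way to check that every AFS server holds the same KeyFile contents is to compare the kvno/checksum pairs each server reports. It assumes the text was collected by running `bos listkeys` against each server and that key lines read `key N has cksum C`; the host names and checksum values below are constructed.

```python
import re

# Assumed line format of `bos listkeys` output (without -showkey).
KEY_LINE = re.compile(r"^key\s+(\d+)\s+has\s+cksum\s+(\d+)$")

def parse_listkeys(text):
    """Return {kvno: cksum} for the key lines; other lines are ignored."""
    keys = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line.strip())
        if m:
            keys[int(m.group(1))] = int(m.group(2))
    return keys

def keyfile_drift(outputs, reference):
    """Compare each server's keys with the reference server's keys.

    outputs:   {server: listkeys text}
    reference: the server where the service key was last changed
    Returns {server: [problems]} for every server that differs.
    """
    ref = parse_listkeys(outputs[reference])
    drift = {}
    for server, text in outputs.items():
        keys = parse_listkeys(text)
        problems = []
        if not keys:
            problems.append("no keys parsed")
        for kvno in sorted(ref.keys() - keys.keys()):
            problems.append(f"missing kvno {kvno}")
        for kvno in sorted(keys.keys() - ref.keys()):
            problems.append(f"extra kvno {kvno}")
        for kvno in sorted(ref.keys() & keys.keys()):
            if ref[kvno] != keys[kvno]:
                problems.append(f"kvno {kvno} cksum differs")
        if problems:
            drift[server] = problems
    return drift

# Constructed sample: fs2 never received the new key (kvno 1).
NEW = "key 0 has cksum 972037177\nkey 1 has cksum 2712115530\nAll done.\n"
OLD = "key 0 has cksum 972037177\nAll done.\n"
SAMPLE = {"db1.example.org": NEW, "fs1.example.org": NEW, "fs2.example.org": OLD}

if __name__ == "__main__":
    for server, problems in keyfile_drift(SAMPLE, "db1.example.org").items():
        print(server, "->", ", ".join(problems))
```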