[OpenAFS] Changing Kerberos Server?

Derek Atkins warlord@MIT.EDU
02 Aug 2002 21:57:03 -0400


"klaas hagemann" <klaas@northsailor.de> writes:

> Hi Derek,
> 
> krb5.conf is up to date.
> I dumped the database on the old server, loaded it on the new server and
> created the stash-file and host-key for the Kerberos Server.
> After your mail I created the afs/ principal anew and imported the new key.

Hmm, you dumped the database and then reloaded it into a new database
with a different master key?  I think that would be the cause of your
error -- I'm fairly sure the dump file is encrypted (although I could
be wrong, but I was fairly sure it was true).

> But it does not help.
> When I do aklog -d I get the following:
> 
> > Authenticating to cell testsystem.test (server afs01.center.testsystem.test).
> > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST.
> > Getting tickets: afs/testsystem.test@TESTSYSTEM.TEST
> > Kerberos error code returned by get_cred: -1765328228
> > aklog: Couldn't get testsystem.test AFS tickets:
> > aklog: Cannot contact any KDC for requested realm while getting AFS tickets
> 
> So it gets the afs-service ticket from Kerberos but cannot log in to afs
> with it.

No, this would mean that it is NOT getting the service ticket from
Kerberos.  Unfortunately I don't think translate_et is actually
returning the right return code:

-1765328228 (krb5).156 = unknown RPC error (-1765328228)

I don't think this is really an unknown RPC error.  However, it
definitely means that you're having a problem obtaining the AFS
service ticket.  If you "klist" you will probably _not_ have the AFS
key in there.

> I have the local Kerberos KDC as a secondary KDC in the /etc/krb5.conf.
> When I start the local KDC daemon, it works fine. The Kerberos database is
> the same, host keys are exported on both KDCs.
> The new, extra Kerberos server is version 1.2.4, the local one 1.2.5.

Does other kerberos stuff work on the new server?

> Any ideas?

-derek

> Thanks, Klaas
> ----- Original Message -----
> From: "Derek Atkins" <warlord@MIT.EDU>
> To: "Klaas Hagemann" <kerberos@northsailor.de>
> Cc: <openafs-info@openafs.org>
> Sent: Friday, August 02, 2002 12:07 AM
> Subject: Re: [OpenAFS] Changing Kerberos Server?
> 
> 
> > Is your krb5.conf up to date with the new KDC location?
> > Did you just rename the KDC or did you create a new
> > database?  Are you sure the AFS key is the same?
> > What do you get from 'aklog -d'?
> >
> > -derek
> >
> > "Klaas Hagemann" <kerberos@northsailor.de> writes:
> >
> > > Hi,
> > >
> > > I have installed OpenAFS with Kerberos-Integration on my Kerberos-Server.
> > > Now my Kerberos-Server has moved.
> > >
> > > Kerberos itself works fine, I get a ticket and also get the afs/REALM
> > > ticket. But aklog then fails.
> > > It says:
> > > couldn't get afs tickets:
> > > cannot contact any kdc for requested realm while getting AFS-Tickets
> > >
> > > When I then do klist, I have the service ticket for afs, so Kerberos works
> > > and /etc/krb5.conf is correct.
> > > When I start Kerberos services on the afs-server again, it works fine.
> > >
> > > Any ideas?
> > >
> > > Klaas
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> >        Member, MIT Student Information Processing Board  (SIPB)
> >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> >        warlord@MIT.EDU                        PGP key available
> 

-- 
       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
       Member, MIT Student Information Processing Board  (SIPB)
       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
       warlord@MIT.EDU                        PGP key available
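
Added example, not part of the original message or of OpenAFS/krb5: the code `-1765328228` from the `aklog -d` output can be split by hand using the com_err layout (low 8 bits are the offset, the upper bits pack the table name at 6 bits per character). The one-entry `KNOWN` table and the function names are assumptions made for this illustration.

```python
# Added example: split a com_err code (as printed by "aklog -d") into
# its error-table name and the offset within that table.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8   # low bits: offset of the error inside its table
BITS_PER_CHAR = 6   # upper bits: table name, one 6-bit index per character

# Single entry, enough for this thread. The text is what aklog printed;
# KRB5_KDC_UNREACH is the MIT krb5 name for krb5 table offset 156.
KNOWN = {("krb5", 156):
         "KRB5_KDC_UNREACH: Cannot contact any KDC for requested realm"}

def table_base(name):
    """Pack a table name (up to 4 chars) into its signed 32-bit base."""
    num = 0
    for ch in name:
        num = (num << BITS_PER_CHAR) | (CHARSET.index(ch) + 1)
    base = (num << ERRCODE_RANGE) & 0xFFFFFFFF
    return base - (1 << 32) if base & 0x80000000 else base

def table_name(code):
    """Recover the table name from the upper 24 bits of the code."""
    num = ((code & 0xFFFFFFFF) >> ERRCODE_RANGE) & 0xFFFFFF
    out = []
    for shift in (18, 12, 6, 0):
        idx = (num >> shift) & 0x3F
        if idx:                      # zero means "no character here"
            out.append(CHARSET[idx - 1])
    return "".join(out)

def decode(code):
    """Return (table, offset, message or None) for a com_err code."""
    table = table_name(code)
    offset = code & 0xFF             # works for negative ints in Python
    return table, offset, KNOWN.get((table, offset))

if __name__ == "__main__":
    code = -1765328228   # value from the aklog -d output in this thread
    table, offset, text = decode(code)
    print(f"{code} = ({table}).{offset}: {text or 'not in local table'}")
```

The decoded table and offset match the `(krb5).156` that translate_et printed, and the message for that offset is the same text aklog reported on its last line.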