[OpenAFS] Changing Kerberos Server?
Derek Atkins
warlord@MIT.EDU
02 Aug 2002 21:57:03 -0400
"klaas hagemann" <klaas@northsailor.de> writes:
> Hi Derek,
>
> krb5.conf is up to date.
> I dumped the database on the old server, loaded it on the new server and
> createt the stash-file and host-key for the Kebreros Server.
> After your mail i createt the afs/Prinzipal new and imported the new key.
Hmm, you dumped the database and then reloaded it into a new database
with a different master key? I think that would be the cause of your
error -- I'm fairly sure the dump file is encrypted (although I could
be wrong, but I was fairly sure it was true).
> But it does not help.
> Wenn I do aklog -d i get the following:
>
> > Authenticating to cell testsystem.test (server
> afs01.center.testsystem.test).
> > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST.
> > Getting tickets: afs/testsystem.test@TESTSYSTEM.TEST
> > Kerberos error code returned by get_cred: -1765328228
> > aklog: Couldn't get testsystem.test AFS tickets:
> > aklog: Cannot contact any KDC for requested realm while getting AFS
> tickets
>
> So it gets the afs-service ticket from Kerberos but cannot log in to afs
> with it.
No, this would mean that it is NOT getting the service ticket from
Kerberos. Unfortunately I dont think translate_et is actually
returning the right return code:
-1765328228 (krb5).156 = unknown RPC error (-1765328228)
I dont think this is really an unknown RPC error. However, it
definitely means that you're having a problem obtaining the AFS
service ticket. If you "klist" you will probably _not_ have the AFS
key in there.
> I have the local Kerberos-KDC as a secondary kdc in the /etc/krb5.conf.
> When i start the lokal KDC-Deamon, it works fine. The Kerberos-Database is
> the same, host keys are exportet on both kdcs.
> The new, extra-Kerberos-Server is Version 1.2.4, the local one 1.2.5.
Does other kerberos stuff work on the new server?
> Any ideas?
-derek
> Thanks, Klaas
> ----- Original Message -----
> From: "Derek Atkins" <warlord@MIT.EDU>
> To: "Klaas Hagemann" <kerberos@northsailor.de>
> Cc: <openafs-info@openafs.org>
> Sent: Friday, August 02, 2002 12:07 AM
> Subject: Re: [OpenAFS] Changing Kerberos Server?
>
>
> > Is your krb5.conf up to date with the new KDC location?
> > Did you just rename the KDC or did you create a new
> > database? Are you sure the AFS key is the same?
> > What do you get from 'aklog -d'?
> >
> > -derek
> >
> > "Klaas Hagemann" <kerberos@northsailor.de> writes:
> >
> > > Hi,
> > >
> > > i have installed OpenAFS with Kerberos-Integration on my
> Kerberos-Server.
> > > Now my Kerberos-Server has moved.
> > >
> > > Kerberos itsself works fine, i get a ticket and also get the afs/REALM
> > > ticket. But aklog then fails.
> > > It says:
> > > couldn't get afs tickets:
> > > cannot contact any kdc for requested realm while getting AFS-Tickets
> > >
> > > When i then do klist, i have the service ticket for afs, so kerberos
> works
> > > and /etc/krb5.conf is correct.
> > > When i start kerberos services on the afs-server again, it works fine.
> > >
> > > Any ideas?
> > >
> > > Klaas
> > >
> > > _______________________________________________
> > > OpenAFS-info mailing list
> > > OpenAFS-info@openafs.org
> > > https://lists.openafs.org/mailman/listinfo/openafs-info
> >
> > --
> > Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > Member, MIT Student Information Processing Board (SIPB)
> > URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> > warlord@MIT.EDU PGP key available
> > _______________________________________________
> > OpenAFS-info mailing list
> > OpenAFS-info@openafs.org
> > https://lists.openafs.org/mailman/listinfo/openafs-info
>
--
Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
Member, MIT Student Information Processing Board (SIPB)
URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
warlord@MIT.EDU PGP key available