[OpenAFS] Changing Kerberos Server?

Matthew N. Andrews matt@slackers.net
Sun, 04 Aug 2002 08:47:06 -0700


>No, this would mean that it is NOT getting the service ticket from
>Kerberos.  Unfortunately I don't think translate_et is actually
>returning the right return code:
>
>-1765328228 (krb5).156 = unknown RPC error (-1765328228)
>
>I don't think this is really an unknown RPC error.  However, it
>definitely means that you're having a problem obtaining the AFS
>service ticket.  If you "klist" you will probably _not_ have the AFS
>key in there.
>
I've seen the case where some KDCs return an error if the afs key does
not exist that some aklogs don't understand. In particular, for example,
the aklog in the Red Hat openafs 1.2.5 rpms tries
afs/cell.name@REALM.NAME and, if it's talking to a Heimdal KDC, doesn't
understand the return code and thus doesn't proceed to trying
afs@REALM.NAME. Other (MIT) KDCs return a different error code for this
condition, which aklog identifies as "key does not exist" and goes on to
try afs@REALM.NAME.
I think that the afs-kerberos5 migration kit contains an aklog that does
the right thing.
I can't remember if the afslog from arla does the right thing or not.

-Matthew Andrews

>
>>I have the local Kerberos-KDC as a secondary KDC in the /etc/krb5.conf.
>>When I start the local KDC-Daemon, it works fine. The Kerberos-Database is
>>the same, host keys are exported on both KDCs.
>>The new, extra-Kerberos-Server is Version 1.2.4, the local one 1.2.5.
>
>Does other kerberos stuff work on the new server?
>
>>Any ideas?
>
>-derek
>
>>Thanks, Klaas
>>----- Original Message -----
>>From: "Derek Atkins" <warlord@MIT.EDU>
>>To: "Klaas Hagemann" <kerberos@northsailor.de>
>>Cc: <openafs-info@openafs.org>
>>Sent: Friday, August 02, 2002 12:07 AM
>>Subject: Re: [OpenAFS] Changing Kerberos Server?
>>
>>>Is your krb5.conf up to date with the new KDC location?
>>>Did you just rename the KDC or did you create a new
>>>database?  Are you sure the AFS key is the same?
>>>What do you get from 'aklog -d'?
>>>
>>>-derek
>>>
>>>"Klaas Hagemann" <kerberos@northsailor.de> writes:
>>>
>>>>Hi,
>>>>
>>>>I have installed OpenAFS with Kerberos-Integration on my Kerberos-Server.
>>>>Now my Kerberos-Server has moved.
>>>>
>>>>Kerberos itself works fine, I get a ticket and also get the afs/REALM
>>>>ticket. But aklog then fails.
>>>>It says:
>>>>couldn't get afs tickets:
>>>>cannot contact any kdc for requested realm while getting AFS-Tickets
>>>>
>>>>When I then do klist, I have the service ticket for afs, so kerberos works
>>>>and /etc/krb5.conf is correct.
>>>>When I start kerberos services on the afs-server again, it works fine.
>>>>
>>>>Any ideas?
>>>>
>>>>Klaas
>>>>
>>>>_______________________________________________
>>>>OpenAFS-info mailing list
>>>>OpenAFS-info@openafs.org
>>>>https://lists.openafs.org/mailman/listinfo/openafs-info
>>>--
>>>       Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
>>>       Member, MIT Student Information Processing Board  (SIPB)
>>>       URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
>>>       warlord@MIT.EDU                        PGP key available
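
The "(krb5).156" in the translate_et line quoted above comes from how com_err packs a table name and an offset into one integer. The decoder below is an added example, not code from this thread or from OpenAFS; the two offset names are taken from MIT krb5's error table, and decode_et and krb5_name are names chosen here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* com_err packs an error code as (table id << 8) | offset. The table id
 * encodes up to four name characters, six bits each (0 = no character). */
#define ERRCODE_RANGE 8
#define BITS_PER_CHAR 6

static const char char_set[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_";

/* Write the table name for `code` into out and return the offset. */
static int decode_et(int32_t code, char out[6])
{
    uint32_t u = (uint32_t)code;          /* avoid shifting a negative value */
    uint32_t id = (u >> ERRCODE_RANGE) & 0xFFFFFFu;
    char *p = out;

    for (int i = 4; i >= 0; i--) {
        unsigned ch = (id >> (BITS_PER_CHAR * i)) & 0x3Fu;
        if (ch != 0)
            *p++ = char_set[ch - 1];
    }
    *p = '\0';
    return (int)(u & 0xFFu);
}

/* Only the two krb5 offsets relevant to this thread (assumption: MIT names). */
static const char *krb5_name(int offset)
{
    switch (offset) {
    case 7:   return "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"; /* service key missing */
    case 156: return "KRB5_KDC_UNREACH";   /* cannot contact any KDC for realm */
    default:  return "(not listed here)";
    }
}

int main(void)
{
    /* First value is the code quoted in the thread; the second is krb5 base + 7. */
    int32_t codes[] = { -1765328228, -1765328377 };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        char table[6];
        int off = decode_et(codes[i], table);
        printf("%d = (%s).%d %s\n", (int)codes[i], table, off, krb5_name(off));
    }
    return 0;
}
```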