[OpenAFS] Changing Kerberos Server?

Klaas Hagemann kerberos@northsailor.de
Mon, 5 Aug 2002 16:54:35 +0200


........

thank you very much!!!
that's it...

Klaas
----- Original Message -----
From: "Derek Atkins" <warlord@MIT.EDU>
To: "Klaas Hagemann" <kerberos@northsailor.de>
Cc: <openafs-info@openafs.org>
Sent: Monday, August 05, 2002 2:54 PM
Subject: Re: [OpenAFS] Changing Kerberos Server?


> Do you have krb524d running on the new server?
>
> -derek
>
> "Klaas Hagemann" <kerberos@northsailor.de> writes:
>
> > ----- Original Message -----
> > From: "Derek Atkins" <warlord@MIT.EDU>
> > To: "klaas hagemann" <klaas@northsailor.de>
> > Cc: <openafs-info@openafs.org>
> > Sent: Saturday, August 03, 2002 3:57 AM
> > Subject: Re: [OpenAFS] Changing Kerberos Server?
> >
> >
> > > "klaas hagemann" <klaas@northsailor.de> writes:
> > >
> > > > Hi Derek,
> > > >
> > > > krb5.conf is up to date.
> > > > I dumped the database on the old server, loaded it on the new server
> > > > and created the stash file and host key for the Kerberos server.
> > > > After your mail I created the afs/principal anew and imported the new
> > > > key.
> > >
> > > Hmm, you dumped the database and then reloaded it into a new database
> > > with a different master key?  I think that would be the cause of your
> > > error -- I'm fairly sure the dump file is encrypted (although I could
> > > be wrong, but I was fairly sure it was true).
> >
> > Of course, I used the same master key. I had to enter the right password
> > to create a new stash file. And everything else (kinit, etc.) works fine
> > with the new server.
> >
> > > > But it does not help.
> > > > When I do aklog -d I get the following:
> > > >
> > > > > Authenticating to cell testsystem.test (server afs01.center.testsystem.test).
> > > > > We've deduced that we need to authenticate to realm TESTSYSTEM.TEST.
> > > > > Getting tickets: afs/testsystem.test@TESTSYSTEM.TEST
> > > > > Kerberos error code returned by get_cred: -1765328228
> > > > > aklog: Couldn't get testsystem.test AFS tickets:
> > > > > aklog: Cannot contact any KDC for requested realm while getting AFS tickets
> > > >
> > > > So it gets the afs-service ticket from Kerberos but cannot log in to
> > > > afs with it.
> > >
> > > No, this would mean that it is NOT getting the service ticket from
> > > Kerberos.  Unfortunately I don't think translate_et is actually
> > > returning the right return code:
> > >
> > > -1765328228 (krb5).156 = unknown RPC error (-1765328228)
> > >
> > > I don't think this is really an unknown RPC error.  However, it
> > > definitely means that you're having a problem obtaining the AFS
> > > service ticket.  If you "klist" you will probably _not_ have the AFS
> > > key in there.
> >
> > When I do klist I _do_ have the afs/cell.name@REALM.NAM service ticket.
> > That is what I am wondering about.
> >
> >
> > > > I have the local Kerberos-KDC as a secondary kdc in the /etc/krb5.conf.
> > > > When I start the local KDC-Daemon, it works fine. The Kerberos-Database
> > > > is the same, host keys are exported on both kdcs.
> > > > The new, extra Kerberos-Server is version 1.2.4, the local one 1.2.5.
> > >
> > > Does other kerberos stuff work on the new server?
> > >
> > > > Any ideas?
> > >
> > > -derek
> > >
> > > > Thanks, Klaas
> > > > ----- Original Message -----
> > > > From: "Derek Atkins" <warlord@MIT.EDU>
> > > > To: "Klaas Hagemann" <kerberos@northsailor.de>
> > > > Cc: <openafs-info@openafs.org>
> > > > Sent: Friday, August 02, 2002 12:07 AM
> > > > Subject: Re: [OpenAFS] Changing Kerberos Server?
> > > >
> > > >
> > > > > Is your krb5.conf up to date with the new KDC location?
> > > > > Did you just rename the KDC or did you create a new
> > > > > database?  Are you sure the AFS key is the same?
> > > > > What do you get from 'aklog -d'?
> > > > >
> > > > > -derek
> > > > >
> > > > > "Klaas Hagemann" <kerberos@northsailor.de> writes:
> > > > >
> > > > > > Hi,
> > > > > >
> > > > > > > I have installed OpenAFS with Kerberos integration on my
> > > > > > > Kerberos server.
> > > > > > > Now my Kerberos server has moved.
> > > > > > >
> > > > > > > Kerberos itself works fine, I get a ticket and also get the
> > > > > > > afs/REALM ticket. But aklog then fails.
> > > > > > > It says:
> > > > > > > couldn't get afs tickets:
> > > > > > > cannot contact any kdc for requested realm while getting AFS-Tickets
> > > > > > >
> > > > > > > When I then do klist, I have the service ticket for afs, so
> > > > > > > Kerberos works and /etc/krb5.conf is correct.
> > > > > > > When I start Kerberos services on the afs-server again, it works
> > > > > > > fine.
> > > > > >
> > > > > > Any ideas?
> > > > > >
> > > > > > Klaas
> > > > > >
> > > > > > _______________________________________________
> > > > > > OpenAFS-info mailing list
> > > > > > OpenAFS-info@openafs.org
> > > > > > https://lists.openafs.org/mailman/listinfo/openafs-info
> > > > >
> > > > > --
> > > > >        Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> > > > >        Member, MIT Student Information Processing Board  (SIPB)
> > > > >        URL: http://web.mit.edu/warlord/    PP-ASEL-IA     N1NWH
> > > > >        warlord@MIT.EDU                        PGP key available
> > > >
> > >
> >
>
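
The numeric code that `aklog -d` reports from get_cred in the thread above can be split into a com_err table name and an offset, which is the `(krb5).156` form quoted in the thread. The following is an added example, not code from the thread or from OpenAFS or MIT Kerberos; it reimplements com_err's name-packing scheme, and the one-entry `KNOWN` map is an assumption that pairs the symbol name from MIT krb5's error table with the message text aklog printed.

```python
"""Decode a com_err error code into (table name, offset)."""

# Character set com_err uses to pack a table name into the code's high bits.
CHARSET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
           "abcdefghijklmnopqrstuvwxyz"
           "0123456789_")
ERRCODE_RANGE = 8      # low 8 bits: index of the message inside the table
BITS_PER_CHAR = 6      # each character of the table name occupies 6 bits

# Single entry, enough for the code in this thread. The message text is the
# one aklog printed; the symbol name is from MIT krb5's error table.
KNOWN = {("krb5", 156): ("KRB5_KDC_UNREACH",
                         "Cannot contact any KDC for requested realm")}


def decode_com_err(code):
    """Split a signed 32-bit com_err code into (table_name, offset)."""
    unsigned = code & 0xFFFFFFFF          # tools print the code as a signed long
    offset = unsigned & ((1 << ERRCODE_RANGE) - 1)
    packed = (unsigned >> ERRCODE_RANGE) & 0o77777777
    name = []
    for i in range(4, -1, -1):            # most significant character first
        ch = (packed >> (BITS_PER_CHAR * i)) & ((1 << BITS_PER_CHAR) - 1)
        if ch:                            # 0 means "no character in this slot"
            name.append(CHARSET[ch - 1])
    return "".join(name), offset


def describe(code):
    """Render a code the way translate_et does, plus the symbol if known."""
    table, offset = decode_com_err(code)
    if not table:
        return f"{code}: no com_err table encoded (plain errno-style value)"
    symbol, text = KNOWN.get((table, offset), ("?", "not in the local map"))
    return f"{code} = ({table}).{offset} {symbol}: {text}"


if __name__ == "__main__":
    # The code from the aklog -d output quoted in the thread.
    print(describe(-1765328228))
```
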