[OpenAFS] Moving Kerberos

James D. Nurmi jnurmi-openafs-info@qwe.cc
Tue, 25 Feb 2003 13:10:58 -0500 

HAH! Got the bugger....  The latest error was because I still had an 
afs/cellname  principal running around...  So the fix is either tweak 
krb5.conf to default to afs/cellname (or just afs)  (windows clients 
wont go to afs/cellname, at least not that I've found, so my choice was 
straight afs@REALM)

Thanks all :-)

James Nurmi

Derek Atkins wrote:

>"James D. Nurmi" <jnurmi-openafs-info@qwe.cc> writes:
>
>  
>
>>the krb5.conf is correctly stating that the kdc & adminserver are the
>>newly CNamed kerberos1 machine... Kinit works, aklog works.  klist
>>lists out the new ticket, tokens claims to have tokens... However if I
>>try to enter a section on /afs that requires anything above
>>system:anyuser (from any client machine) gets:
>>
>>afs: Tokens for user of AFS id 2 for cell econ.vt.edu are discarded
>>(rxkad error=19270408)
>>    
>>
>
>Are you sure you configured your krb524d to produce old-style afs
>tokens?  See the Kerberos documentation.
>
>  
>
>>Interestingly, klog fails, and AFS for windows says Authentication
>>Server cannot be found...
>>    
>>
>
>Yea -- klog specifically looks at the AFS DB servers.
>
>  
>
>>Still toying with it though...  I'll let you know if i get any
>>breakthroughs....
>>    
>>
>
>-derek
>
>  
>
>>Derek Atkins wrote:
>>
>>    
>>
>>>Set your krb.conf/krb5.conf to point to the new KDC.
>>>
>>>Or do you mean you're actually using "klog"???
>>>
>>>-derek
>>>
>>>"James D. Nurmi" <jnurmi-openafs-info@qwe.cc> writes:
>>>
>>>
>>>      
>>>
>>>>I've been attempting of late to rotate some of the functionality of
>>>>our servers to accomodate a new machine... In the process, I would
>>>>like to move kerberos off of one of our AFS machines onto its own box.
>>>>I got the KDC moved as well as possible, and all services work
>>>>normally, except for AFS...  Is there a way to tell AFS where to look
>>>>for the kerberos server?  or does it /have/ to be on the ptServer?
>>>>
>>>>James Nurmi
>>>>
>>>>
>>>>_______________________________________________
>>>>OpenAFS-info mailing list
>>>>OpenAFS-info@openafs.org
>>>>https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>
>>>>        
>>>>
>>>      
>>>
>>_______________________________________________
>>OpenAFS-info mailing list
>>OpenAFS-info@openafs.org
>>https://lists.openafs.org/mailman/listinfo/openafs-info
>>    
>>
>
>  
>