[OpenAFS] Re: rxk error: caller not authorized

J Maynard Gelinas gelinas@lns.mit.edu
Sat, 24 Apr 2004 18:42:01 -0400 (EDT)


   This appears to be a krb524d issue which came up due to a Kerberos
upgrade. Basically, the Red Hat 7.3 pam_krb5afs.so doesn't fall back to
afs@REALM after trying afs/principal/REALM, while the aklog provided by
OpenAFS does.

After initial login where pam_krb5afs.so should generate a usable token:

bash-2.05a$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1126_hxky1T
Default principal: gelinas@LNS.MIT.EDU

Valid starting     Expires            Service principal
04/24/04 18:38:01  04/25/04 18:38:01  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
        renew until 04/25/04 19:38:01, Etype (skey, tkt): DES cbc mode with CRC-32, Triple DES cbc mode with HMAC/sha1


Kerberos 4 ticket cache: /tmp/tkt1126_c3pXGm
Principal: gelinas@LNS.MIT.EDU

  Issued              Expires             Principal
04/24/04 18:38:01  04/25/04 15:53:01  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
bash-2.05a$ ls ~
ls: /afs/lns.mit.edu/user/gelinas: Permission denied
bash-2.05a$ aklog -d
Authenticating to cell lns.mit.edu (server afs1.lns.mit.edu.).
We've deduced that we need to authenticate to realm LNS.MIT.EDU.
Getting tickets: afs/lns.mit.edu@LNS.MIT.EDU
Principal not found, trying alternate service name: afs/@LNS.MIT.EDU
About to resolve name gelinas to id in cell lns.mit.edu.
Id 1126
Set username to AFS ID 1126
Setting tokens. AFS ID 1126 /  @ LNS.MIT.EDU 
bash-2.05a$ ls ~

[homedir contents spewed forth]

   I've tried updating the appdefaults in krb5.conf on the server to 
include 

[appdefaults]

   afs_krb5 = {

     LNS.MIT.EDU = {
         afs/lns.mit.edu = false
         afs = true
     }
   }

   Per suggestions I've read regarding the update to krb524d, with no
luck.

Any suggestions as to what I'm doing wrong?

Thanks for any help...

--Maynard

On Thu, 22 Apr 2004, J Maynard Gelinas wrote:

> 
>    I'm seeing a strange intermittent problem with clients trying to login 
> via gdm at the console. They successfully login, yet are unable to access 
> their files stored in AFS. The error message at the client machine reads:
> 
> Apr 22 10:43:56 ctppaganini kernel: afs: Tokens for user of AFS id 0 for cell lns.mit.edu are discarded (rxkad error=19270405)
> 
> Which means, according to:
> 
> http://grand.central.org/numbers/et/RXK.html
> 
> "19270405 RXKADNOAUTH caller not authorized"
> 
>    Manual attempts at obtaining a ticket via kinit and aklog
> intermittently seem to return a successful result yet lead to "permission
> denied" failure when attempting to access files stored in AFS space. 
> Re-authenticating then solves the problem. 
> 
>    Googling for solutions to this problem has been unsuccessful. Can 
> anyone offer insight or a link as to potential causes and fixes?
> 
> Thanks,
> --Maynard
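As an added example (not code from the original post, from OpenAFS, or from the grand.central.org error tables), the following Python decodes an rxkad error number such as the 19270405 in the quoted kernel message without looking it up on the web. It reproduces the com_err packing that compile_et uses for table codes (six bits per character of the table name, shifted left eight bits), so the number splits into the table name "RXK" and the index 5. The RXK entries are reproduced from rxkad.et as I recall them; the page itself confirms only entry 5, RXKADNOAUTH "caller not authorized". The sample log line is the one quoted above, with the line-wrapped "cell lns.mit.edu" rejoined, and is the only input the script is known to match.

```python
"""Decode com_err-style rxkad error numbers from AFS client syslog lines.

Added example; not code from the mailing-list post or from OpenAFS.
"""
import re
from typing import Dict, List, Optional, Tuple

# com_err packs each character of a table name into 6 bits using this
# alphabet (1-based), then shifts the packed value left by ERRCODE_RANGE
# bits to leave room for 256 codes per table.
_CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
_BITS_PER_CHAR = 6
_ERRCODE_RANGE = 8


def table_base(name: str) -> int:
    """Return the com_err base code for a table name, e.g. "RXK" -> 19270400."""
    if not 1 <= len(name) <= 4:
        raise ValueError("com_err table names are 1 to 4 characters long")
    value = 0
    for ch in name:
        value = (value << _BITS_PER_CHAR) | (_CHARSET.index(ch) + 1)
    return value << _ERRCODE_RANGE


def split_code(code: int) -> Tuple[str, int]:
    """Split a packed error number into (table name, index within the table)."""
    index = code & ((1 << _ERRCODE_RANGE) - 1)
    packed = code >> _ERRCODE_RANGE
    chars: List[str] = []
    while packed:
        # The last character of the name sits in the lowest 6 bits.
        chars.append(_CHARSET[(packed & ((1 << _BITS_PER_CHAR) - 1)) - 1])
        packed >>= _BITS_PER_CHAR
    return "".join(reversed(chars)), index


# Entries of the RXK (rxkad) table in .et order; only index 5 is confirmed
# by the thread above, the rest are reproduced from rxkad.et from memory.
RXK_TABLE: List[Tuple[str, str]] = [
    ("RXKADINCONSISTENCY", "security module structure inconsistent"),
    ("RXKADPACKETSHORT", "packet too short for security challenge"),
    ("RXKADLEVELFAIL", "security level negotiation failed"),
    ("RXKADTICKETLEN", "ticket length too long or too short"),
    ("RXKADOUTOFSEQUENCE", "packet had bad sequence number"),
    ("RXKADNOAUTH", "caller not authorized"),
    ("RXKADBADKEY", "illegal key: bad parity or weak"),
    ("RXKADBADTICKET", "security object was passed a bad ticket"),
    ("RXKADUNKNOWNKEY", "ticket contained unknown key version number"),
    ("RXKADEXPIRED", "authentication expired"),
    ("RXKADSEALEDINCON", "sealed data inconsistent"),
    ("RXKADDATALEN", "user data too long"),
    ("RXKADILLEGALLEVEL", "caller not authorized to use encrypted connections"),
]
TABLES: Dict[str, List[Tuple[str, str]]] = {"RXK": RXK_TABLE}


def describe(code: int) -> Tuple[str, int, Optional[str], Optional[str]]:
    """Return (table, index, symbol, message); symbol/message are None if unknown."""
    name, idx = split_code(code)
    entries = TABLES.get(name)
    if entries is None or idx >= len(entries):
        return name, idx, None, None
    symbol, message = entries[idx]
    return name, idx, symbol, message


# Matches the "Tokens ... are discarded" message the AFS client logs.
_DISCARD_RE = re.compile(
    r"Tokens for user of AFS id (?P<uid>\d+) for cell (?P<cell>\S+) "
    r"are discarded \(rxkad error=(?P<code>\d+)\)"
)

# Constructed sample: the kernel line quoted in the thread, unwrapped.
SAMPLE_LINE = (
    "Apr 22 10:43:56 ctppaganini kernel: afs: Tokens for user of AFS id 0 "
    "for cell lns.mit.edu are discarded (rxkad error=19270405)"
)


def parse_discard_line(line: str) -> Optional[dict]:
    """Extract AFS id, cell and numeric error code from a discard message."""
    m = _DISCARD_RE.search(line)
    if m is None:
        return None
    return {"afs_id": int(m["uid"]), "cell": m["cell"], "code": int(m["code"])}


if __name__ == "__main__":
    parsed = parse_discard_line(SAMPLE_LINE)
    if parsed is not None:
        table, idx, sym, msg = describe(parsed["code"])
        print(f"cell={parsed['cell']} afs_id={parsed['afs_id']} "
              f"code={parsed['code']} -> {table}+{idx} {sym}: {msg}")
```

Besides the numeric code, the message carries the AFS id the discarded tokens were installed for (0 in the quoted line), which is worth comparing against the id `aklog -d` reports for the same user (1126 above) when chasing an intermittent token problem.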