[OpenAFS] Re: rxk error: caller not authorized

J Maynard Gelinas gelinas@lns.mit.edu
Sat, 24 Apr 2004 20:32:53 -0400 (EDT)


  I see two possible solutions to this given that I can't seem to tell 
krb524d to output the principal name in the form afs@REALM instead of 
AFS/principal@REALM:

  1)  create a new principal of the form: afs/lns.mit.edu@LNS.MIT.EDU. 
Extract it to a file using the correct encryption form for AFS. Use 
asetkey to insert the new key on all of my AFS servers. 

  2) Yank pam_krb5afs.so from my pam stack on the clients and execute the
openafs distribution aklog from within the pam stack.

   Option 1) seems the best bet long term, but I'll have to shut the whole
cell down to do this. Also, I'm not sure if I should use asetkey add KVNO 
FILE afs/lns.mit.edu (or afs) as the principal. If no one answers, I'll 
post whatever solution I find. --M

On Sat, 24 Apr 2004, J Maynard Gelinas wrote:

> 
>    This appears to be a krb524d issue which came up due to a kerberos
> upgrade. Basically, the Redhat 7.3 pam_krb5afs.so doesn't fall back to
> afs@REALM after trying afs/principal/REALM, while the aklog provided by 
> openafs does. 
> 
> After initial login where pam_krb5afs.so should generate a usable token:
> 
> bash-2.05a$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1126_hxky1T
> Default principal: gelinas@LNS.MIT.EDU
> 
> Valid starting     Expires            Service principal
> 04/24/04 18:38:01  04/25/04 18:38:01  krbtgt/LNS.MIT.EDU@LNS.MIT.EDU
>         renew until 04/25/04 19:38:01, Etype (skey, tkt): DES cbc mode 
> with CRC-32, Triple DES cbc mode with HMAC/sha1 
> 
> 
> Kerberos 4 ticket cache: /tmp/tkt1126_c3pXGm
> Principal: gelinas@LNS.MIT.EDU
> 
>   Issued              Expires             Principal
> 04/24/04 18:38:01  04/25/04 15:53:01  krbtgt.LNS.MIT.EDU@LNS.MIT.EDU
> bash-2.05a$ ls ~
> ls: /afs/lns.mit.edu/user/gelinas: Permission denied
> bash-2.05a$ aklog -d
> Authenticating to cell lns.mit.edu (server afs1.lns.mit.edu.).
> We've deduced that we need to authenticate to realm LNS.MIT.EDU.
> Getting tickets: afs/lns.mit.edu@LNS.MIT.EDU
> Principal not found, trying alternate service name: afs/@LNS.MIT.EDU
> About to resolve name gelinas to id in cell lns.mit.edu.
> Id 1126
> Set username to AFS ID 1126
> Setting tokens. AFS ID 1126 /  @ LNS.MIT.EDU 
> bash-2.05a$ ls ~
> 
> [homedir contents spewed forth]
> 
>    I've tried updating the appdefaults in krb5.conf on the server to 
> include 
> 
> [appdefaults]
> 
>    afs_krb5 = {
> 
>      LNS.MIT.EDU = {
>          afs/lns.mit.edu = false
>          afs = true
>      }
>    }
> 
>    Per suggestions I've read regarding the update to krb524d, with no
> luck.
> 
> Any suggestions as to what I'm doing wrong?
> 
> Thanks for any help...
> 
> --Maynard
> 
> On Thu, 22 Apr 2004, J Maynard Gelinas wrote:
> 
> > 
> >    I'm seeing a strange intermittent problem with clients trying to login 
> > via gdm at the console. They successfully login, yet are unable to access 
> > their files stored in AFS. The error message at the client machine reads:
> > 
> > Apr 22 10:43:56 ctppaganini kernel: afs: Tokens for user of AFS id 0 for 
> > celllns.mit.edu are discarded (rxkad error=19270405)
> > 
> > Which means, according to:
> > 
> > http://grand.central.org/numbers/et/RXK.html
> > 
> > "19270405 RXKADNOAUTH caller not authorized"
> > 
> >    Manual attempts at obtaining a ticket via kinit and aklog
> > intermittently seem to return a successful result yet lead to "permission
> > denied" failure when attempting to access files stored in AFS space. 
> > Re-authenticating then solves the problem. 
> > 
> >    Googling for solutions to this problem has been unsuccessful. Can 
> > anyone offer insight or a link as to potential causes and fixes?
> > 
> > Thanks,
> > --Maynard
> > 
> > 
> 
>
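An added example (not code from the thread or from OpenAFS) that decodes the opaque rxkad number in the kernel line quoted above. It assumes the com_err convention of packing the error-table name at 6 bits per character and shifting left by 8, under which the "RXK" table starts at 19270400, and it names only the index the thread cites (5, RXKADNOAUTH); the sample log lines are constructed.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Kernel line quoted in the thread; the quoted copy runs "cell" into the
# cell name, so the pattern tolerates optional whitespace there.
_DISCARD_RE = re.compile(
    r"afs: Tokens for user of AFS id (?P<afs_id>\d+) for\s*cell\s*(?P<cell>\S+)"
    r" are discarded \(rxkad error=(?P<code>\d+)\)"
)
# Only the index the thread cites (19270405 -> RXK index 5) is named here;
# any other index is reported as unknown rather than guessed.
_RXK_MESSAGES = {5: "RXKADNOAUTH caller not authorized"}
# com_err character values: A-Z -> 1..26, a-z -> 27..52, 0-9 -> 53..62, _ -> 63
_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"

def error_table_base(name: str) -> int:
    """com_err table base: 6 bits per character of the table name, then << 8."""
    packed = 0
    for ch in name:
        packed = (packed << 6) | (_ALPHABET.index(ch) + 1)
    return packed << 8

def decode_com_err(code: int) -> Tuple[str, int]:
    """Split a com_err code into (table name, index within that table)."""
    table_num, index = code >> 8, code & 0xFF
    chars = []
    while table_num:
        chars.append(_ALPHABET[(table_num & 63) - 1])
        table_num >>= 6
    return "".join(reversed(chars)), index

class TokenDiscard(NamedTuple):
    afs_id: int
    cell: str
    code: int
    message: str

def parse_discard_line(line: str) -> Optional[TokenDiscard]:
    """Parse one 'Tokens ... are discarded' kernel line; None if it is not one."""
    m = _DISCARD_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    table, index = decode_com_err(code)
    if table == "RXK":
        message = _RXK_MESSAGES.get(index, "unknown rxkad error index %d" % index)
    else:
        message = "error from com_err table %s index %d" % (table, index)
    return TokenDiscard(int(m.group("afs_id")), m.group("cell"), code, message)

def scan_log(lines: List[str]) -> List[TokenDiscard]:
    """Return every token-discard event found in the given log lines."""
    return [ev for ev in map(parse_discard_line, lines) if ev is not None]

# Constructed sample: the thread's kernel line plus an unrelated line.
SAMPLE_LOG = [
    "Apr 22 10:43:56 ctppaganini kernel: afs: Tokens for user of AFS id 0 for "
    "celllns.mit.edu are discarded (rxkad error=19270405)",
    "Apr 22 10:43:57 ctppaganini gdm(pam_unix)[1234]: session opened for user gelinas",
]
```

AFS id 0 in such a line means the token was discarded before any user id was attached, which is why the login shell lands in an unauthenticated PAG even though kinit succeeded.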