[OpenAFS] Re: rxk error: caller not authorized (ALMOST SOLVED)
J Maynard Gelinas
gelinas@lns.mit.edu
Sun, 25 Apr 2004 19:08:36 -0400 (EDT)
I will answer my own question:
On Sun, 25 Apr 2004, J Maynard Gelinas wrote:
>
> And upon reverting back to woody3 packages my problem on the slave goes
> away! Sooooooo.... I think using 3DES key for K/M is the cause. Now, can I
> fix this without doing something drastic to my kerberos database (like
> hand editing a dump file wasn't drastic enough)? If not, should I dump V4
> TGT conversion on the clients? Any suggestions? And again, thanks for all
> the help!
>
http://groups.google.com/groups?q=kerberos+3DES+krb524&hl=en&lr=&ie=UTF-8&oe=UTF
-8&selm=ldv65qi2yl2.fsf%40cathode-dark-space.mit.edu&rnum=1
This is the original 3DES security announcement. It contains such useful
information as the nature of the problem, the fix, and includes a some
information on how to properly migrate an AFS cell/Kerberos realm that was
originally configured using 3DES encryption for the service keys. The
upshot is:
a) upgrade all kdc's to the new code concurently (we hadn't done that),
saving the master kdc for last.
b) "An alternate and more annoying upgrade strategy exists. At least
one max TGT life time before the upgrade, the TGT key can be changed to be
a single-des key. Since we support adding a new TGT key while preserving
the old one, this does not create an interruption in service."
It looks like a) is the best option. OK, at least now I know what
happened and why. Also, I know of a supported migration path recommended
by the kerberos team. Hopefully these posts will do someone else in a
similar situation some good. Our problem is nearly solved, all that
remains is to implement arrange the downtime to implement the real fix.
Again, thanks to all who responded!
Cheers,
--Maynard