[OpenAFS] Odd syncing behaviour AFTER upgrade

[Derrick J Brashear]

On Thu, 15 Jan 2004, Norman P. B. Joseph wrote:

> > Make your users get their passwords right, or just disable the account
> > locking.
>
> The account locking is a policy issue here that's not going away any
> time soon.  But thanks for the suggestion.

Then (assuming no other issues) you get to suck it up.

> In poking around there seems to be another issue at play.  The account
> was getting locked because the user's password was no longer being
> recognized (and in fewer than the 5 attempts we have configured on the
> account).  On a hunch I asked how long his password was.  It was 11
> characters.  I asked him to reset it to the 1st 8 characters, and after
> he did he was able to get tokens again through the Windows client.
>
> I vaguely recall an issue years ago with passwords greater than 8
> characters, but thought that was no longer the case.  Are AFS passwords
> restricted to 8 characters?

They are not. The algorithm for >8 characters is different, and before
that it used to be truncated by the software to 8 characters.

> What's confusing about all this is that we've been humming along for
> better than two years without these things (unsynced account locking
> information and > 8 character passwords) being an issue until Tuesday.
> The only thing that's changed in my environment have been the new
> database servers that were installed on Monday.  I'm just looking for
> some insight from people with more experience than I have.

Including, I assume, the kaserver. I'm unsure why the truncation behavior
would have changed due to a db server change. However, did you notice how
old the user's password was before fixing it?