[OpenAFS] Problems with discarded tickets rxkad error=19270408 (OpenAFS 1.2.8/Krb5 1.3.3/gssklog 0.10)
Mark Dalton
mwd@cray.com
Fri, 11 Jun 2004 16:10:24 -0500
We are using (OpenAFS 1.2.8/Krb5 1.3.3/gssklog 0.10), and we get a rash of discarded tickets from time to time. Below is all the relevant information I can think of.
I did not set up the servers; I am just trying to resolve the problems of the tokens getting discarded.
Any help or hints of where to look would be greatly appreciated. It bothered me there were two keys, but I am thinking those are for two different realms.
We are losing tickets on the 'cray.com' realm, from Linux clients (32bit and 64bit machines).
Mark
kernel: afs: Tokens for user of AFS id #### for cell XXX.com are discarded (rxkad error=19270408)
The Kerberos server has:
There are two cells:
afs/cray.com
afs/rs.cray.com
kadmin.local: getprinc afs/cray.com
Principal: afs/cray.com@CRAY.COM
Expiration date: [never]
Last password change: Thu Jun 03 21:16:48 CDT 2004
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Jun 03 21:16:48 CDT 2004 (####/####@CRAY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
and
kadmin.local: getprinc afs/rs.cray.com
Principal: afs/rs.cray.com@CRAY.COM
Expiration date: [never]
Last password change: Thu May 20 00:13:51 CDT 2004
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu May 20 00:13:51 CDT 2004 (####/####@CRAY.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
sunbeam.wc.cray.com% bos listkeys sunbeam
key 3 has cksum ############ --- These have different checksums
key 2 has cksum ############ --- These have different checksums
Keys last changed on Thu Jun 10 03:06:05 2004.
All done.
kdc.conf has:
[kdcdefaults]
kdc_ports = ##,###
[realms]
CRAY.COM = {
database_name = /var/krb5kdc/principal
admin_keytab = /var/krb5kdc/kadm5.keytab
acl_file = /var/krb5kdc/kadm5.acl
key_stash_file = /var/krb5kdc/.k5.CRAY.COM
kadmind_port = ###
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
master_key_type = des3-hmac-sha1
supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des:normal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:afs3
}
krb5.conf has:
[libdefaults]
default_realm = CRAY.COM
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
krb4_config = /etc/krb.conf -- does not exist
krb4_realms = /etc/krb.realms -- does not exist
forwardable = true
[realms]
CRAY.COM = {
kdc=mac1.cray.com
kdc=mac2.cray.com
kdc=mac3.cray.com
kdc=mac4.cray.com
admin_server=mac4.cray.com
default_domain=CRAY.COM
v4_instance_convert = {
cray = cray.com
}
}
[domain_realm]
.cray.com = CRAY.COM
cray.com = CRAY.COM
[logging]
kdc = SYSLOG:DEBUG:LOCAL3
admin_server = SYSLOG:DEBUG:LOCAL3
default = SYSLOG:DEBUG:LOCAL3
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
rlogin = {
forwardable= true
}
rsh = {
forwardable= true
}
telnet = {
autologin = true
forwardable= true
}
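The outputs quoted in this message can be cross-checked mechanically. The following is an added example, not part of the original post: it names the rxkad code from the kernel log and compares the key version numbers that `kadmin.local getprinc` reports for each afs/ principal with those `bos listkeys` shows in the server's KeyFile. The sample text is copied from the post (checksums are masked there as well), the function names are illustrative, and it assumes the server queried with `bos listkeys` serves the cell of the principal being compared.

```python
import re

# rxkad error codes are offsets from this base (rxkad error table).
RXKAD_BASE = 19270400
RXKAD_NAMES = {6: "RXKADBADKEY", 7: "RXKADBADTICKET",
               8: "RXKADUNKNOWNKEY",  # ticket contained unknown key version number
               9: "RXKADEXPIRED"}

# Sample text copied from the post; checksums are masked in the post too.
GETPRINC = """\
Principal: afs/cray.com@CRAY.COM
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Principal: afs/rs.cray.com@CRAY.COM
Number of keys: 1
Key: vno 3, DES cbc mode with CRC-32, no salt
"""
LISTKEYS = """\
key 3 has cksum ############
key 2 has cksum ############
Keys last changed on Thu Jun 10 03:06:05 2004.
"""

def rxkad_name(code):
    """Symbolic name for an rxkad error number from the kernel log."""
    return RXKAD_NAMES.get(code - RXKAD_BASE, "unknown")

def kdc_kvnos(getprinc_text):
    """Map each principal to the set of kvnos kadmin getprinc lists for it."""
    result, current = {}, None
    for line in getprinc_text.splitlines():
        if m := re.match(r"\s*Principal:\s*(\S+)", line):
            current = m.group(1)
            result[current] = set()
        elif (m := re.match(r"\s*Key:\s*vno\s+(\d+)", line)) and current:
            result[current].add(int(m.group(1)))
    return result

def keyfile_kvnos(listkeys_text):
    """Set of kvnos present in the server KeyFile per bos listkeys."""
    return {int(n) for n in re.findall(r"^\s*key\s+(\d+)\s+has cksum", listkeys_text, re.M)}

def missing_from_keyfile(getprinc_text, listkeys_text):
    """Principals whose KDC kvno(s) the KeyFile does not hold."""
    have = keyfile_kvnos(listkeys_text)
    return {p: sorted(v - have) for p, v in kdc_kvnos(getprinc_text).items() if v - have}

if __name__ == "__main__":
    print(rxkad_name(19270408))
    for princ, kvnos in missing_from_keyfile(GETPRINC, LISTKEYS).items():
        print(f"{princ}: kvno {kvnos} not in KeyFile")
```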