[OpenAFS] Problems with discarded tickets rxkad error=19270408 (OpenAFS 1.2.8/Krb51.3.3/gssklog 0.10)

Douglas E. Engert deengert@anl.gov
Mon, 14 Jun 2004 12:58:04 -0500 


Mark Dalton wrote:

> We are using (OpenAFS 1.2.8/Krb5 1.3.3/gssklog 0.10), and we get a rash of
> discarded tickets from time to time.   Below is all the relevant
> information I can think of..
> I did not setup the servers, I am just trying to resolve the problems of
> the tokens getting
> discarded.
>
> Any help or hints of where to look would be greatly appreciated.   It
> bothered me there
> were two keys, but I am thinking those are for two different realms.
>
> We are loosing tickets on the 'cray.com' realm, from Linux clients
> (32bit and 64bit machines).
>
> Mark
>
> kernel: afs: Tokens for user of AFS id #### for cell XXX.com are
> discarded (rxkad error=19270408)
>

translate_et 19270408 says:
 19270408 (rxk).8 = ticket contained unknown key version number

Are all the /usr/afs/etc/KeyFile on the AFS servers in the cell
identical, and do  they match the copy of the KeyFile used by the gssklogd?

You say you have two cells. Do you see the message for only one cell,
or for both?

The KDC and gssklogd share a K5 key and kvno, by normal Kerberos
means using a keytab, and used by GSSAPI.

The gssklogd creates a token and used the copy of the /usr/afs/etc/KeyFile to get
a key. This key and kvno must be in the /usr/afs/etc/KeyFile of the servers.

The key and kvno in the AFS KeyFile are independent of the key and kvno in the KDC.

>
> The Kerberos server has:
>
> There are two cells:
>     afs/cray.com
>     afs/rs.cray.com
>
> kadmin.local:  getprinc afs/cray.com
> Principal: afs/cray.com@CRAY.COM
> Expiration date: [never]
> Last password change: Thu Jun 03 21:16:48 CDT 2004
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu Jun 03 21:16:48 CDT 2004 (####/####@CRAY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 1, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> and
> kadmin.local:  getprinc afs/rs.cray.com
> Principal: afs/rs.cray.com@CRAY.COM
> Expiration date: [never]
> Last password change: Thu May 20 00:13:51 CDT 2004
> Password expiration date: [none]
> Maximum ticket life: 0 days 10:00:00
> Maximum renewable life: 7 days 00:00:00
> Last modified: Thu May 20 00:13:51 CDT 2004 (####/####@CRAY.COM)
> Last successful authentication: [never]
> Last failed authentication: [never]
> Failed password attempts: 0
> Number of keys: 1
> Key: vno 3, DES cbc mode with CRC-32, no salt
> Attributes:
> Policy: [none]
>
> sunbeam.wc.cray.com% bos listkeys sunbeam
> key 3 has cksum ############    --- These have different checksums
> key 2 has cksum ############    --- These have different checksums
> Keys last changed on Thu Jun 10 03:06:05 2004.
> All done.
>
> kdc.conf has:
> [kdcdefaults]
>         kdc_ports = ##,###
>
> [realms]
>         CRAY.COM = {
>                 database_name = /var/krb5kdc/principal
>                 admin_keytab = /var/krb5kdc/kadm5.keytab
>                 acl_file = /var/krb5kdc/kadm5.acl
>                 key_stash_file = /var/krb5kdc/.k5.CRAY.COM
>                 kadmind_port = ###
>                 max_life = 10h 0m 0s
>                 max_renewable_life = 7d 0h 0m 0s
>                 master_key_type = des3-hmac-sha1
>                 supported_enctypes = des3-hmac-sha1:normal
> des-cbc-crc:normal des:nor
> mal des:v4 des:norealm des:onlyrealm des:afs3 des-cbc-crc:afs3
>         }
>
> krb5.conf has:
> [libdefaults]
>         default_realm = CRAY.COM
>         default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>         default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc des-cbc-md5
>         krb4_config = /etc/krb.conf  -- does not exist
>         krb4_realms = /etc/krb.realms  -- does not exist
>         forwardable = true
>
> [realms]
>         CRAY.COM = {
>                 kdc=mac1.cray.com
>                 kdc=mac2.cray.com
>                 kdc=mac3.cray.com
>                 kdc=mac4.cray.com
>                 admin_server=mac4.cray.com
>                 default_domain=CRAY.COM
>                 v4_instance_convert = {
>                         cray = cray.com
>                 }
>         }
> [domain_realm]
>         .cray.com = CRAY.COM
>         cray.com = CRAY.COM
> [logging]
>         kdc = SYSLOG:DEBUG:LOCAL3
>         admin_server = SYSLOG:DEBUG:LOCAL3
>         default = SYSLOG:DEBUG:LOCAL3
>
> [appdefaults]
>         kinit = {
>                 renewable = true
>                 forwardable= true
>         }
>         rlogin = {
>                 forwardable= true
>         }
>         rsh = {
>                 forwardable= true
>         }
>         telnet = {
>                 autologin = true
>                 forwardable= true
>         }
>
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444