[OpenAFS] KerberosV + AFS

Dan Pritts danno@internet2.edu
Mon, 29 Nov 2004 11:58:12 -0500


I don't know the solution to your problem, but I can tell you that
"klist" does not list your AFS tokens.  "tokens" does that.

Your PAM module should be doing this for you, but try manually converting
your Kerberos ticket into a token with the "aklog" command.  I expect
that will probably fail with the same kernel error message, but it's worth
a shot.

A Google search on the "rxkad error=19270408" error message shows that
this issue has come up before and was in fact a matter of errors in key
version numbers, and it gives suggestions on solutions.

https://lists.openafs.org/pipermail/openafs-info/2004-June/013866.html


On Thu, Nov 25, 2004 at 04:14:34PM -0300, Maurizio Santini wrote:
> I've the following problem with MIT Kerberos V 1.3.5 and OpenAFS 1.2.11
> on Red Hat 7.3.
> 
> ------------------LOG MESSAGE----------------
> login[6311]: pam_krb5afs: authentication succeeds for `testuser'
> login[6311]: pam_krb5afs: v4 ticket conversion succeeded for `testuser'
> login(pam_unix)[6311]: session opened for user testuser by (uid=0)
> testuser[6311]: LOGIN ON tty1 BY testuser
> kernel: afs: Tokens for user of AFS id 0 for cell test.pictage.com.ar
> are discarded (rxkad error=19270408)
> -------------------------------------
> 
> klist shows like I have a token but if I try to "touch" a file it gives
> permission denied.
> 
> ---------------------------------------------
> Ticket cache: FILE:/tmp/krb5cc_828_RpEUWZ
> Default principal: testuser@TEST.PICTAGE.COM.AR
> 
> Valid starting     Expires            Service principal
> 11/11/04 15:42:44  11/12/04 01:42:44 
> krbtgt/TEST.PICTAGE.COM.AR@TEST.PICTAGE.COM.AR
> renew until 11/12/04 01:42:44
> 
> Kerberos 4 ticket cache: /tmp/tkt828_WncZXj
> Principal: testuser@TEST.PICTAGE.COM.AR
> 
>   Issued              Expires             Principal
> 11/11/04 15:42:44  11/12/04 01:42:44
> krbtgt.TEST.PICTAGE.COM.AR@TEST.PICTAGE.COM.AR
> 11/11/04 15:42:44  11/12/04 01:42:44 
> afs.test.pictage.com.ar@TEST.PICTAGE.COM.AR
> ---------------------------------------------
> 
> The problem seems to be a difference in the key version number for the
> afs-service in AFS-Server-Key and Kerberos key or the encryption types.
> 
> How could I check that and make sure that things match?
> 
> Thank you for your help.
> 
> Maurizio Santini
> System administrator
> Ten Roses SRL


danno
--
dan pritts - systems administrator - internet2
734/352-4953 office        734/834-7224 mobile
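
One way to approach the quoted question about checking that the key version numbers match, as an added example that is not part of the original thread: it parses the output of MIT Kerberos `kvno` and OpenAFS `bos listkeys` and reports whether the KDC's key version for the AFS service principal is present in the server KeyFile. The function names, the sample outputs (kvno values, checksums, dates) and the krb5 spelling of the principal are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: does the KDC's key version (kvno) for the AFS service
# principal exist in the file server's KeyFile? All sample output is constructed.

# Read `kvno <principal>` output ("<principal>: kvno = N") and print N.
kdc_kvno() {
    sed -n 's/^.*: kvno = \([0-9][0-9]*\)$/\1/p' | head -n 1
}

# Read `bos listkeys` output ("key N has cksum C") and print each N.
keyfile_kvnos() {
    sed -n 's/^key \([0-9][0-9]*\) has cksum .*$/\1/p'
}

# $1 = kvno output, $2 = bos listkeys output.
# Returns 0 on match, 1 on mismatch, 2 if no kvno could be parsed.
kvno_matches() {
    want=$(printf '%s\n' "$1" | kdc_kvno)
    [ -n "$want" ] || return 2
    printf '%s\n' "$2" | keyfile_kvnos | grep -qxF "$want"
}

# Constructed samples; the principal is the assumed krb5 form of the
# afs.test.pictage.com.ar principal shown in the quoted klist output.
SAMPLE_KVNO='afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR: kvno = 4'
SAMPLE_KEYFILE_BAD='key 2 has cksum 1092358741
key 3 has cksum 3847201155
Keys last changed on Thu Nov 11 15:30:02 2004.
All done.'
SAMPLE_KEYFILE_OK="key 4 has cksum 2210946630
All done."

report() {  # $1 = label, $2 = kvno output, $3 = bos listkeys output
    if kvno_matches "$2" "$3"; then
        echo "$1: KDC kvno is in the KeyFile"
    else
        echo "$1: KDC kvno $(printf '%s\n' "$2" | kdc_kvno) missing;" \
             "KeyFile has: $(printf '%s\n' "$3" | keyfile_kvnos | tr '\n' ' ')"
    fi
}

report "stale KeyFile" "$SAMPLE_KVNO" "$SAMPLE_KEYFILE_BAD"
report "updated KeyFile" "$SAMPLE_KVNO" "$SAMPLE_KEYFILE_OK"

# Live use (assumed invocation): kvno needs a valid TGT, and bos -localauth
# must be run as root on the file server itself:
# report live "$(kvno afs/test.pictage.com.ar@TEST.PICTAGE.COM.AR)" \
#             "$(bos listkeys <fileserver> -localauth)"
```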