[OpenAFS] AFS server key change and windows clients unable to authenticate

Renata Maria Dart renata@slac.stanford.edu
Tue, 20 Dec 2005 11:31:40 -0800 (PST)


Thanks for your response, Jeff.  Our Windows clients do not run
Kerberos.  And the problem exists not only for users who were already
logged in, but on Windows boxes that have just been rebooted, and on a
Windows box that got a brand new install of OpenAFS this morning, so
existing tokens weren't even part of the picture.  Alf has confirmed
that he believes the enctypes are not the problem.  He checked what
kind of ticket he was getting on Unix and it reported des-cbc-crc.
Is kvno part of Kerberos for Windows?  We looked for it and couldn't
find it.

-Renata


On Tue, 20 Dec 2005, Jeffrey Altman wrote:

>Are you sure the clients are getting new Kerberos 5 service tickets?
>If they are still using the service tickets they obtained prior to
>the upgrade, executing 'aklog' a second or third time will use the
>same key.
>
>Make sure the users are actually obtaining a new TGT before they
>attempt to obtain the AFS tokens.
>
>You can use the "kvno" utility on the clients to find out what the
>key version number is of the afs service ticket.   Make sure that
>the key version number matches the one the servers are expecting.
>Also make sure that the KDCs are not issuing service tickets with
>enctypes that are not supported by your AFS servers.
>
>OpenAFS servers prior to 1.4.0 only support DES-CBC-CRC.
>
>Jeffrey Altman
>
>
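
The two checks suggested in the quoted reply (key version number and enctype of the afs service ticket), as an added example that is not part of either message: it parses the text printed by `kvno` and `klist -e` on a client where MIT Kerberos tools are available and compares it with the key version the servers hold. The realm, the kvno value, the sample output and the function names are constructed for illustration, and checking the session key enctype as well as the ticket enctype is this example's assumption.

```python
import re

# Per the thread: OpenAFS servers prior to 1.4.0 only support DES-CBC-CRC.
PRE_1_4_ENCTYPES = frozenset({"des-cbc-crc"})

# Constructed sample output (EXAMPLE.ORG realm and kvno 3 are made up).
SAMPLE_KVNO = "afs@EXAMPLE.ORG: kvno = 3\n"
SAMPLE_KLIST = (
    "Default principal: user@EXAMPLE.ORG\n\n"
    "Valid starting     Expires            Service principal\n"
    "12/20/05 11:00:00  12/20/05 21:00:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG\n"
    "\tEtype (skey, tkt): des3-cbc-sha1, des3-cbc-sha1\n"
    "12/20/05 11:01:00  12/20/05 21:00:00  afs@EXAMPLE.ORG\n"
    "\tEtype (skey, tkt): des-cbc-crc, des-cbc-crc\n"
)

KVNO_RE = re.compile(r"^\S+: kvno = (\d+)\s*$", re.M)
ETYPE_RE = re.compile(r"Etype \(skey, tkt\):\s*(\S+?),\s*(\S+)")
AFS_PRINC_RE = re.compile(r"afs(/[^@]+)?@")


def afs_ticket_etypes(klist_text):
    """Return (skey, tkt) enctypes of the afs ticket in `klist -e` output, or None."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        fields = line.split()
        if not fields or not AFS_PRINC_RE.match(fields[-1]):
            continue
        for detail in lines[i + 1:]:      # indented lines belong to this ticket
            if not detail[:1].isspace():
                break
            m = ETYPE_RE.search(detail)
            if m:
                return m.group(1).lower(), m.group(2).lower()
    return None


def check_afs_ticket(kvno_text, klist_text, server_kvno, supported=PRE_1_4_ENCTYPES):
    """Return the mismatches between the client's afs ticket and the servers."""
    problems = []
    m = KVNO_RE.search(kvno_text)
    if m is None:
        problems.append("no kvno line: was an afs service ticket obtained?")
    elif int(m.group(1)) != server_kvno:
        problems.append(f"ticket kvno {m.group(1)} != server kvno {server_kvno}")
    etypes = afs_ticket_etypes(klist_text)
    if etypes is None:
        problems.append("no afs service ticket in the credential cache")
    else:
        for label, etype in zip(("session key", "ticket"), etypes):
            if etype not in supported:
                problems.append(f"{label} enctype {etype} not supported by the servers")
    return problems
```

An empty list from `check_afs_ticket` means the ticket's kvno and enctypes agree with what the servers were said to expect; a stale kvno after a key change shows up as the first entry.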