[OpenAFS] rxkad error 19270405: caller not authorized

Albrecht Gebhardt albrecht.gebhardt@uni-klu.ac.at
Sat, 21 May 2005 17:08:42 +0200 

Hi all,

we are using openafs now for 1 year at uni-klu.ac.at with debian sarge
servers and clients (version 1.2.13) and linux kernel 2.4.30. We have
our homedirectories as well as a netbootable AFSroot (similar to
nfsroot) installation on AFS now.

last week we had a bad power outage, our large sized UPS failed, all
servers and routers crashed. We could revive our AFS cell, salvaging
went well, our kerberos KDC (heimdal-kdc, with its database stored in
LDAP (openldap)) works again.

But now we get frequently the error:

fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded (rxkad error=19270405)

when logging in with pam_krb5 + pam_openafs_session or simply after
issuing a kinit / aklog command. It shows a complete random behaviour,
no matter what type of hardware, which subnet ... sometimes you can
login (ssh, kdm) several times successfully - then it starts again.

I grepped a little bit through the openafs kernel sources, and found
only one place which spits out the above error message:
./afs/afs_analyze.c:515

Now I'm searching for places where the RXKADNOAUTH=19260405 error code
gets set. one place ist rxkad/ticket5.c where an "invalid" flag in the
afs/cell@REALM causes this code to be set. 

Before I go further, I want to ask if there is any general advice how
to solve this "caller not authorized" issue?

Does it mean that our KDC does not work reliably?

Or can it be that some router hardware (possibly broken after power
outage) causes RPC errors or damages packets? I captured a login trial
with rxkad error and I can see the TGT ticket, the AFS ticket and the
RX AFS PROT name-to-id call pass over the wire without any sign of
trouble.

Can it be that our AFSDB servers have been hit? (we compared their db
files with md5sum and they are identically, pts listentries ..., vos
listvldb etc. works, ...)

any advice?

Thanks in advance

Albrecht Gebhardt



-- 
// Albrecht Gebhardt          Tel.: (++43 463) 2700/3118
// Institut fuer Mathematik   Fax : (++43 463) 2700/3198
// Universitaet Klagenfurt    mailto:albrecht.gebhardt@uni-klu.ac.at
// Universitaetsstr. 65       http://www.math.uni-klu.ac.at/~agebhard
// A-9020 Klagenfurt, Austria
// GPG PK: http://www.math.uni-klu.ac.at/~agebhard/agebhard.asc
// GPG FP: F46F 656E E83C 9323 CE30  FF8F 9DBA D1A3 B55A 78A6