[OpenAFS] rxkad error 19270405: caller not authorized
Jeffrey Hutzelman
jhutz@cmu.edu
Sat, 21 May 2005 16:01:55 -0400
On Saturday, May 21, 2005 05:08:42 PM +0200 Albrecht Gebhardt
<albrecht.gebhardt@uni-klu.ac.at> wrote:
> fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded
> (rxkad error=19270405)
As you determined, 19270405 is RXKADNOAUTH, "caller not authorized".
There are several cases where this can occur. One is the case you found,
where the caller presents a Kerberos V5 ticket with the 'invalid' flag set.
This bit is normally set only on post-dated tickets, which are timed to be
valid at some point in the future but must be validated by the KDC before
they can be used. This case does not occur often in practice.
A second case which can result in RXKADNOAUTH is when the caller presents a
ticket whose start and end times do not appear valid. This can occur when
the start time is later than the end time, or if the ticket expired more
than 30 days in the past, is not valid until more than 30 days in the
future, or has a lifetime longer than 30 days. Unless you have made a
recent configuration change on your KDC, this case would indicate that
either the KDC's or the server's clock is off by more than 30 days.
I'd suggest checking the clocks on all your servers.
-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
Sr. Research Systems Programmer
School of Computer Science - Research Computing Facility
Carnegie Mellon University - Pittsburgh, PA