[OpenAFS] rxkad error 19270405: caller not authorized

Jeffrey Hutzelman jhutz@cmu.edu
Sat, 21 May 2005 16:01:55 -0400


On Saturday, May 21, 2005 05:08:42 PM +0200 Albrecht Gebhardt 
<albrecht.gebhardt@uni-klu.ac.at> wrote:


> fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded
> (rxkad error=19270405)

As you determined, 19270405 is RXKADNOAUTH, "caller not authorized".
There are several cases where this can occur.  One is the case you found,
where the caller presents a Kerberos V5 ticket with the 'invalid' flag set. 
This bit is normally set only on post-dated tickets, which are timed to be 
valid at some point in the future but must be validated by the KDC before 
they can be used.  This case does not occur often in practice.

A second case which can result in RXKADNOAUTH is when the caller presents a 
ticket whose start and end times do not appear valid.  This can occur when 
the start time is later than the end time, or if the ticket expired more 
than 30 days in the past, is not valid until more than 30 days in the 
future, or has a lifetime longer than 30 days.  Unless you have made a 
recent configuration change on your KDC, this case would indicate that 
either the KDC's or the server's clock is off by more than 30 days.

I'd suggest checking the clocks on all your servers.

-- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
   Sr. Research Systems Programmer
   School of Computer Science - Research Computing Facility
   Carnegie Mellon University - Pittsburgh, PA