[OpenAFS] rxkad error 19270405: caller not authorized

Albrecht Gebhardt albrecht.gebhardt@uni-klu.ac.at
Sun, 22 May 2005 10:08:40 +0200 

On Sat, May 21, 2005 at 04:01:55PM -0400, Jeffrey Hutzelman wrote:
> 
> On Saturday, May 21, 2005 05:08:42 PM +0200 Albrecht Gebhardt 
> <albrecht.gebhardt@uni-klu.ac.at> wrote:
> 
> 
> >fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded
> >(rxkad error=19270405)
> 
> As you determined, 19270405 is RXKADNOAUTH, "caller not authorized".
> There are several cases where this can occur.  One is the case you found,
> where the caller presents a Kerberos V5 ticket with the 'invalid' flag set. 
> This bit is normally set only on post-dated tickets, which are timed to be 
> valid at some point in the future but must be validated by the KDC before 
> they can be used.  This case does not occur often in practice.
> 
> A second case which can result in RXKADNOAUTH is when the caller presents a 
> ticket whose start and end times do not appear valid.  This can occur when 
> the start time is later than the end time, or if the ticket expired more 
> than 30 days in the past, is not valid until more than 30 days in the 
> future, or has a lifetime longer than 30 days.  Unless you have made a 
> recent configuration change on your KDC, this case would indicate that 
> either the KDC's or the server's clock is off by more than 30 days.
> 
> I'd suggest checking the clocks on all your servers.

We did this immediately after the power came back after the crash,
epsecially because our time server didn't reboot correctly without
manual help. 

-- but yesterday we recognized that we forgot to check the time on one
fileserver out of eight!! It had a ntpd running but that didn't
recognize that the time server after its rivival.  

It was not an afsdb server, it just serves a readonly replica of an
application data volume which is needed by our AFSroot
installation. This volume is also readonly availble from another
fileserver which had a correct time. This must have been the reason
for the random behauviour (works -- works not -- works ....)

Now it is working again. 

Thanks

> 
> -- Jeffrey T. Hutzelman (N3NHS) <jhutz+@cmu.edu>
>   Sr. Research Systems Programmer
>   School of Computer Science - Research Computing Facility
>   Carnegie Mellon University - Pittsburgh, PA
> 

-- 
// Albrecht Gebhardt          Tel.: (++43 463) 2700/3118
// Institut fuer Mathematik   Fax : (++43 463) 2700/3198
// Universitaet Klagenfurt    mailto:albrecht.gebhardt@uni-klu.ac.at
// Universitaetsstr. 65       http://www.math.uni-klu.ac.at/~agebhard
// A-9020 Klagenfurt, Austria
// GPG PK: http://www.math.uni-klu.ac.at/~agebhard/agebhard.asc
// GPG FP: F46F 656E E83C 9323 CE30  FF8F 9DBA D1A3 B55A 78A6