[OpenAFS] rxkad error 19270405: caller not authorized
Sun, 22 May 2005 10:08:40 +0200
On Sat, May 21, 2005 at 04:01:55PM -0400, Jeffrey Hutzelman wrote:
> On Saturday, May 21, 2005 05:08:42 PM +0200 Albrecht Gebhardt
> <firstname.lastname@example.org> wrote:
> >fs: Tokens for user of AFS id XYZ for cell uni-klu.ac.at are discarded
> >(rxkad error=19270405)
> As you determined, 19270405 is RXKADNOAUTH, "caller not authorized".
> There are several cases where this can occur. One is the case you found,
> where the caller presents a Kerberos V5 ticket with the 'invalid' flag set.
> This bit is normally set only on post-dated tickets, which are timed to be
> valid at some point in the future but must be validated by the KDC before
> they can be used. This case does not occur often in practice.
> A second case which can result in RXKADNOAUTH is when the caller presents a
> ticket whose start and end times do not appear valid. This can occur when
> the start time is later than the end time, or if the ticket expired more
> than 30 days in the past, is not valid until more than 30 days in the
> future, or has a lifetime longer than 30 days. Unless you have made a
> recent configuration change on your KDC, this case would indicate that
> either the KDC's or the server's clock is off by more than 30 days.
> I'd suggest checking the clocks on all your servers.
We did this immediately after the power came back after the crash,
epsecially because our time server didn't reboot correctly without
-- but yesterday we recognized that we forgot to check the time on one
fileserver out of eight!! It had a ntpd running but that didn't
recognize that the time server after its rivival.
It was not an afsdb server, it just serves a readonly replica of an
application data volume which is needed by our AFSroot
installation. This volume is also readonly availble from another
fileserver which had a correct time. This must have been the reason
for the random behauviour (works -- works not -- works ....)
Now it is working again.
> -- Jeffrey T. Hutzelman (N3NHS) <email@example.com>
> Sr. Research Systems Programmer
> School of Computer Science - Research Computing Facility
> Carnegie Mellon University - Pittsburgh, PA
// Albrecht Gebhardt Tel.: (++43 463) 2700/3118
// Institut fuer Mathematik Fax : (++43 463) 2700/3198
// Universitaet Klagenfurt mailto:firstname.lastname@example.org
// Universitaetsstr. 65 http://www.math.uni-klu.ac.at/~agebhard
// A-9020 Klagenfurt, Austria
// GPG PK: http://www.math.uni-klu.ac.at/~agebhard/agebhard.asc
// GPG FP: F46F 656E E83C 9323 CE30 FF8F 9DBA D1A3 B55A 78A6