[OpenAFS] "ktadd -k <anywhere> afs/xyz@REALM" breaks AFS instantly?
Adam Megacz
megacz@cs.berkeley.edu
Mon, 13 Feb 2006 19:32:19 -0800
Wow, I just went through a really confusing experience. Please tell
me if this is a correct understanding:

  1. Exporting a key from the KDC into a keytab using "ktadd" causes
     the principal's "kvno" to be incremented.

  2. /etc/openafs/server/KeyFile contains such a key.

  3. The key in the KDC and the KeyFile must match exactly, including
     their kvno.

If I understand correctly, simply exporting the afs principal's key
from the KDC (regardless of where you're exporting *to*) will
instantly break all servers in the cell.

... or, at least that's what appeared to happen to me; I started
getting "ticket version number did not match" (or something very
similar) and couldn't do anything in the cell that required privileges
other than system:anyuser.

- a
--
PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380