[OpenAFS] client unable to access afs-cell after update to 1.4.1
Ulrich Eck
ueck@net-labs.de
Sun, 4 Jun 2006 21:03:09 +0200
--Apple-Mail-1--658102031
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
charset=ISO-8859-1;
delsp=yes;
format=flowed
Hi Derek,
thanks for your help, i exportet the key to the keytab again - but =20
didn't distritute that key
to the afs-servers. the original problem was caused by using a wrong =20
cell-name on
one of the clients (which did work somehow before i upgraded to 1.4.1)
now it's working again like a charm :-)
cheers
Ulrich
Am 01.06.2006 um 02:55 schrieb Derek Atkins:
> The 1.4.x aklog should first try afs/cell@REALM and if that
> fails it should fallback and try afs@REALM. Right now
> you're running with two different keys, so that's part of
> your problem.
>
> -derek
>
> Ulrich Eck <ueck@net-labs.de> writes:
>
>> hi there,
>>
>> we have a small AFS-Cell using MIT-KRB5+524d on several debian/linux
>> machines.
>>
>> after upgrading one of the openafs-clients (debian) to v1.4.1 + new
>> kernel-modules
>> we're not able to access the afs-cell from this system.
>>
>> there seems to be a difference between v1.3.81 (used on our
>> fileservers/other clients) and
>> the new v1.4.1 in respect to what service-ticket aklog requests.
>>
>> on a working machine it requests a service-ticket for afs@OUR.DOMAIN
>> with the new
>> version it requests afs/cellname@OUR.DOMAIN. i tried to create a
>> principal afs/cellname@OUR.DOMAIN in our kdc - but i didn't have =20
>> success
>> as the kvno of the newly created principal does not match the
>> server-config.
>>
>> i get this error-message in the syslog of the client:
>> kernel: afs: Tokens for user of AFS id XXX for cell cellname are
>> discarded (rxkad error=3D19270408)
>>
>> ~$ translate_et 19270408
>> 19270408 (rxk).8 =3D ticket contained unknown key version number
>>
>> so my question(s):
>>
>> is it possible to tell aklog to behave like it did before the upgrade
>> (ergo request the afs@OUR.DOMAIN ticket) ?
>>
>> if not: can i tell the afs-cell to accept more than one service-=20
>> ticket
>> (afs@OUR.DOMAIN and afs/cellname@OUR.DOMAIN) and if yes - how =20
>> would i do
>> so ?
>>
>> thanks in advance for any suggestions/help
>>
>> cheers Ulrich
>>
>>
>> --=20
>> net-labs Systemhaus GmbH
>> Ebersberger Str. 46
>> 85570 Markt Schwaben
>> fon +49 8121 4747 0
>> fax +49 8121 4747 77
>> email: ueck@net-labs.de
>>
>> _______________________________________________
>> OpenAFS-info mailing list
>> OpenAFS-info@openafs.org
>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>
>>
>
> --=20
> Derek Atkins, SB '93 MIT EE, SM '95 MIT Media Laboratory
> Member, MIT Student Information Processing Board (SIPB)
> URL: http://web.mit.edu/warlord/ PP-ASEL-IA N1NWH
> warlord@MIT.EDU PGP key available
Ulrich Eck
net-labs Systemhaus GmbH
Gesch=E4ftsleitung
Ebersberger Str. 46
85570 Markt Schwaben
Tel: 08121/4747-0
Fax: 08121/4747-77
Email: ueck@net-labs.de
--Apple-Mail-1--658102031
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html;
charset=ISO-8859-1
<HTML><BODY style=3D"word-wrap: break-word; -khtml-nbsp-mode: space; =
-khtml-line-break: after-white-space; ">Hi Derek,<DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV>thanks for your help, i =
exportet the key to the keytab again - but didn't distritute that =
key</DIV><DIV>to the afs-servers. the original problem was caused by =
using a wrong cell-name on=A0</DIV><DIV>one of the clients (which did =
work somehow before i upgraded to 1.4.1)</DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV>now it's working again like =
a charm :-)</DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV>cheers</DIV><DIV>Ulrich</DIV>=
<DIV><BR class=3D"khtml-block-placeholder"></DIV><DIV><BR =
class=3D"khtml-block-placeholder"></DIV><DIV><BR><DIV><DIV>Am 01.06.2006 =
um 02:55 schrieb Derek Atkins:</DIV><BR =
class=3D"Apple-interchange-newline"><BLOCKQUOTE type=3D"cite"><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">The 1.4.x aklog should first try afs/cell@REALM and =
if that</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">fails it should fallback and try =
afs@REALM.<SPAN class=3D"Apple-converted-space">=A0 </SPAN>Right =
now</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">you're running with two =
different keys, so that's part of</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">your =
problem.</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">-derek</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">Ulrich Eck <<A =
href=3D"mailto:ueck@net-labs.de">ueck@net-labs.de</A>> =
writes:</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV> =
<BLOCKQUOTE type=3D"cite"><DIV style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; ">hi there,</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">we have =
a small AFS-Cell using MIT-KRB5+524d on several debian/linux</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">machines.</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">after upgrading one of the =
openafs-clients (debian) to v1.4.1 + new</DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">kernel-modules</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">we're not able to access the =
afs-cell from this system.</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">there seems to be a difference =
between v1.3.81 (used on our</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">fileservers/other clients) and<SPAN =
class=3D"Apple-converted-space">=A0</SPAN></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">the new =
v1.4.1 in respect to what service-ticket aklog requests.</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">on a =
working machine it requests a service-ticket for <A =
href=3D"mailto:afs@OUR.DOMAIN">afs@OUR.DOMAIN</A></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">with the new</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">version it =
requests afs/<A =
href=3D"mailto:cellname@OUR.DOMAIN">cellname@OUR.DOMAIN</A>. i tried to =
create a</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">principal afs/<A =
href=3D"mailto:cellname@OUR.DOMAIN">cellname@OUR.DOMAIN</A> in our kdc - =
but i didn't have success</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">as the kvno =
of the newly created principal does not match the</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">server-config.</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">i get this error-message in the =
syslog of the client:<SPAN =
class=3D"Apple-converted-space">=A0</SPAN></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">kernel: =
afs: Tokens for user of AFS id XXX for cell cellname are</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">discarded (rxkad error=3D19270408)</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">~$ =
translate_et 19270408</DIV><DIV style=3D"margin-top: 0px; margin-right: =
0px; margin-bottom: 0px; margin-left: 0px; ">19270408 (rxk).8 =3D ticket =
contained unknown key version number</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; min-height: =
14px; "><BR></DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">so my question(s):</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">is it =
possible to tell aklog to behave like it did before the =
upgrade</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">(ergo request the <A =
href=3D"mailto:afs@OUR.DOMAIN">afs@OUR.DOMAIN</A> ticket) ?</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">if not: =
can i tell the afs-cell to accept more than one service-ticket</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">(<A href=3D"mailto:afs@OUR.DOMAIN">afs@OUR.DOMAIN</A> =
and afs/<A href=3D"mailto:cellname@OUR.DOMAIN">cellname@OUR.DOMAIN</A>) =
and if yes - how would i do</DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">so =
?</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: =
0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">thanks in advance for any suggestions/help</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">cheers =
Ulrich</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; min-height: 14px; "><BR></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">--<SPAN =
class=3D"Apple-converted-space">=A0</SPAN></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">net-labs =
Systemhaus GmbH</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">Ebersberger Str. 46</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">85570 Markt Schwaben</DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">fon +49 =
8121 4747 0</DIV><DIV style=3D"margin-top: 0px; margin-right: 0px; =
margin-bottom: 0px; margin-left: 0px; ">fax +49 8121 4747 77</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">email: <A =
href=3D"mailto:ueck@net-labs.de">ueck@net-labs.de</A></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
">_______________________________________________</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; ">OpenAFS-info mailing list</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><A =
href=3D"mailto:OpenAFS-info@openafs.org">OpenAFS-info@openafs.org</A></DIV=
><DIV style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><A =
href=3D"https://lists.openafs.org/mailman/listinfo/openafs-info">https://l=
ists.openafs.org/mailman/listinfo/openafs-info</A></DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
min-height: 14px; "><BR></DIV> </BLOCKQUOTE><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; =
min-height: 14px; "><BR></DIV><DIV style=3D"margin-top: 0px; =
margin-right: 0px; margin-bottom: 0px; margin-left: 0px; ">--<SPAN =
class=3D"Apple-converted-space">=A0</SPAN></DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN =
class=3D"Apple-converted-space">=A0=A0 =A0 =A0 </SPAN>Derek Atkins, SB =
'93 MIT EE, SM '95 MIT Media Laboratory</DIV><DIV style=3D"margin-top: =
0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; "><SPAN =
class=3D"Apple-converted-space">=A0=A0 =A0 =A0 </SPAN>Member, MIT =
Student Information Processing Board<SPAN =
class=3D"Apple-converted-space">=A0 </SPAN>(SIPB)</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><SPAN class=3D"Apple-converted-space">=A0=A0 =A0 =A0 =
</SPAN>URL: <A =
href=3D"http://web.mit.edu/warlord/">http://web.mit.edu/warlord/</A><SPAN =
class=3D"Apple-converted-space">=A0 =A0 </SPAN>PP-ASEL-IA <SPAN =
class=3D"Apple-converted-space">=A0 =A0 </SPAN>N1NWH</DIV><DIV =
style=3D"margin-top: 0px; margin-right: 0px; margin-bottom: 0px; =
margin-left: 0px; "><SPAN class=3D"Apple-converted-space">=A0=A0 =A0 =A0 =
</SPAN><A href=3D"mailto:warlord@MIT.EDU">warlord@MIT.EDU</A><SPAN =
class=3D"Apple-converted-space">=A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =A0 =
=A0 =A0 </SPAN>PGP key available</DIV> </BLOCKQUOTE></DIV><BR><DIV> <P =
style=3D"margin: 0.0px 0.0px 0.0px 0.0px"><FONT face=3D"Helvetica" =
size=3D"3" style=3D"font: 12.0px Helvetica">Ulrich Eck</FONT></P> <P =
style=3D"margin: 0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; =
min-height: 14.0px"><BR></P> <P style=3D"margin: 0.0px 0.0px 0.0px =
0.0px"><FONT face=3D"Helvetica" size=3D"3" style=3D"font: 12.0px =
Helvetica">net-labs Systemhaus GmbH</FONT></P> <P style=3D"margin: 0.0px =
0.0px 0.0px 0.0px"><FONT face=3D"Helvetica" size=3D"3" style=3D"font: =
12.0px Helvetica">Gesch=E4ftsleitung</FONT></P> <P style=3D"margin: =
0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: =
14.0px"><BR></P> <P style=3D"margin: 0.0px 0.0px 0.0px 0.0px"><FONT =
face=3D"Helvetica" size=3D"3" style=3D"font: 12.0px =
Helvetica">Ebersberger Str. 46</FONT></P> <P style=3D"margin: 0.0px =
0.0px 0.0px 0.0px"><FONT face=3D"Helvetica" size=3D"3" style=3D"font: =
12.0px Helvetica">85570 Markt Schwaben</FONT></P> <P style=3D"margin: =
0.0px 0.0px 0.0px 0.0px; font: 12.0px Helvetica; min-height: =
14.0px"><BR></P> <P style=3D"margin: 0.0px 0.0px 0.0px 0.0px"><FONT =
face=3D"Helvetica" size=3D"3" style=3D"font: 12.0px Helvetica">Tel:<SPAN =
class=3D"Apple-converted-space">=A0 </SPAN>08121/4747-0</FONT></P> <P =
style=3D"margin: 0.0px 0.0px 0.0px 0.0px"><FONT face=3D"Helvetica" =
size=3D"3" style=3D"font: 12.0px Helvetica">Fax: =
08121/4747-77</FONT></P> <P style=3D"margin: 0.0px 0.0px 0.0px =
0.0px"><FONT face=3D"Helvetica" size=3D"3" style=3D"font: 12.0px =
Helvetica">Email: <A =
href=3D"mailto:ueck@net-labs.de">ueck@net-labs.de</A></FONT></P> =
</DIV><BR></DIV></BODY></HTML>=
--Apple-Mail-1--658102031--