[OpenAFS] That infamous, magnificent bastard, error 19270408.

Ken Hornstein kenh@cmf.nrl.navy.mil
Sun, 10 Sep 2006 22:50:06 -0400

>Ok.  If I understand this right, your past clients are using
>"krb524d" to convert tickets -- and are storing a "real" kerberos 4
>ticket.  This latter key can *only* be des, because that's the
>only encryption mode supported by kerberos 4.
>If you have slightly newer code, you may have a version
>of aklog that does "rxkad 2b".  If so, it's unwrapping the
>kerberos 5 ticket, throwing away some bits it doesn't need,
>and sending the guts.  If you have the very newest code, you
>probably have a version of aklog that sends the kerberos 5 ticket over
>"as is".  This is probably what your solaris 9 + openafs 1.4.1 client
>is doing.

Oh, silly me.  Bill, here is the problem:

% rxdebug -version catsafs1.ucsc.edu
AFS version: Base configuration afs3.6 2.18

You're still running what looks to be Transarc-era code on your
fileservers.  Even if your KeyFile is correct on those machines,
the newer authentication protocol (rxkad2b, as Marcus says) won't
work.  You need to upgrade your fileservers.

(Now, I can sleep ... there IS a logical explanation :-) ).