[OpenAFS] That infamous, magnificent bastard, error 19270408.

John Rudd jrudd@ucsc.edu
Sun, 10 Sep 2006 20:26:15 -0700


On Sep 10, 2006, at 7:50 PM, Ken Hornstein wrote:

>> Ok.  If I understand this right, your past clients are using
>> "krb524d" to convert tickets -- and are storing a "real" Kerberos 4
>> ticket.  This latter key can *only* be DES, because that's the
>> only encryption mode supported by Kerberos 4.
>> If you have slightly newer code, you may have a version
>> of aklog that does "rxkad 2b".  If so, it's unwrapping the
>> Kerberos 5 ticket, throwing away some bits it doesn't need,
>> and sending the guts.  If you have the very newest code, you
>> probably have a version of aklog that sends the Kerberos 5 ticket over
>> "as is".  This is probably what your Solaris 9 + OpenAFS 1.4.1 client
>> is doing.
>
> Oh, silly me.  Bill, here is the problem:
>
> % rxdebug -version catsafs1.ucsc.edu
> AFS version: Base configuration afs3.6 2.18
>
> You're still running what looks to be Transarc-era code on your
> fileservers.  Even if your KeyFile is correct on those machines,
> the newer authentication protocol (rxkad2b, as Marcus says) won't
> work.  You need to upgrade your fileservers.
>
> (Now, I can sleep ... there IS a logical explanation :-) ).
>

*laugh*  The plan was to do that slowly through the quarter.

(Just to make things clear: Bill manages most of our AFS clients, Joe
is the AFS admin (and will soon be the Kerberos admin), and I'm the
Kerberos admin.)

Here are the getprinc results that were mentioned:

kadmin:  getprinc afs
Principal: afs@CATS.UCSC.EDU
Expiration date: Mon Dec 31 20:59:00 PST 2035
Last password change: Wed Jul 26 15:45:29 PDT 2006
Password expiration date: [none]
Maximum ticket life: 0 days 21:15:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 26 15:47:29 PDT 2006 (joed/admin@CATS.UCSC.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 5, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]

kadmin:  getprinc afs/cats.ucsc.edu
Principal: afs/cats.ucsc.edu@CATS.UCSC.EDU
Expiration date: Mon Dec 31 20:59:00 PST 2035
Last password change: Thu Apr 03 11:17:00 PST 1997
Password expiration date: [none]
Maximum ticket life: 0 days 21:15:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Apr 03 11:17:00 PST 1997 (@CATS.UCSC.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]

I wonder if this means Joe will have to speed up the pace of the AFS 
upgrade, then.  I thought someone said it was perfectly ok to run 
OpenAFS database servers with Transarc Fileservers?
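
An added example, not part of the original message and not code from OpenAFS or MIT Kerberos: a Python script that parses kadmin getprinc output in the layout quoted above and reports, per principal, the key version numbers and whether only single-DES keys are present. The sample text, realm and principal names are constructed; the third principal with a Triple DES key is an assumption added to show the non-DES case.

```python
import re

# Constructed sample in the layout of the getprinc output quoted above;
# the principal and realm names are placeholders.
SAMPLE = """\
kadmin:  getprinc afs
Principal: afs@EXAMPLE.ORG
Number of keys: 1
Key: vno 5, DES cbc mode with CRC-32, no salt

kadmin:  getprinc afs/example.org
Principal: afs/example.org@EXAMPLE.ORG
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, Version 4

kadmin:  getprinc host/a.example.org
Principal: host/a.example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 3, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 3, DES cbc mode with CRC-32, no salt
"""

KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s*([^,]+?)(?:,\s*(.+))?$")

def parse_getprinc(text):
    """Return {principal: [(kvno, enctype, salt), ...]} from getprinc output."""
    principals, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            principals[current] = []
        elif current and (m := KEY_RE.match(line)):
            kvno, enctype, salt = m.groups()
            principals[current].append((int(kvno), enctype.strip(), salt or ""))
    return principals

def single_des_only(keys):
    """True when the principal has keys and every one of them is single DES."""
    return bool(keys) and all(e.upper().startswith("DES ") for _, e, _ in keys)

def report(text):
    """One row per principal: (name, sorted kvnos, single-DES-only flag)."""
    return [(name, sorted({k for k, _, _ in keys}), single_des_only(keys))
            for name, keys in parse_getprinc(text).items()]

if __name__ == "__main__":
    for name, kvnos, weak in report(SAMPLE):
        print(name, "kvno", kvnos, "single-DES only" if weak else "has a non-DES key")
```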