[OpenAFS] Active Directory 2003, kerberos 5, openAFS - rxkad error=19270407, arghhhh

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 03 Jan 2007 09:16:50 -0500


Lönroth Erik wrote:
> I believe I have... My file looks like this. Can I be sure this is OK?
> In my misery I can't trust anything at the moment.
>
> [root@vmware01 ~]# cat /usr/afs/etc/krb.conf
> LAB.SCANIA.COM
> LAB.SCANIA.COM sesocolab11.scania.com

This is fine.  Although the second line is not used by AFS so you
can remove it.

Did you restart the AFS servers after setting this value?

> I have also looked in AD to see the Service principal binding (Is this
> right?) :
>
> C:\setspn -A afs/sss.se.scania.com afs
> Registering ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com
>         afs/sss.se.scania.com
> Updated object
>
> C:\setspn -L afs
> Registered ServicePrincipalNames for
> CN=afs,OU=Users,OU=VAS,OU=TEST,DC=lab,DC=scania,DC=com:
>     afs/sss.se.scania.com
>     HOST/afs
>     HOST/afs.LAB
>

That is fine.

RXKADBADTICKET can be generated if the clocks between AFS and AD
are not synchronized.  Are they?

Jeffrey Altman