[OpenAFS] fs: You don't have the required access rights on '/afs' - SOLVED

Derrick Brashear shadow@gmail.com
Thu, 11 Dec 2008 17:27:30 -0500



On Thu, Dec 11, 2008 at 4:33 PM, Tony D'Amato <tdamato@odu.edu> wrote:

>  After working the problem with Jeffrey Altman and Douglas Engert as well
> as Derrick Brashear offline, here's what I was doing wrong:
>
> 1) The afs/lionstest.odu.edu key was using the wrong salt... I fixed this
> by removing all instances of afs/lionstest.odu.edu from the keytab and
> from AFS (using asetkey delete) and replaced them with the proper one, then
> recycled the server:
>
> kadmin: addprinc -randkey -e "des-cbc-crc:v4" afs/lionstest.odu.edu
>
> kadmin: ktadd -e "des-cbc-crc:v4" afs/lionstest.odu.edu
>
> # klist -k -e -t -K|grep afs
>    3 11/12/2008 15:43 afs/lionstest.odu.edu@AUTH.ODU.EDU (DES cbc mode
> with CRC-32)  (0xb58c6e5e0d0b8f54)
>
> # asetkey add 3 /etc/krb5/krb5.keytab afs/lionstest.odu.edu
>
> # asetkey list
> kvno    3: key is: b58c6e5e0d0b8f54
> All done.
>
> 2) Because I'm using a Kerberos realm name which does not match the AFS
> cell name, I had to enter that realm into the following two files and
> recycle the AFS server and client:
>
> /usr/vice/etc/krb.conf  # for the client
> /usr/afs/etc/krb.conf    # for the server
>

The client doesn't care, actually. Just need the one in /usr/afs/etc
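
The klist and asetkey list output quoted above is a by-eye check that the keytab and the server KeyFile hold the same kvno and key. The script below automates that comparison. It is an added example, not part of the original thread; the principal afs/cell.example, the realm and the key bytes are constructed sample values, and in practice the two listings would come from `klist -k -e -t -K` and `asetkey list`.

```shell
#!/bin/sh
# Added example: check that keytab and AFS KeyFile agree on kvno and key.

# Read `klist -k -e -t -K` output on stdin; print "kvno key" for principal $1.
keytab_keys() {
    awk -v p="$1" 'index($0, p "@") && match($0, /\(0x[0-9a-fA-F]+\)/) {
        print $1, tolower(substr($0, RSTART + 3, RLENGTH - 4))
    }'
}

# Read `asetkey list` output on stdin; print "kvno key" per line.
keyfile_keys() {
    awk '$1 == "kvno" && $3 == "key" { sub(/:$/, "", $2); print $2, tolower($NF) }'
}

# compare_keys KLIST_OUTPUT ASETKEY_OUTPUT PRINCIPAL
# Prints one status line per keytab entry (never the key itself).
# Returns 0 if all match, 1 on any mismatch, 2 if the principal is absent.
compare_keys() {
    kt=$(printf '%s\n' "$1" | keytab_keys "$3")
    kf=$(printf '%s\n' "$2" | keyfile_keys)
    [ -n "$kt" ] || { echo "no keytab entry for $3"; return 2; }
    rc=0
    while read -r kvno key; do
        have=$(printf '%s\n' "$kf" | awk -v k="$kvno" '$1 == k { print $2 }')
        if [ -z "$have" ]; then
            echo "kvno $kvno: missing from KeyFile"; rc=1
        elif [ "$have" != "$key" ]; then
            echo "kvno $kvno: key mismatch"; rc=1
        else
            echo "kvno $kvno: match"
        fi
    done <<EOF
$kt
EOF
    return $rc
}

# Constructed sample listings (not real key material).
SAMPLE_KLIST='   3 11/12/2008 15:43 afs/cell.example@REALM.EXAMPLE (DES cbc mode with CRC-32)  (0x0123456789abcdef)'
SAMPLE_ASETKEY='kvno    3: key is: 0123456789abcdef
All done.'

compare_keys "$SAMPLE_KLIST" "$SAMPLE_ASETKEY" afs/cell.example
```

The status lines deliberately omit the key bytes, so the output can go into a ticket or log without exposing the service key.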
