[OpenAFS] openafs installation

Russ Allbery rra@stanford.edu
Fri, 26 Dec 2008 10:25:49 -0800


"Roman Hlynovskiy" <roman.hlynovskiy@gmail.com> writes:

> I am trying to implement openafs to a couple of servers according to
> this guide: http://www.debian-administration.org/articles/610
>
> afs-newcell
>     goes fine
> kinit root/admin; aklog
>     also ok
>
> but afs-rootvol
>  fails on fs sa /afs system:anyuser rl
>  with
> fs sa /afs system:anyuser rl
> fs: You don't have the required access rights on '/afs'
> Failed: 256
>
> at the same time openafs module dumps the following line to dmesg:
> afs: Tokens for user of AFS id 0 for cell forever.kz are discarded
> (rxkad error=19270407)

windlord:~> translate_et 19270407
19270407 (rxk).7 = security object was passed a bad ticket

Chances are fairly high that this error message means that your AFS server
disagrees with your Kerberos server about the afs/* key.  In other words,
what you have in the KeyFile for your AFS server doesn't match what's in
the KDC, either in the key or in the kvno.  Possible causes:

* The key in the KDC is not restricted to only a DES enctype.

* You've changed the KDC key (such as with a subsequent kadmin addkey
  command) since you imported the key into the AFS KeyFile with asetkey.

* You specified the wrong kvno in the asetkey command.

* You have both an afs key and an afs/<cell> key in Kerberos and aklog
  isn't using the one that you expect it to use.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
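
The first three causes listed in the message can be checked by comparing what the AFS KeyFile holds with what the KDC lists for the afs principal. The following is an added example, not part of the original e-mail: it assumes you have captured the text of `asetkey list` and of MIT `kadmin getprinc` for the afs principal. The output line formats, the `example.org` names and the sample values are constructed assumptions.

```python
import re

# Constructed sample output, not from the original post. The line formats are
# assumptions modelled on `asetkey list` and MIT `kadmin getprinc afs/<cell>`.
SAMPLE_KEYFILE = """\
kvno    3: key is: 0123456789abcdef
All done.
"""
SAMPLE_KDC = """\
Principal: afs/example.org@EXAMPLE.ORG
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96, no salt
Key: vno 4, des-cbc-crc, no salt
"""

def keyfile_kvnos(text):
    """kvnos present in the AFS KeyFile; the key bytes are never captured."""
    return {int(v) for v in re.findall(r"^kvno\s+(\d+):", text, re.M)}

def kdc_keys(text):
    """(kvno, enctype) pairs listed for the afs principal in the KDC."""
    pairs = re.findall(r"^Key: vno (\d+), ([^,\n]+)", text, re.M)
    return [(int(v), e.strip()) for v, e in pairs]

def is_single_des(enctype):
    """True for des-cbc-* names and for the long 'DES cbc mode ...' form."""
    return re.match(r"des[- ]cbc", enctype, re.I) is not None

def diagnose(keyfile_text, kdc_text):
    """Return findings for the first three causes listed in the message."""
    file_kvnos, keys = keyfile_kvnos(keyfile_text), kdc_keys(kdc_text)
    if not file_kvnos or not keys:
        return ["could not parse one of the inputs"]
    current = max(v for v, _ in keys)  # the kvno new service tickets carry
    findings = []
    extra = sorted({e for v, e in keys if v == current and not is_single_des(e)})
    if extra:
        findings.append(f"KDC kvno {current} has non-DES enctypes: {', '.join(extra)}")
    if current not in file_kvnos:
        findings.append(f"KDC kvno {current} not in KeyFile {sorted(file_kvnos)}: "
                        "key changed after asetkey, or wrong kvno given to asetkey")
    # A matching kvno does not prove the key bytes match; re-import if in doubt.
    return findings

if __name__ == "__main__":
    for line in diagnose(SAMPLE_KEYFILE, SAMPLE_KDC):
        print(line)
```

The fourth cause (both an afs and an afs/<cell> principal existing) is not covered here, since it needs the KDC's principal list rather than a single principal's keys.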