[OpenAFS] openafs installation

Roman Hlynovskiy roman.hlynovskiy@gmail.com
Sun, 28 Dec 2008 22:07:06 +0600

Hello Russ,

the key was created on KDC with: addprinc -policy service -randkey -e
des-cbc-crc:v4 afs
from kadmin.local

as far as i understand it defines ony des for communication?
i did not modify a key - this is my first afs installation and i was
just folloing the howto.

how do I check if aklog is using the right keyfile?

I have also tried to get some help through IRC, but unfortunately, the
only person who tried to help me, didn't have much time.
this is a log http://www.ece.cmu.edu/~allbery/lambdabot/logs/openafs/2008-12-26.txt.
my nick is n-other in this talk.

is there anything useful can be found from this log to help me with
the problem?

2008/12/27 Russ Allbery <rra@stanford.edu>:
> "Roman Hlynovskiy" <roman.hlynovskiy@gmail.com> writes:
>> I am trying to implement openafs to a couple of servers according to
>> this guide: http://www.debian-administration.org/articles/610
>> afs-newcell
>>     goes fine
>> kinit root/admin; aklog
>>     also ok
>> but afs-rootvol
>>  fails on fs sa /afs system:anyuser rl
>>  with
>> fs sa /afs system:anyuser rl
>> fs: You don't have the required access rights on '/afs'
>> Failed: 256
>> at the same time openafs module dumps the following line to dmesg:
>> afs: Tokens for user of AFS id 0 for cell forever.kz are discarded
>> (rxkad error=19270407)
> windlord:~> translate_et 19270407
> 19270407 (rxk).7 = security object was passed a bad ticket
> Chances are fairly high that this error message means that your AFS server
> disagrees with your Kerberos server about the afs/* key.  In other words,
> what you have in the KeyFile for your AFS server doesn't match what's in
> the KDC, either in the key or in the kvno.  Possible causes:
> * The key in the KDC is not restricted to only a DES enctype.
> * You've changed the KDC key (such as with a subsequent kadmin addkey
>  command) since you imported the key into the AFS KeyFile with asetkey.
> * You specified the wrong kvno in the asetkey command.
> * You have both an afs key and an afs/<cell> key in Kerberos and aklog
>  isn't using the one that you expect it to use.
> --
> Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

...WBR, Roman Hlynovskiy