[OpenAFS] Fileserver doesn't recognise host-principals

Frank Burkhardt fbo2@gmx.net
Tue, 2 Sep 2008 22:13:14 +0200


I've got a strange problem here. Some of my AFS-client-machines must
put some stuff into AFS on a regular basis. Since all of them have
a host/...-Keytab, I wanted to use it as AFS-identity:

 admin@afs $ pts create host.somehost.cbs.mpg.de
 User host.somehost.cbs.mpg.de has id 2000000044

 root@somehost # kinit -k -t /etc/krb5.keytab
 root@somehost # klist -e
 Ticket cache: FILE:/tmp/krb5cc_0
 Default principal: host/somehost.cbs.mpg.de@CBS.MPG.DE

 Valid starting     Expires            Service principal
 08/26/08 16:22:11  08/27/08 18:22:11  krbtgt/CBS.MPG.DE@CBS.MPG.DE
        Etype (skey, tkt): Triple DES cbc mode with HMAC/sha1, Triple DES cbc mode with HMAC/sha1
 08/26/08 16:22:49  08/27/08 18:22:11  afs@CBS.MPG.DE
         Etype (skey, tkt): DES cbc mode with CRC-32, DES cbc mode with CRC-32

 Kerberos 4 ticket cache: /tmp/tkt0
 klist: You have no tickets cached
 root@somehost # aklog
 root@somehost # tokens

 Tokens held by the Cache Manager:

 User's (AFS ID 2000000044) tokens for afs@cbs.mpg.de [Expires Aug 27 18:22]
    --End of list--

However, when I try to create a file in AFS, I'm recognised as anonymous:

 root@somehost # cd /afs/cbs.mpg.de/tmp/leipzig;rm -f xxx
 root@somehost # touch xxx
 root@somehost # ls -la xxx
 -rw-r--r-- 1 anonymous root 0 Aug 26 16:25 xxx

There's nothing suspicious in the AFS-client's dmesg or in the fileserver's

Does anyone have an idea, what might cause this problem? I use keytabs+AFS
all the time. The problem just affects host-keytabs - on at least 3 of my

Thank you for any hints.