[OpenAFS] rxkad error=19270408
Ted Creedon
tcreedon@easystreet.net
Thu, 23 Apr 2009 13:46:34 -0700
--000e0cd2de44c6677904683ef946
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
I appreciate your efforts.
Its not only not obvious but also a complete surprise that all of a sudden
all the remote clients (that were working) have all acted up, both Win
server 2003, XP and linux
More importantly the obvious looping of the clients for any reason indicates
a problem somewhere.
Anything I can do?.
The only thing I can think of is a keying and/or token problem that causes
the looping, however it would be coincidental that 2 sites had the problem
simultaneously..
/var/log/messages:
Apr 23 13:41:37 geronimo syslog-ng[2299]: last message repeated 3316 times
Apr 23 13:41:37 geronimo kernel: afs: Tokens for user of AFS id 1 for cell
creedon.biz: rxkad error=19270407 rxkad error=19270407
Apr 23 13:41:37 geronimo kernel: afs: Tokens for user of AFS id 1 for cell
creedon.biz: rxkad error=19270407
aklog -d -force creedon.biz
Authenticating to cell creedon.biz (server geronimo.creedon.biz).
Trying to authenticate to user's realm CREEDON.BIZ.
Getting tickets: afs/creedon.biz@CREEDON.BIZ
Using Kerberos V5 ticket natively
About to resolve name admin to id in cell creedon.biz.
Id 1
Set username to AFS ID 1
Setting tokens. AFS ID 1 / @ CREEDON.BIZ
On Thu, Apr 23, 2009 at 11:28 AM, Jeffrey Altman <
jaltman@secure-endpoints.com> wrote:
> Jeffrey Altman wrote:
> > Ted Creedon wrote:
> >> Upgraded XP to 1.5.59
> >>
> >> XP afsd_service.exe takes 98% of the cpu ditto for any client linux box.
> >> The XP and Linux clients are really not troubleshootable anymore due to
> >> the hard resets required.. The XP and Linux clients did claim to get a
> >> token, however.
> >>
> >> Both client and server work fine on geronimo. V 1.4.10 aklog gives the
> >> same result on both ookpik - client and geronimo - server
> >>
> >>
> >> aklog -d -force creedon.biz <http://creedon.biz>
> >> Authenticating to cell creedon.biz <http://creedon.biz> (server
> >> geronimo.creedon.biz <http://geronimo.creedon.biz>).
> >> Trying to authenticate to user's realm CREEDON.BIZ <http://CREEDON.BIZ
> >.
> >> Getting tickets: afs/creedon.biz <http://creedon.biz>@CREEDON.BIZ
> >> <http://CREEDON.BIZ>
> >> Using Kerberos V5 ticket natively
> >> About to resolve name admin to id in cell creedon.biz <
> http://creedon.biz>.
> >> Id 1
> >> Set username to AFS ID 1
> >> Setting tokens. AFS ID 1 / @ CREEDON.BIZ <http://CREEDON.BIZ>
> >>
> >
> > This output is from Linux. You said you couldn't get tokens on XP.
> > The output from Linux will not help diagnose a problem on XP.
> >
> > Does the CPU utilization drop if you discard your tokens with "unlog"?
> >
> > On XP:
> >
> > See if you can obtain a trace log. "fs trace -on", wait 5 seconds, "fs
> > trace -dump -off". The trace log is %windir%\temp\afsd.log.
> > If so, place it somewhere readable and post a link.
> >
> > If you cannot obtain a trace log. "fs minidump". The output will be
> > in %windir%\temp\afsd.dmp. Again, place it somewhere readable and post
> > a link.
> >
> > Jeffrey Altman
>
> I intentionally created an afs/cell@REALM principal whose kvno does not
> exist on the AFS servers. With 1.5.59 I am unable to reproduce the
> problem. According to the trace output a RXKADUNKNOWNKEY error is
> received from the file server. The STATUS_NO_KERB_KEY is then returned
> to the SMB redirector which does not attempt to retry.
>
> Whatever you are experiencing is not obvious.
>
> Jeffrey Altman
>
>
>
>
>
--000e0cd2de44c6677904683ef946
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I appreciate your efforts.<br><br>Its not only not obvious but also a compl=
ete surprise that all of a sudden all the remote clients (that were working=
) have all acted up, both Win server 2003, XP and linux<br><br>More importa=
ntly the obvious looping of the clients for any reason indicates a problem =
somewhere.<br>
<br>Anything I can do?.<br><br>The only thing I can think of is a keying an=
d/or token problem that causes the looping, however it would be coincidenta=
l that 2 sites had the problem simultaneously..<br><br>/var/log/messages:<b=
r>
Apr 23 13:41:37 geronimo syslog-ng[2299]: last message repeated 3316 times<=
br>Apr 23 13:41:37 geronimo kernel: afs: Tokens for user of AFS id 1 for ce=
ll <a href=3D"http://creedon.biz">creedon.biz</a>: rxkad error=3D19270407 r=
xkad error=3D19270407<br>
Apr 23 13:41:37 geronimo kernel: afs: Tokens for user of AFS id 1 for cell =
<a href=3D"http://creedon.biz">creedon.biz</a>: rxkad error=3D19270407<br><=
br>=A0=A0 <br>aklog -d=A0 -force <a href=3D"http://creedon.biz">creedon.biz=
</a><br>
Authenticating to cell <a href=3D"http://creedon.biz">creedon.biz</a> (serv=
er <a href=3D"http://geronimo.creedon.biz">geronimo.creedon.biz</a>).<br>Tr=
ying to authenticate to user's realm <a href=3D"http://CREEDON.BIZ">CRE=
EDON.BIZ</a>.<br>
Getting tickets: afs/<a href=3D"http://creedon.biz">creedon.biz</a>@<a href=
=3D"http://CREEDON.BIZ">CREEDON.BIZ</a><br>Using Kerberos V5 ticket nativel=
y<br>About to resolve name admin to id in cell <a href=3D"http://creedon.bi=
z">creedon.biz</a>.<br>
Id 1<br>Set username to AFS ID 1<br>Setting tokens. AFS ID 1 /=A0 @ <a href=
=3D"http://CREEDON.BIZ">CREEDON.BIZ</a><br><br><br><div class=3D"gmail_quot=
e">On Thu, Apr 23, 2009 at 11:28 AM, Jeffrey Altman <span dir=3D"ltr"><<=
a href=3D"mailto:jaltman@secure-endpoints.com">jaltman@secure-endpoints.com=
</a>></span> wrote:<br>
<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><div></div><=
div class=3D"h5">Jeffrey Altman wrote:<br>
> Ted Creedon wrote:<br>
>> Upgraded XP to 1.5.59<br>
>><br>
>> XP afsd_service.exe takes 98% of the cpu ditto for any client linu=
x box.<br>
>> The XP and Linux clients are really not troubleshootable anymore d=
ue to<br>
>> the hard resets required.. The XP and Linux clients did claim to g=
et a<br>
>> token, however.<br>
>><br>
>> Both client and server work fine on geronimo. V 1.4.10 aklog gives=
the<br>
>> same result on both ookpik - client and geronimo - server<br>
>><br>
>><br>
>> aklog -d -force <a href=3D"http://creedon.biz" target=3D"_blank">c=
reedon.biz</a> <<a href=3D"http://creedon.biz" target=3D"_blank">http://=
creedon.biz</a>><br>
>> Authenticating to cell <a href=3D"http://creedon.biz" target=3D"_b=
lank">creedon.biz</a> <<a href=3D"http://creedon.biz" target=3D"_blank">=
http://creedon.biz</a>> (server<br>
>> <a href=3D"http://geronimo.creedon.biz" target=3D"_blank">geronimo=
.creedon.biz</a> <<a href=3D"http://geronimo.creedon.biz" target=3D"_bla=
nk">http://geronimo.creedon.biz</a>>).<br>
>> Trying to authenticate to user's realm <a href=3D"http://CREED=
ON.BIZ" target=3D"_blank">CREEDON.BIZ</a> <<a href=3D"http://CREEDON.BIZ=
" target=3D"_blank">http://CREEDON.BIZ</a>>.<br>
>> Getting tickets: afs/<a href=3D"http://creedon.biz" target=3D"_bla=
nk">creedon.biz</a> <<a href=3D"http://creedon.biz" target=3D"_blank">ht=
tp://creedon.biz</a>>@<a href=3D"http://CREEDON.BIZ" target=3D"_blank">C=
REEDON.BIZ</a><br>
>> <<a href=3D"http://CREEDON.BIZ" target=3D"_blank">http://CREEDO=
N.BIZ</a>><br>
>> Using Kerberos V5 ticket natively<br>
>> About to resolve name admin to id in cell <a href=3D"http://creedo=
n.biz" target=3D"_blank">creedon.biz</a> <<a href=3D"http://creedon.biz"=
target=3D"_blank">http://creedon.biz</a>>.<br>
>> Id 1<br>
>> Set username to AFS ID 1<br>
>> Setting tokens. AFS ID 1 / =A0@ <a href=3D"http://CREEDON.BIZ" tar=
get=3D"_blank">CREEDON.BIZ</a> <<a href=3D"http://CREEDON.BIZ" target=3D=
"_blank">http://CREEDON.BIZ</a>><br>
>><br>
><br>
> This output is from Linux. =A0You said you couldn't get tokens on =
XP.<br>
> The output from Linux will not help diagnose a problem on XP.<br>
><br>
> Does the CPU utilization drop if you discard your tokens with "un=
log"?<br>
><br>
> On XP:<br>
><br>
> See if you can obtain a trace log. =A0"fs trace -on", wait 5=
seconds, "fs<br>
> trace -dump -off". =A0The trace log is %windir%\temp\afsd.log.<br=
>
> If so, place it somewhere readable and post a link.<br>
><br>
> If you cannot obtain a trace log. =A0"fs minidump". =A0The o=
utput will be<br>
> in %windir%\temp\afsd.dmp. =A0Again, place it somewhere readable and p=
ost<br>
> a link.<br>
><br>
> Jeffrey Altman<br>
<br>
</div></div>I intentionally created an afs/cell@REALM principal whose kvno =
does not<br>
exist on the AFS servers. =A0With 1.5.59 I am unable to reproduce the<br>
problem. =A0According to the trace output a RXKADUNKNOWNKEY error is<br>
received from the file server. =A0The STATUS_NO_KERB_KEY is then returned<b=
r>
to the SMB redirector which does not attempt to retry.<br>
<br>
Whatever you are experiencing is not obvious.<br>
<font color=3D"#888888"><br>
Jeffrey Altman<br>
<br>
<br>
<br>
<br>
</font></blockquote></div><br>
--000e0cd2de44c6677904683ef946--