[OpenAFS] ADS and MIT Kerberos transition auth continued

Jeffrey Altman jaltman@secure-endpoints.com
Wed, 01 Jul 2009 18:00:50 -0400

Eric Chris Garrison wrote:

> ...but as ecgarris@ADS.IU.EDU:
> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_Aud_Unauth CODE -1 STR AFS_SRX_StData
> Wed Jul  1 15:58:37 2009 [6] EVENT AFS_SRX_StData CODE 0 NAME --UnAuth--
> HOST ID 32766 FID 536870933:2:2
> So the ADS.IU.EDU user is showing as unauthorized?  Strange that if I
> create a file, its UNIX permissions show as owned by ecgarris though.
>> I would also verify that the keytabs that you are using are in fact
>> correct.  You can do so using the MIT Kerberos kvno command.  Obtain a
>> TGT for ecgarris@ADS.IU.EDU and then issue:
>>   kvno -k <keytab> afs/afstest.iu.edu@ADS.IU.EDU

Your Rx connection is unauthenticated.  That means that

 (a) either you do not have an AFS token

 (b) the token contains a kvno that is not recognized by the AFS server

 (c) the token is bad in some other way

On Windows using the MIT KFW klist command, what does "klist -e" show
when you have an afs/afstest.iu.edu@ADS.IU.EDU service ticket in the cache?

Jeffrey Altman