[OpenAFS] Re: asetkey: failed to set key, code 70354694

Jeff Blaine jblaine@kickflop.net
Fri, 07 Jan 2011 14:41:11 -0500


I should also point out that 'kinit; aklog' works for all
users who report problems.

How could it be that pam_krb5 (Russ's) and pam_afs_session
are broken due to a key change?

On 1/7/2011 2:38 PM, Jeff Blaine wrote:
> I lied, again! It's BACK.
>
> All file + DB servers report the exact same data for
> 'bos listkeys'
>
> All DB servers have been 'bos restart <server> -all'
>
> Various clients upon login throw the
>
> afs: Tokens for user of AFS id 26560 for cell rcf.our.org
> are discarded (rxkad error=19270408)
>
> error for various users. Some hosts work, some don't.
>
> Some that don't are 1.4.11 just like the servers. This
> is the communication after entering a password via
> SSH + pam_krb5 + pam_afs_session on a Solaris 10 SPARC
> box running 1.4.11:
>
> client1.our.org -> afsdb2.our.org UDP D=7004 S=32965 LEN=84
> afsdb2.our.org -> client1.our.org UDP D=32965 S=7004 LEN=180
> client1.our.org -> afsdb2.our.org UDP D=7004 S=32965 LEN=73
> client1.our.org -> afsdb1.our.org UDP D=7004 S=32966 LEN=84
> afsdb1.our.org -> client1.our.org UDP D=32966 S=7004 LEN=180
> client1.our.org -> afsdb1.our.org UDP D=7004 S=32966 LEN=73
> client1.our.org -> afsdb2.our.org UDP D=7004 S=32966 LEN=156
> afsdb2.our.org -> client1.our.org UDP D=32966 S=7004 LEN=140
> client1.our.org -> afsdb2.our.org UDP D=7004 S=32966 LEN=73
> client1.our.org -> afsdb2.our.org UDP D=7002 S=32966 LEN=300
> afsdb2.our.org -> client1.our.org UDP D=32966 S=7002 LEN=44
> client1.our.org -> afsdb2.our.org UDP D=7002 S=32966 LEN=73
> client1.our.org -> afsfs1.our.org UDP D=7000 S=7001 LEN=52
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=52
> client1.our.org -> afsfs1.our.org UDP D=7000 S=7001 LEN=132
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=74
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=40
> client1.our.org -> afsfs1.our.org UDP D=7000 S=7001 LEN=52
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=40
> client1.our.org -> afsfs1.our.org UDP D=7000 S=7001 LEN=476
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=73
> afsfs1.our.org -> client1.our.org UDP D=7001 S=7000 LEN=156
> client1.our.org -> afsfs1.our.org UDP D=7000 S=7001 LEN=73
>
> FWIW, none of the hosts above are the so-called previously
> problematic box, which we have actually halted for now
> to see if it affects anything.
>
> Can't make any sense of this.
>
> On 1/7/2011 12:15 PM, Jeff Blaine wrote:
>> This was solved by getting the responsible person to
>> finally upgrade this box to Solaris 10 and OpenAFS
>> 1.4.11 via upclientbin.
>>
>> On 1/6/2011 10:30 AM, Jeff Blaine wrote:
>>> It's talking to a Solaris 9 OpenAFS 1.4.6 server (the only
>>> one like that in our cell). Solaris 10 and OpenAFS 1.4.11
>>> on all other servers.
>>>
>>> I rebooted it though after the KeyFile update due to it
>>> seeming a little out of whack (AFS DB server only).
>>>
>>> On 1/6/2011 9:46 AM, Derrick Brashear wrote:
>>>> Same AFS version everywhere? Some older version had a bug and would
>>>> hang when rereading KeyFile, but it shouldn't cause this.
>>>> Use tcpdump and figure out which server is returning that error, or,
>>>> install a 1.5.78 client and see which server it logs the error about?
>>>>
>>>> On Thu, Jan 6, 2011 at 8:50 AM, Jeff Blaine <jblaine@kickflop.net> wrote:
>>>>> Hmm, not so fast I guess. *Some* hosts are still doing
>>>>> this, others are fine (???).
>>>>>
>>>>> All /usr/afs/etc/KeyFile files checksum the same on our
>>>>> servers.
>>>>>
>>>>> rcf-smtp% ssh vegas
>>>>> Password:
>>>>> Last login: Thu Jan 6 08:04:52 2011 from rcf-smtp.our.
>>>>> afs: Tokens for user of AFS id 26560 for cell rcf.our.org are
>>>>> discarded
>>>>> (rxkad error=19270408)
>>>>> %
>>>>> % translate_et 19270408
>>>>> 19270408 (rxk).8 = ticket contained unknown key version number
>>>>> % kinit
>>>>> Password for jblaine@RCF.OUR.ORG:
>>>>> % aklog
>>>>> % logout
>>>>>
>>>>> rcf-smtp% ssh vegas
>>>>> Password:
>>>>> Last login: Thu Jan 6 08:28:51 2011 from rcf-smtp.our.
>>>>> afs: Tokens for user of AFS id 26560 for cell rcf.our.org are
>>>>> discarded
>>>>> (rxkad error=19270408)
>>>>> %
>>>>>
>>>>>
>>>>> On 1/5/2011 8:37 PM, Jeff Blaine wrote:
>>>>>>
>>>>>> Thanks all -- that did it.
>>>>>>
>>>>>> On 1/5/2011 5:47 PM, Andrew Deason wrote:
>>>>>>>
>>>>>>> On Wed, 05 Jan 2011 17:36:57 -0500
>>>>>>> Jeff Blaine<jblaine@kickflop.net> wrote:
>>>>>>>
>>>>>>>> etc-upserver-host# asetkey add 17 /etc/krb5.keytab afs
>>>>>>>> asetkey: failed to set key, code 70354694.
>>>>>>>> etc-upserver-host#
>>>>>>>
>>>>>>> $ translate_et 70354694
>>>>>>> 70354694 (acfg).6 = no more entries
>>>>>>>
>>>>>>> aka AFSCONF_FULL. You can only have 8 keys at once iirc; how many do you
>>>>>>> have in there?
>>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenAFS-info mailing list
>>>>>> OpenAFS-info@openafs.org
>>>>>> https://lists.openafs.org/mailman/listinfo/openafs-info
>>>>>>
>
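
Added example, not part of the original thread and not OpenAFS code: how the two numeric codes quoted above (19270408 and 70354694) split into an error-table name and a message index, which is what translate_et printed. The bit layout and alphabet are the standard com_err packing as assumed here; the only message texts included are the two quoted in the thread.

```python
"""Split a com_err style AFS error code into (table name, message index)."""

# Assumption: standard com_err packing. The low 8 bits are the message index;
# the bits above hold the table name, 6 bits per character, using this alphabet.
CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_"
ERRCODE_RANGE = 8
BITS_PER_CHAR = 6

# Only the two messages quoted in the thread; other indexes are not listed.
KNOWN = {
    ("rxk", 8): "ticket contained unknown key version number",
    ("acfg", 6): "no more entries",
}


def decode(code):
    """Return (table, index) for a numeric error code."""
    index = code & ((1 << ERRCODE_RANGE) - 1)
    packed = (code >> ERRCODE_RANGE) & 0o77777777
    chars = []
    for i in range(4, -1, -1):
        ch = (packed >> (BITS_PER_CHAR * i)) & 0x3F
        if ch:  # zero means "no character in this slot"
            chars.append(CHARSET[ch - 1])
    # Lower-cased to match the translate_et output quoted in the thread.
    return "".join(chars).lower(), index


def describe(code):
    """Format a code the way the translate_et lines in the thread look."""
    table, index = decode(code)
    text = KNOWN.get((table, index), "message text not listed in this example")
    return f"{code} ({table}).{index} = {text}"


if __name__ == "__main__":
    # The rxkad error from the client log and the asetkey failure code.
    for code in (19270408, 70354694):
        print(describe(code))
```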