[OpenAFS] Re: asetkey: failed to set key, code 70354694

Andrew Deason adeason@sinenomine.net
Fri, 7 Jan 2011 20:58:16 -0500


On Fri, 07 Jan 2011 20:44:50 -0500
Jeff Blaine <jblaine@kickflop.net> wrote:

> > So, do you mean it works when you 'kinit; aklog', but you get an
> > error when you login normally? (as in, using a password) Whether
> > that be via ssh or whatever.
> 
> What I've found is that any authentication to kaserver
> ends up with a token that gets trashed/"discarded".
> That is, I can run klog, seemingly get tokens fine, and
> then they are discarded when I run the 'tokens' command.

Oh, okay, kinit/aklog as opposed to klog. That makes more sense.

> ~:cairo> touch file-in-home
> touch: file-in-home cannot create
> ~:cairo> echo tokens-are-bogus-but-listed
> tokens-are-bogus-but-listed

They're still there because such an error to one server doesn't
necessarily mean all servers will give the same error. At least, I think
that's the reasoning.

> And here is all of our servers showing matching keys (key 17
> is the one ktadd made which we then asetkey'd):

Yes, but that's the key for the krb5 setup. The kaserver setup will have
a different service key and kvno (unless you did something special to
synchronize them).

Did you perhaps remove the key that kaserver was using from the KeyFile to
make room for the new krb5 key? 'kas examine' can tell you the kvno for
the afs service key in the kadb. If it's not in the KeyFile on your
servers, well, there you go.

> % for i in sonia shiva svetlana ur bunky canaan ephesus
> babylon; do bos listkeys $i | grep 'key 17'; done
> key 17 has cksum 1172998608

Obfuscated cksum, right?

-- 
Andrew Deason
adeason@sinenomine.net
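As an added example that is not part of the thread, the check Andrew suggests (compare the kvno/cksum that 'kas examine' reports for the afs principal against what 'bos listkeys' shows on each server) can be scripted; the command outputs, cksum values and server names below are constructed to mirror the formats quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): parse 'kas examine afs' and
# 'bos listkeys <server>' output and report, per kadb key, whether the
# same kvno with the same cksum is present in that server's KeyFile.
# The sample outputs are constructed; cksums and server names are made up.

# "kvno cksum" pairs from 'kas examine' lines like "  key (3) cksum is 2651715259, last cpw: ..."
kas_keys() {
  printf '%s\n' "$1" | sed -n 's/^ *key (\([0-9]*\)) cksum is \([0-9]*\),.*/\1 \2/p'
}

# "kvno cksum" pairs from 'bos listkeys' lines like "key 17 has cksum 1172998608"
bos_keys() {
  printf '%s\n' "$1" | sed -n 's/^key \([0-9]*\) has cksum \([0-9]*\).*/\1 \2/p'
}

# For every key kaserver holds for afs, print one verdict line:
#   "ok <kvno>"        same kvno and cksum in the KeyFile
#   "mismatch <kvno>"  kvno present but different key material
#   "missing <kvno>"   kvno not in the KeyFile at all (the case Andrew suspects)
check_server() {
  kas_keys "$1" | while read -r kvno cksum; do
    found=$(bos_keys "$2" | awk -v k="$kvno" '$1 == k { print $2 }')
    if [ -z "$found" ]; then echo "missing $kvno"
    elif [ "$found" != "$cksum" ]; then echo "mismatch $kvno"
    else echo "ok $kvno"
    fi
  done
}

# Constructed sample: kaserver's afs key is kvno 3.
KAS_OUT='User data for afs
  key (3) cksum is 2651715259, last cpw: Fri Jan  7 19:00:00 2011
  password will never expire.'
# sonia kept kvno 3 beside the new krb5 key 17; shiva dropped kvno 3; ur has a different kvno 3.
BOS_SONIA='key 3 has cksum 2651715259
key 17 has cksum 1172998608
All done.'
BOS_SHIVA='key 17 has cksum 1172998608
All done.'
BOS_UR='key 3 has cksum 1234567890
All done.'

echo "sonia: $(check_server "$KAS_OUT" "$BOS_SONIA")"   # ok 3
echo "shiva: $(check_server "$KAS_OUT" "$BOS_SHIVA")"   # missing 3
echo "ur:    $(check_server "$KAS_OUT" "$BOS_UR")"      # mismatch 3
# Live use: check_server "$(kas examine afs)" "$(bos listkeys sonia)"
```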