[OpenAFS] Re: OpenAFS and AD trusts

Andrew Deason adeason@sinenomine.net
Tue, 19 Jul 2011 15:47:52 -0500


On Tue, 19 Jul 2011 15:56:17 -0400
Danko Antolovic <dantolov@indiana.edu> wrote:

> If I tell aklog to go after RESOURCE.NET explicitly, I end up with the 
> same error that started this thread:
> 
> [root@afs1c afs]# aklog  -d  -c afs1.bedrock.iu.edu  -k  RESOURCE.NET
> Authenticating to cell afs1.bedrock.iu.edu (server afs1.bedrock.iu.edu).
> We were told to authenticate to realm RESOURCE.NET.
> Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
> Getting tickets: afs/afs1.bedrock.iu.edu@RESOURCE.NET
> Kerberos error code returned by get_cred : -1765328228
> aklog: Couldn't get afs1.bedrock.iu.edu AFS tickets:
> aklog: unknown RPC error (-1765328228) while getting AFS tickets
> 
> This looks like AFS is trying to get the ticket from RESOURCE.NET, and 
> fails with
> "-1765328228 KRB5_KDC_UNREACH Cannot contact any KDC for requested realm"

This seems more of a Kerberos issue than an AFS issue. After you kinit,
can you run 'kvno afs/afs1.bedrock.iu.edu@RESOURCE.NET'? (If successful,
you should see the afs/afs1.bedrock.iu.edu@RESOURCE.NET service ticket
in 'klist' afterwards.) Do you have the RESOURCE.NET KDCs specified in
your krb5.conf?

-- 
Andrew Deason
adeason@sinenomine.net
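
The krb5.conf question in the reply above, as an added example that is not part of the original message: a small Python check that reads a krb5.conf and reports whether a realm has `kdc` entries or could still be located through DNS. The sample file, the example.invalid hostnames and the function names are constructed for illustration, and the default for `dns_lookup_kdc` is assumed to be enabled as in MIT krb5.

```python
import re

# Constructed sample: example.invalid hosts are placeholders, and RESOURCE.NET
# is deliberately given no kdc entries while DNS lookup is switched off.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    dns_lookup_kdc = false
[realms]
    EXAMPLE.INVALID = {
        kdc = kdc1.example.invalid
        kdc = kdc2.example.invalid:88
    }
    RESOURCE.NET = {
        # no kdc lines
        default_domain = resource.net
    }
"""

def parse(text):
    """Parse krb5.conf text into {section: {key: [values]}}.
    Keys inside a 'NAME = {' block are stored as 'NAME/key'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, block = header.group(1), None
            conf.setdefault(section, {})
        elif line.startswith("}"):
            block = None
        elif section is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if value == "{":                  # start of a realm-style block
                block = key
                conf[section].setdefault(key, [])
            else:
                name = f"{block}/{key}" if block else key
                conf[section].setdefault(name, []).append(value)
    return conf

def kdc_report(text, realm):
    """Report how the Kerberos library could locate a KDC for `realm`."""
    conf = parse(text)
    realms = conf.get("realms", {})
    # Assumption: when unset, DNS SRV lookup of KDCs is enabled (MIT krb5).
    dns = conf.get("libdefaults", {}).get("dns_lookup_kdc", ["true"])[0]
    dns_off = dns.lower() in ("false", "no", "off", "0", "n", "nil")
    kdcs = realms.get(f"{realm}/kdc", [])
    return {"realm_defined": realm in realms, "kdcs": kdcs,
            "dns_lookup_disabled": dns_off,
            "has_kdc_source": bool(kdcs) or not dns_off}
```

When `has_kdc_source` is false for the realm, the library has nowhere to look for a KDC, which is the situation KRB5_KDC_UNREACH reports.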