[OpenAFS] krb5 trust, rxkad error=19270408... I'm missing something

Douglas E. Engert deengert@anl.gov
Wed, 04 Apr 2012 09:35:25 -0500


On 4/3/2012 9:34 PM, clark wrote:
> I have the same problem.
> I am trying to use the AD KDC for my new cell authentication ...
> I found a lot of docs:
>
> http://wiki.openafs.org/AFSLore/win2008r2adaskdc/
> http://irp.nain-t.net/doku.php/320kerberos:70_kerberos-ad
> http://technet.microsoft.com/en-us/library/bb742433.aspx
> http://technet.microsoft.com/en-us/library/cc753771%28v=ws.10%29.aspx
> http://technet.microsoft.com/en-us/library/dd560670%28v=ws.10%29.aspx
> http://www.mail-archive.com/openafs-info@openafs.org/msg24908.html
> http://comments.gmane.org/gmane.comp.file-systems.openafs.general/27328
>
> But "pts: ticket contained unknown key version number" is already present.
>
> I checked: the kvno is the same in AD and in the AFS KeyFile (asetkey).
>
> Does anybody have a solution?

Running Wireshark while doing the aklog might help, as it is good
at formatting the Kerberos tickets returned by AD and shows the KVNOs.

If any of the DCs are read-only (RODC) there may be an issue, as Microsoft
is using part of the KVNO in the ticket to indicate a read-only DC.

Google for: RODC OpenAFS
as there have been other discussions.

http://blogs.msdn.com/b/openspecification/archive/2011/05/11/notes-on-kerberos-kvno-in-windows-rodc-environment.aspx


-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444