[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)

[Steve Gaarder]

I am trying to get Openafs 1.7.21 working on a Windows 7 machine.  I followed 
the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
and installed Heimdall and the Network Identity Manager from the links on that 
page.

Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS 
token.  If I use aklog from the command line, sometimes I get a token and 
sometimes I don't.  WHen it does not work, the error is ERR_REPEAT (Request is 
a replay).

A packet trace confirms this, and shows that this is also what happens every 
time I try it with Identity Manager.

Our KDC is using the principal afs@MATH.CORNELL.EDU, not 
afs/math.cornell.edu@MATH.CORNELL.EDU.  According to the packet trace, the 
client tries afs/math.cornell.edu@MATH.CORNELL.EDU twice before falling back to 
afs@MATH.CORNELL.EDU.  The first try is always rejected with PRINCIPAL_UNKNOWN. 
Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT, 
in which case the client gives up.  I assume there is a timing issue here, with 
the requests sometimes having the same timestamp.

So how can we fix this?  THe KDC is running MIT Kerberos 1.6 on Scientific 
Linux 5.  I read on the net that there have been some replay cache 
improvements since then, so a KDC upgrade is one option for trying to fix 
this, but I can't do that right away.

It seems to me that switching to afs/math.cornell.edu@MATH.CORNELL.EDU is 
likely to fix the problem, but I am uncertain about how to do that without 
creating any service disruptions.  If I do this:

1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers

will it allow existing tokens that authenticated with afs@MATH.CORNELL.EDU 
to still work?

Any other ideas?

thanks,

Steve Gaarder
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA
gaarder@math.cornell.edu