[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)
Tue, 11 Dec 2012 08:50:03 -0500 (EST)
I am trying to get OpenAFS 1.7.21 working on a Windows 7 machine. I followed
the directions on http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
and installed Heimdal and the Network Identity Manager from the links on that
Using the Identity Manager, I am able to get a Kerberos ticket but not an AFS
token. If I use aklog from the command line, sometimes I get a token and
sometimes I don't. When it does not work, the error is ERR_REPEAT (Request is
A packet trace confirms this, and shows that this is also what happens every
time I try it with Identity Manager.
Our KDC is using the principal afs@MATH.CORNELL.EDU, not
afs/math.cornell.edu@MATH.CORNELL.EDU. According to the packet trace, the
client tries afs/math.cornell.edu@MATH.CORNELL.EDU twice before falling back to
afs@MATH.CORNELL.EDU. The first try is always rejected with PRINCIPAL_UNKNOWN.
Sometimes the second try hits the same error, and sometimes it hits ERR_REPEAT,
in which case the client gives up. I assume there is a timing issue here, with
the requests sometimes having the same timestamp.
So how can we fix this? The KDC is running MIT Kerberos 1.6 on Scientific
Linux 5. I read on the net that there have been some replay cache
improvements since then, so a KDC upgrade is one option for trying to fix
this, but I can't do that right away.
It seems to me that switching to afs/math.cornell.edu@MATH.CORNELL.EDU is
likely to fix the problem, but I am uncertain about how to do that without
creating any service disruptions. If I do this:
1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
2. Store the key in a keytab file
3. Use asetkey to add the key to the keyfile on each of the AFS servers
will it allow existing tokens that authenticated with afs@MATH.CORNELL.EDU
to still work?
Any other ideas?
System Administrator, Dept of Mathematics
Cornell University, Ithaca, NY, USA