[OpenAFS] False replay error with 1.7 on Win 7 client (fwd)

Jeffrey Altman jaltman@secure-endpoints.com
Tue, 11 Dec 2012 10:40:14 -0500



Upgrading your AFS principal from afs@ to afs/math.cornell.edu@ will fix this problem
and shorten the time it takes all AFS clients to obtain afs tokens.

On Tuesday, December 11, 2012 8:50:03 AM, Steve Gaarder wrote:
> I am trying to get Openafs 1.7.21 working on a Windows 7 machine.  I
> followed the directions on
> http://wiki.openafs.org/WindowsEndUserQuickStartGuide/
> and installed Heimdall and the Network Identity Manager from the links
> on that page.
>
> Using the Identity Manager, I am able to get a Kerberos ticket but not
> an AFS token.  If I use aklog from the command line, sometimes I get a
> token and sometimes I don't.  When it does not work, the error is
> ERR_REPEAT (Request is a replay).
>
> A packet trace confirms this, and shows that this is also what happens
> every time I try it with Identity Manager.
>
> Our KDC is using the principal afs@MATH.CORNELL.EDU, not
> afs/math.cornell.edu@MATH.CORNELL.EDU.  According to the packet trace,
> the client tries afs/math.cornell.edu@MATH.CORNELL.EDU twice before
> falling back to afs@MATH.CORNELL.EDU.  The first try is always
> rejected with PRINCIPAL_UNKNOWN. Sometimes the second try hits the
> same error, and sometimes it hits ERR_REPEAT, in which case the client
> gives up.  I assume there is a timing issue here, with the requests
> sometimes having the same timestamp.
>
> So how can we fix this?  The KDC is running MIT Kerberos 1.6 on
> Scientific Linux 5.  I read on the net that there have been some
> replay cache improvements since then, so a KDC upgrade is one option
> for trying to fix this, but I can't do that right away.
>
> It seems to me that switching to afs/math.cornell.edu@MATH.CORNELL.EDU
> is likely to fix the problem, but I am uncertain about how to do that
> without creating any service disruptions.  If I do this:
>
> 1. Create afs/math.cornell.edu@MATH.CORNELL.EDU
> 2. Store the key in a keytab file
> 3. Use asetkey to add the key to the keyfile on each of the AFS servers
>
> will it allow existing tokens that authenticated with
> afs@MATH.CORNELL.EDU to still work?
>
> Any other ideas?
>
> thanks,
>
> Steve Gaarder
> System Administrator, Dept of Mathematics
> Cornell University, Ithaca, NY, USA
> gaarder@math.cornell.edu
> _______________________________________________
> OpenAFS-info mailing list
> OpenAFS-info@openafs.org
> https://lists.openafs.org/mailman/listinfo/openafs-info
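The three-step migration from Steve's message, scripted as an added example (not code from the thread or from the OpenAFS project). It assumes an MIT kadmin on the KDC, AFS servers whose KeyFile still takes DES keys, and placeholder keytab paths; the principal and cell names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: MIT kadmin on the KDC,
# OpenAFS servers whose KeyFile still takes DES keys, placeholder paths.
set -eu

CELL="math.cornell.edu"
REALM="MATH.CORNELL.EDU"
NEWPRINC="afs/${CELL}@${REALM}"
KEYTAB="/root/afs-${CELL}.keytab"   # placeholder path; keep it mode 0600

# Print the highest kvno listed for principal $1 in 'klist -k' output on stdin
# (0 if absent). asetkey needs the kvno spelled out, and it must be the one
# the KDC now issues for the principal, so read it from the keytab itself.
kvno_for_principal() {
    awk -v p="$1" 'BEGIN { max = 0 }
        $1 ~ /^[0-9]+$/ && $NF == p && $1 + 0 > max { max = $1 + 0 }
        END { print max }'
}

# Steps 1-2, on the KDC: create the principal and export its key.
# Note: MIT ktadd re-randomizes the key and bumps the kvno, so the kvno
# to use is whatever the keytab holds afterwards, not the one from addprinc.
create_and_export() {
    kadmin.local -q "addprinc -randkey -e des-cbc-crc:normal ${NEWPRINC}"
    kadmin.local -q "ktadd -k ${KEYTAB} -e des-cbc-crc:normal ${NEWPRINC}"
    chmod 600 "${KEYTAB}"
}

# Step 3, on each AFS server, after copying the keytab over securely.
# KeyFile entries are indexed by kvno alone, so check 'asetkey list' first:
# adding under a kvno already used by the afs@REALM key replaces that key,
# and tokens encrypted with it stop validating on that server.
install_key() {
    kvno=$(klist -k "${KEYTAB}" | kvno_for_principal "${NEWPRINC}")
    [ "${kvno}" -gt 0 ] || { echo "${NEWPRINC} not in ${KEYTAB}" >&2; return 1; }
    asetkey add "${kvno}" "${KEYTAB}" "${NEWPRINC}"
    asetkey list
}

# Constructed 'klist -k' listing, used only to exercise the kvno parser offline.
SAMPLE_KLIST='KVNO Principal
---- --------------------------------------------------------------------------
   2 afs/math.cornell.edu@MATH.CORNELL.EDU
   3 afs/math.cornell.edu@MATH.CORNELL.EDU
   1 host/kdc.math.cornell.edu@MATH.CORNELL.EDU'

sample_kvno() {
    printf '%s\n' "${SAMPLE_KLIST}" | kvno_for_principal "${NEWPRINC}"   # prints 3
}
```

Run create_and_export on the KDC and install_key on each file and database server; the collision check against the existing afs@REALM kvno is deliberately left to the operator, since a wrong guess there is what would break the tokens Steve asks about.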

