[OpenAFS] Can't get tokens since upgrading to 1.7.6 and Heimdal

David Goldberg david.goldberg6@verizon.net
Wed, 22 Feb 2012 10:15:16 -0500 

------EF86LYKAE8P62C21NKOTXQOV9R1HJV
Content-Type: text/plain;
 charset=UTF-8
Content-Transfer-Encoding: 8bit

It should have it. The exact same krb.conf file except for the allow_weak_crypto line worked fine before when I was using MIT kerberos.

I will check with the admin, though.
Thanks
-- 
Dave Goldberg
david.goldberg6@verizon.net

Ken Dreyer <ktdreyer@ktdreyer.com> wrote:

On Wed, Feb 22, 2012 at 6:44 AM, David Goldberg
<david.goldberg6@verizon.net> wrote:
> $ aklog -d
> Authenticating to cell sub.my.org.
> Getting v5 tickets: afs/sub.my.org@SUB.MY.ORG
> Getting v5 tickets: afs/sub.my.org@MY.ORG
> Getting v5 tickets: afs@MY.ORG
> Kerberos error code returned by get_cred: -1765328377
> aklog.exe: Couldn't get sub.my.org AFS tickets: UNKNOWN_SERVER

Looks like aklog is asking for the Kerberos service principal
"afs/sub.my.org@SUB.MY.ORG" (and variations), but the KDC is saying
that it doesn't know that principal. Are you sure it is present in
your KDC's database? Is DES enabled on this principal and on the KDC?

- Ken


------EF86LYKAE8P62C21NKOTXQOV9R1HJV
Content-Type: text/html;
 charset=utf-8
Content-Transfer-Encoding: 8bit

<html><head></head><body>It should have it.  The exact same krb.conf file except for the allow_weak_crypto line worked fine before when I was using MIT kerberos.<br>
<br>
I will check with the admin, though.<br>
Thanks<br>
-- <br>
Dave Goldberg<br>
david.goldberg6@verizon.net<br><br><div class="gmail_quote">Ken Dreyer &lt;ktdreyer@ktdreyer.com&gt; wrote:<blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<pre style="white-space: pre-wrap; word-wrap:break-word; font-family: sans-serif">On Wed, Feb 22, 2012 at 6:44 AM, David Goldberg<br />&lt;david.goldberg6@verizon.net&gt; wrote:<br />&gt; $ aklog -d<br />&gt; Authenticating to cell <a href="http://sub.my.org">sub.my.org</a>.<br />&gt; Getting v5 tickets: afs/<a href="http://sub.my.org">sub.my.org</a>@SUB.MY.ORG<br />&gt; Getting v5 tickets: afs/<a href="http://sub.my.org">sub.my.org</a>@MY.ORG<br />&gt; Getting v5 tickets: afs@MY.ORG<br />&gt; Kerberos error code returned by get_cred: -1765328377<br />&gt; aklog.exe: Couldn't get <a href="http://sub.my.org">sub.my.org</a> AFS tickets: UNKNOWN_SERVER<br /><br />Looks like aklog is asking for the Kerberos service principal<br />"afs/<a href="http://sub.my.org">sub.my.org</a>@SUB.MY.ORG" (and variations), but the KDC is saying<br />that it doesn't know that principal. Are you sure it is present in<br />your KDC's database? Is DES enabled on this principal and on the KDC?<br /><br />-
Ken<br /></pre></blockquote></div></body></html>
------EF86LYKAE8P62C21NKOTXQOV9R1HJV--