[OpenAFS] Can't get tokens since upgrading to 1.7.6 and Heimdal

Jeff Blaine jblaine@kickflop.net
Wed, 22 Feb 2012 10:30:40 -0500


The problem isn't "it's not finding afs/sub.my.org@SUB.MY.ORG"

The problem is: "it's not looking for afs@SUB.MY.ORG"

It should do that.

OpenAFS Quick Start Guide:
...
Begin by creating the following two entries in your site's Kerberos
database:
...

The entry for AFS server processes, called either afs or afs/cell.
...
                                                   ^^^

On 2/22/2012 10:15 AM, David Goldberg wrote:
> It should have it. The exact same krb.conf file except for the
> allow_weak_crypto line worked fine before when I was using MIT kerberos.
>
> I will check with the admin, though.
> Thanks
> --
> Dave Goldberg
> david.goldberg6@verizon.net
>
> Ken Dreyer <ktdreyer@ktdreyer.com> wrote:
>
>     On Wed, Feb 22, 2012 at 6:44 AM, David Goldberg
>     <david.goldberg6@verizon.net>  wrote:
>     >  $ aklog -d
>     >  Authenticating to cell sub.my.org.
>     >  Getting v5 tickets: afs/sub.my.org@SUB.MY.ORG
>     >  Getting v5 tickets: afs/sub.my.org@MY.ORG
>     >  Getting v5 tickets: afs@MY.ORG
>     >  Kerberos error code returned by get_cred: -1765328377
>     >  aklog.exe: Couldn't get sub.my.org AFS tickets: UNKNOWN_SERVER
>
>     Looks like aklog is asking for the Kerberos service principal
>     "afs/sub.my.org@SUB.MY.ORG" (and variations), but the KDC is saying
>     that it doesn't know that principal. Are you sure it is present in
>     your KDC's database? Is DES enabled on this principal and on the KDC?
>
>     -
>     Ken
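
Added example, not part of the original posts and not OpenAFS code: a small Python check that reads `aklog -d` output, decodes the `get_cred` error code, and reports which of the two Quick Start principal names (`afs/cell` and `afs`) were never requested in the cell's own realm. The function names are hypothetical, the sample input is constructed from the output quoted in the thread, and the realm is assumed to be the cell name in upper case.

```python
import re

# Base of the krb5 com_err table; KDC protocol error numbers (RFC 4120)
# are reported by the library as this base plus the protocol error number.
KRB5_ERROR_BASE = -1765328384
KDC_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
}

# Constructed sample: the aklog -d output quoted in the thread.
SAMPLE = """\
Authenticating to cell sub.my.org.
Getting v5 tickets: afs/sub.my.org@SUB.MY.ORG
Getting v5 tickets: afs/sub.my.org@MY.ORG
Getting v5 tickets: afs@MY.ORG
Kerberos error code returned by get_cred: -1765328377
aklog.exe: Couldn't get sub.my.org AFS tickets: UNKNOWN_SERVER
"""

def parse_aklog_debug(text):
    """Return the cell, the principals requested (in order) and the error code."""
    cell = re.search(r"^Authenticating to cell (\S+)", text, re.M)
    code = re.search(r"get_cred: (-?\d+)", text)
    return {
        "cell": cell.group(1).rstrip(".") if cell else None,
        "tried": re.findall(r"^Getting v5 tickets: (\S+)$", text, re.M),
        "code": int(code.group(1)) if code else None,
    }

def decode_krb5_error(code):
    """Map a krb5 library error code to the KDC protocol error name."""
    offset = code - KRB5_ERROR_BASE
    return KDC_ERRORS.get(offset, "krb5 error offset %d" % offset)

def untried_quickstart_names(cell, tried, realm=None):
    """Quick Start service names for the cell's realm that were never requested."""
    realm = realm or cell.upper()  # assumption: realm is the upper-cased cell name
    candidates = ["afs/%s@%s" % (cell, realm), "afs@%s" % realm]
    return [name for name in candidates if name not in tried]

if __name__ == "__main__":
    info = parse_aklog_debug(SAMPLE)
    print("error:", decode_krb5_error(info["code"]))
    print("never requested:", untried_quickstart_names(info["cell"], info["tried"]))
```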