[OpenAFS] Service principal ticket expiring (AD)

Jonathan Nilsson jnilsson@uci.edu
Tue, 17 Jan 2012 15:50:54 -0800



i'm no expert, but we are successfully using AD as our Kerberos source.


> After aklog got me a token using AD (without error), the fileserver still
> rejects it.
>

how do you know that it is the fileserver rejecting the connection, and how do
you know it is related to Kerberos? i guess what i'm asking is: when do you
notice the error, what log file, and can you post a specific error message?

> I needed to restart the fileserver and then it worked fine.  But a week later,
> I had to restart the fileserver again in order for AD Source AFS tokens.
>

i just noticed that our BosConfig does still have "restarttime" defined for
weekly on Sunday at 4am. I recall that being necessary in the past, but I
thought it wasn't the case any longer. and I don't recall that the restart
requirement was related to Kerberos.

maybe the weekly automatic restarts have been saving us from this problem
without realizing it!

-- Jonathan
