[OpenAFS] afs/cell transition procedure

Kendrick Hernandez kendrick.hernandez@umbc.edu
Fri, 6 Sep 2013 10:41:50 -0400


Hi,

I'm trying to follow the "afs/cell transition procedure" as outlined in

http://www.openafs.org/pages/security/how-to-rekey.txt

and I was able to generate a new disabled afs/cell principal with strong
encryption, extract it to the rxkad.keytab file and distribute it to our
file servers, and do the restarts. After this I've noticed the following
message repeated in the FileLog for our servers:

VL_RegisterAddrs rpc failed; will retry periodically (code=19270407, err=0)

When I went to enable the new afs/cell principal and disable the old one, I
was able to log in to a server and get an afs/cell service ticket, tokens,
and access my afs volume. I could also do the same for my afs "admin"
principal, but when I went to perform a "vos release" operation, I got an
error about

Could not lock the VLDB entry for the volume XXXXXXXX.
rxk: security object was passed a bad ticket
Error in vos release command.
rxk: security object was passed a bad ticket

From one of our db servers I was able to do the release operation via
-localauth. I then disabled the new afs/cell principal and enabled the old
one, destroyed my tickets/tokens, re-authenticated, and was then able to
perform the vos release.

This leads me to believe that our servers are still using the old
principal. Do I need to restart the afs fileserver processes after enabling
the new afs/cell principal?

Best,
k-

-- 

: Kendrick Hernandez
: UNIX Systems Administrator
: UNIX Systems and Infrastructure
: Division of Information Technology
: University of Maryland, Baltimore County
