[OpenAFS] Re: Fwd: Re: afs/cell transition procedure

Kendrick Hernandez kendrick.hernandez@umbc.edu
Wed, 11 Sep 2013 16:49:53 -0400 

On Mon, Sep 9, 2013 at 10:37 AM, Andrew Deason <adeason@sinenomine.net> wrote:
>
> On Mon, 9 Sep 2013 07:10:05 -0400
> Kendrick Hernandez <kendrick.hernandez@umbc.edu> wrote:
>
> > > It suggests to me that your dbserver processes specifically may not be
> > > using the new rxkad.keytab for accepting connections. If you can
> > > authenticate to the fileserver with strong crypto, but not to the vldb,
> > > then that would be explained by the dbservers not having new keys.
> >
> > Ah, okay. I've also noticed that one of our db servers does not appear
> > to be synchronizing with the other two. Going back to your previous
> > suggestion of attempting "vos status", I re-enabled the new afs/cell
> > principal and was able to 'vos status' several of our fileservers. I
> > then tried some 'vos listvldb' operations which failed with the "rxk:
> > security object was passed a bad ticket" error. On a hunch I shut off
> > the server processes for the db server that's not syncing, and this
> > time the vos operations worked. Very strange.
>
> Okay, well, if you can narrow it down to a specific machine, of course
> that helps :) Can you not find any differences between that machine and
> the others? Are they running the exact same binaries, the 3 dbservers?
> Any difference in solaris patch levels or anything? Were you by chance
> seeing the same error code in the dbserver logs anywhere? (you may not,
> even if that error is occurring; some parts of the dbservers in 1.4 do
> not have good handling of certain types of errors, but I'm not sure if
> it's relevant here)

After examining the binaries to see that they were built with krb5
support, trussing the process and confirming it was opening
rxkad.keytab, it turns out that the server in question was at a much
lower patch level that the other two. After updating it, syncing is
working again.

k-

-- 

: Kendrick Hernandez
: UNIX Systems Administrator
: UNIX Systems and Infrastructure
: Division of Information Technology
: University of Maryland, Baltimore County