[OpenAFS] Re: afs/cell transition procedure

Andrew Deason adeason@sinenomine.net
Thu, 12 Sep 2013 11:00:48 -0500


On Thu, 12 Sep 2013 09:57:30 -0400
Kendrick Hernandez <kendrick.hernandez@umbc.edu> wrote:

> I saved the output of "showrev -a" before upgrading, if that would be
> helpful.

The below has a possible explanation, but sure, it would be good to
have. If it's large, don't send it to the list.

However, I've realized what may be happening is that that server just
didn't support the encryption type used by the kdc to encrypt the
service ticket (aes256). It looks like Solaris 10 krb5 does not support
aes256 if you don't have the SUNWcry package installed, which is
available but not installed by default until update 4. It does support
all of the other enctypes you mentioned, though (including aes128).

While I was aware this was at least a theoretical possibility, I could
not remember any actual systems you can run an openafs server on that
supported non-des krb that didn't support all of the common enctypes
(aes256, aes128, des3, and rc4). If that's what was happening here, you
are the first instance of this I've seen, and we should update the
install instructions to make a note of this.

And sorry about the lack of useful information from the server about
this. The part of the code that would be able to detect this error
currently has no ability to log anything, which is why this can get
confusing.

-- 
Andrew Deason
adeason@sinenomine.net
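
A sketch of the check this message implies, added here as an example and not part of the original message or of OpenAFS: it reads `klist -k -e` output for the server's keytab and flags aes256 keys when the local krb5 library is not expected to support them. It assumes the keytab enctypes reflect what the KDC will use for the service ticket; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): flag keytab entries whose
# enctype the local krb5 library may be unable to decrypt.

# Constructed sample of `klist -k -e` output; principal and kvno are made up.
sample_klist() {
cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 afs/example.edu@EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
   4 afs/example.edu@EXAMPLE.EDU (aes128-cts-hmac-sha1-96)
   4 afs/example.edu@EXAMPLE.EDU (des3-cbc-sha1)
   4 afs/example.edu@EXAMPLE.EDU (arcfour-hmac)
EOF
}

# Read klist output on stdin; print "kvno principal enctype" for aes256 keys.
# Matches the short name (aes256-cts-...) and the long description
# ("AES-256 CTS mode ...") that some klist versions print instead.
aes256_entries() {
    awk '
        /^ *[0-9]+ / && /\(.*\)[ \t]*$/ {
            enc = $0
            sub(/^[^(]*\(/, "", enc)     # drop everything up to "("
            sub(/\)[ \t]*$/, "", enc)    # drop the trailing ")"
            if (tolower(enc) ~ /aes-?256/) print $1, $2, enc
        }'
}

# $1 = "yes" or "no": whether aes256 is supported locally (on Solaris 10,
# per the message above, whether the SUNWcry package is installed).
# Reads klist output on stdin; returns 1 if aes256 keys exist without support.
check_keytab() {
    has_aes256=$1
    hits=$(aes256_entries)
    if [ -n "$hits" ] && [ "$has_aes256" != "yes" ]; then
        echo "keytab has aes256 keys but aes256 is not supported here:" >&2
        echo "$hits" >&2
        return 1
    fi
    return 0
}
```

On a Solaris 10 server the first argument could come from `pkginfo -q SUNWcry`, with the real `klist -k -e` output piped in place of `sample_klist`.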