[OpenAFS] Re: afs/cell transition procedure

Kendrick Hernandez kendrick.hernandez@umbc.edu
Thu, 12 Sep 2013 15:00:59 -0400


On Thu, Sep 12, 2013 at 12:00 PM, Andrew Deason <adeason@sinenomine.net> wrote:
> On Thu, 12 Sep 2013 09:57:30 -0400
> Kendrick Hernandez <kendrick.hernandez@umbc.edu> wrote:
>
>> I saved the output of "showrev -a" before upgrading, if that would be
>> helpful.
>
> The below has a possible explanation, but sure, it would be good to
> have. If it's large, don't send it to the list.
>
> However, I've realized what may be happening is that that server just
> didn't support the encryption type used by the kdc to encrypt the
> service ticket (aes256). It looks like Solaris 10 krb5 does not support
> aes256 if you don't have the SUNWcry package installed, which is
> available but not installed by default until update 4. It does support
> all of the other enctypes you mentioned, though (including aes128).

I just verified on the old server that the SUNWcry package is not
installed, so that may be the case here.

>
> While I was aware this was at least a theoretical possibility, I could
> not remember any actual systems you can run an openafs server on that
> supported non-des krb that didn't support all of the common enctypes
> (aes256, aes128, des3, and rc4). If that's what was happening here, you
> are the first instance of this I've seen, and we should update the
> install instructions to make a note of this.

Yeah, prior to applying the patchset, U2 didn't have the krb5
libraries that our 1.4.15 binaries had been built against, but
afterwards they ran just fine.

>
> And sorry about the lack of useful information from the server about
> this. The part of the code that would be able to detect this error
> currently has no ability to log anything, which is why this can get
> confusing.

No problem, and thanks for the help. With the EOL of 1.4 in sight,
this probably won't be an issue for much longer.

k-

-- 

: Kendrick Hernandez
: UNIX Systems Administrator
: UNIX Systems and Infrastructure
: Division of Information Technology
: University of Maryland, Baltimore County
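
Added example, not part of the original thread or of OpenAFS: a Python check for the mismatch Andrew describes, flagging keytab entries whose enctype the server's local krb5 cannot decrypt. The sample listing, principal, realm, KVNOs, enctype spellings and function names are constructed assumptions; the supported set encodes the thread's statement that Solaris 10 krb5 without SUNWcry lacks only aes256.

```python
import re

# Assumption taken from the thread: without SUNWcry, Solaris 10 krb5 handles
# the common enctypes except aes256. Names use MIT-style spelling.
SUPPORTED_WITHOUT_SUNWCRY = {
    "aes128-cts-hmac-sha1-96", "des3-cbc-sha1", "arcfour-hmac", "des-cbc-crc",
}

# Constructed sample in the style of `klist -ke` output; every value is made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/path/to/keytab
KVNO Principal
---- ----------------------------------------------------------------
   4 afs/example.edu@EXAMPLE.EDU (aes256-cts-hmac-sha1-96)
   4 afs/example.edu@EXAMPLE.EDU (aes128-cts-hmac-sha1-96)
   4 afs/example.edu@EXAMPLE.EDU (des3-cbc-sha1)
   3 afs/example.edu@EXAMPLE.EDU (des-cbc-crc)
"""

# One keytab entry: KVNO, principal, enctype in parentheses.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]+)\)\s*$")

def parse_keytab_listing(text):
    """Return (kvno, principal, enctype) tuples; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3).strip().lower()))
    return entries

def undecryptable(entries, supported):
    """Entries at each principal's highest KVNO whose enctype the host lacks.

    Only the highest KVNO is checked because the KDC encrypts new service
    tickets with the current key version.
    """
    newest = {}
    for kvno, princ, _ in entries:
        newest[princ] = max(kvno, newest.get(princ, kvno))
    return [(k, p, e) for k, p, e in entries
            if k == newest[p] and e not in supported]

def report(text, supported=SUPPORTED_WITHOUT_SUNWCRY):
    """One human-readable line per current key the local krb5 cannot use."""
    return [f"{p} kvno {k}: {e} not supported by local krb5"
            for k, p, e in undecryptable(parse_keytab_listing(text), supported)]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_KLIST)))
```

An empty report means every current key uses an enctype in the supplied set; a non-empty one names the keys that need either the missing crypto package on the server or a re-key without that enctype.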