[OpenAFS] Re: afs/cell transition procedure
Thu, 12 Sep 2013 15:00:59 -0400
On Thu, Sep 12, 2013 at 12:00 PM, Andrew Deason <firstname.lastname@example.org> wrote:
> On Thu, 12 Sep 2013 09:57:30 -0400
> Kendrick Hernandez <email@example.com> wrote:
>> I saved the output of "showrev -a" before upgrading, if that would be
> The below has a possible explanation, but sure, it would be good to
> have. If it's large, don't send it to the list.
> However, I've realized what may be happening is that that server just
> didn't support the encryption type used by the kdc to encrypt the
> service ticket (aes256). It looks like Solaris 10 krb5 does not support
> aes256 if you don't have the SUNWcry package installed, which is
> available but not installed by default until update 4. It does support
> all of the other enctypes you mentioned, though (including aes128).
I just verified on the old server that the SUNWcry package is not
installed, so that maybe the case here.
> While I was aware this was at least a theoretical possibility, I could
> not remember any actual systems you can run an openafs server on that
> supported non-des krb that didn't support all of the common enctypes
> (aes256, aes128, des3, and rc4). If that's what was happening here, you
> are the first instance of this I've seen, and we should update the
> install instructions to make a note of this.
Yeah, prior to applying the patchset, U2 didn't have the krb5
libraries that our 1.4.15 binaries had been built against, but
afterwards they ran just fine.
> And sorry about the lack of useful information from the server about
> this. The part of the code that would be able to detect this error
> currently has no ability to log anything, which is why this can get
No problem, and thanks for the help. With the EOL of 1.4 in sight,
this probably won't be an issue for much longer.
: Kendrick Hernandez
: UNIX Systems Administrator
: UNIX Systems and Infrastructure
: Division of Information Technology
: University of Maryland, Baltimore County