[OpenAFS] Re: afs/cell transition procedure

Andrew Deason adeason@sinenomine.net
Thu, 12 Sep 2013 14:37:34 -0500


On Thu, 12 Sep 2013 15:00:59 -0400
Kendrick Hernandez <kendrick.hernandez@umbc.edu> wrote:

> I just verified on the old server that the SUNWcry package is not
> installed, so that may be the case here.

Thanks for checking that.

> > And sorry about the lack of useful information from the server about
> > this. The part of the code that would be able to detect this error
> > currently has no ability to log anything, which is why this can get
> > confusing.
> 
> No problem, and thanks for the help. With the EOL of 1.4 in sight,
> this probably won't be an issue for much longer.

Well, this doesn't have to do with 1.4 vs 1.6. If the server cannot
decrypt the response from the kdc, there's nothing our code can do about
that. The same thing would happen with any other kerberized service.

The only ways you could have fixed that situation were making Solaris
understand aes256 (either by upgrading as you did, or presumably
installing SUNWcry), or changing the kdc configuration to not issue
aes256 tickets for the afs service (probably by removing the aes256 key
for it).

-- 
Andrew Deason
adeason@sinenomine.net
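
Added example, not part of the original message: a small Python check for the mismatch described above, where the KDC issues a service ticket in an enctype the service host cannot decrypt. The sample `klist -e` output, the realm and principal names, and the `SERVER_ENCTYPES` set are constructed assumptions, and `undecryptable_tickets` is a hypothetical helper name.

```python
import re

# Constructed sample in the style of MIT `klist -e` output (not from the thread).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: user@EXAMPLE.EDU

Valid starting     Expires            Service principal
09/12/13 14:00:00  09/13/13 00:00:00  krbtgt/EXAMPLE.EDU@EXAMPLE.EDU
\tEtype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
09/12/13 14:00:05  09/13/13 00:00:00  afs/example.edu@EXAMPLE.EDU
\tEtype (skey, tkt): des-cbc-crc, aes256-cts-hmac-sha1-96
"""

# Assumption: enctypes the service host's Kerberos library is able to decrypt
# (a host without aes256 support, as in the situation discussed above).
SERVER_ENCTYPES = {"des-cbc-crc", "des3-cbc-sha1", "aes128-cts-hmac-sha1-96"}

# A ticket line is: start date, start time, end date, end time, principal.
TICKET_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")
# The following line carries the session-key and ticket enctypes.
ETYPE_RE = re.compile(r"^\s+Etype \(skey, tkt\):\s*([^,]+),\s*(\S+)")


def undecryptable_tickets(klist_output, server_enctypes, service="afs"):
    """Return (principal, ticket_enctype) for tickets of `service` whose
    ticket enctype is outside what the service host can decrypt."""
    findings = []
    current = None
    for line in klist_output.splitlines():
        m = TICKET_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ETYPE_RE.match(line)
        if m and current:
            tkt_enctype = m.group(2).strip()
            name = current.split("@", 1)[0]
            is_service = name == service or name.startswith(service + "/")
            # The ticket is encrypted in the service's long-term key, so the
            # ticket enctype (not the session key) is what the host must handle.
            if is_service and tkt_enctype not in server_enctypes:
                findings.append((current, tkt_enctype))
            current = None
    return findings


if __name__ == "__main__":
    for principal, enctype in undecryptable_tickets(SAMPLE_KLIST, SERVER_ENCTYPES):
        print(f"{principal}: ticket enctype {enctype} not supported by service host")
```
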