[OpenAFS] Re: afs/cell transition procedure
Rich Sudlow
rich@nd.edu
Thu, 12 Sep 2013 20:44:29 -0400
On 09/12/2013 03:37 PM, Andrew Deason wrote:
> On Thu, 12 Sep 2013 15:00:59 -0400
> Kendrick Hernandez <kendrick.hernandez@umbc.edu> wrote:
>
>> I just verified on the old server that the SUNWcry package is not
>> installed, so that maybe the case here.
>
> Thanks for checking that.
I believe you need both SUNWcry & SUNWcryr
>
>>> And sorry about the lack of useful information from the server about
>>> this. The part of the code that would be able to detect this error
>>> currently has no ability to log anything, which is why this can get
>>> confusing.
>>
>> No problem, and thanks for the help. With the EOL of 1.4 in sight,
>> this probably won't be an issue for much longer.
>
> Well, this doesn't have to do with 1.4 vs 1.6. If the server cannot
> decrypt the response from the kdc, there's nothing our code can do about
> that. The same thing would happen with any other kerberized service.
>
> The only ways you could have fixed that situation were making Solaris
> understand aes256 (either by upgrading as you did, or presumably
> installing SUNWcry), or changing the kdc configuration to not issue
> aes256 tickets for the afs service (probably by removing the aes256 key
> for it).
>
--
Rich Sudlow
University of Notre Dame
Center for Research Computing - Union Station
506 W. South St
South Bend, In 46601
(574) 631-7258 (office)
(574) 807-1046 (cell)