[OpenAFS] Re: Moving Magic Trio to another domain

Andrew Deason adeason@sinenomine.net
Tue, 24 Sep 2013 16:52:18 -0500


On Wed, 25 Sep 2013 00:37:19 +0300 (EEST)
"Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:

> >> mkdir says it cannot be done because it's readonly.
> >
> > For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is,
> > /afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ?
> 
> Oops!
> '/afs/.[new.domain]' is a mount point for volume '%[new.domain]:root.cell'

I assume this gives a 'permission denied' error now?

> > No, it should not. What you're looking for are messages that say
> > something like 'invalid tokens' or 'tokens discarded' from AFS. If you
> > see anything like that, the kerberos stuff is broken, so you won't be
> > able to access anything that requires authentication.
> 
> Yes, indeed:
> afs: Tokens for user of AFS id 1 for cell liitin.org are discarded (rxkad
> error=19270408, server x.x.x.x)

$ translate_et 19270408
19270408 (rxk).8 = ticket contained unknown key version number

So yes, the authentication setup is broken. Are you using the non-DES
setup, and do you remember exactly what you did? Can you run in kadmin:

kadmin: getprinc afs/[new.domain]

and provide the parts that say "Key: vno X, [...]". Then run:

# ktutil
ktutil: rkt /usr/afs/etc/rxkad.keytab
ktutil: l -e
[output]

Either provide the output, or just look yourself to see if the
'ktutil' output seems to be consistent with the 'getprinc' output above.

-- 
Andrew Deason
adeason@sinenomine.net
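An added example, not part of the thread, of the consistency check Andrew is asking for: it parses the "Key: vno X, enctype" lines from `getprinc` and the slot listing from `ktutil l -e`, and reports any KDC key whose kvno/enctype the rxkad.keytab cannot serve. The cell name, realm, kvno values and both output samples are constructed to show the mismatch that produces rxkad error 19270408.

```python
import re

# Constructed sample of `kadmin: getprinc afs/cell.example` (hypothetical cell/realm).
GETPRINC_OUTPUT = """\
Principal: afs/cell.example@CELL.EXAMPLE
Expiration date: [never]
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha1-96
Key: vno 3, des-cbc-crc
"""

# Constructed sample of `ktutil: rkt /usr/afs/etc/rxkad.keytab` then `ktutil: l -e`.
# The keytab still holds kvno 2, i.e. the key from before the principal was re-keyed.
KTUTIL_OUTPUT = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    2 afs/cell.example@CELL.EXAMPLE (aes256-cts-hmac-sha1-96)
   2    2 afs/cell.example@CELL.EXAMPLE (des-cbc-crc)
"""

# "Key: vno 3, aes256-cts-hmac-sha1-96" (an optional ", no salt" suffix is ignored)
KEY_RE = re.compile(r"^Key: vno (\d+), ([\w-]+)", re.M)
# "   1    2 afs/cell.example@CELL.EXAMPLE (aes256-cts-hmac-sha1-96)"
SLOT_RE = re.compile(r"^\s*\d+\s+(\d+)\s+(\S+)\s+\(([\w-]+)\)", re.M)


def parse_getprinc(text):
    """Set of (kvno, enctype) pairs the KDC currently holds for the principal."""
    return {(int(vno), enc) for vno, enc in KEY_RE.findall(text)}


def parse_ktutil(text):
    """Set of (kvno, enctype) pairs present in the keytab listing."""
    return {(int(vno), enc) for vno, _principal, enc in SLOT_RE.findall(text)}


def missing_keys(getprinc_text, ktutil_text):
    """KDC keys the fileserver keytab lacks, sorted.

    The KDC encrypts service tickets with its current afs/cell key; if the
    rxkad.keytab has no entry with that kvno, the server cannot decrypt the
    ticket, answers with rxkad error 19270408 (unknown key version number)
    and the client discards the tokens. An empty list means the two agree.
    """
    return sorted(parse_getprinc(getprinc_text) - parse_ktutil(ktutil_text))


if __name__ == "__main__":
    for vno, enc in missing_keys(GETPRINC_OUTPUT, KTUTIL_OUTPUT):
        print(f"keytab is missing KDC key: vno {vno}, {enc}")
```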