[OpenAFS] Re: Moving Magic Trio to another domain
Wed, 25 Sep 2013 01:07:26 +0300 (EEST)
> On Wed, 25 Sep 2013 00:37:19 +0300 (EEST)
> "Jukka Tuominen" <email@example.com> wrote:
>> >> mkdir says it cannot be done because it's readonly.
>> > For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is,
>> > /afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ?
>> '/afs/.[new.domain]' is a mount point for volume
> I assume this gives a 'permission denied' error now?
>> > No, it should not. What you're looking for are messages that say
>> > something like 'invalid tokens' or 'tokens discarded' from AFS. If you
>> > see anything like that, the kerberos stuff is broken, so you won't be
>> > able to access anything that requires authentication.
>> Yes, indeed:
>> afs: Tokens for user of AFS id 1 for cell liitin.org are discarded
>> error=19270408, server x.x.x.x)
> $ translate_et 19270408
> 19270408 (rxk).8 = ticket contained unknown key version number
> So yes, the authentication setup is broken. Are you using the non-DES
> setup, and do you remember exactly what you did?
addprinc -policy service -randkey -e aes256-cts-hmac-sha1-96:normal
> Can you run in kadmin:
> kadmin: getprinc afs/[new.domain]
> and provide the parts that say "Key: vno X, [...]".
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
> Then run:
> # ktutil
> ktutil: rkt /usr/afs/etc/rxkad.keytab
> ktutil: l -e
> Either provide the output, or just look yourself to see if the
> 'ktutil' output seems to be consistent with the 'getprinc' output above.
There is no file by the name rxkad.keytab (tried to 'locate' it). Maybe it has
a different name in Ubuntu 10.04, or might this be the error?
> Andrew Deason
> OpenAFS-info mailing list
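
The consistency check requested above (the key version from 'getprinc' against the 'ktutil' listing of the keytab), as an added example that is not part of the original thread. The principal afs/example.org@EXAMPLE.ORG, the sample outputs and the function names are constructed, and the listing layout assumes MIT ktutil.

```shell
#!/bin/sh
# Constructed sample: 'getprinc' output, key line in the format quoted in the thread.
sample_getprinc() {
cat <<'EOF'
Principal: afs/example.org@EXAMPLE.ORG
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
EOF
}
# Constructed sample: 'ktutil' listing ('rkt' then 'l -e') holding only a stale kvno.
sample_keytab_stale() {
cat <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    2 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
EOF
}
# Constructed sample: listing whose kvno matches the KDC.
sample_keytab_good() {
cat <<'EOF'
slot KVNO Principal
---- ---- ---------------------------------------------------------------
   1    1 afs/example.org@EXAMPLE.ORG (aes256-cts-hmac-sha1-96)
EOF
}
# Highest key version number in 'getprinc' output read from stdin.
kdc_kvno() {
    awk '$1 == "Key:" && $2 == "vno" { v = $3; sub(/,$/, "", v)
         if (v + 0 > max) max = v + 0 } END { print max + 0 }'
}
# Every kvno the listing on stdin holds for principal $1, one per line.
keytab_kvnos() {
    awk -v p="$1" '$1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == p { print $2 }' |
        sort -un
}
# check_kvno PRINCIPAL GETPRINC_TEXT KTUTIL_TEXT
# Tickets are encrypted with the KDC's current key, so the server must hold
# that kvno; an empty listing (missing keytab) is reported as a mismatch.
check_kvno() {
    want=$(printf '%s\n' "$2" | kdc_kvno)
    have=$(printf '%s\n' "$3" | keytab_kvnos "$1" | tr '\n' ' ')
    case " $have" in
        *" $want "*) echo "OK: keytab holds kvno $want"; return 0 ;;
        *) echo "MISMATCH: KDC kvno $want, keytab kvnos: ${have:-none}"; return 1 ;;
    esac
}
P=afs/example.org@EXAMPLE.ORG
check_kvno "$P" "$(sample_getprinc)" "$(sample_keytab_good)"
check_kvno "$P" "$(sample_getprinc)" "$(sample_keytab_stale)" || true
```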