[OpenAFS] Re: Moving Magic Trio to another domain

Jukka Tuominen jukka.tuominen@finndesign.fi
Wed, 25 Sep 2013 01:07:26 +0300 (EEST)


> On Wed, 25 Sep 2013 00:37:19 +0300 (EEST)
> "Jukka Tuominen" <jukka.tuominen@finndesign.fi> wrote:
>
>> >> mkdir says it cannot be done because it's readonly.
>> >
>> > For a dir in /afs/.cell? Not /afs/cell, but /afs/.cell; that is,
>> > /afs/.[new.domain]. Can you 'fs lsm' /afs/.[new.domain] ?
>>
>> Oops!
>> '/afs/.[new.domain]' is a mount point for volume
>> '%[new.domain]:root.cell'
>
> I assume this gives a 'permission denied' error now?
>
>> > No, it should not. What you're looking for are messages that say
>> > something like 'invalid tokens' or 'tokens discarded' from AFS. If you
>> > see anything like that, the kerberos stuff is broken, so you won't be
>> > able to access anything that requires authentication.
>>
>> Yes, indeed:
>> afs: Tokens for user of AFS id 1 for cell liitin.org are discarded (rxkad error=19270408, server x.x.x.x)
>
> $ translate_et 19270408
> 19270408 (rxk).8 = ticket contained unknown key version number
>
> So yes, the authentication setup is broken. Are you using the non-DES
> setup, and do you remember exactly what you did?

addprinc -policy service -randkey -e aes256-cts-hmac-sha1-96:normal afs/[new.domain]

> Can you run in kadmin:
>
> kadmin: getprinc afs/[new.domain]
>
> and provide the parts that say "Key: vno X, [...]".

Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt


> Then run:
>
> # ktutil
> ktutil: rkt /usr/afs/etc/rxkad.keytab
> ktutil: l -e
> [output]
>
> Either provide the output, or just look yourself to see if the
> 'ktutil' output seems to be consistent with the 'getprinc' output above.

There is no file by the name rxkad.keytab (tried to 'locate' it). Maybe it has
a different name in Ubuntu 10.04, or might this be the error?

br, jukka


>
> --
> Andrew Deason
> adeason@sinenomine.net