[OpenAFS] Re: Trying OpenAFS, and missing

Andrew Deason adeason@sinenomine.net
Mon, 6 Jan 2014 12:48:11 -0600


On Wed, 1 Jan 2014 18:49:16 -0600 (CST)
Kristofer Pettijohn <kristofer@cybernetik.net> wrote:

> I re-ran through the process, following the Debian instructions (
> https://openafs.dk/doku.php?id=server:openafs ), and I am encountering
> the same error. I cannot figure this one out. 

If you're still looking to solve this:

> root@ueafs1:/var/log/openafs# bos setcellname -server ueafs1.ad.domain.com -name ad.domain.com -localauth 
> bos: failed to set cell (ticket contained unknown key version number) 

Let's stop right here. Regardless of what's on the KDC, using -localauth
like this should always work. This command should not involve the KDC at
all; we are constructing credentials using the rxkad.keytab file on
disk, and the server using (presumably) the same rxkad.keytab file on
disk. A first sanity check is to strace the 'bosserver' and 'bos'
processes to see if they are actually reading the rxkad.keytab file that
you think they are. You can run bosserver outside of the init script as
root with no arguments; there's nothing much special about it, just make
sure there's no other bosserver already running when you do it. Send the
bosserver process a QUIT signal to shut it down gracefully outside of
the init script.

Another sanity check is to check that the bosserver process and the
'bos' binary are linked to libkrb5. Just check e.g. 'ldd
/usr/sbin/bosserver'. If either of them are not, that's a problem
(though that's not your fault).


Anyway, assuming that all makes sense, another possible source of
confusion:

Your rxkad.keytab file posted earlier contains DES keys in it; remove
them. The server processes ignore DES keys in the rxkad.keytab file, and
clients should as well, but this is not always true with some krb5
implementations; it's better to just be safe and remove them. You can
alter a keytab with ktutil; just check it with klist as you've been
doing afterwards to make sure it contains what you think it does.

Also keep in mind that a running server does not immediately detect
changes to rxkad.keytab. You need to 'touch CellServDB' for it to pick
up changes; or completely restarting the server processes, as I think
you've been doing, is fine, too.

So, if you can get strace proof that both processes are using the same
rxkad.keytab (and it's the one you expect), and it contains no DES keys,
and you still get that error with 'bos -localauth', then that is indeed
quite strange, so let us know.

-- 
Andrew Deason
adeason@sinenomine.net
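Added example, not part of the thread and not OpenAFS code: a small Python
parser for the MIT keytab file format (version 0x0502, the one klist and
ktutil write) that does offline what the message above asks you to check
with 'klist' and 'ktutil', namely list every entry's kvno and enctype,
flag the single-DES ones, and write a copy of rxkad.keytab with those
entries removed. The principal afs/ad.domain.com is taken from the cell
name in the thread; the realm AD.DOMAIN.COM, the timestamp and the key
bytes are constructed for the example.

```python
# Added example: parse an MIT-format keytab, flag single-DES keys, strip them.
# Not OpenAFS code. Sample principal/realm/key bytes below are constructed.
import struct
from dataclasses import dataclass

# RFC 3961 single-DES enctypes; rxkad.keytab should contain none of these.
DES_ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5"}
ENCTYPE_NAMES = {**DES_ENCTYPES, 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
                 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
KT_VERSION = b"\x05\x02"   # keytab format 0x0502: all integers big-endian


@dataclass
class KeytabEntry:
    principal: str   # "afs/cell@REALM"
    name_type: int   # KRB5_NT_PRINCIPAL == 1
    timestamp: int
    kvno: int
    enctype: int
    key: bytes

    @property
    def is_des(self) -> bool:
        return self.enctype in DES_ENCTYPES


def _counted(buf: bytes, off: int):
    """Read a counted octet string: uint16 length followed by the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> list:
    if data[:2] != KT_VERSION:
        raise ValueError("only keytab format 0x0502 is supported here")
    entries, off = [], 2
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                     # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)  # realm is stored before the components
        comps = []
        for _ in range(ncomp):           # in v2 the count excludes the realm
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8, enctype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:               # optional 32-bit kvno (needed when kvno > 255)
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   name_type, ts, kvno, enctype, key))
    return entries


def build_keytab(entries) -> bytes:
    out = bytearray(KT_VERSION)
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        parts = name.split("/")
        body = bytearray(struct.pack(">H", len(parts)))
        for s in [realm] + parts:
            body += struct.pack(">H", len(s)) + s.encode()
        body += struct.pack(">IIBHH", e.name_type, e.timestamp, e.kvno & 0xFF,
                            e.enctype, len(e.key)) + e.key
        body += struct.pack(">I", e.kvno)   # always emit the 32-bit kvno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def describe(entries) -> list:
    """'klist -kte'-style lines, with DES entries called out."""
    return [f"{e.kvno:4d} {e.principal} ({ENCTYPE_NAMES.get(e.enctype, e.enctype)})"
            + ("   <-- DES, remove" if e.is_des else "") for e in entries]


def strip_des(data: bytes):
    """Return (keytab bytes without DES keys, list of the removed entries)."""
    entries = parse_keytab(data)
    return build_keytab([e for e in entries if not e.is_des]), [e for e in entries if e.is_des]


# Constructed sample: a stray DES key next to the AES keys for the cell principal.
_P = "afs/ad.domain.com@AD.DOMAIN.COM"      # realm is an assumption
SAMPLE_KEYTAB = build_keytab([
    KeytabEntry(_P, 1, 1388620156, 3, 1, bytes(range(8))),    # des-cbc-crc
    KeytabEntry(_P, 1, 1388620156, 3, 18, bytes(range(32))),  # aes256
    KeytabEntry(_P, 1, 1388620156, 3, 17, bytes(range(16))),  # aes128
])

if __name__ == "__main__":
    print("\n".join(describe(parse_keytab(SAMPLE_KEYTAB))))
    cleaned, removed = strip_des(SAMPLE_KEYTAB)
    print(f"removed {len(removed)} DES key(s)")
    print("\n".join(describe(parse_keytab(cleaned))))
```

To run it against a real file, read /etc/openafs/server/rxkad.keytab (or
wherever strace showed the process opening it) into bytes, call
strip_des(), and write the result to a new path before swapping it in;
then confirm with 'klist -kte' as the message suggests, and remember the
running bosserver will not notice the new file until you touch
CellServDB or restart it.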