[OpenAFS] Rekey AFS - aklog not working

Benjamin Kaduk kaduk@mit.edu
Tue, 7 Sep 2021 07:36:28 -0700


On Tue, Sep 07, 2021 at 04:30:41PM +0200, Andreas Hirczy wrote:
> Hi!
> 
> I recently tried to rekey our AFS - at last - following the 'basic
> procedure' from https://www.openafs.org/pages/security/how-to-rekey.txt
> and https://www.openafs.org/pages/security/install-rxkad-k5-1.6.txt.  My
> setup runs OpenAFS 1.8.5 and MIT Kerberos 1.17-3 on Debian.
> 
> Afterwards obtaining tokens with aklog failed with error code 19270408
> (ticket contained unknown key version number):
> 
> | $ aklog
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at: rxkad error=19270408 (server 129.27.161.138)
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at: rxkad error=19270408 (server 129.27.161.139)
> | afs: Tokens for user of AFS id 997 for cell itp.tugraz.at are discarded (rxkad error=19270408,server 129.27.161.95)
> 
> I'm not sure whether I should run "akeyconvert" after copying the
> Kerberos keytab to the servers?  In my opinion we should have a file
> /etc/openafs/server/KeyFileExt, but it's not mentioned in the
> docs.

That sounds like your Kerberos KDC is issuing tickets using a newer service
key that the AFS server (the ptserver, specifically, in this case) hasn't
learned about yet.

Running akeyconvert after copying the keytab should do the trick.  You may
need to `touch` the (server) CellServDB file after that in order to get the
change picked up; I forget if the KeyFileExt is on the list of files that
are watched in 1.8.5.

-Ben
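A quick way to confirm the mismatch Ben describes before re-running akeyconvert, added here as an example and not code from the thread or from OpenAFS: compare the key version numbers in the Kerberos keytab with those the server has loaded into KeyFileExt. It assumes saved listings from `klist -k -e` and `asetkey list` (the keytab path and the `kvno <n>` wording of the asetkey output are assumptions), and works on constructed sample listings so it runs offline.

```shell
# Added example (not from the thread): find key version numbers (kvno) that the
# KDC can issue tickets under but that the AFS server has not loaded into
# KeyFileExt. That gap is what yields rxkad error 19270408 after a rekey.
# Assumed inputs are saved listings:
#   klist -k -e /etc/openafs/server/rxkad.keytab > klist.txt   (path assumed)
#   asetkey list > asetkey.txt   (lines assumed to contain "kvno <n>")

# kvnos for principals starting with $2 (e.g. afs/) in a klist -k -e listing
keytab_kvnos() {
    awk -v p="$2" '$1 ~ /^[0-9]+$/ && index($2, p) == 1 { print $1 }' "$1" | sort -un
}

# kvnos present in an asetkey list listing
keyfileext_kvnos() {
    sed -n 's/.*kvno[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | sort -un
}

# print each keytab kvno that KeyFileExt lacks; empty output means in sync
missing_kvnos() {
    # $1 = klist listing, $2 = asetkey listing, $3 = principal prefix
    known=$(keyfileext_kvnos "$2" | tr '\n' ' ')
    for k in $(keytab_kvnos "$1" "$3"); do
        case " $known " in
            *" $k "*) ;;                 # server already knows this kvno
            *) printf '%s\n' "$k" ;;     # tickets under this kvno will be rejected
        esac
    done
}

# Constructed sample listings: the rekey added kvno 5 to the keytab, but
# akeyconvert has not been run, so KeyFileExt still only holds kvno 4.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/klist.txt" <<'EOF'
Keytab name: FILE:/etc/openafs/server/rxkad.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   4 afs/example.cell@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   5 afs/example.cell@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
   5 afs/example.cell@EXAMPLE.REALM (aes128-cts-hmac-sha1-96)
   2 host/fs1.example.cell@EXAMPLE.REALM (aes256-cts-hmac-sha1-96)
EOF
cat > "$SAMPLE_DIR/asetkey.txt" <<'EOF'
rxkad_krb5 kvno    4 enctype   18; key is: <hex placeholder>
EOF

echo "kvnos in keytab but missing from KeyFileExt:"
missing_kvnos "$SAMPLE_DIR/klist.txt" "$SAMPLE_DIR/asetkey.txt" afs/   # prints 5
```

A non-empty result means the server still needs akeyconvert (and, as Ben notes, possibly a `touch` of the server CellServDB) before tickets under the new kvno will be accepted.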