So I may have fixed it, at least partially. The AFS token discard error number, 19270408, when translated with 'translate_et 19270408' gives "ticket contained unknown key version number". Which after some more digging gives the following paragraph from the krb524/README file once indicates that my Transarc AFS servers don't understand the encrypted tickets:
Configuring krb524d AFS Conversion ======================================================================
The krb524d looks in the appdefaults section of krb5.conf for an application called afs_krb5 to determine whether afs principals support encrypted ticket parts as tokens. The following configuration fragment says that afs/[EMAIL PROTECTED] supports the new token format but [EMAIL PROTECTED] and afs/[EMAIL PROTECTED] do not. Note that the default is to assume afs servers support the new format.
[appdefaults]
afs_krb5 = {
ATHENA.MIT.EDU = {
# This stanza describes principals in the
#ATHENA.MIT.EDU realm
afs = false
afs/athena.mit.edu = false
afs/sipb.mit.edu = true
}
}After adding the appdefaults section to my krb5.conf file and restarting the krb5kdc and krb524d services, I am now successfully using aklog. On the windows client it looks like WAKE is able to obtain valid AFS tokens using the krb tgt (I'm at home trying to do this via XP's remote desktop so it's a little painful).
So yeah, steps forward, but ... This seems to only work on systems for which there exists a host/FQDN principal in the krb5 database. So this isn't going to work for systems on a DSL connection or systems under DHCP with varying hostnames. (Testing now gives me an error of "Incorrect net address".)
So my question to the group, and sorry if this should go to an afs list instead of the krb list - what do people use for AFS access for remote/home users once they've migrated their afs to krb5?
--Matthew
--On Wednesday, March 05, 2003 11:06 PM -0500 Matthew Mauzy <[EMAIL PROTECTED]> wrote:
Key version numbers match (unless I'm not looking at the correct info). How do I check the enc types?
--Matthew
% bos listkeys db0 key 0 has cksum ... key 1 has cksum ... key 2 has cksum ... Keys last changed on Mon Mar 3 17:34:49 2003.
kadmin: getprinc afs Principal: [EMAIL PROTECTED] ... Last password change: Mon Mar 03 17:32:38 EST 2003 ... Number of keys: 1 Key: vno 2, DES cbc mode with CRC-32, no salt Attributes:
--On Thursday, March 06, 2003 12:30 PM +1300 Nathan Ward <[EMAIL PROTECTED]> wrote:
Check your key version numbers, and your enc types. I had this problem several times and it was a combination of these 2 problems that caused it.
Nathan Ward
Matthew Mauzy wrote:
I found the following post by Cesar Garcia posted in Feb 2002. I'm running into a similar problem and wonder if anyone has solved it.
I just migrated my AFS cell with afs-krb5 Migration Kit v1.3 to use krb5 v1.2.7. I'm running fakeka and krb524d on the KDC and ka-forwarder on the AFS DB servers and am able to use klog and authenticate to the new krb5 database. The problem is that aklog isn't working correctly. When I kinit (successfully) and then run aklog I get what appears to be a valid AFS token:
[EMAIL PROTECTED] ~ 8: tokens
Tokens held by the Cache Manager:
User's (AFS ID 9458) tokens for [EMAIL PROTECTED] [Expires Mar 6 03:52] --End of list--
but any thing that requires permissions, like 'touch temp', fails with the following error in the messages file:
kernel: afs: Tokens for user AFS id xxxxx for cell amath.unc.edu are discarded (rxkad error=19270408)
I'm fairly certain that the fakeka/ka-forwarder combo are working properly as klog still works fine. It's just tokens that are created with aklog that fail.
Since the windows AFS clients don't use the ka services, none of my windows clients are able to login to the AFS cell. I'm trying to use WAKE, (from Rose-Hulman http://www.rose-hulman.edu/TSC/software/wake/ ) to get around the Windows AFS/krb5 issues, but all the problems keep coming back to what seems to be a krb524 problem.
--Matthew
__________________________________________________________________
Matthew W. Mauzy
Systems Administrator
Applied Math @ UNC-CH
email : [EMAIL PROTECTED] pager : [EMAIL PROTECTED]
(W) 919.962.9819 www.amath.unc.edu/~mauzy/ (P) 919.347.0390
__________________________________________________________________
________________________________________________
Kerberos mailing list [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
